lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed Mar 29 17:16:01 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull)
Subject: Hello everyone

Thanks for this helpful informative post. I was expecting to be blasted as 
an idiot idealist - to be frank, though hoping for just this sort of info. 
Nice one.
I guess as in most things in life - mind your own business and if you don't 
you're liable to get punched in the nose. I think I liked it better when the 
free T-Shirts were in vogue.

Sticking to my own LAN is a great idea though admittedly I expect there are 
times when being inside won't work the same as if coming from the ether.

Not that I'd want to cross the line and test what you say I just read a 
great article where a 13 year old bombed GRC.COM a few years back but due to 
his age and that he hadn't commited more than $US 5,000 of damage the FBI 
said they really didn't have the resources to bother with him.
http://grc.com/dos/grcdos.htm

Are these old exploits documented anywhere. I guess maybe not otherwise we'd 
have a lot more problems. I've googled around but aren't really sure what 
else to search on other than "software exploits" but don't seem to be able 
to find a really good one.

Again, thanks for your helpful email Groundzero.

Ian t

>From: "GroundZero Security" <fd@....org>
>To: "Ian stuart Turnbull" <ian.t7@...mail.co.uk>
>CC: <full-disclosure@...ts.grok.org.uk>
>Subject: Re: [Full-disclosure] Hello everyone
>Date: Wed, 29 Mar 2006 17:43:23 +0200
>MIME-Version: 1.0
>Received: from hosting.GroundZero-Security.com ([217.172.172.12]) by 
>bay0-pamc1-f10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 
>29 Mar 2006 07:41:54 -0800
>Received: from nuclearwinter (p5499E7FC.dip.t-dialin.net 
>[84.153.231.252])by hosting.GroundZero-Security.com (8.13.1/8.13.1/SuSE 
>Linux 0.7) with SMTP id k2TFgLw0020333;Wed, 29 Mar 2006 17:42:24 +0200
>X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPtfpLB7P/ybN8=
>References: <BAY112-F30FB06BA53D6D48F6B09A99D00@....gbl>
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2800.1506
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
>Return-Path: fd@....org
>X-OriginalArrivalTime: 29 Mar 2006 15:41:54.0612 (UTC) 
>FILETIME=[4E2EEF40:01C65347]
>
>Hello,
>
>well the problem is, if you do access the System, you cross the line.
>Even if its open or without password, but that is already illegal access.
>
>Sure you just want to be nice, but if one of the users you try to inform
>gets angry, then he could still contact law enforcement. On the legal side, 
>he
>would be right as you accessed his System. Especially if its on a cooperate
>network. Companies have a lot to loose if customer data or even source code
>gets stolen, so even if you inform them of a bug, they can't be sure that 
>you
>didn't already copy things, unless they inform law officials to raid you.
>
>In the 90s, if you informed a Administrator of a vulnerability, you offten
>received a present of some sort like a free t-shirt  :-) but those times 
>changed.
>At least i didnt hear of someone receiving a present for hacking in years
>(contests don't count). Its a nice idea to inform the people the have 
>vulnerabilities,
>but you have to be carefull. If you just scan and tell them that port 139 
>is open
>then its fine as you didnt access the System and as far as i know port 
>scanning
>is still legal in most countries, but if you actually connect to a open 
>share thats a
>different story.
>
>A few years back there was also a discussion about whitehat worms which 
>would
>scan and patch vulnerable hosts, but its still illegal to hack a system and 
>install
>software, no matter if its to patch or not. Well i suggest you setup a 
>little test
>network and hack those Systems on your LAN. On that way you can learn
>without breaking the law. You need to understand how bugs get exploited and
>how to find vulnerabilities in code and how to write your own exploits.
>Get some old daemons which are known to be vulnerable and where exploits
>exist to get a better understanding. Just a few hints, hope that helps you 
>out.
>
>good luck! (and dont trust any hacking certifications as that is just to 
>make money)
>
>-sk
>Http://www.groundzero-security.com
>
>----- Original Message -----
>From: "Ian stuart Turnbull" <ian.t7@...mail.co.uk>
>To: <full-disclosure@...ts.grok.org.uk>
>Sent: Wednesday, March 29, 2006 5:05 PM
>Subject: [Full-disclosure] Hello everyone
>
>
> > I have just started in this "hacking" [ethical I should quickly add] and
> > after much reading etc [and a forest more to do] I have a fundamental
> > question I'd like to pose.
> > After just a few hours of scanning (I have to start somewhere} I have
> > located quite a few routers that have their manufacturers password still 
>set
> > not to mention loads of Windows machines that have port 139 open AND 
>have
> > write access to the whole of the C: Drive in some instances.
> >
> > My question - since it is these machines that I understand will be the
> > computers that the hacker will use to hide him/her self and given that 
>there
> > are tools around - just that I don't know of one yet - WHY doesn't 
>someone
> > send a message to these machines that the owner will see and ASK them
> > politely to close up these holes? Perhaps something along the "net send"
> > command.
> > I'm sure they would love to be enligtened. i.e. their banking info etc 
>won't
> > be stolen.
> >
> > If given the knowledge I'd be happy to devote a day or so doing just 
>this.
> > Currently I don't yet have enough skills.
> >
> > Yes, I know someone somewhere must have asked this question, though I
> > haven't found any instance of it, so please don't flame me. I am here to
> > LEARN from obviously well instructed and knowledgeable people.
> >
> > Also, forgive me if I appear naive - at this point I admit I definately 
>am
> > but that will change in time to come.
> >
> > I'd love to help make the internet a safer place. It is a truly great
> > invention but for a few darksided individuals. Just because one has the
> > knowledge doesn't mean they have to ruin it for others !!
> >
> > _________________________________________________________________
> > Are you using the latest version of MSN Messenger? Download MSN 
>Messenger
> > 7.5 today! http://join.msn.com/messenger/overview
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >

_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger 
7.5 today! http://join.msn.com/messenger/overview

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ