Getting Started
Okay - you've found the network/system that you want to hack. What's first? Find out which of these protocols the target supports. Can you telnet to this computer? Can you FTP to it and copy files from it? To find out, you will need to run a port scan on it with your port-scanning utility. Just type in the hostname or IP address of the machine in question and start scanning. You will be shown which ports are open, and from that which services (telnet, FTP, HTTP and so on - the application protocols that ride on top of TCP/IP) the target is offering. It will not tell you that it supports TCP/IP, because, to put it simply, it has to have TCP/IP to be on the Internet. What you are looking for here is services - the programs listening on those ports. Do not let the term port mislead you - we're not talking about physical ports. One caveat: a port scan only tells you that a port is open. Which program is actually behind it you confirm by connecting to it and reading the banner it sends (more on that below).
Now, if the port scan indicated that the target machine supports telnet (port 23), you can telnet to it and attempt to log in. Go ahead - try it. You'll need a valid username/password combo to get in, which we'll get to later.
If port 21 is open, that means that the machine supports FTP, and files can be transferred back and forth. But, like access via telnet, you'll need a login name and password. Many servers allow anonymous FTP: the username is 'anonymous' (most also accept 'ftp'), and the password is, by convention, your email address - anything that looks like one will do. Go ahead and try it. If it works (and don't be surprised if it doesn't), you won't have much in the way of access privileges: you'll be able to list and download whatever is in the public area, but most likely not copy anything to the machine. If you can anonymously log on, you at least have your foot in the door, and can possibly use this as a stepping stone to get further into the system. More on this later.

Once logged on via FTP, the commands to jump around from directory to directory and copy files are very DOS-like (actually more UNIX-like than DOS, but if you know a little DOS, you should feel comfortable navigating). Type 'help' or '?' for a list of commands. When you do this, you are reading the help text built into your own FTP client. To see the help of the server you're logged on to (which lists the commands that server actually understands, sometimes including extras specific to it), type 'remotehelp' (or 'rhelp' in some clients). Or you could telnet to the FTP port and type 'HELP'. FTP is the usual way to transfer files between the target computer and yours - which you will need to do to get password files, change their website ('this site has been hacked by Kurruppt2k'), or whatever. More on this later.

One last note on FTP - you can telnet to an FTP port and log in. However, since you are not using an FTP client, you will not be able to do much once inside (like get directory listings or download files): the FTP protocol moves the actual data over a second connection that your client is expected to set up, and a telnet program doesn't do that. In fact, you can telnet to any port, but if the right commands are not issued (usually done by your client program), you may not get anywhere, and may even be disconnected.
Telnetting to ports when you aren't sure what is listening on them, though, is a very good way to learn about the computer you are targeting, and is usually a necessary step in breaking in. Most daemons announce themselves (and often their version) in the first line they send, and that is exactly the information you want.
Now, if your port scan turned up 'www' or 'http' (port 80), that means that you've found the computer that serves the HTML files making up this organization's website. This really is only relevant if you are attempting to break into the target's website. To do so, you'd need write access to the index.html file (usually only root or the account that owns the web content has that), and you'd have to FTP up the page you intend to replace theirs with and swap it in for index.html. Doing this, though, could be considered cracker-like, and slightly malicious. This also tends to piss sysadmins off, and may drive them to attempting to find you - so be careful!
A last few notes on TCP/IP. You need to understand the structure of a URL, and of an IP address. Every computer on the Internet is designated by an address. The addressing scheme (IPv4) looks something like this: 38.233.203.2. Each number between the dots (called an octet) can be from 0 to 255. The address is split into a network part and a host part, and where that split falls is set by the subnet mask, not by position alone; for the common /24 (the old 'class C' size), the first three octets identify the network and the last identifies the computer on it. So 38.233.203.2 is host 2 on the 38.233.203.0 subnet. In a /24, .0 is the network address itself and .255 is the broadcast address, so the usable hosts are .1 through .254. If you wanted to see what other machines were on that subnet, you would scan from 38.233.203.1 to 38.233.203.254. Now, each IP address can also have a name. If 38.233.203.2 belongs to the netscape.com domain, it might be www.netscape.com, or mail.netscape.com, or something similar. So when you type www.netscape.com to visit its website, you could also type http://38.233.203.2 (assuming that was its IP address). Which brings us to the URL. Here is a typical "web address": http://www.microsoft.com/services/windowsNT. The http:// specifies the protocol used. You could also replace it with ftp:// or even telnet://. (Note: to log in via ftp with your browser, use ftp://username:password@hostname - and keep in mind that this puts your password in the browser's history.) The www.microsoft.com is just the computer name; DNS handles resolving the name into an IP address. The /services/windowsNT is the path to the file you are requesting (index.html, if none is specified), just like a path on your computer, with forward slashes instead of backslashes.
I dub thee... "Hacker"
Okay, you now should have enough preliminary knowledge to start your very first hack. Pick a target. Universities usually have somewhat lax security. Pick something relatively easy for your first time. Stay away from government networks and those belonging to large businesses and corporations. The very first step is finding the domain name of your target. If your target is www.spicegirls.com, the domain name is simply spicegirls.com.
Step one. Every successful hack starts with a little preliminary investigation. The more information you have about a specific domain, the better armed you are. Open a notebook and start an "info collection" of your target. First, visit their website. Try to view every page, and write down anything of importance. Copy down all email addresses - the part before the @ is often also a valid login name. Write down anything else of relevance. Next run whois and nslookup on the domain, with the appropriate utility (available at The CyberUnderground). This will give you very useful information: the domain's name servers, the administrative contact, a few more email addresses, other computers on the network, and other useful stuff. Copy everything down. Another trick is sending an email to the domain addressed to a username that you know doesn't exist (say, a made-up name at the target's domain). The mail server designated for that domain (its MX host) will bounce it back to you with a message saying that there is no such user. The headers of that bounce name the mail server, usually the software it runs, and sometimes internal hostnames the message passed through - copy it all down.
Step two. Next you should try to get a scope of what kinds of computers are on the outside of this network (by outside, I mean what machines are "on the Internet," and not behind a firewall or proxy server). To do so, you will scan the subnet with your trusty IP scanner. Again, a subnet (a /24, in this case) is every computer (numbers 1 through 254) on a particular range of IP addresses. For example, 253.87.8.3 and 253.87.8.45 would be on the same subnet, whereas 253.87.8.45 and 253.87.11.12 are not. (Actually, networks are often carved up smaller or larger than a /24 - read the RFCs on IP to learn all about IP addressing, subnet masks, packet structure, etc.) To scan the subnet of your target, do as follows. Ping the hostname (your computer should have a ping utility, as do most of the hacker programs you should already have), or run nslookup on it. This gives you the IP address the name resolves to: www.target.com is normally the web server, and whois or nslookup will also hand you the name servers and mail servers, which may sit on other subnets. If the IP address is 253.87.8.45, scan the entire subnet, which would be 253.87.8.1 through 253.87.8.254. This will tell you every computer on that subnet that answers - their IP addresses and hostnames if applicable. Keep in mind that a machine which doesn't answer ping is not necessarily absent; some are configured to ignore it, and a port scan will still find them. If you already know of two computers on different subnets, scan both. Now, write down each computer you found and their IP addresses, along with any relevant notes. When you're done, you should have a list of each (or most) of the servers on your target's network, not behind a firewall/proxy server.
Step three. Now that you know what servers are on this network, you need to find out what services are running on each one. So what do you do next? You guessed it - you'll scan for services, or ports, on each computer you found. Use your portscanner and scan each computer you wrote down. Think of each service running on a machine as a door that you might be able to break in through. Below I'll explain methods to use to possibly "break and enter" through each "door." Now, to get in, and have the power to actually do things and explore the network, you'll need to telnet into one of the machines. This is usually the last step of hacking your way in, and you'll need a username and password to do so (or an exploit, which will be explained shortly). You'll hack into other ports in order to get these usernames and passwords. Now, a username and password that works on one machine of the network will often work on others on that same network (people reuse passwords, and some sites share one account database across their machines), so if you get passwords from one computer, try them on the others. Also, if there are no telnet ports, you can still (sometimes) log in via FTP. You won't be able to do much (like run any programs on the computer), but you will be able to look around and upload or download files from the computer. This all, of course, is assuming the computer is a Unix machine, which most of the servers you'll run into are. You may come across a Windows NT machine, which is entirely different. This means to become elite, you'll have to learn both operating systems.
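As a worked version of steps two and three (and of the subnet arithmetic from the TCP/IP notes above), here is an added Python example. It is not code from the original text or from the CyberUnderground tools it mentions. It enumerates the /24 around a target address, TCP-connect scans a short list of ports, reads the banner each daemon volunteers (the "telnet to the port and see what it says" step), and makes a first guess at the protocol. The addresses, the port list, the banner heuristics and the throwaway localhost FTP daemon the demo scans are all my own constructions, not a standard. Run it only against hosts you are authorised to test.

```python
"""Recon helper: enumerate a /24, TCP-connect scan a few ports, grab banners.

Added example, not from the original text. Standard library only. The
addresses, the port list and the demo banner are constructed/assumed.
"""
from __future__ import annotations

import ipaddress
import socket
import threading

# Ports the text singles out (21, 23, 80) plus a few a recon pass normally checks.
COMMON_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
                80: "http", 110: "pop3", 143: "imap", 443: "https"}


def subnet_hosts(ip: str, prefix: int = 24) -> list[str]:
    """Usable host addresses in the subnet containing `ip`.

    For a /24 that is .1 through .254: .0 (network) and .255 (broadcast)
    are skipped, matching the "1 through 254" the text describes.
    """
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return [str(h) for h in net.hosts()]


def service_name(port: int) -> str:
    """Service name for a port, falling back to the local services table."""
    if port in COMMON_PORTS:
        return COMMON_PORTS[port]
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def classify_banner(banner: str) -> str:
    """Guess the protocol from the first line a daemon volunteers.

    Heuristics only: FTP and SMTP greet with a 220 reply code, SSH with
    'SSH-', POP3 with '+OK', IMAP with '* OK'. HTTP servers stay silent
    until asked, so an empty banner is reported as 'silent', not closed.
    """
    first = banner.strip().splitlines()[0] if banner.strip() else ""
    upper = first.upper()
    if first.startswith("SSH-"):
        return "ssh"
    if first.startswith("220") and "FTP" in upper:
        return "ftp"
    if first.startswith("220") and "SMTP" in upper:   # also matches ESMTP
        return "smtp"
    if first.startswith("+OK"):
        return "pop3"
    if first.startswith("* OK"):
        return "imap"
    return "silent" if not first else "unknown"


def _recv_quiet(s: socket.socket) -> bytes:
    try:
        return s.recv(1024)
    except OSError:            # timeout or reset: treat as silence
        return b""


def grab_banner(host: str, port: int, timeout: float = 3.0) -> tuple[bool, str]:
    """TCP-connect to host:port and return (open, first bytes the daemon sent).

    If the daemon says nothing (HTTP does not), poke it with a minimal request.
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:            # refused, unreachable, or connect timed out
        return False, ""
    with s:
        s.settimeout(timeout)
        data = _recv_quiet(s)
        if not data:
            try:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = _recv_quiet(s)
            except OSError:
                pass
        return True, data.decode("latin-1", "replace")


def scan_host(host: str, ports=COMMON_PORTS, timeout: float = 1.0) -> dict[int, str]:
    """Return {port: banner} for every open port on `host`."""
    found = {}
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            found[port] = banner
    return found


def _fake_daemon(banner: bytes) -> int:
    """Demo only: a throwaway localhost listener that greets with `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    hosts = subnet_hosts("38.233.203.2")
    print(f"{len(hosts)} hosts to sweep, {hosts[0]} .. {hosts[-1]}")
    port = _fake_daemon(b"220 demo FTP server ready.\r\n")   # constructed banner
    for p, banner in scan_host("127.0.0.1", [port]).items():
        print(f"127.0.0.1:{p} open: {banner.strip()!r} -> {classify_banner(banner)}")
```

The scan is a plain connect() per port, so it is slow and noisy; that is the point for a first pass, because it also gives you the banner in the same step. Against a real target, feed `scan_host` the addresses from `subnet_hosts` and write down every open port and banner, exactly as the text says to.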
Unix
The vast majority of the computers you'll come across on the Internet will be some flavor of Unix, be it BSD, Solaris, AIX, Linux, or whatever. Unix systems are set up to be multi-user. There may be a Unix box with lots of dumb terminals (monitors and keyboards with no boxes of their own) directly hardwired into it. Each person who is authorized to be on a dumb terminal (or access the box via telnet) has an account on that system, and probably on each machine on that subnet. Their account has its own directory (folder), usually named after their username. As soon as they log in, they will be placed in that directory, their home directory. Every file and directory in a user's home directory normally belongs to that user, be it a text file, program, or whatever. Also, every user belongs to a group. This is important, because it is a fundamental of how permissions work. Not every user is allowed to read every file on the computer, change every file, and run every program.

To list the files in your pwd (present working directory, the "folder" you're currently in) type 'ls' (without the quotations). This is equivalent to the 'dir' command in DOS. To see the permissions of the files in your pwd, type 'ls -l'. This will tell you the permissions of each file, including who owns it and which group the file belongs to. Permission categories are set for read permissions (the ability to read the file), write (the ability to make changes to the file), and execute (the ability to run the program). Each category is set for the owner of that file (user), everyone in the file's group (group), and then for everyone else on the system (other). When you issue an ls -l, each file will be listed with a ten character string. The first character will be a dash (-) if it's a regular file, a 'd' if it's a directory, or an 'l' if it's a symbolic link (kind of like a Windows shortcut). Other less common letters may appear, which I won't cover.
The next nine characters are broken up into three sets of three. The first three apply to 'user,' or the owner of that file. Each of the three characters is either an r for read, a w for write, or an x for execute. If that permission is granted, the corresponding letter appears; if not, a dash does. The next set of three characters applies to the file's group (which need not be the owner's own primary group), with r, w, and x in the same manner. And the last set of three is for 'other,' meaning the permissions (r, w, and x) for everyone else on that system. So a permissions string of -rwxr--r-- means that it's a regular file (not a directory or link), that the owner of that file can read it, make changes to it, and execute it, that members of the file's group can read the file (but not change or execute it), and that everyone else can read it but nothing else. The strings to look out for are the ones that give 'other' a w (anybody on the box can change the file) and the ones with an 's' where the owner's x would be (the program runs with its owner's privileges - when that owner is root, such programs are prime targets).
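To make the permission string concrete, here is an added Python example (mine, not from the original text) that parses `ls -l` mode strings into user/group/other bits, renders the chmod-style octal form, and flags the entries worth a second look. It goes a little beyond the text by also handling the 's' (setuid/setgid) and 't' (sticky) letters the paragraph skips. The listing it audits is a constructed sample, not a real directory.

```python
"""Audit `ls -l` permission strings.

Added example, not from the original text. SAMPLE_LISTING is a constructed
sample; point audit() at real `ls -l` output on a box you may examine.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample listing (not a real directory).
SAMPLE_LISTING = """\
-rwxr--r--  1 kelly  users   4096 Mar  3  1998 report.txt
drwxrwxrwx  2 root   root    1024 Jan 12  1998 tmp
drwxrwxrwt  5 root   root    1024 Jan 12  1998 scratch
-rwsr-xr-x  1 root   root   28672 Oct  9  1997 su
-rw-rw-rw-  1 root   root     823 Feb  2  1998 config
lrwxrwxrwx  1 root   root       7 Feb  2  1998 lib -> usr/lib
"""

KINDS = {"-": "file", "d": "directory", "l": "symlink", "c": "char device",
         "b": "block device", "p": "fifo", "s": "socket"}


@dataclass
class Mode:
    kind: str
    owner: set      # subset of {"r", "w", "x"}
    group: set
    other: set
    setuid: bool
    setgid: bool
    sticky: bool


def parse_mode(mode: str) -> Mode:
    """Turn a ten-character mode string like -rwxr--r-- into a Mode."""
    if len(mode) != 10 or mode[0] not in KINDS:
        raise ValueError(f"not a mode string: {mode!r}")
    triplets = []
    for t in (mode[1:4], mode[4:7], mode[7:10]):
        bits = set()
        if t[0] == "r":
            bits.add("r")
        if t[1] == "w":
            bits.add("w")
        if t[2] in "xst":          # lowercase s/t: special bit plus execute
            bits.add("x")          # uppercase S/T: special bit without execute
        triplets.append(bits)
    return Mode(KINDS[mode[0]], *triplets,
                setuid=mode[3] in "sS", setgid=mode[6] in "sS", sticky=mode[9] in "tT")


def to_octal(m: Mode) -> str:
    """The chmod-style octal form, e.g. -rwsr-xr-x -> 4755."""
    def digit(bits: set) -> int:
        return (4 if "r" in bits else 0) | (2 if "w" in bits else 0) | (1 if "x" in bits else 0)
    special = (4 if m.setuid else 0) | (2 if m.setgid else 0) | (1 if m.sticky else 0)
    return f"{special}{digit(m.owner)}{digit(m.group)}{digit(m.other)}"


def findings(line: str) -> list[str]:
    """Reasons one `ls -l` line deserves attention (empty list if none)."""
    fields = line.split()
    m, owner = parse_mode(fields[0]), fields[2]
    out = []
    # Anyone on the box can modify it. A symlink's bits are meaningless, and a
    # sticky world-writable directory (/tmp style) only lets you touch your own files.
    if "w" in m.other and m.kind != "symlink" and not (m.kind == "directory" and m.sticky):
        out.append("world-writable")
    if m.setuid:
        out.append("setuid-root" if owner == "root" else "setuid")
    if m.setgid and m.kind == "file":
        out.append("setgid")
    return out


def audit(listing: str) -> dict[str, list[str]]:
    """Map each file name in an `ls -l` listing to its findings."""
    result = {}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        result[line.split()[8]] = findings(line)
    return result


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_LISTING).items():
        print(f"{name:12} {', '.join(hits) or 'ok'}")
```

On a real box you would pipe `ls -l` (or `find / -perm -4000 -ls` for setuid programs) into this instead of the sample; the parser assumes file names without spaces, which is what the usual `ls -l` column layout gives you.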
Unix is set up much like DOS, in that there are directories with subdirectories, and a root directory. Instead of C:\tools\ftp you would see /tools/ftp. The slashes are forward instead of back, and there is no drive letter - root is simply /.
Oftentimes, if you find a Unix machine on the Internet, it is connected to a variety of other computers. What's more exciting is that the Unix machine you just broke into may be directly connected to another, more secret Unix computer that sits behind a firewall (meaning that you normally wouldn't be able to just telnet to it from your home computer, and it probably didn't show up on a subnet scan). If you telnet from your hacked Unix account to another Unix machine, your connection's source IP address becomes that of the Unix machine you are on (hopping like this is also often done to make a hack harder to trace back). So let's pretend you run a subnet scan on your target network, looking for a computer called secret.network.com. Among others, you find comp1.network.com, comp2.network.com, and comp3.network.com. But no computer named secret. And if you try to telnet to secret.network.com, your connection lasts only a split second, or just hangs. Firewall. Suppose a few hours of plugging away gets you a root shell on comp2. You then telnet from comp2 to secret, and are presented with a logon prompt. Why can you now connect to secret? Because the connection is now coming from comp2's address, and secret (or the firewall in front of it) is set up to allow connections only from computers on its own network. For a list of machines the box knows by name, look at /etc/hosts; /etc/hosts.equiv and users' .rhosts files tell you which hosts it trusts for rlogin/rsh without a password, which is the same "it's on our network, let it in" thinking.
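The "secret" machine scenario above can be checked mechanically once you are on the inside box. The following is an added Python example (not from the original text) that parses an /etc/hosts file, reports the entries your earlier subnet scan never saw (candidates for a machine reachable only from inside), and lists any subnets named in the file that you never scanned at all. The hosts file and the scan results are constructed to mirror the comp1/comp2/secret story; the 10.1.1.x and 10.1.2.x addresses are assumptions.

```python
"""Cross-check /etc/hosts from an inside box against the outside subnet scan.

Added example, not from the original text. The hosts file and the scan
results are constructed; the 10.1.x.x addressing is an assumption.
"""
from __future__ import annotations

import ipaddress

# Constructed sample: /etc/hosts as read on comp2.network.com.
SAMPLE_ETC_HOSTS = """\
# hosts on the network.com LAN
127.0.0.1       localhost
10.1.1.1        comp1.network.com   comp1
10.1.1.2        comp2.network.com   comp2
10.1.1.3        comp3.network.com   comp3
10.1.1.10       secret.network.com  secret   # not reachable from outside
10.1.2.7        backup.network.com  backup
"""

# Constructed: the addresses your subnet scan from outside actually reached.
SCAN_SEEN = {"10.1.1.1", "10.1.1.2", "10.1.1.3"}


def parse_hosts(text: str) -> dict[str, list[str]]:
    """Map IP -> names from /etc/hosts, ignoring comments and blank lines."""
    entries: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.setdefault(ip, []).extend(names)
    return entries


def hidden_hosts(hosts: dict[str, list[str]], seen: set[str]) -> dict[str, list[str]]:
    """Entries the outside scan never reached: candidates for inside-only machines."""
    return {ip: names for ip, names in hosts.items()
            if ip not in seen and not ip.startswith("127.")}


def unscanned_subnets(hosts: dict[str, list[str]], scanned: set[str]) -> set[str]:
    """/24 networks named in /etc/hosts that were never scanned at all."""
    nets = set()
    for ip in hosts:
        if ip.startswith("127."):
            continue
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        if net not in scanned:
            nets.add(net)
    return nets


if __name__ == "__main__":
    known = parse_hosts(SAMPLE_ETC_HOSTS)
    for ip, names in hidden_hosts(known, SCAN_SEEN).items():
        print(f"{ip:15} {' '.join(names):35} <- not seen from outside")
    for net in sorted(unscanned_subnets(known, {"10.1.1.0/24"})):
        print(f"{net:15} never scanned; sweep it from this box")
```

The second list matters as much as the first: a name like backup.network.com on a subnet you never touched is a hint that the network is bigger than the one /24 you swept from outside.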
When you first log into a machine with a username and password you 'hacked,' find out what groups that account belongs to (the 'id' command will tell you), and get a feel for what kinds of stuff you have access to, and what you don't. If you find yourself with just about zero access to anything fun, you'll have to use the account you have to obtain one with more privileges. For more info on Unix, get a Unix book, or read the Unix Bible text file (available at The CyberUnderground). This is one operating system that you will need to know, and well, if you plan on becoming elite. For some basic Unix commands, look at Appendix B at the end of this text.