Hacking Platform


HackBBS.org is a community that develops a system of vulnerable services.

We learn collaboratively how to exploit techniques that can subvert information systems.
This learning lets us improve the technologies we use and/or better understand social engineering.

We stand for mutual help and personal challenge, and contribute modestly to making the end-user experience as pleasant as possible.

You can meet us on our IRC channel.
The forum is being replaced by a more modern version that is just as fallible as the old one ^^.
To date we have recorded several dozen successful hacks against our site, and that figure keeps changing. Thanks to all contributors!

The redesign is in alpha. This new platform makes it possible to pentest remotely without having your own hardware at hand.
By running Python scripts connected over WebSocket to the web UI, we can drive the loading of
attack/defense scenarios in "multiplayer" ^^.
The system can load scripts from shared libraries and encrypt exchanges depending on the modules deployed.
In the articles section you will find many tutorials to better understand computer security,
as well as various more advanced articles.
Hacker
  • Sniffing
  • Cracking
  • Buffer overflow
  • Exploit development
  • Social engineering
  • Anonymity on the web, spoofing
  • Proxy bypass, firewall bypass
  • Code injection: SSI, SQL, etc.
  • Using exploits, writing scripts (PHP, IRC, Perl)
We recommend that you sniff your network while browsing the site. The redesign will provide you with tooling for carrying out your attacks/defenses.




Challenges
You can also take part in many challenges that are constantly renewed (where possible :p)
Lately, the missions related to the latest open-source products have been going well :)

Your ultimate challenge will be to deface HackBBS. Many vulnerabilities are present. It is up to you to find and exploit them.

This final test will show how you react when faced with a vulnerability.
Black or White? ^^

Current ezine: p45-13.txt
                              ==Phrack Magazine==



                 Volume Five, Issue Forty-Five, File 13 of 28



****************************************************************************



The 10th Chaos Computer Congress



by Manny E. Farber



  Armed only with an invitation in English addressed to the "global

community" and a small pile of German Marks, I arrived at the

Eidelstedter Buergerhaus about an hour or so before the beginning of

the 10th Chaos Communication Congress (subtitled "Ten years after

Orwell"), sponsored by the (in)famous Chaos Computer Club.  The

Buergerhaus (literally, "citizen's house") turned out to be a modest

community hall; needless to say, not all invited showed up.  The

Congress took place between the 27th and the 29th of December.  As the

title implies, social as well as technical issues were on the docket.



  After forking over 30 DM (about $20) for a pass for the first two

days of the Congress, I sort of felt like asking for a schedule, but

refrained, thinking that asking for scheduled chaos might seem a bit

odd.  I went to the cafeteria for breakfast.  An organizer started out

announcing, "Anyone who wants to eat breakfast pays 5 Marks, and gets a

stamp, which--no, rather, anyone who wants breakfast pays 5 Marks and

eats breakfast."



  The atmosphere was quite collegial and informal, with little more

order than was absolutely necessary.  The approximately 150 attendees

were predominantly German (a few from Switzerland and Holland, at least

-- and probably only -- one from the United States, namely myself),

male, and technically oriented.  (During an explanation of the

mathematical algorithm underlying electronic cash, a non-techie

objected, "But I don't want to have to think up a 200-digit random

number every time I buy something!"  It was explained to him that this

was done by software in the chip-card ...).



  Although not mentioned in the invitation, not a word of English was to

be heard; all the events were conducted in German.  Some were conducted

in a "talk show" format, with a host asking questions, simplifying

answers, making jokes.  A television network carried the video from the

auditorium to other rooms throughout the building (albeit without

sound) along with up-to-the-minute event schedules.



  The tone of the discussions of how electronic cash could be

embezzled, or chip cards abused, digital signatures forged, etc., was

constructive rather than destructive.  And it was balanced, i.e. not

only "how could a malicious individual embezzle money?" was discussed,

but also "how could the government use chip cards to reduce people's

privacy?"  Here, the "hackers" were hackers in the positive sense of

understanding a technology, not in the negative sense of wreaking

havoc.  It was, however, noted that trying out a potential weakness of

the "EuroScheck" cash cards was quite easy:  it would require buying a

card reader for 1,500 DM and maybe a week of time.



  The question of technical solutions to "big brother" did come up in

the presentations about chip cards.  The danger is that a pile of cards

is eliminated in favor of a card containing someone's driver's license,

driving record (maybe), employee information, credit information, etc.

etc.  A chip card could theoretically be programed to give out *only*

the information absolutely necessary, e.g. telling a policeman only

that someone is allowed to drive, without disclosing his identity.



  The "Hackzentrum" (Hacking Center) turned out to be a room filled

with networked computers and people hacking on them.  It seemed mostly

harmless.  (I nevertheless did not try a remote login -- I had no

reason to doubt good intentions, but on the other hand, who knows who

wrote or replaced the keyboard driver and what sort of supplemental

functionality it might have?)  The packet radio room had a "Digi"

repeating station and, true to the ham radio tradition, where the

conversation centers on who is talking to whom and how well they hear

each other and on what other frequency they might hear each other

better, the computers attached were mostly displaying maps of the

packet radio network itself.  I didn't delve very deeply into the

"Chaos Archive," but noticed a collection of maintenance sheets for

telephone equipment among CCC newsletters and other paraphernalia.



  Some "signs of the Congress":



    - Bumper sticker:  "I (heart) your computer"

    - Telephone stickers:  "Achtung, Abhoergefahr" ("Attention,

      Eavesdropping danger"); and the German PTT logo transformed into a

      pirate insignia, with the words "Telefun - Mobilpunk" (derived from

      "Telefon - Mobilfunk")

    - T-shirt:  "Watching them (eye-ball) watching us"

    - Post-It Note pad (for sale for DM 1.50):  a pad of about 50,

      pre-printed with a hand-written note:  "Vorsicht, Stoerung.

      Automat macht Karte ungueltig" ("Careful--Defect. Machine makes

      card invalid")

    - Word coinage:  "Gopher-space"

    - Stamp:  "ORIGINALE KOPIE" ("ORIGINAL COPY")



  The press were told not to take pictures of anyone without their

explicit permission.



  Schedules were distributed throughout the Congress.  By the evening

of the 27th, a schedule for the 28th, "Fahrplan 28.12 Version 2.0," was

already available ("Fahrplan" means a bus/train schedule; this is

presumably an "in" joke).  By 17:30 on the 28th, "Fahrplan 28.12

Version 2.7" was being distributed.  (I missed most of the intervening

versions; presumably they were neatly filed away in the Chaos Archive

by then ...)



  The scheduled events (in translation) were as follows; a "*" means

that I have included some comments later in this report:





December 27, 1993



- Welcoming/opening

- How does a computer work?

- ISDN:  Everything over one network

- Internet and multimedia applications:  MIME/Mosaik/Gopher

- Data transport for beginners

- Chip-cards:  Technology

* Media and information structures:  How much truth remains?  Direct

  democracy:  information needs of the citizen

- Encryption for beginners, the practical application of PGP

* Alternative networks:  ZAMIRNET, APS+Hacktic, Green-Net, Knoopunt,

  Z-Netz and CL





December 28, 1993



- Encryption:  Principles, Systems, and Visions

- Modacom "wireless modem"

- Electronic Cash

- Bulletin board protocols: Functional comparison and social form, with the

  example of citizen participation

- Discussion with journalist Eva Weber

- Net groups for students, Jan Ulbrich, DFN

* What's left after the eavesdropping attack?  Forbidding encryption?

  Panel:  Mitglied des Bundestags (Member of Parliament) Peter Paterna,

  Datenschutz Beauftragter Hamburg (Data privacy official) Peter Schar,

  a journalist from Die Zeit, a representative from the German PTT, a

  student writing a book about related issues, and a few members of the

  Chaos Computer Club

- Cyber Bla:  Info-cram

* How does an intelligence service work?  Training videos from the

  "Stasi" Ministerium fuer STAatsSIcherheit (Ministry for National Security)

- System theory and Info-policies with Thomas Barth

- Science Fiction video session:  Krieg der Eispiraten

  ("War of the ice pirates")





December 29, 1993



- Thoughts about organization ("Urheben")

- Computer recycling

- Dumbness in the nets:  Electronic warfare

- Lockpicking:  About opening locks

- The Arbeitsgemeinschaft freier Mailboxen introduces itself

- In year 10 after Orwell ... Visions of the hacker scene





-------------------------------------------------------------------------------

THE EAVESDROPPING ATTACK



  This has to do with a proposed law making its way through the German

Parliament.  The invitation describes this as "a proposed law reform

allowing state authorities to listen in, even in private rooms, in

order to fight organized crime."  This session was the centerpiece of

the Congress.  Bayerische Rundfunk, the Bavarian sender, sent a

reporter (or at least a big microphone with their logo on it).  The

panel consisted of:



MdB - Mitglied des Bundestags (Member of Parliament) Peter Paterna

DsB - Datenschutz Beauftragter Hamburg (Data privacy official) Peter Schar

Journalist - from Die Zeit

PTT - a representative from the German PTT

Student - writing a book about related issues

CCC - a few members of the Chaos Computer Club



  My notes are significantly less than a word-for-word transcript.  In

the following, I have not only excerpted and translated, but

reorganized comments to make the threads easier to follow.





  IS IT JUSTIFIED?



MdB - There is massive concern ("Beunruhigung") in Germany:  7 million

crimes last year.  Using the US as comparison for effectiveness of

eavesdropping, it's only applicable in about 10-20 cases:  this has

nothing to do with the 7 million.  The congress is nevertheless

reacting to the 7 million, not to the specifics.  In principle, I am

opposed and have concerns about opening a Pandora's box.



CCC #1 - The 7 million crimes does not surprise me in the least.  I am

convinced that there is a clear relationship between the number of laws

and the number of crimes.  When you make more laws, you have more

crimes.  Every second action in this country is illegal.



Journalist - Laws/crimes correlation is an over-simplification.  There

are more murders, even though there are no more laws against it.



MdB - There is a conflict between internal security, protecting the

constitution, and civil rights.  How dangerous  is 6 billion Marks of

washed drug money to the nation?  Taking the US as an example, the

corrosion may have gone so far that it's too late to undo it.  I hope

that this point hasn't been reached yet in Germany.



DsB - I am worried about a slippery slope.  There is a tradeoff between

freedom and security, and this is the wrong place to make it; other

more effective measures aren't being taken up.





  EFFECTIVENESS OF CONTROLS ON EAVESDROPPING



MdB - Supposedly federal controls are effective.  Although there are

very few eavesdropping cases, even if you look at those that are

court-approved, it's increasing exponentially.  No proper brakes are

built into the system.  As for controls for eavesdropping by the

intelligence service, there is a committee of  three members of

parliament, to whom all cases must be presented.  They have final say,

and I know one of the three, and have relatively much trust in him.

They are also allowed to go into any PTT facility anytime, unannounced,

to see whether or not something is being tapped or not.



MdB - Policies for eavesdropping:  if no trace of an applicable

conversation is heard within the first "n" minutes, they must terminate

the eavesdropping [...]  The question is, at which point the most

effective brakes and regulations should be applied:  in the

constitution?  in the practice?



PTT - True, but often the actual words spoken are not important, rather

who spoke with whom, and when.



DsB - There is no catalog for crimes, saying what measures can be

applied in investigating which crimes.  It's quite possible to use them

for simple crimes, e.g. speeding.  There is no law saying that the PTT

*has to* store data; they *may*.  They can choose technical and

organizational solutions that don't require it.



MdB - This is a valid point, I don't waive responsibility for such

details.  The PTT could be required to wipe out detailed information as

soon as it is no longer needed, e.g. after the customer has been billed

for a call.





  TECHNICAL TRENDS



Journalist - Digital network techniques make it easy to keep trails,

and there is an electronic trail produced as waste product, which can

be used for billing as well as for other purposes.  Load measurements

are allowable, but it can also be used for tracking movements.



DsB - The PTT claims they need detailed network data to better plan the

network.  The government says they need details in order to be able to

govern us better.



DsB - In the past, the trend has always been to increasingly

identifiable phone cards.  There is economic pressure on the customer

to use a billing card instead of a cash card, since a telephone unit

costs less.  With "picocells," your movement profile is getting more

and more visible.



PTT - As for the trend towards less-anonymous billing-cards:  with the

new ISDN networks, this is necessary.  Billing is a major cost, and

this is just a technical priority.



Student - As for techniques to reduce potential for eavesdropping, it

is for example technically possible to address a mobile phone without

the network operator needing to know its position.  Why aren't such

things being pursued?



PTT - UMTS is quite preliminary and not necessarily economically

feasible.  [Comments about debit cards].  We have more interest in

customer trust than anything else. But when something is according to

the law, we have no option other than to carry it out.  But we don't do

it gladly.





  THE BIG CONSPIRACY?



CCC #2 - I don't give a shit about these phone conversations being

overheard.  I want to know why there is such a big controversy.  Who

wants what?  Why is this so important?  Why so much effort?  Why are so

many Mafia films being shown on TV when the eavesdropping law is being

discussed?  What's up?  Why, and who are the people?



Student - I am writing a book about this, and I haven't figured this

out myself.  My best theory:  there are some politicians who have lost

their detailed outlook ("Feinbild"), and they should be done away with

("abgeschaffen").



PTT - We're in a difficult position, with immense investments needed to

be able to overhear phone conversations [in digital networks (?)].  We

have no interest in a cover-up.



MdB - As for the earlier question about what NATO countries may do.

During the occupation of Berlin, they did what they wanted on the

networks.  In western Germany, it has always been debated.  Funny

business has never been proved, nor has suspicion been cleared up.



CCC #2 - After further thought, I have another theory.  American

companies are interested in spying on German companies in order to get

a jump on their product offerings.



MdB - That's clear, but there are more benign explanations.  Government

offices tend towards creating work.  Individuals are promoted if their

offices expand, and they look for new fields to be busy in.  In Bonn,

we've gone from 4,000 people to 24,000 since the 50's.



CCC #1 (to MdB) - Honestly, I don't see why you people in Bonn are

anything other than one of these impenetrable bureaucracies like you

described, inaccessible, out of touch with reality, and interested only

in justifying their own existence.



MdB - Well, *my* federal government isn't that.





  CLIPPER CHIP CONTROVERSY



Student - Observation/concern:  in the US, AT&T's encryption system is

cheap and weak.  If this becomes a de facto standard, it is much harder

to introduce a better one later.



Journalist - In the US, the Clipper chip controversy has centered more

on the lost business opportunities for encryption technology, not on

principles.  There every suggestion for forbidding encryption has

encountered stiff opposition.



Student -  As for the Clipper algorithm, it's quite easy to invite

three experts to cursorily examine an algorithm (they weren't allowed

to take documents home to study it) and then sign-off that they have no

complaints.



Journalist - As for the cursory rubber-stamping by the three experts

who certified the Clipper algorithm, my information is that they had

multiple days of computing on a supercomputer available.  I don't

see a problem with the algorithm.  The problem lies in the "trust

centers" that manage the keys.  I personally don't see why the whole

question of cryptology is at all open ("zugaenglich") for the

government.





  CONCLUDING REMARKS



DsB - The question is not only whether or not politicians are separated

from what the citizens want, but also of what the citizens want.

Germans have a tendency to value security.  Different tradition in

the US, and less eavesdropping.  I can imagine how the basic law

("Grundgesetz") could be eliminated in favor of regulations designed to

reduce eavesdropping, the trade-off you (MdB) mentioned earlier.  The

headlines would look like "fewer cases of eavesdropping", "checks built

in to the system," etc., everyone would be happy, and then once the law

has been abolished, it would creep back up, and then there's no limit.



MdB - (Nods agreement)



CCC #2 - There are things that must be administered centrally (like the

PTT), and the government is the natural choice, but I suggest that we

don't speak of the "government," but rather of "coordination."  This

reduces the perceived "required power" aspect ... As a closing remark,

I would like to suggest that we take a broader perspective, assume that

a person may commit e.g. 5,000 DM more of theft in his lifetime, live

with that, and save e.g. 100,000 DM in taxes trying to prevent this

degree of theft.



-------------------------------------------------------------------------------

MEDIA AND INFORMATION STRUCTURES



  In this session, a lot of time was wasted in pointless philosophical

discussion of what is meant by Truth, although once this topic was

forcefully ignored, some interesting points came up (I don't

necessarily agree or disagree with these):



- In electronic media, the receiver has more responsibility for judging

truth placed on his shoulders.  He can no longer assume that the sender

is accountable.  With "Network Trust," you would know someone who knows

what's worthwhile, rather than filtering the deluge yourself.  A

primitive form of this already exists in the form of Usenet "kill" files.



- A large portion of Usenet blather is due to people who just got their

accounts cross-posting to the entire world.  The actual posting is not

the problem, rather that others follow it up with a few dozen messages

debating whether or not it's really mis-posted, or argue that they

should stop discussing it, etc.  People are beginning to learn however,

and the ripple effect is diminishing.



- Companies such as Microsoft are afraid of the Internet, because its

distributed form of software development means they are no longer the

only ones able to marshal 100 or 1,000 people for a windowing system

like X-Windows or Microsoft Windows.



- If someone is trying to be nasty and knows what he's doing, a Usenet

posting can be made to cost $500,000 in network bandwidth, disk space, etc.



- At a Dutch university, about 50% of the network bandwidth could have

been saved if copies of Playboy were placed in the terminal rooms.

Such technical refinements as Gopher caching daemons pale in comparison.



- All e-mail into or out of China goes through one node.  Suspicious,

isn't it?



-------------------------------------------------------------------------------

ALTERNATIVE NETWORKS



  Several people reported about computer networks they set up and are

operating.  A sampling:



  APS+Hacktic - Rop Gonggrijp reported about networking services for the

masses, namely Unix and Internet for about $15 per month, in Holland.

There are currently 1,000 subscribers, and the funding is sufficient to

break even and to expand to keep up with exponential demand.



  A German reported about efforts to provide e-mail to regions of

ex-Yugoslavia that are severed from one another, either due to

destroyed telephone lines or to phone lines being shut off by the

government.  A foundation provided them with the funds to use London

(later Vienna), which is reachable from both regions, as a common node.



  The original author of the Zerberus mail system used on many private

German networks complained about the degree of meta-discussion and how

his program was being used for people to complain about who is paying

what for networking services and so forth.  He said he did not create

it for such non-substantial blather.  The difference between now and

several years ago is that now there are networks that work,

technically, and the problem is how to use them in a worthwhile manner.



  A German of Turkish origin is trying to allow Turks in Turkey to

participate in relevant discussions on German networks (in German) and

is providing translating services (if I heard right, some of this

was being done in Sweden).  This killed the rest of the session,

which degenerated into a discussion of which languages were/are/should

be used on which networks.



-------------------------------------------------------------------------------

HOW AN INTELLIGENCE SERVICE WORKS:  STASI TRAINING VIDEOS



  The person introducing the videos sat on the stage, the room

darkened.  The camera blotted out his upper body and face; all that was

to see on the video, projected behind him, was a pair of hands moving

around.



  It apparently didn't take much to earn a file in the Stasi archives.

And once you were in there, the "10 W's:  Wo/wann/warum/mit wem/..."

("where/when/why/with whom/...") ensured that the file, as well as

those of your acquaintances, grew.



  The videos reported the following "case studies":



  - The tale of "Eva," whose materialistic lifestyle, contacts with

Western capitalists, and "Abenteuerromantik" tendencies made her a

clear danger to the state, as well as a valuable operative.  She swore

allegiance to the Stasi and was recruited.  Eventually the good working

relationship deteriorated, and the Stasi had to prevent her from trying

to escape to the West.  The video showed how the different parts of the

intelligence service worked together.



  - A member of the military made a call to the consulate of West

Germany in Hungary.  The list of 10,000 possible travellers to Hungary

in the relevant time frame was narrowed down to 6,000 on the basis of a

determination of age and accent from the recorded conversation, then

down to 80 by who would have any secrets to sell, then down to three

(by hunch?  I don't remember now).



  One video showed how a subversive was discreetly arrested.  Cameras

throughout the city were used to track his movements.  When he arrived

at his home, a few workers were "fixing" the door, which they claimed

couldn't be opened at the moment.  They walked him over to the next

building to show him the entrance, and arrested him there.  A dinky

little East German car comes up, six people pile into it.  Two

uniformed police stand on the sidewalk pretending nothing is happening.





Manifesto
The purpose of this site is to better understand computer security.
A hacker, by definition, is a person who seeks to improve information systems with the sole aim of contributing to the stability of those systems!
Popular belief has it that hackers are pirates.
That is true. But there are different kinds of pirate.
Just as there are different kinds of people.
The usual misdeeds that come to mind when the term "computer pirate" is mentioned
would be hacks of MSN accounts, computers cowardly trojaned with ready-made exploits,
and can spamming even be classed as a hack
when ready-made scripts have been doing it extremely well for more than 15 years?

Hackers are not the ones doing that!!!
We call these people lamers when they are bad,
or black hats when they are skilled at carrying out their misdeeds.
No self-respect - No dignity
They act out of disgust, revenge or simple pleasure.
The reasons can be many, and I do not claim to have to judge anyone.
I just think that one should not use Fly's sword to commit injustices.
It is 100 times more rewarding to improve a system than to trample a sandcastle... even if trampling a sandcastle is fun :P
It is up to you to find your own fun. ;)

You can respond on the shootbox


Disclaimer: You must read the rules below before browsing this site.
In accordance with the provisions of the various laws in force concerning fraudulent intrusion into and presence on a site, and theft and/or falsification of data.
You must under no circumstances put into practice the techniques presented on this site, which are provided solely for education and research in the field of data protection.
You must under no circumstances use what you discover, unless you have written authorization from a site's administrator or the administrator has opened an account for you solely for vulnerability research.
All of this is forbidden and illegal; do not do anything reckless.
You therefore accept that the administrator of this site is in no way responsible for any of your actions. Otherwise, leave this site.
You are bound by this disclaimer.
AND AS SUCH, NEITHER THE COMMUNITY, NOR THE ADMINISTRATOR, NOR THE HOSTING PROVIDER CAN OR WILL BE HELD RESPONSIBLE FOR YOUR ACTIONS.