Plateforme de Hacking


HackBBS.org est une communauté faisant évoluer un système de services vulnérables.

Nous apprenons à exploiter de manière collaborative des solutions permettant de détourner les systèmes d'informations.
Cet apprentissage nous permet d'améliorer les technologies que nous utilisons et/ou de mieux comprendre l'ingénierie social.

Nous défendons les valeurs de l'entraide, du challenge personnel et contribuons modestement à rendre l'expérience des utilisateurs finaux la plus agréable possible.

Vous pouvez nous rencontrer via notre salon irc.
Le forum est en cours de remplacement par une version plus moderne, et tout aussi faillible que l'ancien ^^.
A ce jours nous enregistrons plusieurs dizaines de hack réussi contre notre site, et ce chiffre est en constante évolution. Merci a tous les contributeurs!

La refonte est en version alpha. Cette nouvelle plateforme permet de pentester à distance sans avoir son matériel à disposition.
Via l'exécution de scripts python connecté en websocket à l'ihm web, nous pouvons piloter le chargement de scénario
d'attaque/défense en "multijoueur" ^^.
Le système permet de charger des scripts de bibliothèques partagées et de chiffrer les échanges selon les modules déployés.
Vous trouverez dans la rubrique article de nombreux tutoriels afin de mieux comprendre la sécurité informatique,
ainsi que différents articles plus poussés.
Hacker
  • Sniffing
  • Cracking
  • Buffer overflow
  • Créations d'exploits
  • Social engineering
  • L'anonymat sur le web, spoofing
  • Bypass-proxy, Bypass-firewall
  • Injection de code SSI, SQL, etc...
  • Utilisation d'exploits, création de scripts(php, irc, perl)

Nous vous recommandons de sniffer votre réseau lors de votre navigation sur le site. La refonte vous fournira un outillage pour réaliser vos attaques/défenses.

Challenges
Vous pourrez également participer à de nombreux challenges
Dernièrement, les missions relativent aux derniers produits open sources marchent bien :)

Votre ultime challenge sera de défacer HackBBS. De nombreuses failles sont présentes. A vous de les trouver et de les exploiter.

Cet ultime test permettra de constater votre réactions face à une faille.
Black ou White? ^^

Ezine du moment: cdc027.txt

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=  


          _   _                                            _   _
         ((___))                                          ((___))
         [ x x ]           cDc communications             [ x x ]
          \   /                presents...                 \   /
          (` ')                                            (` ')
           (U)                                              (U)                  


                       Frankie's Fireside Phreak Primer
                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             A few words of advice that apply to phreaks every-
             where.  Whether a telecom veteran, or a K0dez Kid,
             the following guidelines may keep you out of trouble
             and make life in the Computer Underground a little
             more pleasant. Brought to you by the CULT, o'course.

       >> A CULT Publication by High Priest and Scribe, Franken Gibe <<
            -cDc- Cult of the Dead Cow Dissemination Council -cDc-
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
I think we could all use a little refresher on Phreak Safety and Hygiene. It
seems that phreaks are getting more and more careless...and it's when you think
you can't get caught that...yeah: You do. Most of you know these, or think
about them occasionally, but try to put the following stuff into practice. A
Safe Phreak is an Informed Phreak; A Safe Phreak is a Phreak who Respects the
Telecom Medium.  Those are trite epigrams, but very true.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

1) Due to the proliferation of Traffic Pattern Monitoring software among
independent carriers, it is DEADLY to scan. If you must scan, NEVER use big
name IC's (notably MCI [Real Time Toll Fraud Detection System], U.S. Sprint
[those 950's are NOT fun-and-games], etc). If you MUST scan, remember these few
commandments:
   A) Thou shalt never scan sequencially.
   B) Thou shalt never scan in predictable or detectable patterns.
   C) Thou shalt never scan a single access port all night, in closely-spaced    

      increments. Best not to scan. Best to have some little kid who doesn't
      know you scan.

2) Alternate codes as MUCH as you can. Using a code-a-call isn't a bad idea if 
you have those kinds of resources.  Coupled with the no-scanning doctrine, 
though, notebooks full of codes will not be so common.

3) This is the important corollary to number 2...NEVER EVER EVER overuse codes, 
nor use codes that you've abused earlier in a given month later on in the same 
month (generally, after the 20th, when d'bills start to roll out). 

4) Do as MUCH remote phreaking as is humanly possible. If you can roll your 
computer out to some fortress fone, and hook up an acoustic coupler, AND not 
attract attention...Go for it. (Heck, I'd do it!)

5) Local access ports and AT&T WATS access ports are generally safer than
950's. WATS #'s owned by Ind. Carriers are DEADLY. Here's a little list of
advantages and disadvantages of all the above...

   A) Local Access Ports:
      Depending on the size of the LDS, these ports can be more or less safe.
      Almost NEVER have any sort of ANI hooked up, but if abuse becomes
      notable, they CAN install an incoming trap, discover a phreak's Central
      Office Code, and then put an outgoing trap in his CO. After that, it's
      only a matter of time.  Traffic Pattern software can give an LDS a good
      idea of what action it needs to take.

   B) AT&T WATS numbers: Not a free ride by ANY means, but generally pretty 
      safe. According to No Severance, AT&T WATS lines receive no ANI 
      information. Like the local ports, the area from which a phreak is 
      calling can be determined, but abuse would have to be pretty dramatic.
      Between local and AT&T WATS, I'd take WATS ("But what about the 800 
      Excessive Calling List?" Well, if it exists, then it's best not to use
      WATS too much...i.e. Do NOT Scan).

   C) Most 950's are safe, contrary to popular belief. There are a number of 
      Feature Groups into which these numbers fall. I don't really remember 
      what they are, and it doesn't really matter. I just wouldn't be too
      anxious to use these 'cause they're sorta bizarre, and they're VERY 
      abused (never a good thing). But if you must, it's better than...

   D) Independent Carrier-Owned WATS numbers: God, DO NOT use these. When an IC
      owns its own carrier, it receives KP + II + 10Dig (YOUR phone number) +
      ST. In other words, these guys are generally ANI equipped. How can you
      tell? Well, if you've got an 800 access port, and the exchange is NXX 
      (i.e., you've got a number :1-800-NXX-XXXX), then FIRST dial 
      1-800-NXX-0000. If you get the "You have reached the AT&T Long Distance 
      Network" recording, the # is AT&T. If you get a "Your call cannot be 
      completed " recording, DO NOT use that WATS number. Simple. 

6) [or whatever number...sigh]  PLEASE...for your own good, and that of 
Phreakdom, DO NOT advertise what you do. Yeah, some kids at school might think 
it's pretty k-radical. Those same kids are the ones to nark, or to mention 
stuff to the friendly administrators should they ask around. The less 
non-phreaks know the better.  Keep your MOUTH SHUT. That reminds me of poor
Disk Demon [of 915]. The kid really wasn't expecting trouble, but he made the 
fatal mistake of talking: probably to someone he trusted, and probably he 
didn't say much. All he mentioned was bringing a disk to school the next day to
a school chum and that was all the cops needed to search his house, and 
bam...they have him with telecom fraud evidence.  But that was all it took. The
cops don't need much to get a warrant to monitor your telfo. It's a scary
reality in a nation that takes less and less seriously the Bill of Rights.

8) NEVER phreak voice calls. Sigh. I know, I'm sure there are a thousand 
screams of "Oh, COME ON, that's going too far". Okay, let me qualify that, 
then. Voice-phreak only if you're 1) sure you're not monitored (and who is ever 
sure?) and  2) know that the recipient can handle possible threats and 
unpleasantness from the friendly operator who may give him a buzz.  Feds and
investigators ain't stupid...or at least, not THAT stupid. As long as no one
admits anything, it's okay. But the minute you start voice-phreaking, you open
a lot of loose ends. Some suggestions, then, for voice phreaking:
   A) Try to remain anonymous. Not too hard.
   B) IF you're talking to strangers, don't mention where you're calling from,   

      much less leave a number. Yeah, just common sense.
   C) Don't talk about phreaking over the line if you don't think the line is    

      secure. Duh!
   D) If you trust the kid you're calling, tell him you've phreaked a call to    

      him. Ask him if it's "cool". Make sure he can handle possible (and      
      usually improbable) inquiries. Make sure his 'rents know NOTHING. 

9) That's another thing. This doesn't have to do with safe phreaking, but with 
keeping phreaks safe. Know what you'll say if you ever get called by an 
operator or investigator type. If you have a bbs or data line, great. If not, 
have a story ready and rehearsed. When you think about it, it IS kinda hard for 
these people to believe that you don't know WHO called you for 5 hours last 
Sunday night...be prepared. (Ee! Boy scouts rule.) Okay, that's it for for now.
If you have any more suggestions, leave me mail on 

Manifest
Le but de ce site est de mieux comprendre la sécurité informatique.
Un hacker par définition est une personne qui cherche à améliorer les systèmes d'information dans le seul et unique but de contribuer à la stabilité de ces systèmes!
La croyance populaire laisse entendre que les hackers sont des pirates.
C'est vrai. Mais il y a différents types de pirate.
Tout comme il y a différents types de personnes.
Les bavures courantes auxquelles on pense lorsqu'on évoque le terme de pirate informatique
seraient les hacks de compte msn, ordinateurs lâchement trojantés avec des exploits déjà tous faits
et encore peut-on classifier en tant que hack le fait de spammer
alors que depuis plus de 15 ans des scripts tous faits le font extrêmement bien?

Ce ne sont pas des hackers qui font ça!!!
Nous appelons ces gens des lammers! Quand ils sont mauvais,
ou des black hat lorsqu'ils sont doués dans la mise en application de leurs méfaits.
Aucun amour propre - Aucune dignité
Agissent par dégout, vengeance ou simple plaisir.
Les raisons peuvent être nombreuses et je ne prétends pas devoir juger qui que ce soit.
Je pense juste que l'on ne doit pas utiliser l'épée de fly pour commettre des injustices.
Il est 100 fois plus profitable d'améliorer un système que de marcher sur un château de sable... même si marcher sur un château de sable est rigolo :P
A vous de trouver votre amusement. ;)

Tu peux réagir sur la shootbox


Disclaimer Veuillez lire obligatoirement les règles ci-dessous avant de consulter ce site.
Conformément aux dispositions des différentes lois en vigueur, intrusions et maintenances frauduleuses sur un site, vol et / ou falsification de données.
Vous ne devez en aucun cas mettre en application les stratagèmes mis en place par ce site, qui sont présentés uniquement à titre d’éducation et de recherche dans le domaine de la protection de données.
Vous ne devez en aucun cas utiliser ce que vous aurez découvert, sauf si vous avez une autorisation écrite de l’administrateur d’un site ou que celui-ci vous ai ouvert un compte uniquement pour la recherche de failles.
Tout cela est interdit et illégal ne faites pas n'importe quoi.
Vous acceptez donc que l'administrateur de ce site n'est en aucun cas responsable d'aucun de vos actes. Sinon quittez ce site.
Vous êtes soumis à ce disclaimer.
ET À CE TITRE, NI LA COMMUNAUTÉ, NI L'ADMINISTRATEUR, NI L'HÉBERGEUR, NE POURRONT, NI NE SERONT RESPONSABLE DE VOS ACTES.