<=-------------------------------------------------------------------------=>

[ASCII-art title banner]   ISSUE03   OCTOBER 1999   L A U G H I N G

<=-------------------------------------------------------------------------=>

Presented By: ALOC - Australias Legion of Cyberpunkz

Web:/ http://www.aloc.cc
Email:/ phrost_byte@hotmail.com

<=-------------------------------------------------------------------------=>

'visiting time is over, so we walk away' -= The Cure =-

<=-------------------------------------------------------------------------=>

Contents
--------

1.0 -[ Welcome ]-
    1.1 - Introduction......................................Phrost Byte
    1.2 - About ALOC
2.0 -[ News ]-
    2.1 - Enough is Enough Telstra!.............................^OpTix^
3.0 -[ Hacking ]-
    3.1 - .bash_history.......................................anonymous
    3.2 - grep..............................................Phrost Byte
4.0 -[ Phreaking ]-
    4.1 - Breaking into Telstra Exchanges...................Epic Target
    4.2 - Sydney Exchange Locations..........................Lord Hades
    4.3 - Superlink.........................................Phrost Byte
5.0 -[ Anarchy ]-
    5.1 - Fun With Security Tags..................................Ikari
    5.2 - Sending Fake Email.....................................[R]yde
6.0 -[ Challenge ]-
    6.1 - JavaScript Password Box Continued.................Phrost Byte
7.0 -[ Conclusion ]-

<=-------------------------------------------------------------------------=>

1.0 -[ Welcome ]-
-----------------

1.1 - Introduction

Issue 3... finally. An issue that I didn't write more than 70% of the articles. Morpheus will not be released on a set date, it will be released when I receive enough info to compile another issue. If you have something you would like printed please send it in.. or if I have contained something in a previous issue that you feel you should have credit for, or it is incorrect, please let me know and I will make the due alterations.

Enjoy the rest of the e-zine.

- Phrost Byte

1.2 - About ALOC / Morpheus

ALOC started off as a group, but it didn't work out. So I went back to my original idea.. and that was to create a place where Australian hackers and phreakers could meet together, trade information, and learn.
So that is what ALOC has become, a place to get information and talk to others of similar interests. In general it has become a Network.

Morpheus is part of the above, and it compiles a lot of what would be little texts into one large one, which would otherwise be quite time consuming to write separate small files on.

This magazine in its electronic form can not be sold without prior permission from the authors. It also may not be spread via any sort of Public Domain, Shareware or CD-ROM package.

<=-------------------------------------------------------------------------=>

2.0 -[ News ]-
--------------

2.1 - Enough Is Enough Telstra by OpTiX^

I am absolutely sick of seeing headlines like this "Telstra denies EasyCall hard sell." Well of course they're going to deny it. Would you admit that your employees have been signing up thousands of unsuspecting customers for easycall options they didn't select? Basically Telstra don't give a fuck what you think so long as they have your hard earned money in their pockets.

Telstra are ripping you off and most of you don't even know it. For example 8 Number Abbreviated Dialling costs $3 a month. To the best of my knowledge all it takes to set this up is to send someone down to the exchange and set that option to enabled on the computer. Or take payphones for example, I'm not exactly sure how much they cost to produce but the C4's (Goldphones) used to sell for under $1000. As reported by Phrost last issue, some X1/X2's ("Smart" Phones) have recorded 1 - 2 million dollars worth of calls being made since installation. And Telstra throw a big temper tantrum when they find out they've lost a couple of dollars from vandals or phreakers (there is a big difference between phreaking and petty vandalism). That just goes to show how much Telstra wants your money.

Well enough is enough, it's high time that Telstra learned that we're not as stupid as they think we are. Do anything that you think will help make them learn that we can not be bullied anymore. One point to consider though is that the easiest way of being caught by the AFP is bragging about what you've done to everyone. If you're going to brag then at least brag to people you trust, that way there's less chance of being caught.

BTW In case anyone is wondering where DataKing found those Phreaking laws in Neurocactus 7, those laws are listed in the Crimes Act 1914, Part VIIB, Sections 85ZB to 85ZKB.

This is my version of the article I read (the headline one I was talking about earlier in this article).

Telstra received thousands of complaints when people opened their bills to see that they'd been charged for easycall options that they did not want. Telstra claims that they've only sacked one employee (at the time of writing) but the Union (god bless them) claim 30 employees have been given the sack over this incident. The employees of the Burwood call centre in Melbourne have been told to increase their productivity by 400% which is an impossible figure to reach. The secretary of the CEPU's communications division, Len Cooper, said "This is a case of management scapegoating its workers in the most brutal and blatant fashion." Telstra, of course, deny this but have said the sales staff have been told to become "more sales focused" in the tougher, competitive environment.

Well I'd say Telstra has a lot of explaining to do. As the motto of telstra.is.lame.nu says "Making Life Sleasier." I'd say that's 100% true. So next time you ring Telstra try to remember this, most employees are actually nice people who are being overworked by their superiors. The only real assholes in Telstra are the ones sitting upstairs in the corporate headquarters counting our money or the ones who are trying to hunt us down (you know who you are).
<=-------------------------------------------------------------------------=>

3.0 -[ Hacking ]-
-----------------

3.1 - .bash_history by anonymous

A simple way of getting accounts, even though it's impractical and should be used as a last resort, is to look at users' .bash_history and .history files that are stored in their $HOME. It is surprising how easy it is to access other people's private information by looking at their logs.

By default any file that's been created by the user is set chmod 744, this lets anyone read the file if they have the same group privileges as that user. Same goes when a new user first logs in, the /etc/skel files are copied to their home and .bash_history will be created when the user logs in next time, assuming it's a bash shell (Bourne Again).

Inside the .bash_history you might be lucky enough to find some typos of passwords, here's some examples of what you might want to look for:

    aloc:/home/victom# cat .bash_history
    tenlet whitehouse.gov          /* misspelt */
    telnet whitehouse.gov
    :
    cat /etc/passwd
    ls
    cd ..
    more /var/log/messages
    :
    login Lewinsk1                 /* login as user Lewinsk1 */

If there are many users on the system you may want to use grep:

    aloc:~# grep telnet /home/*/.bash_history | more
    /home/victom1/.bash_history:telnet whitehouse.gov
    /home/victom2/.bash_history:telnet
    /home/victom3/.bash_history:telnet fed.gov.au

If you're looking for some 0 GID or even root you look for:

    aloc:~# grep su /home/*/.bash_history /root/.bash_history | more

or even:

    aloc:~# grep passwd /home/*/.bash_history /root/.bash_history | more

It may be a good choice if you find some that look promising enough then have a look at the file, it may take a while to find anything but it's up to you if you want to trade time for accounts. It's a good idea to check out the /etc/passwd to have an idea of where the home directories are located and what type of shells they use because they may vary from system to system. Also you may need to pissfart round with the login or passwd but it's up to you depending how desperate you need the accounts.

To fix this if you're a user then a simple "chmod 000 .bash_history" will do the trick. Or even "ln -sf /dev/null ~/.bash_history" does a better job.

If you're an admin then do the following:

    touch /etc/skel/.bash_history /etc/skel/.history
    chmod 700 /etc/skel/.*history
    chmod 700 /home/*/.*history    (depending on where your users home is placed)

This may be considered as a lame method of gaining accounts but I believe it's worth a mention.

Posted in by a Spaceman from outer space that wants to stay Anonymous.

3.2 - grep by Phrost Byte

All I will say is that it depends on your definition of 'hacking'. The following will increase your power in working with a Unix based system.

Grep is from a family of commands: grep, egrep, and fgrep. They all search the named input files (or standard input if no files are named) for lines containing a match to the given pattern. Each of the grep commands is basically the same, the only real difference is that egrep uses a slightly different syntax for its pattern matching, whereas fgrep uses fixed strings.

There is also another member of the grep family, and that is zgrep. Zgrep is used to search compressed files and is invoked the same way as grep.

In this text I will be detailing grep, and I feel that it is easier to learn and understand by seeing examples, so I hope to provide a lot of useful ones :)

For examples I will be using a list of Bauhaus songs.
Just cut and paste the following to a file and name it bauhaus.txt

----cut here----
The passion of lovers
Bela Lugosi's dead
She's in parties
Ziggy stardust
Wasp
Hope
King Volcano
The sanity assassin
Terror couple hill colonel
----cut here----

The syntax for grep is as follows:

    grep [options] pattern [file]

Useful options:

    -c  counts number of matching lines
    -i  ignore caps
    -n  includes the line number
    -s  suppress error messages
    -v  lines NOT matching the pattern

A simple example:

    #grep -c Z bauhaus.txt
    1

The above statement counts how many lines contain the letter Z (case sensitive) and displays the result. If I typed the following, it will display the lines:

    #grep Z bauhaus.txt
    Ziggy stardust

With the added option -v, lines NOT matching will be counted:

    #grep -vc Z bauhaus.txt
    8

and displayed:

    #grep -v Z bauhaus.txt
    The passion of lovers
    Bela Lugosi's dead
    She's in parties
    Wasp
    Hope
    King Volcano
    The sanity assassin
    Terror couple hill colonel

displayed and line numbered:

    #grep -vn Z bauhaus.txt
    1:The passion of lovers
    2:Bela Lugosi's dead
    3:She's in parties
    5:Wasp
    6:Hope
    7:King Volcano
    8:The sanity assassin
    9:Terror couple hill colonel

Options can be mixed like any other command.

Regular expressions are used to provide grep with expressions which set locations of patterns and ranges of characters (all regular expressions must be quoted).

The hat (^) means start of line, and the dollar ($) means the end of the line. To display lines ending with 's':

    #grep 's$' bauhaus.txt
    The passion of lovers
    She's in parties

To display lines not ending in 's' and also number them:

    #grep -vn 's$' bauhaus.txt
    2:Bela Lugosi's dead
    4:Ziggy stardust
    5:Wasp
    6:Hope
    7:King Volcano
    8:The sanity assassin
    9:Terror couple hill colonel

The full stop (.) represents a single character wildcard. eg the following will display any line that has any character before the 'e':

    #grep '.e' bauhaus.txt
    The passion of lovers
    Bela Lugosi's dead
    She's in parties
    Hope
    The sanity assassin
    Terror couple hill colonel

More examples:

    #grep -i '.L' bauhaus.txt      - any case, with any one character before 'L'
    #grep 'V.....o' bauhaus.txt    - V, any 5 characters, then o

The square brackets ([]) specify any one of the characters enclosed. eg, to display the lines beginning with 'T', 'W' or 'Z':

    #grep '^[TWZ]' bauhaus.txt
    The passion of lovers
    Ziggy stardust
    Wasp
    The sanity assassin
    Terror couple hill colonel

For a range of characters, use a hyphen:

    #grep '^[A-J]' bauhaus.txt
    Bela Lugosi's dead
    Hope

More examples:

    #grep '^[A-Za-z0-9]' bauhaus.txt   - all letters / numbers
    #grep '[0-9]$' bauhaus.txt         - ending with a number
    #grep -v '[a-m]$' bauhaus.txt      - lines that don't end with a-m

When the hat (^) is used in the square brackets it means 'not'. eg the following will show lines not beginning with 'A' to 'G':

    #grep '^[^A-G]' bauhaus.txt
    The passion of lovers
    She's in parties
    Ziggy stardust
    Wasp
    Hope
    King Volcano
    The sanity assassin
    Terror couple hill colonel

A wildcard can also be built with the star (*), which repeats whatever comes before it, so '.*' matches any run of characters. eg the following will display lines beginning with 'T' and ending with 's':

    #grep '^T.*s$' bauhaus.txt
    The passion of lovers

The following will display lines beginning with 'M' to 'Z' and ending in 's' or 't':

    #grep '^[M-Z].*[st]$' bauhaus.txt
    The passion of lovers
    She's in parties
    Ziggy stardust

The above was just an introduction to grep, there is a myriad of other statements, redirections (>>) and piping (|) that can be done using it.
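
One such combination, as an added example that is not part of the original e-zine: the '^' anchor and '.' wildcard applied to the mode string printed by "ls -l", to find the readable history files that section 3.1 describes and tighten them. The function names and the choice of mode 600 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reports shell history files under a homes directory that group or other
# accounts can read, by matching the "ls -l" mode string with grep.

# is_exposed FILE: succeeds when the mode string has 'r' in the group
# position (5th character) or in the other position (8th character).
is_exposed() {
    ls -ld "$1" | cut -c1-10 | grep -q -e '^-...r' -e '^-......r'
}

# audit_histories ROOT [fix]: print "MODE PATH" for every exposed history
# file in ROOT/*/. With "fix" as the second argument, chmod each one to 600.
audit_histories() {
    root=${1:-/home}
    action=${2:-report}
    for f in "$root"/*/.bash_history "$root"/*/.history; do
        # Skip unmatched globs and symlinks (e.g. a history linked to /dev/null)
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        is_exposed "$f" || continue
        if [ "$action" = fix ]; then
            chmod 600 "$f"      # owner read/write only (policy assumed here)
        else
            printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
        fi
    done
    return 0
}

# count_exposed ROOT: number of exposed files, using grep -c as a line counter.
# grep -c exits non-zero when the count is 0, so the status is normalised.
count_exposed() {
    audit_histories "$1" | grep -c '' || true
}

# Report only by default; pass another homes directory as the first argument.
audit_histories "${1:-/home}"
```

Run it as root to see every home directory; as an ordinary user it only reports files in directories that account can already list.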
From the above, you should now be able to do a lot of sorting, extracting, and removing from logs A LOT easier now ;) (grep -v /var/log/messages >> /var/log/messages.2)

<=-------------------------------------------------------------------------=>

4.0 -[ Phreaking ]-
-------------------

4.1 - Breaking into Telstra Exchanges by Epic Target

I had a problem trying to decide whether to put this article in Anarchy or Phreaking, or whether to include it at all, given the nature of it. But since it was written to aid the Phreaker in his/her pursuit of knowledge, I have placed it in this section. I know that the techniques will be used for wrong doing, and I hope you get caught >:| But to all phreaks who use it to aid themselves in the pursuit of knowledge.. good luck!

(see attached file breakex.txt)

- Phrost Byte

4.2 - Sydney Exchange Locations by Lord Hades

Lord Hades - L_Hades@hotmail.com

This List of Exchange Locations is an official Tel$tra list. It has most locations on here. However there are a few that are missing. Blame Tel$tra. If anyone can get numbers for these Exchanges, I would greatly appreciate it. Many of these Exchanges are fully Automated and have no personnel looking after them. However the major exchanges have a lot of people and Bins to Trash.
Exchange Name | LRD | Exchange Address --------------------------------------------------------------------- Arndell Park | ARDK | Lot 6 Kenoma PL Ashfield | ASHF | 11 Hercules ST Austral AUST 4th and 12 AVE Avalon AVAL 15th Old Barrenjoey RD Balgowlah BALG Sydney Rd and Woodlands St Balmain BALM Montague and Dowling ST Bankstown BANK 18 Kitchener PDE Bankstown Airport BAKA Lot 4 Marion ST Baulkahm Hills BAUL Russel and Windsor RD Berambering Park BMBG Berkshire Park BKPK Berowra BERO CNR Berwora Waters Bilpin BLPN Bells line of Road Birralee BIRR CNR Mccallums and Chilcott Blackheath BLKH Wentworth ST Blacktown BLAC 69 Fluscombe DR Blakehurst BLAK 507 Princess Highway Blaxland's Ridge BLAX Bondi BOND 16 Roscoe ST Botany BOTA 38 Tenderson RD Bringelly BRGY Lot 1 Badgery's Creek RD Brooklyn BROO Burwoood BURD 32 Railway PDE Campsie CAMP 395 Canterbury RD Canoelands CALD Carlingford CARL 413 North Rocks RD Carramar CARR 6 The Horsley DRV Castle Hill CAST Old Northern RD Castlereagh CRGH Catai CATI Chatswood CHAT Victoria AVE Chipping Norton CHIP 23 Earnest RD City East EAST 330 Liverpool ST Darlinghurst City South CYSH Colo COLO Colo Heights CHTS 219 Putty RD Como COMO 11 Ortona PDE Concord CONC 35 Yarralla ST Coogee COOG 56 Dolphin ST Cranebrook CNBK Lot 111 Borrowdale Way Cremorne CREM 219 Military RD Cronulla CRON 4 Wilbar AVE Dalley DALL Dee Why DEEW 1/7 Cumberland ST Drummoyne DRUM 60 Lyons RD Dural DURA 969 Old Northern RD Eaglevale EGVL Lot 54 Cornelian AVE Eastwood EWOO 101-105 Chatham RD Ebenezer EBEN Wilberforce and Wisemans Edensor Park ERPK 8 Bonnyrigg AVE Edgecliff EDGE 369 Edgecliff RD Emu Plains EUPS Lot 1 Russle ST Engadine ENGA 1091 Princess HWY Epping EPPI 3 Oxford ST Erskine Park ESPK Altham PL Fiddletown FIDD Hollands RD Five Dock FIVE 192 Great North RD Freeman's Reach FRCH Lot 19 Creek Ridge RD Frenchs Forest FREN 510 Warringah RD Galston GALS 47 Schools RD Glebe GLEB ST Johns RD Glenbrook GLBK Glenbrook and Haynet ST Glenorie GLEN Old Northern 
RD and Harrison Granville GRAN Maud and Hutchinson ST Grosse Vale GVLE Grossewold RD Guildford GUIL 2 Guildford RD Gunderman GDMN Wisemans Ferry RD Harboard HARB 375 Oliver ST Haymarket HMKT Hazelbrook HZBK 16 Great Western HWY Holsworthy HOLS Labuan RD Homebush HOME 68 Beresford RD Hornsby HORN 290 Pacific HWY Horsley Park HORS Hunters Hill HUHL 3 John ST Hurstville HURS 39 Bridge ST Ingleburn INGL 29 Albert ST Katoomba KTBA 144 Katoomba ST Kelly Ville KELL Old Windsor RD and Windsor RD Kemps Creek KEMP Elizabeth DRV Kensington KENS 113 Todman AVE Kent Street KNST Kenthurst KENT Kenthurst and Volunteer RD Kenthurst North KNTH Blue Gum RD Killara KILL 637 Pacific HWY Kingsgrove KING 107 Wolli ST Kograh KOGA Belgrave ST and Post Office LN Kurajong KURG Burralow RD Kurajong Heights KRJH Douglas ST Kurnell KURN 4 Bridges ST Lakemba LAKE Croydon RD Lane Cove LANE Lot 46 Burns Bay RD Lawson LWSN 4 Honour AVE Leppington LEPP Heath and Dickson ST Leura LERA Leura Mall Lidcombe LIDC 1 Taylor ST Linden LNDN Great Western HWY Lindfield LIND Beaconsfield PDE Liverpool LIVE 40 Terminus ST Llandilo LLDO Lot 31 Northern RD Lower Portland LPTD Lot 2 River RD Lundenham LUDM Lot 1 Northern RD Manly MANL Lot 21 Belgrave ST Marayla MRYA Maroota MRTA Maroota South MRTS Wisemans Ferry and Sackville Maroubra MARO Loch Maree and Story ST Mascot MASC 904 Botany RD Matraville MATR 1 Romani RD Medlow Bath MDWB ST Albians and Railway PDE Menai MENA Menai RD Miller MILL 87 Cartwright AVE Minto MINT Kent ST Miranda MIRA 576 The Kingsway Mona Vale MONA 1763 Pittwater RD Mooney Mooney MOON Pacific HWY Mosman MOSM 850 Military MT Ku-Rin-Gai MTKU Lot 1 Pacific HWY MT Wilson MTWN Queen RD Mulgoa MGOA Allan RD Narrabeen NARR 7 Windsor RD Newtown NEWT 2 Mary ST North Parramatta NPAR GLadstone and Sorrell North Richmond NHRD Beaumont RD North Ryde NRYD 165 Lane Cove RD North Sydney NSYD Mount and William ST Northbridge NBRI Eastern Valley Way Orchard Hills ORHS Bringelly RD Palm Beach PALM 856 
Barrenjoey RD Parramatta PARR 21A George ST Peakhurst PEAK 41 Beaumans RD Pendle Hill PENN 18 Pennant Hills RD Penrith PNTH 90 Henry ST Pitt Street PITT Pitt Town PITN Off Bathurst ST Potts Point POTT Mcleay and Greenknowne Pymble PYMB Lot 1 Bungalow RD Quakers Hill QUAK 3-5 Railway RD Ramsgate RAMS 28 Alice ST Randwick RAND 206 Allison RD Redfern REDF 101 George ST Regentville REVL Lot 1 Lutrell ST Revesby REVE 2 Doyle RD Richmond RCHD 314 Windsor RD Riverstone RIVE 80 Riverstone RD Rockdale ROCK 395 Princes RD Roodty Hill ROOT 115 Rooty Hill RD Rose Bay ROSE 64 Dover RD Rouse Hill ROUS Lot 180 Edwards RD Rydalmere RYDA 431 Victoria Ryde RYDE 124 Blaxland RD Sackville Reach SRCH Sackville RD Sefton SEFT 93 Carlinford RD Seven Hills SEVE 33 Brahms RD Shavely SHAL Lot 306 Noumea ST Silverwater SILV Parramatta RD Nth Lidcombe South Strathfield SSTR 481 Liverpool RD Springwood SPWD 143 MacQuarie RD ST Albans STAL MacDonald River ST Leonards STLE 524 Pacific HWY ST Marys STMA Queen ST Sutherland SUTH 40 Auburn ST Sylvania SYLV 96 Princess HWY Tennyson TNYN Terry Hills TERR Mona Vale and Aumona RD Turnbull TNBL East Kurrajong RD Undercliffe UNDE Hill ST and Livingstone RD Vaulcluse VAUC 4 Olphert AVE Wharoonga WAHR 33 Goonambarra RD Warragamba WGBA Fourth ST Warrimoo WMOO Great Western HWY Waverly WAVE 112 Bronte RD Wentworth Falls WFAL 8 Cascade ST West Wetherill Park WWPK 10 Metters PL Wetherill Park WETH 8 Kings RD Fairfield Willberforce WFCE 22 Kings ST Willoughby WILL 370 Eastern Valley RD Windsor WSOR Lot A MacQuarie Winmalee WNML 4 Singles Ridge RD Wisemans Ferry WFRY 4.3 - Superlink by Phrost Byte Thanks goes to Imortal for this information. He found it while on one of his regular trashing runs :). I typed it out. Superlink is, as Telstra say 'a new interactive free-call telephone information serivce for TSS and TPSS members'. 
It provides Telstra employees with an estimate of the value of their superannuation at a date selected for: retirement, retrenchment, or invalidity / death. It also provides a phreaker who has an employee (AGS) number and PAC (Personal Access Code), with the above information, it's not much use in the way of gaining free calls.. but it's information all the same. :P

To receive a quote, phone Superlink on 1800 620 232, and it operates from 7:00am to 7:00pm EST (Eastern Standard Time).

Menu Map:

    1 8 0 0  6 2 0  2 3 2
            |
         Welcome
            |
           [1]
            |
      Name of Scheme
        [1] TSS    [2] TPSS    [3] OTCSSS
            |
      Employee (AGS) Number
        Enter your 8-digit Employee Number, then press #
            |
      Personal Access Code
        Enter your 4-digit Personal Access Code (PAC)
            |
      Benefit Quote
        [1] ???    [2] Resignation    [3] Retirement    [4] Invalidity / Death
            |
      Date of Quote
        Enter the date of the benefit quote
        (eg, press 010796 for 1st, July, 96; for todays date press *)
            |
      Recorded Message
        You will now hear details of the benefit.
        This message will be repeated.
            |
        [0] Press 0 to exit message and speak to a Client Services Officer.
        [H] To end the call, just hang up.

    Press 0 to speak to a Client Services Officer during any of these steps.

<=-------------------------------------------------------------------------=>

5.0 -[ Anarchy ]-
-----------------

5.1 - Fun With Security Tags by Ikari (ikari_@hotmail.com)

If there is one small thing that can be used for a quick laugh, it is an adhesive security tag. What is this useful device?
I hear some of you ask. Well, it's like this. The tag itself is nondescript, you will find them most often on CDs and electrical products at your local Big W. I have often found them inside plastic wrapped CDs that I bought from Grace Bros or other stores.

It is a small square about 40mm on each side. The tag has a thin pink border which cuts across one corner to form a larger pink area. There is a trail as thick as the border leading from that corner to the centre, where it becomes a 13mm-edged square. Between the border and centre square is a spiral of thin, flat silver wire, less than a millimetre wide, which circles seven times starting from attached to the border before it meets the centre pink square.

I'm not precisely certain how it works, but I believe it is a modification of the magnetic induction principle. When one of these squares passes through a special detector (you'll most often see them at the exits of the store or electrical department) the detector registers an alteration in the magnetic field it is generating, caused by the wire spirals. This sets off a generally loud, high pitched squealing alarm, as you can imagine it is very annoying. Occasionally pushing a trolley through has a similar effect, although Big W employees are lectured that only a security tag can set off the alarms.

Already you should be beginning to see the potential for mischief that such an innovative anti-theft device can play. The icing on the cake for me is that these labels are adhesive. In their pristine form, they often come on a slip of anti-stick sheeting, complete with barcode, which the shelf-stackers peel off when they stack the CDs in those annoyingly large plastic boxes that chain stores love so much. Simply obtain one of these squares, and just like the famous 'Kick-Me' note, attach it to a friend or loved one's back and observe the mayhem when they enter the store.

Better yet, smuggle the label into the store (more on this later) and attach it to an unsuspecting passer-by. As they didn't beep on their way in, that poor person will become an immediate shoplifting suspect. Try to get some nervous fool who'll run away and get chased by security, or a boneheaded meatbrain who is as likely to hit the guard as talk to him.

How does one first get the tag into the store to do this, though? Would it not immediately go off when you enter the store? Well, no. I made this discovery accidentally the first time I tested one of these tags. I went down to my local Big W with the tag in my left pocket, wallet in my right. As I walked through the entrance, the alarm went off, as expected. I did my best to look perplexed, and the door lady asked if I'd just made that go off. I shrugged, and she asked me if I had a wallet, which was where the problems began. See, as the problem was expected to be my wallet, if I'd had the tag in there there'd be no worries. But because it was, stupidly, in my left pocket, when I left my wallet outside I'd still set the alarm off. Luckily for me the lady turned at that second to briefly address a bystander so I whipped out the tag and jammed it into my wallet. Then, when I didn't set off the alarm, we put my wallet through, and surprise, the alarm still didn't go off. I surmised that because I'd put the tag next to something metallic in my wallet (car key) that the pattern the alarm was looking for was disturbed and didn't qualify for an alarm. If anyone has a better theory, or knows more about these things, please e-mail me.

So you see it is quite easy to hide one of these things and use it later.. The chick at the department store asked if I had any cards on me, so obviously there's some expectation that they may set off alarms (despite what they tell the employees). If you can conceal a tag inside a real or mock card, or make some bullshit about the tag being part of your exclusive bank smartcard's circuitry, you can then hide the tag more effectively (though I don't know why you'd do that, concealing a slip of paper is pretty easy anyway).

Be creative! What am I supposed to do, spoonfeed you? Anyone is creative enough to come up with more complex schemes than I've put in here, but remember, the more complex the scheme, the higher the chance of failure. The best laughs come from simple pranks that pay off highly.

If you know where a person can buy these tags wholesale, or you're a store employee with access to them, e-mail me and I'll repost the information to anybody who mails me requesting it. They come in big fat rolls just like tape, with hundreds of tags on them. These tags, while useful, are hard to obtain, but one may get lucky. For instance, in Grace Bros in Sydney's Pitt Street Mall there's "bargain bins" of the shockingest 80s music ever, but they're all plastic wrapped with tags inside presumably, and the prices range from $1.50 all the way down to 10c.

[You get an unstuck security sticker when u buy a box of those 50 disks from big-w .. ie the sticker still has the backing on it.. its not stuck to anything. - ED]

When you carry off these exploits or if you have any better ones, feel free to e-mail the details to me at ikari_@hotmail.com, where I will collect them and keep them for good laughs, or perhaps repost them to anybody who requests them.

So for now, keep on stickin' it to those who deserve it most, and remember: "The only good teenybopper is a dead teenybopper."

Keep on listening to Triple J, all across the nation!

5.2 - Sending Fake Email by [R]yde

INTRODUCTION

Have you ever got spam mail and when you tried to reply to them or Unsubscribe from the list you thought you might have been accidentally added to, you find out that it was not a real e-mail address? The reason for that is forgery of e-mail.
Forging e-mail is commonly done by spammers and 'make money now' companies whose tactics are not all that legitimate and are too shifty to actually send real e-mail.

I decided to write this because I wanted to show ppl how easy it is to forge e-mail. Forging e-mail, once you get to know the commands, is just as easy as logging into hotmail and it comes in very handy when you do not have access to a commercial anonymous mail program.

WHAT YOU NEED

- TELNET CLIENT
  If you run Linux or UNIX then you have to type.... telnet
  If you run Windows 9x then you go to 'Accessories' and click on 'Telnet'
  [OR: click, start, run, type telnet, press enter - ED :)]
  *Telnet is a program that lets you log into remote computers around the world*, you may also have a different telnet client you wish to use.

- THIS DOCUMENT

and ummmmm....... that's all

LETS GET STARTED

Now you have to pick a server. The server is the computer you log into to send this fake mail.

**NOTE** The server you log into e.g Micro$oft.com, does not mean that your e-mail will be username@Micro$oft.com, you specify your e-mail address once inside the computer**

You have to set 'Local Echo on' in the preferences box in telnet so that you can read the text inside the computer.

O.k a good server is usually a big university or something like that, a place that gets hundreds of people logging into it a day so it won't notice one little person ;)

O.k once you have picked a server you telnet to it on port 25 (Port 25 is the SMTP port which controls the sending of mail from computer to computer).

In this example I logged onto the computer Madx.com on port 25. I got:

    220 markus.tcit.net ESMTP Sendmail 8.8.8/8.8.8; Fri, 11 Jun 1999 02:05:16 -0400 (EDT)
    214-This is Sendmail version 8.8.8

This tells you that the computer is markus.tcit.net and it is running Sendmail version 8.8.8 on port 25.

You then type the command 'HELO ' to tell them what computer you are connecting from. It usually does not matter what you type in because it will get your IP from your dial-up connection. [use a wingate to avoid IP detection - ED]

    helo does.not.matter.com
    250 markus.tcit.net Hello 56-ascend.madfish.com [203.161.118.4], pleased to meet you

Now we have identified ourself it is time to create havoc. Type 'Mail from: ' to set the fake address you want your mail to be sent from:

    mail from: ryde@ryde.aloc.cc
    250 ryde@ryde.aloc.cc... Sender ok

Now we type in the recipient that we want the mail to be sent to. To do this you type the command 'Rcpt to: ':

    rcpt to: Ronald@McDonalds.com
    250 Ronald@McDonalds.com... Recipient ok

Now we type in the word 'Data' to start the body of the mail.

    data
    354 Enter mail, end with "." on a line by itself
    Dear Mr McDonald,
    I am writing to complain about you cheese, quite frankly i feel that it tastes like plastic.
    Yours nauseously
    [R]YDE
    .
    250 CAA13112 Message accepted for delivery

DA DAAAA! it's that simple, all you have to do is remember those commands.

    Mail from:
    Rcpt to:
    Data      "Starts the message"
    .         "Ends and sends the message"

For completeness, here is what 'help ' displays for the above:

    214-MAIL FROM: [ ]
    214- Specifies the sender. Parameters are ESMTP extensions.
    214- See "HELP DSN" for details.
    214-RCPT TO: [ ]
    214- Specifies the recipient. Can be used any number of times.
    214- Parameters are ESMTP extensions. See "HELP DSN" for details.
    214-DATA
    214- Following text is collected as the message.
    214- End with a single dot.

**NOTE** There are some mail programs that could show your IP in the e-mail message. Ways around this is to test all your mail progs by sending an anonymous msg to yourself and checking the header for your IP. Another way around it is to use an Ident Spoofer that spoofs ident request and masks your server. Free web e-mails such as Hotmail and yahoo don't show your ip in the header so send away to them ;)

I hope that this helps at least one person discover the marvels of sending fake mail.

<=-------------------------------------------------------------------------=>

6.0 -[ Challenge ]-
-------------------

6.1 - JavaScript Password Box Continued by Phrost Byte

Most of you would have tried the challenge from the previous issue, and a couple of people I know have gotten pretty far with it. Although they have come across a problem which I did not see, ie there are far too many possible combinations that are acceptable, yet only one of them is the right password, since the password makes up the link to the html file.
I didn't see this, as I only figured out how to reverse it in theory (which
worked).. but I didn't realise that there was more than one possible
combination of characters that can be accepted :(

In the following, I will detail how the obfuscation process works, and how
the JavaScript itself works. This should help a lot of you out there who are
stuck. I have also included a program that calculates the 'code' for a given
combination of characters.. so you can use it if you wish to easily add
restriction to certain parts of your site (see attached crtcode.cpp).

Basic knowledge of JavaScript is assumed in the explanation, ie, each line
won't be described in detail in what it does. The text is written in a way
that if you are stuck on a particular section you can just jump to that
section, read it, and hopefully get 'un-stuck'.. if you just want some
hints, just read up to the section on where you are stuck, and don't read
further.

Getting The Source:
-------------------

Firstly, to be able to break the code, you must have the source (unless you
want to brute force it, which some people have tried). To get to the source,
just disable JavaScript (in Netscape, click Edit/Preferences/Advanced, then
un-check the enable JavaScript checkbox). Then load up the page that has the
script in it, and the password prompt box should not pop up, then click on
view source (ctrl-u in Netscape).

The Script:
-----------

The JavaScript is a simple, yet effective and easy method of passwording off
a visible link. It basically works by prompting the user for a password in a
pop-up box, which has a limited number of tries to get it correct (in this
case 4, change the variable fraCounter for more). Once the user has entered
a password, it is then encrypted, and compared to the one defined in the
script (similar to logging in on a Unix system, although the JavaScript is
reversible.. to an extent, unlike the current implementation of DES in Unix,
Crypt(3)).
JavaScript password schemes all work on the same idea of adding .html to the
password entered by the user. The user's password is the name of the .html
file. If the password is 'phrost123', then the html file that will be
retrieved after entering the password would be 'phrost123.html'. The name of
the html file could be viewed by viewing the source and looking for the
password check statement (which in this case is 'if (pass=="phrost123")'):

** The above script is used on many lame sites to 'password protect' an
   area.

But since Fravia+ obfuscates the name of the html file, it is not written in
the script, the password checking is as follows:

    if (code==278015)
        go()
    else
        inc()

    function go(){
        location.href=pass+".html";
    }

As mentioned beforehand, the password entered by the user is encrypted and
compared to the 'code' in the script, which in this case is 278015.
Therefore, if you entered phrost123 and, when encrypted, it is equal to
278015, then you are taken to the passworded .html file, which would be
'phrost123.html'; otherwise a counter is decremented, and you are given
another chance. Read on to learn how to calculate the 'code'.

The Obfuscation:
----------------

Each numeric and character is given an integer value, which is used to
calculate the code. Firstly a base set is created, an array containing 0 to
9, A to Z, and a to z:

    var base=new Array("0", "1", "2", "3", "4", .... etc ... "x", "y", "z")

A second array 'f' contains all the respective values given to each
character contained in the array 'base'. ie, f[10] contains the value for
the character at base[10] (f[10]=12, and base[10]=A, therefore 'A' has the
value 12).

Array 'f' is calculated by performing a set of different math functions for
each different set of characters. ie one set of functions for 0 to 9,
another for A to Z, and one for a to z.
Hence, the first for loop in the JavaScript calculates the values for 0 to
9:

    for (x=0; x<10; x++) {
        f[x]=x<<9
        f[x]+=23
    }

This is a loop from x = 0 until x < 10, and assigns the calculated values to
f[0] to f[9]. f[x] is calculated by multiplying x by 2^9 (2 to the power of
9), then adding 23 to it. eg, the first value of x is 0, therefore:

    f[x]=x<<9   results in   f[0]=0<<9  =>  f[0]=0*2^9  =>  f[0]=0
    f[x]+=23    results in   f[0]+=23   =>  f[0]=23

And the resulting values will be:

    f[0]=23    =>  0
    f[1]=535   =>  1
    f[2]=1047  =>  2
    f[3]=1559  =>  3
       :           :
    f[9]=4631  =>  4

The second for loop calculates the values for A to Z and is slightly more
complicated:

    for (x=10; x<36; x++) {
        y=y<<1;
        v=Math.sqrt(y)
        v=parseInt(v,16)
        v+=5
        f[x]=v
        y++
    }

As mentioned beforehand, this calculates the values for A to Z, which is
positions 10 to 35 in the array 'f'. Keep in mind that 'y' has been defined
earlier with a value of 28. Assign y with y*2^1, assign v the square root of
y (this is assigned to v, and not y, since y is used again to calculate the
next value), change v into base 16 (this is a simple method of rounding off
the given value.. ie removing anything after the decimal point), add 5 to
it, then assign it to f[x] and increment y, eg for x=10:

    y=y<<1            results in   y=28*2^1          =>  y=56
    v=Math.sqrt(y)    results in   v=Math.sqrt(56)   =>  v=7.483315
    v=parseInt(v,16)  results in   v=parseInt(v,16)  =>  v=7
    v+=5              results in   v=12
    f[x]=v            results in   f[10]=12
    y++               results in   y=57

And the resulting values will be:

    f[10]=12      =>  A
    f[11]=21      =>  B
    f[12]=26      =>  C
    f[13]=38      =>  D
       :              :
    f[35]=278810  =>  Z

The last loop which calculates the values for a to z is the same as above,
except instead of adding 5 to v, it adds 74, and uses z in place of y which
has been defined with the value of 23.

    f[36]=80      =>  a
    f[37]=83      =>  b
    f[38]=93      =>  c
    f[39]=99      =>  d
       :              :
    f[61]=262524  =>  z

The Obfuscation 2:
------------------

The next part to be described is the obfuscation of the password which has
been entered by the user.
The following code of the JavaScript performs this:

    var lpass=(pass.length)+1
    for (l=1; l
            code = 0+194 = 194
            code = code * y     => code = 194*1 = 194

    y=2, x=0,  is K[2]==base[0]..  no,  (is r = 0)
         x=1,  is K[2]==base[1]..  no,  (is r = 1)
         x=2,  is K[2]==base[2]..  no,  (is r = 2)
         x=3,  is K[2]==base[3]..  no,  (is r = 3)
          :                         :
         x=53, is k[2]==base[53].. yes! (is r = r)
            code = code + f[53] => code = 194+9554 = 9764
            code = code * y     => code = 9764*2 = 19576

    y=3, x=0,  is k[3]==base[0]..  no,  (is o = 0)
         x=1,  is K[3]==base[1]..  no,  (is o = 1)
         x=2,  is K[3]==base[2]..  no,  (is o = 2)
         x=3,  is K[3]==base[3]..  no,  (is o = 3)
          :                         :
         x=50, is k[3]==base[50].. yes! (is o = o)
            code = code + f[50] => code = 19576+2256 = 21752
            code = code * y     => code = 21752*3 = 65256

    y=4, x=0,  is k[4]==base[0]..  no,  (is s = 0)
         x=1,  is K[4]==base[1]..  no,  (is s = 1)
         x=2,  is K[4]==base[2]..  no,  (is s = 2)
         x=3,  is K[4]==base[3]..  no,  (is s = 3)
          :                         :
         x=54, is k[4]==base[54].. yes! (is s = s)
            code = code + f[54] => code = 65256+13713 = 78969
            code = code * y     => code = 78969*4 = 315876

    y=5, x=0,  is k[5]==base[0]..  no,  (is t = 0)
         x=1,  is K[5]==base[1]..  no,  (is t = 1)
         x=2,  is K[5]==base[2]..  no,  (is t = 2)
         x=3,  is K[5]==base[3]..  no,  (is t = 3)
          :                         :
         x=55, is k[5]==base[55].. yes! (is t = t)
            code = code + f[55] => code = 315876+20576 = 336452
            code = code * y     => code = 336452*5 = 1682260

    y=6, x=0,  is k[6]==base[0]..  no,  (is ? = 0)
         x=1,  is K[6]==base[1]..  no,  (is ? = 1)
         x=2,  is K[6]==base[2]..  no,  (is ? = 2)
         x=3,  is K[6]==base[3]..  no,  (is ? = 3)
          :                         :
         x=61, is k[6]==base[61].. no,  (is ? = z)

Therefore the code for 'phrost' is 1682260 (but remember, 1hrost, 2hrost,
etc can also be entered, and be valid.)

Conclusion
----------

Hopefully that helped you understand the JavaScript. You should now be able
to implement it in your own html, and try your hand at cracking it. Feel
free to email me with any queries, or alterations. Next issue, I will detail
how to crack it.
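The value table and the 'code' calculation described in this article, rebuilt as an added example (this is not the original Fravia+ script and not the attached crtcode.cpp). The password loop is cut off on this page, so codeFor() reconstructs it from the walkthrough as an assumption: K[l]=pass.charAt(l) for l=1..length, which is why the first character never enters the code. The function names buildTable, codeFor and firstCharCollisions are made up for this example.

```javascript
// Character set from the article: 0-9, A-Z, a-z (62 entries).
const base =
  '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.split('');

// Rebuild the value table f[] with the three loops the article describes.
function buildTable() {
  const f = [];
  for (let x = 0; x < 10; x++) f[x] = (x << 9) + 23; // digits 0-9
  let y = 28; // seed for A-Z
  for (let x = 10; x < 36; x++) {
    y = y << 1;
    // parseInt(number, 16) stringifies the square root and reads its decimal
    // digits as hex up to the '.', so 10.67 becomes 0x10 = 16, not 10.
    f[x] = parseInt(Math.sqrt(y), 16) + 5;
    y++;
  }
  let z = 23; // seed for a-z
  for (let x = 36; x < 62; x++) {
    z = z << 1;
    f[x] = parseInt(Math.sqrt(z), 16) + 74;
    z++;
  }
  return f;
}
const f = buildTable();

// Assumed reconstruction of the truncated loop: K[l] = pass.charAt(l) for
// l = 1..length, so charAt(0) is never read and K[length] is the empty string.
function codeFor(pass) {
  let code = 0;
  for (let y = 1; y <= pass.length; y++) {
    const x = base.indexOf(pass.charAt(y));
    if (x === -1) continue; // not in base[]: contributes nothing
    code = (code + f[x]) * y;
  }
  return code;
}

// Count how many first characters from base[] give the same code as pass.
function firstCharCollisions(pass) {
  const target = codeFor(pass);
  return base.filter((c) => codeFor(c + pass.slice(1)) === target).length;
}

console.log(codeFor('phrost'), firstCharCollisions('phrost'));
```

An input that collides passes the check, but go() then requests a file that does not exist, so the only thing protecting the page is the secrecy of its filename.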
<=-------------------------------------------------------------------------=>

7.0 -[ Conclusion ]-
--------------------

"People annoy the shit outta me that are willing to let u carry it on your
back, then complain if the content is not to their liking, so here's my
contribution. enjoy :) " - Imortal

That's all I have to say.

- Phrost Byte

<=-------------------------------------------------------------------------=>

b el8 & dr1nk ->

[ASCII art]

<=-------------------------------------------------------------------------=>