Copy Link
Add to Bookmark
Report

f0rbidden knowledge issue 05

eZine's profile picture
Published in 
f0rbidden knowledge
 · 4 years ago

  

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=---::
:: ::
:: :: ::
:: $$$; iii ::
:: $$$$$, ZZZZ ____ ::
:: $$$$$$. $$$$ .%$$$$$` ::
:: $$$?$$$, $$$$ i$$$$` ::
:: -------// $$$ `$$$. $$$------- I$$$'---------/ / << < ::
:: $$$ `$$$, ;$$ ;$$$: ::
:: $$$ ;$$$ j$$ ,$$$; ..forbidden ::
:: $$$ ^^" $$$ __ÒÒ$$$$' knowledge.. ::
:: $$$ $$$ $$$$$½' ::
:: ----- $$QQ###zzzzz $$$ _ ----------< < ------ ::
:: ^^"
'?$$$$$$$ $$$ ?$$$· ::
:: I$$ $$$ '?$$$, ::
:: .I$$ $$$ '$$$, ::
:: ;$$$ '$$$, ::
:: L$$$ ;$$$ ::
:: ," $ :$$$; ::
::  : $$$$$$$' ::
:: ` . ?$$$P ::
:: '$' ::
:: ; ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=---::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Contents of This Issue Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: -/- Introduction by The Editor ::
:: ::
:: -/- Protecting Memory and Addressing Part One by wyze1 ::
:: -/- Defeating Telkom Caller ID by Nakamura ::
:: -/- Social Insurance Number Checksums by Moe1 ::
:: -/- Implications of Unsrestricted Port Binding under NT by wyze1 ::
:: -/- A Lesson in Lactural thinking by wyze1 ::
:: -/- Hacking Dockside Internet Accounts by Moe1 ::
:: -/- Hacking Standard Bank by wyze1 ::
:: ::
:: -/- Conclusion, Greets, All that other stuff that wastes space ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Bright Idea of the Week from Wyzewun Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: If your name is sektorgrl and you're a slut -- kill yourself. ::
:: ::
:: If your name is not sektorgrl and you think that people called sektorgrl ::
:: are sluts -- Perhaps you should tell that to her mother. Just /msg her ::
:: on EFNet. Her nick is jojobean. I'm sure she won't mind. :) ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Introduction by The Editor Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: Due to an administrative error by the (marvelously efficient) South ::
:: African government, Ecstascy, Cocaine and Morphine (amongst others) ::
:: became legal in South Africa for a period of 5 weeks - much to the joy ::
:: of Marc Satur9 and various other members of the Forbidden Knowledge ::
:: Production Team. And so a special celebratory anti-computer month was ::
:: proclaimed to celebrate the fantastic intelligence of our government ::
:: (besides, both Marc and I had critical hardware failures - my video card ::
:: and his cpu), so why not have a little holiday? ;P ::
:: ::
:: So, needless to say, this issue was a bit setback, but it is still here, ::
:: right on schedule and pretty damn kickass, if I do say so myself. Being ::
:: the Editor of a Zine is something you get better at with practice, and ::
:: I'm grateful to have had the opportunity to fuck up a lot of things in ::
:: the zine, or to just not improve things that should be improved, and ::
:: STILL get recognised as a good zine. Heh. Must be my good looks or ::
:: something. <Marc Satur9: Yeh Right> ::
:: ::
:: We have been under a lot of pressure lately, but things are beginning to ::
:: slow down again. Vortexia is back from the USA, for now at least, and ::
:: the rest of us will remain here for some time. Well... Assuming Marc ::
:: Satur9 doesn't get drafted by the German Army like they want him to be. ::
:: Maybe if we told them about his habits of blowing up dog kennels and ::
:: attacking toddlers with blowtorches he would get out of it. Hmmm. :) ::
:: ::
::-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=::
:: Editor: Wyzewun wyze1@g0v.za.org ::
:: ::
:: Co-Editors: Marc Satur9 satur9@beer.com ::
:: Vortexia vortexia@psyche.za.org ::
:: ::
:: Writes Stuff: Moe1 moe1@h4x0rz.za.org ::
:: Makes ASCII Art: CyberPhrk phuman@icon.co.za ::
:: ::
:: Never does Anything: Sniper sniper@h4x0rz.za.org ::
::==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==::
:: ::
:: Other Stuff in this Issue of Forbidden Knowledge... ::
:: ::
:: phjeer.txt ===========> IRC Lawgs dat joo will Ph34r ::
:: unix.txt =============> Why Unix Users are Perverts ::
:: carriers.txt =========> Carriers for ZA Scum ::
:: ::
:: Mail comments, questions and article submissions to fk@posthuman.za.net ::
:: Subscription requests can be sent to fk@posthuman.za.net with the ::
:: Subject line "
FK Subscribe". We hope you enjoy the zine as much as we ::
:: have enjoyed making it. <Marc Satur9: After all dem pillz, who wouldnt ::
:: enjoy making FK?> ::
:: ::
:: Cheers, ::
:: Wyzewun ::
:: ::
:: PS. Sorry if this issue is a bit thin, but nobody sent me articles ::
:: except for Nakamura and Moe1, so I had very little to work with. And ::
:: we pay a lot of attention to deadlines. ;) ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Protecting Memory and Addressing Part One by wyze1 Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: This is the first of a wave of technical articles which I am going to be ::
:: publishing in FK. I am making a conscious decision to get the zine more ::
:: technically orientated and to have some serious articles for the ::
:: intermediate hacker. ::
:: ::
:: I toyed with the idea of writing an article on Buffer Overflow but after ::
:: having seen this in Phrack, b4b0 and THC Magazine, decided that the idea ::
:: was tired out by now, and by now (hopefully) everyone knows what it is. ::
:: And so, I decided to look into an area less commonly exploited and less ::
:: well-known, memory protection. In this issue I will be covering some ::
:: fairly primitive methods of memory protection and will move on to more ::
:: commonly used systems in Part Two. It is intended to be simple, concise ::
:: and to explain exactly what memory protection is from the ground up. ::
:: ::
:: In multiuser environments (Like Windows NT and UNIX), it is important ::
:: that the memory assigned to one user cannot be accessed in any way by ::
:: another user -- not only for security reasons, but also obviously so ::
:: that if one user's program crashes, the whole system won't go down. Lets ::
:: start by looking at the most basic form of memory protection - protecting::
:: only the Operating System itself in a singleuser environment. This uses ::
:: the Fence Register method. ::
:: ::
:: ____________________ ::
:: | | The Memory ::
:: | Operating System | ::
:: | | ::
:: |--------------------| ::
:: ,- | | ::
:: | | User Program | ::
:: | | Space | ::
:: Addressing Range ---| | | ::
:: | | | ::
:: `- | | ::
:: -------------------- ::
:: ::
:: This is achieved by using a Hardware register called a Fence Register. ::
:: The Fence Register is a lower level memory address that indicates that ::
:: nothing above this should be modified. We would then say that the ::
:: Relocation Factor for this example is the amount of memory blocks a ::
:: program written as if it would be resident at the beginning of the RAM ::
:: would have to move down so as not to interfere with the Operating System.::
:: ::
:: Now, in a multiuser environment we don't want our users to be able to ::
:: cause any trouble for eachother whatsoever and we can't achieve that ::
:: with just our one Fence Register. This is where we bring in Bounds ::
:: Registers. Like how Fence Registers are lower level memory addresses, ::
:: Bounds Registers are higher level memory addresses, and show that all ::
:: memory below it belongs to them. (Until it hits another Bounds Register).::
:: So an example would look something like... ::
:: ::
:: ____________________ ::
:: | | ::
:: | Operating System | ::
:: | | ::
:: Base Register --->> |--------------------| ::
:: | | -, ::
:: | Bobs Program Space | | ::
:: | | | ::
:: Bounds Register --->> |------------------- | |-- User Program Space ::
:: | | | ::
:: | Sods Program Space | | ::
:: | | -' ::
:: -------------------- ::
:: ::
:: However there is still a big problem with this form of memory protection.::
:: Because there is no definition between executable and data areas, and ::
:: because each user has full control over memory in their assigned piece ::
:: of memory, they can write over things and cause crashes and different ::
:: things happening in the execution of their programs. Sure, its only ::
:: their programs, but what if this was a SUID program? ;) ::
:: ::
:: So, what we may want to do, is seperate the users data from their ::
:: program space to avoid security threats like the one mentioned above. So ::
:: our memory will look something like this... ::
:: ::
:: ____________________ ::
:: | | ::
:: | Operating System | ::
:: | | ::
:: Base Register --->> |--------------------| ::
:: | Bobs Data Space | -, ::
:: Bounds Register --->> |--------------------| | ::
:: | Bobs Program Space | | ::
:: Bounds Register --->> |------------------- | |-- User Memory ::
:: | Sods Data Space | | ::
:: Bounds Register --->> |--------------------| | ::
:: | Sods Program Space | -' ::
:: -------------------- ::

:: ::
:: Needless to say, this type of memory protection will not work if we want ::
:: a truly secure Operating System. And that is where Tagged Architecture ::
:: comes in, another alternate method of memory protection. This sytem is ::
:: just really the idea of having a few bits after every Memory location ::
:: that cannot be modified containing flags such as R, W & X, to represent ::
:: what the user may and may not do with this piece of memory, for example ::
:: R - Read, W - Write, X - Execute - like in UNIX. ::
:: ::
:: This system is used on the Burroughs B6500-7500 systems and the IBM ::
:: System/38 also uses a similar method. In next issue I will discuss other ::
:: memory management techniques, including Paging, Segmentation, And a ::
:: hybrid of the two. Please let me know what you think of this article, ::
:: it is my vision of the type of articles which will be in future issues ::
:: of Forbidden Knowledge. ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Some Telkom Info from Nakamura Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: <Comments from wyze1: This information is specific to Telkom, the bunch ::
:: who have the monopoly over the South African telecommunications ::
:: industry. Werd.> ::
:: ::
:: Big Brother is watching. ::
:: ::
:: Telkom has rolled out its IdentiCall system now; it is already ::
:: operational in almost all of South Africa and parts that haven't got it ::
:: yet will get it soon enough. The system they are selling can log the ::
:: last 99 incoming numbers and that is the residential unit. Commercial ::
:: units with higher throughput that can log several thousand numbers are ::
:: being discussed. ::
:: ::
:: What are the implications? Well, ISP's can use it to make dial-in ::
:: accounts far more secure, simply by dedicating a server to ID each ::
:: incoming call. If the call is not from the listed users' number, the ::
:: number can be traced and the ISP informed. There is some speculation that::
:: such a system is already being tested. There is also an obvious danger ::
:: for anyone phreaking with a beige box. ::
:: ::
:: There are two good points. Telkom will be charging for the service. Not ::
:: a hell of a lot, but it will cost money anyway. <Wyze1: If you call R14 ::
:: money. ;) More expensive for commercial versions though and R100 for the ::
:: unit that displays the number if you want it> Some corporate types may ::
:: decide not to shell out for the added security. Telkom also told everyone::
:: that was concerned about privacy that the dialing party can disable the ::
:: service by punching *31* (star, three, one, star) before dialing the ::
:: number. There will be no identification then. There is no way to know if ::
:: this is really the case, and if they will be selling some kind of ::
:: "
identify anyone" package at a huge price. They also say that they will ::
:: have no record of the dialing numbers and that they will be stored only ::
:: on the unit attached to the receiving phone. Again there is no way to ::
:: know if this is true. ::
:: ::
:: Moral of the story - watch out. Big Brother now has the technology to ::
:: watch you. It is a good idea to append *31* before any number you dial in::
:: future, INCLUDING your modem auto-dial. Don't say you weren't warned, and::
:: don't get caught. Brought to you by Nakamura. ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Social Insurance Number Checksums by Moe1 Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: Social Insurance Numbers are validated by a simple checksum process. ::
:: ::
:: Example using a valid Social Insurance Number: ::
:: ::
:: 236 454 286 (Social Insurance Number) ::
:: ::
:: 236 454 286 \ Multiply each top number ::
:: 121 212 121 / by the number below it ::
:: ----------- ::
:: 266 858 276 and get this. ::
:: ^ ::
:: ^ ::
:: Notice here that 8*2=16, add the 1 and ::
:: the 6 together from 16 and get 7. If you get a ::
:: 2 digit number always add the digits together. ::
:: ::
:: 2+6+6+8+5+8+2+7+6=50 (Now Add all the digits together) ::
:: ^^ ::
:: ^^ ::
:: If the Social Insurance Number is valid this ::
:: number will be evenly divisible by 10. ::
:: ::
:: Since 50 is a multiple of 10 our example is a valid Social Insurance No. ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Implications of User-level Port Binding under NT by wyze1 Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: Unlike other multi-user Operating Systems, Windows NT 4 (I am not sure ::
:: if Windows 2000 behaves the same way) allows users to run daemons on any ::
:: port that the user feels like running them on. Why is this the stupidest ::
:: thing I have ever seen in my life? Well, the biggest problem I can think ::
:: of would be... ::
:: ::
:: Any user can easily get the Administrator Password. Because NetBIOS is ::
:: not bound to a specific IP, should a user run his own daemon on the ::
:: NetBIOS ports and bind it to a *specific* IP, his daemon will field ::
:: incoming connections before NetBIOS does, making it easy for him to set ::
:: up some or other utility to steal the passwords of whoever tries to ::
:: login remotely. Ewww. ::
:: ::
:: Regardless of this major threat, there are many obvious minor threats. ::
:: How would you like to be woken up by the cops one day because your users ::
:: decided to set up a leeto warez ftp? ::
:: ::
:: Gee, Windows is pretty funky... But I dont think I'll be giving up *BSD ::
:: just yet. ;) ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO A Lesson in lactural thinking by wyze1 Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: In todays hacking scene many people are so overly concerned about buffer ::
:: overflows and the like, that they forget about possible ways to hack ::
:: into a system with "
no" vunerabilities. Hacking is not about finding all ::
:: the latest kiddie scripts, scanning for vunerable hosts and exploiting ::
:: all of them - It's about using your brain and thinking of NEW ways to do ::
:: things when other things fail. ::
:: ::
:: Allright, I am going to use a real example from a situation that I was ::
:: in. I had user access on a completely secure FreeBSD box and wanted to ::
:: gain root access. The box didnt run X, had no SUID executables and did ::
:: not have ANY known security flaws. The conclusion most people would make ::
:: here (and that no hacker ever should) is that this box is pretty much ::
:: completely secure. But it is the ever-questioning mind of the hacker ::
:: that says: "
There has to be a way." And there always is. ::
:: ::
:: I catted the .bash_history, and by the number of su entries I saw, I ::
:: concluded that this account must either be the Admin's user account, or ::
:: it is used by him frequently. Then, I started to look around for things ::
:: that I had been given write access to, but found absolutely nothing, ::
:: save for the configuration script my shell. (.bashrc etc) ::
:: ::
:: Then it hit me - Using my write access to .bashrc, I can create aliases! ::
:: So, I quickly wrote a fake su program that mails the password to me and ::
:: saved it in /home/whatever/.ncftp/.blah, then added a line into .bashrc ::
:: saying: alias su='~/.ncftp/.blah' and logged out, only to find the root ::
:: password in plaintext in my mail the very next day. ::
:: ::
:: This is not so much a hacking tip, as it is a plea to think DIFFERENTLY. ::
:: To explore your OWN ideas and concepts and not follow the ones of others ::
:: and most importantly, to think for yourself and not to rely on others. ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Hacking Dockside Temporary Internet Accounts by Moe1 Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: Credits go out to: syc{King} and cuzziez for helping me test. <w1: For ::
:: all the foreign readers, cuzziez is a stupid South-African-ism for ::
:: cousins. We're dumb and cant speak English. So Shoot us.> ::
:: ::
:: Dockside Internet provides first time users with temporary trial ::
:: accounts, all you have to do is apply for one is phone them up and tell ::
:: them that you wanna try this Internet thingy out and you will be supplied::
:: with a temporary username and password. ::
:: ::
:: So why is this useful? It only works for 48 Hours! Well... when that 48 ::
:: hours is finished, we decide to take a look at that assigned username ::
:: and password one more time... ::
:: ::
:: My username is X11195 and my password is 9715. I wonder if the password ::
:: for X11196 is 9716. Well, lo and behold it is! What a coincedence! ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ..ooO Hacking Standard Bank by wyze1 Ooo.. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::
:: ::
:: Let me start by saying: d1s 1z d4 l33t3st d1sc0verY eYe h4vE eV3r m4de!! ::
:: Honestly, the ppl at Standard Bank should be fucking ashamed for having ::
:: such fantastically stupid vunerabilities. But anyway, on with the show, ::
:: or something... ::
:: ::
:: Standard Bank have these nice little terminals to promote online banking.::
:: All it is, is a Windows Box, with no Hard-drive, permanently stuck in a ::
:: modified version of Netscape to browse the company's webpage through the ::
:: Intranet. Although they have remembered to block all sorts of uber-ereet ::
:: things like pressing the start button, or jamming ctrl+s, if you press ::
:: alt+tab you get chucked back into a command prompt. Oh dear. =) ::
:: ::
:: Have some-one to stand near you while you explore their system, and ::
:: press Alt+Tab again to go back into Netscape when anyone walks by. ::
:: ::
:: While in this command prompt, you can locate and mount the shares of ::
:: any other machine on the network. You can get into all sorts of evil ::
:: little shares that you shouldnt be in, and you can even get onto the ::
:: the internet if you really know what you're doing. (Heaven knows why you ::
:: would want to do this, though) ::
:: ::
:: But I won't cover any of that, you can figure it out yourself. And with ::
:: a hack this stupid I think asking that you learn about the internal ::
:: workings of the system on your own is pretty much justified, dont you? ::
:: HEH. Alt+Tab Hax0rs of the Werld Unite! Alt+Tab the Planet! *Sigh* I ::
:: cant wait to go back to England where people have brains. ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-=::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Thanks and Greets Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: Group Greets: ::
:: b4b0, cDc, EHAP, gH, HNN, L0pht, LoU, Posthuman, Rhino9 ::
:: ::
:: Personal Greets: ::
:: Badspirit, Crazyguy, Cyclotron, Halflife, Kool4Katz, Lothos, Mnemonic ::
:: m0f0, ph1x, Tattooman, ultima, xmagii ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::


::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Next Issue Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: The next Issue will be released at Midnight (SAST) on the 6th of August, ::
:: and will be available at Posthuman Systems, Packet Storm Security and ::
:: the E-Text Archives. ::
:: ::
:: ::
:: : ____ ::
:: i..?W$$$$$$$ __ ::
:: ;Q$$P"
$$$ ;$$$ ::
:: .$$$;' $$$ I$$$ ::
:: I$$. : $$$ $$$; ::
:: ;$I? . $$$ _..$$$; ::
:: $$$; $$$y#Q$$$$$P' ::
:: $$$ $$$P""^^ ::
:: _____$$$ $$$; ::
:: $$$$$$$$$$$$$$ `$$$y, ::
:: ''^""$$$^^"""" ;,"?$$$#, ::
:: $$$ I$# ^$$$$, ::
:: $$y, $$$ ?$$$; ::
:: $$$; $$$ ;$$$I ::
:: : $$$ $$$$ ::
:: . $$$$ ::
:: ::
:: #posthuman, EFNet -=- www.posthuman.za.net -=- fk@posthuman.za.net ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT