f0rbidden knowledge issue 07
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: :: ::
:: $$$; iii ::
:: $$$$$, ZZZZ ____ ::
:: $$$$$$. $$$$ .%$$$$$` ::
:: $$$?$$$, $$$$ i$$$$` ::
:: -------// $$$ `$$$. $$$------- I$$$'---------/ / << < ::
:: $$$ `$$$, ;$$ ;$$$: ::
:: $$$ ;$$$ j$$ ,$$$; ..forbidden ::
:: $$$ ^^" $$$ __ÒÒ$$$$' knowledge.. ::
:: $$$ $$$ $$$$$½' ::
:: ----- $$QQ###zzzzz $$$ _ ----------< < ------ ::
:: ^^"'?$$$$$$$ $$$ ?$$$· ::
:: I$$ $$$ '?$$$, ::
:: .I$$ $$$ '$$$, ::
:: ;$$$ '$$$, ::
:: L$$$ ;$$$ ::
:: ," $ :$$$; ::
:: : $$$$$$$' ::
:: ` . ?$$$P ::
:: '$' ::
:: ; ::
:: ::
:: ..[Forbidden Knowledge Issue Seven].. ::
:: ..[Released Saturday, the Second of October, 1999].. ::
:: ::
:: Forbidden Knowledge is an independent project brought to you by the ::
:: following team of cleverly trained chimpanzees... ::
:: ::
::--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--::
:: [ Wyzewun ] [ Editor ] [ w1@macroshaft.org ] ::
:: ::
:: [ Pneuma ] [ Co-Editor ] [ satur9@punkass.com ] ::
:: [ Vortexia ] [ Co-Editor ] [ andrew@idle.za.org ] ::
:: ::
:: [ Moe1 ] [ Articles ] [ moe1@codiez.za.org ] ::
:: [ Scarz ] [ Not much ] [ sniper@werd.leet.org ] ::
:: ::
:: [ Cyberphrk ] [ Assumed Dead ] [ phuman@icon.co.za ] ::
::--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--::
:: ::
:: Guest contributor this ish: CoLdBLood, jus ::
:: ::
:: Group Greetz: b4b0, cDc, Darkcyde, eEye, gH, HNN, HWA, KeyRoot, L0pht ::
:: Individual Greetz: Axess, CoLdBLood, Corrupt SYN, Cruciphux, Cyber Demon,::
:: DrSmok[e], gr1p, f0bic, icesk, jus, kokey, lusta, ::
:: Mnemonic, NtWaK0, secto0r, Timewiz, vision, w3stside, ::
:: UglyKidJoe ::
:: ::
:: Fuck Youz: Oprah Windfrey (y3r sh0w f$ck1ng sUcKz d1cK b!tch !@#$%^) ::
:: ::
:: This issue: Was made in EDIT.COM on a DOS 386 with no hard-drive. Gee, ::
:: eam so retro. :] Anyway - it should look great either in ::
:: edit.com, pico, mcedit or whatever. Especially mcedit. Coz ::
:: it's written by a South African. Pheer. :> ::
:: ::
:: Apologies: For leaving the number for the Shiva LANRover in carriers.txt ::
:: as 0800-I-FORGOT last issue, I meant to put in the real ::
:: number, but was too drunk. :( Ironically, I have forgotten ::
:: the number for that Shiva now anywayz. ;P ::
:: ::
:: Further apologies: For any errors left in this issue. We released it ::
:: while very stoned. As with last issue. And the issue ::
:: before. :> ::
:: ::
:: Inexcusably Lame: All those neato elito hax0rz who think that changing ::
:: index.html's is hardcore - You suck anal dick. ::
:: ::
:: Elite: Hotmetal aka. gov-boi from Hack.Co.Za rooting one of the lame ::
:: Linux boxes at Vortexia's company, modifying the log files, and ::
:: leaving full backups of the original ones in /root ::
:: ::
:: Phear: Vortexia's code in this Issue ::
:: Do not Phear: Wyzewun's Wang - It is your friend ::
:: ::
:: Well done: To Microsoft who *finally* got a new customer support number. ::
:: I noticed this one isn't toll free - it just charges local ::
:: rates. Hmm. I wonder why. ;) (See Forbidden Knowledge #2) ::
:: ::
:: Warning: Still planning to root that .gov.za box you've been playing ::
:: with for so long? Do it now! It's only 3 months before the new ::
:: Computer Crime Act comes into place and hacking finally becomes ::
:: illegal in South Africa. :( ::
:: ::
:: Nice Proxy: intruder.deepsouth.co.za -- the open SQUID proxy of Bretton ::
:: Vine aka. Kool4Katz - ZA Security consultant elite. Kinda ::
:: fun to scan for CGI vulnerabilities through. ::
:: ::
:: Official Soundtrack for this Issue: Eminem - Brain Damage ::
:: ::
:: .ooO b0nus juarez Ooo. ::
:: ::
:: Trusted Windows RFC [ Pneuma and Wyzewun ] ::
:: Mass Fake Portscanner [ Vortexia ] ::
:: Leet Windows/Linux Benchmark [ Microsoft and Wyzewun ] ::
:: Port Sentry Killer [ Vortexia ] ::
:: Guide to learning how to hack [ Pneuma ] ::
:: Mass CGI Vulnerability Scanner [ Wyzewun ] ::
:: DOS/Win9x Keylogger in ASM [ CoLdBLooD ] ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Contents of This Issue Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: -/- Introduction by The Co-Editor ::
:: ::
:: -/- Some Windows NT junk ::
:: -/- Offline Internet access services ::
:: -/- Playing with gawk ::
:: -/- ZA ID Bitchingz ::
:: -/- Defeating Portscan detection ::
:: -/- Whats going down wit dem oinks ::
:: -/- Socket programming in Perl ::
:: -/- Hackers and the media ::
:: ::
:: -/- Laterz and udder Bullsh!t ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Introduction from the (Co)Editor Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: I have been keeping in the background alot when it came to this E-zine, ::
:: and finally decided to use my power of sub editorship to do something ::
:: useful, so it appears I got stuck with the Introduction from the ::
:: (Assistant) Editor this edition. ::
:: ::
:: Firstly, please bear with the FK team, we are NOT getting enough *good* ::
:: quality submissions from you peepz, if you have *anything* to contribute,::
:: send it thru and we may put it right <HERE> or there abouts, and give ::
:: you propz, and please, no more e-mails asking when the next issue will be::
:: out, it is now bi-monthly, which means that it comes out every TWO ::
:: months, on the first friday of that month to coincide with the ::
:: 2600/PHaSM meetings at Sandton (details on our page), this issue came ::
:: out the 1st of october, you do the maths to find when issue 8 comes out. ::
:: ::
:: Well done to Packetstorm for getting back up, we just hope that your ::
:: commercialisation does not inhibit your ability to produce a good FK ::
:: mirror (What? Packetstorm isn't only an FK mirror? What is this world ::
:: coming to? :) ::
:: ::
:: A bigazz fuckyou goes to all the South African "professional" security ::
:: agencies who spend vast time busting white hat hackers who e-mail them ::
:: reports on their security and allowed that disgruntled employee from a ::
:: rather large mining firm to sell information of their entire corporation ::
:: to a competitor. She was a secretary btw who gained access to the server ::
:: using a password she was not meant to have and got R120,000 while ::
:: costing the company over R45,700,000. I would like you dicks to explain ::
:: once again who the real threat is? ::
:: ::
:: We got some really good shit flowing into this mag, even if we are ::
:: understaffed and have no reliable contributors, and I take this ::
:: opportunity to thank Wyzewun for producing the best (and only?) South ::
:: African e-zine worth reading. ::
:: ::
:: Peace out, keep the love and 'E' flowing... ::
:: Pneuma ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Some Windows NT Junk by Wyzewun Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: Ugh, I was gonna continue my memory management articles with Windows NT ::
:: stuff and it kinda got off the point, so in this article I'll be talking ::
:: about Windows NT Security features and how they interoperate with ::
:: process management and virtual memory. Lets go... ::
:: ::
:: Right, some aarb user logs in with their username and password. NT gives ::
:: them an access token, which I will be covering in more detail soon. ::
:: Basically, it serves two purposes - keeping all security information ::
:: together in one place to make validation faster and allowing each ::
:: process to modify its security characteristics (in limited ways) without ::
:: affecting the user's other processes, because each process inherits its ::
:: own copy of the access token. ::
:: ::
:: Generally, the token has all privileges disabled, and just attempts to ::
:: enable the ones it needs when it needs to. This is also a good reason ::
:: for having an access token for each process, because otherwise all other ::
:: processes owned by that user would receive that privilege. ::
:: ::
:: If the process requires interprocess communication, it will have a ::
:: security descriptor which consists mostly of an access control list that ::
:: specifies access rights for various users and user groups for the ::
:: object. When another process attempts to access it, the SID (Security ::
:: ID) of the process is matched against the access control list. ::
:: ::
:: Right, now lets look at that Access Token in detail now. It consists of ::
:: the following properties... ::
:: ::
:: Security ID - Used to identify the user uniquely across ::
:: the network. Normally the username. ::
:: ::
:: Group SID - A list of the groups to which the user ::
:: belongs. Each group has its own SID. ::
:: ::
:: Privileges - Whether or not the user has weird privileges ::
:: like "create token", or "backup privilege" ::
:: which allows them to backup files they ::
:: wouldn't be able to read normally. Most ::
:: users have no privileges. ::
:: ::
:: Default Owner - If this process generates another object, ::
:: what group does it go to? But the user can ::
:: specify it to be run under any Group SID to ::
:: which they belong. ::
:: ::
:: Default ACL - This is an initial list of protections ::
:: that is applied to objects the user creates.::
:: These can be changed later. ::
:: ::
:: Allright, that does it for the Access Tokens. So lets take a look at the ::
:: stuff we can find in the security descriptors... ::
:: ::
:: SACL - Specifies what kind of operations on the ::
:: (System Access object should cause audit messages, so it ::
:: Control List) can bitch about users trying to mess it ::
:: around or whatever. The Access Token has ::
:: to verify Read/Write access to the SACL, so ::
:: that attackers can't find out what they ::
:: shouldn't do to avoid audit messages. ;) ::
:: ::
:: DACL - Determines which users and objects can ::
:: (Discretionary access this object for which operations. ::
:: Access Control List) Basically, just a list of ACEs (Access ::
:: Control Entries). ::
:: ::
:: Owner - Can be individual or group SID and decides ::
:: who has ability to change DACL. ::
:: ::
:: Flags - Defines type and contents of the security ::
:: descriptor - whether or not the DACL and the ::
:: SACL are present, whether or not they were ::
:: placed in the object by a defaulting ::
:: mechanism, and whether the pointers in the ::
:: descriptor use absolute or relative ::
:: addressing. Relative descriptors are needed ::
:: for objects that are transmitted over a ::
:: network. ::
:: ::
:: When a process attempts to access an object, it scans through the ::
:: object's DACL. If a match is found, i.e. if an ACE is found with a SID ::
:: that matches one of the ones in the token, then the process has the ::
:: rights over that object specified by the access mask in that ACE. ::
:: ::
:: So what does an access mask look like anyway? Well, the first 16 bits ::
:: contain access rights that apply to a particular file or object. The ::
:: other 16 bits contain masks that apply to all objects. The five of ::
:: these that are referred to as standard object types are... ::
:: ::
:: Write_Owner: Allows the program to change the owner of the object ::
:: ::
:: Synchronize: Gives permission to synchronize object with some other ::
:: process, like used in a sleep() ::
:: ::
:: Write_DAC: Allows the application to modify the DACL and hence the ::
:: protection of this object. ::
:: ::
:: Read_Control: Allows the app to query the owner and DACL fields of the ::
:: security descriptor in that object ::
:: ::
:: Delete: Duh. You have to guess this one. ;) ::
:: ::
:: Now, there are the four "generic" access types. Right, say that an app ::
:: has to create several different object types and ensure that the user ::
:: had "read" access to all of them, even though "read" means something ::
:: somewhat different in each case. Now, instead of having to create a ::
:: different ACE for every object type, it uses the generic bits, which ::
:: consist of... ::
:: ::
:: Generic_all: Allow all access ::
:: ::
:: Generic_execute: Allows execution if executable ::
:: ::
:: Generic_write: Allows write access ::
:: ::
:: Generic_read: Allow read-only access ::
:: ::
:: The generic bits also have an effect on the standard access types. For ::
:: example, for a file object, Generic_read maps to the standard bits ::
:: Read_Control and Synchronize and to the object specific bits ::
:: File_Read_Data, File_Read_Attributes and File_Read_EA. Placing an ACE on ::
:: a file object that grants a SID Generic_Read would be the same as ::
:: specifying all 5 of the aforementioned rights. ::
:: ::
:: The remaining two bits in the ACE that we haven't looked at yet have ::
:: special meanings. The Access_System_Security bit allows modifying audit ::
:: and alarm control for this object. However, not only must this bit be ::
:: set for a SID, but the access token for the process with that SID must ::
:: have the corresponding privilege enabled. ::
:: ::
:: Lastly, the Maximum_Allowed bit is not really an access bit, but a bit ::
:: used by NT to determine how to scan the DACL for the SID. Normally, NT ::
:: will scan through the DACL until it reaches an ACE that specifically ::
:: grants or denies the access requested for the corresponding object. The ::
:: Maximum_Allowed bit instead asks for the maximum rights that the object ::
:: will allow for any given user. The three options for this are... ::
:: ::
:: 1. Attempt to open the object for any kind of access. The disadvantage ::
:: of this is that access may be denied even though the application may::
:: have all of the access rights actually required for this action. ::
:: ::
:: 2. Only open the object when a specific access is required, and open a ::
:: new handle to the object for each different type of request. This ::
:: is generally the method favoured by most because it won't ::
:: unnecessarily deny access nor will it allow more access than needed.::
:: ::
:: 3. Attempt to play with the object as much as the object will allow ::
:: this SID. The advantage is that the user will not be artificially ::
:: denied access, but the app itself may have more access than it ::
:: needs. Bad idea. ::
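:: The DACL walk, generic-to-specific mapping and Maximum_Allowed scan ::
:: described above, as an added toy model in Python (not Windows code and ::
:: not from this issue): an ordered DACL where the first deny that hits a ::
:: still-wanted bit ends the scan, Generic_read mapped to the five file bits ::
:: the text lists, and Access_System_Security also needing the privilege ::
:: enabled in the token. The SIDs, the sample DACL and the choice of ::
:: SeSecurityPrivilege as that privilege are assumptions for the demo. ::

```python
"""Toy model of the NT access check the article describes.

Added illustration, not Windows code. Bit values follow the Win32 headers
(from memory); SIDs, the sample DACL and the privilege name are assumptions.
"""
from dataclasses import dataclass

# Standard rights (high 16 bits): the five the article calls standard types.
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = (
    0x00010000, 0x00020000, 0x00040000, 0x00080000, 0x00100000)
# Object-specific rights of a file object (low 16 bits); only those used here.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES = (
    0x0001, 0x0002, 0x0008, 0x0080)
# Generic bits plus the two special bits discussed at the end of the section.
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = (
    0x80000000, 0x40000000, 0x20000000, 0x10000000)
ACCESS_SYSTEM_SECURITY, MAXIMUM_ALLOWED = 0x01000000, 0x02000000

# Generic_read on a file object maps to exactly the five bits the text lists.
FILE_GENERIC_READ = (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA
                     | FILE_READ_ATTRIBUTES | FILE_READ_EA)
FILE_MAPPING = {GENERIC_READ: FILE_GENERIC_READ}  # other generics left out


@dataclass
class Ace:
    kind: str   # "allow" or "deny"; position in the DACL matters
    sid: str
    mask: int   # standard + object-specific bits, never generic ones


@dataclass
class Token:
    user_sid: str
    group_sids: frozenset
    enabled_privileges: frozenset = frozenset()  # all disabled until enabled


def map_generic(desired: int, mapping: dict) -> int:
    """Replace each mapped GENERIC_* bit with the object type's own bits.
    A generic bit with no mapping stays in the request, so no ACE can ever
    satisfy it and the request fails instead of silently succeeding."""
    specific = desired
    for generic_bit, specific_bits in mapping.items():
        if desired & generic_bit:
            specific = (specific & ~generic_bit) | specific_bits
    return specific


def access_check(token: Token, dacl, desired: int, mapping=FILE_MAPPING):
    """Walk an ordered DACL for a token. Returns (granted?, rights mask)."""
    # Access_System_Security needs an ACE bit AND the privilege enabled in the
    # token; SeSecurityPrivilege is assumed here to be that privilege.
    unprivileged = 0
    if "SeSecurityPrivilege" not in token.enabled_privileges:
        unprivileged = ACCESS_SYSTEM_SECURITY
        if desired & unprivileged:
            return False, 0
    want_max = bool(desired & MAXIMUM_ALLOWED)
    desired = map_generic(desired & ~MAXIMUM_ALLOWED, mapping)
    if dacl is None:               # no DACL at all: nothing protects the object
        return True, desired
    sids = {token.user_sid} | set(token.group_sids)
    granted = denied = 0
    for ace in dacl:               # an empty DACL, by contrast, grants nothing
        if ace.sid not in sids:
            continue
        if ace.kind == "deny":
            if not want_max and ace.mask & desired & ~granted:
                return False, 0    # deny hitting a still-wanted bit ends the scan
            denied |= ace.mask & ~granted   # bits allowed earlier stay allowed
        else:
            granted |= ace.mask & ~denied
        if not want_max and not desired & ~granted:
            return True, desired   # everything asked for is granted: stop early
    if want_max:                   # option 3 in the text: whatever the DACL allows
        granted &= ~unprivileged
        ok = not desired & ~granted
        return ok, (granted if ok else 0)
    return False, 0


# Constructed sample: one file's DACL and the same user with and without the
# audit privilege enabled. The deny for the Users group is deliberately first.
FILE_DACL = [
    Ace("deny", "S-Users", FILE_WRITE_DATA),
    Ace("allow", "S-Everyone", FILE_GENERIC_READ),
    Ace("allow", "S-wyze1", FILE_WRITE_DATA | WRITE_DAC | ACCESS_SYSTEM_SECURITY),
]
GROUPS = frozenset({"S-Users", "S-Everyone"})
WYZE1 = Token("S-wyze1", GROUPS)
WYZE1_AUDIT = Token("S-wyze1", GROUPS, frozenset({"SeSecurityPrivilege"}))


def demo():
    return {
        "read": access_check(WYZE1, FILE_DACL, GENERIC_READ),
        "write": access_check(WYZE1, FILE_DACL, FILE_WRITE_DATA),  # deny wins
        "wdac": access_check(WYZE1, FILE_DACL, WRITE_DAC),
        "max": access_check(WYZE1, FILE_DACL, MAXIMUM_ALLOWED),
        "sacl": access_check(WYZE1, FILE_DACL, ACCESS_SYSTEM_SECURITY),
        "sacl+priv": access_check(WYZE1_AUDIT, FILE_DACL, ACCESS_SYSTEM_SECURITY),
        "null dacl": access_check(WYZE1, None, FILE_WRITE_DATA),
        "empty dacl": access_check(WYZE1, [], GENERIC_READ),
    }


if __name__ == "__main__":
    for name, (ok, mask) in demo().items():
        print(f"{name:10s} {'granted' if ok else 'DENIED':8s} 0x{mask:08x}")
```

Swapping the deny ACE behind the user's allow ACE flips the "write" result, which is the ordering point the text makes about scanning until a specific grant or deny is reached.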
:: ::
:: Right, now that we've covered the basic security mechanisms of Win NT, ::
:: lets head on to take a look at process management. Probably the biggest ::
:: factor that has affected Windows NT threading and process management, ::
:: has been the need to support binaries from several different ::
:: environments, including Win 9x, OS/2, POSIX and, obviously enough, WinNT ::
:: itself. :] ::
:: ::
:: So each OS subset would become a single process on the WinNT native ::
:: process management system, which is fairly simple and has the following ::
:: important characteristics... ::
:: ::
:: * NT processes are implemented as objects ::
:: * An executable process may contain one or more threads ::
:: * Process and thread objects have built-in synchronization abilities ::
:: * The NT kernel maintains no relationships among the processes ::
:: ::
:: The access token controls whether or not the process can change its own ::
:: attributes. Whether or not the process may have a handle to the access ::
:: token is determined by the security system. Also, related to the process ::
:: are a series of blocks which define the virtual address space assigned ::
:: to this process. No process, no matter what privileges it has, will be ::
:: permitted to change these blocks. It must rely on the virtual memory ::
:: manager to do that for it. ::
:: ::
:: Mmmm. I have to be honest, I don't feel like finishing this article and ::
:: because it's just a corny H/P zine and nothing which affects my life I ::
:: hearby end it, coz I feel like doing so. :) Hehehe, don't worry, I'll ::
:: carry on with our study of Windows NT next issue, if enough people are ::
:: interested in it. If you are, mail me and let me know. 8) ::
:: ::
:: --=====-- ::
:: <lusta> im doin' route now, heh ::
:: <Pneuma> wyze1 ::
:: <Pneuma> isn't it weird ::
:: <Pneuma> that "lusta" is an anagram for "aslut" ::
:: --=====-- ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO (Ab)using Offline HTTP/FTP services by Wyzewun Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: Hmmm, way back in yonder BBS days (which wasn't actually that long ago ::
:: for me - I only bothered moving to the Internet about two years ago) I ::
:: learnt how to access WWW, Gopher, FTP, etc. through e-mail. Apparently ::
:: people don't know how to do this. =) So, I decided to write a little ::
:: article on how to use and abuse of these services. ::
:: ::
:: Let's start with taking a look at accessing the web, because it is the ::
:: most common use for the Internet, and because Agora, the software most ::
:: commonly used to access it offline, is quite commonplace. Right, so how ::
:: does one use an Agora server? Here's the explanation for the impatient.. ::
:: ::
:: Send mail to the Agora server (eg. agora@dna.affrc.co.jp) with a message ::
:: body that looks something like... ::
:: ::
:: www ::
:: send http://www.antionline.com/hello-jp-you-dumb-fag.html ::
:: ::
:: And that's it. Simple enough, huh? The rsend command is used in a similar ::
:: way, except that you can specify the return address, so it will send to ::
:: whoever you want. Like so: "rsend gaypee@antionline.com URL". However, ::
:: because this command is commonly abused, most places disable it. Like ::
:: that really helps. :) But anyway, FTP is much better to abuse if yer ::
:: gonna do something lame, because 30MB files are always more impressive ::
:: than small little text-only webpages. :) ::
:: ::
:: Right, go forth and... errr... Waste your time on the web. =P These are ::
:: some good Agora servers. Send a message with "help" in the subject line ::
:: and they should cough up some decent information... ::
:: ::
:: agora@dna.affrc.go.jp ::
:: agora@kamakura.mss.co.jp ::
:: agora@info.lanic.utexas.edu ::
:: ::
:: Other non-agora HTTP through e-mail servers available can be found at ::
:: webmail@www.ucc.ie and w3mail@bagheera.gmb.de which use GO and GET ::
:: respectively instead of SEND. ::
:: ::
:: Now, FTPMail is pretty much exactly like using the UNIX ftp client. Only ::
:: remotely. :) The following is example usage of an ftpmail server (this ::
:: would be the body of the message) ::
:: ::
:: open ftp.technotronic.com ::
:: dir ::
:: quit ::
:: ::
:: That would just log into the appropriate FTP site, get a directory ::
:: listing and mail it back to you. Should we want a file, for example, the ::
:: very popular Legion NetBIOS Scanner, we would type... ::
:: ::
:: open ftp.technotronic.com ::
:: chdir /rhino9-products ::
:: binary ::
:: get legion.zip ::
:: quit ::
:: ::
:: And the file will come to you through e-mail UUEncoded. :) Once again, ::
:: sending "help" in the subject line for the server you are using will ::
:: help a lot. :) The following are some FTPMail daemons... ::
:: ::
:: bitftp@vm.gmd.de ::
:: ftpmail@ftp.uni-stuttgart.de ::
:: ftpmail@ieunet.ie ::
:: bitftp@plearn.edu.pl ::
:: ftpmail@archie.inesc.pt ::
:: ftpmail@ftp.sun.ac.za ::
:: ftpmail@ftp.sunet.se ::
:: ftpmail@ftp.luth.se ::
:: ftpmail@NCTUCCCA.edu.tw ::
:: ftpmail@oak.oakland.edu ::
:: ftpmail@sunsite.unc.edu ::
:: ftpmail@decwrl.dec.com ::
:: bitftp@pucc.princeton.edu ::
:: ftpmail@ftp.Dartmouth.EDU ::
:: ftpmail@census.gov ::
:: ftp-request@netcom.com ::
:: ftpmail@src.doc.ic.ac.uk ::
:: ::
:: Right, I could go on and on and on, but this was a last minute article ::
:: and I don't have time to explain Gopher, Usenet etc. access offline. Any ::
:: questions or comments -- don't hesitate to mail me at w1@antioffline.com ::
:: ::
:: --=====-- ::
:: --=====-- ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO A Guide to playing with gawk by Wyzewun Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: I was shocked at the number of people who don't know how to use (g)awk ::
:: properly, so I decided to write up a guide to getting started with gawk ::
:: for text formatting or whatever. Oh, I generally refer to gawk, but if ::
:: you have an ancient *nix then you may have another version, but awk will ::
:: probably symlink to it anyway. Here's a little chart of the evolution of ::
:: the awk utility... ::
:: ::
:: awk ------> nawk ------> POSIXawk ------> gawk ::
:: ::
:: Right, so lets try some simple stuff with awk first. Probably the most ::
:: commonly known thing that one can do with awk is format columns. For ::
:: example, the output of a command like host -l gov.za would have an ::
:: output that looks like this... ::
:: ::
:: <stuff cut out> ::
:: gp.gov.za has address 196.254.66.6 ::
:: <stuff cut out> ::
:: ::
:: Now, we want to format the output of our host command and save the IP ::
:: addresses to a file called lame. We would type something to the effect ::
:: of host -l gov.za | gawk '{print $4}' > lame ::
:: ::
:: We are telling awk to print the fourth column only, thus the $4, and so ::
:: we will end up with a list of all the IPs with .gov.za hostnames. ;) ::
:: ::
:: Obviously, the above is used by script kiddies a helluva lot, so they ::
:: can use their l33t0 mscan across a third of the internet, in the hope ::
:: that they'll find some lame .edu host that they can root and feel elite. ::
:: *Sigh* So lets look at some more useful stuff, shall we? It won't help ::
:: you pointlessly compromise machines, but it may help you become a ::
:: proficient Unix user (imagine that). ::
:: ::
:: Okey Dokey, awk can count the number of columns as well. We could've ::
:: done this with the previous example by typing something like ::
:: host -l gov.za | gawk '{print NF ": " $0}' ::
:: ::
:: We are telling awk to print the number of fields (print NF), followed by ::
:: a colon and a space (": "), right at the beginning of each line of text ::
:: ($0), so we get an output that will look like... ::
:: ::
:: 4: gp.gov.za has address 196.254.66.6 ::
:: ::
:: You can use *awk for counting lines as well, instead of wc -l, by using ::
:: NR instead of NF. ::
:: ::
:: I also find gawk useful for finding strings in files, when grep can't ::
:: quite cut it. I could do something like gawk '/wyze1/' /etc/passwd and ::
:: I would get an output like this... ::
:: ::
:: wyze1:x:2005:12:wyze1:/home/wyze1:/bin/tcsh ::
:: drew:x:2006:13:wyze1:/home/drew:/bin/tcsh ::
:: ::
:: So, I hear you saying "So What? I can do that with grep!" Sure. You can. ::
:: But say you were only looking for the username wyze1 and not that drew ::
:: account which has wyze1 as the real name and not the username, you can't ::
:: do that with grep, can you? So, we use awk and do something like ::
:: gawk -F: '$1 ~ /wyze1/' /etc/passwd then I will only get the wyze1 ::
:: account. Easy, huh? =) ::
:: ::
:: Say I have given myself 500 pointless accounts on my box, and have ::
:: specified "Wyzewun" as the Real Name for some & "Wyze1" for others. Now, ::
:: to make things more difficult, the Real Name for some other accounts ::
:: which I DON'T want have been set as "NotSoWyze1" and "AnythingButWyze1", ::
:: so grep will find all sorts of accounts I don't want. So, I decided to ::
:: do something like gawk -F: '$5 ~ /^Wyze/' /etc/passwd and I only find ::
:: the accounts that I want because I specified that the field must begin ::
:: with "Wyze" (the ^ anchors the match to the start) and end with anything. ::
:: ::
:: Now, you can also write *awk programs using BEGIN and END blocks, and it ::
:: becomes in many places much like a proper programming language. BEGIN ::
:: blocks are used for initializing variables and END blocks are used for ::
:: things that are input dependent, like totals. Lets make an example ::
:: program to find all users on the system with the username or real name ::
:: "drew" on our machine... ::
:: ::
:: BEGIN { ::
:: FS = ":" # /etc/passwd separates stuff with colons, remember? ::
:: OFS = "\t" # set the output field separator to a tab ::
:: print "Username", "Real Name" ::
:: } ::
:: /drew/ {print $1, $5} ::
:: ::
:: We then save this file as fk_is_lame.awk and then invoke it by typing ::
:: gawk -f fk_is_lame.awk /etc/passwd and get an output like... ::
:: ::
:: Username Real Name ::
:: wizdumb drew ::
:: drew wyze1 ::
:: ::
:: Easy enough. :) If we wanted to do something with an end tag we could ::
:: rewrite the program like this... ::
:: ::
:: BEGIN { ::
:: FS = ":" # /etc/passwd separates stuff with colons, remember? ::
:: OFS = "\t" # set the output field separator to a tab ::
:: print "Username", "Real Name" ::
:: } ::
:: /drew/ {print $1, $5 ; counts++} ::
:: END {print counts " accounts found."} # END's { must be on the same line ::
:: ::
:: So our output will then look something like... ::
:: ::
:: Username Real Name ::
:: wizdumb drew ::
:: drew wyze1 ::
:: 2 accounts found. ::
:: ::
:: You can also do comparisons in awk, with the same operators you use in ::
:: C, C++, Java, whatever. (==, <, >, <=, >=, !=, ~, !~). The only ::
:: unfamiliar stuff there should be ~ and !~ which represent matched by and ::
:: not matched by respectively. And if that other stuff isn't familiar, I ::
:: highly recommend that you start learning to code, not only is it an ::
:: extremely rewarding experience, but it is damn useful, whether you're ::
:: involved in the computer underground or not. ::
:: ::
:: Another really powerful feature of awk is that a pattern can be any ::
:: expression, not just a regex, including Range Patterns of the form ::
:: start, end which print every record from the one matching start up to ::
:: the next one matching end. Say I have access to an employee record sheet ::
:: which follows a pattern something like Name:Employee ID:Salary that ::
:: looks like... ::
:: ::
:: Drew:666000:14000 ::
:: Koos:231876:100 ::
:: John:967123:18000 ::
:: Marc:000666:16000 ::
:: ::
:: I want to view all employees with a salary between 13000 and 17000 per ::
:: month. A range pattern would only fire if records with exactly 13000 and ::
:: 17000 turned up in that order, so I compare the field instead and type... ::
:: ::
:: gawk -F: '$3 >= 13000 && $3 <= 17000 {print $1, $3}' list ::
:: ::
:: And my result is... ::
:: ::
:: Drew 14000 ::
:: Marc 16000 ::
:: ::
:: I could also do something simpler like printing all people with a salary ::
:: less than R1000 with standard operators, like $3 < 1000 would only ::
:: print Koos's details. ::
:: ::
:: We could do that using an if statement (run against the list with -F: as ::
:: before), like so... ::
:: ::
:: { if ($3 < 1000) ::
:: print $1 " is such a loser" ::
:: else ::
:: print $1 " is such a pimp" } ::
:: ::
:: Drew is such a pimp ::
:: Koos is such a loser ::
:: John is such a pimp ::
:: Marc is such a pimp ::
:: ::
:: You can also use the shorthand ? : style if then else statement as used ::
:: in C/C++ and Java, which I personally prefer. ::
:: ::
:: Errr... I really don't have time to finish this article and there's a ::
:: whole bunch of stuff that I haven't covered. Hrmm. I'll make a sequel ::
:: some time, okay? ;) ::
:: ::
:: --=====-- ::
:: <WGM> Don't code Java man!!! ::
:: <WGM> Total MS-run Crap!! ::
:: <WGM> Code Delphi instead, less MS-based ::
:: --=====-- ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO The South African Identity Document Number System by Pneuma Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: Every so often, I see some kiddie busted for fraud, and it is proven ::
:: that the most frequent cause of this is entering a wrong ID number. This ::
:: information does not endorse fraud and the user of this information is ::
:: liable for all misuse. The ID number consists of 13 numerical digits and ::
:: is divided into 4 groups of numbers, namely the first 6 digits, the next ::
:: four digits, the next 2 digits and the last digit. The groups of digits ::
:: each mean something that should be taken into account. ::
:: ::
:: Structure of ID number: ::
:: YYMMDD SSSS PP C ::
:: 111111 2222 33 4 ::
:: Date of Birth______| | | |_____ Control Digit ::
:: Sex ___ | |____Population Group ::
:: ::
:: 1) The first six digits represent the date of birth of the number holder ::
:: in the order YYMMDD, first two digits indicating year, next two month and::
:: last two day. ::
:: ::
:: 2) The following four digits are a serial number and indicate the sex of ::
:: the number holder. If the number is between 0001 and 4999, the holder is ::
:: female, if the number is above 5000 then he is male. ::
:: ::
:: 3) The third group represents the population group and citizenship of ::
:: the holder and is a fixed number, as shown in the following: ::
:: ::
:: Population group S.A. Citizen Non-S.A. Citizen ::
:: ^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^ ::
:: i) White 00 10 ::
:: ii) Cape Coloured 01 11 ::
:: iii) Malay 02 12 ::
:: iv) Griqua 03 13 ::
:: v) Chinese 04 14 ::
:: vi) Indian 05 15 ::
:: vii) Other Asian 06 16 ::
:: viii) Other Coloured 07 17 ::
:: ::
:: 4) The last (13th) digit is a control digit forming part of the number. ::
:: ::
:: [ Note from Wyzewun: Nobody is told what the function of the "control ::
:: digit" is. It's simply there. :/ It's my assumption that it's used to ::
:: store information such as Code 9 == political activist, be sure to tap ::
:: his phone or something. This would also make sense as my ID number was ::
:: changed recently :> ] ::
:: ::
:: Notes: ::
:: ^^^^^^ ::
:: 1) Make sure your Date of Birth and the first four digits correlate. ::
:: ::
:: 2) Make sure your sex and name correlate to the second group and do not ::
:: use 0000. The best option is to use an random number such as 6483 etc. ::
:: ::
:: 3) Make sure your surname correlates to your cultural group. ::
:: ::
:: 4) Be wary of using 0 or 9 for the control digit as these are uncommon, ::
:: good numbers are 4,5,6 or 7 ::
:: ::
:: Digression: ::
:: ^^^^^^^^^^^ ::
:: 1) The format of the Date offers an interesting debate on Y2K issues. ::
:: For instance, what will happen to people, who are born after 2000, will ::
:: they receive a pension for being over 100 years old from the day they are::
:: born? Will people born in 1900 stop receiving their pensions as they are::
:: newly born? Perhaps the government should re-evaluate this numbering ::
:: system and soon. :P ::
:: ::
:: 2&3) This is racism and sexism flourishing in the new South Africa, even ::
:: worse, it happens to be the old era kind. Why is there no African or ::
:: Black population group? Why do we even classify a person's race? The same::
:: goes for sex. Is this form of Big Brother classification and surveillance ::
:: necessary? ::
:: ::
:: 3) The format restricts the amount of people who can be born in one day ::
:: to 5000 per sex and cultural group. What happens if more are born on one ::
:: day? ::
:: ::
:: Conclusion: ::
:: ^^^^^^^^^^^ ::
:: As you can see, this format is straightforward, albeit extremely flawed. ::
:: Perhaps in time some politicians will change this system and I will be ::
:: able to revise this article. ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Defeating Portscan Detection by Wyzewun Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: There are a variety of tools available for detecting Portscans on Unix ::
:: systems, the most popular of which are probably Port Sentry by Psionic ::
:: <http://www.psionic.com/tools> and scanlogd by Solar Designer which can ::
:: be found somewhere on ftp.technotronic.com/unix ::
:: ::
:: This article will focus on defeating these utilities, but you may very ::
:: well benefit from being familiar with them yourself. If you haven't ::
:: looked at scanlogd or port sentry then I suggest you read T0uchT0ne's ::
:: article in Issue Eight of Keen Veracity. ::
:: ::
:: Basically, detecting a portscan done by someone with a brain is pretty ::
:: hard unless you have a brain as well. ;) All portscan detection tools ::
:: work on the same principle of just detecting SYNs, FINs or whatever ::
:: going to ports too fast. Look at this for example, from Solar Designer's ::
:: scanlogd 1.3 for Linux... ::
:: ::
:: #define SCAN_COUNT_THRESHOLD 10 ::
:: #define SCAN_DELAY_THRESHOLD (CLK_TCK * 3) ::
:: ::
:: Most people won't modify this. Basically, it means that for the alarm to ::
:: be triggered, at least 10 ports must be scanned with no longer than ::
:: SCAN_DELAY_THRESHOLD between each port. ::
:: ::
:: So, we could abuse that time-out function quite easily if we were to ::
:: modify our portscanner (I'll take my own Portscan.java as an example ::
:: because it is very simplistic and easy for someone with next to no ::
:: knowledge of coding to understand ;P) to have just over that delay ::
:: in between ports. (eg. we hack the code of ScanThread.java) ::
:: ::
:: // The original loop in ScanThread.java: ::
:: for (;;) { // Endless loop ::
:: port=sync.take(); // Get Port Number to scan ::
:: ::
:: // The hacked loop: i is an int instance variable starting at 0 ::
:: for (;;i++) { // Endless loop + Increment instance variable ::
:: if (i == 9) { // If this is the 9th Port (== to compare, not =) ::
:: try { Thread.sleep(10000); } // Wait 10 seconds ::
:: catch (InterruptedException e) { } // (sleep() must be caught in Java) ::
:: i = 0; } // And reset instance variable ::
:: port=sync.take(); // Get Port Number to scan ::
:: ::
:: And so our scan doesn't show up. ;P Of course, because this is a lame ::
:: TCP/Connect Portscanner it will show up in files like /var/log/secure ::
:: but not in the actual scanlogd logs. Were we to modify a SYN, FIN, XMAS ::
:: or NULL portscanner, this would completely evade detection. Also note ::
:: that this will only work if you run my scanner with *one* thread. The ::
:: default of 20 will fuck things up. Bigtime. ;) ::
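As an added example for this article (it is not scanlogd's code, nor anything out of Portscan.java), here is the threshold logic described above simulated in Python, so you can see exactly which timings trip it. GapDetector does what the two scanlogd defines say: count ports per source and forget them once probes are more than SCAN_DELAY_THRESHOLD apart. WindowDetector is the defender's answer once the batch-and-sleep trick is understood: count distinct ports per source over a long window, so pausing no longer helps (at the cost of more false alarms from slow legitimate clients). The class names, the source address and every timestamp below are constructed for the example.

```python
"""Threshold portscan detection modelled on the two scanlogd constants quoted
in the article (SCAN_COUNT_THRESHOLD = 10 ports, SCAN_DELAY_THRESHOLD = 3 s).

Added example, not scanlogd's own code. The per-source bookkeeping, the
long-window variant and all packet timings are constructed for illustration."""

SCAN_COUNT_THRESHOLD = 10     # distinct ports before an alert is raised
SCAN_DELAY_THRESHOLD = 3.0    # seconds; a longer gap makes the detector forget


class GapDetector:
    """scanlogd-style: count ports per source, reset when probes are too far
    apart. Evaded by pausing longer than `delay` every `count - 1` ports."""

    def __init__(self, count=SCAN_COUNT_THRESHOLD, delay=SCAN_DELAY_THRESHOLD):
        self.count, self.delay = count, delay
        self.last = {}     # src -> timestamp of the last probe seen
        self.ports = {}    # src -> set of distinct ports since the last reset
        self.alerts = []   # (src, timestamp, ports) for every alert raised

    def feed(self, src, port, ts):
        if src in self.last and ts - self.last[src] > self.delay:
            self.ports[src] = set()          # gap too long: start counting afresh
        self.last[src] = ts
        seen = self.ports.setdefault(src, set())
        seen.add(port)
        if len(seen) >= self.count:
            self.alerts.append((src, ts, sorted(seen)))
            self.ports[src] = set()          # one alert per burst
            return True
        return False


class WindowDetector:
    """Defender's counter-measure: count distinct ports per source over a
    long sliding window, so pauses between probes no longer help."""

    def __init__(self, count=SCAN_COUNT_THRESHOLD, window=600.0):
        self.count, self.window = count, window
        self.events = {}   # src -> list of (ts, port) still inside the window
        self.alerts = []

    def feed(self, src, port, ts):
        hist = [(t, p) for (t, p) in self.events.get(src, [])
                if ts - t <= self.window]
        hist.append((ts, port))
        self.events[src] = hist
        distinct = {p for (_, p) in hist}
        if len(distinct) >= self.count:
            self.alerts.append((src, ts, sorted(distinct)))
            self.events[src] = []
            return True
        return False


def probe_times(nports, gap, batch=None, pause=0.0):
    """Constructed timeline: one probe every `gap` seconds; if `batch` is set,
    sleep `pause` extra seconds after every `batch` ports (the article's trick).
    Returns a list of (port, timestamp)."""
    ts, out = 0.0, []
    for i in range(nports):
        if batch and i and i % batch == 0:
            ts += pause
        out.append((1 + i, ts))
        ts += gap
    return out


def alerts_for(detector, timeline, src="192.0.2.10"):   # RFC 5737 test address
    """Replay a timeline through a detector and return how many alerts fired."""
    for port, ts in timeline:
        detector.feed(src, port, ts)
    return len(detector.alerts)


if __name__ == "__main__":
    timelines = {
        "fast":    probe_times(20, gap=0.2),                       # plain scan
        "slow":    probe_times(20, gap=3.5),                       # over the delay
        "batched": probe_times(27, gap=0.2, batch=9, pause=10.0),  # 9 ports, sleep
    }
    for name, tl in timelines.items():
        print(f"{name:8s} gap-detector alerts={alerts_for(GapDetector(), tl)}"
              f"  window-detector alerts={alerts_for(WindowDetector(), tl)}")
```

Run it and the fast scan trips both detectors, the slow scan and the batched scan slip past GapDetector entirely, and WindowDetector catches all three. The price of the window approach is exactly what the article hints at: the longer the window, the more ordinary clients that touch a handful of ports over an hour start to look like scans, so the count threshold has to be tuned per host.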
:: ::
:: Port Sentry is quite nice (And quite evil) in that it not only logs the ::
:: scan, but adds the portscanner to /etc/hosts.deny so they cannot connect ::
:: to any further ports. It allows you to make a file called hosts.ignore ::
:: so that people cannot spoof a scan as your upstream router and thus ::
:: block your connection. BUT, you're not going to put the whole damn ::
:: internet into your hosts.ignore, right? That's why we have killsentry.c ::
:: by Vortexia in this issue - To show that automatic firewalling is a ::
:: really dumb idea. :) ::
:: ::
:: As a rule of thumb, the longer you wait, the safer you are. Got time? ::
:: Put in a fucking 2 minute delay, screen it, and log out. Also, TCP ::
:: portscanners like Portscan.java or any Winblows portscanner won't be ::
:: useful against hosts that have been actively secured. Why? Well, they ::
:: could make a script that adds anyone connecting to Port 1 to hosts.deny ::
:: with a few alterations to their /etc/inetd.conf (Don't know how to do ::
:: this? Read Vortexia's article in FK3). Also, please note that a system ::
:: like this is more secure than Port Sentry or whatever because connect() ::
:: portscans can't be spoofed. (Well, there are other ways to mask them, ::
:: such as abusing WinNT's bad TCP/IP sequencing or at least spoofing DNS ::
:: but those are completely different stories) ::
:: ::
:: So, finally, the conclusion. You *cannot* stop people from portscanning ::
:: you. You can get in their way, block them, send them abuse mail, do ::
:: whatever the hell you like. But you cannot stop them. So, my suggestion ::
:: would be to not bother chasing after portscanners as actively, and ::
:: spending your extra time making sure your system is secure to all those ::
:: who actually managed to get their scans through. ;) ::
:: ::
:: --=====-- ::
:: <walla_walla> whos elete????????? ::
:: <walla_walla> whos elete????????? ::
:: <walla_walla> whos elete????????? ::
:: <M-|A> sowwy not me ::
:: <Pneuma> walla, no-one on this channel is called elete ::
:: <Pneuma> we have an enoxier, thats probably the closest ::
:: <Pneuma> but if there is, shame du0d, what a name ::
:: <M-|A> yeah ::
:: <walla_walla> anyone a fairly good hacker here??? ::
:: --=====-- ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO "Martha, The pigs are restless again" by Wyzewun Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: Well, I've been associating with evil syndicate people again, and have ::
:: found out some pretty shocking stuff, which I figured I should put here ::
:: as it is in direct breach of all which hackers stand for. ::
:: ::
:: As you may (not) know, a group codenamed "The Scorpions" has been formed ::
:: lately. These people, although government run, are independent of the ::
:: SAPS, and thus really the South African equivalent of the FBI, and in ::
:: fact have very strong connections in the FBI itself (*gulp*). They will ::
:: be handling mostly intelligence related stuff, and probably will be the ::
:: people we will see raiding half of the ZA hacking scene in the ::
:: not-so-distant future. They're also the same people who have been ::
:: listening to the private phonecalls of most of the FK staff long before ::
:: they even "existed". ::
:: ::
:: Ever read 1984? It seems the Scorpions have. Big brother is alive and ::
:: well in South Africa, under our new "enlightened" government. Now, next ::
:: time you are driving on the highway (and especially at the turnoffs), ::
:: look at the street lights, near-ish the top, about .75 of a meter from ::
:: the top. Then wave hello to the camera. ::
:: ::
:: Next time you walk into a large office building, look at the surveillance::
:: cameras - you will notice some of them are different. Why? Because they ::
:: weren't put there by security! Another item of handiwork by the ::
:: Scorpions. ::
:: ::
:: Basically, the gist of it is that by filming next to everything, when ::
:: an individual is suspected of something, the evidence is right at hand. ::
:: There are video and audio records of next to everything. ::
:: ::
:: Well, it's all good and well that the government is wasting their money ::
:: on something other than cocaine, but I for one find things like this ::
:: completely unacceptable. I feel it to be an invasion on the privacy of ::
:: others, and an infringement on the rights of those who are watched ::
:: without them knowing. ::
:: ::
:: Thus, I resolve to smash the camera that films the Johannesburg 2600 ::
:: meetings (2600Za/Posthuman) every month, until they decide to go and ::
:: spend their money on something else - like hospitals. And if that means ::
:: I have to smash it 24 times over 2 years, so be it - but I will not ::
:: tolerate this invasion of my privacy. And you shouldn't tolerate the ::
:: invasion on yours either. ::
:: ::
:: --=====-- ::
:: --=====-- ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Coding simple Sockets in Perl by jus Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: This article assumes that you already know a little perl, and it's not ::
:: difficult at all to read a few docs and pick it up. I suggest ::
:: www.perl.com/www.cpan.org for a large resource of information. ::
:: ::
:: <Wyzewun: You may also have NoU Issue Two or f41th Issue Seven which ::
:: both have introductions to perl in them. Read those.> ::
:: ::
:: - Sockets? - ::
:: Sockets are the de facto standard for making network connections over ::
:: TCP/IP. They work by connecting a socket on the local machine to a socket::
:: on a remote machine, and then swapping information. This short article ::
:: explains simple use of the IO::Socket socket interface included with ::
:: perl on most unix type systems; it assumes a basic understanding of ::
:: networking. ::
:: ::
:: - Opening/Closing a Socket - ::
:: The syntax to create a socket is as follows :- ::
:: ::
:: use IO::Socket; ::
:: $varname = IO::Socket::INET->new(Parameters) or die "Can't open socket\n";::
:: close $varname; ::
:: ::
:: The parameters are a combination of the following :- ::
:: ::
:: PeerAddr - Remote Host Address ::
:: PeerPort - Remote Host Port ::
:: LocalAddr - Local Host bind address ::
:: LocalPort - Local Host bind port ::
:: Proto - Protocol to use (TCP, UDP..) ::
:: Type - Socket Type(SOCK_STREAM, SOCK_DGRAM..) ::
:: Listen - Queue for listen ::
:: Timeout - Timeout value for various operations ::
:: ::
:: It's not necessary to pass them all though; it depends on the type of ::
:: socket you are creating, client or server. A client makes a connection to::
:: a remote socket, whereas a server waits for incoming connections from ::
:: remote machines. ::
:: ::
:: - Using Sockets - ::
:: The requirements for a Server socket are "Proto" - the protocol to use, ::
:: "LocalPort" - the port to wait on for a connection and "Listen" - the ::
:: number of connections to queue before refusing more. ::
:: ::
:: For a client "Proto" - the protocol, "PeerAddr" - the remote machine's IP::
:: address, and "PeerPort" - the remote port to connect to, must be given. ::
:: ::
:: Here's an example :- ::
:: ::
:: #!/usr/bin/perl ::
:: #Perl Socket Coding Demonstration by jus ::
:: ::
:: use strict; ::
:: use warnings; ::
:: use IO::Socket; ::
:: ::
:: #Make Client connection to localhost port 21 and display output. On ::
:: #failure IO::Socket leaves the reason in $@, so we print it. ::
:: my $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1", ::
:: PeerPort=>"21") or die "Failed to open socket: $@\n"; ::
:: #Print output, note that the output has to be globbed (read with <>). If ::
:: #you are running an ftpd on your machine you should see something like ::
:: #FTPD VERSION x READY. ::
:: my $crud = <$socket>; ::
:: print $crud if defined $crud; ::
:: close $socket; ::
:: ::
:: #Make Server waiting on port 12345 and display input received. ReuseAddr ::
:: #lets you restart the script without waiting for the old port to free up.::
:: $socket = IO::Socket::INET->new(Proto=>"tcp", LocalPort=>"12345", ::
:: Listen=>"1", ReuseAddr=>1) or die "Failed to bind port 12345: $@\n"; ::
:: #We call the accept function of the socket to put it into wait mode. ::
:: my $connection = $socket->accept or die "accept failed: $!\n"; ::
:: #The following is just to auto flush the buffer for compatibility with ::
:: #older perl versions. ::
:: $connection->autoflush(1); ::
:: #Loop waiting for input, when found print. Note globbing is required. ::
:: while (<$connection>) ::
:: { ::
:: print; ::
:: } ::
:: #close takes one handle at a time, so close both separately. ::
:: close $connection; ::
:: close $socket; ::
:: #This will loop waiting for input to display to screen until the client ::
:: #disconnects; just kill it with ^C when you get bored of watching 12345 ::
:: #:) An easy way to test is just to telnet localhost 12345 and type a few ::
:: #lines... ::
:: #EOF ::
:: ::
:: There's a simple example, you now know enough to send data from one ::
:: machine to another using the very portable and simple perl. If you would ::
:: like to make the code into a binary instead of having to use the perl ::
:: interpreter when running, "perlcc" is used to compile perl. Don't forget ::
:: to chmod u+x programname.pl to allow it to be executed. ::
:: ::
:: - jus(jus@blabber.net) ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Hackers and the Media by Wyzewun Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: I just finished watching a short documentary celebrating the 30th ::
:: birthday of the Internet in which the creator of the Internet talked ::
:: about how he was "unhappy with the dark side of the Internet - porn and ::
:: hacking" which I, personally, found extremely offensive. ::
:: ::
:: To think that "hacking" is shoved alongside with pornography and ::
:: all the other cracked up shit that happens on the internet saddens me ::
:: deeply. Why is it that we are given this image by the media? As much as ::
:: I would like to say that it is due to the fact that they are bored out ::
:: of their minds and have nothing better to do than to feed the public a ::
:: pack of lies, it is not. Their opinions are in fact very well founded. ::
:: ::
:: Think about it - what are the hacks that they'll see? The ones that have ::
:: been defaced by clueless kiddies, desperate to prove their eliteness to ::
:: all of their dumb, RedHat-toting friends. And it is this type of ::
:: behaviour, which is tearing the hacking scene apart at the seams. It ::
:: shows nothing more than a complete lack of maturity, moral integrity, or ::
:: respect for the internet. It is *NOT* what hacking is all about. ::
:: ::
:: Call me old-school, call me archaic, call me what you like - but I ::
:: firmly believe in never defacing a webpage with mindless garbage, ::
:: advertising to the world how fantastically elite me and my crew are. And ::
:: when push comes to shove, the people who get caught are the people who ::
:: defaced websites. (Does the name "mindphasr" ring a bell?) ::
:: ::
:: Many people argue that they just want to get a message to the admin and ::
:: don't want to mail them, to prevent being traced. *Ahem* Ever heard of ::
:: an anonymous remailer? Fuck that, want to be completely sure? Change ::
:: the fucking /etc/motd! It's Windows? Put a file called "READ THIS NOW ::
:: YOU FUCKHEAD.TXT" on the desktop, just don't go off and deface their ::
:: webpage. The only thing you are defacing is the media's image of the ::
:: hacking community as a whole and that is stupid as hell. I suggest you ::
:: think about this very seriously. Thank you. ::
:: ::
:: --=====-- ::
:: <JaWs> if i write my own script for mirc can i make it so i becum an op ::
:: without someone makeing me one ::
:: --=====-- ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Next Issue Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: The next Issue will be released sometime in December. Guess that means ::
:: it'll be the neato elito birthday issue then. Hmm, in a year, we have ::
:: gotten pretty good. Heh, I should be proud of me. Mmm. Still not good ::
:: enough though - but it shouldn't be too long before it is. ;-) ::
:: ::
:: Anyway, since it's our birthday - I expect you to mail me lots of beer, ::
:: birthday presents, MDMA, article submissions and any other dumb stuff ::
:: you feel like sending me at w1@macroshaft.org ::
:: ::
:: Strangely enough, December 1999 will be a first birthday month for FK, ::
:: HWA.hax0r.news *and* f41th. Guess the December of 1998 was a good time ::
:: for starting e-zines, eh? Props to D4rkcyde and HWA for picking such a ::
:: leet time to start an e-zine!@#$ :> ::
:: ::
:: The official Forbidden Knowledge mirrors are... ::
:: ::
:: Attrition -=- www.attrition.org ::
:: PacketStorm Security -=- packetstorm.securify.com ::
:: The E-Text Archives -=- ftp.etext.org ::
:: Posthuman Systems -=- Down Again (You suck Scarz :P) ::
:: ::
:: Hmm. Appears that there are distro sites which we just don't know about. ::
:: Please, if you run a distro site, please tell us, so that we can keep ::
:: you up-to-date with the latest issue - Thanks. ::
:: ::
:: Oh yeh, and I can't stress how much I need articles enuff. I'm a fscking ::
:: one-man zine team here. That's why it sucks so much. Werd. So give me ::
:: articles, and I'll, like, be eternally grateful or something. Peace out. ::
:: ::
:: www.posthuman.za.net /-=-/ w1@macroshaft.org ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::