--------------------------------------------------------------------------------
                         K e e n   V e r a c i t y
--------------------------------------------------------------------------------
                               I S S U E  (10)
                 L e g i o n s  o f  t h e  U n d e r g r o u n d
-------------------------------------------------[www.legions.org]--------------

[CONTENTS]------------------------------------------------------------[CONTENTS]

 [1]===========================================[Editorial - Digital Ebola ]
 [2]=================================================[KV Spam - The Readers ]
 [3]=====================================[Theory of Denial of Service - fejed ]
 [4]=================================================[Project Sp00fed - threx ]
 [5]=============================[KV10's 30 Second Useful Script - Digital Ebola ]
 [6]=================================[Booty Con 2000, Rubicon Account - sodium ]
 [7]======================================================[Spider DoS - fejed ]
 [8]====================================================[FTP Advisory - fejed ]
 [9]============================================[Women In Technology - Godess ]
[10]===================================[Expecting Mass Commands - Digital Ebola ]
[11]=====================================================[NT Logging - NtWak0 ]
[12]============================================[UNIX Autopsies - Digital Ebola ]
[13]================================================[One Large ISP - Anonymous ]
[14]=========================================[Simple HTTP Security - Phriction ]
[15]===============================================[Hacker Paladins - Raschid ]
[16]========================================[PERL Site Verification - Crater ]
[17]=====================================[Legions Survey - Gridmark/Phriction ]
[18]==============================[Guide to 0wning Your School - Gridmark ]
[19]===================================[OpenBSD Security Overview - David Jorm ]
[20]===============================================[Air Gapped Networks - dayzee ]
[21]=========================================================[TKblink - clocker ]
[22]==========================================================[TCP/UDP - dayzee ]
[23]===================================================[Teleconferencing - Vixen ]
[24]======================================[TCP IP Datagrams Explained - vortek ]
[25]=================================================[Parting Rant - The Editor ]
[26]==============================================[The Art of Selling Out - J-P ]

[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
                       W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]

[Editorial]======================================================[Digital Ebola]

Well, I have come to a revelation. After watching the billionth kiddie say
"3y3 4m 31337, j00 ph33r!", I started to do some really extensive thinking.
Where has the scene gone? I will tell you. Imagine a nice frosty bottle of
Guinness Stout. Imagine taking a drink, and it's like the most satisfying thing
on Earth. Now what happens when you finish it? You get to the bottom, and there
is this sour foam that just makes you want to puke. That sour foam resembles
the scene. Everyone in the tasty part of the bottle has gotten good jobs, grown
up, or left. What is left is the kiddies. The sour foam. Sometimes we may find
that some of the tasty part ends up on the bottom too. Do not drink this.

As you read this, you are telling yourself that digi is on crack, he has lost
his mind. Maybe I have, but the philosopher part of me has taken over, and now
I have to urge you, the competent reader, to savor the beer. Drink the beer,
and when you come to the sour foam, toss the bottle in the trash and go to the
fridge and get another. Do not let the sour foam prevent you from what you do
best. Do not let the sour foam drag you down.

Now that I have ranted, I now give you Keen Veracity 10.

[KV Spam]==========================================================[The Readers]

Date: Mon, 14 Aug 2000 02:42:34 -0700
From: Mercury
To: digi@legions.org
Subject: wintermute bbs

Hi there. I remember logging into your Wintermute BBS a while back and I'm
looking to set up a BBS now.
I was wondering what software you used for that bbs, or if you know of any
good unix bbs software.

Thanks
Mercury

/* Yah, the BBS is quite dead. I haven't decided whether to build it back. If
   you are looking to set one up, I recommend Daydream for Linux. It seems to
   be the most flexible, and is quick to set up. Plan on spending a lot of time
   with it still yet, as once started, the BBS is never quite finished.. =) */

Date: Thu, 17 Aug 2000 21:41:44 -0400
From: Robert Thomas
To: digi@legions.org
Subject: HELP

----------------------------------------
I NEED A HACKERS HELP, WILL PAY
THANKS

/* Money doesn't buy you everything... */

Date: Tue, 22 Aug 2000 19:51:27 EDT
From: Kawaboy7@aol.com
To: digi@legions.org
Subject: i think your site is great

I need help. Can you send me Roxy surfr 150 emails? She is my EX-g/f and I
want to hear about her new b/f.

/* Really now, is the bitch worth going to jail over? */

Date: Thu, 24 Aug 2000 05:49:45 GMT
From: nobody user
To: digi@legions.org
Subject: Question

Hello,

I was interested in finding out how to hack an IRC server, so you could add
your own O:lines and so forth. I haven't been able to find any information on
this. The only thing I could find was getting ChanOps in a channel when a
split happens, which doesn't work anymore. I read Keen Veracity, that is how I
found your e-mail address. Could you maybe give me any pointers, or tell me if
it could be done. I appreciate your time.

Thanks,
HACKIRC

/* OK. The only thing you can do to learn about how IRC servers work is to
   install one yourself. This means you should be setting up a UNIX machine of
   some type; probably Linux would be best for you, if you are not familiar
   with these types of operating systems. Once you have gotten that far, you
   should go to www.freshmeat.net and search for an IRC server. There are
   several; hybrid and bahamut are a couple that come to mind. Most of these
   are pretty much the same as far as layout. O:lines and such are kept in a
   file called ircd.conf.
   Read the docs, set up your server and get familiar with it. */

Date: Sun, 27 Aug 2000 17:43:35 +0100 (BST)
From: rakesh sud
To: digiebola@hackphreak.org
Subject: Hacking rsud@vsnl.com

Hello Guys,

I have been, for a month, trying to hack into an email account. I have
previously broken into hotmail accounts without that much difficulty. I send
the guys their passwords after that. It feels good. One bloke challenged me
and said it is impossible to hack into email accounts from India's ISP VSNL.
I took up the challenge but couldn't pull it off. Starting to believe now that
the guy who can do so has to be..... 'A GENIUS'.

Well, I now forward the challenge to you blokes. If any of you can hack into
the email 'rsud@vsnl.com', I will believe that you are 'the king'. But 'the
king' is if you are the first to hack it and let me know. 'The King' will
then be my guru and... I can do a lot of things for my guru. To start off
with, I would register a domain name (costing $35) for you, for free (only to
the first person). Do send the password to my email.

Best of luck all.

with love,
Joseph.

(The email to be hacked is rsud@vsnl.com.)

____________________________________________________________
Do You Yahoo!?
Get your free @yahoo.co.in address at http://mail.yahoo.co.in

/* If a kiddie is shot in the woods, does he make a sound? */

Date: Sun, 20 Aug 2000 19:42:42 -0900
From: Van Mortel
To: digiebola@hackphreak.org
Subject: Hacker

Hi, I'm a newbie in the domain of hacking and I want to know how to enter a
server or how I can hack.

Thank You
TeckForce

/* Find a search engine or read stuff like KV. */

Date: Mon, 14 Aug 2000 03:47:06 -0700 (PDT)
From: thecno trance
To: digiebola@hackphreak.org
Subject: help

need to hack a web page, where can i get the toolz? Please answer, you'll get
recompensation....

__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/

/* www.jackinworld.com is a good place to start... */

Date: Sat, 12 Aug 2000 16:20:36 -0400
From: Freaksta
To: digiebola@hackphreak.org
Subject: Can i be lame like you too?

How can I go about copywriting all my friends' ideas and then selling them
back to them for 30k?!

/* well, first I suggest you get some friends... */

[Theory of Denial of Service]================================[fejed@legions.org]

I'm writing on the topic of denial of service here... no, not ./winnuke or
anything like that, but a rather deeper, more thought-out possibility.

Ok, we all know what virus scanners do, don't we? Ok.. I'm sure a few people
that read this will have no clue (just for you people with no clue out there).
Here's the deal: virus scanners search through binaries (usually), or as an
option every file that is accessible to the scanner, looking for a specific
signature that is present in every copy of the virus, which it keeps in a
database that comes with the scanner. Some anti-virus software also scans for
signatures of programs that are often misused, say hack.exe, and tells the
clueless user that it's a virus, so he/she that downloaded his 31337 hack.exe
thinks it's a virus and deletes the file. Trojans are put under the title of
virii/viruses also, which I personally think is an incorrect use of the term,
but anyway, enough of that, let's get to the core of the situation.

Ok, let's say Bob downloads the source of every known virus that exists (x86
specific) that he can get his hands on, even all the early ones, like Junkie
and AIDS, then he compiles and links them with the same linker, to make stuph
simpler for himself. He then obtains a compression program, or uses his elite
hacker skills and codes one himself, that generates different signatures for
binaries on the fly, a different signature every time it is run; then he binds
the compressed virii with their different signatures to different programs.
Bob can now:

1. Penetrate a major software company's site (or something else large), and
   use their software to bind his duplicated virii to, say, a download site.
   Or he could penetrate Windows warez boxen, bind one virus to each, then
   let it spread.

2. Ok, he's got all of his virii all spiffy with their new signatures, ready
   to go, so Bob has his 20,000 or so virii; what's he going to do with all of
   them? Well, he's going to submit them to anti-virus companies, such as
   Anti-Viral-Pro (AVP), www.avp.com, "Virus Protection for the Real World."

Ok, if you chose number one, then I wish you luck; don't email me asking 'How
do I hack?', anything of that matter will most likely be ignored. If you chose
number 2, then you keep making new strains of old virii and re-submitting them
to companies. If we repeat the procedure quite a bit, then we'll be creating a
slight denial of service against everyone that downloads an anti-virus
program, because they'll be downloading around 200-400k more, at the least,
and if you continue with the attack of new virii, and many others do, then
we'll be getting into the area of a couple more megs; if we keep going, we may
eventually reach a gig. Also, having a larger database of signatures would
mean more CPU cycles needed to scan in the same time, and more space to store
the signatures; or again, if the signatures were stored remotely, then we'd be
using more and more bandwidth for each scan we do, which will ultimately take
more time. With all these factors being as such, technology advances with
time, but the user does not advance as fast, so the technology isn't as widely
used, meaning we have a slower process in most areas. Such is denial of
service.

One more update to this text (this is the 3rd addition to it).
Whilst watching the news on various free-to-air television channels, reading
my email, watching people talk about it, reading headlines on various
websites, I'm laughing to myself, quietly. I see how people talk so ignorantly
and bluntly about such things as if they know what they are talking about,
and they do it without even realising, so bluntly, without being specific at
all: "Love Bug", just another virus, in another day. If so many ignorant
people stopped using operating systems with such control over the hardware
they are connected to, then there would be less of a problem, *cough*
Microsoft Windows *cough*, *cough* Microsoft DOS *cough*. This article argues
that there is sufficient power to bring all x86 Windows 95/98 and MS-DOS based
operating systems and such to their knees, because if what I speak of was put
into effect, then scanning for simple viruses would be an enormous task, which
may even prove impossible, due to the sheer size of the database plus the
time needed to scan for the offending viruses. If such a thing was done, then
I'm sure people would be pushed to the use of operating systems based on
Unix, such as Linux, or if not that, be so afraid that they would not even
dare turn their computers on, for fear of the inevitable.

Greets to all who know me.

[Project Sp00fed]==========================================[threx@attrition.org]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%                                            %
%  Title:  Project Sp00fed                   %
%  Author: Threx                             %
%  Date:   7/16/00                           %
%                                            %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

- Table of Contents -

1.0 Intro
2.0 IPv4
    2.1 IPv4 Packet Layout
    2.2 The Header Fields
3.0 TCP
    3.1 TCP Datagram Layout
    3.2 The Header Fields
    3.3 Explained Code
    3.4 tcpsp00f.c
4.0 UDP
    4.1 UDP Datagram Layout
    4.2 The Header Fields
    4.3 Code
    4.4 udpsp00f.c
5.0 ICMP
    5.1 Echo Reply Message Layout
    5.2 The Fields
    5.3 icmpsp00f.c
6.0 Reference

1.0 Intro
^^^^^^^^^

Well, it's 6:45pm on Sunday and I guess I will start writing my article for
Keen Veracity 10 :).
I have started to learn a lot about how to code spoofed TCP/UDP/ICMP packets
in the past month or so. So, I've decided to write my article on, you've
guessed it, coding spoofed packets. Now, even before reading this article you
should have an understanding of C socket programming and TCP/IP. (NOTE: There
might be misspelled words here and there... well, I guess you're gonna have
to live with it :P.)

2.0 IPv4
^^^^^^^^

IPv4, also known as Internet Protocol version 4, is the most widely used IP
version out there on the net for now. However, soon IPv6 will be the leading
IP version out there, but that is a whole 'nother article for a different
time. But be glad we are using IPv4. Why? Because the source address is just
a field you fill in: nothing in IPv4 authenticates it, so the packets are
easy to spoof :).

2.1 IPv4 Packet Layout
^^^^^^^^^^^^^^^^^^^^^^

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|version|  ihl  |type of service|            length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         identification        |flags|      fragment offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  time to live |    protocol   |        header checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       source ip address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    destination ip address                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    options                    |    padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.2 The Header Fields
^^^^^^^^^^^^^^^^^^^^^

The IP header is used to determine what will happen to the packet. It consists
of 12 fields (counting flags and fragment offset as one):

# version = The IP version number. This will usually be 4 because it is the
  most widely used. Soon it will be 6, the next generation of the internet. I
  highly recommend reading some info on the topic.

# header length (ihl) = The length of the IP header in 32-bit words: 5 when
  there are no options, i.e. 20 bytes. This also covers the options field.

# type of service = This indicates what type of handling this packet gets. The
  first 3 bits are the precedence (routing priority), the next 4 bits are the
  type of service flags.
# length = The total length of the datagram in bytes: the IP header plus
  everything after it (the TCP, UDP or ICMP header and any payload).

# identification = This is a specific value that is used for fragmentation
  (all fragments of one datagram share it). If you are sending made-up
  packets randomly, then disregard this.

# flags & offset = These fields are used to reassemble fragmented packets when
  they reach the destination host.

# time to live = This is simply the hop limit the packet has to live. Each
  time it passes through a router, one is taken away until it reaches 0. Then
  the packet is discarded. The value doesn't depend on whether you are sending
  ICMP, TCP or UDP; it just has to be large enough for the packet to reach the
  target (64 is a common default).

# protocol = This is the type of protocol (ex. TCP, UDP) that follows the IP
  header. Some common protocol numbers are:

  `Taken from /etc/protocols'

  ip      0   IP      # internet protocol, pseudo protocol number
  icmp    1   ICMP    # internet control message protocol
  igmp    2   IGMP    # internet group multicast protocol
  ggp     3   GGP     # gateway-gateway protocol
  tcp     6   TCP     # transmission control protocol
  pup    12   PUP     # PARC universal packet protocol
  udp    17   UDP     # user datagram protocol
  idp    22   IDP     # WhatsThis?
  raw   255   RAW     # RAW IP interface

# header checksum = This checksum covers the IP header only. In the code it is
  set to 0 because the Linux kernel computes it for you when you send through
  a raw socket with IP_HDRINCL set. (The kernel does not do the same for the
  TCP or UDP checksum; those are yours to compute.)

# source ip address = This is a 32 bit field containing the source address.
  This is the field you change to spoof a packet; nothing checks it.

# destination ip address = This is a 32 bit field containing the destination
  address.

# options = This field is optional. These are additional options to the IP
  header.

# data = This is another optional field. Here is where you put the payload to
  be sent with the IP header.

3.0 TCP
^^^^^^^

Transmission Control Protocol, TCP, is probably the most widely used protocol
out there. But with popularity comes problems. TCP is the hardest protocol
type to spoof, I believe. But again, it all depends what you want to do. If
you want to make a SYN flooder, then it is very easy.
However, if you want to make a full TCP connection, then you have to know the
sequence number the host you are trying to imitate would see in the SYN/ACK,
which is sent to the spoofed address, not to you.

3.1 TCP Datagram Layout
^^^^^^^^^^^^^^^^^^^^^^^

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          source port          |       destination port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        sequence number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     acknowledgment number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  data |           |U|A|P|R|S|F|                               |
| offset| reserved  |R|C|S|S|Y|I|          window size          |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         tcp checksum          |        urgent pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   options (optional field)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     data (optional field)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.2 The Header Fields
^^^^^^^^^^^^^^^^^^^^^

The TCP header is used to send a TCP segment (duh). It consists of the
following fields:

# source port = A value indicating the port number the packet is coming from.

# destination port = A field indicating the port number the packet is being
  sent to.

# sequence number = A field keeping the TCP segments in order. This is the
  reason why it is so hard to spoof a whole TCP connection: to finish the
  3-way handshake you have to acknowledge the other side's initial sequence
  number, which it sent to the spoofed address, not to you. For a lone SYN
  any value will do.

# acknowledgment number = The next sequence number the sender expects to
  receive from the other side (the last sequence number received plus one).
  Only meaningful when the ACK flag is set.

# header information = The data offset (header length in 32-bit words, 5 when
  there are no options), some reserved bits, and the flags:

    URG flag = URGENT. The urgent pointer field is significant.
    ACK flag = The acknowledgment number is significant.
    PSH flag = The data will be pushed through to the application immediately.
    RST flag = Reset the connection.
    SYN flag = Synchronize sequence numbers (the first packet of a connection).
    FIN flag = This is the final data sent from the sender.

# window size = A field specifying the number of bytes the sender of this
  segment is willing to accept before an acknowledgment (ACK) is required.

# tcp checksum = A checksum over a pseudo-header (source and destination IP,
  protocol, TCP length), the TCP header and the payload, if any.
# urgent pointer = Only used when the urgent flag (URG) is set. It is an
  offset from the sequence number pointing at the end of the urgent data.

# options = This field is optional. It is mostly used if you want to add more
  parameters (MSS, window scaling and the like).

# data = This field is optional. If any payload is added, this is where it
  will go.

3.3 Code
^^^^^^^^

Well, finally here is the code. Now let us analyze this shit a little bit.

Here are the needed header files in order to spoof packets. We don't use
netinet/ip.h or netinet/tcp.h in this code. Those header files would make it
a lot more portable. However, it's more work. So I've decided to use
linux/ip.h and linux/tcp.h. This makes it very limited to the Linux operating
system. But I decided that's what I use mostly, so tough luck if you don't.

===[ snip ]============================================

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/ip.h>
#include <linux/tcp.h>

===[ unsnip ]==========================================

Here I have defined some shit.. It's just a lot easier this way :). Here I
define the source ip, the ip address the packet claims to come from, and the
destination ip, the ip address the packet is being sent to. I also define the
source port and the destination port. Here the packet is coming from port 1111
and being sent to port 25, smtp.

===[ snip ]============================================

#define error -1
#define srcip "255.255.255.255"
#define dstip "127.0.0.1"
#define sport 1111
#define dport 25

===[ unsnip ]==========================================

It all comes together here. We declare a pointer to the ip header structure
from linux/ip.h, and likewise one to the tcp header. Then we declare the
packet, which is simply a buffer the size of the ip and tcp headers together.
Now we declare the target, the destination ip address. Then, to be able to put
the source ip and destination ip in the ip header, we declare saddr and daddr.
We then declare sock and on. 'sock' is used to open a socket and set the
socket options.
'on' is used for setting socket options.

===[ snip ]============================================

int main(void)
{
    struct iphdr *iphdr;
    struct tcphdr *tcp;
    u_char packet[sizeof(struct iphdr) + sizeof(struct tcphdr)];
    struct sockaddr_in target;
    struct in_addr saddr, daddr;
    int sock, on = 1;

===[ unsnip ]==========================================

Here we open a socket. We have to provide a domain, which is AF_INET, the type
of socket, which is a raw socket, and the protocol, which is IPPROTO_RAW. We
also have error checking. You should always have it. It's very useful. (Raw
sockets need root, so run this as root or the socket() call fails with
EPERM.)

===[ snip ]============================================

    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == error) {
        printf("socket error\n");
        exit(1);
    }

===[ unsnip ]==========================================

Now we set the socket options, setsockopt. We use the option IP_HDRINCL. This
tells the kernel that we supply our own ip header. If you don't have this
option on your system, then you can't spoof packets :(.

===[ snip ]============================================

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == error) {
        printf("setsockopt error\n");
        exit(1);
    }

===[ unsnip ]==========================================

Here we point the ip and tcp header structures at the packet buffer, the tcp
header right after the ip header. Then we zero them out.

===[ snip ]============================================

    iphdr = (struct iphdr *)packet;
    tcp = (struct tcphdr *)(packet + sizeof(struct iphdr));
    memset((char *)iphdr, '\0', sizeof(struct iphdr));
    memset((char *)tcp, '\0', sizeof(struct tcphdr));

===[ unsnip ]==========================================

Now we make saddr.s_addr equal to the srcip defined earlier in the code. And I
do the same for the destination ip address.

===[ snip ]============================================

    saddr.s_addr = inet_addr(srcip);
    daddr.s_addr = inet_addr(dstip);

===[ unsnip ]==========================================

Finally we get to the good part, creating the packet. This is mainly
self-explanatory.
Look at 3.2 The Header Fields for an explanation of each field.

===[ snip ]============================================

    iphdr->ihl = 5;
    iphdr->version = 4;
    iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
    iphdr->id = htons(1234);
    iphdr->ttl = 250;
    iphdr->protocol = 6;
    iphdr->saddr = saddr.s_addr;
    iphdr->daddr = daddr.s_addr;
    iphdr->check = 0;

    tcp->source = htons(sport);
    tcp->dest = htons(dport);
    tcp->seq = htonl(rand());
    tcp->ack_seq = htonl(rand());
    tcp->res1 = 0;
    tcp->doff = 5;
    tcp->window = htons(4343);
    tcp->syn = 1;

===[ unsnip ]==========================================

Two notes on the checksums. iphdr->check can stay 0: with IP_HDRINCL the Linux
kernel recomputes the ip header checksum (and fills in tot_len) before the
packet leaves. It does NOT do that for the tcp checksum; tcp->check is still
0 after the memset, and a SYN with a bad tcp checksum is silently dropped by
the receiving stack. So before sending, you have to compute it yourself over
the pseudo-header (saddr, daddr, protocol, tcp length) and the tcp header and
store it in tcp->check.

First we zero out our target. Then we define our sin family, port, and
address.

===[ snip ]============================================

    memset(&target, '\0', sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(dport);
    target.sin_addr = daddr;

===[ unsnip ]==========================================

Now we finally get to send the packet. So we simply use the sendto() function
to send it out.

===[ snip ]============================================

    printf("sending packet: ");
    if (sendto(sock, packet, sizeof(packet), 0,
               (struct sockaddr *)&target, sizeof(target)) != sizeof(packet)) {
        printf("packet wasn't sent\n");
        exit(1);
    } else {
        printf("packet sent\n");
    }
    exit(0);
}

===[ unsnip ]==========================================

3.4 tcpsp00f.c
^^^^^^^^^^^^^^

===[ cut here ]===============================================
/* tcpsp00f.c for "Project Sp00fed" by Threx                          */
/* compile: gcc -o tcpsp00f tcpsp00f.c                                 */
/* this code will send a spoofed SYN packet to port 25 (smtp) on the   */
/* 127.0.0.1 host.  Needs root (raw socket).                           */

/* needed header files */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/ip.h>     /* instead of using netinet/ip.h we use linux/ip.h */
#include <linux/tcp.h>    /* so this will only work on linux */

/* define the constants */
#define error -1
#define srcip "255.255.255.255"  /* source address (spoofed) */
#define dstip "127.0.0.1"        /* destination address */
#define sport 1111               /* source port */
#define dport 25                 /* destination port(smtp) */

/* tcp checksum: ones-complement sum of the pseudo-header (saddr, daddr,
 * zero, protocol, tcp length) and the tcp header.  The kernel fills in
 * the ip checksum for us, but not this one.  len must be even (it is 20
 * here: a header with no options and no payload).  Summing the 16-bit
 * words in memory order gives a result already in network byte order. */
unsigned short tcp_cksum(struct iphdr *ip, struct tcphdr *th, int len)
{
    unsigned long sum = 0;
    unsigned short pseudo[6];
    unsigned short *w = (unsigned short *)th;
    int i;

    memcpy(pseudo, &ip->saddr, 4);
    memcpy(pseudo + 2, &ip->daddr, 4);
    pseudo[4] = htons(IPPROTO_TCP);
    pseudo[5] = htons(len);
    for (i = 0; i < 6; i++)
        sum += pseudo[i];
    for (i = 0; i < len / 2; i++)
        sum += w[i];
    while (sum >> 16)                    /* fold the carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (unsigned short)~sum;
}

int main(void)
{
    struct iphdr *iphdr;
    struct tcphdr *tcp;
    u_char packet[sizeof(struct iphdr) + sizeof(struct tcphdr)];
    struct sockaddr_in target;
    struct in_addr saddr, daddr;
    int sock, on = 1;

    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == error) {
        printf("socket error\n");
        exit(1);
    }

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == error) {
        printf("setsockopt error\n");
        exit(1);
    }

    iphdr = (struct iphdr *)packet;
    tcp = (struct tcphdr *)(packet + sizeof(struct iphdr));
    memset((char *)iphdr, '\0', sizeof(struct iphdr));
    memset((char *)tcp, '\0', sizeof(struct tcphdr));

    saddr.s_addr = inet_addr(srcip);
    daddr.s_addr = inet_addr(dstip);

    /* let's build a packet */
    iphdr->ihl = 5;
    iphdr->version = 4;              /* this will always be 4 */
    iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
    iphdr->id = htons(1234);
    iphdr->ttl = 250;                /* hops the packet will survive */
    iphdr->protocol = 6;             /* tcp */
    iphdr->saddr = saddr.s_addr;     /* source address */
    iphdr->daddr = daddr.s_addr;     /* destination address */
    iphdr->check = 0;                /* the kernel fills this in */

    tcp->source = htons(sport);      /* source port */
    tcp->dest = htons(dport);        /* destination port */
    tcp->seq = htonl(rand());
    tcp->ack_seq = htonl(rand());
    tcp->res1 = 0;
    tcp->doff = 5;
    tcp->window = htons(4343);       /* window size */
    tcp->syn = 1;                    /* let's send a syn flag */
    tcp->check = 0;                  /* must be 0 while computing */
    tcp->check = tcp_cksum(iphdr, tcp, sizeof(struct tcphdr));

    memset(&target, '\0', sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(dport);
    target.sin_addr = daddr;

    /* now let's send this packet */
    printf("sending packet: ");
    if (sendto(sock, packet, sizeof(packet), 0,
               (struct sockaddr *)&target, sizeof(target)) != sizeof(packet)) {
        printf("packet wasn't sent\n");
        exit(1);
    } else {
        printf("packet sent\n");
    }
    exit(0);
}
===[ done ]===================================================

4.0 UDP
^^^^^^^

UDP, also known as User Datagram Protocol, is a connectionless protocol. This
is great if you want to spoof UDP packets. The reason being is that it doesn't
make a connection to the host, so there is no handshake and no sequence number
to guess. It just sends out the packets; however, it's unreliable :(.

4.1 UDP Datagram Layout
^^^^^^^^^^^^^^^^^^^^^^^

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          source port          |       destination port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            length             |           checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4.2 The Header Fields
^^^^^^^^^^^^^^^^^^^^^

Here are the 5 fields that need to be filled in order to send a UDP packet
and also spoof it.

# source port = This field is optional, but fun to play with. This field is
  the port the information is coming from.

# destination port = This field tells what port you are sending the UDP
  packet to.

# length = The field specifying the number of bytes in the UDP datagram: the
  8-byte UDP header plus the data, not including the IP header.

# checksum = A checksum over a pseudo-header, the UDP header and the data.
  For UDP over IPv4 it is optional: a value of 0 means "no checksum" and the
  receiver accepts the packet without checking.

# data = This is the data that will be sent to a UDP port.

4.3 Code
^^^^^^^^

This code will send a spoofed UDP packet from 255.255.255.255 port 1111 to
127.0.0.1 port 137 (netbios-ns). Since we discussed a lot about the TCP code
I will just explain a few things.

Here we use the linux/udp.h header file because we are now sending UDP
packets.

===[ snip ]============================================

#include <linux/udp.h>

===[ unsnip ]==========================================

Now we have to declare the udphdr pointer and add 'data', the size of the
segment that will be sent, to the packet buffer.
===[ snip ]============================================

int main(void)
{
    struct iphdr *iphdr;
    struct udphdr *udphdr;
    u_char packet[sizeof(struct iphdr) + sizeof(struct udphdr) + data];
    struct sockaddr_in target;
    struct in_addr saddr, daddr;
    int sock, on = 1;

===[ unsnip ]==========================================

Now we have to point udphdr at its place in the packet, right after the ip
header. Then we zero out the ip header and fill the data segment.

===[ snip ]============================================

    iphdr = (struct iphdr *)packet;
    udphdr = (struct udphdr *)(packet + sizeof(struct iphdr));
    memset((char *)iphdr, '\0', sizeof(struct iphdr));
    memset(packet + sizeof(struct iphdr) + sizeof(struct udphdr), '0', data);

===[ unsnip ]==========================================

4.4 udpsp00f.c
^^^^^^^^^^^^^^

===[ cut here ]===============================================
/* udpsp00f.c for "Project Sp00fed" by Threx                          */
/* compile: gcc -o udpsp00f udpsp00f.c                                 */
/* sends a spoofed udp packet from 255.255.255.255:1111 to             */
/* 127.0.0.1:137 (netbios-ns) with 69 bytes of data.  Needs root.      */

/* needed header files */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/ip.h>     /* instead of using netinet/ip.h we use linux/ip.h */
#include <linux/udp.h>    /* so this will only work on linux */

/* define the constants */
#define error -1
#define srcip "255.255.255.255"  /* source address (spoofed) */
#define dstip "127.0.0.1"        /* destination address */
#define sport 1111               /* source port */
#define dport 137                /* destination port(netbios-ns) */
#define data 69                  /* size of the data segment that will be sent */

int main(void)
{
    struct iphdr *iphdr;
    struct udphdr *udphdr;
    u_char packet[sizeof(struct iphdr) + sizeof(struct udphdr) + data];
    struct sockaddr_in target;
    struct in_addr saddr, daddr;
    int sock, on = 1;

    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == error) {
        printf("socket error\n");
        exit(1);
    }

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == error) {
        printf("setsockopt error\n");
        exit(1);
    }

    iphdr = (struct iphdr *)packet;
    udphdr = (struct udphdr *)(packet + sizeof(struct iphdr));
    memset((char *)iphdr, '\0', sizeof(struct iphdr));
    /* fill the payload with ASCII '0' bytes */
    memset(packet + sizeof(struct iphdr) + sizeof(struct udphdr), '0', data);

    saddr.s_addr = inet_addr(srcip);
    daddr.s_addr = inet_addr(dstip);

    /* let's build a packet */
    iphdr->ihl = 5;
    iphdr->version = 4;              /* this will always be 4 */
    iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + data;
    iphdr->id = htons(1234);
    iphdr->ttl = 250;                /* hops the packet will survive */
    iphdr->protocol = 17;            /* udp */
    iphdr->saddr = saddr.s_addr;     /* source address */
    iphdr->daddr = daddr.s_addr;     /* destination address */
    iphdr->check = 0;                /* the kernel fills this in */

    udphdr->source = htons(sport);   /* source port */
    udphdr->dest = htons(dport);     /* destination port */
    /* udp length covers the udp header and data only, not the ip header,
       and goes on the wire in network byte order */
    udphdr->len = htons(sizeof(struct udphdr) + data);
    /* for udp over ipv4 a checksum of 0 means "none", so unlike tcp the
       packet is accepted without one */
    udphdr->check = 0;

    memset(&target, '\0', sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(dport);
    target.sin_addr = daddr;

    /* now let's send this packet */
    printf("sending packet: ");
    if (sendto(sock, packet, sizeof(packet), 0,
               (struct sockaddr *)&target, sizeof(target)) != sizeof(packet)) {
        printf("packet wasn't sent\n");
        exit(1);
    } else {
        printf("packet sent\n");
    }
    exit(0);
}
===[ done ]===================================================

5.0 ICMP
^^^^^^^^

ICMP, Internet Control Message Protocol, carries error and control messages
for IP. For example, whenever you get some kind of error message, Host
Unreachable or Port Unreachable, you can be sure ICMP had its part in it.

(NOTE: Creating ICMP packets is a little harder than TCP and UDP. So, I've
decided to just create a simple echo reply message. However, there are many
other error messages that can be created... Please refer to the reference
section for more information.)
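Before moving on to ICMP, one check worth keeping next to the tcpsp00f.c and
udpsp00f.c listings above: the checksum arithmetic itself. This is an added
example, not part of Threx's article. With IP_HDRINCL the Linux kernel
recomputes the ip header checksum for you, but the tcp/udp checksum is yours,
and a receiver drops a segment whose checksum is wrong, so it pays to be able
to verify the arithmetic offline. The code below is a stand-alone,
self-checking version of it: the RFC 1071 ones-complement sum (which is also
the ICMP checksum, taken over the ICMP header plus data), the pseudo-header
form for TCP and UDP, and the UDP rule that a computed 0 goes on the wire as
0xffff. It works byte-wise, so the results do not depend on host byte order.
The sample headers inside it are constructed for this example: an ip header
192.168.0.1 to 192.168.0.199 with protocol 17, an ICMP echo reply header, and
a tcp SYN using the article's ports 1111 and 25. The function names
(ip_cksum, transport_cksum, udp_cksum and the sample_* helpers) are this
example's own, not from the article.

```c
/* Added example: checksum helpers for raw-socket packet builders like the
 * tcpsp00f.c / udpsp00f.c listings.  Not part of the original article.
 * Sums big-endian 16-bit words byte by byte, so results are independent
 * of host byte order; store them in a header with htons(). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Add the 16-bit big-endian words of p[0..n) to sum; an odd trailing
 * byte is padded with a zero low byte, as RFC 1071 specifies. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1)
        sum += (uint32_t)p[n - 1] << 8;
    return sum;
}

/* Fold the carries back in (end-around carry) and complement. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IP header checksum (also the ICMP checksum over header + data).  Call
 * with the checksum field zeroed.  Calling it again on a header that
 * already carries a correct checksum returns 0: that is the receiver's
 * verification step. */
uint16_t ip_cksum(const uint8_t *hdr, size_t len)
{
    return csum_fold(csum_add(0, hdr, len));
}

/* TCP/UDP checksum: 12-byte pseudo-header (src, dst, 0, proto, length)
 * followed by the transport header and payload.  saddr/daddr are in
 * network order, exactly as they sit in the IP header. */
uint16_t transport_cksum(uint32_t saddr, uint32_t daddr, uint8_t proto,
                         const uint8_t *seg, size_t seglen)
{
    uint8_t pseudo[12];
    uint32_t sum;
    memcpy(pseudo, &saddr, 4);
    memcpy(pseudo + 4, &daddr, 4);
    pseudo[8] = 0;
    pseudo[9] = proto;
    pseudo[10] = (uint8_t)(seglen >> 8);
    pseudo[11] = (uint8_t)(seglen & 0xff);
    sum = csum_add(0, pseudo, sizeof pseudo);
    sum = csum_add(sum, seg, seglen);
    return csum_fold(sum);
}

/* UDP over IPv4: 0 on the wire means "no checksum", so a computed 0 is
 * transmitted as 0xffff (RFC 768). */
uint16_t udp_cksum(uint32_t saddr, uint32_t daddr,
                   const uint8_t *seg, size_t seglen)
{
    uint16_t c = transport_cksum(saddr, daddr, 17, seg, seglen);
    return c ? c : 0xffff;
}

/* Constructed sample IPv4 header: 192.168.0.1 -> 192.168.0.199, proto 17,
 * total length 0x73, checksum field zeroed.  Expected checksum 0xb861. */
static const uint8_t sample_iphdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01,
    0xc0, 0xa8, 0x00, 0xc7
};

uint16_t sample_ip_cksum(void)
{
    return ip_cksum(sample_iphdr, sizeof sample_iphdr);
}

/* Receiver-side check: with the checksum stored, the sum folds to 0. */
uint16_t sample_ip_verify(void)
{
    uint8_t h[sizeof sample_iphdr];
    uint16_t c = sample_ip_cksum();
    memcpy(h, sample_iphdr, sizeof h);
    h[10] = (uint8_t)(c >> 8);
    h[11] = (uint8_t)(c & 0xff);
    return ip_cksum(h, sizeof h);
}

/* Constructed ICMP echo reply header: type 0, code 0, id 0x1234, seq 1,
 * no data.  Expected checksum 0xedca. */
uint16_t sample_icmp_cksum(void)
{
    static const uint8_t icmp[8] = { 0, 0, 0, 0, 0x12, 0x34, 0, 1 };
    return ip_cksum(icmp, sizeof icmp);
}

/* Constructed TCP SYN 127.0.0.1:1111 -> 127.0.0.1:25, doff 5, window 4343
 * (the values tcpsp00f.c uses): compute, store, then re-verify.  Returns 1
 * when the stored checksum verifies to 0. */
int tcp_cksum_roundtrip(void)
{
    uint8_t seg[20] = { 0 };
    uint32_t src = htonl(0x7f000001u), dst = htonl(0x7f000001u);
    uint16_t c;
    seg[0] = 0x04; seg[1] = 0x57;        /* source port 1111 */
    seg[2] = 0x00; seg[3] = 0x19;        /* destination port 25 */
    seg[12] = 0x50;                      /* data offset 5 */
    seg[13] = 0x02;                      /* SYN */
    seg[14] = 0x10; seg[15] = 0xf7;      /* window 4343 */
    c = transport_cksum(src, dst, 6, seg, sizeof seg);
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)(c & 0xff);
    return transport_cksum(src, dst, 6, seg, sizeof seg) == 0;
}
```

To use this with the listings, compute transport_cksum() over the tcp header
(and payload, if any) after every other field is set and while tcp->check is
0, then store htons() of the result; the roundtrip function is the same check
a receiving stack performs, which is why a segment with tcp->check left at 0
never makes it to the listening socket.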
5.1 Echo Reply Message Layout
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

      ----------------------------------------------
     |  type  |  code  |         checksum           |
     |----------------------------------------------|
     |      identifier     |    sequence number     |
     |----------------------------------------------|
     |                     data                     |
      ----------------------------------------------

5.2 The Fields
^^^^^^^^^^^^^^

There are six fields that must be filled in to send out an error message with ICMP.

# type = This is the message type for the error message. Some examples are 0 = echo reply and 8 = echo request. Here they are from the ICMP header file.

`Taken from /usr/include/linux/icmp.h'

#define ICMP_ECHOREPLY       0   /* Echo Reply */
#define ICMP_DEST_UNREACH    3   /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH   4   /* Source Quench */
#define ICMP_REDIRECT        5   /* Redirect (change route) */
#define ICMP_ECHO            8   /* Echo Request */
#define ICMP_TIME_EXCEEDED   11  /* Time Exceeded */
#define ICMP_PARAMETERPROB   12  /* Parameter Problem */
#define ICMP_TIMESTAMP       13  /* Timestamp Request */
#define ICMP_TIMESTAMPREPLY  14  /* Timestamp Reply */
#define ICMP_INFO_REQUEST    15  /* Information Request */
#define ICMP_INFO_REPLY      16  /* Information Reply */
#define ICMP_ADDRESS         17  /* Address Mask Request */
#define ICMP_ADDRESSREPLY    18  /* Address Mask Reply */
#define NR_ICMP_TYPES        18

# code = These are the codes for unreachable hosts or ports, time exceeded, or for redirecting nets or hosts. Here are all the codes from the ICMP header file.

`Taken from /usr/include/linux/icmp.h'

/* Codes for UNREACH. */
#define ICMP_NET_UNREACH     0   /* Network Unreachable */
#define ICMP_HOST_UNREACH    1   /* Host Unreachable */
#define ICMP_PROT_UNREACH    2   /* Protocol Unreachable */
#define ICMP_PORT_UNREACH    3   /* Port Unreachable */
#define ICMP_FRAG_NEEDED     4   /* Fragmentation Needed/DF set */
#define ICMP_SR_FAILED       5   /* Source Route failed */
#define ICMP_NET_UNKNOWN     6
#define ICMP_HOST_UNKNOWN    7
#define ICMP_HOST_ISOLATED   8
#define ICMP_NET_ANO         9
#define ICMP_HOST_ANO        10
#define ICMP_NET_UNR_TOS     11
#define ICMP_HOST_UNR_TOS    12
#define ICMP_PKT_FILTERED    13  /* Packet filtered */
#define ICMP_PREC_VIOLATION  14  /* Precedence violation */
#define ICMP_PREC_CUTOFF     15  /* Precedence cut off */
#define NR_ICMP_UNREACH      15  /* instead of hardcoding immediate values */

/* Codes for REDIRECT. */
#define ICMP_REDIR_NET       0   /* Redirect Net */
#define ICMP_REDIR_HOST      1   /* Redirect Host */
#define ICMP_REDIR_NETTOS    2   /* Redirect Net for TOS */
#define ICMP_REDIR_HOSTTOS   3   /* Redirect Host for TOS */

/* Codes for TIME_EXCEEDED. */
#define ICMP_EXC_TTL         0   /* TTL count exceeded */
#define ICMP_EXC_FRAGTIME    1   /* Fragment Reass time exceeded */

# checksum = This is the checksum for the ICMP packet. It is computed just like the IP checksum.

# identifier = This field's value is used for echo replies and requests.

# sequence number = This identifies the sequence of the echo messages. It is used when more than one is sent.

# data = This is the echo message's data, which will be received by the sender of the echo request.

5.3 icmpsp00f.c
^^^^^^^^^^^^^^^

Well, since I have explained tcpsp00f.c and udpsp00f.c, this next code, icmpsp00f.c, should come as no surprise to you. This will send a simple echo reply with a port unreachable code from 255.255.255.255 to 127.0.0.1.
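Before the listing, here is the receiving side of the header layout just described, as an added example that is not part of Threx's article. It is a Python decoder for an IPv4 packet carrying ICMP (and, going a step beyond this section, UDP): it verifies the IP and ICMP checksums the same way a receiving stack does, checks the UDP length field, and flags what a spoofed packet like the ones the listings produce gets wrong (an impossible source address, an echo message carrying a non-zero code, a UDP length that counts the IP header in). The sample packets are constructed inside the block; the function names and indicator strings are assumptions.

```python
import socket
import struct

# Type numbers from the linux/icmp.h excerpt above
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8
IMPOSSIBLE_SOURCES = {"255.255.255.255", "0.0.0.0"}


def inet_checksum(data):
    """RFC 1071 one's-complement sum, used by both the IPv4 header and ICMP.
    Over a block whose checksum field is already filled in it returns 0
    exactly when that checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt):
    """Decode an IPv4 header plus its ICMP or UDP payload into a dict.
    Raises ValueError on anything a receiving kernel would drop outright."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, tot_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ihl < 20 or tot_len < ihl + 8 or tot_len > len(pkt):
        raise ValueError("bad IPv4 length fields")
    msg = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
           "proto": proto, "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0}
    body = pkt[ihl:tot_len]
    if proto == 1:                                   # ICMP
        msg["type"], msg["code"], _, msg["id"], msg["seq"] = struct.unpack("!BBHHH", body[:8])
        msg["data"] = body[8:]
        msg["icmp_checksum_ok"] = inet_checksum(body) == 0
    elif proto == 17:                                # UDP
        msg["sport"], msg["dport"], msg["udp_len"], _ = struct.unpack("!HHHH", body[:8])
        msg["data"] = body[8:]
        msg["udp_len_ok"] = msg["udp_len"] == len(body)
    else:
        raise ValueError("unsupported protocol %d" % proto)
    return msg


def spoof_indicators(msg):
    """Cheap sanity checks a packet filter or IDS would apply to a decoded message."""
    flags = []
    if msg["src"] in IMPOSSIBLE_SOURCES:
        flags.append("impossible source address")
    if not msg["ip_checksum_ok"]:
        flags.append("bad IP header checksum")
    if msg["proto"] == 1:
        if msg["type"] in (ICMP_ECHOREPLY, ICMP_ECHO) and msg["code"] != 0:
            flags.append("echo message with non-zero code")
        if not msg["icmp_checksum_ok"]:
            flags.append("bad ICMP checksum")
    elif not msg["udp_len_ok"]:
        flags.append("UDP length field does not match IP total length")
    return flags


def _ipv4_header(src, dst, proto, payload_len):
    """Constructed IPv4 header with ttl 250 and id 1234 like the listings."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1234, 0, 250, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_sample(src, dst, itype, icode, data=b"", good_checksum=True):
    """Constructed test packet (not captured traffic): IPv4 + 8-byte ICMP echo header."""
    icmp = struct.pack("!BBHHH", itype, icode, 0, 1, 1) + data
    if good_checksum:
        icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return _ipv4_header(src, dst, 1, len(icmp)) + icmp


def build_udp_sample(src, dst, sport, dport, data, udp_len=None):
    """Constructed UDP test packet; udp_len overrides the length field, e.g. to
    mimic the listing's bug of counting the IP header in."""
    length = 8 + len(data) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, length, 0) + data
    return _ipv4_header(src, dst, 17, len(udp)) + udp


if __name__ == "__main__":
    for pkt in (build_icmp_sample("255.255.255.255", "127.0.0.1", ICMP_ECHOREPLY, 3),
                build_udp_sample("255.255.255.255", "127.0.0.1", 1111, 137, b"0" * 69, udp_len=97)):
        msg = parse_ipv4(pkt)
        print(msg["src"], "->", msg["dst"], "proto", msg["proto"], spoof_indicators(msg))
```

The checksum verification relies on a property of the one's-complement sum: run over a block that already contains its correct checksum, it folds to 0xFFFF and the complement is zero, so a decoder never has to zero the field and recompute.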
===[ cut here ]===============================================
/* icmpsp00f.c for "Project Sp00fed" by Threx */
/* compile: gcc -o icmpsp00f icmpsp00f.c */

/* needed header files */
/* (the header names were lost when this issue was archived; these are the
   ones the code below needs) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* instead of using netinet/ip.h we use linux/ip.h */
#include <linux/ip.h>            /* so this will only work on linux */
#include <linux/icmp.h>

/* define the constants */
#define error -1
#define srcip "255.255.255.255"  /* source address */
#define dstip "127.0.0.1"        /* destination address */
#define dabuf (sizeof(struct icmphdr) + sizeof(struct iphdr))

/* One's-complement checksum over the ICMP message (see 5.2). The original
   left the field at 0; the kernel does not compute it for a raw socket, and
   a receiver discards an ICMP message whose checksum does not verify. */
static unsigned short in_cksum(const void *buf, int len)
{
    const unsigned short *w = buf;
    unsigned long sum = 0;

    while (len > 1) {
        sum += *w++;
        len -= 2;
    }
    if (len == 1)
        sum += *(const unsigned char *)w;
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return (unsigned short)~sum;
}

int main(void)
{
    struct iphdr *iphdr;
    struct icmphdr *icmphdr;
    u_char buff[dabuf];
    struct sockaddr_in target;
    struct in_addr saddr, daddr;
    int sock, on = 1;

    if ((sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == error) {
        printf("socket error\n");
        exit(1);
    }
    if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on)) == error) {
        printf("setsockopt error\n");
        exit(1);
    }

    iphdr = (struct iphdr *)buff;
    icmphdr = (struct icmphdr *)(buff + sizeof(struct iphdr));
    memset((char *)iphdr,'\0',sizeof(struct iphdr));
    memset((char *)icmphdr,'\0',sizeof(struct icmphdr));

    saddr.s_addr = inet_addr(srcip);
    daddr.s_addr = inet_addr(dstip);

    /* let's build a packet */
    iphdr->ihl = 5;
    iphdr->version = 4;                 /* this will always be 4 */
    iphdr->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
    iphdr->id = htons(1234);
    iphdr->ttl = 250;                   /* a length of time the packet will survive */
    iphdr->protocol = 1;                /* ICMP */
    iphdr->saddr = saddr.s_addr;        /* source address */
    iphdr->daddr = daddr.s_addr;        /* destination address */
    iphdr->check = 0;                   /* the kernel fills in the IP checksum */

    icmphdr->type = 0;                  /* this is an echo reply */
    icmphdr->code = 3;                  /* this code means the port wasn't reached */
    /* id and sequence are 16-bit fields, so htons rather than htonl */
    icmphdr->un.echo.sequence = htons(rand() & 0xffff);
    icmphdr->un.echo.id = htons(rand() & 0xffff);
    icmphdr->checksum = 0;
    icmphdr->checksum = in_cksum(icmphdr, sizeof(struct icmphdr));

    /* the original left target zeroed, so sendto() had no address family */
    memset(&target,'\0',sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr = daddr;

    /* now let's send this packet (the original wrapped this in while (1),
       which made the exit(0) below unreachable; the text describes one reply) */
    printf("sending packet: ");
    if (sendto(sock,(char *)buff,sizeof(buff),0x0,(struct sockaddr *)&target,
               sizeof(target)) != sizeof(buff)) {
        printf("packet wasn't sent\n");
        exit(1);
    } else {
        printf("packet sent\n");
    }
    exit(0);
}
===[ done ]===================================================

6.0 Reference
^^^^^^^^^^^^^

Socket Programming:
  http://www.ecst.csuchico.edu/~beej/guide/net/

IPv4:
  rfc791  = Internet Protocol
  rfc1349 = Type of Service in the Internet Protocol Suite

TCP:
  rfc793  = Transmission Control Protocol
  rfc1323 = TCP Extensions for High Performance

UDP:
  rfc768  = User Datagram Protocol

ICMP:
  rfc792  = Internet Control Message Protocol
  rfc1256 = ICMP Router Discovery Messages
  rfc1788 = ICMP Domain Name Messages

[KV10's 30 Second Useful Script]=================================[Digital Ebola]

Looking at open Windows shares? Tired of typing all that Samba crap? Or maybe you just can't remember how to type Samba stuff? Well, this issue's 30 second script may be just for you. You need to have the Samba tools installed, and a program called NBTscan. In case you have never heard of either, Samba is a set of utilities that allows you to view and mount Windows shares. It could be one of the best pieces of reverse engineering that has ever come from the Linux community. NBTscan is a binary that will query the NetBIOS of a Windows machine and obtain its NetBIOS name, MAC address, and the login name of the current user. Both Samba and NBTscan can be obtained at http://www.freshmeat.net.
#!/bin/bash
# WINCHECK: query a host's NetBIOS names, list its shares, then mount one.
# Requires nbtscan and the Samba tools.
echo ------------------------------------------------------------------------
echo WINCHECK 1.0 by Digital Ebola -digi@legions.org-
echo ------------------------------------------------------------------------
echo
echo
echo Enter IP address:
read -r IP
nbtscan "$IP"
echo
echo Enter NetBIOS name:
read -r NAME
smbclient -L "$NAME" -I "$IP"
echo
echo Enter share to mount:
read -r SHARE
smbmount "//$NAME/$SHARE" /mnt -o "ip=$IP"
echo
echo ------------------------------------------------------------------------

[Booty Con 2000, An Account of the Hackercon Rubicon]===================[sodium]

Prequel:

The MOB had envisioned plans to attend Rubi Con 2000 since the first con had happened in 1999. For a variety of reasons the group was unable to attend the '99 convention, but that just made our drive to reach the con stronger. The initial planning started rolling about 2-3 months before the con was scheduled. The word was spread among the group and interest was sparked. A month before the con was scheduled, members Tophat, sodium, Tradeser, Jouser, and 2ezy were all planning on going, along with other local 513 people. The plan was that sodium would drive his "fly ride" and pick up Tophat and Jouser along the way. Two other local kids, Godlike and Lordsomer, were going to hitch a ride with sodium as well.

About 2 weeks before the con Tophat tried to contact sodium to formalize the plans and found that sodium's telephone had been disconnected (thanks Ma Bell). This caused some waves in our plans. Right about this time as well, 2ezy informed Tophat that he was going to leave his wife, which happened to be the only way that allowed him to remain in the country, and that he was going to hitchhike to Tophat's dorm room where he would live and avoid the INS officers. As a result of this, since he would be leaving his wife (who is a truck driver) he would not have any means to make it to the con (he can't drive). Minus one member.
In order to get in contact with sodium, Tophat had MOB member DJ Ohki leave a note on sodium's apartment door that read, "Call Tophat ASAP 556-####". Tophat, upon receiving the call from sodium, learned that sodium had broken up with his fiancee, who was cheating on him, and that she had moved out. Without her there to give him mad head he sat naked in front of his computer until his telephone was cut off for not paying any bills. He had also pawned his engagement ring to pay the insurance for his "fly ride". Last minute plans were made, usually on the payphone outside of sodium's apartment, for the con. About this time Jouser informed Tophat that he most likely would not be able to attend the con on account of him being scared of us. Another member down.

2:00 AM the NIGHT before the convention, sodium calls and wakes up Tophat and informs him that he only has $0.88 to his name. Tophat, while still more or less asleep, agrees to help pay sodium's way but encourages sodium to get the money "some way". Sodium contemplates knocking off a 24hr liquor store or pawning his computer. Tophat explains to sodium that it would be useless to pawn his computer to go to a computer convention. 7:00 AM the day of the con sodium calls up Tophat and informs him that he had scammed $100 off of his mom's debit card and that he would be right over to pick up the other people to go to the con.

DAY ONE:

Sodium is late picking up Tophat but eventually arrives, and then they drive over to LordSomer's house where he and Dynamis are waiting; they switch cars and gear and start off. The car ride was pretty boring. The car ride is about 6-7 hours and with pretty bland scenery. About 4-5 hours into the trip Dynamis remarks, "I'm glad that I drove up here instead of sodium, I really needed to get some experience on the expressway." Lordsomer, Tophat, and sodium all look at each other. To make matters worse the hotel changed its name two days before the con, without anyone knowing.
So instead of looking for the "Wyndam" hotel, we were supposed to be looking for the "Clariton". We had to have passed by the hotel about 20 times. During the course of us driving past the correct hotel, Dynamis' car started making funny sounds. We pulled over, called AAA, and waited until Snoop Doggy Dogg's long lost twin brother arrived in a tow truck and took our car (he didn't steal it, although we thought that he did after we arrived at the car station before he did). We then found the right hotel and proceeded to check in for the con; after check-in we picked up our car (it had a loose bolt in the right-front tire). We walked back to the hotel and set up in the network room.

At this time we began to realize how much this con would suck. The whole con had about 7 people walking around. Out of the 7 people we noticed a guy dressed in a business suit and sodium was like "Niggaz, that's a fed.". We thought, "well, maybe it's early.. it will get better...." We met up with Tradeser, who had reserved the hotel rooms for us, and went back to the hotel and checked into our rooms. Then back to the con for a corporate-level inspirational talk filled with buzzwords like "revolution", "going past the edge" and "putting books on the shelf". I can't even remember what other talks were given that night; they must have been really interesting, to say the least. The social engineering contest, for which we were a sure win, was canceled because the con organizers couldn't figure out how to set up a PBX. When we got back to the hotel we basically fucked around with the camera and drank.

DAY TWO:

We slept until about noon and then went over to the con. We missed the first two talks of the day but made it in time to catch the "intro to networking and tcp/ip" talk. Sodium is still asleep at this point. This guy's talk basically consisted of reading tcp/ip vocab words off of a PowerPoint projection. We got up and walked out.
TDYC!, a group which was scheduled to give a few talks over the course of the con, never showed up and their talks were canceled. Then we fucked around in the LAN room, waiting for them to get the DHCP/ISDN line up so that we could connect our computers together. The red v. blue hacking contest had been virtually canceled; the blue defense boxes were taken offline. The "hacking contest" ended up being a bunch of kids installing sniffers on the local DHCP network and other people going around to other people's computers and giving themselves root accounts from the console. Then we went off to listen to a talk by one of the con organizers about "Failsafe Computing". After waiting around for about 45 min. we were told that he was still sleeping in his room. After that we went back to the hotel and just fucked around a bunch.

After fucking around for a bit and chilling at the beach-themed bar at the hotel and waking sodium's ass up, we headed back to the con. After wasting about an hour or so phreaking the payphones and getting sniffed in the LAN room, we went to a talk given by Tim Cothers. He gave a talk on the anatomy of an internet attack, which basically consisted of him breaking into an NT box remotely. This was the best talk at the con (Tradeser took notes, hehe).

Later that night there was the 2nd round of hacker jeopardy, or what they called "Win NFF's Shirts". Tophat, Lordsomer, and Tradeser made up the mobsters.net team and went up against 2 other teams made up of various people at the con. We absolutely got wh00ped. The score was something similar to team #1: 21,000 pts., team #2: 7,000 pts., mobsters.net: 0 pts. Apparently team 1 had some crazy smart guy who won round one; the con organizers then purposely made round 2 nearly impossible to try to stump this guy (which, with 21,000 pts., didn't work too well). Then, out of pity for not scoring any points, the mobsters.net team was allowed to advance to the final round, and sodium jumped in for some fun.
We placed second in this, losing by a mere 1,000 pts. or so. This was kind of fun, but overly rowdy, with Lordsomer throwing objects at the guy who was asking questions. During the middle of the game, Rev. George, a team #2 member, told everyone to quiet down. Apparently during the commotion of the game he had lost his cell phone. He borrowed his friend's phone so that he could ring his phone and find out where it was. To little surprise, sodium's coat pocket starts ringing. I mean seriously sodium, you should have taken the battery out. He handed over the phone and we continued the game.

During the course of the whole day, Tradeser's friend had been chilling in the bar over at our hotel and the bar at the hotel where the con was being held. All day she had been drinking and talking to people. Apparently she had told everyone that she met that there would be a party in room 303 (our room), and that everyone was invited. We had absolutely no problem with this and continued to spread the word. Sodium and Tophat headed back to the room for the party (the rest of our crew just wanted to goof around on the 1kps LAN... what party poopers!). We get to our room and find it filled with about 20 guys and 1 girl, Tradeser's friend. (note by sodium: Look, I was going to pimp on this girl hardcore, but this little bitch "Eric Son" was mack'n her ass on the bed. Just cause he can do a Rubik's cube in 2 min doesn't make him a mackdaddy, niggaplease.) Then to make things worse, no one brought any booze. So we start talking to some guy who agrees to go and get a keg and bring it back to the other hotel. So we head back to the other hotel about half an hour later to try and find our keg guy. When we get there we find that he didn't come through. So we find some friends of ours and go on a beer run. All brew was paid for by NFF; wow, what a guy! We head back to the hotel all ready to go and find a party going on in another room.
Sodium and Tophat continued to get drunk and party w/ various people from the con. Sodium and Bobonic are both trying to get on some nasty girl who kept showing everyone her tits while the rest of the room was playing poker and watching lesbian porn. (sodium's note: it was good porn, and we even had a naked chick; btw, she wasn't that nasty.) Sodium heads back to the hotel and en route tries to pick up another skanky girl. (sodium's note: This bitch had it going on, like, ghetto booty) Tophat scams some money off the drunk people there and heads back to the LAN room. The LAN room was dead so he went back to the hotel and ended the night.

DAY THREE:

We woke up late, but realized that all of the talks that we would have missed did not happen. Most people were unplugging all of their shit in the LAN room and packing up their computers to go home. We went to listen in on the debate over which OS sucks least. While we were waiting for it to get started NFF pulled out his cell and started asking the crowd for numbers to prank call. After calling random shit sodium shouts out the phone number of his ex-fiancee. What were you thinking man, how in the world could this end up good? (sodium's note: I was thinking free phone sex, plus I was still drunk) NFF called her up and explained that we were bored and had to kill some time and asked if she had any funny stories about Sodium. NFF would then try to relay whatever she said over the crowd's laughter. She told how Sodium had gotten drunk off of 2 Zimas and then, after only 2 insertions, he fell asleep inside of her in their moment of intimacy, how she supported his broke ass, and how he would sit naked on his beanbag and IRC all day while she worked and cooked. (total bullshit) Then she told how she would have Sodium wear dresses and girl accessories to turn her on. (it was Halloween) Sod was blood red.
To get back at her Sod told a story about how he had made her "baaaaa" like a sheep in the bedroom or something freaky like that. Sod was yelling his story to NFF, who was relaying it to Sod's ex. The crowd was just dying. Then Sodium runs up and grabs the phone and whispers "I'm sorry, I'm at a computer con and they're making me do this.." (I was still wanting some pootang.) After the laughter died down, the crowd said their goodbyes and the debate was started. LordSomer and Sodium took the side of Linux as sucking the least, and while they put up a good fight, Win 9x took the cake (only because these guys had the balls to represent Win 9x at a hacker con). After the debate we grabbed some loot that was lying around the LAN room (we came out with about 20 CDs of software, a Leatherman tool, keys to a payphone, a swappable 1 gig HD and a 120 MB HD, phone books, and a bunch of other stuff). We then got a quick pic with the fed who had been following us around the whole con (viewable on our webpage), and then we headed out to the car. We didn't stay for the closing ceremonies.

The drive home was pretty boring; sodium and Tophat made calls to Jouser and other MOB members to make the ride go faster. This included sodium scaring Jouser so bad he cried to his mommy. That ended our Rubi-Con adventure. The experience was fun, but the con sucked dick. I'll just save my money and check out HOPE or DefCon next time.

Outro:

Yo, this is sodium, ok.. a good side note to this is, the night after the con, my ex-girlfriend came up to my apartment, and tried to tell me that what I did at the con was very immature and stupid. I basically kicked her out on her ass, and told her to go away. And I would also like to state for the record that I am not gay.

-sodium

[Spider DoS]=============================================================[fejed]

Denial of Service Attack Against Remote HTTP Spidering/Mirroring Software
Basically, spidering and mirroring programs request robots.txt to set quotas for transferring files, for example only 2 files per hour or something like that. To perform this Denial of Service attack, you will require one unix based operating system, e.g. OpenBSD, that runs an http daemon which can follow symbolic links. Once you have got your webserver up, you'll need to symbolically link a device that outputs random data (for example, at the time of writing this, I would use /dev/random or an alternative such as /dev/prandom, /dev/urandom, /dev/srandom etc..) to robots.txt in the document root path (the path on the filesystem that the httpd treats as / for requests), which would be accessed as http://yourserver/robots.txt.

Now, there are a few ways to perform this attack, one being to submit your host to a search engine, like Yahoo. When your site is spidered by Yahoo, the computer that is spidering your site will ask for robots.txt. What happens when they ask for robots.txt? The server that is spidering your computer will receive random data until it is unable to handle the amount it has received, due to its lack of endless resources. ;-)

The second way to perform an attack using the set up unix based system would be to have access to a unix based system at a normal user level, not super user, and use a tool such as wget to carry out the denial of service attack on the computer that you are issuing the mirroring from.

I'm sure there are a few other things you could do with this attack, so use your mind and discover as I do.

[File Transfer Protocol Advisory]========================================[fejed]

In writing this advisory I'm assuming you are familiar with the protocol itself a little bit. As standard, all ftp daemons are required to support the "PORT" command. This function of the protocol is used to set up the data transfer ports between the user and the server.
The ftp protocol includes support for files to be transferred to a third party host, to a terminal or printer that may not be able to make use of the file transfer protocol directly. So far I've explained how the PORT command is used properly, to some effect. If you wish to have a deeper insight into the File Transfer Protocol and its syntax then please refer to rfc 959.

Now the problem arises where anyone has the ability to transfer files to a third party host; you may think there is nothing wrong with this at all. Yet you are wrong. Why? Well, easy: by issuing the PORT command I can send files and directory listings to just about any remote server with a tcp port open. If we transfer large amounts of data across high speed networks numerous times simultaneously, we will be creating a Denial of Service attack against any chosen host. I'm not going to include the exact syntax in this article for all you script kiddies out there. There are many possibilities out there that you could use in conjunction with this attack to maximise its effect greatly; those I will not publish because it most likely will go to misuse, even though anyone with half a clue about how the file transfer protocol works would be able to easily see the hazards possible.

I've thought of a fix so everyone doesn't have to engage in a flurry of wasting money and time on clueless idiots that have degrees and what not.. *shut up fejed*. This fix should be included in the next update of the ftp rfc: users connecting to the server side of the protocol should NOT be allowed to issue the PORT command to set up the data transfer to be sent to ports that are listed in /etc/services or something similar, to avoid the potential denial of service attack happening. If you can't implement this fix effective immediately, then I suggest removing anonymous login so that your ftp daemon is not used in conjunction with others to create a DDoS/DoS attack against other hosts.
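The two articles above (the Spider DoS and the FTP advisory) describe attacks that both succeed because software accepts an unbounded or unchecked transfer. As an added example, not fejed's code, here are the corresponding checks on the defending side in Python: a bounded reader for robots.txt that stops at a size cap instead of following an endless stream, and a PORT-command validator that applies the advisory's proposed rule (refuse data connections to ports listed in /etc/services) plus, going beyond the text, the common anti-bounce rule of accepting only the control connection's own address as the data address. The /etc/services excerpt, the 64 KB cap and all names are assumptions.

```python
import io
import os
import re

# Constructed excerpt in /etc/services format (an assumption, not a real file)
SERVICES_SAMPLE = """\
ftp-data   20/tcp
ftp        21/tcp
ssh        22/tcp
telnet     23/tcp
smtp       25/tcp
http       80/tcp
netbios-ns 137/udp   # not tcp, so not part of the tcp set
"""

PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def load_services(text, proto="tcp"):
    """Parse /etc/services-style lines into the set of port numbers for proto."""
    ports = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, p = fields[1].split("/", 1)
        if p == proto and port.isdigit():
            ports.add(int(port))
    return ports


def parse_port_arg(arg):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959) -> ("h1.h2.h3.h4", p1*256 + p2)."""
    m = PORT_ARG.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range")
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def port_command_allowed(peer_ip, arg, reserved_ports):
    """Decide whether to honour a PORT command.  Applies the advisory's rule
    (no data connections to listed service ports) and the anti-bounce rule
    that the data address must be the control connection's peer.
    Returns (allowed, reason)."""
    host, port = parse_port_arg(arg)
    if host != peer_ip:
        return False, "data address %s is not the control peer %s" % (host, peer_ip)
    if port in reserved_ports:
        return False, "port %d is a listed service port" % port
    return True, "ok"


class EndlessStream:
    """Constructed stand-in for a robots.txt symlinked to /dev/urandom:
    read() never reports EOF."""
    def read(self, n=-1):
        return os.urandom(n if n > 0 else 4096)


def read_bounded(stream, max_bytes, chunk=4096):
    """Read at most max_bytes from a file-like object.  Returns (data, truncated),
    so the caller can treat an over-long robots.txt as a malformed file rather
    than keep reading until memory runs out."""
    buf = bytearray()
    while len(buf) < max_bytes:
        piece = stream.read(min(chunk, max_bytes - len(buf)))
        if not piece:
            return bytes(buf), False
        buf.extend(piece)
    return bytes(buf), bool(stream.read(1))


if __name__ == "__main__":
    data, cut = read_bounded(EndlessStream(), 64 * 1024)
    print("robots.txt: %d bytes, truncated=%s" % (len(data), cut))
    tcp = load_services(SERVICES_SAMPLE)
    for arg in ("10,0,0,5,4,1", "10,0,0,5,0,25", "192,168,1,9,4,1"):
        print(arg, port_command_allowed("10.0.0.5", arg, tcp))
```

A spider that uses read_bounded should also put a wall-clock timeout on the whole request, since a slow endless stream ties up the connection just as well as a fast one; the size cap alone only bounds memory.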
[Women in Technology]===================================================[Godess]

I recently read an article that I found quite disturbing. The article stated that, according to a study by a North American Woman's University, females are being driven away from technology because they're intimidated by the amount of "geeky" men in the industry. I don't know where they based their facts from, but are women really that shallow? Are women really willing to stop themselves short just because the people they work with know more than they do? Perhaps it's because women are intimidated by the lack of respect given to women in the industry, or could it be that they don't feel capable of learning at the same capacity as men do regarding technology?

I believe that most women are afraid of learning technology because it's a high paced, fast moving industry. I'll admit it's hard to keep up, but if you keep focus in certain areas of technology (i.e. network security, networking, etc...) it can be done. I'm not saying that today's growing technology is not overwhelming, but isn't it exciting? Wouldn't it be great to discover something totally untouched, then release it to the world knowing you've made a difference by learning and manipulating technology to benefit the rest of the community? Be it exploits or patches or simple protocol manipulation and variations thereof, any one of these things can affect the whole way certain technologies are viewed and standardized.

I know for a fact that there ARE women in technology, very bright and enlightened women. These women are making history, discovering new ways to use technology to benefit the rest of us. Not only are they making history and discoveries, but they're protecting our technology. People say "Hackers" are criminals; they also say "Hackers" are without ethics, without integrity, and without conscience. However, does it make sense for a Hacker to be out to destroy the one thing that breathes life into him/her? Technology.
That's right, and women have to keep up. The day is not far when we will see typical female professions being taken over by technology. The time is already at hand. There's no longer a need for telephone operators; most companies throughout corporate America run computer automated phone systems. Soon there will be no need for secretaries, nurses, bankers, etc.... It's all going ONLINE! You can't even work at fast-food establishments without knowing at least something about technology; all registers nowadays are computerized for efficiency. Why can't women take advantage of this? Why are there not more women in technology? Because they're scared. Not by "geeky" men, but of themselves and their limitations.

My sisters in the community and I are doing all we can to make the industry a better place for women; all they have to do is apply themselves. The women involved in technology are not "geeks", nor are we anti-social; we're no less beautiful than a waitress or a secretary. We have lives outside of our computers. The only difference between us and other women is the drive to make a major difference in a world that's still new and being discovered. Other women can do it too, and hopefully will take the initiative someday.

**Mad Props and Greets go to**: `immortal, WWsBabe, mo||y, baybee, and jennicide. Women who are not afraid.

/* Editor's Rant: Before you look at the above article and say, "Gosh, that's lame, Legions posted a girly article", think about this. Think about all the times you have wished to find a female in your industry, just so that you would have something to talk about. I have personally had the pleasure of working with Godess, and now know that women need every piece of encouragement they can get. I would not have known the difference between a scene whore and a brilliant woman if I had not listened to what she and a few others have said to me. I will encourage more women to write for Keen Veracity, as we are a forum for everyone.
*/

[Expecting Mass Commands]========================================[Digital Ebola]

Ah. About half a year ago, I started working for a new company that has deployed a lot of Linux servers. At the time that I came into it, we had maybe 120 servers total, and now we are up to almost 900, constantly adding more. My first task was to script something that would change the passwords on everything in a hurry. I had a deadline (the next morning) and was frantic. I had never heard of TCL/Expect up until this point. It did not take me very long to be turned on to it.

Expect is a small utility that allows interaction through scripting. There are many utilities that require user interaction to run (telnet, ftp, ssh). Expect allows you to "fill in the blanks" automatically, so that you may be able to run your script and walk away. Included with the Expect source are examples of various scripts. I found "passmass" and it was the exact answer to my problem. I then took that script and worked it over so that it would be friendly with RedHat. Since then, I have been playing more with Expect and find it to be a very powerful tool, and it always works in a pinch.

This is how Admin came to be. I needed to not only change passwords, but also do a lot of other things, with a lot of hosts. I built this off my modified script, based off the original passmass. The result is a solution that has saved countless hours of "server touches". I now give this script to the public; may it be used for GOOD purposes. I do realize that with a little modification, it could launch the Internet's version of World War 3. (300 hosts, ping -f starting remotely, ahem). This will work with Redhat 6 and above. Anything else, and you will need to modify it. Have fun, and read about Expect!
#!../expect --
#Mass Admin v1.0 by Digital Ebola
#Based on the passmass script by Don Libes
#COMMENTS: I don't really know if there was an example like this or not, I was
#in a pinch to execute certain commands over a large number of hosts.
#I basically took the passmass script and expanded it. If there's any bugs in
#this, it's because I threw it together in a hurry. This is tested on
#Redhat 6.1, anything else might not work, so you might have to learn a lil
#bit of expect :)
#To run: you can either do it at the command line as
# expect admin host1 host2 host3 or write a little script to do it for you if
#you have a lot of hosts.

exp_version -exit 5.0

if {$argc==0} {
    send_user "usage: $argv0 host1 host2 host3 . . .\n"
    exit
}

# Ctrl-C typed by the user aborts the whole run
expect_before -i $user_spawn_id \003 exit

# Record a host we could not log in to, so it can be reported at the end
proc badhost {host emsg} {
    global badhosts
    send_user "\r\n\007$host not modified.- $emsg\n\n"
    if {0==[llength $badhosts]} {
        set badhosts $host
    } else {
        set badhosts [concat $badhosts $host]
    }
}

# This needs to be set to 1 to su.
set su 0

send_user "Enter Login Method: "
expect_user -re "(.*)\n"
set login $expect_out(1,string)
send_user "\n"

if {!$su} {
    send_user "Program to execute: "
    expect_user -re "(.*)\n"
    set program $expect_out(1,string)
    send_user "\n"
    send_user "user id: "
    expect_user -re "(.*)\n"
    send_user "\n"
    set user $expect_out(1,string)
    stty -echo
    send_user "Login password: "
    expect_user -re "(.*)\n"
    send_user "\n"
    set password(login) $expect_out(1,string)
} else {
    send_user "Program to execute: "
    expect_user -re "(.*)\n"
    set program $expect_out(1,string)
    send_user "\n"
    send_user "user id: "
    expect_user -re "(.*)\n"
    send_user "\n"
    set user $expect_out(1,string)
    stty -echo
    send_user "login password: "
    expect_user -re "(.*)\n"
    send_user "\n"
    set password(login) $expect_out(1,string)
    send_user "root password: "
    expect_user -re "(.*)\n"
    send_user "\n"
    set password(old) $expect_out(1,string)
}
stty echo

trap exit SIGINT

#if you have major probs, you might have to set the timeout differently
set timeout 15

set badhosts {}

for {set i 0} {$i<$argc} {incr i} {
    set arg [lindex $argv $i]
    # command line options take effect for every host that follows them
    switch -- $arg "-user" {
        incr i
        set user [lindex $argv $i]
        continue
    } "-prompt" {
        incr i
        set prompt [lindex $argv $i]
        continue
    } "-rlogin" {
        set login "rlogin"
        continue
    } "-slogin" {
        set login "slogin"
        continue
    } "-telnet" {
        set login "telnet"
        continue
    } "-program" {
        incr i
        set program [lindex $argv $i]
        continue
    } "-timeout" {
        incr i
        set timeout [lindex $argv $i]
        continue
    } "-su" {
        incr i
        set su [lindex $argv $i]
        continue
    }

    set host $arg
    if {[string match $login "rlogin"]} {
        set pid [spawn rlogin $host -l $user]
    } elseif {[string match $login "slogin"]} {
        set pid [spawn slogin $host -l $user]
    } elseif {[string match $login "ssh"]} {
        set pid [spawn ssh $host -q -l $user]
    } else {
        set pid [spawn telnet $host]
        expect -re "(login|Username):.*" {
            send "$user\r"
        }
    }

    # guess the shell prompt unless -prompt was given
    if {![info exists prompt]} {
        if {[string match $user "root"]} {
            set prompt "# "
        } else {
            set prompt "(%|\\\$|#) "
        }
    }

    set logged_in 0
    while {1} {
expect "*assword*" { send "$password(login)\r" } eof { badhost $host "spawn failed" break } timeout { badhost $host "could not log in (or unrecognized prompt)" exec kill $pid expect eof break } -re "incorrect|invalid" { badhost $host "bad password or login" exec kill $pid expect eof break } -re $prompt { set logged_in 1 break } } if (!$logged_in) { continue } if ($su) { send "su -\r" expect "Password:" send "$password(old)\r" expect "# " send "$program\r" } else { send "$program\r" } expect "$prompt" send_user "\n" } if {[llength $badhosts]} { send_user "\nfailed to execute command on $badhosts\n" } [NT Logging]============================================================[NtWak0] +-----------------------------------------------------------------------------+ |Author : NtWaK0 | |Crew : Legions Of the Underound | |Subject: NT LOGGING | |Date: Sep-3-2000 | +-----------------------------------------------------------------------------+ INTRODUCTION ============ Many peoples asked me about NT and where are THESE logs,so here we go something I can think of about NT monitoring that will help NT admins and others peoples too :) First Let US Start With a Breif Description Of NT Logs. NT LOGS DESCRIPTION =================== Thier is no magic in NT logs like the UNIX logging.To manager you NT logs you have to use "Event Viewer". What is "Event Viewer", WELL IF YOU CLICK THE HELP IN NT VIEWER you will get a nice description.: Event Viewer is the tool you can use to monitor events in your system. You can use Event Viewer to view and manage System, Security, and Application event logs. You can also archive event logs. The event-logging service starts automatically when you run Windows NT. You can stop event logging with the Services tool in Control Panel. Let me comment on this last phrase from MS HELP "You can stop event logging with the Services tool in Control Panel" WELL IT IS NOT TRUE, YOU CANNOT STOP EVENT VIEWER WHILE YOU ARE RUNNING NT. 
WHAT YOU CAN DO IS DISABLE IT, WHICH MEANS THE NEXT TIME YOU REBOOT THE EVENT LOG SERVICE WILL BE STOPPED. So, to sum up: you cannot STOP EVENTLOG from the GUI, you can only disable it, and from the command line you will get this:

----------------------------------------------[NET STOP EVENTLOG DUMP]------
C:\>net stop EVENTLOG
The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

C:\>NET HELPMSG 2191

The requested pause or stop is not valid for this service.

EXPLANATION
    This command is invalid for this service, or the service cannot accept
    the command right now.

ACTION
    If the service normally accepts this command, try typing it again later.
----------------------------------------------------------------------------

LOGS TYPE
=========

The three types of NT event logs are:

System log
----------
Tracks miscellaneous system events, e.g. events during system startup, and hardware and controller failures.

Application log
---------------
Tracks application related events, e.g. informational events generated by applications, such as failing to load a DLL, will appear in this log.

Security log
------------
Tracks events such as logon, logoff, changes to access rights, and system startup and shutdown. As you will see later in this paper, the security log is turned off by default.

LOGS LOCATION AND ENABLING
==========================

The location of the NT logs is:

%SYSTEMROOT%\system32\config\SysEvent.Evt
%SYSTEMROOT%\system32\config\SecEvent.Evt
%SYSTEMROOT%\system32\config\AppEvent.Evt

By default NT does NOT log all events. You have to enable auditing; to do so follow these steps:

1- From the Start Menu, choose Programs and then Administrative Tools (Common). From the Administrative Tools submenu, choose User Manager, which displays the User Manager window.
2- From the User Manager menu click POLICIES, then click Audit; the Audit Policy window appears.
3- Select the radio button "Audit These Events".
4- Select what you want, click OK and close User Manager :)

NOTE: If you decide to audit all events you had better HAVE SOME KICK ASS MACHINE, because this is going to suck a lot of resources.

Auditing of Privileges
======================

Certain privileges in the system are not audited by default even when auditing of privilege use is turned on. This is done to control the growth of audit logs. The privileges are:

1- Bypass traverse checking
   *** To Everyone ***
   Is granted to everyone, so is meaningless from an auditing perspective
2- Debug programs
   *** To Administrators ***
   Not used in a working system and can be removed from the Administrators group
3- Create a token object
   *** To No One ***
   Should not be granted to anyone
4- Replace process level token
   *** To No One ***
   Should not be granted to anyone
5- Generate Security Audits
   *** To No One ***
   Should not be granted to anyone
6- Backup files and directories
   *** To Administrators, Backup Operators ***
   Used during normal system operations
7- Restore files and directories
   *** To Administrators, Backup Operators ***
   Used during normal system operations

To enable auditing of these privileges, add the following key:

Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   \CurrentControlSet\Control\Lsa
Name:  FullPrivilegeAuditing
Type:  REG_BINARY
Value: 1

Or create a text file, call it audit.reg, and cut and paste the lines below:

-----------------------------------------------------------[SNIP HERE]------
REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------

To merge the .reg file, either double click on it, or open a command prompt and type:

REGEDIT /S audit.reg

This will merge the file you have created.

Auditing Base Objects
=====================

This registry key setting tells the Local Security Authority that base objects should be created with a default system audit control list. The administrator will still need to turn auditing on for the "Object Access" category using User Manager.

To enable auditing of base objects, add the following key:

Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   \CurrentControlSet\Control\Lsa
Name:  AuditBaseObjects
Type:  REG_DWORD
Value: 1

Or create a text file, call it auditObj.reg, and cut and paste the lines below:

-----------------------------------------------------------[SNIP HERE]------
REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------

To merge the .reg file, either double click on it, or open a command prompt and type:

REGEDIT /S auditObj.reg

This will merge the file you have created.

EXAMPLE
=======

What do you see when you enable Security Auditing?
IN THIS EXAMPLE I ENABLED ONLY LOGON/LOGOFF FAILURE:

Logon Failure:
    Reason:                 Unknown user name or bad password
    User Name:              WaKiNg
    Domain:                 WaK0
    Logon Type:             3
    Logon Process:          KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       \\BRAINCELL

CLEARING NT LOGS
================

To clear a log, switch to the log you want to clear; on the Log menu click CLEAR ALL EVENTS. A message asks if you want to archive the current events. If you answer Yes, the SAVE AS dialog box appears. Enter the filename and folder path where you want to store the saved logs. After you answer Yes or No, Event Viewer empties the current log. Only new events will appear in the log.

NOTE: When you clear the SECURITY LOG an event will SHOW in the Security log. Even if you clear the log you will still see this entry:

The audit log was cleared
    Primary User Name:      SYSTEM
    Primary Domain:         NT AUTHORITY
    Primary Logon ID:       (0x0,0x3E7)
    Client User Name:       WaKiNg
    Client Domain:          BRAINCELL
    Client Logon ID:        (0x0,0x2581)

This entry means you cleared the security event log.

Now if you want to clean the log, well, you can do the following:

1- Open Control Panel and then Services
2- Locate the EVENTLOG service and click the STARTUP button
3- In Startup Type choose Manual or Disabled
4- Restart NT
5- Go to %SYSTEMROOT%\system32\config\SecEvent.Evt and delete SecEvent.Evt

By doing so it will stop the eventlog service and you can then delete the log you are interested in. :)

TOOLS TO MANAGE NT LOGS
=======================

I use Dumpel.exe from the NT Resource Kit; I am an old dude who loves the cmd line :) If you like the cmd line I suggest Dumpel.exe; if not, see the links below. And I use NTLast from ntobjectives.

Here is an example of what Dumpel.exe will report:

DUMPEL Usage:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..]
       [-r] [-t] [-d x]
   -d       Filters for event last days (number larger than zero)
   -e nn    Filters for event id nn (up to 10 may be specified)
   -f       Output filename (default stdout)
   -l       Dumps the specified log (system, application, security)
   -b       Dumps a backup file (use -l to specify file name)
   -m       Filters for events logged by name
   -r       Filters out events logged by name (must use -m too)
   -s       Remote to servername
   -t       Use tab to separate strings (default is space)
   -c       Use comma to separate fields
   -ns      Do not output strings
   -format  Specify output format. Default format is dtTCISucs
            where t - time
                  d - date
                  T - event type
                  C - event category
                  I - event ID
                  S - event source
                  u - user
                  c - computer
                  s - strings

NTLast v2.85
------------
http://www.ntobjectives.com/ntlastv2.htm

Is specifically targeted for serious security and IIS administration. Scheduled review of your NT event logs is critical for your network. A server breach can be uncovered by regular system auditing. Identifying and tracking who has gained access to your system, then documenting the details, is now made easier with NTLast. This tool is able to quickly report on the status of IIS users, as well as filter out web server logons from console logons.

EventReader
-----------
http://www.strongsoftware.net/eventrd/

EventReader(TM) is an administrative tool which allows network administrators to analyze and manage event logs. The program lets you collect event logs from Windows NT computers in a network and store the information in one or several ODBC compatible databases (Microsoft SQL Server or Microsoft Access). You can designate the computers from which to collect the information, and assign a schedule and data collection and event log backup parameters. The installation package includes a Microsoft Access sample database, which contains many queries and reports for effective event log analysis.
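An added example in the cmd-line spirit of the tools above (not NtWaK0's code and not part of any of those products): a Python triage pass over Security log entries in the key/value text layout Event Viewer shows. It picks out the Logon Failure and "The audit log was cleared" entries quoted in this paper, plus the User Account Locked Out entry discussed at the end, and for a lockout decodes the RID at the end of the Target Account ID, because the built-in Administrator account always carries RID 500 whatever it has been renamed to. The sample log is constructed from the entries in the paper.

```python
"""Added example, not from NtWaK0's article.  Triage of Security log
entries in the key/value text layout Event Viewer shows: flags Logon
Failure, User Account Locked Out and "The audit log was cleared" records,
and decodes the RID of a locked-out account's SID (the built-in
Administrator is always RID 500, whatever its name).  SAMPLE_LOG is
constructed from the entries quoted in the paper."""
import re
from collections import Counter

SAMPLE_LOG = """\
Logon Failure:
    Reason:         Unknown user name or bad password
    User Name:      WaKiNg
    Domain:         WaK0
    Logon Type:     3
    Logon Process:  KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       \\\\BRAINCELL

Logon Failure:
    Reason:         Unknown user name or bad password
    User Name:      WaKiNg
    Domain:         WaK0
    Logon Type:     3
    Logon Process:  KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       \\\\BRAINCELL

User Account Locked Out:
    Target Account Name:    WaKiNg
    Target Account ID:      S-1-5-21-431509504-1754822488-1124750213-500
    Caller Machine Name:    \\\\BRAINCELL
    Caller User Name:       SYSTEM
    Caller Domain:          NT AUTHORITY
    Caller Logon ID:        (0x0,0x3E7)

The audit log was cleared
    Primary User Name:      SYSTEM
    Primary Domain:         NT AUTHORITY
    Primary Logon ID:       (0x0,0x3E7)
    Client User Name:       WaKiNg
    Client Domain:          BRAINCELL
    Client Logon ID:        (0x0,0x2581)
"""

# Machine/domain account SID: S-1-5-21-<three subauthorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def parse_events(text):
    """Return [(title, {key: value})].  A record is an unindented title
    line followed by indented 'Key: Value' lines; blank lines separate."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if events:  # drop field lines that precede any title
                key, _, value = line.strip().partition(":")
                events[-1][1][key.strip()] = value.strip()
        else:
            events.append((line.strip().rstrip(":"), {}))
    return events


def sid_rid(sid):
    """RID of an account SID, or None if the string is not one."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None


def triage(text):
    """Return (kind, subject, note) tuples a defender should review."""
    findings, failures = [], Counter()
    for title, f in parse_events(text):
        if title == "Logon Failure":
            failures[(f.get("User Name", "?"), f.get("Workstation Name", "?"))] += 1
        elif title == "User Account Locked Out":
            rid = sid_rid(f.get("Target Account ID", ""))
            who = WELL_KNOWN_RIDS.get(rid, "RID %s" % rid)
            findings.append(("LOCKOUT", f.get("Target Account Name", "?"),
                             "SID exposed in log; account is %s" % who))
        elif title == "The audit log was cleared":
            who = "%s\\%s" % (f.get("Client Domain", "?"), f.get("Client User Name", "?"))
            findings.append(("LOG_CLEARED", who, "Security log wiped; only this entry survives"))
    for (user, station), n in failures.items():
        findings.append(("LOGON_FAILURES", user, "%d failure(s) from %s" % (n, station)))
    return findings


if __name__ == "__main__":
    for kind, subject, note in triage(SAMPLE_LOG):
        print("%-15s %-20s %s" % (kind, subject, note))
```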
Event Archiver Enterprise
-------------------------
http://www.eventarchiver.com/download.asp

Event Archiver Enterprise is one of the easiest to use products in the event log management market, and stands above the others with its flexibility. We think of it as a "set once, run forever" application that saves your organization considerable time and money. Given the average hourly cost of a Windows NT/2000 administrator, deploying Event Archiver Enterprise greatly reduces your organization's TCO. After installing Event Archiver, administrators can start analyzing event log entries instead of just trying to save and store them regularly.

EventReporter Version 4.0
-------------------------
http://www.eventreporter.com/en/

Version 4.0 provides a number of important enhancements:
- Support for message delivery via email
- Client added - a graphical user interface for customizing EventReporter
- Filtering of events based on severity code (e.g. error, warning)
- Greatly enhanced documentation
- Greatly enhanced web site - especially the support area

Remote Viewers - Event Log Monitor
----------------------------------
http://www.tntsoftware.com/products/emon22/viewers.asp

The Remote Viewer for Windows PC runs on Microsoft® Windows 95, Windows 98, Windows NT.
- Lets you search and display event log information as it is received by the console.
- Receives user selected real-time Alerts from the console, which are immediately displayed in the Remote Viewer.
- Provides remote management for processes, services, and device drivers
- Provides remote search, edit, create user defined notes and message reference
- Provides multiple remote command prompt windows

SECURITY ISSUE FOUND WHILE I WAS WRITING THIS PAPER (THE BUG WAS NOT OUT YET)
=============================================================================

For those of you who know about SIDs in NT and the tool "sid2user" that allows you to get the SID of users:
Well, I found a way to get the SID, even the Administrator's, remotely if certain conditions are met:

1- By default NT logs can be viewed remotely :)
2- You have auditing enabled
3- Your policies lock the account after a certain failure count

Now here is what you need to do to get NT to spit out the SID
----------------------------------------------------------

Try to log in to the remote box using any existing account and you will get a logon failure; in Event Viewer you will generate an entry:

Logon Failure:
    Reason:                 Unknown user name or bad password
    User Name:              WaKiNg
    Domain:                 WaK0
    Logon Type:             3
    Logon Process:          KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       \\BRAINCELL

If, like I said, you have a policy that locks an account after a certain count, you will see this entry in your log file:

User Account Locked Out:
    Target Account Name:    WaKiNg
    Target Account ID:      S-1-5-21-431509504-1754822488-1124750213-500
    Caller Machine Name:    \\BRAINCELL
    Caller User Name:       SYSTEM
    Caller Domain:          NT AUTHORITY
    Caller Logon ID:        (0x0,0x3E7)

So now if you connect to the remote box using Event Viewer you will be able to see the logs, and you will see the SID:

Target Account ID:      S-1-5-21-431509504-1754822488-1124750213-500

I did not do any other research into this because the objective was not to find something but to write this paper :)

===============================================================================
Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" -- Dennis Hughes, FBI.
-----------------------------------------------------------------
Live Well Do Good, Accept no limitations --:)
===============================================================================

[UNIX Autopsies]=================================================[Digital Ebola]

How to Perform an Autopsy (Oh God I've Been Owned)
A Text for Admins in the Wonderful World Of Unix
--------------------------------------------------------------------------------

No matter how good you are, eventually it's going to happen. You are going to get owned. Now, while this might not happen as often to a senior level admin that has been playing with UNIX for a long time, it will happen at one point. This is mathematics. Someone is going to find a bug somewhere, or maybe you just overlooked something. Nevertheless, it happened; stop crying like a baby, and plan your next action. It doesn't cost 80 thousand dollars to bring boxes back from the molestations of a 14 year old, but it does take some effort. You have essentially 3 options, which I will explain:

1. Reinstall. Time consuming, but very effective. Quicker than the other methods.
2. DE-Own the box. A little more time consuming than a reinstall, but you save your data.
3. Set up booby traps and wait.

OPTION #1

Reinstalling is such a pain. You have custom scripts to replace, custom configurations for any of the services you may be running, and possibly even custom software that has been written in-house. I cannot stress to you enough the importance of a back-up in any case. If you are not backing things up, you are not doing your job. Period. Don't go blaming your loss on the hacker that got you, because the same thing could have happened in the event of a hardware loss or a Layer 1 disaster. If you were smart, restore from backups, fix the original security hole, and you're on your way. If you were not smart, well, you are going to spend some time reconfiguring, but this is still faster than the next methods I am about to detail.
OPTION #2

DE-Owning the box is time consuming. No doubt about it. You will gain a lot of information by doing this. What it takes is patience, and a lot of reading. First of all, you need to assess the visible damage. Were there any webpage defacements? Was there a nasty issue.net? Are users complaining of data loss? Are the logs still intact? Also, did the cracker leave behind a history file? Some crackers are way sloppy; either they are too much of a novice to know, or they just plain don't care. At any rate, this is information you have to collect.

After your damage assessment is complete, you can then begin to fix your box. Chances are great that your cracker has left several backdoors in the system. The golden rule of thumb is: anything that runs as root can be a backdoor. Some examples are /bin/login, /root/.bash_profile, or any of your startup scripts such as /etc/rc.x or /etc/init.d, and so forth. If you know UNIX, you will know what I am talking about.

Another, simpler backdoor is a suid shell somewhere on the box. You check for all SUID programs by doing this:

owned$ find / -perm -4000 -print > suid

You are looking for anything out of the ordinary, such as this:

-rwsr-sr-x   1 root     root       426980 May  9 01:00 .bash

Now, why would there be a SUID program in someone's home directory that is owned by root? When did root put that there? Chances are, root did not. The kid that was playing around as root did. And in most cases, executing that program as a standard user will produce a root shell. Granted, there have been some improvements in some versions of shells that have better UID control, but there are a lot of systems that will let you chmod +s sh and then run it as a user. It runs as root. You become root.

Another even simpler backdoor can be found by simply checking your passwd file. You would be surprised at the number of admins that never watch their passwd file.
In this case you would be looking for:

digi:x:1000:1000:Digital Ebola,,,:/home/digi:/bin/bash
digi2:x:0:0:Digital Ebola,,,:/home/digi:/bin/bash

The cracker would then proceed to telnet into your machine as a normal user, and then su to their rootshell. I must say, I have personally seen a backdoor like this last for up to 78 days.

Another form of backdooring is the rootkit. Crackers today are mostly unoriginal people, be it from lack of skill or from impatience. This is a good thing for you, the admin. Why? Their lack of creativity will allow you to find their back doors easily, due to the public archiving of these rootkits. You should download every rootkit you can find, and do file compares between them and the binaries of your flavor/distro. Common trojaned services are telnetd, identd and even sshd. This takes time. Read the rootkit instructions, try the default methods of accessing. Most people never even bother to customize a pre-built rootkit. Another thing you can do, in certain cases, is checksum compares. Vendors release checksums along with their packages for integrity checking, and it has been known to help in recovery.

Now, if you have had a real professional come into your machine, then I can honestly say that you may never find all the backdoors. I do not mean to kill off your hopes of a recovery, but there are some out there that have true finesse. I'll give you an example. Cracker comes into the box via a public exploit, just as any kiddie. He sees this system as one to keep. He does not modify a webpage, he does not packet from the box. He wants to keep his access, to be the ghost in the machine. He then trojans the kernel. Dear admin, I must ask: how well do you know your kernel configuration? Do you REALLY know the modules that you are loading? You can do ANYTHING from the kernel. End of story. I want to hide my processes, I want to become invisible. I will make the kernel do what I want.
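Stepping back to the file-level checks earlier in this option, the SUID sweep and the passwd review, here they are as a script run over captured data (an added example, not Digital Ebola's code). It assumes you have copied /etc/passwd and a `find / -perm -4000` listing off the box so you read a copy rather than trust the live system; the sample inputs are constructed, apart from the digi2 and .bash lines the text itself shows.

```python
"""Added example, not Digital Ebola's code: two Option #2 checks run over
captured data.  Check 1 (passwd review): any account with UID 0 besides
root is a root alias; the digi2 line is the paper's own example.
Check 2 (SUID sweep): diff today's `find / -perm -4000 -exec ls -ld {} \\;`
output against a listing saved at install time, and flag root-owned SUID
files sitting in home or temp directories or hiding behind a dot name
(the paper's .bash).  All sample input below is constructed."""
import re
from collections import defaultdict

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
digi:x:1000:1000:Digital Ebola,,,:/home/digi:/bin/bash
digi2:x:0:0:Digital Ebola,,,:/home/digi:/bin/bash
"""

# Install-time baseline (constructed paths, sizes and dates).
BASELINE_SUID = """\
-rwsr-xr-x 1 root root  14188 Feb  2  2000 /bin/su
-rwsr-xr-x 1 root root  25536 Feb  2  2000 /bin/mount
-rwsr-xr-x 1 root root  18208 Feb  2  2000 /bin/ping
-rwsr-xr-x 1 root root  29200 Feb  2  2000 /usr/bin/passwd
"""
# Today's sweep: the same files plus the root-owned .bash from the paper.
CURRENT_SUID = BASELINE_SUID + """\
-rwsr-sr-x 1 root root 426980 May  9 01:00 /home/digi/.bash
"""

# mode, link count, owner, group, size, three date tokens, path
LS_RE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+"
    r"\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$")


def uid_aliases(passwd_text):
    """Map each UID shared by several accounts to those account names."""
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or line.startswith("#") or not parts[2].isdigit():
            continue  # blank, comment or malformed entry
        by_uid[int(parts[2])].append(parts[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def root_aliases(passwd_text):
    """Accounts other than root with UID 0: each is a candidate backdoor."""
    return [n for n in uid_aliases(passwd_text).get(0, []) if n != "root"]


def parse_ls(listing):
    """Return {path: (mode, owner)} from `ls -l` lines; skip anything odd."""
    entries = {}
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if m:
            entries[m.group("path")] = (m.group("mode"), m.group("owner"))
    return entries


def suid_anomalies(baseline, current):
    """Compare today's SUID sweep against the install-time baseline."""
    base, cur = parse_ls(baseline), parse_ls(current)
    report = {"new": [], "changed": [], "missing": [], "suspicious": []}
    for path, (mode, owner) in sorted(cur.items()):
        if path not in base:
            report["new"].append(path)
        elif base[path] != (mode, owner):
            report["changed"].append(path)  # mode or owner differs from baseline
        name = path.rsplit("/", 1)[-1]
        odd_place = path.startswith(("/home/", "/tmp/", "/var/tmp/", "/dev/"))
        if owner == "root" and (odd_place or name.startswith(".")):
            report["suspicious"].append(path)
    # A vendor SUID binary that vanished from the sweep deserves a look too.
    report["missing"] = sorted(set(base) - set(cur))
    return report


if __name__ == "__main__":
    print("UID 0 aliases:", root_aliases(SAMPLE_PASSWD))
    for key, paths in suid_anomalies(BASELINE_SUID, CURRENT_SUID).items():
        print("%-10s %s" % (key, paths))
```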
An easy way to do this kernel-level hiding, from a cracker's standpoint, is to install LIDS (if you are a Linux admin; if you are an actual UNIX admin, similar tactics can apply). Yes, the Linux Intrusion Detection System. This thing can hide processes, make files undeletable, and even monitor modifications. LIDS can be used for as many evil purposes as good ones. And most admins have never even noticed that their kernel has been recompiled, and their machine rebooted. You would think that admins would pay more attention to their uptime, but there are ways of handling that too. Someone that can write custom kernel modules can stay in your machine for as long as they wish. Or at least until you recompile your kernel. Which means, after your intrusion, a kernel recompile is a must. The heart of your operating system has complete control; if the cracker controls your kernel, and knows how to manipulate it, you are going to be fighting him for a long time. If you even realize he is there.

OPTION #3

Setting up booby traps can be fun. It can also give you a good deal of information. I am not talking about buying a pre-built "honey-pot". I am talking about rigging the system so that you can watch your intruder. See what he is doing. See where he is coming from. I will talk more about what you can do for performing an autopsy in a moment. For now, let's concentrate on what you need to know to be able to get to that point.

First thing is isolating what the intruder has done; assess the damage. Don't fix the problems, just write it all down. You must make it appear that you don't have a clue that he is there. Now, the trick way to watch him is to work around what he has done. If he has not messed with your login service, you will be able to hide a ttysnoops server. Once he is logged in, you can watch his terminal session in real time. Chances are, he has rigged the logs to wipe themselves after each logout. Start another log daemon, make it look like a service that is meant to be on the system.
The cracker will most likely not notice. Log everything he does. Install a sniffer, hide the process, and log that too. This brings me to the next section, doing the actual tracking.

TRACKING

You are now watching your server closely for anything out of the ordinary. You see the cracker log in. You are watching his every movement. What do you do? First thing is to see where he is coming from. Is there a DNS reverse? Or is it an IP? Does the IP reverse? In most of these situations, most admins do not know what to do beyond a simple nslookup, and if the IP does not reverse, the admin thinks that it's hopeless. Not so. You can perform an ARIN whois. ARIN is the American Registry for Internet Numbers. They are the people in charge of assigning IPs, and they work closely with other agencies around the world that perform that same function. If your attacker's IP will not reverse, go to ARIN (http://www.arin.net) and look up the IP. It will come back to the provider of that IP, and sometimes even an individual. At this point, you may call these people and ask them who is in charge of that IP. If you are suspecting a break-in, most providers are happy to help you out any way they can, short of giving out personal information. You can then go from there to contacting the admin of that system, to see if it's an actual user on his system, or maybe he has suffered a break-in as well.

For IPs that do reverse, you can get the contact information of the domain that is being utilized through a whois with Network Solutions. Generally, the contact of the domain will have some clue as to who is using that machine, and you will be able to compare notes if they have had a break-in as well.

Another thing you can do, if you were blessed with a web defacement, is to check the web defacement mirrors. Chances are, if they hit you, they hit others as well. You can then call the other people that had break-ins and compare notes. Crackers that do web defacements are often very blatant about who they are.
A search on metacrawler or another popular search engine will often yield interesting information. Maybe even point you to a home page with contact info! Maybe the attacker IRCs. Most likely he is IRCing from his home machine. Be advised, IRC is a very anonymous medium. Just because someone says they are someone does not mean they are that person. It is noteworthy to check it out, but please, realize that IRC is not true to life.

Things you can do to make your autopsy go better...

I have already stressed the importance of backups. Any admin worth his title knows to back his data up. Another thing you can do is use a loghost in addition to logging locally to your machine. A loghost is wonderful. It basically allows your machines to be penetrated, and yet you still have a full account of the connections. Make your loghost as close to unbreakable as you can. Do not run any other kinds of services on this box. Ideally, this machine will be local, so you will not even have to run telnetd. You can rig a cronjob to back up your network's logs to tape every night, or even better, back up via CD burner. You will thank yourself later. Keep in mind, your logs are only good up to the point the syslogd is killed.

You should make it policy to log every event on the system, no matter how small. It will develop a sense of timing. If timings are wrong on your daily events, either you have a malfunction or you have an intruder. There are kernel modules available on the internet that allow you to log every command, regardless of shell, through your kernel. Installing this and logging to a remote host is very effective for keeping your system monitored properly. Install tripwire, or a like binary, as tripwire has its flaws, and keep its database updated. Watch for little changes. Everything you watch and log now will make your life easier in the event of an intrusion.

CONCLUSION

I see news reports of a hacker that is caught and fined 250,000 dollars.
This is the supposed cost of restoring the system. This is outrageous. The higher the dollar amount, the longer the hacker goes away to prison. The sentence can be longer for hacking a machine than it is for murder. Have we as a society decided that a Sun Enterprise 3500 is more important than a human life? Yes, hacking is wrong. So is murder. Taking a human life should be more of a charge than the taking of a server. It does not cost thousands of dollars to replace data. It does take time. It does take work. I can have no sympathy for a person that is too ignorant to back their data up. After all, are you going to blame a hacker for a hardware malfunction?

Before you go condemning all hackers for your intrusion, please realize that I could not have written this text without intruding on machines at one point in my life. There will always be someone out there with more skill, or that has a piece of knowledge that you don't. Accept it; it is the reason we got into computers in the first place. If you are recovering from an intrusion, all you can do is learn from it, and become a wiser person. You might get the hacker in the end, you might send him to jail, but he is one of many. There will always be people out there that can get in.

Some suggestions so you do not become a statistic: watch your distro/flavor's homepage for security updates. Watch bugtraq and securityfocus and any other security site possible. There are people that develop new vulnerabilities every day. Watch out for these, and adjust your policies accordingly. Read about intrusion detection systems and use them. And if you do have an intrusion, don't just blame the hacker and don't just blame yourself. It's a learning experience, not a very fun one, but you will live through it, and perhaps in the end teach someone else how to get through it.

EOF

/* The author did not get 0wned to write this :P */

[One Large ISP]==========================================[anonymous@legions.org]

One large ISP.
I work for a large ISP that we will call 'BSFISP'. I will cover the tactics of this company and its all-around shitty approach to business. We will cover all of the following items:

- Company disaster 'recovery' plan
- Company security, including Physical and Network

We will start out with the company's approach to disaster recovery and backup, or lack thereof.

Let's say that you are the proud owner of a nationwide ISP with a very large customer base, yet in the name of profit you have elected to ignore some things like a working UPS, working power transfer switch, network redundancy, etc. Let's say now that the unthinkable happens: you lose power in the middle of peak hours. You get a call from your NOC staff, who are using their personal cell phones because you are too cheap to provide backup power on the phone switch. You drive into the office to figure out what you should do, because you have never taken the time and money to come up with a procedure for a disaster. Your power transfer switch is located in a room that only one person (the grounds keeper) has a key to. But that does not matter, because you did not invest in a redundant power transfer switch and your only link to the outside world has burst into flames. What to do now? Figure out how to save your own ass. Spin control is the name of the game. You get one of your smarter employees to gain access to said room so that you can figure out how to get the power back on, so that you can get phones working (you are dreading the employee phone bill because they are all using their cell phones to call your partners). The very expensive UPS that you got at a discounted price, that should have powered the building for an hour, has died after only 10 minutes of use; the chillers have toasted. This is a nightmare. Now what do you do? START BLAMING PEOPLE! That's right, it's not YOUR fault. It must be the NOC staff; they were the only people in the building when the local power company fucked up the grid!
They must have done something to provoke this. Blame them. Now to deal with your partners... Call a company meeting and come up with a nice white lie that will not allow you to lose face.

This is the approach that my company took when we faced a power outage. The problems we faced were not fixed. Anything that broke was bandaged back together and it was business as usual. Currently we have one broken generator, a UPS that will only last 10 minutes (hardly enough time to shut down 50 HP Netservers, 3 Sun Enterprise 3500s, many Cisco routers and countless other servers). We lost 10 pieces of equipment from this because we do not run surge protection into the equipment. It was GREAT. And NOTHING has changed. We did not tell our partners and customers what happened.

Company security, and why it costs too much to protect customer credit card information:

That's right, folks: at this ISP anyone can access our accounting system with VERY little effort, thanks to a web based interface that the systems admins think is SO spiffy. "Well, it is password protected. So that makes it secure." That would be true in most cases; however, this company has elected to give moronic passwords to employees, like this:

Employee Name:     John Doe
Employee Username: jdoe
Employee Password: jdoe

If you are able to guess an employee's name (not hard, there is a list on the website, and yes.. the CEO's password is his username) you have access to EVERYTHING on the network. If you get a NOC person's username you are now able to repoint domains, delete the entire accounting system, delete the entire DNS/DHCP database, and reconfigure tftp files for the routers and cable modems. "Well, if I do that they will know it was me because they HAVE to keep logs!" Not to worry; at BSFISP we do not believe in logging anything. It takes too much disk space. Did I mention that the firewall we have is about as effective as a screen door on a sub? The Russians tried this and look where they ended up..
Did I mention we run the ENTIRE operation on NT servers? No.. they are not patched.. yes, IIS is exploitable on these machines in about 100 different ways. You can also access our ticketing system from the outside world (did I tell you that the script does not check for illegal characters? So that means in the input boxes you can type "bla ; cat /etc/passwd" and on this unix machine it will OUTPUT THE PASSWD FILE TO YOUR SCREEN!) Fucked up, eh? We have a very insecure VPN as well.. but why bother breaking that when it does not give you access to anything that you can't access from the outside world anyway. The only thing it is used for is people on the inside of the network needing access to things outside the network (that's backwards, isn't it?) Anyway, you get the point that security is a joke.. ohh yea.. the mag locks on the doors don't work. And no, the company does not plan on fixing this. They think that they will never get hacked..

So you think you want a job with this company? It is not hard.. however, if you have a clue do not plan on having an easy life with this company; they do not like employees that think. It's bad and it makes the higher up management look bad. Don't even think about pointing out anything that is fucked up on the network.

Anyway I grow bored of typing so... there..

[Simple HTTP Security]===============================================[Phriction]

Web based security is probably one of the biggest problems on the internet these days. Everyone wants their own web site, or to run their own web site, and does so with little or no knowledge about their security. In this article I'm going to talk about basic web security.

DIR LISTING

Directory listing is a major problem on lots of websites. When the webmaster, or whoever is running the website, allows Dir listing I can view the files and folders in the directories just as if I were to type ls -a.
The problem is that people usually upload things to their website they don't want others to see, or have stuff on their website that can lead to possible entry. For example, I was looking at a site once that used PHP scripting and had directory listings, which allowed me to find a backup copy of the PHP code, which in fact was used as a frontend to a SQL database; in the code were the login/passwords to the SQL database and the box. I usually like to check directory listings on /cgi-bin/ when surfing the web just to see how many sites allow it, and surprisingly enough sites do to keep me checking. The cgi-bin is probably one of the most dangerous places to have directory listing, because lots of people upload CGI scripts or files even though they never use them, and those scripts run with the privileges of httpd, which is usually nobody but is sometimes root, so a hole in a forgotten script executes commands with whatever privileges the server has. For example, an old exploit of php.cgi used it to retrieve /etc/passwd by entering the following into your web browser: http://www.target.com/cgi-bin/php.cgi?/etc/passwd. Lots of people don't write their own CGI scripts; they usually just use one off the internet, so by searching for these files in a script archive you can possibly exploit the script after reading the code.

FUN WITH FORMS

More and more web pages these days use forms, for basic information or for anything else. The problem is this: if the script used to parse the form doesn't filter out shell metacharacters, you can use this to your advantage. For example the CGI script AnyForm doesn't strip out any metacharacters entered before it invokes a shell. So we enter a value ending in ;cat /etc/passwd; into a form field, then submit the form. Now since the CGI invokes a shell, the ; is used to identify the end of a command string, so in place of cat /etc/passwd; can be placed any_command; for the script to execute on the server. By viewing the source of the form and seeing which script it is using to parse the form, you can search for the script in archives. View the source and see if it's possible to exploit it.
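The form injection described above in working form, as an added example that is not code from the article or from AnyForm: a hypothetical stand-in for a form-to-mail CGI builds its sendmail command line the way such scripts did, and the hardened version next to it validates the field and hands an argument list to the process with no shell involved. The form values, the sendmail path and the function names are constructed for the example.

```python
import re
import shlex

# Constructed sample form values: a benign address and the payload from
# the article. The field is assumed to be the recipient address that a
# form-to-mail CGI pastes into its sendmail command line.
BENIGN = "jdoe@example.com"
PAYLOAD = "jdoe@example.com;cat /etc/passwd;"


def mail_command_unsafe(recipient):
    """Vulnerable pattern (hypothetical stand-in for AnyForm): the raw
    form value is interpolated into a string that os.system()/popen()
    hands to /bin/sh. The ';' in the value terminates the sendmail
    command and everything after it runs as a second command."""
    return "/usr/lib/sendmail -t " + recipient


def shell_commands(cmdline):
    """Show what /bin/sh would actually run for a command line: split on
    ';' into separate commands, then tokenize each one. Good enough for
    the unquoted payloads in the article (it ignores quoting, pipes and
    backticks, which are further injection vectors)."""
    return [shlex.split(part) for part in cmdline.split(";") if part.strip()]


# Whitelist for the one field type this form accepts. Anything outside
# the pattern, in particular ; | & ` $ ( ) and whitespace, is rejected
# outright rather than "filtered", so a missed metacharacter cannot
# slip through.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_address(value):
    return ADDRESS_RE.match(value) is not None


def mail_argv_safe(recipient):
    """Hardened pattern: validate first, then build an argv list for
    subprocess.run(argv) with shell=False, so the value is a single
    argument to sendmail and shell metacharacters have no meaning."""
    if not validate_address(recipient):
        raise ValueError("form field rejected: %r" % recipient)
    return ["/usr/lib/sendmail", "-t", recipient]


def accepted(recipient):
    """True if the hardened path would send mail for this value."""
    try:
        mail_argv_safe(recipient)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe command line runs:", shell_commands(mail_command_unsafe(PAYLOAD)))
    print("hardened path accepts payload:", accepted(PAYLOAD))
```

The point of shell_commands is only to make the damage visible: the unsafe string becomes two commands, the second being cat /etc/passwd. The fix is not a better blacklist but never giving user input to a shell at all, with a whitelist on top.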
HASTALAVISTA.COM

Well, as some of you know, altavista.com can be a bored computer user's best friend, or script kiddie central, but maybe the more people who hear about this the more aware the public will be of vulnerabilities in web pages. I can already hear some of you right now saying the exploits I named in this file are out of date and that most forms these days filter the values of form fields, but I sit here and beg to differ. Go to http://www.altavista.com and for the parameters of your search type in, for example, +/cgi-bin/php.cgi. What shows up is probably some security paper on how bad it is to have php.cgi, but it also returns websites running it. Kinda disgusting, eh? I hear the word 0-day being used more and more, but it's sad when a 365-day++ exploit works, and I'm talking .mil sites here also. Try it for yourself if you're bored and want to make a site go hasta la vista.

PHRICTION HTTP SECURITY SCANNER PRE-RELEASE VER 0.5

Well I know you all use Whisker for your HTTP scans, but what about those of us who use Windows boxes? Well, we could run a perl interpreter, but come on, the average script kiddie doesn't even know what that is. So thank me: I ported a version of my pre-release HTTP scanner to Windows, simple and easy to use, with a VB GUI interface soon to come for the command-line inept among us. This version just searches for exploitable files; it doesn't exploit them yet. Yes, you will have to go search Bugtraq on how to exploit them. Read the README to learn the rest. Thank you.

Scanner available at Http://phriction.sk1llz.net/programs.html
Bugs, Comments, Suggestions: phric@legions.org

[Hacker Paladins]======================================================[Raschid]

/* Editor's Note: Many of our readers have expressed a certain need to, well, express themselves. Not everyone can talk tech all the time, but they certainly do vent through their writings. Which has brought a change of thinking to the Keen Veracity staff.
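The two checks Phriction describes, a /cgi-bin/ directory listing with stray backup copies of scripts in it and the presence of old exploitable CGIs such as php.cgi, as a small added scanner. This is not Phriction's scanner and not Whisker. The HTTP fetch is passed in as a callable so the detection logic can be run against the constructed responses below; for a live host, swap in urllib with a timeout. The host name, the response bodies and the list of CGI names are assumptions.

```python
import re
from urllib.parse import urljoin

# Old CGI names that were widely exploitable when the article was written;
# extend as needed. Presence (a 200 response) is reported, not exploited.
KNOWN_CGI = ["php.cgi", "phf", "AnyForm"]

# Heuristics: the title Apache puts on an auto-generated index page, the
# hrefs inside it (skipping the ?C=N sort links and the parent-directory
# link), and the suffixes editors and admins leave behind.
LISTING_RE = re.compile(r"<title>\s*Index of ", re.I)
HREF_RE = re.compile(r'href="([^"?/][^"]*)"', re.I)
BACKUP_RE = re.compile(r"(\.(bak|old|orig|save)|~)$", re.I)


def scan(base, fetch):
    """Return a list of findings for one site.

    fetch(url) must return (status_code, body_text). It is injected so the
    checks are testable offline and so a real implementation can add
    timeouts, proxies and rate limiting without touching this logic."""
    findings = []
    status, body = fetch(urljoin(base, "/cgi-bin/"))
    if status == 200 and LISTING_RE.search(body):
        findings.append("directory listing on /cgi-bin/")
        for name in HREF_RE.findall(body):
            if BACKUP_RE.search(name):
                # A .bak of a script is served as plain text, exposing its
                # source and anything embedded in it (DB credentials...).
                findings.append("backup/source copy listed: /cgi-bin/" + name)
    for name in KNOWN_CGI:
        status, _ = fetch(urljoin(base, "/cgi-bin/" + name))
        if status == 200:
            findings.append("known CGI present: /cgi-bin/" + name)
    return findings


# Constructed responses standing in for a misconfigured server.
FAKE_SITE = {
    "http://www.target.com/cgi-bin/": (200,
        "<html><head><title>Index of /cgi-bin</title></head><body>"
        '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
        '<a href="php.cgi">php.cgi</a> <a href="form.pl">form.pl</a> '
        '<a href="form.pl.bak">form.pl.bak</a></body></html>'),
    "http://www.target.com/cgi-bin/php.cgi": (200, ""),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for finding in scan("http://www.target.com", fake_fetch):
        print(finding)
```

Keying the known-CGI check on a 200 alone produces false positives on servers that answer every path with a 200 error page; a production scanner should first request a random nonexistent name and discard hosts that return 200 for it.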
KV has primarily been a technical zine, a forum to express ideas based on technology. We believe that in order to reach this point, one must take a stride through some other areas in order to stimulate thought processes. We hope to maintain a level of technical savvy, but we would also like to let some others stretch that expertise into something that merges tech, mind and soul. Hopefully, we may be able to stretch our intellects through the wanderings of personal expression. */

"Behold a broken world, we pray,
Where want and war increase,
And grant us, Lord, in this our day,
The ancient dream of peace.
No force of arms shall there prevail
Nor Justice cease its sway;
Nor shall their loftiest visions fail
The dreamers of the day."
-"Behold a Broken World"; Christian hymn

Of what benefit is there in fighting darksiders? Of what gain is there in thwarting their advances into the souls of our people? What use is there in resisting this element amongst us which rejects honor, which rejects knowledge, which rejects curiosity; which rejects all that is good, and clean, and noble and yet allows baseness, corruption and dishonor to flow so freely amongst the hearts and minds of our people? O my brothers and sisters in the underground, is this not a disgraceful thing? Through this we have found dishonor and ill favor among the other people of the world, that our name is considered a curse on the lips of all who utter it. Our name is that of the wolf on the lips of the digital lambs. And few care. Few, it seems, give a jolly damn about the consequences of their actions. Gone are the days of technical competence to achieve amazing results. Gone are the days of literature exclaiming the hacker as a good guy, someone who might just be alright, who is not necessarily the harbinger of doom, the demon of cyberspace. It's been suggested, half seriously, that the Anti-Christ just might be himself a hacker. And what of it, my friends?
In our post-modernist society, where pop culture has the attention span of an infant, it would seem plausible that such concepts as love, loyalty and virtuous living play a role in people's lives only insofar as they fail to inconvenience them. If our current age of people cannot abide such concepts, how can the hacker underground? For surely, we are nothing but the cybernetic extension of our surroundings. What has Zarcae to offer that your television does not? We offer the concepts of love, of ennobling our hacker brethren with those virtues which have long disappeared from the mainstream culture.

There are two conceptions of the world of cyberspace floating about in the common parlance. One is of the Wild West, where cigarette-chomping cowboys roamed over an anarchistic frontier, where the only law was laid down by whomever had the fastest gun and most ammunition. What few authorities there were of true law and order were typically jokes, facsimiles of those virtues. The second main idea of cyberspace (and the less popular one) is that of the medieval era, with the monarchy replaced by a technocracy of sorts. That is to say, loosely, that the more technical ability a person possesses, the higher in the social order of his relative society he will be. A main thesis of Zarcae holds this second ideal of cyberspace to be the most accurate, and charges that hackers are the equivalent of knights in the Middle Ages. With our skills at intrusion, and the ability to wreak concentrated, disciplined havoc among computer systems, with said skills even possessing the ability to wreak chaos outside of cyberspace, it could be said that the possession of such skills is the equivalent, literally, of the martial skills of those historic knights.

The problem with our analogy is that it begs for complicated technical expertise. This is no longer the case, as lamented by Erik Bloodaxe in the last Phrack editorial he did as editor in chief a few years back.
He commented that as the level of technical competency went down, the quality of hacker went down in direct proportion, and the quantity of people ABLE to pursue violent action in cyberspace rose inversely. This is to say, still following our analogy, that as the level of military training needed went down, and as the level of technology rose so that even fools could fight skillful battles with rudimentary muskets and such, the quality of knights went down (where "quality" is equated with "ethicality") in direct proportion, and the number of people able to engage in battle rose inversely. These are simple questions, OBVIOUS questions, but ones rarely asked or answered. Most people fail to consider the squires and would-be mercenaries of the underground (i.e., script kiddies, "warez" pirates) as knights, but this does not necessarily set them apart from those skilled cybernetic knights who have wholly sold their skills to the pursuit of profit or power, whom we call "darksiders". These hackers have given away their talent, prostituted their ability in the cause of baseness and immorality. They have betrayed their cultural legacy, and as such pose a direct threat to us all.

What then does Zarcae propose to do about the mercenary class of hacker which has sprung up in the underground? How do we propose to counteract the sea of immorality plaguing our people? What to do? Zarcae proposes to raise up two new ideals of hacker. As I have stated, a basic Zarcae tenet is to hold hackers as knights; what is needed is to raise that standard further, to bring home the concept of the 'paladin hacker', which is to say, the concept of the hacker who fights with righteousness and the good on his side, bringing said lost virtues back to his people. To such a hacker, there is no enemy insurmountable, no evil so great as to not be overcome. Why, then, is our task called glorious?
Because it is the stirring of the human soul against tyranny, it is the ringing cry to battle which lies in the hearts of all people, the noble love and fierce loyalty all hold towards family and people. We are protecting our own.

The second concept is that of the 'scholar hacker'. Too long has the underground languished under a shadow of ignorance. Too long has communication flowed in tiny spurts among the elite, so that the gifted beginners in the underground gain knowledge to join their princely ranks only to finally join as those jaded members they formerly swore never to become. Jaded, and incapable of rendering good works unto their fellow men and women as their high status honorably requires through moral obligation. Zarcae proposes the establishment of a hacker intelligentsia. We need an intellectual elite, capable of fielding the hostile outsider lashings of a world which misunderstands us, which fears and reviles us. We need hacker apologists, who can reasonably combat these arguments against the very existence of our people.

There are scattered individuals who fight against this tide of incompetence so dominant in our people in the underground today. It is to be hoped that Zarcae will only be the first of such groups to encourage honest debate and intellectual argument among the underground, that others may follow, and so allow their lights to shine even greater than ours. We are the first, but the first is not necessarily the greatest, and in time, I feel, there will come others whose light will shine so much as to eclipse Zarcae's very memory. As to that time, I feel little sorrow, since we will have accomplished our purpose in igniting the passions of those intellectual descendants. Let our memory pass away into Time, as we ought to have no need of the vanities of mortal men. Let our deeds stand as our legacy, aside from vain words.
Combined with the holy righteousness of the paladin and the thoughtful pondering of the scholar, we come upon the question as to central motivation. What WILL be the overriding passion which will give rise to all the actions of those who follow the Ethic? The answer to that is: Love. It is love of our fellow men and women which will inspire us to our acts of daring in cyberspace. It is through love that we will graciously accept the persecutions that the federal authorities and our misunderstanding brethren in the underground will render against us, and it is through love that we will inspire them to quit their heinous acts, lay down their swords of injustice, and follow us. Without love, all these virtues of justice, nobility, honor, would be useless. What use is the dispensing of the actions of goodness, without it being tempered with the love of the people involved? There is no goodness where love is not present. The Ethic forces our behavior outside of cyberspace to reflect our actions inside of it. The hacker who has spent his nights away from the modem carousing, drinking, cursing has no place in the hacker paladin ranks; how could he condemn the darksider when his soul is half there already?

"Love must be sincere. Hate what is evil; cling to what is good."
-Romans 12:9

Without love, the eloquence of the greatest prophets rings hollow. There is no urge to follow noble ideals, only the lust for profit, and for power. Without love, the great deeds of virtuous men seem empty, and devoid of that noble spark, crumbling eventually, and sinking back again into the pit where evil waits patiently for the fall of all things, noble and un-noble alike.

"So justice is driven back
And righteousness stands at a distance;
Truth has stumbled in the streets,
Honesty cannot enter.
Truth is nowhere to be found,
And whoever shuns evil becomes a prey."
-Isaiah 59:14-15

I have talked in the past of hackers who give lip-service to the ideals we express, but do nothing.
How foolish are they! The ideals we express should be as a fire in your blood, constantly upon the brain, and a sword upon your tongue, to go forth and deliver your messages of goodness to the entire hacker community, that we may reform our manner, and so become true paladins and knights, and no longer mercenaries or bandits as we have fallen to.

"What good is it, my brothers, if a man claims to have faith but no deeds? Can such faith save him? Suppose a brother or sister is without clothes and daily food. If one of you says to him, 'Go, I wish you well; keep warm and well fed', but does nothing about his physical needs, what good is it? In the same way, faith by itself, if it is not accompanied by action, is dead. But someone will say, 'You have faith; I have deeds.' Show me your faith without deeds, and I will show you my faith by what I do. You believe that there is one God. Good! Even the demons believe that and shudder."
-James 2:14-19

As such, we find later in James another passage about wisdom and deeds. For a man or woman to be considered wise by Zarcae standards is not much; it is only to live as a person of faith in the Ethic, and to show that Ethic through their actions to others, both in cyberspace and out. Such a man or woman need not even be a hacker, for surely, my friends, I am not. I have adopted the hacker underground as my own people, and would hope likewise to have been adopted, but I myself am not of the same stock as you; I have not learned the same tenets, and have little knowledge of the same technology. This is not to say, friends, that I do not desire it. However, I have found it hard to find such knowledge, and wish readily enough for teachings, as I suppose many others of good quality do. This is somewhat what I mean by an established intelligentsia. It is as of yet too difficult for the gifted of our people to learn.
We must establish some method to raise our people out of ignorance, raising them in knowledge with the Ethic, so as to form a community of hacker paladins and scholars.

"Who is wise and understanding among you? Let him show it by his good life, by deeds done in the humility that comes from wisdom. But if you harbor bitter envy and selfish ambition in your hearts, do not boast about it or deny the truth. Such wisdom does not come down from heaven but is earthly, unspiritual.... [F]or where you have envy and selfish ambition, there you find disorder and every evil practice."
-James 3:13-16

What then is the quality of those who would follow the Zarcadian Ethic? It is simply to be loving of all, foe and friend alike. It is nothing to love your friends; even the worst of your fellow men and women manage that. If you can curse the feds and love your friends, what is that? You have failed in the Ethic, and are unworthy to be counted among the ranks of the paladins. Your sin describes you, and you have shown by your deed that you are not of our kind. Therefore, to love your foe is not to be submissive to them. They cannot understand their error so long as they labor under the clouds of their ignorance and lusts for power and social status. You must teach them as you can the errors of their ways. Failing that, you must hand them over to their respective justice systems, in the hope that such will correct their ethical troubles. Many among you will be puzzled by this, but it remains true. The federal authorities, though they will certainly persecute you, are nonetheless your allies in your endeavors. They abide largely by the same ideals that you do. Justice is the basic idea of our modern legal system. Ineffectual or not, it is all we have to go by. Another reason remains for our assistance of the federal authorities in their capturing of the most malignant of the darksiders: they are simply outmanned.
It is estimated that the FBI would have to spend every day of every year, with every agent, just to keep barely current with computer crime. Currently, the Computer Crime Unit of the FBI and the computer crime specialists of the Secret Service are ludicrously small, and inept at any efforts to stop the waves of attacks that darksiders launch daily on the digitally innocent. As paladins, we owe it to these authorities to help them in their quest.

I spoke earlier of envy and ambition. Such is to be avoided at all costs by the followers of the Ethic. I myself am the leader of Zarcae only by default of having created the group; no doubt there are others more eloquent, more impassioned in their speech, more technically competent to lead than I; surely there are others beside whom my knowledge and talents are as those of a child. In the absence of such characters, I believe it my duty to lead the group. Envy is horrible for paladins; why be jealous of a brother or sister who is better technically able? This is foolish. The better thing is to ask assistance from that person on what ails you technically, so that you may better serve others through your skills. If they are of little help to you, what of it? There are thousands of areas in electronics, computers, and such, where you could otherwise occupy yourself and specialize. Even those who know nothing of hacking at all are useful in their writing talents; they may be hacker ethicists, who argue for a logical philosophical basis on which we may rest our actions firmly.

With all that said, welcome to the coming Revolution, friends, and God bless.

-Raschid
*Founder of Warzael Zarcae

[PERL Site Verification]================================================[Crater]

Howdy, aight aight.. give me a break, I am a Texan. Anyways... I was asked to submit a few of my programs (scripts and anything else I could come up with on short order) for the ezine. Now, don't get me wrong, I am by no means a guru in programming.
I am rather a jack of all trades. And I am always very keen on modifying others' code to suit my purpose. Don't reinvent the wheel is my motto. I leave the real stuff for the more technical. LOL :) Now, I think my first program should be something that will actually be of some use. I know you've got a lot of sysadmins out there that already know a lot of what I am about to show you, but it is still useful. But I am writing this for the new upstarts out there that are trying to get their foot in the door. I use this perl script at work for a site verification system. DigiEbola has since written another one that works really well.. But, needless to say, I LIKE MINE!!! j/k.

Ok.. now the things you will need. You will need the Net-Ping module and the IO-File-Multi module. On a few systems these should already be installed.. but if not, just surf on over to the CPAN site and download them.. they are very very useful modules that will do nothing but make your perl life easier. Now, enough talk, let's get down to what you came here for. What I am about to show you is by no means the only way to script this.. it's just the way I like it.. that's it.

Ok.. first an explanation. Where I work, we bring on data centers around the world and a lot of times we have to retrofit the centers. In doing that, we have a lot of systems at one time that we have to make sure are actually there. Now, I have been able to use fping and nmap, exscan and a lot of others that do the same exact thing that this script does.. I just wanted one script that does it all.. and that was real easy to set up on other systems to run. So.. here we go.

#### Normal stuff here
#!/usr/bin/perl
########################
# Site Verification
########################
# Written by me Crater
#
# You can contact me at ddfelts@ultravision.net
# if you need help with anything.
#
########################
use strict;
use warnings;
use Net::Ping;
# so we can send multi prints using one call..
# so one print statement can go to different places.. just a time saver..
use IO::File::Multi;
# so we can do the port scan stuff
use IO::Socket;

# Declare our args
my $file  = $ARGV[0];
my $file1 = "alive.$file";

# We want to use icmp packets here...
# (raw icmp needs root; run as root or change "icmp" to "tcp")
my $host = Net::Ping->new("icmp");

unless ($file) {
    print "Usage: SiteVera <file-of-ips>\n";
} else {
    # define our multi object
    my $mult = new IO::File::Multi;
    # to stdout
    $mult->open('>-');
    # to our alive.#file
    $mult->open(">>$file1");

    # Open our data file.. should be just a plain ip file with
    # one ip number on each line.
    open(INFO, "<$file") or die "cannot open $file: $!\n";
    # put each line in an array
    my @lines = <INFO>;
    # close file
    close(INFO);

    # check to see if ip is alive
    # and port scan to see what services
    # are on the alive ips
    foreach my $line (@lines) {
        # strip the newline, or ping() is handed "10.0.0.1\n"
        chomp $line;
        next unless length $line;
        unless ($host->ping($line, 2)) {
            $mult->print("$line Not responding\n");
        } else {
            $mult->print("$line is alive\n");
            # now lets port scan the alive ip
            # (Timeout keeps filtered ports from hanging the scan)
            for (my $port = 1; $port <= 500; $port++) {
                my $sock = IO::Socket::INET->new(PeerAddr => $line,
                                                 PeerPort => $port,
                                                 Proto    => 'tcp',
                                                 Timeout  => 2);
                if ($sock) {
                    $mult->print("$line Connected on Port $port\n");
                    close($sock);
                } else {
                    # if you uncomment the next line.. you will have a long long list
                    # of unopened port prints
                    # $mult->print("$line $port not open\n");
                }
            }
        }
    }
    $mult->close();
}
$host->close();
exit();

There you go.. this little simple script will open a file, ping each ip in that file, then if the ip is alive it will portscan it to see what services are there, and print everything to an alive file and to stdout. I hope you find it useful and helpful. enjoy...!!! My next script will be a Perl/Tk variant of the one above. Maybe a few other things as well. I also will be writing a few C programs, Tcl/Tk, vrml. Who knows.. :-)

[Legions Survey]============================================[Gridmark/Phriction]

/* Editor's Note: In the spirit of such cool mags as Playboy or Cosmo, we have decided to include a short survey of our readers. Feel free to cut and paste it, fill out your answers and send it back to submit@legions.org... This should be mighty interesting...
*/ Legions of the Underground member/regular/luser survey. Legions Survey made possible because WGMATATS Tip: if you dont answer all the questions you will be savagely beaten to a bloody pulp by Gridmark and Phriction. Thank you and Enjoy! 1. Do you know you know what WGMATATS stands for? 2. What is your favorite unsigned long int? 3. What is your handle?(alias,nickname,AKA) 4. What is the origin of your handle?(where did you get it from) 5. Who in legions do you think is the most likely to get arrested and for what? 6. BeOS or MacOS? 7. touch or finger? 8. telnet or ssh? 9. Do most of the people you know refer to you by your handle? 10. What is your favorite protocol? 12. Favorite Daemon? 13. Usual bathroom reading? 14. Have you ever had sex with someone who could code Hello world in assembly language? 15. Binary? 16. Do you own a pair of keys to a local ATM machine? 17. Do you know what a scenewhore is? 18. Are you one? 19. What must someone do to be elite? 20. Have you ever tried to nuke someone? 21. Do you have a root dance? 22. Have you ever owned a box stoned? or drunk? 23. Have you ever wrote root@127.0.0.1 as your address on a job application? 24. Have you ever rooted yourself? 25. Favorite book? 26. Favorite Car? 27. Favorite color? 28. Do you look at mullet porn? 29. Mountain Dew || Coffee? 30. Multiple Choice Section Just fill in the _'s with x's if you dont get it you suck. Do you think this Survey is a threat to your security? _[3y3 pj33r] _[no... dumbass] Do you take large amounts of caffene and then lie about it the next day? _[Admitted Addict.] _[no, and im stickin to it] Do you have a 1Mbit+ connection running to your house? _[yep] _[nien] Do you have more than 10 computers in any one room of your house? _[si] _[no] Do you run around your house with a lampshade on your head sayin "Hi! ima squid!"? _[yay] _[nay] What are your "m4d sk1llz y0h"? _[i r00t stuff] _[skript kid] _[clubie crackhead fucknut] _[whats a computer?] 
What is your current rate of income? _[Under 10,000] _[11,000+] _[50,000+] _[100,000+] _[31,337] _[None of your fucking business Gridmark.] How much time do you "use" playing games? __[hrs] Do you use 31337'isms? _[y34 b1z47ch] _[No sir] Do you have MtDew cans flying at your head blindingly fast? (i.e. commercial) _[WATCH OUT!] _[whatchu talkin bout willis?] Do you like me? _[i lub j00] _[fsck you bitch] Are you a chick? _[yea baby] _[3y3 41nt gn0 ch1x0r] *//////////////* */ Sorry, /* How much do you like me? _[this is] _[getting tedious] */ I'm Lonley /* *//////////////* if [$lastquestion == yes]; then "can i r00t you?" _[no way in hell Gridmark.] /* I'm Lonley /* Sexiest stooge? Larry or Moe? _[larry] _[moe] _[shemp] _[nuyk nuyk] Are you bored yet _[zzzzz] _[CMON MAN KEEP GOING] Who selected the second answer to the last question? _[not me] _[not me] EOF [Guide to 0wning Your School]=========================================[Gridmark] Homework, a Guide to 0wning your school Chapter 1. This text is for the kiddies, may god have mercy on your souls. If your a CISCO router tech, than this is trivial bullshit. But if you grew up like me, got a Tandy for your birthday 8 years ago and has been hooked since. One that has used AOL and the like, One who thought winnuke was cool at a time. But i have grown. I now know the wrongs I have done. I now dedicate myself to the flow of information, for freedom and truth against all forms of oppisition. but it dosent change the fact that im a Lazy Sonnofabitch. Well its September, the leaves are turning a nice orange/brown, and school is in session. If you go to school, you should have computers in class, and they plike to restrict your use of a computer. Like mabye web filtering software. no mp3's for you, music disrupts the classroom. and of course no pron when the teacher isn't looking, damn. well what are you going to do about it? what about your access to local programs? no solitare when your done with your work. 
no loading Quake III Arena and fragging the shit outta Mike 3 classrooms away. Well this is a 4/5 part series on how to overcome these hurdles and do the unthinkable: 0wn your school.

Fortres x.x hole

A lot of the schools around here use Compaqs, Gateways, HPs, or Dells. Now each of these PCs is out of the box a wonderful machine, but then the idiot sysadmin goes and hand by hand installs a lockdown program, and now your perfect box is trash; you can maybe do one or two things on this box now. One such program is Fortres. Fortres is relatively easy to break.

Bootdisk

Get a bootdisk from your box, make sure it's clean. Throw it in the target box, unplug it if necessary (but a reboot will do just fine). Boot the shit up and delete the Fortres directory. (Btw, attrib -h *.* will help you find the directory, it's usually hidden.) Reboot again and you're home free!

IE

Shitty old IE, what's it good for? Breaking Fortres! If you can load up IE, then instead of surfing over to slashdot type C:\ in the URL bar. Look at that, the previously inaccessible directory listing, with full read/write! Well the first thing you would do is go to Tools>Folder Options>View>Hidden files and folders>Show hidden files and folders. There you see the Fortres directory. Wait, you can't delete it; you must rename it. Easy shit. Reboot. (Hammers work nicely for reboots.) Lookie! No Fortres!

Right Click

It has come to my knowledge that by right clicking everything and executing commands on icons etc. you can access and rename the fgc folder and gain full access. I have not tested this method but it should work; they are pretty dumb.

That's it for now kids, stay tuned to Keen Veracity for more chapters!

[OpenBSD Security Overview]=========================================[David Jorm]

OpenBSD is often noted for its code auditing and integrated crypto, but the security features go far beyond this.
OpenBSD was built from the ground up on the model of being a fabric woven with security in mind, not a patchwork of bug fixes and security updates. This has led to OpenBSD finally becoming recognised today for what it is: arguably the most secure general-purpose operating system available. This article aims to illustrate these features and provide practical examples of their implementation on production machines.

Encryption:

One of the most astounding things about the information superhighway is the number of people driving down it with their doors unlocked. Users and even administrators still commonly employ systems where sensitive information such as financial records and personal details is thrown over public networks as cleartext. This is largely due to the proliferation of cleartext protocols such as telnet, rlogin and http. OpenBSD addresses these issues by shipping encrypted replacements by default: OpenSSH and https (OpenSSL) respectively. One of the first configuration tasks for an OpenBSD administrator should be the correct setup of ssh and ssl to ensure system security.

OpenSSH is configured via two primary configuration files; some useful examples follow (comments are on their own lines, as the config parsers of this era do not accept trailing comments):

/etc/ssh_config (OpenSSH client configuration):

# OpenSSH will never fall back to the cleartext RSH protocol.
UseRsh no
FallBackToRsh no
# Do not allow X windows forwarding through the SSH session.
ForwardX11 no

/etc/sshd_config (OpenSSH server configuration):

Port 22
# Listen on all active interfaces
ListenAddress 0.0.0.0
# Store the host key in the default location
HostKey /etc/ssh_host_key
# Generate a 1664 bit protocol-1 server key (stronger than the default)
ServerKeyBits 1664
# Allow 600 seconds for a client to log in
LoginGraceTime 600
# Generate a new server key every 3600 seconds (hourly)
KeyRegenerationInterval 3600
# Do not allow clients to log in directly as root; they must use su
PermitRootLogin no
# Do not allow X windows forwarding through the SSH session.
X11Forwarding no
# A password MUST be supplied - no passwordless logins allowed.
PermitEmptyPasswords no

With SSH configured using these or similar options, the next step in enabling OpenBSD crypto is to set up OpenSSL-based https. This is a good replacement for cleartext http when sensitive information is being passed through CGI POSTs or similar methods. The official documentation for mod_ssl (located by default in /var/www/htdocs/manual/mod/mod_ssl/ on OpenBSD systems) provides more detailed configuration information, but the process is three relatively simple steps:

1. Generate a server key and a certificate signed by your own CA:

Generate a server.key:
$ openssl genrsa -des3 -out server.key 1024
Place this file in /etc/ssl

Generate a CSR (Certificate Signing Request):
$ openssl req -new -key server.key -out server.csr
Place this file in /etc/ssl

Generate an RSA key for your CA (Certificate Authority):
$ openssl genrsa -des3 -out ca.key 1024
Place this file in /etc/ssl

Generate a self-signed X.509 certificate for your CA:
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Place this file in /etc/ssl

Sign your CSR with the CA key, producing server.crt:
$ ./sign.sh server.csr
sign.sh is the helper script shipped with mod_ssl (in its pkg.contrib directory); it wraps openssl ca. Note that a key generated with -des3 is passphrase protected, so httpd will stop and prompt for the passphrase every time it starts, including at boot; either type it at the console or strip it with openssl rsa -in server.key -out server.key and keep the file mode 0600.

2. Edit /var/www/conf/httpd.conf:

In the main section:

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>

A <VirtualHost> block for your domain:

<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot /home/www/vhost/www.mydomain.net/htdocs
ServerName www.mydomain.net
ServerAdmin admin@mydomain.net
ErrorLog logs/error_log
TransferLog logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key
</VirtualHost>

3.
Edit /etc/rc.conf to enable https:

   httpd_flags="-DSSL"

Code Auditing:

One of the largest problems with systems such as Linux and FreeBSD is the inclusion of unchecked third party software. If a vulnerability or security issue arises, the third party must release a patch and the operating system vendor must then redistribute this patch to their users. Not only this, but the third party software used is not in any way audited or checked for quality by the operating system vendors and as such can be vulnerable for a long time before any sort of fix is available to users (as happened numerous times with wu-ftpd). One of the major steps forward for OpenBSD was when the entire source tree was audited for buffer overflows and vulnerabilities. This has been constantly maintained and has resulted in a product unparalleled in terms of security and system integrity. In saying this, third party software is usually necessary for the operation of a functional system, so OpenBSD makes it available via the ports tree: a mechanism for downloading, installing and configuring third party software known to work under OpenBSD, or modified to do so. I won't go into the details here of configuring the ports tree - this has been broadly documented elsewhere.

Security Updates:

As opposed to the majority of commercial vendors and even some other open source projects, OpenBSD takes a 'full disclosure' approach to any bugs or vulnerabilities found in the source tree. This means that bugs are reported immediately to users in their entirety, generally with a patch or workaround included. The outcome of this is a system with no hidden bugs or 'features' shielded from the users, a prime example of this being the recent +.htr bug in Microsoft IIS. Users wishing to monitor security updates as they occur can subscribe to the security-announce mailing list, or monitor the patches posted to the OpenBSD errata page.
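Returning to the https setup in the Encryption section above: the following is an added example, not part of the original article and not OpenBSD's or mod_ssl's own code, that runs the same key/CSR/CA/sign sequence non-interactively with standard openssl(1) subcommands and then checks that the issued certificate chains to the CA. The file names follow the article; the subject names and the 2048-bit key size are assumptions, and the "openssl x509 -req" command stands in for the article's sign.sh. The keys are written unencrypted so the script can run unattended; the article's -des3 flag instead protects each key with a passphrase, which is the better choice on a real host.

```sh
#!/bin/sh
# Added example: non-interactive key, CSR, private CA and signed server cert.
# Names (server.key, server.csr, ca.key, ca.crt, server.crt) follow the
# article; the subject names below are assumed placeholders.
gen_self_signed_chain() {
    dir="$1"
    mkdir -p "$dir" && cd "$dir" || return 1

    # 1. Server key and certificate signing request.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr \
        -subj "/CN=www.mydomain.net" 2>/dev/null

    # 2. Private CA key and self-signed CA certificate (365 days, as in the article).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/CN=mydomain.net test CA" 2>/dev/null

    # 3. Sign the CSR with the CA: this is what the article's sign.sh wraps.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out server.crt -days 365 2>/dev/null

    # Private keys must not be world-readable once they live in /etc/ssl.
    chmod 600 server.key ca.key

    # 4. Prove the issued certificate validates against the CA it was signed by.
    openssl verify -CAfile ca.crt server.crt
}

# Usage: sh thisscript.sh /path/to/workdir  (prints "server.crt: OK" on success)
if [ "$#" -eq 1 ]; then
    gen_self_signed_chain "$1"
fi
```

The verify step is the check worth keeping in any such script: a certificate that does not validate against ca.crt will also not validate for clients you hand that CA certificate to, and catching it here is cheaper than debugging a mod_ssl handshake failure later.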
The patches provided are generally a source tarball, which can simply be installed over the top of an existing system. An example of this is the installation of the recent ftpd remote-root exploit patch:

1. Download the patch:
   # wget ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/019_ftpd.patch

2. Place the patch in your source root directory (/usr/src):
   # mv 019_ftpd.patch /usr/src

3. Apply the patch to the source tree (run from /usr/src):
   # patch -p0 < 019_ftpd.patch

4. Recompile ftpd:
   # cd libexec/ftpd
   # make obj && make depend && make && make install

5. Restart ftpd (which in this case has been started from inetd):
   # ps aux | grep inetd
   root 19983 0.0 0.4 72 264 ?? Ss 29May00 3:03.68 inetd
   # kill -1 19983

As has been demonstrated, OpenBSD's "Secure by default" slogan holds merit in all aspects of the system. Hopefully other open source projects (or dare I suggest it, commercial vendors) will start to take on board this holistic security approach to their own systems. Next week's article, which is the final one in the OpenBSD Explained Networking series, will look at the future of OpenBSD networking, examining developments such as ipv6 support, as well as other possibilities for future releases.

[Air Gapped Networks]===================================================[dayzee]

Security standards often demand that a system be disconnected from all networks before it can be given the highest security rating. Such pessimism seems justified by the latest information security headlines; viruses, worms, exploited vulnerabilities, denial-of-service attacks and Web site vandalisms have left the impression that a connected machine is a vulnerable machine. Unfortunately, cutting the connection ruins the quick and easy access to back-office data systems, and access from the outside to the trusted perimeter.
For example, your typical e-commerce architecture includes client authentication, inventory tracking and valuable credit card information, all of which must be accessed by "the outside world" to complete a transaction. Currently there are three main categories of gap technologies:

Real-Time Switch
================

In a real-time switch setup, two networks are physically disconnected but can share data as if they were connected. This seems like a contradiction, but by adding a gap device that sends information back and forth between the two networks it is very realistic. In this example, the gap device is a hardware switch that can be physically connected to only one of the networks at a time. In other words, the switch connects to one network, receives the data, switches to the other network and sends the information onto it. This happens at very high speeds, allowing for real-time operation.

      ----------------------------
      |    Untrusted Network     |
      ----------------------------
                  |
             ------------
             | Firewall |                --------------------
             ------------                | Trusted Networks |
                  |                      --------------------
              ----------                           |
              | Switch |============================
              ----------

One of the problems with real-time switch networks is that a hardware switch by itself is not enough, since an attack could be sent into the secure network and vital information then sent out to the untrusted network. This is why a real-time switch is physically connected to only one network at a time: after data is received from the untrusted network by the switch, the network connection is terminated and the TCP header information is stripped out. Then the "raw" data is sent to the trusted network. Since only the "raw" data crosses the gap, this prevents exploitation based on weaknesses in the network protocol.

One-Way Link
============

With a one-way link, data is sent in one direction only, from the source to the destination network. This creates a read-only network connection. This one is pretty much self-explanatory.
It creates essentially a "read-only" network connection, which doesn't allow data to be sent back to the trusted network. As in the real-time setup, the one-way link is also implemented with hardware that prevents data from going the wrong way. This one seems more practical for sending data to web servers or online orders, helping to prevent vital information getting out.

  ---------------------     ----------     -----------------------
  |  Source Network   |=====| Switch |=====| Destination Network |
  ---------------------     ----------     -----------------------

Network Switcher
================

A network switcher card has dual interfaces connected to separate networks, only one of which is active at any given time. All system resources are segmented between the two interfaces, with none shared. A network switcher is simply an implementation of a card with dual interfaces. Each interface is connected to a different network with only one active at a time. A correct implementation will segment all system resources, assigning some to each interface, with none belonging to both. Doing this, storage that is assigned to one network is never accessible to the other, meaning none of the information can be shared or viewed by the other network. There are a few products using this type of gap technology: e-Gap from Whale Communications (www.whalecommunications.com) and AirGap from Spearhead Technologies (www.spearheadtechnologies.com). The product offered by each company is a different solution with its own technology, which you can read more about at their websites.
   --------------      -------------
   | Network 1  |      | Network 2 |
   --------------      -------------
         |                    |
  ==========Single Physical System==========
  |        |                    |          |
  |   ------------------------------       |
  |   |     dual interface card     |      |
  |   ------------------------------       |
  |   ------------------------------       |
  |   |   virtual    ||   virtual   |      |
  |   |   system     ||   system    |      |
  |   |     1        ||     2       |      |
  |   ------------------------------       |
  ==========================================

Sept 6, 2000, dayzee@madsekci.net

[TKblink]==============================================================[clocker]

#!/usr/bin/wish

# list of colors to use.
set colorlist "red blue green yellow white black cyan magenta brown turquoise lightcyan lightblue darkblue darkcyan purple orange"
# number of columns.
set col 10
# number of rows.
set row 10
# number of milliseconds between light changes.
set secsChange 125

# --- DON'T PLAY AROUND AFTER THIS LINE. --- #

# Set the window title.
wm title . TkBlinkenLights

# Set the current column and row to render
set cntCol 1
set cntRow 1

# dynamically create the grid of lights.
# start the loop for rows
while {$row >= $cntRow} {
    # create a frame for the row
    frame .f${cntRow}
    # render the frame for the row
    pack .f${cntRow}
    # start a loop for the buttons
    while {$col >= $cntCol} {
        # create the current button
        button .f${cntRow}.b${cntCol}
        # render the current button
        pack .f${cntRow}.b${cntCol} -side left -in .f${cntRow}
        incr cntCol
    }
    set cntCol 1
    incr cntRow
}

# draw exit button.
frame .exit
pack .exit
button .exit.b1 -text exit
pack .exit.b1 -side left -in .exit

# bind exit button.
set exit 0
.exit.b1 configure -command "exit"

# Start changing colors.
# Don't worry about the infinite loop, that's what the "exit" button is there
# for.
proc doColorChange {} {
    global col row secsChange
    set randCol 0
    set randRow 0
    # get random numbers for the column and row to change
    while {$randCol == 0} {
        set randCol [expr {round(rand() * 1000000) % $col + 1}]
    }
    while {$randRow == 0} {
        set randRow [expr {round(rand() * 1000000) % $row + 1}]
    }
    # change the color
    .f${randRow}.b${randCol} configure -background [randcolor]
    .f${randRow}.b${randCol} configure -activebackground [randcolor]
    # after a specific amount of time, start this process again
    after $secsChange {doColorChange}
}

# process to get a random color
proc randcolor {} {
    global colorlist
    return [lindex $colorlist [expr {round(rand() * 1000000) % [llength $colorlist]}]]
}

# start changing the colors, beeotch!
doColorChange

# Oh yeah, and uh, i guess this code is under the GNU GPL.
# Don't like it? Fuck you, because i don't give a shit about you. Ungrateful bastard.

[TCP/UDP]===============================================================[dayzee]

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
=====================================================================

Ports
=====

What is a port? A TCP or UDP port is what is used by the internet server to distinguish between requests for different services. For example telnet runs on port 23, while a web server listens on TCP port 80.
Here are some services and the ports they run on; you can also look on your computer in /etc/services:

echo           7/tcp    Echo
systat        11/tcp    Users
ftp-data      20/tcp    File Transfer [Default Data]
ftp-data      20/udp    File Transfer [Default Data]
ssh           22/tcp    secure shell
ssh           22/udp    secure shell
telnet        23/tcp    Telnet
telnet        23/udp    Telnet
smtp          25/tcp    Simple Mail Transfer
smtp          25/udp    Simple Mail Transfer
nameserver    42/tcp    Host Name Server
nameserver    42/udp    Host Name Server
finger        79/tcp    Finger
finger        79/udp    Finger
www-http      80/tcp    World Wide Web HTTP
www-http      80/udp    World Wide Web HTTP
kerberos      88/tcp    Kerberos
kerberos      88/udp    Kerberos
hostname     101/tcp    NIC Host Name Server
hostname     101/udp    NIC Host Name Server
pop3         110/tcp    Post Office Protocol - Version 3
pop3         110/udp    Post Office Protocol - Version 3
auth         113/tcp    Authentication Service
auth         113/udp    Authentication Service
imap2        143/tcp    Interim Mail Access Protocol v2
imap2        143/udp    Interim Mail Access Protocol v2
syslog       514/udp    System Log
route        520/udp    Router Routed
whoami       565/udp    whoami

TCP
===

TCP (RFC 793) (Transmission Control Protocol) is a communication method (protocol) used along with the internet protocol (IP) to send data in the form of message units from computer to computer over an internet connection. While the internet protocol takes care of handling the actual sending of the data, TCP takes care of keeping track of each packet that a message is divided into for efficient routing through the internet. For example, when you download a kernel, the TCP layer of the host divides the kernel into one or more packets, numbers the packets, and forwards them to the client. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end, the TCP layer reassembles the packets and waits until they all arrive to forward them to you as a single file.
TCP is known as a connection-oriented protocol, which means the connection is established and stays connected until all the packets have been sent and received. TCP is responsible for making sure a file is divided into the packets that IP delivers, and for reassembling those packets into the actual file that was downloaded at the other end. In the OSI model, TCP is in layer four, also known as the transport layer.

TCP Header

|-------------------------------|---------------------------|
|          source port          |     destination port      |
|-------------------------------|---------------------------|
|                      sequence number                      |
|-----------------------------------------------------------|
|                   acknowledgement number                  |
|-----------------------------------------------------------|
| data offset| reserved | flags |          window           |
|-----------------------------------------------------------|
|           checksum            |      urgent pointer       |
|-----------------------------------------------------------|
|                    options (+ padding)                    |
|-----------------------------------------------------------|
|                     data (variable)                       |
|-----------------------------------------------------------|

UDP
===

UDP (RFC 768) is a communications method (protocol) that offers a limited amount of service when messages are exchanged between computers in a network that uses the internet protocol. UDP is an alternative to the transmission control protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like TCP, UDP uses the internet protocol to send a datagram from one computer to another. Unlike TCP, UDP does not divide a message into packets and reassemble them at the other end. So when a datagram is sent using UDP, it must arrive at the other computer in full and in the same order it was sent. Network applications that want to save processing time because they have very small data units to exchange may prefer UDP to TCP. UDP provides two services not provided by the IP layer.
It provides port numbers to help distinguish different user requests and, optionally, a checksum capability to verify that the data arrived intact. In the OSI model, UDP, like TCP, is in layer four, the transport layer.

UDP Header

<-------------------------32 bits---------------------->
|------------------------------------------------------|
|        Source Port          |    Destination Port    |
|-----------------------------|------------------------|
|          Length             |        Checksum        |
|------------------------------------------------------|

dayzee - dayzee@stupidphat.com, October 1999

[Teleconferencing]=======================================================[Vixen]

Let me start this off by saying, half of you probably already know how to do this. I am writing this only because people are still asking all the time how to set up teleconferences, or they say that they won't set one up because "they don't know how". I know I could easily refer them to the SysFail article about this, but for some reason that never seems to work. People just keep bugging me about it. So, in this article I will go over two ways of starting a teleconference. METHOD ONE: Your Friendly Neighborhood COCOT. First, find a COCOT Payphone. COCOT stands for Customer Owned Coin Operated Telephone. What the hell does that mean? Well, it means that it's a payphone that is owned or rented by some customer of the telephone company. It won't have a Bell or GTE logo on it or anything. The telephone line is a normal customer loop, instead of a special payphone loop that normal payphones are on that allow certain tones to go through when you put in your change (yeah, the red box tones). So you won't be able to get free calls by redboxing this thing, but there are still ways to fuck with it..... Now, go find one. Good, now that you've found one, dial 1-800-232-1234. An operator will pick up and you should have a conversation similar to this (note: individual conversations may vary): OPER: AT&T Teleconferencing, may I help you?
YOU: Can you setup a teleconference for me? OPER: Yes, have you ever used the service before? YOU: No, you stupid bitch, I haven't. OPER: Okay, can I get your name? YOU: Yes, *name goes here*, and I'm with *random company*. OPER: Okay, let me setup a folder for you.... Okay your folder ID is xxxxx, now, can I have the name and number of all the participants? YOU: No, fucking whore, I want a dial-in. OPER: Okay, how many participants [OR:] how many ports? [both are the same] YOU: 15 OPER: Would you like that to auto-extend? YOU: Sure, that would be swell! OPER: When do you want this for? YOU: *anytime you want the conf up* OPER: Today? YOU: Yes, fucking moron! OPER: Duration? YOU: 3 hours, wait - no, no, 3 and a half hours! OPER: Can I have the number to your location? YOU: [give her the number of the COCOT payphone you are at] OPER: Alright, I'll call you back with the host and participant pins YOU: Gee-golly! that's great! At this point you will both hang up and you will snicker about the whole episode. But you're not done yet.... wait about 5 minutes.... Ring Ring Ring..... Ring Ring Ring, etc.... YOU: *random company you chose* this is *name you chose* how may i help you? OPER: Hello,Sarah with AT&T Teleconferencing YOU: It's about fucking time! OPER: Your 888 number is 888-422-7128. Your host pin is 738846. Your guest pin is 539427 YOU: Alright, let me verify those numbers. 800-422-7128. Host 738846 and user 539427? OPER: Yes, have a nice day. Thank you for using AT&T You both hang up, and you go tell all your IRC friends about the conf. Good thing you wrote that 888 number and those pin numbers down! Oh... you didn't? Erm.... you better go back to that COCOT and repeat all of this. Just remember to write everything down this time. By the way, the reason you say you are from a business. is because COCOTs are on a business line, and the operator thinks you are calling from a business. METHOD TWO: Beige Boxing Your Way To Fame First, get a notepad and a pen. 
Now get your beige box. Now get an ANI number. Getting an ANI number is very important. Test the ANI number before you go. Now, find a house to beige box. Call the ANI number and write down the number of the house. Now, call 1-800-232-1234 and have the same conversation you would have if you were using method one, EXCEPT, don't pretend to be a business. When the operator asks for the number you are calling from, give them the number of the house (that is what the ANI thing was about. See? It _was_ important!). Just be a normal person like you are calling from your own house. Now, when AT&T calls you back, write down the info and go home. Remember (for BOTH methods): Set up the teleconference to run PAST 12:30 AM! This way, even if you say you want the conference to end at 1:30 AM, it will automatically go on until 7:00 AM. IMPORTANT: Do _NOT_ use the Host pin from your house! They might back charge you for

[TCP IP Datagrams Explained]============================================[vortek]

Greetings Impiety "... of Belial, the wicked one; children of darkness. be impious..."

I'm writing this article to clarify a few things. There is a problem out there, and this problem is changing the undernet as we know it. The problem: EXCESS LAMERS! Guys, we need to set some ethics, some standards for these new scholars. That is why I'm writing this article. There are too many stupid @ss9 dosers and script kiddies out there; they don't even understand the protocol that they so much ride on, let alone how the bloody h4x0r.c travels to its destination point. :D This article will explain the IP datagram and all of its options, and it will also clarify how they affect the way your IP datagram travels. This article will not be TOO advanced, but it will teach you enough to understand whut's going on.

Knowledge puffeth up, but charity edifieth. --1 Cor. viii. 1. "BIBLE!!"

Ok, I'm gonna start out with the basic layout of an IP datagram.
Yes, I stole this leet ASCII art from an RFC; I didn't feel like playing ASCII art kiddie to create it. To read the bit ruler: the top row of digits gives the tens and the bottom row the units, so the "1" in the top row above the "2" in the bottom row marks bit 12.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Ok, an IP datagram is made of 6 layers (rows), each 32 bits wide, bits 0 to 31. Each field tells us whut version, type, how to send, etc. We will start with the first field of the first row. This is called the Version field. Since this packet is assumed to be sent on a standard network, we'll base this datagram on IPv4. "cd /proc/sys/net/ipv4/" if you're smart and run Linux.

Version
Sometimes referred to as VERS. The Version field tells us the IP protocol version. It occupies the first field, the first 4 bits (bits 0 to 3). This field tells us that this IP datagram is using IPv4, IP version 4. To find out more about IPv4 consult your local RFCs.

IHL
Sometimes referred to as HLEN. This field tells us the total length of the header in 32-bit words. The default value is normally 5, because you hardly ever use any options. Since this is a 4-bit field you are limited to a header size of 60 bytes. This cripples some options (like the record route option) but who cares. Now you can do very leet things with this field; things like this are best when found on your own.
But let's just say you can bypass packet filters and be very sneaky about your data transfers. Be lucky I told you that.

Type of Service
Sometimes referred to as T.O.S. This is one of my favorite fields, because it controls how the packet is sent in transit. This field is fubar too, because the 3-bit precedence field isn't used any more. So we're gonna focus on the T.O.S. bits; yes, there are 4. These fields are as follows.

      0     1     2     3     4     5     6     7
   +-----+-----+-----+-----+-----+-----+-----+-----+      ASCII ART STOLEN
   |                 |     |     |     |     |     |      AGAIN "IM LAZY!"
   |   PRECEDENCE    |  D  |  T  |  R  |  0  |  0  |
   |                 |     |     |     |     |     |
   +-----+-----+-----+-----+-----+-----+-----+-----+

D: Bit 3, the Big D, "Delay". You have 2 options for all these bits. You put a "0" in this field if you want normal delay, 1 for low delay.
T: Bit 4 is the "Throughput", the Big T. You put a 0 for normal throughput, a 1 for high throughput.
R: Bit 5 is the rascally R, "Reliability". 0 for normal reliability, 1 for high.

The last fields are reserved for future use unless you're mucking around with an experimental protocol. The values here will show up in hex in tcpdump. TOS affects a lot more things than what I described here and goes on to many more levels. This is just the basics for you to understand whut's going on. Lots of dos programs play with this.

Total Length
"Actually 16-30" Total packet length. This field gives the total length of the datagram: the IP header plus the data. The maximum value of this field is 65535 bytes. If this is bigger than whut the router or host will accept, prepare to be fragmented. More on that later. We can also use this field to tell where the data portion of the IP datagram starts and its length. Usually this field is most used by data links, aka Ethernet, to solve some minor problems.

On to the second layer. You guys still with me? Hang in there, it will all add up soon.

Identification
This field is just a simple 16-bit field.
This field just assigns a number to each datagram for reassembly upon fragmentation. In other words, all the fragments from datagram foo will have the exact same Identification number. The kernel usually increments a variable for each datagram upon assigning the value. Basically it assigns a new ID to each datagram.

Flags
This field controls the fragmentation values of the packet. Fragmentation is basically when you break a datagram into little chunks and assemble them again at the other end. Kinda like how they took apart that bridge somewhere in history. They gave each brick a number, took it apart, then moved the bridge brick by brick to the new home and put all the bricks back together. The bridge was too big to move as a whole, so they moved it brick by brick ("fragments") and put it all back the way it was at the new location.

     0   1   2
   +---+---+---+
   |   | D | M |
   | 0 | F | F |
   +---+---+---+

That's whut the flag portion of the second layer looks like. It's 3 bits. The first field is reserved for those men walking around in black coats or something. So we will focus on bits 1 and 2. This is rather simple here.

The second bit ("1"), DF, "Don't Fragment": 0 in this bit means let it be fragmented, 1 means do not allow fragmentation.
The third bit ("2"), MF, "More Fragments": 0 in this bit signals that this is the last fragment in this datagram, and 1 tells us that there are more fragments.

This field is also used by dosers who think they're a big man 'cause they can run hack.c, root an OC3 and type ping -f, let alone some who use terminals at MIT; yeah bitch, you know who I am talking about. Note this requires NO SKILL whut SO EVER. If you want to make an impact, root their host j/k, or just plain skewl them, which is also lame, but it shows us you got more brains than the average antionline.com junkie.

Fragment Offset
This field is really simple. It just tells us where the fragments of the datagram belong, to aid in reassembly. This value is measured in units of 64 bits.
I won't go in depth on this field 'cause it's usually useless to hacking. USUALLY ;) Now we move onto the third layer.
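To tie the IP datagram fields above (Version, IHL, Type of Service bits D/T/R, Total Length, Identification, the DF/MF flags and Fragment Offset) together with the TCP and UDP headers from dayzee's [TCP/UDP] article, here is an added example, written for this issue and not part of either article, that parses a raw IPv4 datagram and the transport header inside it the way a packet filter or IDS would. It verifies the IP header checksum (RFC 791), rejects an IHL below 5 or a Total Length that disagrees with the bytes actually on the wire, only dissects the TCP/UDP header on the first fragment (offset 0), and converts the Fragment Offset from 64-bit units to bytes. The two sample datagrams are constructed inline with a small builder; the addresses, ports and payload are made-up test values, and the TCP/UDP checksums are left at zero because verifying them needs the pseudo-header, which is outside what the articles cover.

```python
"""Added example: parse an IPv4 datagram and its TCP/UDP header (RFC 791/793/768).
The sample datagrams at the bottom are constructed test data, not captured traffic."""
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's complement sum of the header's
    16-bit words, computed with the checksum field itself set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = off_flags >> 12            # header length in 32-bit words
    if data_offset < 5 or data_offset * 4 > len(seg):
        raise ValueError("bad TCP data offset %d" % data_offset)
    bits = off_flags & 0x01FF
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "window": window, "checksum": csum,
            "urgent_pointer": urg,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)],
            "options": seg[20:data_offset * 4], "payload": seg[data_offset * 4:]}


def parse_udp(dgram: bytes) -> dict:
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    if length < 8 or length > len(dgram):    # Length covers header + data
        raise ValueError("UDP length %d inconsistent with %d bytes" % (length, len(dgram)))
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": dgram[8:length]}


def parse_ipv4(datagram: bytes) -> dict:
    if len(datagram) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    hlen = ihl * 4
    if ihl < 5 or hlen > len(datagram):      # IHL below 5 cannot hold the fixed header
        raise ValueError("bad IHL %d" % ihl)
    if total_len < hlen or total_len > len(datagram):
        raise ValueError("Total Length %d inconsistent with %d bytes on the wire"
                         % (total_len, len(datagram)))
    header = datagram[:hlen]
    info = {
        "version": version, "ihl": ihl,
        "tos_precedence": tos >> 5,          # TOS bits 0-2
        "tos_delay": bool(tos & 0x10),       # D, bit 3
        "tos_throughput": bool(tos & 0x08),  # T, bit 4
        "tos_reliability": bool(tos & 0x04), # R, bit 5
        "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & 0x4000),     # Don't Fragment (flag bit 1)
        "mf": bool(flags_frag & 0x2000),     # More Fragments (flag bit 2)
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field counts 64-bit units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) == hcs,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": header[20:],
    }
    payload = datagram[hlen:total_len]
    if info["fragment_offset"] == 0:         # only the first fragment carries the L4 header
        if proto == 6:
            info["tcp"] = parse_tcp(payload)
        elif proto == 17:
            info["udp"] = parse_udp(payload)
    return info


def build_ipv4(src, dst, proto, payload, tos=0, ident=0x1234,
               df=True, mf=False, frag_units=0, ttl=64) -> bytes:
    """Assemble a minimal (no options) IPv4 header with a valid checksum."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_units & 0x1FFF)
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


# Constructed samples: a TCP SYN to port 80 with the TOS "D" (low delay) bit set,
# and a UDP datagram to port 514 (syslog) with DF clear.
SAMPLE_TCP_SYN = build_ipv4("192.0.2.10", "192.0.2.80", 6,
    struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0), tos=0x10)
SYSLOG_MSG = b"<13>constructed syslog test"
SAMPLE_UDP = build_ipv4("192.0.2.10", "192.0.2.1", 17,
    struct.pack("!HHHH", 40001, 514, 8 + len(SYSLOG_MSG), 0) + SYSLOG_MSG, df=False)

if __name__ == "__main__":
    for name, d in (("tcp", SAMPLE_TCP_SYN), ("udp", SAMPLE_UDP)):
        print(name, parse_ipv4(d))
```

The three consistency checks (IHL, Total Length against the bytes received, and the header checksum) are the ones a filter has to make before trusting any field further in; a header that lies about its own length is exactly the kind of thing the article warns can be used to sneak data past a filter, and parsing the transport header from a non-first fragment would read payload bytes as ports.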