
PURSUiT 01

Published in PURSUiT · 26 Apr 2019

       XXXX                                               X 
XXXX XX X X XX XXXX XXXX X X XX XXXXX
XX XX XX XX XXX XX XX XX XX XX XXX
XX XX XX XX XXX XXX XX XX XX
XXXXXX XX XX XX XXX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX
XX XXX X XXXXX XXX XXXX XX
XX
[ P U R S U i T - a u g 9 9 ] X

Index for this issue of PURSUiT

[0x00] Introduction by the staff
[0x01] Editor's notes by bxj
[0x02] Internet2 (i2) and Next Generation Internet (NGI) by Cyphunk
[0x05] AXS Script Makes WebServer Vulnerable by f0bic
[0x06] Boxing in the UK (series) by Oktal
[0x07] Introduction to firewalls by deadline
[0x08] The FileThief exploit by Mister-X and Alkatraz
[0x09] PURSUiT News update

If you have an article you want us to publish, please e-mail it to
bxj, foney_op or Cyphunk; after we read it we will decide whether
to publish it in PURSUiT or not. In either case, the writer
will be informed.

I (bxj) can be contacted at <bxj@mail.com>, e-mails to f0bic can be
sent to <f0bic@deadprotocol.org> and Cyphunk can be e-mailed to
<mindmore@mindless.com> if needed. We all can be reached on the UnderNet
IRC network, in the channels #HackTech #HackUK and #KIP.

A note for Phrack editors: We come in peace.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
iT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PUR
SUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][P
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''



'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
Well, there is not much to tell, just read the editor's notes for
information on the zine, and on each issue.

We all would like to thank the following people for helping and
making this zine possible:

Bill Clinton, Al Gore (hey, he invented the net), Monica Lewinsky,
Linda Tripp, Jay Leno, George Lucas, the New York Police,
Jack the Ripper (the one who cut people), the guy who invented
air-conditioning, the guy who invented sneakers, Bose Inc.,
and the rest of the world, except the ones we really really hate.

Yeah, this one was just to fill up space, so just ignore it, and
we were just kidding about the guy who invented sneakers.

Don't forget to read the news at the end of the zine.
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'




,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''


_______________________
[_______________________]
[ ]
[ Editor's notes ]
[_______________________]
[_______________________]


What is PURSUiT? PURSUiT is about information. About knowledge.
Knowledge is not power, it's an advantage. Information is the
real power. We will supply information, and educate on how to
use that information. We will supply knowledge, and guide how
to control that knowledge.

PURSUiT is here to share information, to teach the world what
is really going on in the underground. No, we will not teach how
to make a homemade atom bomb. And no, we will not instruct on how
to kill your neighbors. We will tell you the stuff that really
matters.

A little background. PURSUiT started somewhere in 1999, as an idea
to get the old-school days back. To be a real, informative zine.
We gathered some of the most skilled individuals of this industry,
and became one. A smart man once said that a small group of skilled
individuals, excellent in their performance and one with their
cause, are better than a whole army. Commandos, they called it.
Well, I believe PURSUiT are the commandos of today's digital world.

Remember the old days, the days of the BBSs, the telecommunications
and computers revolution, the days when "Windows" was not a fluent
term in more than 80% of Earth's population, the days when there were
almost no script kiddies, when the Internet was not a "super-highway"
and when Geocities was not formed yet. The days when true Hackers lived.
The days of learning, days of information and days of sharing.

PURSUiT is here to return these days.
PURSUiT is bringing back the old-school.

Peace out, and keep it real, always,

--bxj.


,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x x
x Tracking Satellites Basics x
x x
x By Overfien x
x x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


There are 3 basic types of orbits you should be aware of when
tracking satellites.

1) Low altitude circular orbits used by phase 2 satellites

2) Elliptical orbits as used by phase 3 sats.

3) Spacecraft and geostationary orbits planned for phase 4 satellites

Satellites are moving targets, so when a ground station uses
directional antennas, aiming information must be available. Your average
daily access time for a satellite is an important quantity in determining
how useful the satellite will be to you.

A low-altitude satellite (such as SBID, Fuji-OSCAR 20, RS-10/11
or a microsat) will generally be in range for 25 minutes or less each
time it passes by.

A satellite in a high-altitude elliptical orbit, as used by phase 3
spacecraft (such as VBeekon, OSCAR 10 and 13), behaves very differently. It
will provide one or two passes per day, but the total access time will be
(very roughly) 12 hours for Northern hemisphere stations.

A geostationary satellite appears to hang motionless in the sky.
If it's in range you'll have access to it 24 hours per day (unless the
weather really sucks). If it's out of range you'll never see it.

Satellite enthusiasts wishing to track a satellite are interested
in specific information. They want to know:
1) When the satellite will be in range; more specifically, times
for AOS (acquisition of signal) and LOS (loss of signal) for
each pass.
2) Where to aim the antenna (azimuth and elevation) at any time.
3) The regions of the earth that have access to the satellite.

There are two main methods of tracking: the graphic method and the
computer method. I would like to focus on the computer method.

Tracking software naturally answers the basic tracking questions:
it will tell you when the satellite is in range and provide you with
antenna pointing data. For example, at each specified time the program may
list range (the distance between your station and the satellite), the Doppler
shift for the mode you specify (which helps you locate your downlink), the
height of the satellite (for elliptical orbits this varies), the phase or
mean anomaly (a number that tells how close to you the satellite's antennas
are currently aimed), predicted signal levels (on the downlink), path delay
time (often labeled echo) and an orbit number (for reference purposes I
believe - no effect on tracking).

Let's look at the input the computer requires. Naturally it will need
the location of your ground station in terms of latitude and longitude. Some
newer programs may even ask for your height above sea level (this shouldn't
have any observable effect for 99.99% of amateur satellite tracking
programs), so even if you live in Seattle and have a monster EME antenna,
you can just enter "0" or some approximate number if you don't know the
correct value.

The program also has to know the precise orbit of the satellite
you're interested in via orbit size, shape and orientation with respect to
the earth/stars. These are called orbital elements. Now you're basically
ready to track. For example, when I boot up my "sat box" (basically one of
my boxes just used for tracking), a main menu pops up that asks:
1) Do you want batch tracking data
2) Do you want real-time tracking data
3) Do you want to modify parameters
4) Move to graphical interface
5) Exit program

I respond by typing a single number (perhaps followed by the enter key).
If I respond "1" to obtain batch tracking data, the program needs to know
which satellite you're interested in and the date and time to start the
calculations.

We now take a look at the batch output provided by a typical program.
I am using the new version of IWI98:

ADLMIL 3
Ground Station: lat=39*N, long=77*W, Ht=0km
DAY # 602 - - - Friday, August 20 - - - 1999
 UTC    AZ    EL   Doppler   Range
HHMM   DEG   DEG        HZ      KM
1145   167     5         -   18353
1200   166    11     -1867   20664
1215   165    16     -1733   22773
1230   166    21     -1596   24694


The heading identifies the satellite "ADLMIL 3" (HEH, I promise it's
not a military satellite ;-)) and my ground station location (which I had to
change for unexplainable reasons). The first 3 columns of the table show
time, azimuth and elevation. ADLMIL 3 will come into range sometime between
1145 and 1200 UTC and remain in range for about 9.5 hours. Column 4 provides
data on Doppler shift. At 1200 UTC a signal coming through the mode B
transponder will appear 1867 Hz lower than predicted using the transponder
frequency. Because of the algorithm being used to compute Doppler shift, no
value is provided for 1145 UTC, the first time the satellite comes into range.
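The following is an added example, not code from the article or from the IWI98 program it describes. It parses the batch listing above (re-typed here as a constructed sample with aligned columns) and shows why a Doppler column computed from the range rate has no value for the first row: a backward difference needs a previous sample. The downlink frequency is an assumption (a 2 m "mode B" downlink), so the estimated shifts are of the same sign and order as the listing, not identical to it; the article does not state which frequency or algorithm the program uses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the batch table from the article, re-typed with
# aligned columns. The satellite label and station are the article's own;
# the downlink frequency below is an assumption, not something the
# article states.
BATCH_OUTPUT = """\
ADLMIL 3
Ground Station: lat=39*N, long=77*W, Ht=0km
DAY # 602 - - - Friday, August 20 - - - 1999
 UTC    AZ    EL   Doppler   Range
HHMM   DEG   DEG        HZ      KM
1145   167     5         -   18353
1200   166    11     -1867   20664
1215   165    16     -1733   22773
1230   166    21     -1596   24694
"""

SPEED_OF_LIGHT_KM_S = 299_792.458
ASSUMED_DOWNLINK_HZ = 145_900_000   # assumed 2 m downlink; not from the article

ROW_RE = re.compile(r"^\s*(\d{4})\s+(\d+)\s+(\d+)\s+(-?\d+|-)\s+(\d+)\s*$")


@dataclass
class Row:
    utc: str
    az_deg: int
    el_deg: int
    doppler_hz: Optional[int]   # None where the program printed "-"
    range_km: int


def parse_batch(text: str) -> List[Row]:
    """Pick the data rows out of the batch listing; title/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        utc, az, el, dop, rng = m.groups()
        rows.append(Row(utc, int(az), int(el),
                        None if dop == "-" else int(dop), int(rng)))
    return rows


def aos_time(rows: List[Row]) -> Optional[str]:
    """First listed time at which the satellite is above the horizon (EL > 0)."""
    for row in rows:
        if row.el_deg > 0:
            return row.utc
    return None


def _seconds(utc: str) -> int:
    return (int(utc[:2]) * 60 + int(utc[2:])) * 60


def estimate_doppler(rows: List[Row],
                     downlink_hz: int = ASSUMED_DOWNLINK_HZ) -> List[Optional[int]]:
    """Doppler shift from the range rate between consecutive rows.

    The range rate is a backward difference (this row minus the previous one),
    which is why the very first row has no value: there is nothing to
    difference against. Shift = -f * (dr/dt) / c, so a growing range (satellite
    receding) gives a negative shift, matching the sign in the listing.
    """
    if not rows:
        return []
    shifts: List[Optional[int]] = [None]
    for prev, cur in zip(rows, rows[1:]):
        dt = _seconds(cur.utc) - _seconds(prev.utc)
        range_rate = (cur.range_km - prev.range_km) / dt          # km/s
        shifts.append(round(-downlink_hz * range_rate / SPEED_OF_LIGHT_KM_S))
    return shifts


if __name__ == "__main__":
    rows = parse_batch(BATCH_OUTPUT)
    print("AOS at", aos_time(rows), "UTC")
    for row, est in zip(rows, estimate_doppler(rows)):
        print(row.utc, "listed:", row.doppler_hz, "estimated:", est)
```

The parser keeps the program's "-" as `None` rather than silently treating it as zero, so downstream code cannot mistake "no value yet" for "no shift".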

Alright, just as there's jargon for practically everything, there's also
jargon for "Satellite Tracking". Here it is broken down:

Access range (acquisition distance)

Acquisition distance: Maximum distance between the subsatellite point
and ground station at which access to the spacecraft
is possible

AOS (Acquisition Of Signal)

Apogee: Point on orbit where satellite height is maximum

Azimuth: Angle in the horizontal plane measured clockwise
with respect to North (North = 0*)

Epoch (Epoch time): A reference time at which orbital elements are
specified

EQX (ascending node)

Ground track (subsatellite path): Path on surface of earth traced out by
SSP as satellite moves through space

Increment (longitudinal increment)

LOS (Loss Of Signal)

Node: Point where satellite ground track crosses the equator

Pass (satellite pass)

TCA (Time of Closest Approach): Time at which satellite passes closest
to a specific ground station during
orbit of interest



Well, this completes my text on satellite tracking basics. Expect
to see more articles in the future; until then, "watch the sky"!!

Overfien@hushmail.com




,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''


=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
||PURSUiT is proud to present.. ||
|| ||
|| Internet2 (i2) and Next Generation Internet (NGI) ||
|| ||
|| Compiled by Cyphunk ||
|| ||
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

-----------------------------------------------------
- Internet2 (i2) and Next Generation Internet (NGI) -
-----------------------------------------------------

Internet2 and NGI are two advanced network initiatives by the US
government (for NGI) and UCAID (University Corporation for Advanced
Internet Development, for i2). The key here is initiative. What I mean is
that you won't find physical networks that are called Internet2 and NGI.
Both NGI and i2 run over existing high speed US backbone networks such as
the vBNS, Abilene, ESNet and many others (discussed later). The only real
thing that makes i2 and NGI different from each other is who is in
charge. You will see many NGI and i2 peers that are registered under both
initiatives. The requirements for becoming a peer on one of these
networks are:
1) You have a project that requires very reliable and high-speed
connections to other i2 peers.
2) You have a lot of money.

The reasons for these initiatives were/are:
1) To foster high speed applications which cannot run on the
existing Internet and need a guaranteed connection.
2) To develop smarter network services and ways of guaranteeing
bandwidth and latency rates.
3) To increase collaboration of national-to-national and
national-to-international research departments (commercial,
academic and governmental).

A question that may arise is: "Why not just upgrade the existing Internet
and use that as the platform for advanced research?" The reason this was
not done is because it has become obvious over time that no matter how
much bandwidth you throw at the Internet it will be over used. So,
instead of thinking BIGGER the NGI and i2 initiatives are mainly about
thinking SMARTER. These networks are private to their peers and those
peers must have a Research and Development related purpose for being
there. This cuts out the general, bandwidth sucking, public right from
the start. In order to keep the i2 and NGI peers from causing the same
problems amongst themselves, advanced services and "Quality of Service"
(QoS) systems and policies have been developed and put in place over
these networks to keep one peer from stepping on the toes (line quality)
of another.

The end goal of many of the advanced applications and technologies being
developed by i2 and NGI peers is to have them introduced to the public
and commercialized through places such as the Internet. Types of
applications already being developed involve TeleImmersion and
TeleMedicine (to name a few).

After thinking and working *smarter* these networks will go *bigger* and
faster. Amongst the goals of i2 and NGI is to develop the fastest and
most efficient networks on the planet to "further the US lead in the
global IT market" (whatever). To do so, both sides will work together on
finding ways to work more efficiently and develop faster hardware
devices. When at i2 and NGI conferences you may hear a lot of talk about
TeraPOPs (Terabit Points of Access). Though there are no TeraPOPs out
there yet they are definitely on the horizon (a few years off).

Practically all of the literature on the net concerning i2 and NGI is
incomplete. The problem is that most of the papers are in M$ PowerPoint
format, which really does no good except for the person who created it.
It's like looking at teachers' notes when you're not the teacher; it's
not helpful. I hope to make this somewhat complete and understandable.
However, considering that many of the pieces of these two networks are
still under development, don't be surprised if there are some gaps and
you finish with more questions than you started with. My one request,
however, is that you e-mail me at mindmore@mindless.com with the
questions that this article may raise and any comments/corrections you
may have. This article attempts to detail the services and the goals of
both NGI and i2. I'll try not to bore you though :)
Note: It helps if you already have an understanding of networking (OSI
layers, protocols, devices and the like) to understand the details of i2
and NGI. Also, I realize that there are probably a lot of grammar errors,
thanks for bearing with me.

This paper is split up into 4 sections. The first discusses the services
provided by NGI and i2 (QoS, Multicasting, and IPv6). The second
discusses i2 and NGI separately, covering the characteristics of the two
individually. The third discusses the physical characteristics of the
networks that the i2 and NGI peers connect through. The 4th, brief,
section discusses security issues that I see.

I. Services
------------------------------------------------------------------------
As I said before, both i2 and NGI support and are active in developing
the standards for IPv6, QoS and Multicasting. I will try to get into each
network's implementation of these services later. The purpose of this
section is to introduce you to the services I just mentioned so that you
have a basic understanding of them.

> IPv6 in brief
IPv6, also known as IPng (IP Next Generation), is the *upgrade* to the
currently overloaded IPv4 addressing protocol. These addresses are
called IP addresses and every computer on the net must have a unique IP
address to communicate on the Internet. There are a lot of computers on
the net and very soon there won't be enough IPv4 addresses left for them.
IPv4 addresses are 32-bit addresses. This allows for 4,294,967,296
possible numbers. However, I'm guessing that after segmentation we get
around 1.5 billion or so addresses. When this protocol was defined it was
thought that a 32-bit address would be plenty. After all, how many
computers could the small group of DARPA geeks own :). However, the
Internet became something more than a high speed government and academic
network and moved into the public/global domain. Today we are coming to a
point where we just don't have enough IP addresses. I mean, call your ISP
and ask them how much it would cost to get your own static IP address
from them. For me, with my ISP, it is $20 more a month. That is a big
jump from FREE.

So, the guys and gals at the IETF (Internet Engineering Task Force) have
been working on IPv6, which will fix these problems. IPv6 gives us
128-bit addresses, represented in binary, of course, and hexadecimal. 128
bits give 18,446,744,073,709,551,616 squared possible numbers, which
should last us until the transition of the Internet from being public/global
to becoming extraterrestrial/public/universal. There is more to the
protocol than just an increased address space, however. The header
structure of the IP packet has changed. IPv6 headers are somewhat larger
than IPv4 headers, but IPv6 headers are much more simplified. For
instance, IPv4 header sizes can vary whereas IPv6 headers are
always 40 bytes. Making the headers a fixed size allows for easier
processing. IPv6 has also taken away some of the unused fields that were
in IPv4, making it simpler. It has also added optional fields that can be
used for increased security. For example, IPv6 encryption headers indicate
which encryption keys to use, and carry other handshaking information.

For more info check the IPv6 related RFC's, there are a ton of them.
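To make the "variable IPv4 header versus fixed 40-byte IPv6 header" point concrete, here is an added example (not code from the article) that parses both header formats from raw bytes. IPv4 has to read the IHL nibble before it knows where the payload starts; IPv6 always skips exactly 40 bytes. The builders and addresses (192.0.2.0/24 and 2001:db8::/32 documentation ranges) are constructed for the demo; checksums are left at zero and not validated.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPV4_MIN_HEADER = 20
IPV6_HEADER = 40          # fixed, as the article notes


@dataclass
class IPHeader:
    version: int
    header_len: int       # bytes consumed before the payload
    payload_len: int
    next_proto: int       # IPv4 "protocol" / IPv6 "next header"
    ds_byte: int          # IPv4 TOS byte / IPv6 traffic class
    src: str
    dst: str


def parse_ipv4(pkt: bytes) -> IPHeader:
    """IPv4: the IHL nibble decides the header length (20..60 bytes)."""
    if len(pkt) < IPV4_MIN_HEADER:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    # Every length derived from the packet is checked before it is used to slice.
    if ver_ihl >> 4 != 4 or ihl < IPV4_MIN_HEADER or len(pkt) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return IPHeader(4, ihl, total_len - ihl, proto, tos, src, dst)


def parse_ipv6(pkt: bytes) -> IPHeader:
    """IPv6: always 40 bytes; options live in extension headers after it."""
    if len(pkt) < IPV6_HEADER:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, _hop = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("malformed IPv6 header")
    traffic_class = (word0 >> 20) & 0xFF     # version(4) | traffic class(8) | flow label(20)
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    return IPHeader(6, IPV6_HEADER, payload_len, next_hdr, traffic_class, src, dst)


def parse_ip(pkt: bytes) -> IPHeader:
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        return parse_ipv4(pkt)
    if version == 6:
        return parse_ipv6(pkt)
    raise ValueError(f"unsupported IP version {version}")


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_ip(pkt)
        return True
    except ValueError:
        return False


# Constructed packets for trying the parsers.
def build_ipv4(payload: bytes, options: bytes = b"", proto: int = 17) -> bytes:
    assert len(options) % 4 == 0
    ihl_words = (IPV4_MIN_HEADER + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH", 0x40 | ihl_words, 0,
                      IPV4_MIN_HEADER + len(options) + len(payload), 1, 0, 64, proto, 0)
    hdr += ipaddress.IPv4Address("192.0.2.1").packed + ipaddress.IPv4Address("192.0.2.2").packed
    return hdr + options + payload


def build_ipv6(payload: bytes, traffic_class: int = 0, next_hdr: int = 17) -> bytes:
    word0 = (6 << 28) | (traffic_class << 20)
    hdr = struct.pack("!IHBB", word0, len(payload), next_hdr, 64)
    hdr += ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:db8::2").packed
    return hdr + payload


if __name__ == "__main__":
    print(parse_ip(build_ipv4(b"x" * 10, options=b"\x01" * 4)))   # 24-byte header
    print(parse_ip(build_ipv6(b"y" * 10, traffic_class=0xB8)))   # always 40
```

The parsers reject truncated or inconsistent lengths up front; a packet shorter than the header it claims is the classic input that drives out-of-bounds reads in less careful decoders.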

> QoS
One thing that people are starting to realize is that no matter how much
bandwidth you throw at the public or private sector, they always use it
and over use it. Though one objective of i2 and NGI is to increase
bandwidth capacity, the other is to manage or regulate who has access to
that bandwidth, how much of it and the quality of it.
The Internet currently runs as a "Best Effort" service network. This
means that if the TIT (Tokyo Institute of Technology) NanoTech department
needs 5mbps with no more than a 200ms delay for a joint project with MIT
(Massachusetts Institute of Technology) over the Internet, they will rely
on pure luck to get what they need: luck that the lines from them to MIT
will not be saturated with traffic at that time. This is a big problem,
because this sort of luck rarely ever happens over the Internet. We need
to develop a way to guarantee them the bandwidth and quality they need
for that period of time.
This is done through QoS (Quality of Service), whose development is
primarily the job of the IETF (Internet Engineering Task Force) QoS
workgroup. One objective of NGI and i2 is to guarantee end to end QoS,
which means that whether it takes 10 hops to get from TIT in Tokyo to MIT
or 2 hops, they will be guaranteed 5mbps, 200ms, all the
way. Currently there are two basic standards being used for QoS: the
RSVP protocol and DiffServ.

>> RSVP (Resource ReSerVation Protocol)
RSVP guarantees end to end bandwidth reservations and delay times from
node to node. DiffServ works more on a BB (Bandwidth Broker, ISP)-to-BB
basis or network-to-network basis, whereas RSVP works
on a node to node basis. This allows for tighter QoS and is necessary for
multicasting but is not as flexible as DiffServ. RSVP supports multicast
groups (discussed later) and operates on top of IPv4 or IPv6, acting
like a layer 4 protocol. RSVP also acts like a routing protocol, though
it does not take the place of existing routing protocols; it operates on
top of them (adding features where needed). RSVP causes a higher strain
on the network due to the fact that there is checking going on from node
to node.

For more information on RSVP check out rfc1633 and rfc2205
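Here is an added model (not the article's code, and a simplification of real RSVP) of the node-to-node reservation the section describes: every hop on the TIT-to-MIT path runs its own admission check for the 5 Mbps request, and if any hop cannot admit it the reservations already placed upstream are torn down, so the guarantee is all-or-nothing end to end. The per-hop state is soft: it has to be refreshed or it times out, which is the per-node bookkeeping behind the "higher strain" the article mentions. The hop names, capacities and lifetime are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Soft-state lifetime: a reservation that is not refreshed within this many
# seconds is dropped by the hop (constructed value for the model).
RESERVATION_LIFETIME_S = 90.0


@dataclass
class Hop:
    name: str
    capacity_mbps: float
    # session id -> (reserved mbps, time at which the state expires)
    reservations: Dict[str, Tuple[float, float]] = field(default_factory=dict)

    def available(self) -> float:
        return self.capacity_mbps - sum(mbps for mbps, _ in self.reservations.values())

    def expire_stale(self, now: float) -> None:
        self.reservations = {s: v for s, v in self.reservations.items() if v[1] > now}


def reserve_path(path: List[Hop], session: str, mbps: float, now: float) -> bool:
    """Admit `mbps` on every hop of `path`, or on none of them.

    Each hop performs its own admission check; if any hop lacks capacity the
    reservations already placed on earlier hops are torn down, so the caller
    never ends up with a half-guaranteed path.
    """
    admitted: List[Hop] = []
    for hop in path:
        hop.expire_stale(now)
        if hop.available() < mbps:
            for h in admitted:
                h.reservations.pop(session, None)
            return False
        hop.reservations[session] = (mbps, now + RESERVATION_LIFETIME_S)
        admitted.append(hop)
    return True


def refresh_path(path: List[Hop], session: str, now: float) -> None:
    """Periodic refresh keeps the per-hop state alive; every node on the
    path has to hold and maintain it."""
    for hop in path:
        if session in hop.reservations:
            mbps, _ = hop.reservations[session]
            hop.reservations[session] = (mbps, now + RESERVATION_LIFETIME_S)


def build_demo_path() -> List[Hop]:
    """Constructed 4-hop path TIT -> MIT with one narrow transit link."""
    return [Hop("tit-edge", 100.0), Hop("transit-1", 100.0),
            Hop("transit-2", 8.0), Hop("mit-edge", 100.0)]


if __name__ == "__main__":
    path = build_demo_path()
    print("nanotech 5 Mbps:", reserve_path(path, "tit-mit-nanotech", 5.0, now=0.0))
    print("second 5 Mbps:  ", reserve_path(path, "tit-mit-other", 5.0, now=1.0))
    print("free on transit-2:", path[2].available(), "Mbps")
```

The second request is refused because the 8 Mbps transit hop only has 3 Mbps left; once the first session stops refreshing and its state expires, the capacity is handed back and the second request is admitted.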

>> DiffServ (Differentiated Services)
DiffServ causes less strain on a network than RSVP does. For this reason,
it is the preferred method. However, DiffServ doesn't guarantee the
connection as well and as tightly as RSVP does. So there are trade-offs.
DiffServ works by labeling packets with "per-hop behaviors" (PHBs).
PHBs basically define the level of service that this packet will need.
The PHB is initially defined on the edge routers (closest to the sending
device). End devices on the network have the job of reshaping traffic as
it leaves the domain, taking into account any burst traffic that may
occur. DiffServ assures a basic throughput but allows for bursts when
resource availability permits (depending on the PHB type assigned to the
packet). All the information needed for DiffServ is held in the DS field
in the IP headers.
In all likelihood we will not be implementing DiffServ on our home or
small networks, or even large ones for that matter. It will be the
responsibility of your BB (Bandwidth Broker, also known as your ISP) to
provide DiffServ where needed. It will be the BB's job to aggregate all
of their DiffServ traffic into one stream before it is sent out of the
network and onto another.
Last thing: DiffServ, unlike RSVP, has no built in support for
multicasting.
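As an added example (not from the article), this models what an edge router does with the DS field: it packs and unpacks the DSCP from the TOS/traffic-class byte, overwrites marks arriving on untrusted links from policy (so a host cannot simply label its own traffic EF), and polices each PHB with a token bucket that assures a base rate but lets bursts through while tokens remain, demoting out-of-profile packets to best effort. The DSCP code points are the standard ones (RFC 2474, 2597, 3246); the policy table, rates and burst sizes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# DSCP values (RFC 2474 / 2597 / 3246). The DS field is the old IPv4 TOS byte
# or the IPv6 traffic class: DSCP in the upper six bits, ECN in the lower two.
DSCP_BE = 0      # best effort, no assurance
DSCP_AF11 = 10   # assured forwarding, class 1, low drop precedence
DSCP_EF = 46     # expedited forwarding (low delay, low jitter)


def dscp_of(ds_byte: int) -> int:
    return ds_byte >> 2


def ds_byte_of(dscp: int, ecn: int = 0) -> int:
    return (dscp << 2) | (ecn & 0b11)


@dataclass
class TokenBucket:
    """Assures `rate` bytes/s but lets bursts through up to `burst` bytes."""
    rate: float
    burst: float
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


# Constructed ingress policy: which senders the edge router is willing to
# put into which PHB. Marks set by anyone else are not trusted.
INGRESS_POLICY: Dict[str, int] = {"192.0.2.10": DSCP_EF, "192.0.2.20": DSCP_AF11}


def mark_at_ingress(ds_byte: int, src_ip: str, trusted_link: bool) -> int:
    """Edge marking: on an untrusted link the sender's own DSCP is overwritten
    from policy, so a host cannot self-promote its traffic to EF."""
    if trusted_link:
        return ds_byte
    return ds_byte_of(INGRESS_POLICY.get(src_ip, DSCP_BE), ecn=ds_byte & 0b11)


class EdgePolicer:
    """Per-PHB policing: in-profile packets keep their mark, out-of-profile
    packets are demoted to best effort instead of being dropped."""

    def __init__(self) -> None:
        # constructed profiles: EF 125 kB/s with a 20 kB burst, AF11 500 kB/s with 100 kB
        self.buckets: Dict[int, TokenBucket] = {
            DSCP_EF: TokenBucket(rate=125_000, burst=20_000),
            DSCP_AF11: TokenBucket(rate=500_000, burst=100_000),
        }

    def handle(self, ds_byte: int, size: int, now: float) -> Tuple[str, int]:
        dscp = dscp_of(ds_byte)
        bucket = self.buckets.get(dscp)
        if bucket is None:                  # unknown or BE class: no assurance
            return ("forward", DSCP_BE)
        if bucket.allow(size, now):
            return ("forward", dscp)
        return ("remark", DSCP_BE)


if __name__ == "__main__":
    policer = EdgePolicer()
    marked = mark_at_ingress(ds_byte_of(DSCP_EF), "198.51.100.7", trusted_link=False)
    print("untrusted host claiming EF ends up as DSCP", dscp_of(marked))
    verdicts = [policer.handle(ds_byte_of(DSCP_EF), 1500, 0.0)[0] for _ in range(20)]
    print("EF burst of 20 x 1500 B:", verdicts.count("forward"), "forwarded,",
          verdicts.count("remark"), "remarked")
```

With a 20 kB burst allowance, 13 full-size packets pass at once and the rest are remarked until the bucket refills; after one second at 125 kB/s the bucket is full again.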

For the purpose of testing QoS methods the QBONE initiative was created in
1998. The QBONE is a joint effort of academic, governmental and corporate
researchers and engineers, created as a wide area testbed for QoS
protocols. It crosses both NGI and i2 borders, operating through almost
all of the advanced networks in the US and abroad (such as vBNS,
Abilene, ESNet and CA*NET, which are discussed later).

For more details on the QBONE and QoS try
http://www.internet2.edu/qbone/.

> IP Multicasting
Let's say that both you and I live in the same city and use the same
Internet provider. Let's also say that we are both listening to a live
stream (if they one day do live) of Geeks in Space
(www.the-sync.com/geeks) at the exact same time. This means that the same
datagrams are coming to the same network, the same POP, at the same time,
like so:
 _____                  ____
|Geeks|----Stream1-----|our |-------- Me
| in  |                |Lame|
|Space|----Stream2-----|ISP |-------- You
 -----                  ----

It would certainly be to the entire Internet's advantage and ours if we
could combine those two streams into one, creating less congestion on the
network. IP Multicasting refers to doing exactly that. Example:

 _____                  ____
|Geeks|                |our |-------- Me
| in  |----Stream------|Lame|
|Space|                |ISP |-------- You
 -----                  ----

In the above example there is only one stream of datagrams going out over
the Internet, but once it gets to our ISP it splits the stream into two
and sends Geeks In Space to you and me at the same time. In order to do
this it creates "Multicasting Groups" for each stream (both you and I
being in the same group). It also requires smart routers which can
replicate streams and keep track of and create these groups, dynamically
adding users when needed. Also, the routers all along the way from the
Real Audio server to our ISP must support IP multicast protocols such as
DVMRP (Distance Vector Multicast Routing Protocol), PIM (Protocol
Independent Multicast) or MOSPF (Multicast Open Shortest Path First).
To use IP multicasting today you must connect to an existing network
within the public Internet known as the MBONE (at least, that is where
all the action is at). Before you can do that, however, your ISP must
support multicasting. Check with them to see if they do, or else switch
ISPs. For more information about the MBONE and IP multicasting check out
www.mbone.com. For even more info on multicasting try
www.ncne.nlanr.net/faq/multicast.html
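The replication and group bookkeeping described above, as an added simulation that is not part of the article and is not any real multicast routing protocol: a small tree of routers keeps per-group membership, pulls a single copy of each datagram onto a link only when something downstream has joined, and replicates it to members at the last hop. The topology (the stream's upstream router, "our lame ISP" with you and me as listeners, and a second ISP with nobody listening) and the group address are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GROUP = "239.1.2.3"   # constructed; 239/8 is the administratively scoped multicast range


class MulticastRouter:
    """A router that keeps group membership per port and replicates one
    incoming copy of a datagram onto every port (and child router) that
    has receivers. Branches with no listeners are pruned: nothing is sent
    down them."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.members: Dict[str, Set[str]] = defaultdict(set)   # group -> member ports
        self.children: List["MulticastRouter"] = []
        self.packets_in = 0        # datagrams this router received for any group
        self.link_packets = 0      # copies this router sent to child routers

    def join(self, group: str, port: str) -> None:
        self.members[group].add(port)

    def leave(self, group: str, port: str) -> None:
        self.members[group].discard(port)
        if not self.members[group]:
            del self.members[group]          # last member gone: prune the group here

    def has_receivers(self, group: str) -> bool:
        return bool(self.members.get(group)) or any(c.has_receivers(group) for c in self.children)

    def forward(self, group: str, datagram: bytes) -> List[Tuple[str, str]]:
        """Deliver one datagram; returns (router, port) pairs that got a copy."""
        self.packets_in += 1
        deliveries = [(self.name, port) for port in sorted(self.members.get(group, ()))]
        for child in self.children:
            if child.has_receivers(group):   # only pull a copy onto links that lead to listeners
                self.link_packets += 1
                deliveries.extend(child.forward(group, datagram))
        return deliveries


def unicast_link_packets(listeners: int, datagrams: int) -> int:
    """What the upstream link would carry if each listener got its own stream."""
    return listeners * datagrams


def build_demo_tree() -> Tuple[MulticastRouter, MulticastRouter, MulticastRouter]:
    """Constructed topology from the article: the stream's upstream router
    feeding 'our lame ISP' (which has you and me as listeners) and another
    ISP with nobody listening."""
    upstream = MulticastRouter("geeks-upstream")
    our_isp = MulticastRouter("our-lame-isp")
    other_isp = MulticastRouter("other-isp")
    upstream.children = [our_isp, other_isp]
    our_isp.join(GROUP, "me")
    our_isp.join(GROUP, "you")
    return upstream, our_isp, other_isp


if __name__ == "__main__":
    upstream, our_isp, other_isp = build_demo_tree()
    for _ in range(10):
        upstream.forward(GROUP, b"geeks-in-space audio chunk")
    print("copies on upstream->our ISP link:", upstream.link_packets,
          "(unicast would need", unicast_link_packets(2, 10), ")")
    print("datagrams seen by other ISP:", other_isp.packets_in)
```

Membership is driven entirely by receivers joining and leaving, so once both listeners leave the group the upstream link carries nothing for it at all.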


II. NGI and i2
------------------------------------------------------------------------
Like I said before, the NGI and i2 initiatives are almost identical. They
operate on, mostly, the same networks and backbones. They have pretty
much the same goals. However, there are a few things that make them
different, other than who is in control of each initiative and the budget
that they have. The following takes a look at each initiative.

> NGI
In the NGI there are a few different government organizations that are
involved in making the goals of NGI a reality. Those organizations are
DARPA (Defense Advanced Research Projects Agency), NSF (National Science
Foundation), NASA (National Aeronautics and Space Administration), NIST
(National Institute of Standards and Technology), NLM (National Library
of Medicine) and the DoE (Department of Energy). Each of these
organizations has different responsibilities, some overlapping in areas.
Each of these organizations has its own physical networks that it
can test things out on (some of which are discussed later). I'm not going
to discuss the specifics of what their jobs are; if you want more
information go to: www.ngi.gov

The NGI project budget for 1998 was $80 million US Dollars. 1999 is $110
million. 2000 will be $110 million. The project was only granted 3 years
of funding by Congress but is planned up till 2002 (I guess the budget comes
later). There is a possibility that it could be extended even farther,
however. There are a number of very specific goals for NGI:
To develop an NGI testbed that supports end-to-end QoS for new networking
technologies and advanced research. This testbed will connect at least
100 NGI sites - universities, Federal research institutions, and other
research partners - at speeds 100 times faster than today's Internet
(OC-3 - 155mbps), and will connect 10 sites at speeds 1,000 times faster
than the current Internet (OC-48 - 2.5gbps).
Another goal of the NGI is to demonstrate Terabit switching technology by
2002. At the NGI/i2 conference I went to there was a professor from
Hebrew University Israel who gave a lecture on an Optical Terabit switch
that he had developed and tested. The switch could do well over 1tbps
with hop rates of 10ms. That certainly grabbed the attention of the NSF
guys at the conference. The device is supposed to go into production
sometime in two years, as I remember.

The NGI network is spread out over several different networks. The ones
that I know of are: vBNS (run by NSF), Abilene (run by UCAID), ESNet (run
by DoE) and NREN (run by NASA).
In order for a corporation or university to hook up to NGI they must
connect to one of these backbones. In many cases we see that the
requesting peer will just connect to a GigaPOP which is already connected
to one of the backbone NAPs. Then they must arrange (with the NSF I
believe) to be added to the NGI registrar and routing tables. In many
cases, the organization or university can get government funding from the
NSF.

> i2
Internet2 is an advanced network initiative by UCAID (University
Corporation for Advanced Internet Development) and several other
corporations. The budget is about $80 million a year. i2, like NGI, is
spread out over various high speed backbones in the US. The two major
ones are vBNS and Abilene, which will be discussed later. In most cases
universities will connect to GigaPOPs which in turn connect to one of the
i2 backbones.
i2, like NGI, is involved with implementing and developing QoS, IPv6 and
advanced network applications. There is no real literature on the net that
discusses the goals of i2. The talk is more around the backbones that it
operates on.

III. Advanced high speed backbones
------------------------------------------------------------------------
As I said before, both i2 and NGI run over several high speed backbone
networks. The following discusses a few of them in detail.

> vBNS
The NSF initiated the very high speed Backbone Network Service (vBNS) in
1995. With help from MCI the NSF set up a high speed backbone across the
US. The purpose was to connect government, industry and universities to 5
SCCs (Super Computing Centers) in the US and then, inevitably, to each
other. For those interested, those 5 SCCs are:
- Cornell Theory Center
- National Center for Atmospheric Research
- Pittsburgh Supercomputer Center
- National Center for Supercomputer Applications
- San Diego Supercomputer Center

The vBNS serves as a backbone for both the NGI and i2 initiatives. The
vBNS uses IP over ATM over SONET. It operates at speeds up to OC-48
(2.5gbps). MCI also created a second "testnet" network for testing
experimental technologies until they prove stable for implementation on
the vBNS. Most peers connect at DS3 and OC-3 speeds to one of the vBNS
NAPs (Network Access Points) or to a GigaPOP that is already plugged up
to a NAP. The vBNS supports both native and tunneled IPv6.

> Abilene
The Abilene network was created by UCAID in collaboration with Qwest
Communications, Cisco, Nortel Networks and a few others that I don't
remember. It was created for the sole purpose of connecting i2 peers and
operates at speeds up to OC-48 using IP over SONET. As I remember, the lines
were laid and POPs put in place by Qwest Communications. If you want to
connect to the Abilene backbone all you need is $110k a year for an OC-3
connection, $320k a year for an OC-12. Small price to pay :]

> ESNet
ESNet (Energy Sciences Network), headed by the DoE (Department of Energy),
provides speeds up to OC-12. It connects directly to the vBNS, STARTAP
and many other high speed US backbones. Peers connect at anywhere from 64k
up to OC-12 speeds. It has been around for a while and has a lot of networks
connected to it. For more information check out: www.es.net

> International networks
It was in 1997 that the NSF started taking proposals from R&D
networks in other countries to add international peers to its registrar
for the vBNS. I guess the US government and academic establishments realized
that the US wasn't exactly the smartest country on the planet. The
international peers connect through the STARTAP and connect from there to
other i2 or NGI peers. STARTAP (Science, Technology, And Research Transit
Access Point) is the international NAP for most US networks (other than
the Internet). The STARTAP connects directly to the Ameritech NAP in
Chicago which connects to the vBNS and many other high speed US networks.
The STARTAP is funded by the NSF and maintained by the University of
Illinois at Chicago and a few other Chicago based groups. The STARTAP
currently supports speeds up to OC-12 and supports DiffServ, RSVP,
Multicasting and IPv6. For more information on the STARTAP check out:
www.startap.net

The following are just a few examples of international networks that are
hooking up to i2 or NGI through the STARTAP.

>> Israel's tap
The Israeli government has committed $10 million a year for the next four
years to advanced network development in Israel. The group in charge of
all i2 and NGI activities is the IUCC (Israel Inter-University Computation
Center), whose main members are the eight major universities in Israel.
This is where it will start, with the universities, and shortly after it
should be opened to commercial R&D departments.
There is one satellite link at 44 Mbps from Israel (Tel Aviv University)
to the STARTAP in Chicago. Israel bought the entire spectrum on the
satellite, so there are plans to upgrade that speed to anywhere from
60 Mbps to 140 Mbps, as needed. There is also a fiber optic E3 (34 Mbps)
line from Israel (Bar Ilan U., I believe) to the UK, where it connects to
the QUANTUM network in Europe (http://www.dante.net/quantum). From the
connection point in the UK another fiber optic line runs over to the US at
10 Mbps for redundancy.

I've heard rumors of a 2 Gbps line being set up from the US to Israel but I
have not been able to confirm this.

Though the i2 website for the IUCC claims full support for QoS, I don't
believe it. At an i2/NGI conference I went to I asked one of the IUCC
speakers about this and he gave no real assurances of QoS support, quite
the opposite.

For more information on the i2 project in Israel go to
www.internet-2.org.il

>> CA*NET3
CA*NET3 currently runs at OC-48 (2.5 Gbps). The Canadian government, in
partnership with some high-tech companies, funds the project. NAPs to the
backbone are located all along the southern border of Canada and connect
to other US networks through the STARTAP. The Canadian government has
committed $53 million to the project, which will last a year or so (I
don't remember the exact figures). The project was initiated in 1998.
CA*NET3 uses DWDM (Dense Wavelength Division Multiplexing) to reach OC-48.
CANARIE (Canadian Network for the Advancement of Research, Industry and
Education) is the group in charge of the project; for more info check out
their site at www.canarie.ca or www.canet3.net. The CANARIE consortium
includes commercial, academic and governmental departments of Canada.

IV. Security concerns
------------------------------------------------------------------------
There are a couple of security concerns as I see it. The first is the way
most universities and organizations make their requests to plug in to i2
or NGI. They write a proposal, and many will list, in great detail, the
layout of their network. One sad sight I saw was the San Diego
Supercomputer Center, which posted a map of all the IP NetIDs for its
network. Even worse was CANARIE, which posted the same thing (the NetIDs)
for the entire CA*NET3 backbone. Now, these are private networks. However,
all I would need, in theory, is a terminal at an i2 or NGI peer to start
playing around. It seems even easier when I start to really look at their
proposals. Most peers make their NGI or i2 connection the default path
when the destination is another i2 or NGI peer, even for something as
simple as a web page. So, depending on how it is implemented, I may be
able to start from a simple student terminal, as opposed to having to hack
into the systems group's terminals or servers first.
The second concerns DoS attacks. Give me bandwidth and I'm in DoS heaven :)
On an i2 or NGI peer's network I may have a lot of bandwidth at my
disposal (depending on what type of policy they come under when connecting
to the i2 or NGI backbones). Then, if I find a peer stupid enough to run a
proxy from there to the normal Internet, who knows.
And I'm only a nominal security buff; I imagine that there are a lot more
concerns that I haven't seen. There is, however, an IETF security working
group in place for this exact reason. So, who knows?



If you have any questions, comments, corrections...
e-mail me at: mindmore@mindless.com

I will try to post any technical corrections in the next issue of this
e-zine.

- Cyphunk



,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

+------------------------------------------------+
|                                                |
|  -------------------------------------         |
|  AXS Script Makes WebServer Vulnerable         |
|  -------------------------------------         |
|                                                |
|  --- by f0bic - [ linux security ]             |
|  --- f0bic@deadprotocol.org                    |
|  (this article was also published on BugTraq)  |
|                                                |
+------------------------------------------------+


-----------------
Brief Description
-----------------
The AXS web server script by Fluid Dynamics (www.xav.com) allows unauthorized third parties
to use the ax-admin administration/configuration module and remotely edit and/or delete log
files and overwrite files on the system. Exhaustion of system resources may also be one of
the effects of this vulnerability.


--------------------
Vulnerable Platforms
--------------------
Any operating system AXS is compatible with:

- *NIX operating systems (AXS cgi set)

- Windows NT (AXS perl set)

I have seen the AXS
( cgi set ) operate on Apache 1.2.6/1.3.3, NCSA, Netscape-Commerce.
( perl set ) operate on IIS 3.0/4.0, Netscape-FastTrack.


-------------------------
Vulnerability Description
-------------------------
The AXS script is a cgi or perl script that keeps track of the number, the source locations
and the client info of visitors to your HTTP port (80). It writes this data to an output
file, named log.txt by default (but it can easily be relocated). This log.txt is normally
located in the cgi-bin directory of the server, which means the web server needs write access
to that directory.

The AXS cgi set contains two .cgi files, ax.cgi and ax-admin.cgi. The ax.cgi file is the one
that actually "grabs" the info about the visitors and writes it to log.txt (or wherever you
relocated it to). The ax-admin.cgi is the configuration front end for the ax.cgi script. By
default ax-admin.cgi is protected by the password "IronMan", and sometimes the password is
even left blank. Due to this weak access control it is very easy to gain "configuration access"
to the ax.cgi script, allowing you to reconfigure it, delete the log files or change the
location of the logs.

The default location for the AXS script is http://www.server.com/cgi-bin/ax.cgi.
The default location for the AXS admin script is http://www.server.com/cgi-bin/ax-admin.cgi.

To reach the ax-admin.cgi module you are by default presented with a password screen, IronMan
being the default password. The password is whatever string is hardcoded in the $password="*"
line of ax-admin.cgi ("*" standing for the default or chosen password, or nothing at all). Most
of the time I have seen the password field left blank or at the default. If the password is
left blank you will not be prompted for a login at all; instead you are dropped straight into
the ax-admin configuration page. From this point on you can alter files on the server system,
possibly resulting in denial-of-service against the system's resources.



---------
Solutions
---------
The AXS problems come down to a script that was never given the security features a business
application would need. AXS was developed for ease of use, not with security in mind, and this
is one of the mistakes Fluid Dynamics has made. The simple fix is not to run the ax-admin.cgi
module with a blank or default password. I have informed Fluid Dynamics that I have seen servers
where the ax-admin password was the same as the one for a valid shell account on that system.
Fluid Dynamics has also made no effort at all to encrypt or hash the passwords used in the
ax-admin verification.
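The two failure modes above (a blank password that silently grants access, and a plaintext default that is never hashed) are easy to model. The following Python is an added example written for this issue, not Fluid Dynamics' code and not a reimplementation of ax-admin.cgi: it shows the weak check as the article describes it beside a hardened version that fails closed, refuses blank and default passwords, and stores only a salted PBKDF2 hash. The PBKDF2 parameters and the extra entries in KNOWN_DEFAULTS beyond "IronMan" and the blank password are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Passwords an admin module should never accept. "IronMan" and the blank
# password are the AXS defaults described in the article; "password" and
# "admin" are hypothetical additions for this example.
KNOWN_DEFAULTS = {"", "ironman", "password", "admin"}


def weak_admin_check(configured: str, supplied: Optional[str]) -> bool:
    """Models the ax-admin behaviour the article describes: a blank
    $password means no prompt at all, otherwise a plaintext comparison."""
    if configured == "":
        return True          # blank -> dropped straight into the admin page
    return supplied == configured


def password_is_acceptable(password: str) -> bool:
    """Refuse blank, default and short admin passwords before storing them."""
    return password.lower() not in KNOWN_DEFAULTS and len(password) >= 12


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex:digest_hex' so the
    config file never holds the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return f"{salt.hex()}:{digest.hex()}"


def hardened_admin_check(stored: Optional[str], supplied: Optional[str]) -> bool:
    """Fail closed: no stored hash means no admin access, not open access.
    The comparison is constant-time so a wrong guess leaks no timing."""
    if not stored or supplied is None or ":" not in stored:
        return False
    salt_hex, _ = stored.split(":", 1)
    candidate = hash_password(supplied, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("weak, blank config, no password given:", weak_admin_check("", None))
    print("hardened, no hash configured:", hardened_admin_check(None, "IronMan"))
    stored = hash_password("a-long-admin-passphrase")
    print("hardened, right passphrase:", hardened_admin_check(stored, "a-long-admin-passphrase"))
```

The point of the hardened version is not the hash algorithm but the default: when nothing is configured the weak check returns True and the hardened one returns False, which is the difference between "no password" meaning "open to everyone" and meaning "admin module disabled".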


EOF


,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''



+--------------------------+
| PURSUiT presentation, |
| |
| Boxing in the UK |
| |
| By Oktal |
| |
| <ms@punkass.com> |
+--------------------------+

Part 1. Blue Boxing

Part 2 will be on Beige Boxing and will be in issue 3 of PURSUiT

Blue boxing is sending tones down a fone line to seize the trunk and make
free fone calls (among other things). The trunk is what operators dial over.
But it doesn't use the same frequencies as home fones, so we need to get
the tones from your sound card onto the fone line.

What you will need for this hobby:

1 Computer + Sound card
1 Tone-generating software (eg. http://x-iz.net/gbh/bluebeep.zip)
1 Cheap telephone (I use the old 'Viscount' series by BT because I have a
friend who has loads he doesn't want)
4 Wires (at least 1 metre each)
2 2.5mm jack plugs (from your local electrical shop)
1 Hole-making equipment (hammer+nail)
1 Soldering iron + solder (optional)

What you must do for this hobby:

Open up the handset so you can see all the insides. There should be a
speaker and a microphone, each with 2 wires connecting to them.
Attach (or solder) one of your 4 wires to each of the wires in the handset.
Now make a hole in the casing for the wires to come out of.
Open up the jack plugs and attach the 2 wires from the speaker to the
connections in one plug, and the 2 wires from the mic to the connections
in the other plug. Use solder if you want. Stick the handset back together.

Disconnect the speakers and microphone from your computer and plug the
earpiece into the microphone socket and the mouthpiece into the speaker
socket.

-OR- If you have electrical knowledge, you could make a box that generates
the tones by itself and doesn't need a connection to a sound card.



A long time ago, BT had a tone (2280 Hz) which BT engineers used to access
certain functions within the trunk. Phreakers discovered that this could be
abused to seize the trunk and make free calls out of it. But BT got wise to
the phreakers, so blue boxing is now impossible in the UK.
However, BT does have 'country direct' lines, which are freefone 0800 numbers
to overseas operators. They are mostly in the 0800 890 XXX range, along with
some other useful numbers. Those countries' exchanges are not as modern as
ours and they are blue boxable. (NB: not all country direct lines are boxable.)


Some country direct numbers to countries with CCITT-5 lines:

  Country         Number
  South Africa    0800 890 027
  Germany         0800 890 049
  Brazil          0800 890 055
  Chile           0800 890 056
  Libya           0800 890 059
  Australia       0800 890 061
  Indonesia       0800 890 062
  France          0800 890 133
  Bahamas         0800 890 135
  Gabon           0800 890 241
  etc etc etc

You can then make an international call out of that country
to the UK (or any other country) and make a free call.



Using Bluebeep by Onkel Dittmeyer:

The 'action mode' sucks, so you should program a script to play the
tones. A sample (and very good) script that I made is included in
the zip file (http://x-iz.net/gbh/bluebeep.zip).
To make your own script for your own needs, read 'Script Language'
in the Info|Documentation menu.
To run a script, type BLUEBEEP /EXEC FILENAME.EXT at the prompt.
For a list of all the command-line switches, type BLUEBEEP /?


Tone specifications for the CCITT-5 exchange:

  Description         Frequency (Hz)    Duration (ms)   Pause after tone (ms)

  digit 1             700 & 900         60              40
  digit 2             700 & 1100        60              40
  digit 3             900 & 1100        60              40
  digit 4             700 & 1300        60              40
  digit 5             900 & 1300        60              40
  digit 6             1100 & 1300       60              40
  digit 7             700 & 1500        60              40
  digit 8             900 & 1500        60              40
  digit 9             1100 & 1500       60              40
  digit 0             1300 & 1500       60              40
  KP1                 1100 & 1700       80              40
  KP2                 1300 & 1700       80              40
  ST                  1500 & 1700       80              80
  Clear Ahead Tone    2400 & 2600       150             30
  Seize Tone          2600 (single)     80              20

Be aware that duration times may differ slightly between exchanges.

To seize the trunk of a CCITT-5 line:

1. You will hear a bleep after you dial the country direct number
2. Send the clear ahead tone after that bleep (makes it think you've hung up)
3. Then send the seize tone (so it thinks it's talking to telco equipment)
4. You will hear a bleep and a clunk
5. Dial the number as shown:
KP2+Zero+CountryCode+AreaCode+Number+ST
eg. KP2,0441818118181,ST

But BT often puts filters on the country direct lines to filter out
these tones. Here are some tricks to get past a lot of filters:

The author's trick is to mix in a third tone of around 3000 Hz (he calls
this 'pink noise', the average tone of a conversation). Bluebeep allows 3
simultaneous tones, so add 3000 Hz as the last frequency of each tone in
the dial set list.

Some filters raise or lower the pitch of the sound slightly.
Try tones just above or just below the given frequencies
(eg. 2395 or 2405 instead of 2400).
You may have to do some frequency analysis on the echo you get from the system.
A good tool for this is Wintone (30-day trial version at www.steaksandwich.com,
registration $20 (£13), or you could read my article on cracking software,
which will be coming soon in PURSUiT).
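Both halves of this procedure, generating the CCITT-5 tones from the table above and doing the frequency analysis on what comes back, can be done with a few dozen lines of signal processing. The following Python is an added example for this issue, not code from Bluebeep or Wintone: it renders a symbol sequence such as the article's KP2,0441818118181,ST from the table (with an optional frequency offset for the "just above / just below" trick), writes it as a WAV you can play through a sound card patched to a handset, and decodes a recording back to symbols with the Goertzel algorithm, which is the cheap way to measure power at a handful of known frequencies. The 8000 Hz sample rate, the 10 ms analysis frame and the 30% detection threshold are assumptions for the example.

```python
import math
import struct
import wave
from typing import Dict, List, Tuple

SAMPLE_RATE = 8000   # Hz; assumed for the example, any telephone-band rate works

# (frequencies in Hz, duration ms, pause after tone ms), copied from the
# CCITT-5 table in the article. The seize tone is a single 2600 Hz tone.
TONES: Dict[str, Tuple[Tuple[int, ...], int, int]] = {
    "1": ((700, 900), 60, 40),     "2": ((700, 1100), 60, 40),
    "3": ((900, 1100), 60, 40),    "4": ((700, 1300), 60, 40),
    "5": ((900, 1300), 60, 40),    "6": ((1100, 1300), 60, 40),
    "7": ((700, 1500), 60, 40),    "8": ((900, 1500), 60, 40),
    "9": ((1100, 1500), 60, 40),   "0": ((1300, 1500), 60, 40),
    "KP1": ((1100, 1700), 80, 40), "KP2": ((1300, 1700), 80, 40),
    "ST": ((1500, 1700), 80, 80),
    "CLEAR": ((2400, 2600), 150, 30), "SEIZE": ((2600,), 80, 20),
}
SYMBOL_BY_FREQS = {frozenset(f): sym for sym, (f, _, _) in TONES.items()}
ALL_FREQS = sorted({f for fs, _, _ in TONES.values() for f in fs})


def parse_dial_string(s: str) -> List[str]:
    """'KP2,0441818118181,ST' -> ['KP2', '0', '4', ..., 'ST'], Bluebeep-style."""
    out: List[str] = []
    for token in s.split(","):
        token = token.strip()
        out.extend([token] if token in TONES else list(token))
    return out


def synth(symbols: List[str], offset_hz: float = 0.0) -> List[float]:
    """Render symbols to mono samples in [-1, 1]. offset_hz shifts every
    frequency, which is the 'just above / just below' filter trick."""
    out: List[float] = []
    for sym in symbols:
        freqs, dur_ms, pause_ms = TONES[sym]
        for i in range(SAMPLE_RATE * dur_ms // 1000):
            t = i / SAMPLE_RATE
            out.append(sum(math.sin(2 * math.pi * (f + offset_hz) * t)
                           for f in freqs) / len(freqs))
        out.extend([0.0] * (SAMPLE_RATE * pause_ms // 1000))   # inter-tone gap
    return out


def write_wav(samples: List[float], path: str) -> None:
    """16-bit mono WAV, playable through the sound card / handset hookup."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(b"".join(struct.pack("<h", int(s * 32767)) for s in samples))


def goertzel_power(frame: List[float], freq: float) -> float:
    """Power at one frequency via the Goertzel recurrence (no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode(samples: List[float], frame_ms: int = 10) -> List[str]:
    """Recover the symbol sequence: split the signal into bursts at the
    silent gaps, measure which known frequencies carry power in each burst
    (anything above 30% of the strongest bin counts) and map the set back."""
    n = SAMPLE_RATE * frame_ms // 1000
    bursts: List[List[float]] = []
    active = False
    for i in range(0, len(samples), n):
        frame = samples[i:i + n]
        loud = sum(x * x for x in frame) / max(len(frame), 1) > 0.01
        if loud and not active:
            bursts.append([])
        if loud:
            bursts[-1].extend(frame)
        active = loud
    symbols: List[str] = []
    for burst in bursts:
        power = {f: goertzel_power(burst, f) for f in ALL_FREQS}
        peak = max(power.values())
        present = frozenset(f for f, p in power.items() if p > 0.3 * peak)
        symbols.append(SYMBOL_BY_FREQS.get(present, "?"))
    return symbols


if __name__ == "__main__":
    seq = ["CLEAR", "SEIZE"] + parse_dial_string("KP2,0441818118181,ST")
    write_wav(synth(seq), "c5-dial.wav")
    print(decode(synth(seq, offset_hz=5)))   # decodes cleanly despite the 5 Hz shift
```

The decoder judges each burst relative to its own strongest bin, so a small uniform frequency shift (the anti-filter trick) still decodes; a filter that notches one partial of a pair would show up as a burst mapping to "?", which is exactly what you would look for when analysing the echo.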


That's it guys. Any information you may have on UK boxing can be sent to
ms@punkass.com for a great big essay I have planned for the mag next year
on UK boxing. Remember part 2 of this article (beige boxing) is in issue 2.


Wardialling & Scanning

If a country direct number is abused too much then BT is forced to
shut it down :(
So every so often the one you use will go away and you'll have to
use another. Well, the list above is by no means complete, and there
are other very useful numbers in the 0800 890 XXX range, so...

Why not find out what they all are?
"What, scan 1000 numbers???"
No... you get a wardialler to do that for you. It dials them all up
(don't do this all at once, BT'll notice) and when you come back
it'll tell you which ones picked up and which ones didn't exist.
(It might also tell you if it was a data or voice line.)
Then you can dial the ones that look interesting.
You just tell it what range to scan and leave it for a while.
You could also be at your desk while the dialler is running so you
can listen to them and take note of what the voice ones are, like
voice: "Mark at reception, how may I help you?"
A good wardialler is ToneLoc at http://x-iz.net/gbh/toneloc.zip


Example ToneLoc syntax:

C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /S:3:00a /E:4:00a
will dial 0800890000, 0800890001, 0800890002... 0800890999
starting at 3 am and ending at 4 am (regardless of how far through the
scan it has got)
C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /H:1:00
will scan the range starting NOW and ending in one hour

ToneLoc also has some cool options like the Black Book: a txt file of
numbers to NEVER dial (eg. 999) during a scan, and loads of other cool stuff.
To set up options like that and config stuff like modem strings, run
TLCFG.EXE

A really neat trick is the Scan Map. I can't explain it, it is just
so great. Run TONEMAP SAMPLE.DAT to see what I mean.
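The mask, range and black book above are the whole of a scan plan, and it is worth seeing how little logic that is. The following Python is an added example for this issue, not ToneLoc's code: it expands a ToneLoc-style /M mask and /R range into the list of numbers, drops anything listed in a black book, randomises the order so the exchange does not see a sequential sweep, and splits the plan into chunks for separate sessions (the "don't do this all at once" advice). The black-book file format (one full number per line, # for comments, spaces ignored) is an assumption for the example; it matches full numbers only, so "999" in it blocks dialling 999 itself, not every number that ends in 999.

```python
import random
from typing import List, Optional, Set


def expand_mask(mask: str, rng: str) -> List[str]:
    """Expand a ToneLoc-style mask ('0800890XXX') and range ('000-999') into
    the full list of numbers. The X placeholders must be the trailing digits
    and the range must fit in that many digits."""
    width = mask.count("X")
    if width == 0 or not mask.endswith("X" * width):
        raise ValueError("mask must end in one or more X placeholders")
    lo, hi = (int(part) for part in rng.split("-", 1))
    if not 0 <= lo <= hi < 10 ** width:
        raise ValueError("range does not fit the mask width")
    prefix = mask[:-width]
    return [prefix + str(n).zfill(width) for n in range(lo, hi + 1)]


def load_black_book(text: str) -> Set[str]:
    """Parse a black-book file: one full number per line, '#' starts a
    comment, spaces inside a number are ignored ('0800 890 123' is fine)."""
    numbers: Set[str] = set()
    for line in text.splitlines():
        number = line.split("#", 1)[0].replace(" ", "").strip()
        if number:
            numbers.add(number)
    return numbers


def build_dial_list(mask: str, rng: str, black_book: Set[str],
                    seed: Optional[int] = None) -> List[str]:
    """Everything in the range minus the black book, shuffled so the scan
    does not walk the block in order. A fixed seed makes the plan repeatable."""
    numbers = [n for n in expand_mask(mask, rng) if n not in black_book]
    random.Random(seed).shuffle(numbers)
    return numbers


def sessions(numbers: List[str], per_session: int) -> List[List[str]]:
    """Split the plan into chunks to dial on separate nights."""
    if per_session < 1:
        raise ValueError("per_session must be positive")
    return [numbers[i:i + per_session] for i in range(0, len(numbers), per_session)]


if __name__ == "__main__":
    # Constructed black book for the example.
    book = load_black_book("# never dial these\n999\n0800 890 123\n")
    plan = build_dial_list("0800890XXX", "000-999", book, seed=1)
    for night, chunk in enumerate(sessions(plan, 200), start=1):
        print(f"night {night}: {len(chunk)} numbers, first {chunk[0]}")
```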



EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''



*-------------------------------*
| PURSUiT is proud to present.. |
| |
| Introduction to Firewalls |
| |
| By deadline |
*-------------------------------*


What is a firewall?
---------------------
A firewall is a system or group of systems that enforces an access control
policy between two networks. The actual means by which this happens vary
widely, but in principle the firewall can be thought of as a pair of
mechanisms: one that blocks traffic and one that permits traffic. Some
firewalls place a greater emphasis on blocking traffic, while others are
geared mainly towards permitting it.

Diagram:

  O = Outside Host        1: packets arrive at the firewall
  F = Firewall/Router     2: firewall accepts or denies them
  I = Internal Network    3: accepted packets go on to the host

                                    (3) IIII
                              |---------IIII
                    (2)       |
       (1)          FFFFF-----|         (3)
     OOOO-----------FFFFF---------------IIII
     OOOO           FFFFF-----|         IIII
                              |         (3)
                              |---------IIII
                                        IIII

Protection
--------------
Firewalls offer protection against many kinds of things: malicious packets,
e-mail spam and mail bombs, and intruders trying to get into your systems.
But there are also attacks firewalls CANNOT protect you against (attacks
that don't go through the firewall), such as people inside the network;
from there, a user can open up access to outside networks, which can be
potentially dangerous to your network. And lastly, firewalls can't protect
against tunneling over application protocols to trojaned or poorly written
clients.

Types of Firewalls
--------------------

1: Network Layer
------------------
Network-level firewalls usually make their decisions based on the source
(and destination) address and the ports of a packet. A plain router is
probably the best-known network-level firewall, and it is not able to make
a very sophisticated decision about where a packet is really going or where
it actually came from. Newer network firewalls keep much more state about
the packets that pass through them: which connections are open, the
contents of data streams and other sources of information. An important
thing to remember is that network firewalls route traffic directly through
them, so to use one you usually need a validly assigned IP address block.
Network firewalls are usually fast and transparent to users.
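The difference between a plain router's address-and-port filter and a newer firewall that keeps state about open connections is easiest to see on concrete packets. The following Python is an added example written for this article, not any real firewall's code: a first-match rule list with default deny, optionally tracking the flows it has permitted so that reply traffic is accepted without a rule. The policy, the internal address block 10.0.0.0/8 and the sample packets (documentation addresses, not a real capture) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # CIDR
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None     # None = any port
    dport: Optional[int] = None
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


Flow = Tuple[str, int, str, int, str]   # src, sport, dst, dport, proto


class Firewall:
    """First-match rule list with an implicit default deny. When stateful,
    a permitted packet records its flow and packets travelling the other
    way on that flow are accepted without consulting the rules."""

    def __init__(self, rules: List[Rule], stateful: bool = True) -> None:
        self.rules = rules
        self.stateful = stateful
        self.flows: Set[Flow] = set()

    def filter(self, p: Packet) -> str:
        if self.stateful and (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "permit (established)"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "permit" and self.stateful:
                    self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return rule.action
        return "deny"    # nothing matched: drop it


INSIDE = "10.0.0.0/8"   # assumed internal address block for the example

# Stateful policy: inside hosts may browse out; anyone may reach the mail server.
STATEFUL_POLICY = [
    Rule("permit", src=INSIDE, dport=80, proto="tcp"),
    Rule("permit", src=INSIDE, dport=443, proto="tcp"),
    Rule("permit", dst="10.0.0.5/32", dport=25, proto="tcp"),
]

# A stateless router has no memory of outbound connections, so to let web
# replies back in it must permit anything *from* port 80 to the inside.
# That rule also admits an attacker who simply sends from source port 80.
STATELESS_POLICY = STATEFUL_POLICY + [
    Rule("permit", dst=INSIDE, sport=80, proto="tcp"),
]

# Constructed sample traffic (RFC 5737 documentation addresses).
OUTBOUND_WEB = Packet("10.1.2.3", 40000, "203.0.113.10", 80)
WEB_REPLY = Packet("203.0.113.10", 80, "10.1.2.3", 40000)
INBOUND_SMTP = Packet("198.51.100.7", 51000, "10.0.0.5", 25)
INBOUND_SSH = Packet("198.51.100.7", 51001, "10.1.2.3", 22)
FAKE_SPORT_80 = Packet("198.51.100.7", 80, "10.1.2.3", 22)   # attacker's trick
SAMPLE_TRAFFIC = [OUTBOUND_WEB, WEB_REPLY, INBOUND_SMTP, INBOUND_SSH, FAKE_SPORT_80]


def run_demo(stateful: bool) -> List[str]:
    """Decisions for the sample traffic under the matching policy."""
    fw = Firewall(STATEFUL_POLICY if stateful else STATELESS_POLICY, stateful=stateful)
    return [fw.filter(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful " if mode else "stateless", run_demo(mode))
```

The last packet is the one to watch: the stateless policy lets it through because it cannot tell a genuine web reply from a connection that merely claims source port 80, while the stateful firewall denies it because no inside host ever opened that flow.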


2: Application Layer
----------------------
Application-level firewalls are usually hosts running proxy servers.
The proxies usually permit no traffic directly between the networks
and give a more detailed log of traffic than network-level firewalls.
These firewalls can also act as network address translators, since packets
go "in one side and out the other" after passing through an application
that effectively masks the origin of the initiating connection.


Proxy Servers
---------------
A proxy server is an application that mediates traffic between a protected
network and the Internet: it only allows specific connections in to the
host, and only allows connections out of the host through specified ports.
Proxies are usually used instead of router-based traffic controls because
they prevent traffic from passing directly between the two networks. A lot
of proxies have more logging and support for user authentication. Because
proxies must understand the application protocol being used, they can also
implement protocol-specific security, so that only certain protocols (or
certain operations within a protocol) are allowed in and out of a host.


Firewall Downsides
--------------------
Firewalls, while restricting access from outside attackers, also restrict
users inside the network from connecting to some, or maybe even all,
networks outside the current one. This means a user in the secured network
may not be able to connect to, let's say, www.linux.org unless he has the
permissions to. The same goes for ftp, telnet and the various other network
utilities.


EOF


,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''



]--------------------------------[
[ FileThief.pl ]
]--------------------------------[
[ Developed By ]
]--------------------------------[
[ Mister-X (Admin@x-iz.net) ]
[ Alkatraz (funnet@icom-web.com) ]
]--------------------------------[

For those of you who can't tell what this script does by looking at the
source code: it scans /etc/passwd for users with the same UID as your own.
If it finds any, it reports them to STDOUT and logs them to a file for later
browsing. Yes, it is a common occurrence for slack admins to add users with
a duplicate UID, meaning that you have full access to their files (and they
to yours, since the kernel cannot tell the two accounts apart).

PERL Script Follows:

#!/usr/bin/perl
# filethief.pl - find other accounts that share your UID
use strict;
use warnings;

# getlogin() can fail (no controlling tty), so fall back to the real UID.
my $myusr = getlogin() || (getpwuid($<))[0];
my ($id, $hdir) = (getpwnam($myusr))[2, 7];   # uid and home directory
die "Cannot look up $myusr in the passwd database\n" unless defined $id;

my $fid = time . "-$id";
my $logfile = "$hdir/filethief-$fid.log";
print "Welcome to filethief - searching for $id in /etc/passwd.\n";

my $found = 0;
open(my $logf, '>>', $logfile) or die "Cannot open $logfile: $!\n";
open(my $pwd, '<', '/etc/passwd') or die "Cannot open /etc/passwd: $!\n";
while (<$pwd>) {
    chomp;
    next if /^\s*(#|$)/;                      # skip comments and blank lines
    my ($usr, undef, $uid) = split(/:/, $_, 4);
    # Numeric compare: a shared UID means full access to each other's files.
    if (defined $uid && $uid =~ /^\d+$/ && $uid == $id && $usr ne $myusr) {
        $found++;
        print $logf "$usr has the same ID as $myusr ($id).\n";
    }
}
close($pwd);
if ($found == 0) {
    print $logf "\nNo matches were found at " . localtime(time) . "\n";
} else {
    print $logf "Found [$found] matches at " . localtime(time) . "\n";
}
close($logf);

# Echo the log back to the terminal.
open($logf, '<', $logfile) or die "Cannot reopen $logfile: $!\n";
print while <$logf>;
close($logf);
exit(0);
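The same check is also worth running from the admin's side, where the question is not "who shares my UID" but "which UIDs are shared by anyone", with a duplicate UID 0 being the case that matters most. The following Python is an added example for this issue, not the FileThief authors' code: it parses passwd records while skipping comments and malformed lines, reproduces the FileThief question for one user, and generalises it to a report of every shared UID. The SAMPLE_PASSWD excerpt is constructed for the example and does not come from any real host.

```python
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed /etc/passwd excerpt for the example (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1000:1002:Carol:/home/carol:/bin/bash
# a comment line some tools leave behind
this line is garbage and must be skipped
"""

Entry = Tuple[str, int, str]   # (user, uid, home)


def parse_passwd(text: str) -> List[Entry]:
    """Parse passwd records, skipping comments and malformed lines rather
    than crashing on them; a non-numeric uid field is treated as malformed."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        entries.append((fields[0], int(fields[2]), fields[5]))
    return entries


def peers_of(entries: List[Entry], me: str) -> List[str]:
    """What FileThief reports: the other accounts that share my UID."""
    my_uid = next((uid for user, uid, _ in entries if user == me), None)
    if my_uid is None:
        return []
    return sorted(user for user, uid, _ in entries if uid == my_uid and user != me)


def shared_uids(entries: List[Entry]) -> Dict[int, List[str]]:
    """The general audit: every UID that more than one account maps to."""
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for user, uid, _ in entries:
        by_uid[uid].append(user)
    return {uid: sorted(users) for uid, users in by_uid.items() if len(users) > 1}


def audit_report(text: str) -> List[str]:
    """One finding per shared UID. UID 0 is CRITICAL because a second
    UID-0 account is simply a second root, whatever its name."""
    report: List[str] = []
    for uid, users in sorted(shared_uids(parse_passwd(text)).items()):
        severity = "CRITICAL" if uid == 0 else "WARNING"
        report.append(f"{severity}: uid {uid} is shared by {', '.join(users)}")
    return report


if __name__ == "__main__":
    # Pass a path (e.g. /etc/passwd) to audit a real file; default is the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for finding in audit_report(source) or ["no shared UIDs found"]:
        print(finding)
```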



EOF


,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''


iuuiuuiu
uiuiu uiu i I I
iu uiu yi BI BI
iu uiu i yi I BI
iu ui yi yi BI
uiuuiuui y yi yi BI
iuu yi yi iyi BIB
iu yi yiyi BI BI BI
iu yi yi BIBIBI BI
uiu
[ PURSUiT News Update ]


Well, after all this is the first issue of PURSUiT, so we have
no news to talk about, so we will use this space for ideas,
future features and other things.

Stuff we had in mind:
---------------------

1. Lamer list
This was the idea of one of us, just to take out our rage on people
that keep on bugging us, or just for the fun of it. If we do
include it in the future, I believe it won't be serious, just to
have some laughs the night after on IRC ;)

2. Shouts
It's my idea mostly, though I think it won't be included. If it
is, we will probably use it to thank people who helped put
out the zine, reviewed it, made some corrections etc.

3. Docs exposing
Now this idea came through an anonymous source, who suggested
that PURSUiT could drop docs on a few people now and then. The
people we had in mind are mostly the ones that everyone hates
(I won't declare them here :) but we first need to get the docs,
so it might not happen.

4. Questions\Answers section
This is mostly self-explanatory: a section or column where people
will be able to email us and we will answer the question in
the zine, so that other people can learn the answer too. If we
get enough response for that, we might do it.


That's it for now, if you have other suggestions, ideas, or features
you believe we should include just email us at:

bxj - <bxj@mail.com>
f0bic - <f0bic@deadprotocol.org>


,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
iT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PUR
SUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][P
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''



Well, we all hope you enjoyed the first issue of PURSUiT.
Remember, you can always catch us on IRC, or email us.


EOF
