💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › NAPALM › napalm… captured on 2021-12-04 at 18:04:22.
-=-=-=-=-=-=-
/\ /^/_ _ __ __ _|^|_ __ ___
/ \/ / _` '_ \/ _` | | '_ ` _ \
/ /\ / (_| |_) (_| | | | | | | |
/ / \/ \__, .__/\__,_|_|_| |_| |_|
|_|
. . . ..n10: 2001.03.30
---------------------------------------------------------------------------
all content copyright � 2001 by the individual authors. all rights reserved
---------------------------------------------------------------------------
# prtvtoc
. . . .....................................................................
0x00 Editor's Comments
0x01 Subscriber Emails
0x02 BBS List, Revised
0x03 Chaffing as an Alternative to Encryption (Part I)
0x04 How I Got Myself Into The Comp-Sec World
0x05 Security Hole in Shareplex 2.x
0x06 Intro to Cryptographic Filesystems
0x07 Music Reviews
0x08 Credits
..................................................................... . . .
___________________________________
--------------------------- - kynik
[=] 0x00: Editor's Comments
A chunk of my commentary that I included in the last issue was published
in Information Security magazine. (See "Hacker 'Zines and Information
Security Magazine" in issue 9) You can see it online at
http://www.infosecuritymag.com/articles/february01/departments_talk_back.shtml
Not much new with the Napalm crew here, except that this issue is bound to
be considerably smaller than usual. Everybody's submissions just started
slowing down over New Year's Day and many of our contributors' winter
breaks. On the personal front, I've quit my job and started a security
consulting company for small businesses in my corner of the world. If
you're interested, check out Deus Security at:
http://www.deusec.com/
___________________________
---------------------------
[=] 0x01: Subscriber Emails
Shawn Moyer <shawn@net-connect.net> wrote:
I have one addition to Azure's article on IP hijacking on cable modem
networks... This generally won't work if you don't answer to an ARP
request for the additional IP's you're doing static NAT for.
There are two ways to make that happen:
1) Static ARP:
arp -s IP.you.want.to.snag [MAC address of your outside interface]
2) IP aliasing:
ifconfig (adapter) alias IP.you.want.to.snag
The better of the two would be static arp, since 'ifconfig alias blah'
will cause services on your firewall to start listening on that address
as well, depending on your setup.
--shawn
--------------------------------------------------------
Coney <coney@thehelm.com> wrote:
Your e-zine rocks! (more than Phrack)
[ That's always nice to hear. Phrack does have two things that we don't:
bigger issues and more famous people. (Assuming they release an issue) I
wouldn't call us nearly as big, either, with only 600 subscribers. It's
like comparing Be and Microsoft ;) {kynik} ]
[ There's an old joke about OS/2 being better than Windows. I think that's
called a "backhanded compliment". Still, thanks, we try. {ajax} ]
--------------------------------------------------------
crypt@mailtag.com wrote:
Sorry that this is about such an old article but I found your
Contemporary Telenet I article in the May 16th issue quite interesting.
I had been wondering if it was still alive because it seemed like some
really cool shit to dig into. I got my city's dialup number and
connected, I realized that...I had nowhere to go. After about 4
alternations of me looking up numbers and then connecting again, the
gateway booted me. What I am asking is: When is the next Telenet article
coming out and could you include some numbers for us to fool around with?
Crypt-0-Knight
[ I'll pester blakboot about it, but I'm not sure he's even thought about
doing a follow-up in a long time. {kynik} ]
[ Yes. Telenet lives. Kinda like X.25 and OSI, it just won't die. I
plugged "telenet access numbers" into google and got back a whole buncha
hits, http://www.undergroundnews.com/kbase/underground/hacking/basic.htm
among them, which seemed pretty authoritative. Play around. {ajax} ]
--------------------------------------------------------
John Kozubik <john@kozubik.com> wrote:
Hello,
I realize that this article is quite old, however I only recently
discovered and started reading Napalm.
I wanted to discuss one small point with you concerning your quantum
cryptography article - I realize it is very likely that in the 1.5 years
since you wrote this that you have already considered this fact. I think
it is very important though, so just in case I am bringing it up here.
An excerpt from your article:
It will happen eventually. Somebody will figure out a way to factor
large prime numbers, and, if you didn't know already, will break a
decent number of the 'military-grade' cryptographic algorithms out
there today.
I would like to put forth that at the present time, there is no
mathematical _proof_ that factoring large prime numbers is a so-called
"hard" problem. This is what you are talking about above. Therefore, as
you are suggesting, someone could come along and prove that it is an
_easy_ problem.
[ Quite right. {kynik} ]
[ By definition, factoring large prime numbers (or any prime number) is
not NP-hard, it's impossible. Period. If a number has positive factors
other than one and itself, it isn't prime. {echo8} ]
[ Ok, now I feel silly. I was quoted as predicting that people would be
able to factor large primes. I meant to say "large numbers", where
someone would factor them to try to _determine_ if they are prime. Of
course you can't factor primes, and I think the subscriber followed my
semantic misstep. My apologies, all. {kynik} ]
However, given what we know up to this point regarding this problem, it
is equally as likely that someone could come up with a mathematical
_proof_ that it _is_ a hard problem.
[ For those readers out there who are interested in knowing what the
difference between a "hard" and an "easy" problem, plug "NP hard" into
your favorite search engine. For those of you masochists, try this URL:
http://hissa.nist.gov/dads/HTML/nphard.html {kynik} ]
[ The issue of proof is also unclear. Nobody has yet proved that P != NP.
There are also problems which are provably non-computable. Number
theory is like that. {echo8} ]
[ Interesting things come up when you try to apply parallel computation to
problems that can't be solved in polynomial time serially. The little
bit of number theory I got into in grad school didn't really touch on
this, besides saying that everything gets more complex, as you'd
probably expect. {kynik} ]
That is, insofar as the security of XYZ cryptosystem relies on factoring
large primes being a "hard" problem, it is possible that we could someday
_prove_ that the cryptosystem is secure against a non-brute-force attack.
It is, of course, equally possible that we could _prove_ that it is _not_
an easy problem, at which point XYZ cryptosystem would be secure until
they figured out how to solve that "easy" problem (which would probably
happen simultaneously as they discover that it is an "easy" problem).
I am enjoying your magazine as I catch up on the back issues.
--john
--------------------------------------------------------
sycotik69@hotmail.com wrote:
I've been getting interested in DNS spoofing recently but have no idea at
all how to do it. Can you explain it a little to me please?
sycotik
[ Perhaps one of our more motivated readers or contributors would be
willing to go in-depth on the topic. Stay tuned! {kynik} ]
____________________________
------------------ - _azure
[=] 0x02: BBS List, Revised
[ This BBS list is current as of 2/8/01 {kynik} ]
+-----------------------------------------------------------------------+
| BBS Name | Connect With | Number / Address |
+-----------------------------------------------------------------------+
| Digital Decay | Modem | (741) 871-2057 |
| Firest0rm BBS | SSH | bbs.firest0rm.org |
| Glenside's Cup of CoCo | Modem | (847) 428-0436 |
| L0pht BBS | Telnet | bbs.l0pht.com |
| OSUNY | Telnet/SSH | osuny.inri.net |
| Postcards From The Edge | Telnet | luna.iirg.org |
| Sacrificial Lamb | SSH | english.gh0st.net |
| Technocratic Sanctuary | SSH | ts.darktech.org |
| The Upper Deck | SSH | bbs.vistech.net |
| Uncensored! | Telnet/SSH | uncensored.citadel.org |
+-----------------------------------------------------------------------+
[ L0pht bbs is part of history, last time I checked. Someone at @stake
probably clued them that there might be legal ramifications to hosting
a hacking bbs. Capitalism sucks that way. {ajax} ]
[ For the sake of correctness, we might want to point out that c0re *is*
technically still up -- but there appears to be a routing and/or
hardware issue that has slowed the system to a crawl. It is still
occasionally possible to login (though it's very difficult to
navigate). Regardless of the other areas in which L0pht seems to have
slacked (removing their website, etc.), they don't appear to have
purposely removed the BBS. As history has shown, they haven't (and
continue not to) pay much attention to the board. {_azure} ]
___________________________________________________________________
----------------------------------------------------------- - kynik
[=] 0x03: Chaffing as an Alternative to Encryption (Part I)
I remember reading Rivest's paper on chaffing[1] and being blown away
by the simplicity of the idea, not to mention the practical applications.
I told myself, "Self, you can write this, and it'd make a damn fine
secure file transfer method." So I thought about it, scribbled some stuff
down on a sheet of paper and forgot about it for about 6 months. I
noticed the copy of Rivest's paper in an abandoned directory and the
wheel started turning again. During my visit to San Francisco, I managed
to write almost all of the enchaffing and dechaffing pieces. I'm at a
point right now where I just need to debug and the libraries are done.
So let me explain what all of this babbling of mine is about.
Chaffing is the insertion of fake pieces into a message, so that anyone
eavesdropping on the message won't know which part is legitimate and which
is the chaff. Let's say we wanted to enchaff a simple message. This
example is from Rivest's paper. The enchaffed message might look something
like this:
(1,Hi Larry,532105)
(1,Hi Bob,465231)
(2,Meet me at,782290)
(2,I'll call you at,793122)
(3,6PM,891231)
(3,7PM,344287)
(4,Yours-Susan,553419)
(4,Love-Alice,312265)
You can't really be sure what the entire message is supposed to be
without knowing what's going on. The first number is a sequence number,
which basically allows the receiver to put the message pieces in the right
order, if they happen to be deliberately mixed. The third field is a keyed
hash, which basically means, "Append the secret key to the message and get
the [MD5 or whichever] hash." This way, only someone who knows the secret
key can easily determine which hash is correct, and thus, what the real
message is. Standard key-exchange algorithms such as Diffie-Hellman can be
used to transmit this key.
You can get even more complicated here by throwing a variable number of
chaff pieces into the message, perhaps with a probability of extra chaffed
packets. I added this functionality into my preliminary file enchaffing
and dechaffing routines. (I think I'm going to wait until Napalm 11 to
actually release the code, as I'd rather it be in a more complete state
before anybody tried to do anything with it.)
The biggest problem I've discovered is that generating chaff from
/dev/random or other random sources only works if your message looks
pseudo-random. While testing out my enchaffing functions on a text file,
and skimming through the resulting output, it's pretty clear which part is
the message and which part is the chaff. The strength of the enchaffing
program depends directly on how good the chaff-generation function is.
This problem can be somewhat avoided by using another of Rivest's
suggestions. He suggests that before the entire message is enchaffed, a
'package transform' or 'all-or-nothing transform' is applied. This
transform makes it impossible to retrieve the original message unless the
entire transformed message is received. Presumably, (I haven't
actually implemented this yet, though that's next in my priority list
on this project) this transform would make a text file look pseudo-random
and therefore it'd be much harder to determine what was chaff and what was
part of the real message. It would also be possible and not a bad idea to
compress the file before it's package transformed, to reduce the amount of
data that needs to be sent, and to remove the plaintext componenets of the
message.
So what, right? This is basically encryption. It sure seems like it, but
it's technically not, which is the beauty of it. The package transform is
not encryption. Rivest explains this:
The packaging operation can be undone by anyone who receives the
packaged message; as noted, packaging is not encryption and there are
no shared secret keys involved in the packaging operation.
The chaffing operation also is not encryption, since the sender is only
transmitting authenticated packets, with the important message part sent
in the clear. (Well, in a packaged form in the clear) Since these methods
do not involve encryption, a user can sidestep many laws regarding
encryption while still having a certain degree of confidentiality. Rivest
explains this sidestepping in greater detail in his paper than I will
here.
Expect to have a working file-enchaffer by Napalm 11. Hopefully I can
include a package transform and a compression component with it. I'm very
interested in hearing what you all think about this, and any ideas that
would improve or possibly defeat this. Feel free to email me at
kynik@firest0rm.org
[1] "Chaffing and Winnowing: Confidentiality without Encryption",
http://theory.lcs.mit.edu/~rivest/chaffing.txt
______________________________________________________________
-------------------------------------------------- - anonymous
[=] 0x04: How I Got Myself Into The Comp-Sec World
[ This article is from a subscriber who wishes to remain anonymous. Any
commentary on this may be sent to kynik@firest0rm.org and I can forward
it on. {kynik} ]
How I Got Myself into the Comp-Sec World
or
It May Sound Funny, but I Learned Hacking at School
I don't post to Bugtraq. I don't release stuff on Packetstorm (either
the code is too dumb or too cool to make it public). I'm not a member of
a crew. You don't know me. If you know my handle, forget it, tomorrow
it's different. I'm not kewl nor 31337. I'm not a wordclass-hacker (in
fact I settle myself somewhere between a cracker and a hacker), nor am I
a member of the "Underground" (if it still exists). I'm not perfect, I'm
no wizard; there are kids that are younger than me who know more than
twice as much as I do.
The better days of my all too short youth I spend in a top-notch
boarding school somewhere in Europe. It was quite a traditional one,
yeah, one with church every Sunday and ultrasmartasses learning all day.
But there were also different people, people like me. Dudes who did their
own stuff and didn't care a lot about what parents or teachers told us.
Well, we went to school, did our homework, smoked when it was possible,
drank ourselves near delirium every other weekend. School didn't matter,
we had good grades and when we had problems we helped each other (the
kind of guys that fuck the prom queen).
My buddies and I had a lot of different hobbies (rugby, drama, art,
etc.) but we had one hobby we all shared: computer games. We were addicted
to all sorts of games. Many I have forgotten since then, but some, like
Doom, or all the Sid Meier games are burned into my brain forever.
Computers weren't widely distributed at that time - it was '94. The masses
hadn't realised there were computer networks or people like "hackers".
1995 was the year that would change a lot. Windows 95 came out, changed
the world (and then crashed). Suddenly there were ads for internet service
providers like CompuServe, the school got a LAN "for educational purposes"
and we realised that computers could be serious fun when connected
together. A serial connection was ok, if we did nothing special but for
file sharing a real LAN would be better. Articles in computer magazines
encouraged us, there was no discussion, we installed one (expensive
10Mbit-ISA-cards and BNC-Cable).
It was all too fascinating, a new world for us to play with. A few
months all ran well, but after the summer, someone nearly slipped from the
roof of our main dormitory (if the roof had been wet he'd been straight
dead). The authorities thought about it, then they budgeted 10000$ to
install a LAN in the complete school and dorm buildings.
In '96 my buddies and I were absolute power users in networking (in our
opinions). We knew everything there was to know about setting up ethernet
networks. From the box of our minix-dude we learned that there were
strange OS's out there and finally came into contact with Linux. It was
strange because our world was totally dominated by M$ (and 4dos + some
other enhancements). I hated it. Some loved it because of the anti-MS
aspect - they weren't able to handle their Win 3.x and 95 stuff right.
(They weren't so leet in M$ than I was, hehehe). Well, most of these
Linux-tryers don't use it anymore. It was too shitty then. Now they don't
touch it because they think it's still crap.
With the growth of the internet, finally the school got the idea that
internet-access would be a cool thing for a elite boarding school. Well,
guess who were the morons that had to work out that NAT/proxy/cable/
internet stuff? Yep, it was me and two of my friends plus a strange guy
who was known as a hardcore Linux user in our school (he always laughed at
our windows problems). I thought I knew a lot about networking. *doh*.
That router installation was a real kick in the ass for me and a wake-up
call not to be so arrogant. It was hard work, but finally linux ran on
that box (I think it was Redhat 4.x (or 5.x?)). It ran Linux because the
school didn't want to buy another NetWare license. I would have preferred
NT 3.51, but no one would listen to me. That protocol stuff was strange -
yeah, packets cool - I know about packets, sir.
We started with a 33.6 connection, which was fine if you used it on
your own, what you only could to at night. So I stayed up and surfed the
net in the early mornings, my monitor killing my eyes, my body yearning
for sleep. After a week I found the first DoS tool (note: on
www.genocide2600.com/~tattooman/ which would later develop into
Packetstorm). Well, came there by accident, I was happy I had found
something mighty. "...will crash your computer....OOB....bluescreen".
Wait a minute, this is cool, I can crash other peoples boxes so I get the
connection to the net for myself. Cool. In the following week, many people
came to the conclusion that blue wasn't a pretty colour in the end.
In the next edition of our favourite computer magazine all was discussed
and soon after that patches were released. Finally, tools were released
that could even kick my beloved NT in the ass. One day I was in a VERY bad
mood (because of a girl ;). I flooded and DoS'd our gateway to death. I
tried every tool I had and after a while the box didn't answer my pings
anymore. I don't know why I actually did it. I simply did (and it worked).
Just to see the bluescreen (if it was blue on linux) I went with the
admin (the hardcore Linux user) to the gateway. Our admin had a very old
box - it was rumoured it was a 486 (very slow compared to our PII's; in
fact, it was a p100) and ran on Linux devel-kernel-code only (which was
like a area52 to us M$-Users). He was someone who knew how to use gdb and
gcc perfectly, my Linux friends "feared" him and I didn't get a clue out
of him.
He, a guy with glasses and too much pizza-muscles on his hips, showed me
the box: no bluescreen. He logged himself in, did some crazy shit, well
and we were back on the internet in less than a minute.
Utilising strange commands I had never seen like "ifconfig -a" and
"ps faux" he checked the box.
"Hey, wait a minute, what's that?" I asked.
"That would be a task manager in your eyes, but this is Linux, this is a
better world."
"Hmm. What is the most extreme shit you can do with Linux?"
"You can code a world, man. Source code, FREE source code, you can code
your own kernel, YOUR stuff. You can make the computer do exactly what
YOU want."
"It sounds interesting, but I won't use it. I don't wanna format my HD."
He turned around and looked in my eyes.
"Do you know the word 'multi-user'?"
Seconds later I was on my first telnet session ever, exploring the
admin's box from a user account.
"This is cool. It's so different. Is this DOS? What's the most extreme
you can do with remote boxes? Crash them?"
The admin grinned.
"No...you can hack them. Break into them. Make them give you admin
rights, so you have god-like control."
"Show me. Now."
"No, you gotta learn for yourself. But if you have good questions I will
maybe answer them."
I begged and asked again. He refused.
From that day on I was logged on to that admins box daily. My best
friend was "man", afterwards came "less" to read the RFC's (which was
really hard work the first time). In my senior year I took a computer
science class in school, which was a good decision because the teacher (a
new one) taught us about algorithms and C. Together with a few books and
advice from our admin, a lot of time, caffeine and long nights in front of
my box I learned to hack. The school's LAN was my playground where I
could test everything I wanted without fear. A few months before
graduation we got a E1 (2Mbit) and a Cisco. Protected by NAT and not
existing log files about internet usage I explored the Internet and had a
very good time. The time I finished school I was familiar with Linux, NT
and Netware and had a deep understanding of TCP/IP Networking.
I'm very happy someone introduced me to the world of Linux and free
software, else I'd perhaps still be a DoS-Kiddie. I've been to university
for a while now (and I've found another LAN to mess with) and sometimes
miss the time I had at school. NT and Win2000 are my "research field" at
the moment, but I plan to sell some stufff so I can afford a whole box for