                     The HAVOC Technical Journal

     Vol. 1 | No.10 | May 1st, 1997 | A HAVOC Bell Systems Publication

  "Will someone please ICMP 127.0.0.1? That guy is an asshole!" -iCBM
_____________________________________________________________________________

                -[The HAVOC Technical Journal Issue 10]-

    Editorial..............................Scud-O
    Network Programming for the Beginner...Scud-O
    A Blue Box Story.......................memor
    Basic Electricity......................ec|ipse
    Pirating Your Own Radio Station........DataThief
    French Pager Annoying..................memor
    Unix Port Prober - prober.c............Scud-O
    udp-scan.c [ from Satan 1.1.1 ]........Wietse Venema
    phf.c (Again)..........................Scud-O/memor/[others]
    The history of digital technology......REality
    Scanning for losers....................shamr0ck
    REality's Digital Dictionary...........REality
    K-Kool hackers chat here!..............KungFuFox
    The News...............................KungFuFox
    Phonecalls.............................THTJ
-------------------------------------------------

PLEASE NOTE: HBS's and THTJ's Web site is moving! Take note as Scud-O will be replacing his page with his own shit and code soon! The new site is still under wraps, stay tuned to thtj for more info, and look at the current geocities web site, which will lead you to the new site.
_____________________________________________________________

    Each pushes a weight against his chest, and howls
    At his opponent each time that they clash:
    "Why do you squander?" and "Why do you hoard?" Each wheels
    To roll his weight back round again; they rush
    Toward the circle's opposite point, collide
    Painfully once more, and curse each other afresh...
                        The Inferno of Dante, Canto VII

[ Subliminal Message: Get Inferno OS NOW! http://www.lucent.com/inferno/ ]
_____________________________________________________________

The HAVOC Technical Journal
- Information -

    Editor in Chief     : Scud-O, FoxMulder@worldnet.att.net
    Editor              : KungFuFox, mazer@cycat.com
    Submissions Editor  : Keystroke, keystroke@thepentagon.com
    THTJ email address  : thtj@juno.com
    THTJ website        : http://www.geocities.com/SiliconValley/8805
    THTJ mailing address: PO BOX 448 Sykesville, MD 21784

The HAVOC Technical Journal Vol. 1, No.10, May 1st, 1997. A HAVOC Bell Systems Publication. Contents Copyright (©) 1997 HAVOC Bell Systems Publishing. All Rights Reserved. No part of this publication may be reproduced in whole or in part without the expressed written consent of HAVOC Bell Systems Publishing. [No copying THTJ, damnit.]

The HAVOC Technical Journal does in no way endorse the illicit use of computers, computer networks, and telecommunications networks, nor is it to be held liable for any adverse results of pursuing such activities. [Actually, to tell you the honest to goodness truth, we do endorse that stuff. We just don't wanna get in trouble if you try it for yourself and something goes wrong.]

For information about using articles published in THTJ, send mail to:
    e-mail: thtj@juno.com
    mail:   THTJ c/o HBS
            PO Box 448
            Sykesville, MD 21784
_____________________________________________________________

[Editorial : by Scud-O]

Ok, I had a great editorial all written up, but some things have been going on, and I do not want to offend people, so I killed what I had written up. So naturally there is no editorial. Sorry.

Hey, anyway, check out the new HBS site. I was bored with the old one so I bombed it, and made a whole new site. And don't worry, the 'After the Aftermath' doesn't mean that HBS or THTJ is going to die, we are stronger than ever, so don't worry.

I would like to send thanks out to KungFuFox, not only for editing THTJ 9, but for majorly helping me out with THTJ. I owe you big Kung!
Also, thanks go to JP, who has raised AntiOnline from a new site on a terribly slow connection, and a huge URL, to one of the largest hacking sites on the web, with its own domain. Keep it coming JP! And JP, I owe you too, thanks for your kind, witty advice, and for making a kick ass site, so I felt bad about my site, and fixed it up, majorly.

And finally, wrath.sepulchre.org is gone. This is upsetting to me since I was planning on moving my site, but thanks to too many lamers that abused BitchX, wrath was K-lined, and after getting too many complaints from sysadmins, chiapope pulled the plug. So, thanks a hell of a lot to you lamers that made chia do this. ( You know who you are..... buncha punks...)

[ AntiOnline: http://www.antionline.com ]
[ RIP : wrath.sepulchre.org ]
----------------------------------------------

[ASCII-art signature, not legible in this copy]
-of HAVOC Bell Systems-
FoxMulder@worldnet.att.net | http://www.geocities.com/SiliconValley/8805

(Hey, I'm left handed, so if ya don't like the quote, fuck you! )
"Any group that includes Charlemagne, Rock Hudson, Paul McCartney, Leonardo da Vinci, Benjamin Franklin, Jack the Ripper, and the Boston Strangler must be select, if not elite."
    -author James de Kay talking about left handers

The Truth May Be Out There (Call Me If You Find It)
_____________________________________________________________

[Network Programming for the Beginner]
A Tutorial by Scud-O

Network programming is the heart of UNIX programming. It is as simple as that. (Well, ok, not all programs need to communicate via a network, or modem, but network programming is still none the less an important part of UNIX.) And since this important topic can be so complex and complicated, I decided to write this primer on sockets and socket programming. Now this article is anything but complete and in-depth, since this is only to give you the basics.
With this you can start writing various utilities and firewall holes, whatever, but if you really want to know more, go out and buy the 3 volume set of books: TCP/IP Illustrated from Addison-Wesley Publishing. Although I currently do not have this 3 volume set, ( hell, I'm too busy saving up for my new car and a new hard drive!) I always stop by Borders and spend a few hours reading it, or stealing my friend's copy for a few days.

Ok, anyway, there are a few basic calls and protocols that you will use for the connection.

    o socket()
    o bind()
    o listen()
    o accept()
    o setsockopt()
    o getsockopt()
    o connect()
    o sendto()
    o recvfrom()

You must also decide on which type of protocol that you will use:

    o Connection Based (TCP)
    o Connectionless (UDP)

[Ports and Sockets]

Network Programming is based on the use of sockets to accept and send information. As I showed above, there are 2 main protocols that you can use to send information. Transmission Control Protocol ( TCP ) and User Datagram Protocol ( UDP ) are your 2 choices. TCP is a connection based protocol, which means that when you open up a port you send a 3 way handshake, and usually login with a user id and password. UDP is a connectionless protocol, which means that no login is made, and a handshake is not done, so connections can be easily lost, and errors are common; however this is an easier protocol to implement (or so I think). Basically, the main difference is that with TCP a connection is set up first, while in UDP, data is exchanged as part of the message.

Both protocols require you to have a port number which you open up to, to transfer information. Port numbers are used so a computer doesn't have to 'read' what applications are running ( why do you think UNIX uses pids? ). It also makes it easy for the OS to know how many applications are running at any given time.
Technically, the port numbers could be assigned by the system administrator, but for the most part ( about 99% ) servers use some standard conventions for assigning ports so machines can communicate. Port numbers are assigned from 1 and go on up. For the most part ports above 255 are for the local system's use only, but as with everything, there are exceptions ( irc at port 6667 or httpd at 8080 for example ). The ports from 1 to 255 are for most networking services.

Each network connection ( both going into and out of ) a host's port is uniquely identified by a combination of 2 numbers, the IP address of the machine and the port number in use, which together make up a socket. Because at least 2 computers will be involved with the connection, there are sockets on both the sending and receiving ends of the connection. And since both the IP addresses and the ports are unique to each machine, the sockets are thus unique, and this lets applications talk to each other across the network based entirely on the socket number. Both machines on the connection maintain port lists that list all active ports, and the 2 machines involved have reversed entries for each session between the two, a process called binding. For example, if one machine has a source port at 23 and the destination at 25, the other machine will have a source port at 25 and a destination at 23.

[Socket Programming]

Linux supports BSD style socket programming, so everything here should work on either Linux or any of the BSD platforms. Well, once again, here is the list of the main socket C functions you will be using.

    o socket()
    o bind()
    o listen()
    o accept()
    o setsockopt()
    o getsockopt()
    o connect()
    o sendto()
    o recvfrom()

[ The socket() System Call ]

The socket() system call creates a socket for the client or the server. The socket() function is defined as:

    #include <sys/types.h>
    #include <sys/socket.h>

    int socket(int family, int type, int protocol);

For linux, the family equals AF_UNIX.
The type would be either SOCK_STREAM ( socket stream: slow, reliable connection) or SOCK_DGRAM ( socket datagram: fast, less reliable connection). The protocol should be IPPROTO_TCP for SOCK_STREAM and IPPROTO_UDP for SOCK_DGRAM. The return value from this function is -1 if an error occurred, otherwise it is a socket descriptor. You use the socket descriptor to refer to this socket in all calls in your program after a successful socket(). Sockets are created without names; bind() is what gives the socket the name clients use to read or write to it.

[ The bind() System Call ]

The bind() call assigns a name to an unnamed socket. Bind is defined as:

    #include <sys/types.h>
    #include <sys/socket.h>

    int bind(int sockfd, struct sockaddr *saddr, int addrlen);

The first item is a socket descriptor, the second is a structure holding the name to use, and the last item is the structure's size. Now that you have bound an address for your client or server, you can either connect() to it (if your code is a client), or listen() to it (if your code is a server). First I'll show you listen() and a few other calls that servers use, and then we will get to clients.

[ The listen() System Call ]

The listen() system call is used by the server. It is defined as:

    #include <sys/types.h>
    #include <sys/socket.h>

    int listen(int sockfd, int backlog);

The sockfd is the socket descriptor, and the backlog is that wonderful little backlog queue that daemon9 showed us how to exploit in phrack 48. It holds the number of pending connections before any are rejected. Use the standard value of 5 for this. A return value of -1 is an error. If this call is successful, you can now accept connections.

[ The accept() System Call ]

accept() is used by a server to accept any incoming messages from a client's connect() call. Be aware that this function does not return if no connections are received.
It is defined as:

    #include <sys/types.h>
    #include <sys/socket.h>

    int accept(int sockfd, struct sockaddr *peeraddr, int *addrlen);

The parameters are the same as for the bind() call, except that peeraddr points to information about the client that is making the connection request, and addrlen is passed as a pointer: you set it to the size of peeraddr before the call, and accept() overwrites it with the size of the address it filled in. Based upon the incoming message, the fields in peeraddr are filled out.

[ The connect() System Call ]

connect() is used by a client program to connect to a server when you are using a connection-based system (ie, TCP). This call should be made after you have bind()ed the connection. It is defined as:

    #include <sys/types.h>
    #include <sys/socket.h>

    int connect(int sockfd, struct sockaddr *servaddr, int addrlen);

As you can see, the parameters are the same as those for the bind call except that servaddr points to info about the server that the client is connecting to. The accept() call creates a new socket for the server to work with the request. This way, the server can fork() off a new process and wait for more connections.

[ setsockopt(), getsockopt(), and the Linux bug ]

You may not know this, but there is a major bug in Linux's socket libraries. The bug is that even if you have closed a socket properly, you cannot reuse that socket. ( I think daemon9 discussed this in his TCP/SYN article for phrack 48, and I think that his ideas on what was causing the problem are right, but that remains to be seen. ) For example, if you write a server that waits on a socket, it opens the socket and listens on it without a single problem. However, if the server either crashes or normally terminates and you restart the server, you can not bind back to the same port. The error codes from bind() keep returning an error indicating that the port you are trying to connect on is already bound by another process. The problem lies in the fact that Linux's kernel never marks ports as unused when the process that is using the socket terminates.
To get around this, the solution is to use setsockopt() to set the options on the socket when it is opened, and before a connection is made. The setsockopt() call sets options and the getsockopt() call gets options for a given socket. The syntax and definition of the 2 calls are:

    #include <sys/types.h>
    #include <sys/socket.h>

    int setsockopt(int sockfd, int level, int name, char *value, int optlen);
    int getsockopt(int sockfd, int level, int name, char *value, int *optlen);

Once again, the sockfd must be an open socket, level is the protocol level, either IPPROTO_TCP for TCP/IP or SOL_SOCKET for socket level options. Name is the option as defined in the socket's man page. The *value pointer points to the location where a value is set by getsockopt() and must be set by you when calling setsockopt(). Note that setsockopt() takes the option length by value while getsockopt() takes a pointer to it, because getsockopt() writes back the length it actually filled in. The full man page for this is under man page setsockopt(2). Have fun reading it.

Now, back to the bug. When you open a socket, you must also call the setsockopt() function like so:

    #ifdef LINUX
        int opt = 1;
        int len = sizeof(opt);
        setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, len);
    #endif

You only will need the #ifdef and #endif if you want to be able to quickly and easily port this code, since some UNIX systems don't support the SO_REUSEADDR flag.
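The rebind failure described above, and the SO_REUSEADDR fix for it, as an added example that is not code from the article: it opens a listener on 127.0.0.1, runs one loopback connection through it, closes the server side first, and then tries to bind a second listener to the same port, once without and once with SO_REUSEADDR. The function names are this example's own, and it assumes a Linux or BSD host with loopback networking available.

```c
/* Added example, not from the THTJ article: reproduce the "can't rebind
 * after close" behaviour the tutorial describes and show that SO_REUSEADDR
 * clears it.  A TCP listener on 127.0.0.1 accepts one loopback connection,
 * the server closes it first (so the server's end of the connection is the
 * one left in TIME_WAIT), then a fresh listener tries to bind the same port.
 * All names below are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener bound to 127.0.0.1:port (0 = let the kernel pick);
 * `reuse` selects whether SO_REUSEADDR is set before bind().
 * Returns the fd, or -errno on failure. */
static int make_listener(unsigned short port, int reuse)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd < 0)
        return -errno;
    if (reuse) {
        int opt = 1;
        /* setsockopt() takes the option length by value, not by pointer */
        if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) < 0) {
            int e = errno; close(fd); return -e;
        }
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);                 /* sin_port, not sin_family */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(fd, 5) < 0) {
        int e = errno; close(fd); return -e;
    }
    return fd;
}

/* Run one connection through a listener, close the server side first, then
 * try to bind a new listener to the same port.  Returns 0 when the rebind
 * succeeds, EADDRINUSE when the port is still held, or another errno value
 * if the setup itself failed. */
int rebind_after_close(int reuse_on_rebind)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    int lfd, cfd, sfd, nfd, rc;
    unsigned short port;
    char buf[16];

    lfd = make_listener(0, 1);                   /* first listener, any port */
    if (lfd < 0) return -lfd;
    if (getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0) {
        rc = errno; close(lfd); return rc;
    }
    port = ntohs(addr.sin_port);                 /* remember what we got */

    cfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (cfd < 0) { rc = errno; close(lfd); return rc; }
    if (connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        rc = errno; close(cfd); close(lfd); return rc;
    }
    alen = sizeof(addr);                         /* accept() wants a pointer */
    sfd = accept(lfd, (struct sockaddr *)&addr, &alen);
    if (sfd < 0) { rc = errno; close(cfd); close(lfd); return rc; }

    /* one round trip so both ends have a fully established connection */
    if (write(cfd, "ping", 4) != 4 || read(sfd, buf, sizeof(buf)) != 4) {
        close(sfd); close(cfd); close(lfd); return EIO;
    }

    close(sfd);                                  /* server closes first ... */
    close(lfd);
    close(cfd);                                  /* ... then the client */

    nfd = make_listener(port, reuse_on_rebind);  /* the restarted "server" */
    if (nfd < 0) return -nfd;
    close(nfd);
    return 0;
}

int main(void)
{
    printf("rebind without SO_REUSEADDR: %s\n",
           rebind_after_close(0) == EADDRINUSE ? "EADDRINUSE" : "ok");
    printf("rebind with SO_REUSEADDR:    %s\n",
           rebind_after_close(1) == 0 ? "ok" : "failed");
    return 0;
}
```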
[ Sample Code: A Socket Oriented Server ]

    /********************************************************
     * Sample Code: A Socket Oriented Server, from THTJ 10
     * Written By Scud-O of HBS
     ********************************************************/

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <strings.h>
    #include <stdlib.h>
    #include <unistd.h>

    #define PORT 1152   /* Use what ever you want, it doesn't matter */

    /* myabort() and do_what_ever_here() are yours to write, see the NOTE below */
    void myabort(const char *msg);
    void do_what_ever_here(int fd);

    int main(int argc, char *argv[])
    {
        int sockfd, newfd;
        int cpid;                            /* child id */
        struct sockaddr_in servaddr;
        struct sockaddr_in client_info;
        socklen_t addrlen;                   /* accept() needs a pointer to this */

        /* note the parentheses: assign first, then compare with 0 */
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            myabort("Unable to create socket");
        }

    #ifdef LINUX
        {
            int opt = 1;
            int len = sizeof(opt);
            setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, len);
        }
    #endif

        bzero((char *)&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
        servaddr.sin_port = htons(PORT);     /* the port goes in sin_port */
        /******************
         * the htonl ( for a long integer ) and htons ( for short integer )
         * convert a host oriented byte order into a network order.
         *******************/

        if (bind(sockfd, (struct sockaddr *)&servaddr, sizeof(struct sockaddr)) < 0) {
            myabort("Unable to bind socket");
        }

        listen(sockfd, 5);

        for (;;) {
            /* Wait here.... */
            addrlen = sizeof(struct sockaddr);
            newfd = accept(sockfd, (struct sockaddr *)&client_info, &addrlen);
            if (newfd < 0)
                myabort("Unable to accept on socket");

            if ((cpid = fork()) < 0)
                myabort("Unable to fork on accept");
            else if (cpid == 0) {            /* Child Process */
                close(sockfd);               /* We dont need the original anymore */
                /* Place your code for what you want the server to do where
                   do_what_ever_here(newfd); is ! */
                do_what_ever_here(newfd);
                exit(0);
            }
            close(newfd);                    /* were back in the parent */
        } /* end of for loop */
        /* Good Bye! */
    }

Ok, so basically, the connection based server does the following things:

    o Creates a socket with socket()
    o Binds itself to an address with bind()
    o Listens for connections with listen()
    o Accepts any incoming connections with accept()
    o Gets incoming messages with read() and writes with write()
      [ read() and write() will be in your do_what_ever_here() call! ]

NOTE: myabort() should be a procedure YOU create to handle error messages, and then kill the process, restart, etc.

Now, for a client.....

[ The Client ]

    /********************************************************
     * Sample Code: A Socket Oriented Client, from THTJ 10
     * Written By Scud-O of HBS
     ********************************************************/

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <string.h>

    #define PORT 1152                        /* Use what ever you want, it doesn't matter */
    #define MY_HOST_ADDR "Put.Your.IP.Here"  /* the server you are connecting to */

    int getServerSocketId()
    {
        int fd, len;
        struct sockaddr_in my_addr;
        struct sockaddr_in serv_addr;

        /* Create an Internet domain stream socket ( = assigns, == would compare ) */
        if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            return(-1);
        }

    #ifdef LINUX
        {
            int opt = 1;
            int optlen = sizeof(opt);
            setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, optlen);
        }
    #endif

        /* Fill a socket address structure with our own address: any local
           interface, and port 0 so the kernel picks a free local port */
        memset(&my_addr, 0, sizeof(my_addr));
        my_addr.sin_family = AF_INET;
        my_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        my_addr.sin_port = htons(0);
        len = sizeof(my_addr);

        if (bind(fd, (struct sockaddr *)&my_addr, len) < 0)
            return(-2);

        /* Now fill in where the server is, and connect to it */
        memset(&serv_addr, 0, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        /* Convert internet address to binary value */
        serv_addr.sin_addr.s_addr = inet_addr(MY_HOST_ADDR);
        serv_addr.sin_port = htons(PORT);
        len = sizeof(serv_addr);

        if (connect(fd, (struct sockaddr *)&serv_addr, len) < 0)
            return(-3);

        return(fd);
    }

    /* Add in main() function, do whatever you like to send out error messages, etc..... */

The client does the following things:

    o Creates a socket with socket()
    o Attempts to connect with connect()
    o If a connection is made, request data with write(), read info with read()
      [ NOTE: these would be called in main() ]

Now, for a connectionless socket example

[ Connectionless Sockets : The Server ]

Ok, first we will need to know the few, subtle, but important differences with connectionless socket programming. The first main principle is that the server uses recvfrom() instead of listen() and accept(). And, to reply to messages, sendto() is used.

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <strings.h>

    #define PORT 262     /* Use what you wish */
    #define MAXM 4096

    char mesg[MAXM];

    /* myabort() and do_what_ever_here() are yours to write, as before */
    void myabort(const char *msg);
    void do_what_ever_here(char *mesg);

    int main(int argc, char *argv[])
    {
        int sockfd, n;
        struct sockaddr_in servaddr;
        struct sockaddr_in client_info;
        socklen_t addrlen;

        /* SOCK_DGRAM this time: a connectionless ( UDP ) socket */
        if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
            myabort("Unable to create socket");
        }

    #ifdef LINUX
        {
            int opt = 1;
            int len = sizeof(opt);
            setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, len);
        }
    #endif

        bzero((char *)&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
        servaddr.sin_port = htons(PORT);
        /******************
         * the htonl ( for a long integer ) and htons ( for short integer )
         * convert a host oriented byte order into a network order.
         *******************/

        if (bind(sockfd, (struct sockaddr *)&servaddr, sizeof(struct sockaddr)) < 0) {
            myabort("Unable to bind socket");
        }

        for (;;) {
            /* Wait here.... recvfrom() fills in client_info with the sender */
            addrlen = sizeof(client_info);
            n = recvfrom(sockfd, mesg, MAXM, 0,
                         (struct sockaddr *)&client_info, &addrlen);
            if (n < 0)
                myabort("Unable to receive on socket");

            /* Place what server is to do in here. */
            do_what_ever_here(mesg);

            /* reply to whoever sent it, using the address recvfrom() gave us */
            sendto(sockfd, mesg, n, 0, (struct sockaddr *)&client_info, addrlen);
        } /* end of for loop */
        /* Good bye! */
    }

As you can see, connectionless programming is much easier than connection based programming, but I still advise against using connectionless, since errors are very common.
And, a pain lies in that you must process each message one at a time, since messages from multiple clients can be multiplexed together. In the connection based model, the child process always knows where each message is coming from. The client doesn't need to call connect() either; instead it calls sendto() directly. For the client side of the connectionless connection, use the same code as in the server, but note that sendto() is called before recvfrom(), as so:

    #include <sys/types.h>
    #include <sys/socket.h>

    int sendto(int sockfd,
               const void *message,             /* pointer to message */
               int length,                      /* of message */
               unsigned int flags,              /* of routing, leave as 0 */
               const struct sockaddr *client,   /* where to send it */
               int addrlen);                    /* of sockaddr */

NOTE: Use this call, not sendmsg(), since sendto() is more efficient. Any errors are returned as -1, and only local errors will be detected.

recvfrom() looks like:

    #include <sys/types.h>
    #include <sys/socket.h>

    int recvfrom(int sockfd,
                 void *message,                 /* buffer the message is read into */
                 int length,                    /* of the buffer */
                 unsigned int flags,            /* of routing, leave as 0 */
                 struct sockaddr *client,       /* filled in with who sent it */
                 int *addrlen);                 /* pointer to the size of sockaddr, updated on return */

Note that if the message is too long to fit in the buffer, the extra bytes will be discarded. The call could return immediately, or it could wait forever; it all depends on the type of flag that is sent. I also recommend that you set timeout values; read the man page for recvfrom, since this info changes from server to server.

Ok, well, this is all for this beginner's guide on Socket Programming. I have barely even started to get to the core of socket programming, but one can only devote so much time to a subject. For more information, check out the book: 'UNIX Network Programming' by W. Richard Stevens ( Prentice Hall, 1990 ). This is by far the most comprehensive guide out there, and most Universities use it as a text book for their advanced C classes.
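The sendto()/recvfrom() exchange described above, with both sides in one process, as an added example that is not code from the article: a UDP echo server and a client on 127.0.0.1, where the client skips connect(), the server replies to the address recvfrom() filled in, a receive timeout keeps recvfrom() from waiting forever, and a deliberately small client buffer shows the discarded tail of a long datagram. The function names are this example's own; it assumes loopback networking is available.

```c
/* Added example, not from the THTJ article.  A UDP "server" and "client" in
 * one process on 127.0.0.1: the client sends a datagram with sendto() (no
 * connect() needed), the server picks it up with recvfrom() and sends it
 * straight back to the address recvfrom() filled in.  It also shows two of
 * the tutorial's warnings: a receive buffer that is too small silently drops
 * the tail of a datagram, and a receive timeout stops recvfrom() from
 * blocking forever.  All names are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a UDP socket to 127.0.0.1 on a kernel-chosen port and report the
 * resulting address through *out.  Returns the fd or -1. */
static int udp_bound_socket(struct sockaddr_in *out)
{
    socklen_t alen = sizeof(*out);
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (fd < 0)
        return -1;
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(0);                        /* 0 = pick a free port */
    out->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)out, sizeof(*out)) < 0 ||
        getsockname(fd, (struct sockaddr *)out, &alen) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send `msg` to a loopback echo server and receive the reply into a buffer
 * of `bufsize` bytes (at most 64).  Returns the number of bytes the client
 * got back, or -1 on error (a receive timeout shows up as errno EAGAIN). */
ssize_t udp_echo_roundtrip(const char *msg, size_t bufsize)
{
    struct sockaddr_in srv, cli, peer;
    socklen_t plen;
    char sbuf[64], rbuf[64];
    struct timeval tmo = { 1, 0 };                   /* 1 second receive timeout */
    ssize_t n, got = -1;
    int sfd, cfd;

    if (bufsize > sizeof(rbuf))
        return -1;
    if ((sfd = udp_bound_socket(&srv)) < 0)
        return -1;
    if ((cfd = udp_bound_socket(&cli)) < 0) {
        close(sfd);
        return -1;
    }
    setsockopt(cfd, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo));

    /* client side: no connect(); every sendto() carries the destination */
    if (sendto(cfd, msg, strlen(msg), 0,
               (struct sockaddr *)&srv, sizeof(srv)) < 0)
        goto out;

    /* server side: recvfrom() fills `peer`, and the length is a pointer */
    plen = sizeof(peer);
    n = recvfrom(sfd, sbuf, sizeof(sbuf), 0, (struct sockaddr *)&peer, &plen);
    if (n < 0)
        goto out;
    if (sendto(sfd, sbuf, (size_t)n, 0, (struct sockaddr *)&peer, plen) < 0)
        goto out;

    /* client side: a datagram longer than bufsize is cut off, not queued */
    plen = sizeof(peer);
    got = recvfrom(cfd, rbuf, bufsize, 0, (struct sockaddr *)&peer, &plen);
out:
    close(cfd);
    close(sfd);
    return got;
}

int main(void)
{
    printf("64-byte buffer: %zd bytes back\n", udp_echo_roundtrip("hello, world", 64));
    printf(" 8-byte buffer: %zd bytes back\n", udp_echo_roundtrip("hello, world", 8));
    return 0;
}
```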
_____________________________________________________________

[A Blue Box Story]
by memor

Israel blueboxing was born because we found a Teletel gate that we could access via a local Israeli number.

**************************
*Remember Teletel Network*
**************************

It is a V23 interface (1200/75 baud, which you can access with a USR Sportster by changing the S38 register with ATS38=4&w; the &w saves the change). It is used by some Videotex terminals. There are many kinds of these terminals; the first one was made by France Telecom and named "Minitel". It is like a modem + console. The modem is a CAP23 (1200/75 baud remote, up to 9600 baud local) and the console is Videotex (40 column mode or 80 column mode). The 40 column mode is the most used because it is a graphical mode; 80 column mode is only a text mode.

You activate graphics mode in 40 columns with a $0E sent (Control + N). After that you calculate the graphic you want to send as one character with this method. Each character cell is a 2x3 mosaic, and each of the six blocks has its own value:

    *********
    *$01*$02*
    *********
    *$04*$08*
    *********
    *$10*$40*
    *********

Example: if you want to make this graphic,

    ²
    ²²
    ²

you have to light $01, $04, $08 and $10, with this algorithm: $20 + $01 + $04 + $08 + $10 = $3D. So you'll have to send $0E, $3D to the local console.

Colors (or gray scale if the Minitel console is monochrome) on a Minitel are accessible with these commands sent to the local console:

Text Color:
***********
    ESC @ - BLACK         ESC D - DARK BLUE
    ESC A - RED           ESC E - PURPLE
    ESC B - GREEN         ESC F - LIGHT BLUE
    ESC C - YELLOW        ESC G - WHITE

Background Color:
*****************
    ESC P - BLACK         ESC T - DARK BLUE
    ESC Q - RED           ESC U - PURPLE
    ESC R - GREEN         ESC V - LIGHT BLUE
    ESC S - YELLOW        ESC W - WHITE

You can use some effects on a Videotex terminal, like these ones:

Effect:
*******
    ESC Z       : underlining
    ESC Y       : stop underlining
    ESC ]       : inverse video mode
    ESC \       : normal video mode
    CONTROL + N : graphics mode
    CONTROL + O : text mode
    ESC H       : flash on
    ESC I       : flash off

Normally on a BBS (V32, V34...), file transfers are done in Zmodem, Ymodem, Xmodem or others like Kermit... On a Teletel terminal or Videotex RTC (Commuted Telephone Network, a little BBS at 1200/75 V23) they are done in the BBT protocol, a really slow and bad one (BBT protocol sources are free on ftp.teaser.fr or ftp.minitel.fr, recently hacked with some libroot.gz, unreachable).

Little Videotex RTC answer output example:

    /* Minitel send a carrier on a "RING" */
    atz                 /* Software Reset*/
    OK
    ats34=8             /*Configuring modem for V23*/
    OK
    *** executing answer script
    RING
    RING                /*Answer after 2 rings because S00 sportster register S00=02*/
    ata                 /*Send a carrier*/
    CONNECT 1200/75     /*Connected to Cap23 or Minitel*/
    *** connected
    *** run c:\usr\minitel\minitel.exe

For more information about Teletel networks, email:

    (France Telecom main server administrator)           root@ftp.minitel.fr
    (A really well known Teletel programmer and artist)  chip@mail.teaser.fr
    (A Videotex artist)                                  darkseed@avo.net

***********************
*Back To Bluebox Story*
***********************

So, just like I said before, I and some phreaker friends were trying to bluebox in ISRAEL to call that Teletel gate for free (Israel allowed only local dials with blueboxing). The frequencies (MF) were:

    Frequency 1:  F1: 2650   F2: 2250   Length: 175ms   Delay: 10ms
    Frequency 2:  F1: 2420   F2: 2400   Length: 345ms   Delay: 10ms

And the dial was AxxxxxxxxC, A for local call.. B hung up directly after some "disconnect" beeps, and A + routing code + country code hung up too; well, only local calls were allowed.

After 1 month of total blueboxing by some of us, a mass bust by the DST came (DST == Territory Security Department)... The cops, after taking our computers (Atari STe, Mega ST..
Amiga 500 and 1200 + screens + modems and all the hardware interfaces), just asked us if we were from the Israeli spy service named Mossad.. We were only using those Israeli free phone numbers (080090xxxx) to use Minitel with free calls.

On Atari (Mega) ST(e), we were using Breeblebox.
On Amiga 1200, we were using Ultimate Access.

memor 04/09/97

*********************
*Some infoz about me*
*********************

my emails:
    memor@mygale.org
    memor@stepahead.net

my phreaker page with links: http://www.mygale.org/00/memor
_____________________________________________________________

Basic Electricity - by ec|ipse.

1.1 The Electron Theory

All the effects of electricity can be explained and predicted by assuming the existence of a tiny particle called an electron. All the electrical or electronic devices used today have one thing in common: they are concerned with the controlling of electron movements. Three fundamental invisible quantities, voltage, current, and resistance, are present in every electrical circuit. These quantities are controlled and directed by the proper arrangement of component parts to produce the desired electron movement.

1.2 Voltage (Abbreviated as E)

Voltage is an electromotive force or pressure that causes electrons to move. If we consider a battery, it has a negatively charged pole and a positively charged pole. An electron is a small particle with a negative charge, so it will be pulled to the positive pole and pushed away by the negative pole of the battery. The strength of the push and pull is governed by the difference in potential of the two poles. The potential difference is a force that can cause electrons to move from negative to positive, and it is measured in volts.
1.3 Current (Abbreviated as I)

The movement of electrons along a wire is called current flow, and because electrons move from negative to positive, current is also said to flow from negative to positive. Current is produced by voltage, and the rate at which current is flowing is measured in amperes, similar to the way we measure water flow in gallons per second.

1.4 Resistance (Abbreviated as R)

When an electrical current flows through a conductor, there is a loss of energy or opposition to the flow, similar to the friction that occurs when water flows through a pipe. The cause of this loss in an electrical circuit is called resistance and is measured in ohms. A difference in potential of one volt will cause one ampere to flow through one ohm of resistance. This is the basis for Ohm's Law, which gives the relationship for E, I and R in all electrical circuits involving only resistance.

1.5 Prefixes Used With Electrical Units

In measuring currents, voltages, and resistances, the ampere, volt, and ohm, respectively, are not always units of convenient size. Related units are often used that have values 10, 100, 1,000 or more times larger or smaller than these fundamental units. The size is indicated by a prefix added to the fundamental name of the unit as follows:

    Mega    1,000,000            = 10^6
    Kilo    1,000                = 10^3
    Deci    1/10                 = 10^-1
    Milli   1/1,000              = 10^-3
    Micro   1/1,000,000          = 10^-6
    Pico    1/1,000,000,000,000  = 10^-12

The most common of these that you will encounter are as follows: A milliampere, often referred to as a "milli", is 1/1,000 or .001 amperes. A kilohm is 1,000 ohms. A megohm is 1,000,000 ohms. A microfarad, used for measuring capacitance, is referred to as a "mike" and is 1/1,000,000 of a farad.

1.6 Ohm's Law

I have briefly mentioned Ohm's Law when giving some of the preceding definitions, and it is the most important single principle in electricity. Maybe we should take a brief look at the law and what it means before we go any further.
Expressed as an equation, the law becomes:

    I = E/R

By manipulation, the law can also be written as:

    R = E/I   or   E = I x R

An easy way to remember these three equations of Ohm's law is to draw a circle and divide it in two with a horizontal line. Place E in the top half of the circle, and divide the lower half of the circle with a vertical line, placing I to the left of the line and R to the right of the line. If you wish to find the voltage (E), place your thumb over E and you find E = I x R. If you wish to find the amperes (I), place your thumb over I and you find I = E/R.

1.7 Difference of Potential

We often hear the statement "all we need to make a relay operate is battery and ground." This is true, but it would be more correct to say "all we need to operate a relay is a 'Difference of Potential'." If you learn to look at it this way, you will find it much easier to understand the biasing of transistors at a later date.

The force or effect that causes the electron flow between our battery and ground is simply a difference of potential. So let us have a look at what we mean by a difference of potential. Because electron flow is from negative to positive, the negative side of a battery could be said to push the electrons, and the positive side of a battery could be said to pull the electrons. If we were using a 50 volt battery supply (standard office voltage), it is the sum of the negative push and the positive pull which gives us our total of Electron Moving Force, or pressure that is exerted on the electrons. This force or pressure is properly known as Voltage or Electromotive Force (E.M.F.).

In actual practice, we ground the positive side of our battery and then ground the side of the relay that would have gone to the positive battery terminal. Now you can see why we say "all we need to make our relay operate is battery and ground". But nothing has changed, really. Our potential difference and current flow will remain the same.
1.8 Booster Battery

We have another battery supply in a central office known as booster battery, which is usually either 50 or 60 volts. However, our external connections are reversed. That is to say, the negative side of the battery is connected to ground and the positive side is connected to the load. The rule for electron movement, negative to positive, still applies.
_____________________________________________________________

-------------------------------------
--=[Pirating Your Own Radio Station]=--
Written by DataThief - Built by DataThief and Delcon
-------------------------------------

Here it is hackers and phreaks - How to build your own radio station. I'm sure you have all wanted your own way to communicate to the masses at one time or another, or if not, this can also be used as a wireless room bug. The actual construction is only about 2 x 3 x .5 inches including AA battery (AT MAX).

Supplies:

    Name                         Value/Item #                  Quantity   Symbol on Diagram
    -------------------------------------------------------------------------------------
    Soldering iron
    PC Board                     4030                          1
    Capacitor                    100pF (marked 101)            1          C2
    Capacitor                    10pF (marked 10)              1          C3
    Capacitor                    4pF (marked 103)              2          C4,C6
    Capacitor                    0.01uF (marked 103)           1          C5
    Resistor                     10 kOhm (Br,Bl,Or,Go)         1          R1
    Resistor                     1.2 kOhm (Br,Re,Re,Go)        1          R2
    Resistor                     33 kOhm (Or,Or,Or,Go)         2          R3,R5
    Resistor                     100 Ohm (Br,Bl,Br,Go)         1          R4
    Resistor                     180 Ohm (Br,Gr,Br,Go)         1          R6
    Transistor                   2SC1923 (marked C1923)        2          TR1,TR2
    Electret Condenser Mic                                     1          ECM
    Electrolytic Capacitor       10uF                          2          C1,C7
    Coil                         0.27-0.30uH                   1          L
    1.5 Volt Battery             (AA,AAA,N battery)            1          B
    1.5 Volt Battery holder                                    1          BH
    Toggle Switch                with 2 prongs on back (not 3) 1          S
    And some insulated copper wire

    KEY: Br = Brown   Bl = Black   Or = Orange   Go = Gold   Re = Red

These are all the supplies needed for the bug, and will allow a signal that carries about 50-100 feet over a clear FM channel (the FM range is between 71-79 FM).
For a radio station, I suggest you add a bigger amp and a much larger antenna (I use a CB antenna to transmit about 1-2 miles..)

  ___________________________________________________________
 |                    Block Diagram                          |
 |                                                    ANT    |
 |                                                    \./    |
 |   _____ECM_____      ____TR-1_____      ____TR-2____ |    |
 |  |  Condenser  |    | Oscillator/ |    |            | |    |
 |  |  Microphone |--->|  Modulator  |--->|  Amplifier |-'    |
 |  `-------------'    `-------------'    `------------'      |
 |         |__________________|__________________|            |
 |                            |                               |
 |                       __________                           |
 |                      |  Power   |                          |
 |                      |  Supply  |                          |
 |                      `----------'                          |
 `-----------------------------------------------------------'

Schematic Diagram

[The ASCII schematic did not survive extraction as a drawing. The labels that remain on it are: ANT. at the top; R2/1.28K, R3/33K, C5/0.01u, C4/4P, the coil L, R5/33K and R6/180 along the supply rail; the ECM feeding TR1 through R1/10K and C1/10u, with C3/10P and C6/4P around TR1; TR2 with C7/10u toward the antenna; C2/100P and R4/100 on the lower rail; and DC-IN (-) and (+) at the bottom.]

Well, that's the best I can do in text. If you are seriously interested in building one, and you can't read this well enough, I might make one as a gif or something. I hope you enjoy it, and don't get caught.

A few suggestions you could do to have lots of fun with your new pirate radio station:

1) You could piss a lot of hicks off by transmitting over a local country station and tell them how much they suck!

2) You could piss a lot more people off by transmitting over the most popular radio station and advertising for your own, or playing some hard techno.
3) If you're really good, find out what frequency McDonald's or some fast food joint's drive-thru voice system works on and modify the transmitter so it breaks through...I'm working on this one.

4) Use it as a bug to spy and blackmail someone.

I've wasted enough time writing this bitch, so spread the knowledge, and if you don't like it, maybe someone else will, because drawing that diagram (as shitty as it is) took me forever!

"l8r hackerz and phreaks!....This iz WFA-Q Fuck U signing off..."

DataThief

Greetz: Scud-O, Delcon, KeyStroke, od|phreak, KungFuFox, the members of HBS, Area66 and X-TREME, and all the others I forgot because my mind blanked out.

_____________________________________________________________

[prober.c - by Scud-O version 1]

/***********************************************************************
 * prober.c -- Unix Port Prober, by Scud-O for THTJ 10, released 5/1/97
 ************************************************************************
 * NOTE: This biatch doesn't have UDP working, since well, it is
 * connectionless, and that is a pain in the ass to get done right. If
 * You really want UDP, code it yourself, it really shouldn't be that hard,
 * But most important services run off of TCP ports, not UDP.
 *************************************************************************
 * compile: cc -o pscan -s pscan.c
 *************************************************************************
 * NOTE: for NIS listing to work right, the domain name, must be what you
 * pass as the remote host, otherwise problems are afoot.
 ************************************************************************/

/* The header names were lost in extraction (the angle brackets were taken
 * for HTML); the list below is reconstructed from what the code uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpc/pmap_prot.h>
#include <rpc/pmap_clnt.h>
#include <rpcsvc/ypclnt.h>
#include <rpcsvc/yp_prot.h>
#ifdef __GNU_LIBRARY__
#include <getopt.h>             /* this is needed for the GNU C library */
#else
extern int optind;
#endif

#define LOWEST_PORT  1
#define HIGHEST_PORT 8080       /* The Sky is the limit! */
#define MAJOR 1
#define MINOR 1

static char sccsid[] = "@(#) Prober v1 , for The HAVOC Technical Journal 10 5/1/97";

typedef enum { false, true } bool;
typedef enum { s_none, s_tcp, s_udp, s_rpc, s_nis } scan_t;

#ifdef __GNU_LIBRARY__
static struct option long_options[] = {
    {"tcp",     0, 0, 0},
    {"udp",     0, 0, 0},
    {"rpc",     0, 0, 0},
    {"nis",     0, 0, 0},
    {"help",    0, 0, 0},
    {"version", 0, 0, 0},
    {0, 0, 0, 0}
};
#endif

/* NIS maps we ask the server for, by the alias ypcat would accept */
struct {
    char *alias;
    char *mapname;
    bool  inuse;
} yp_maps[] = {
    {"passwd",    "passwd.byname",      false},
    {"group",     "group.byname",       false},
    {"networks",  "networks.byaddr",    false},
    {"hosts",     "hosts.byaddr",       false},
    {"protocols", "protocols.bynumber", false},
    {"services",  "services.byname",    false},
    {"aliases",   "mail.aliases",       false},
    {"ethers",    "ethers.byname",      false},
    {NULL, NULL, false}
};

scan_t scan_type;
char   remote_host[200];
char   remote_ip[20];
int    low_port;
int    high_port;
int    key;

void print_version(char *s)
{
    fprintf(stderr, "%s version %d.%d\n", s, MAJOR, MINOR);
    exit(0);
}

void print_usage(char *s)
{
    fprintf(stderr, "usage %s: <scan type> <host> [low port] [high port]\n", s);
    fprintf(stderr, "where scan type is one of:\n");
#ifdef __GNU_LIBRARY__
    fprintf(stderr, " --tcp, -t      - TCP port scan\n");
    fprintf(stderr, " --udp, -u      - UDP port scan(NOT implemented)\n");
    fprintf(stderr, " --rpc, -r      - RPC service list\n");
    fprintf(stderr, " --nis, -n      - NIS map listing\n");
    fprintf(stderr, " --version, -v  - Print version information\n");
    fprintf(stderr, " --help, -h     - Print usage information\n");
#else
    fprintf(stderr, " -t - TCP port scan\n");
    fprintf(stderr, " -u - UDP port scan(NOT implemented)\n");
    fprintf(stderr, " -r - RPC service list\n");
    fprintf(stderr, " -n - NIS map listing\n");
    fprintf(stderr, " -v - Print version information\n");
    fprintf(stderr, " -h - Print usage information\n");
#endif
    fprintf(stderr, "\n");
    exit(0);
}

/* parse the options, then the positional host and optional port range */
void get_args(int n, char *v[])
{
    int c;
    int opt_ind;

    scan_type = s_none;
    while (true) {
#ifdef __GNU_LIBRARY__
        c = getopt_long(n, v, "turnhv", long_options, &opt_ind);
#else
        c = getopt(n, v, "turnhv");
#endif
        if (c == -1)
            break;
        switch (c) {
#ifdef __GNU_LIBRARY__
        case 0:
            opt_ind++;          /* indexes are one less than the scan type */
            if (opt_ind == 5)
                print_usage(v[0]);
            if (opt_ind == 6)
                print_version(v[0]);
            scan_type = opt_ind;
            break;
#endif
        case 't':
            scan_type = s_tcp;
            break;
        case 'u':               /* This doesn't work, but I added it in case you wish to add it in */
            scan_type = s_udp;
            break;
        case 'r':
            scan_type = s_rpc;
            break;
        case 'n':
            scan_type = s_nis;
            break;
        case 'v':
            print_version(v[0]);
            break;
        case 'h':
        case '?':
            print_usage(v[0]);
            break;
        }
    }
    low_port = LOWEST_PORT;
    high_port = HIGHEST_PORT;
    for (opt_ind = 0; optind < n; optind++) {
        switch (opt_ind++) {
        case 0:                 /* remote host */
            strncpy(remote_host, v[optind], 199);
            break;
        case 1:                 /* low port */
            low_port = atoi(v[optind]);
            break;
        case 2:                 /* high port */
            high_port = atoi(v[optind]);
            break;
        }
    }
    if ((opt_ind == 0) || (scan_type == s_none)) {
        fprintf(stderr, "error: you must specify a scan type and a host\n");
        print_usage(v[0]);
    }
}

/* resolve the host argument (name or dotted quad) into remote_ip */
void check_args(void)
{
    struct hostent *host;

    host = gethostbyname(remote_host);
    if (host == NULL) {
        unsigned int a, b, c, d;    /* %u needs unsigned int, not unsigned char */
        int n;
        char addr[5];

        /* hmm.. perhaps it was a dotted quad entered.. */
        n = sscanf(remote_host, "%u.%u.%u.%u", &a, &b, &c, &d);
        if (n != 4) {
            fprintf(stderr, "error: host '%s' not found\n", remote_host);
            exit(1);
        }
        addr[0] = (char) a;
        addr[1] = (char) b;
        addr[2] = (char) c;
        addr[3] = (char) d;
        host = gethostbyaddr(addr, 4, AF_INET);
        if (host == NULL) {
            fprintf(stderr, "error: host '%s' not found\n", remote_host);
            exit(1);
        }
        sprintf(remote_ip, "%u.%u.%u.%u", a, b, c, d);
    } else {
        sprintf(remote_ip, "%u.%u.%u.%u",
                (unsigned char) host->h_addr_list[0][0],
                (unsigned char) host->h_addr_list[0][1],
                (unsigned char) host->h_addr_list[0][2],
                (unsigned char) host->h_addr_list[0][3]);
    }
}

void print_args(void)
{
    static char *opt_table[] = { "tcp", "udp", "rpc", "nis" };

    fprintf(stdout, "scanning host %s's %s ports ", remote_host,
            opt_table[scan_type - 1]);
    if (scan_type < 3) {
        /* report the range actually requested (the original printed and
         * scanned LOWEST_PORT..HIGHEST_PORT, ignoring the port arguments) */
        fprintf(stdout, "%d through %d", low_port, high_port);
    }
    fprintf(stdout, "\n");
}

/* TCP connect() scan: a port is reported when the connect succeeds */
void scan(void)
{
    int soc;
    struct sockaddr_in addr;
    struct servent *serv;
    int port, rc, addr_len, opt = 1;

    if (scan_type >= 3)         /* this proc only does tcp and udp */
        return;
    for (port = low_port; port <= high_port; port++) {
        if (scan_type == s_tcp) {
            soc = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        } else if (scan_type == s_udp) {
            soc = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        } else
            return;
        if (soc < 0) {
            fprintf(stderr, "error: socket() failed\n");
            return;
        }
        rc = setsockopt(soc, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
        memset(&addr, 0, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = inet_addr(remote_ip);
        addr.sin_port = htons(port);
        addr_len = sizeof(addr);
        rc = connect(soc, (struct sockaddr *) &addr, addr_len);
        if (scan_type == s_udp) {
            /* This currently doesnt work, its a pain in the ass to scan UDP,
             * and since no really important services run under UDP,
             * You really dont need it. */
            fprintf(stderr, "\nUDP Scanning is not implemented. Do it yourself!\n\n");
            exit(1);
        }
        close(soc);
        if (rc < 0)
            continue;
        if (scan_type == s_tcp)
            serv = getservbyport(htons(port), "tcp");
        else if (scan_type == s_udp)
            serv = getservbyport(htons(port), "udp");
        else
            return;
        fprintf(stdout, "port %d (%s) is running\n", port,
                (serv == NULL) ? "UNKNOWN" : serv->s_name);
    }
}

/* The next two routines were ripped out of ypcat, but with a few changes */

int callback_proc(int is, char *ik, int ikl, char *iv, int ivl, char *id)
{
    if (is != YP_TRUE)
        return is;
    return 0;
}

/* ask the NIS server (domain = remote_host) which of the maps it serves */
void nis_dump(void)
{
    int i, rc;
    char *domainname;
    char *map;
    struct ypall_callback callback;

    domainname = &remote_host[0];
    for (i = 0; yp_maps[i].mapname != NULL; i++) {
        key = 0;
        callback.foreach = callback_proc;
        callback.data = NULL;
        map = yp_maps[i].mapname;
        rc = yp_all(domainname, map, &callback);
        switch (rc) {
        case 0:
            printf("%-10.10s is available\n", yp_maps[i].alias);
            break;
        case YPERR_YPBIND:
            fprintf(stderr, "error: server is not running ypbind\n");
            exit(1);
            break;
        default:
            fprintf(stderr, "error: %s\n", yperr_string(rc));
            exit(1);
        }
    }
}

/* this routine basically ripped from rpcinfo -p */
void rpc_scan(void)
{
    struct sockaddr_in server_addr;
    struct pmaplist *head = NULL;
    int sock = RPC_ANYSOCK;
    struct timeval minutetimeout;
    register CLIENT *client;
    struct rpcent *rpc;

    minutetimeout.tv_sec = 60;
    minutetimeout.tv_usec = 0;
    server_addr.sin_addr.s_addr = inet_addr(remote_ip);
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(111);
    if ((client = clnttcp_create(&server_addr, PMAPPROG, PMAPVERS,
                                 &sock, 50, 500)) == NULL) {
        clnt_pcreateerror("rpcinfo: can't contact portmapper");
        exit(1);
    }
    if (clnt_call(client, PMAPPROC_DUMP, (xdrproc_t) xdr_void, (caddr_t) NULL,
                  (xdrproc_t) xdr_pmaplist, (caddr_t) &head,
                  minutetimeout) != RPC_SUCCESS) {
        fprintf(stderr, "rpcinfo: can't contact portmapper: ");
        clnt_perror(client, "rpcinfo");
        exit(1);
    }
    if (head == NULL) {
        printf("No remote programs registered.\n");
    } else {
        printf("   program vers proto   port\n");
        for (; head != NULL; head = head->pml_next) {
            printf("%10ld%5ld", head->pml_map.pm_prog, head->pml_map.pm_vers);
            if (head->pml_map.pm_prot == IPPROTO_UDP)
                printf("%6s", "udp");
            else if (head->pml_map.pm_prot == IPPROTO_TCP)
                printf("%6s", "tcp");
            else
                printf("%6ld", head->pml_map.pm_prot);
            printf("%7ld", head->pml_map.pm_port);
            rpc = getrpcbynumber(head->pml_map.pm_prog);
            if (rpc)
                printf("  %s\n", rpc->r_name);
            else
                printf("\n");
        }
    }
}

int main(int argc, char *argv[])
{
    get_args(argc, argv);
    check_args();
    print_args();
    /* scan() only does tcp (udp exits with a message); rpc and nis have
     * their own routines */
    switch (scan_type) {
    case s_tcp:
        scan();
        break;
    case s_udp:
        fprintf(stderr, "UDP port scanning is not implemented in this version\n");
        break;
    case s_rpc:
        rpc_scan();
        break;
    case s_nis:
        nis_dump();
        break;
    default:
        break;
    }
    return 0;
}

_____________________________________________________________

[ udp-scan.c Wietse Venema - from good old Satan v.1.1.1]

Ok, well you really want a good udp scanner and prober? Well, I was looking thru the source of Satan the other day, and this popped up. Have fun with it now..... and thank Wietse for the code, and Dan Farmer too, for his work on Satan. ( geez, he lost his job over it, give him some credit and thanks. )

/*
 * udp-scan - determine available udp services
 *
 * Author: Wietse Venema.
 */

/* The system header names were lost in extraction; the list below is
 * reconstructed from what the code uses. The SATAN-local headers survived. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
/* #include (a commented-out include; its header name was lost) */
#include "../../include/netinet/ip_icmp_lin.h"
#include "../../include/netinet/udp_lin.h"

extern int errno;

#ifndef __STDC__
extern char *strerror();
#endif

extern char *optarg;
extern int optind;

#define offsetof(t,m) (size_t)(&(((t *)0)->m))

#ifndef FD_SET
#include <sys/select.h>
#endif

#include "lib.h"

#define LOAD_LIMIT  100                 /* default max nr of open sockets */
#define AVG_MARGIN  10                  /* safety margin */

/*
 * In order to protect ourselves against dead hosts, we first probe UDP port
 * 1.
 * If we do not get an ICMP error (no listener or host unreachable) we
 * assume this host is dead. If we do get an ICMP error, we have an estimate
 * of the roundtrip time. The test port can be changed with the -p option.
 */
char   *test_port = "1";
int     test_portno;

#define YES 1
#define NO  0

int     verbose = 0;                    /* default silent mode */
int     open_file_limit;                /* max nr of open files */

/*
 * We attempt to send as many probes per roundtrip time as network capacity
 * permits. With UDP we must do our own retransmission and congestion
 * handling.
 */
int     hard_limit = LOAD_LIMIT;        /* max nr of open sockets */
int     soft_limit;                     /* slowly-moving load limit */
struct timeval now;                     /* global time after select() */
int     ports_busy;                     /* number of open sockets */
int     want_err = 0;                   /* show reachable/unreachable */
int     show_all = 0;                   /* show all ports */

/*
 * Information about ongoing probes is sorted by time of last transmission.
 */
struct port_info {
    RING    ring;                       /* round-robin linkage */
    struct timeval last_probe;          /* time of last probe */
    int     port;                       /* port number */
    int     pkts;                       /* number of packets sent */
};

struct port_info *port_info = 0;
RING    active_ports;                   /* active sockets list head */
RING    dead_ports;                     /* dead sockets list head */

struct port_info *find_port_info(int);  /* retrieve port info */

/*
 * Performance statistics. These are used to update the transmission window
 * size depending on transmission error rates.
 */
double  avg_irt = 0;                    /* inter-reply arrival time */
double  avg_rtt = 0;                    /* round-trip time */
double  avg_pkts = 1;                   /* number of packets sent per reply */
int     probes_sent = 0;                /* probes sent */
int     probes_done = 0;                /* finished probes */
int     replies;                        /* number of good single probes */
struct timeval last_reply;              /* time of last reply */

int     send_sock;                      /* send probes here */
int     icmp_sock;                      /* read replies here */
fd_set  icmp_sock_mask;                 /* select() read mask */
static struct sockaddr_in sin;

/*
 * Helpers...
 */
#define time_since(t) (now.tv_sec - t.tv_sec + 1e-6 * (now.tv_usec - t.tv_usec))
#define sock_age(sp)  time_since(sp->last_probe)

double  average(double, double);
struct port_info *add_port(int);

/* prototypes added here; the original relied on implicit declarations */
void    usage(char *);
void    scan_ports(char *);
void    monitor_ports(void);
int     receive_answers(void);
void    receive_icmp(int);
void    process_reply(struct port_info *, int);
void    report_and_drop_port(struct port_info *, int);
void    write_port(struct port_info *);
void    drop_port(struct port_info *);
void    init_port_info(void);

/* main - command-line interface */

int main(int argc, char *argv[])
{
    int     c;
    struct protoent *pe;
    char  **ports;

    progname = argv[0];
    if (geteuid())
        error("This program needs root privileges");
    open_file_limit = open_limit();

    while ((c = getopt(argc, argv, "al:p:uUv")) != EOF) {
        switch (c) {
        case 'a':
            show_all = 1;
            break;
        case 'l':
            if ((hard_limit = atoi(optarg)) <= 0)
                usage("invalid load limit");
            break;
        case 'p':
            test_port = optarg;
            break;
        case 'u':
            want_err = EHOSTUNREACH;
            break;
        case 'U':
            want_err = ~EHOSTUNREACH;
            break;
        case 'v':
            verbose = 1;
            break;
        default:
            usage((char *) 0);
            break;
        }
    }
    argc -= (optind - 1);
    argv += (optind - 1);
    if (argc < 3)
        usage("missing argument");
    if (hard_limit > open_file_limit - 10)
        hard_limit = open_file_limit - 10;
    soft_limit = hard_limit + 1;
    init_port_info();

    if ((pe = getprotobyname("icmp")) == 0)
        error("icmp: unknown protocol");
    if ((icmp_sock = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0)
        error("icmp socket: %m");
    FD_ZERO(&icmp_sock_mask);
    FD_SET(icmp_sock, &icmp_sock_mask);
    if ((send_sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        error("socket: %m");

    /*
     * First do a test probe to see if the host is up, and to establish the
     * round-trip time. This requires that the test port is not used.
     */
    memset((char *) &sin, 0, sizeof(sin));
    sin.sin_addr = find_addr(argv[1]);
    sin.sin_family = AF_INET;
    gettimeofday(&now, (struct timezone *) 0);
    last_reply = now;

    /*
     * Calibrate round-trip time and dead time.
     */
    for (;;) {
        scan_ports(test_port);
        while (ports_busy > 0)
            monitor_ports();
        if (avg_rtt)
            break;
        sleep(1);
    }
    scan_ports(test_port);

    /*
     * Scan those ports.
     */
    for (ports = argv + 2; *ports; ports++)
        scan_ports(*ports);

    /*
     * All ports probed, wait for replies to trickle back.
     */
    while (ports_busy > 0)
        monitor_ports();
    return (0);
}

/* usage - explain command syntax */

void usage(char *why)
{
    if (why)
        remark(why);
    error("usage: %s [-apuU] [-l load] host ports...", progname);
}

/* scan_ports - scan ranges of ports */

void scan_ports(char *service)
{
    char   *cp;
    int     min_port;
    int     max_port;
    int     port;
    struct port_info *sp;

    if (service == test_port)
        test_portno = atoi(test_port);

    /*
     * Translate service argument to range of port numbers.
     */
    if ((cp = strchr(service, '-')) != 0) {
        *cp++ = 0;
        min_port = (service[0] ? ntohs(find_port(service, "udp")) : 1);
        max_port = (cp[0] ? ntohs(find_port(cp, "udp")) : 65535);
    } else {
        min_port = max_port = ntohs(find_port(service, "udp"));
    }

    /*
     * Iterate over each port in the given range. Adjust the number of
     * simultaneous probes to the capacity of the network.
     */
    for (port = min_port; port <= max_port; port++) {
        sp = add_port(port);
        write_port(sp);
        monitor_ports();
    }
}

/* monitor_ports - watch for socket activity */

void monitor_ports(void)
{
    do {
        struct port_info *sp;

        /*
         * When things become quiet, examine the port that we haven't looked
         * at for the longest period of time.
         */
        receive_answers();
        if (ports_busy == 0)
            return;
        sp = (struct port_info *) ring_succ(&active_ports);
        if (sp->pkts > avg_pkts * AVG_MARGIN) {
            report_and_drop_port(sp, 0);
        } else

        /*
         * Strategy depends on whether transit times dominate (probe
         * multiple ports in parallel, retransmit when no reply was
         * received for at least one round-trip period) or by dead time
         * (probe one port at a time, retransmit when no reply was
         * received for some fraction of the inter-reply period).
         */
        if (sock_age(sp) > (avg_rtt == 0 ? 1 :
                            2 * avg_rtt < avg_irt ? avg_irt / 4 :
                            1.5 * avg_rtt)) {
            write_port(sp);
        }

        /*
         * When all ports being probed seem to be active, send a test probe
         * to see if the host is still alive.
         */
        if (time_since(last_reply) > 3 * (avg_rtt == 0 ? 1 :
                                          avg_rtt < avg_irt ? avg_irt :
                                          avg_rtt)
            && find_port_info(test_portno) == 0) {
            last_reply = now;
            write_port(add_port(test_portno));
        }
    } while (ports_busy && (ports_busy >= hard_limit
                            || ports_busy >= probes_done
                            || ports_busy >= soft_limit));
}

/* receive_answers - receive reactions to probes */

int receive_answers(void)
{
    fd_set  read_mask;
    struct timeval waitsome;
    double  delay;
    int     answers;

    /*
     * The timeout is less than the inter-reply arrival time or we would not
     * be able to increase the load.
     */
    delay = (2 * avg_rtt < avg_irt ? avg_irt / 3 : avg_rtt / (1 + ports_busy * 4));
    waitsome.tv_sec = delay;
    waitsome.tv_usec = (delay - waitsome.tv_sec) * 1000000;
    read_mask = icmp_sock_mask;
    if ((answers = select(icmp_sock + 1, &read_mask, (fd_set *) 0, (fd_set *) 0,
                          &waitsome)) < 0)
        error("select: %m");
    gettimeofday(&now, (struct timezone *) 0);

    /*
     * For each answer that we receive without retransmissions, update the
     * average roundtrip time.
     */
    if (answers > 0) {
        if (FD_ISSET(icmp_sock, &read_mask))
            receive_icmp(icmp_sock);
    }
    return (answers);
}

/* receive_icmp - receive and decode ICMP message */

void receive_icmp(int sock)
{
    union {
        char    chars[BUFSIZ];
        struct ip ip;
    }       buf;
    int     data_len;
    int     hdr_len;
    struct ip *ip;
    struct icmp *icmp;
    struct udphdr *udp;
    struct port_info *sp;

    if ((data_len = recv(sock, (char *) &buf, sizeof(buf), 0)) < 0) {
        error("error: recv: %m");
        return;
    }

    /*
     * Extract the IP header.
     */
    ip = &buf.ip;
    if (ip->ip_p != IPPROTO_ICMP) {
        error("error: not ICMP proto (%d)", ip->ip_p);
        return;
    }

    /*
     * Extract the IP payload.
     */
    hdr_len = ip->ip_hl << 2;
    if (data_len - hdr_len < ICMP_MINLEN) {
        remark("short ICMP packet (%d bytes)", data_len);
        return;
    }
    icmp = (struct icmp *) ((char *) ip + hdr_len);
    data_len -= hdr_len;
    if (icmp->icmp_type != ICMP_UNREACH)
        return;

    /*
     * Extract the offending IP header.
     */
    if (data_len < offsetof(struct icmp, icmp_ip) + sizeof(icmp->icmp_ip)) {
        remark("short IP header in ICMP");
        return;
    }
    ip = &(icmp->icmp_ip);
    if (ip->ip_p != IPPROTO_UDP)
        return;
    if (ip->ip_dst.s_addr != sin.sin_addr.s_addr)
        return;

    /*
     * Extract the offending UDP header.
     */
    hdr_len = ip->ip_hl << 2;
    udp = (struct udphdr *) ((char *) ip + hdr_len);
    data_len -= hdr_len;
    if (data_len < sizeof(struct udphdr)) {
        remark("short UDP header in ICMP");
        return;
    }

    /*
     * Process ICMP subcodes.
     */
    switch (icmp->icmp_code) {
    case ICMP_UNREACH_NET:
        error("error: network unreachable");
        /* NOTREACHED */
    case ICMP_UNREACH_HOST:
        if ((sp = find_port_info(ntohs(udp->uh_dport))) != 0)
            process_reply(sp, EHOSTUNREACH);
        break;
    case ICMP_UNREACH_PROTOCOL:
        error("error: protocol unreachable");
        /* NOTREACHED */
    case ICMP_UNREACH_PORT:
        if ((sp = find_port_info(ntohs(udp->uh_dport))) != 0)
            process_reply(sp, ECONNREFUSED);
        break;
    }
}

/* process_reply - process reply */

void process_reply(struct port_info *sp, int err)
{
    double  age = sock_age(sp);
    int     pkts = sp->pkts;
    double  irt = time_since(last_reply);

    /*
     * Don't believe everything.
     */
    if (age > 5) {
        age = 5;
    } else if (age < 0) {
        age = 1;
    }
    if (irt > 5) {
        irt = 5;
    } else if (irt < 0) {
        irt = 1;
    }

    /*
     * We jump some hoops for calibration purposes. First we estimate the
     * round-trip time: we use this to decide when to retransmit when network
     * transit time dominates.
     *
     * Next thing to do is to estimate the inter-reply time, in case the sender
     * has a "dead time" for ICMP replies; I have seen this happen with some
     * Cisco routers and with Solaris 2.4. The first reply will come fast;
     * subsequent probes will be ignored for a period of up to one second.
     * When this happens the retransmission period should be based on the
     * inter-reply time and not on the average round-trip time.
     */
    last_reply = now;
    replies++;
    if (pkts == 1)
        avg_rtt = (avg_rtt == 0 ? age :         /* adopt initial rtt */
                   average(age, avg_rtt));      /* normal processing */
    avg_irt = (avg_irt == 0 ? 1 :               /* prepare for irt calibration */
               avg_irt == 1 ? irt :             /* adopt initial irt */
               average(irt, avg_irt));          /* normal processing */
    avg_pkts = average((double) pkts, avg_pkts);
    if (verbose)
        printf("%d:age %.3f irt %.3f pkt %d ports %2d soft %2d done %2d avrtt %.3f avpkt %.3f avirt %.3f\n",
               sp->port, age, irt, pkts, ports_busy, soft_limit, probes_done,
               avg_rtt, avg_pkts, avg_irt);
    report_and_drop_port(sp, err);
}

/* report_and_drop_port - report what we know about this service */

void report_and_drop_port(struct port_info *sp, int err)
{
    struct servent *se;

    if (probes_done == 0) {
        if (err == 0)
            error("are we talking to a dead host or network?");
    } else if (show_all || want_err == err || (want_err < 0 && want_err != ~err)) {
        printf("%d:%s:", sp->port,
               (se = getservbyport(htons(sp->port), "udp")) ? se->s_name : "UNKNOWN");
        if (err && show_all)
            printf("%s", strerror(err));
        printf("\n");
        fflush(stdout);
    }
    drop_port(sp);
}

/* average - quick-rise, slow-decay moving average */

double average(double new, double old)
{
    if (new > old) {                            /* quick rise */
        return ((new + old) / 2);
    } else {                                    /* slow decay */
        return (0.1 * new + 0.9 * old);
    }
}

/* add_port - say this port is being probed */

struct port_info *add_port(int port)
{
    struct port_info *sp = (struct port_info *) ring_succ(&dead_ports);

    ring_detach((RING *) sp);
    sp->port = port;
    sp->pkts = 0;
    ports_busy++;
    ring_append(&active_ports, (RING *) sp);
    return (sp);
}

/* write_port - write to port, update statistics */

void write_port(struct port_info *sp)
{
    char    ch = 0;

    ring_detach((RING *) sp);
    sin.sin_port = htons(sp->port);
    sp->last_probe = now;
    sendto(send_sock, &ch, 1, 0, (struct sockaddr *) &sin, sizeof(sin));
    probes_sent++;
    sp->pkts++;
    ring_prepend(&active_ports, (RING *) sp);

    /*
     * Reduce the sending window when the first retransmission happens. Back
     * off when retransmissions dominate. Occasional retransmissions will keep
     * the load unchanged.
     */
    if (sp->pkts > 1) {
        replies--;
        if (soft_limit > hard_limit) {
            soft_limit = (ports_busy + 1) / 2;
        } else if (replies < 0 && avg_irt) {
            soft_limit = 0.5 + 0.5 * (soft_limit + avg_rtt / avg_irt);
            replies = soft_limit / 2;
        }
    }
}

/* drop_port - release port info, update statistics */

void drop_port(struct port_info *sp)
{
    ports_busy--;
    probes_done++;
    ring_detach((RING *) sp);
    ring_append(&dead_ports, (RING *) sp);

    /*
     * Increase the load when a sufficient number of probes succeeded.
     * Occasional retransmissions will keep the load unchanged.
     */
    if (replies > soft_limit) {
        replies = soft_limit / 2;
        if (soft_limit < hard_limit)
            soft_limit++;
    }
}

/* init_port_info - initialize port info pool */

void init_port_info(void)
{
    struct port_info *sp;

    port_info = (struct port_info *) mymalloc(hard_limit * sizeof(*port_info));
    ring_init(&active_ports);
    ring_init(&dead_ports);
    for (sp = port_info; sp < port_info + hard_limit; sp++)
        ring_append(&dead_ports, (RING *) sp);
}

/* find_port_info - lookup port info */

struct port_info *find_port_info(int port)
{
    struct port_info *sp;

    for (sp = (struct port_info *) ring_succ(&active_ports);
         sp != (struct port_info *) &active_ports;
         sp = (struct port_info *) ring_succ((RING *) sp))
        if (sp->port == port)
            return (sp);
    return (0);
}

_____________________________________________________________

[ French Pager Annoying ] by memor

A little C++ (Borland 3.1) program for Pager Annoying.

1--- Why that program?

You call French pagers TATOO via an automatic number reserved for each pager. In France, they begin by 0806xxxx mostly.. (for calling them from a foreign country like the USA, it is (+33) 806xxxx). Well.. that program uses the modem for paging someone you want to call you back.. it dials his pager and sends the message (a number he will have to call back). That program makes your modem page him 1 time or many times.. with many times I mean you can fill his pager memory with 50-60k of pages.
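Stepping back to the two scanners above for a moment: the replies udp-scan.c lives on are ICMP "destination unreachable" messages, and each one quotes the UDP datagram that provoked it, so the probed host's own outbound ICMP is a record of who probed which ports. The Python below is an added example (not SATAN or THTJ code) that decodes those replies with the same layer-by-layer checks as receive_icmp(), but from the probed host's side, and groups them by probing address; all packets and addresses are constructed inline.

```python
"""Decode ICMP 'destination unreachable' replies the way udp-scan.c's
receive_icmp() does, but from the probed host's side: each reply quotes the
offending UDP datagram, so a sensor watching outbound ICMP can recover which
address probed which ports. Added example; not SATAN or THTJ code."""
import socket
import struct
from collections import defaultdict

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_UNREACH = 3               # ICMP type: destination unreachable
ICMP_UNREACH_HOST = 1          # code udp-scan maps to EHOSTUNREACH
ICMP_UNREACH_PORT = 3          # code udp-scan maps to ECONNREFUSED
IP_HDR = "!BBHHHBBH4s4s"       # minimal IPv4 header, no options
ICMP_MINLEN = 8


def build_unreach(scanner, target, port, code):
    """Construct (for this example) the packet `target` emits after a UDP
    probe from `scanner` to `port`: outer IP + ICMP header + quoted IP/UDP."""
    quoted_ip = struct.pack(IP_HDR, 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                            socket.inet_aton(scanner), socket.inet_aton(target))
    quoted_udp = struct.pack("!HHHH", 40000, port, 9, 0)   # sport, dport, len, cksum
    icmp = struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + quoted_ip + quoted_udp
    outer = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                        socket.inet_aton(target), socket.inet_aton(scanner))
    return outer + icmp


def decode_unreach(pkt, our_addr):
    """Return (scanner, probed_port, icmp_code) if `pkt` is an ICMP
    host/port-unreachable that quotes a UDP datagram sent to `our_addr`,
    else None. The checks mirror receive_icmp(): protocol, type, length of
    each layer, quoted protocol, quoted destination."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or len(pkt) - ihl < ICMP_MINLEN:
        return None                                  # "short ICMP packet"
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_UNREACH or icmp[1] not in (ICMP_UNREACH_HOST, ICMP_UNREACH_PORT):
        return None
    quoted = icmp[8:]
    if len(quoted) < 20:
        return None                                  # "short IP header in ICMP"
    if quoted[9] != IPPROTO_UDP or socket.inet_ntoa(quoted[16:20]) != our_addr:
        return None
    udp = quoted[(quoted[0] & 0x0F) * 4:]
    if len(udp) < 8:
        return None                                  # "short UDP header in ICMP"
    dport = struct.unpack("!H", udp[2:4])[0]
    return socket.inet_ntoa(quoted[12:16]), dport, icmp[1]


def probed_ports(packets, our_addr, threshold=10):
    """Group decoded replies by scanner address and return {scanner: ports}
    for every address that drew unreachables for at least `threshold`
    distinct ports, which is the footprint a udp-scan run leaves behind."""
    seen = defaultdict(set)
    for pkt in packets:
        hit = decode_unreach(pkt, our_addr)
        if hit is not None:
            seen[hit[0]].add(hit[1])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= threshold}


if __name__ == "__main__":
    # Constructed traffic: one host sweeping ports 1-12, one lone DNS probe, junk.
    ours = "192.0.2.10"
    sample = [build_unreach("10.0.0.5", ours, p, ICMP_UNREACH_PORT) for p in range(1, 13)]
    sample.append(build_unreach("10.0.0.9", ours, 53, ICMP_UNREACH_PORT))
    sample.append(b"\x45\x00" * 3)
    print(probed_ports(sample, ours))   # {'10.0.0.5': [1, 2, ..., 12]}
```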
*** BY THE WAY ***

The dialing process for a French pager "TATOO" (Motorola & France Telecom) is:

  1/ Dial Tatoo Pager
  2/ Dial Numeric Message
  3/ Dial #
  4/ Hang Up

That's why the algorithm of my program is:

  begin:
    |
    Define variables nbr, a, ...
    |
    Configure (9600 bauds, 8n1)      (8n1 = 8 bits per byte, no parity and 1 stop bit)
    |
    Ask number of times to page -> nbr
    |
    His pager number -> Number
    |
    Message to send -> Message
    |
    Send ATZ + Return
    |
    Wait 0.5 sec
    |
    0 to nbr.. do that:
        |
        Send ATDT
        |
        Send Number
        |
        Send ,,,,
        |
        Send Message
        |
        Send Return
        |
        Send +++
        |
        Wait 1.5 sec
        |
        Send ATH0 + Return
        |
    Continue it
    |
  end:

I used here for the serial device the INT86 (in dos.h); I could have used outportb.. but I felt like using int86 (slower thing), maybe next time I'll do it with outportb.

In that program I used those modem commands, but first:

*REMEMBER...* AT are the "AT" commands.. it's a prefix "AT", issued to the modem from the command mode (that command mode will be automatically set when the computer is turned on).

  ATZ  : the reset.. That AT command will reset all the modem values to their default settings. It responds OK; you mostly have to wait 1/2 sec before sending other commands.

  ATD  : Dial.. That AT command instructs the modem to go to the off-hook state and dial the number that follows it. That command can be followed by a Dial Modifier:
           P: for pulse dial (using pulse rotary dialing) .. not needed here AT ALL
           T: for touch tone dial. I'll use THAT one. So.. ATDT.. Touch Tone Dialing.
         A "," in an ATDT is for waiting a 2 second delay. ATDT 11,,2 will dial 11, wait 4 seconds (2*2s) and will dial 2 .. all that in touch tone.

  +++  : Set the modem to the command mode.. it's an escape sequence. It needs at least a one second pause before issuing other commands.

  ATH0 : Switch the hook control, instructs the modem to drop the line.. Hanging up.

2--- Some Programming..

/* Including libraries (the header names were lost in extraction; they are
   reconstructed here from the comments that survived) */
#include <dos.h>      /* For using INT86 */
#include <string.h>   /* Gets and Strlen are here */
#include <stdio.h>    /* Printf..Scanf... */
#include <conio.h>    /* For Lame Presentation */
#include <stdlib.h>   /* For Fun maybe (original header unknown; stdlib.h assumed) */

/* Define modem resetting, dialing, hangup, pause */
char atz[10]  = "ATZ\n";   /* Reset */
char atdt[10] = "ATDT";    /* Dial Mode Touch Tone Dial */
char pose[10] = ",,,,";    /* 2sec Pause * 4 */
char ppp[10]  = "+++\n";   /* Escape to Command Mode */
char ath[10]  = "ATH0\n";  /* Hey Modem!, Drop the line please */

/* define sub-functions: modem configuring and char sending */
void configure();          /* Define Default Modem Configuring */
void send(char x);         /* Define Send the Char X! */

/* main routine */
void main()
{
    int a, nbr = 0;                 /* Define number of paging */
    char number[128];               /* Define pager number as char */
    char message[128];              /* Define Message to send as Char */

    clrscr();                                   /* Lame presentation */
    configure();                                /* Call modem configuring */
    printf("Modem configured\n 9600 8n1");      /* Lame Presentation */
    printf("How many time do u want to page him?");  /* Same */
    scanf("%d", &nbr);                          /* Asking number of paging */
    fflush(stdin);                              /* For killing some bug with gets */
    printf("What is his pager number?");        /* Lame Presentation */
    gets(number);                               /* Catching pager number */
    printf("What message u want to send him (finish by a # on french Tatoos pager)");
    gets(message);                              /* Catching Message to page */
    printf("Reseting modem\n");                 /* Lame Presentation */
    for (a = 0; a < nbr; a++) {
        /* The body of this loop, and the configure() and send() routines
           that followed it, were lost in extraction: the '<' in the loop
           condition was taken as the start of an HTML tag and the text up
           to the next '>' was dropped. The flowchart in section 1 gives the
           sequence each iteration sends. The start of the next article
           (phf.c) was lost the same way. */
    }
}

_____________________________________________________________

[phf.c (Again)]

/* The two header names were lost in extraction; stdio.h, stdlib.h and
   string.h are what the surviving code (printf, getenv, exit, strcpy,
   strcat, strcmp, strlen) needs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LF 10
/* The HTML tags inside this program's format strings were stripped in
   extraction; only the literal text and the printf() argument lists
   survive, so several argument lists below no longer match their format
   strings. They are left as they came off the page. */
#define HTML_BREAK printf("%c", LF);

typedef struct {
    char name[128];
    char val[128];
} entry;

typedef struct {
    char qfield[256];
    int  qlen;
    char qname[256];
} fields;

void getword(char *word, char *line, char stop);
char x2c(char *what);
void unescape_url(char *url);
void plustospace(char *str);
void send_fd(FILE *f, FILE *fd);
void send_doc(int which);

/* query fields offered by default: form field name, field width, label */
static fields idxfields[] = {
    {"Qalias",        32,  "Alias"},
    {"Qname",         256, "Name"},
    {"Qemail",        128, "E-mail Address"},
    {"Qnickname",     120, "Nickname"},
    {"Qoffice_phone", 60,  "Office Phone Number"},
    {"Qcallsign",     16,  "HAM Callsign"},
    {"Qproxy",        64,  "Proxy"},
    {"Qhigh_school",  30,  "High School"},
    {"Qslip",         256, "SLIP Address"},
    {NULL, 0, NULL}
};

static fields othersearchfields[] = {
    {"Qcurriculum",        64,  "Curriculum"},
    {"Qphone",             64,  "Phone Number"},
    {"Qaddress",           128, "Address"},
    {"Qoffice_address",    128, "Office Address"},
    {"Qhome_address",      128, "Home Address"},
    {"Qpermanent_address", 128, "Permanent Address"},
    {"Qpermanent_phone",   60,  "Permanent Phone"},
    {"Qdepartment",        64,  "Department"},
    {"Qtitle",             64,  "Title"},
    {"Qproject",           256, "Project"},
    {"Qother",             256, "Other"},
    {"Qbirthday",          24,  "Birthday"},
    {"Qcolleges",          120, "Colleges Attended"},
    {"Qleft_uiuc",         24,  "Date/Month Person left UIUC"},
    {NULL, 0, NULL},
};

/* emit the query form; bits 0x10 and 0x01 of `which` select the extra
   "narrow query" and "fields to return" sections */
void send_doc(int which)
{
    int x;

    printf("Form for CSO PH query%c", LF);
    printf("Form for CSO PH query%c", LF);
    printf("This form will send a PH query to the specified ph server.%c", LF);
    HTML_BREAK
    printf("%c", LF);
    printf("%c", getenv("SERVER_NAME"), getenv("SERVER_PORT"), getenv("SCRIPT_NAME"), LF);
    printf("PH Server:%c", LF);
    HTML_BREAK
    printf("At least one of these fields must be specified:%c", LF);
    for (x = 0; idxfields[x].qlen != 0; x++)
        printf("%s%c", idxfields[x].qfield, idxfields[x].qlen, idxfields[x].qname, LF);
    printf("%c", LF);
    if (!(which & 0x10)) {
        printf("Show additional fields to narrow query%c",
               getenv("SCRIPT_NAME"), (which | 0x10), LF);
    } else {
        printf("Additional fields to narrow query:%c", LF);
        for (x = 0; othersearchfields[x].qlen != 0; x++)
            printf("%s%c", othersearchfields[x].qfield, othersearchfields[x].qlen,
                   othersearchfields[x].qname, LF);
        printf("%c", LF);
        printf("Show fewer query fields%c", getenv("SCRIPT_NAME"), (which & 0x01), LF);
    }
    HTML_BREAK
    if (!(which & 0x01)) {
        printf("Return more than default fields%c",
               getenv("SCRIPT_NAME"), (which | 0x01), LF);
    } else {
        printf("Fields to return:%c", LF);
        for (x = 0; idxfields[x].qlen != 0; x++)
            printf("%s%c", &(idxfields[x].qfield[1]), idxfields[x].qname, LF);
        for (x = 0; othersearchfields[x].qlen != 0; x++)
            printf("%s%c", &(othersearchfields[x].qfield[1]), othersearchfields[x].qname, LF);
        printf("%c", LF);
        printf("Return default fields%c", getenv("SCRIPT_NAME"), (which & 0x10), LF);
    }
    HTML_BREAK
    printf("%c", LF);
    printf("%c", LF);
    printf("%c", LF);
    printf("Questions, comments to: Jim Browne%c", LF);
    printf("%c", LF);
}

int main(int argc, char *argv[])
{
    entry entries[64];
    register int x, m = 0;
    char *cl;
    char returnstr[1024], typestr[4098], commandstr[8192], serverstr[256];
    int atleastonereturn = 0, atleastonequery = 0, which = 0;
    FILE *phfp;

    printf("Content-type: text/html%c%c", LF, LF);

    strcpy(returnstr, "return ");
    strcpy(typestr, " ");

    cl = getenv("QUERY_STRING");
    if ((!cl) || (!cl[0])) {
        send_doc(0);
        exit(1);
    }

    /* split QUERY_STRING on '&', then each name=value pair on '=' */
    for (x = 0; cl[0] != '\0'; x++) {
        m = x;
        getword(entries[x].val, cl, '&');
        plustospace(entries[x].val);
        unescape_url(entries[x].val);
        getword(entries[x].name, entries[x].val, '=');
    }

    for (x = 0; x <= m; x++) {
        /* printf("%s = %s %c", entries[x].name, entries[x].val, LF); */
        if (!strcmp(entries[x].name, "return")) {
            strcat(returnstr, entries[x].val);
            strcat(returnstr, " ");
            atleastonereturn = 1;
        } else if ((entries[x].name[0] == 'Q') && strlen(entries[x].val)) {
            strcat(typestr, &(entries[x].name[1]));
            strcat(typestr, "=");
            strcat(typestr, entries[x].val);
            strcat(typestr, " ");
            atleastonequery = 1;
        } else if (!strcmp(entries[x].name, "Jserver"))
            strcpy(serverstr, entries[x].val);
        else if (!strcmp(entries[x].name, "Jform"))
            if (sscanf(entries[x].val, "%d", &which)) {
                send_doc(which);
                exit(1);
            } else
                exit(1);
    }

    /* The page ends here, at the next printf(); the remainder of main()
       is not on the page. */
}

Query Results

%c", LF); HTML_BREAK if (!atleastonequery) printf("You did not enter a query!%c",LF); else { strcpy(commandstr, "/usr/local/bin/ph -m "); if (strlen(serverstr)) { strcat(commandstr, " -s "); /* RM 2/22/94 oops */ escape_shell_cmd(serverstr); strcat(commandstr, serverstr); strcat(commandstr, " "); } escape_shell_cmd(typestr); strcat(commandstr, typestr); if (atleastonereturn) { escape_shell_cmd(returnstr); strcat(commandstr, returnstr); } printf("%s%c", commandstr, LF); printf("
%c", LF);

	   phfp = popen(commandstr,"r");
	   send_fd(phfp, stdout);

	   printf("
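The block above that builds commandstr and hands it to popen() is the part of phf.c worth studying: escaping for a shell is a denylist, and phf's escape_shell_cmd() is remembered for the one character it missed (newline), which turned the form into remote command execution. The durable fix is to never let user data reach a shell at all. What follows is an added example written for this journal, not code from NCSA or from the page: each query field is allow-list checked (printable ASCII, bounded length) and then passed as its own argv element through fork()/execv(), so metacharacters are plain bytes to the child. The names field_is_safe, run_argv_capture and ph_query_safe are mine, /bin/echo stands in for /usr/local/bin/ph so it runs without a ph server, and the example assumes a POSIX system.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check for one query field: printable ASCII only, non-empty and
   bounded in length. Every control character, newline included, is rejected
   rather than escaped, so there is no denylist to get wrong. */
int field_is_safe(const char *s, size_t maxlen)
{
    size_t n = strlen(s);
    if (n == 0 || n > maxlen)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Run argv[0] with the given argument vector, no shell in between, and
   capture its standard output. Returns the number of bytes captured or -1. */
ssize_t run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int fd[2];
    if (outlen == 0 || pipe(fd) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fd[0]);
        close(fd[1]);
        return -1;
    }
    if (pid == 0) {                        /* child */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execv(argv[0], argv);              /* argv elements are never parsed by a shell */
        _exit(127);
    }
    close(fd[1]);                          /* parent: read until EOF or buffer full */
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 &&
           (n = read(fd[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fd[0]);
    int status;
    waitpid(pid, &status, 0);
    return (ssize_t)total;
}

/* Safe counterpart of phf.c's commandstr/popen sequence: the server and the
   "field=value" term are separate argv elements. /bin/echo stands in for
   /usr/local/bin/ph (assumption) so the call can be run anywhere. */
ssize_t ph_query_safe(const char *server, const char *field, const char *value,
                      char *out, size_t outlen)
{
    if (!field_is_safe(server, 255) || !field_is_safe(field, 63) ||
        !field_is_safe(value, 127))
        return -1;
    char term[256];
    snprintf(term, sizeof term, "%s=%s", field, value);
    char *argv[] = { "/bin/echo", "-m", "-s", (char *)server, term, NULL };
    return run_argv_capture(argv, out, outlen);
}

int main(void)
{
    char out[256];
    /* constructed sample inputs */
    if (ph_query_safe("ns.example.net", "alias", "scud", out, sizeof out) > 0)
        fputs(out, stdout);
    if (ph_query_safe("ns.example.net", "alias", "a\nb", out, sizeof out) < 0)
        puts("rejected: control character in query field");
    return 0;
}
```

A value such as "a;b" passes the allow-list and comes out of the child exactly as typed, because execv() never gives a shell the chance to interpret the semicolon; a value containing a newline is refused before any process is started.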
_____________________________________________________________

---------------------------------------
--=[The history of digital technology]=--
Written by REality
REF. Evolution to Digital
(elseberry@usa.net)
---------------------------------------

In the early 1960's the Bell Systems began to introduce and use a new digital technology in its network. This was necessary because the older carrier systems were rapidly becoming obsolete, and the demand for newer and higher speed communications facilities was building both internally and among the end user communities. As this digital technology was being introduced, it was being deployed in the public telephone network as a means of increasing the traffic capacity, within the Bell system only, on the existing wire pair cable facilities used as interoffice trunks.

The older systems, which included the N-Carrier system, used a two or four wire connection through an analog multiplexing device to deliver 12 or 24 analog channels depending on the version of N-Carrier used. This was still an inefficient use of the line capacity, and the analog service was both noisy and required expensive line treatment equipment. Thus, Bell introduced its newer technology. The analog systems were therefore coming to the end of their usable life.

The telephone companies had to find a way of improving the utilization of the cable plant on an interoffice basis, because they had traditionally under-utilized the pairs of wires and the continued installation of inefficient systems was expensive and bulky. The average length of these wires between their offices was approximately 6.5 miles. As calling requirements continued to grow the telephone companies needed to increase the traffic handling on these interoffice routes. Yet, they were in a quandary. First, they didn't want to continue running major sized cables between offices; there simply wasn't enough space. Second, costs were escalating based on the reinforcement to their outside plant.

What did Bell Systems decide to do about this huge problem that they faced? Keep reading The HAVOC Technical Journal to find out. This story will be continued in the next edition of The HAVOC Technical Journal.

_____________________________________________________________

-------------------------
--=[Scanning for losers]=--
Written by shamr0ck
-------------------------

Today I'm going to tell you stuff about scanners and fun things you can do with them. I have found many different active frequencies but the ones that are the most entertaining are from cellphones (806-956MHz) and cordless phones (43-50MHz/902-928MHz). I've got a pro-62 scanner and it doesn't have the cellular frequencies on it because it's illegal to sell scanners that pick up cellphones in the United States, but not in Canada, if you catch my drift. I am hoping to modify it some day, but anyway it does pick up cordless phones, and I've happened upon many different conversations with it. Like just today I heard some middle aged black guy having phone sex with a fat chick with a southern accent. Being the loser I am, I listened in for a while since I wasn't paying for it, and made sure to follow the warning message at the start of the call and kept both hands on the scanner at all times. I wasn't abusing myself or anything, I swear. Because of this wonderful scanner I've picked up calling card and credit card numbers, but God knows I wasn't planning to use them, because I like paying for stuff. Yeah, that's it. One of the perks of being close to your unsuspecting scanner victim is that you can disconnect their cellphone call.

First off get your fat ass off your computer, and run over to radio shack. Acquire a scanner by any means necessary, but don't be a dumbass and pay more than $200 for it, if you pay for it at all. You could borrow one or something. Now you're all set.
If you're listening to someone's cellphone call and you're within about 30 feet of the caller you can hang up their call. If you're asking yourself "How the fuck can I do that?", shut up and I'll tell you. Find their input frequency.. search 824-850 or whatever. Add 45MHz to see if you hear them on the output along with the phone line audio. Then if you add 10.7 to that frequency (if you have a radio shack scanner) and punch it in it will generate a low power carrier on their phone. Because the phone thinks it lost the cell frequency it will hang up in about 3 seconds. I didn't come up with this, I got it off a web page, but who cares, it's still funny as hell.

Another thing to get if you want to know more about scanners is this book called Police Call. Rip it off at your local radio shack. If you want to know more just e-mail me at speidel@lightspeed.net or come see me on undernet #phreak. If I'm not there, go to #flood and bug those shitheads.

_____________________________________________________________

----------------------------------
--=[REality's Digital Dictionary]=--
Written by REality
REF. Racal-DataCOM
(elseberry@usa.net)
----------------------------------

(ABAM) A designation for 22 gauge, 110 ohm, plastic insulated, twisted pair Western Electric cable normally used in central offices.

(A&B Leads) This shit refers to the additional leads used typically with a channel bank two wire E&M interface to certain types of 'ereet' PBXs (also used to return talk battery to the PBX itself).

(A&B Signaling) Procedure used in T1 transmission facilities in which one bit, robbed from each of the 24 subchannels in every sixth frame, is used for carrying dial and control information. A type of T1 inband signaling, similar to ICMP for you warez kiddiez.

(Access Unit) Sometimes this shit is abbreviated as (AU). It is a device that provides ISDN access to a packet switched service or network. In other words, a k-rad iNET connection.

(Acoustic Coupler) WooHoo! This is a device that allows a telephone handset to be used for access to the switched telephone network for data transmission (generally limited to low-speed 1200 bps).

(ACU)(Automatic Calling Unit) A machine that dials a call automatically when under another computer's control.

(A/D) This is one of the easiest terms to remember dwds. All it means is "Analog to Digital conversion."

(ADM3) A Bellcore designation for the DS-3 device that has familiar functionality to a T1 mux. In other words, a piece of shit..

(AIS) In T1, an all ones condition used to alert a receiver that its incoming signal or frame has been lost. The loss of signal or frame is detected at the receiving end, and the failed signal is replaced by an all ones condition which the receiver interprets as an AIS! The normal response to this AIS is for the receiving end to generate a Yellow Alarm signal as part of its transmission towards the faulty end. This is sometimes called a Blue signal, and I have no idea why.

(Algorithm) A defined set of operational steps to be taken to effect a desired calculation. An example of its use is the Data Encryption Standard (DES) algorithm of the National Bureau of Standards which is used in the encryption of transmitted data to protect its security.

(AM)(Amplitude Modulation) A transmission technique where the amplitude of the carrier signal is varied by the value of the signal to be transmitted.

(Ameritech) One of the seven Regional Bell Holding Companies, resulting from divestiture, covering the midwestern U.S., based in Chicago, and comprised of Illinois Bell, Indiana Bell, Michigan Bell, Ohio Bell, and Wisconsin Tel.

(Analog) In data communications, the description of the continuous wave or signal for which conventional telephone lines are designed. For transmission on these lines, the digital or pulse output of a computer or terminal must be converted to an analog signal.
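As an added example for the A&B Signaling and AIS entries above (my code, not REality's and not from Racal-DataCOM): a D4 superframe is modelled as 12 frames of 24 channel bytes with the F bit kept apart, the transmit side robs the least significant bit of every channel in frame 6 for the A bit and in frame 12 for the B bit, the receive side reads them back, and an AIS detector flags the all-ones condition the entry describes. The A-in-frame-6 / B-in-frame-12 layout is the D4 superframe convention, assumed here; superframe_t, rob_signaling_bits, recover_ab and is_ais are names I chose, and the PCM sample values are constructed.

```c
#include <stdint.h>
#include <string.h>

#define T1_CHANNELS 24   /* DS0 channels per frame */
#define SF_FRAMES   12   /* frames in a D4 superframe */

/* One D4 superframe. The framing (F) bit of each frame is stored apart from
   the 24 channel bytes so channel samples can be addressed directly. */
typedef struct {
    uint8_t fbit[SF_FRAMES];
    uint8_t ch[SF_FRAMES][T1_CHANNELS];
} superframe_t;

/* Fill every channel in every frame with one constant PCM sample; this stands
   in for real voice data in the constructed example. */
void superframe_fill(superframe_t *sf, uint8_t sample)
{
    memset(sf->fbit, 0, sizeof sf->fbit);
    for (int f = 0; f < SF_FRAMES; f++)
        for (int c = 0; c < T1_CHANNELS; c++)
            sf->ch[f][c] = sample;
}

/* Transmit side of robbed-bit signaling: in frame 6 the least significant bit
   of each channel's sample is overwritten with that channel's A bit, in
   frame 12 with its B bit. The voice sample loses one bit of precision there. */
void rob_signaling_bits(superframe_t *sf,
                        const uint8_t a[T1_CHANNELS],
                        const uint8_t b[T1_CHANNELS])
{
    for (int c = 0; c < T1_CHANNELS; c++) {
        sf->ch[5][c]  = (uint8_t)((sf->ch[5][c]  & 0xFE) | (a[c] & 1));
        sf->ch[11][c] = (uint8_t)((sf->ch[11][c] & 0xFE) | (b[c] & 1));
    }
}

/* Receive side: read the A and B bits back for one channel, returned as
   (A << 1) | B. What the combination means (on-hook, off-hook, ...) depends
   on the trunk's signaling scheme. */
int recover_ab(const superframe_t *sf, int channel)
{
    return ((sf->ch[5][channel] & 1) << 1) | (sf->ch[11][channel] & 1);
}

/* AIS detector: the alarm indication signal is an unframed all-ones stream,
   so every F bit and every channel byte of the superframe reads as ones. */
int is_ais(const superframe_t *sf)
{
    for (int f = 0; f < SF_FRAMES; f++) {
        if (sf->fbit[f] != 1)
            return 0;
        for (int c = 0; c < T1_CHANNELS; c++)
            if (sf->ch[f][c] != 0xFF)
                return 0;
    }
    return 1;
}

/* What a failed span looks like to the receiver: all ones, no framing. */
void superframe_set_ais(superframe_t *sf)
{
    memset(sf->fbit, 1, sizeof sf->fbit);
    memset(sf->ch, 0xFF, sizeof sf->ch);
}
```

Robbing the LSB only in frames 6 and 12 is why this scheme is tolerable for voice (one bit in six frames is inaudible) and unusable for data channels, which is the reason T1 data circuits run 56 kbps per DS0 instead of 64.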
(ANI)(Automatic Number Identification) Ability of the network to notify the called party of the calling party's number and/or directory listing.

(ATM)(Asynchronous Transfer Mode) A high-speed, connection oriented cell relay transmission scheme that provides bandwidth to channels as needed. ATM uses a 53-octet cell, where the first five octets convey header information and the remaining 48 octets are payload.

(Backbone Network) A transmission facility or arrangement of such facilities designed to interconnect lower speed distribution channels or clusters of dispersed users or devices.

(Bandwidth) A range of frequencies between two defined limits expressed in cycles per second or Hertz. Also, the information carrying capacity of a circuit.

(Baud) A unit of signalling speed equivalent to the number of discrete conditions or signal elements per second. Multiple bits may be used to characterize individual parameters within one baud (i.e., 9600 bits per second at a rate of 2400 baud = 4 bits per baud).

(Bellcore)(Bell Communications Research) The organization established at AT&T divestiture, representing and funded by the BOCs and RBOCs, for the purpose of establishing eleet telephone network standards and interfaces.

(Bit Stuffing) A process in bit-oriented protocols where a zero is inserted into a string of ones by the sender to prevent the receiver from interpreting valid user data as control characters.

Check out THTJ11 for the second installment of REality's Digital Dictionary

_____________________________________________________________

-------------------------------
--=[K-Kool hackers chat here!]=--
Discovered by KungFuFox
-------------------------------

While I was busy trashing on the internet, I came across a superhacker forum that I think all of you should check out, because it's so elite. Well, at least read the posts, it's funny as hell. Topics include:

"Can't hackers do something good"
"DO any of you really know what hacking is???"
"HACKING KICKS"
"Hack Chat for hackers only!"
"Real Hacker Conversations. Do not come in unless you are a real hacker."
"my moms a hacker"

Personally, I don't know of any hacker moms, and I was certainly interested in finding out what REAL HACKERS talk about, so I gave it a look. Here's a few clips that I found to be rather entertaining, from the "HACKING KICKS" topic.

-

by scott@netbridge.net, Mon Oct 28 03:06:37 1996
Achieving access to unauthorized places is also known as "burglary". If you were to break into an unauthorized place, such as my house, for example, you may find yourself bleeding from bullet wounds. Or, if the place you broke in to was a computer address, you may find yourself suffering from some other ailment-imprisonment. All real hackers would tell you, prison life sucks! This is where all real hackers end up. All others are wannabe's.

by scott@netbridge.net, Mon Oct 28 03:12:31 1996
PS-If you are not brave enough to leave your name or address, then you must be a coward.

by Hackers Heaven, Thu Oct 31 22:10:59 1996
What do you want my address for, do you want to come over and watch me Hack?

by Hackers Heaven, Thu Oct 31 22:12:30 1996
If I were to break into your house, I would see to it that you were also bleeding from bullet wounds

by scott@netbridge.net, Fri Nov 1 05:37:02 1996
I don't like to go to dork's houses, or watch them play with their toys, pretending to be cool. Come on over-we'll see who's bleeding , and cut down on 50% of these messages. Thanks for your input. Dork.

by scott@netbridge.net, Fri Nov 1 05:43:28 1996
PS-If you were a real hacker, you'd have a lot better things to do than leave messages here. I don't think you're fooling anyone. Give it up, you're not a real hacker, so quit pretending.

-

Now isn't that just the most elite hacker talk you've ever seen? There's more where those came from!
http://eagle.online.discovery.com/cgi-bin/forums_view/dir861922735/Technology/Technology%20Central/Hackers/

Discovery probably owns the rights to all that crap once it was posted, but that doesn't really matter now, does it?

_____________________________________________________________

[news]
--------------
--=[The News]=--
Compiled & edited by KungFuFox
[ More news from antifire and Scud-O ]
--------------

 1 : How To Hack Social Security
 2 : E-Mail Security Warning
 3 : Internet security code said vulnerable to hackers
 4 : Hacker Contest Fails to Crack Mac Web Server
 5 : Columnist Who Warned of Net's Collapse Pays Up
 6 : DNS: The Problematic Phone Book of Cyberspace
 7 : Viruses Tripled in Past Year
 8 : Trojan Vigilante Targets AOL Cheats
 9 : Regional Phone Companies to Offer New Access Technologies for ISPs
10 : Hacker Provokes Klan Site Shutdown
11 : RedButton Lets Anyone Be Everyone
12 : AOL4FREE Culprit Tells His Tale
13 : AGIS Keeps Mum Over Attack, FBI Inquiry
14 : HLO brings chaos to CERT conference
15 : 3rd Major NT Bug Found..................... antifire
16 : Maryland Starts 10 Digit Dialing........... Scud-O
17 : Bell Atlantic/ Nynex merger moves closer... Scud-O
18 : Inferno OS Beta Test is Released........... Scud-O

"It's the latest in communications technology."
-Ross, from the motion picture 'Congo'

_____________________________________________________________

How To Hack Social Security

WASHINGTON, D.C.: Want to know your co-worker's salary? How about checking out how much your new boyfriend is really worth? It's all available on the Social Security Administration's website with just a few bits of personal information: Social Security number, mother's maiden name and state of birth. The site, launched just a month ago, contains complete financial data on tens of millions of Americans dating back to 1951.
The reason behind the page is primarily financial: The agency thinks that making the information available on the Web will save millions of dollars in paperwork. Last year, the SSA mailed some four million financial reports to taxpayers at a cost of $5.23 each. Delivering the same report over the Internet costs a fraction of a penny. As usual, the bureaucrats are not very concerned that the site makes collecting private Social Security information relatively easy. "We have confidence that in the huge majority of cases, the people requesting these things are the right people," John Sabo, SSA's director of the Electronic Services Staff, told USA Today, mysteriously.

_____________________________________________________________

E-Mail Security Warning
(04/08/97; 11:01 a.m. EST)
By Jeff Sweat, InformationWeek

Some versions of the IMAP and POP messaging and mail protocols contain security holes that can let hackers manipulate Internet applications built on the protocols and gain unauthorized access to networks, according to the Computer Emergency Response Team. The CERT Coordination Center, affiliated with Carnegie Mellon University in Pittsburgh, has issued a security advisory about the vulnerabilities in certain versions of the IMAP and POP protocols. Both protocols require root privileges so the server can access mail protocols. Although those privileges are typically discarded after log-on, the security flaws let hackers gain root access to a system through text entered in the log-on transaction. The hacker, who doesn't require a user account, can then execute commands on the system through the root privileges. The vulnerabilities affect IMAPd, IPOP2d and IPOP3d. To avoid problems, CERT recommended that IS organizations install a patch from their application vendors or upgrade to IMAP 4.0, revision 1. Until then, businesses should disable IMAP and POP services, CERT said.

©CMP Media, 1996.
_____________________________________________________________

Internet security code said vulnerable to hackers
Wednesday, April 09, 1997 6:49:00 PM EDT
By David Morgan

ATLANTA (Reuter) - The new security protocol for safeguarding credit-card transactions on the Internet may have to change because the underlying cryptography is too easy to hack through and too difficult to upgrade, an expert said Wednesday. Steve Mott, senior vice president of electronic commerce and new ventures for MasterCard International, said it could take hackers as little as a year to break the industry's standard encryption code, which is supposed to render credit-card numbers unreadable to outsiders on the Internet's World Wide Web. For that reason, the consortium of technology companies and creditors that has spent two years developing the Secure Electronic Transaction (SET) protocol may switch to a faster encryption system called Elliptic Curve, which is produced by Certicom Corp. The first complete version of SET, known as SET 1.0, will be available to software makers June 1 with core cryptography provided by RSA Data Security, a unit of Security Dynamics Technologies Inc. "RSA is a very good starting point. But we suspect that in a year or two, the Kevin Mitnicks of the world will start to figure out ways to hack it," Mott said. Mitnick is one of the most notorious computer hackers. "The only way you scale an RSA is to add a lot more bits. You add a lot more bits and it becomes more complex software in terms of the interaction of the transaction messages. That's part of what's taken SET so long to start with." MasterCard has been helping put together merchants with its own member banks for SET pilot projects in Denmark, Japan, Taiwan, South Africa and the United States. Mott told a news conference at the Internet Commerce Expo that the Elliptic Curve encryption system would make a better encryption core.
In fact, he said it would have been chosen in the first place if developers had known about it. "It will fit on a chip card. I think its 160 bits equals security to 1,024 bits of RSA," the credit industry executive said. "We anticipate putting it into some SET 1.0 pilots in the very near future this year in the U.S." Far from being disturbed by the possibility of hackers getting through the current SET cryptography, Mott said SET's developers would "give them an award and a ribbon and then embody whatever they did as part of the improvements" in the next version of security standards. "The current version for SET is as safe as anybody can make it," he said.

©Reuters Ltd.

_____________________________________________________________

Hacker Contest Fails to Crack Mac Web Server
April 12, 1997
By JOE HUTSKO

It was an invitation few hackers could resist, a cracker come-on backed by a cash prize: Be the first to break into our Web server and alter the home page, and we'll give you $15,000. But when the dust had settled, the humble Apple Macintosh Web server was still intact -- a boast that industry giants and more powerful computers could not match. Two months have passed since Infinit Information, a systems consulting firm based in Sweden, posed its digital dare, dubbed "Crack a Mac," offering 100,000 Swedish kroner, or about $15,000, to anyone who could break into its Macintosh-powered Web server. In the first week alone, more than 38,000 visitors dropped by to take either a curious peek or an outright crack at the challenge. But by the time the contest closed on Thursday, the company's chief executive, Joakim Jardenberg, said that the cash would go uncollected because no one had managed to crack into the company's server. In all, Jardenberg said, people at more than 100,000 computers (as identified by unique IP addresses) visited the challenge site, sending more than 8 gigabytes of data in their attempts to break in.
He said that about 75 percent of the visitors were from the United States, 20 percent were from Sweden, and the remaining 5 percent were from other nations, including El Salvador and Mauritius. The rules of the game were straightforward. Crackers could not physically attack the computer or company premises; they were required to reach the Infinit Information Web server through the Internet. "Breaking into our house would not only mean you would be disqualified from the challenge, you would also have to deal with our dog and the police," the company declared. Proof of the crack was to be substantiated by altering the company's home page in whatever way the cracker deemed fit -- graphically, textually, noisily -- so long as it was "human-readable." To collect the prize, the winner would be required to describe in detail how the crack was accomplished, as well as permit Infinit Information to publish (anonymously, if the winner preferred) its findings. Jardenberg also asked that anyone who managed to break in not violate the company's other servers, which it uses to run its business. The contestants included at least a few heavy hitters, said Jardenberg, who was inspired by a similar cracker contest, The Security Challenge, that ran in 1995. Jardenberg listed International Business Machines, Microsoft, Silicon Graphics Inc., AT&T, Netscape Communications, NASA, and the United States Army among the higher-profile organizations that tried to break into his company's server. Citing high-profile cracker jobs like the attack on the Central Intelligence Agency's home page last year, Jardenberg stated that the contest's main objective was to prove the trustworthiness of the Apple Macintosh as a secure Web server in comparison with Unix-based servers produced by companies like Sun Microsystems and Silicon Graphics. 
There is no such thing as a definitive test of the security of one system versus another, but the outcome of Jardenberg's challenge clearly gives a lot of bragging rights to Mac proponents -- especially at a time when the Net is deluged with horror stories about security weaknesses in both Web servers, the machines that host sites, and Web browsers, the software that brings the Web into the user's machine. Infinit Information's challenge machine was a Macintosh 8500/150 running StarNine Technologies' WebStar server software. Having survived its first onslaught of attacks, Jardenberg said the company is giving its Mac server "a well-deserved break." But it won't be a long vacation. Jardenberg is promising foiled contestants another crack at the Infinit Information site in a few weeks.

©The New York Times

_____________________________________________________________

Columnist Who Warned of Net's Collapse Pays Up
Saturday, April 12, 1997 7:41:00 AM EDT

SANTA CLARA, Calif. (Reuter) - A computer pioneer and industry columnist who predicted -- wrongly -- that the Internet would collapse last year kept his promise and literally ate his words at a conference room packed with Net experts and partisans. "Eat, baby, eat!" the crowd chanted, whooping and clapping, when columnist Bob Metcalfe tried to keep his pledge by eating a piece of giant cake iced to look like his column in the trade publication InfoWorld. It didn't fly. Metcalfe -- who invented Ethernet computer networking and founded networking company 3Com Corp. -- had promised to eat the words from his December 1995 column predicting a "catastrophic collapse" of the Internet in 1996 if it did not come to pass. Metcalfe, who made the vow at a 1995 conference in Boston, argued at the Sixth International World Wide Web Conference in Santa Clara, Calif., Thursday that there had been major outages last year. But he acknowledged the big collapse had not happened.
When the audience at his closing address Thursday night objected to his cake gambit, the 51-year-old columnist said, with mock surprise, "I kind of suspected it would turn ugly." He then ripped a copy of the column from a back issue of InfoWorld, tore it into pieces and dropped it into a clear liquid in a blender hidden on stage. Metcalfe poured the resulting mix into a bowl, sampled the cloudy, pulpy substance with a spoon then slurped it down to the crowd's cheers.

©Reuters Ltd.

_____________________________________________________________

DNS: The Problematic Phone Book of Cyberspace
by Simson Garfinkel
6:00pm 9.Apr.97.PDT

Today the Internet's domain name system (DNS) remains one of the network's weakest links. DNS is the Internet protocol that translates host names, like www.hotwired.com, into IP addresses, like 204.62.129.1. It's the phone book of cyberspace, but it's riddled with problems. Others have chronicled the political problems that the domain name system's top-down structure has created. Most of these problems involve Network Solutions Inc. (aka InterNIC), which manages the .com, .mil, .edu, .gov, .net, and .org top-level domains. NSI has been criticized for its handling of trademark disputes involving domain names and allegedly monopolistic practices. What's worse, the domain name system is fundamentally insecure. By transmitting rogue packets to a computer, a hacker or information terrorist can confuse that machine, cajoling it into contacting one machine on the Internet when it means to reach another. Under certain conditions, a hacker can use DNS spoofing to break into a computer. DNS spoofing can be used to redirect or steal electronic mail, intercept pages sent over the World Wide Web, or impersonate other Web surfers. It's easy, untraceable, and becoming more common all the time.
Over the past few years, a working group of the Internet Engineering Task Force has developed an improved DNS - called DNSSEC - that solves the protocol's underlying security problems. The Department of Defense's Internet Infrastructure Protection program funded the technical work, which was in turn carried out by Trusted Information Systems. That organization has made a working implementation of the protocol freely available for download. DNSSEC uses public key encryption and digital signatures to certify every address that's resolved by the DNS system. Each domain is assigned a public key. When your computer looks up a host in a particular domain, it checks the signature on the host's response. This eliminates spoofing; the bad guys can still send you a bogus response, but they can't sign it with the matching private key. Besides strengthening the domain name system, DNSSEC can function as a database for distributing public keys. "Currently there is no protocol defined for publishing and automatically obtaining a public key for a user, a Web site, etc. DNSSEC can be used for this," says EFF founder John Gilmore, who is helping with the effort. "The keys themselves can be VeriSign keys, DNSSEC keys, Elliptic Curve encryption keys, or whatever." Getting the Internet to adopt DNSSEC is a three-step process, says Donald Eastlake, secretary of the DNSSEC working group. First, network administrators and webmasters need to create public keys and secret keys for their Internet domains, and store those keys in their DNS servers. Second, they must modify their nameservers so they provide signed responses whenever a DNS query is made. Finally, the major server software companies must modify the resolvers - the programs that run on the desktop and translate domain names into IP addresses - to verify those signatures. But no company I am aware of has announced plans to incorporate DNSSEC into its DNS resolvers.
Signature verification also requires use of the RSA patent, and RSA Data Security hasn't yet given its go-ahead. But what's most disturbing is that few people in the computer industry - even those who work with computer security - have even heard about DNSSEC. It will have to gain a higher profile before it will fly. ©Packet _____________________________________________________________ Viruses Tripled in Past Year 2:54pm 15.Apr.97.PDT -- The National Computer Security Association (NCSA) says the rate of computer virus infections has tripled over the past year, with the viruses passing for the most part through Microsoft Word and spreadsheet attachments sent via email. The study, released Monday, points to the evolution of viral hacking that travels through tiny "macro viruses" - written in bits of code - rather than disks or software which contain larger executable, and therefore dangerous, code. "Most really successful viruses are very simple, very quiet and they hitch-hike on the most commonly spread types of files" like Word documents and spreadsheets, said Candace Turtle, spokeswoman for Trend Micro Inc., a maker of antivirus software that sponsored the survey with Microsoft, Quarterdeck, and Symantec, among others. The results of the annual survey of 300 organizations - each with more than 500 PCs - show that the infection rate is about 33 per 1,000 computers per month, up from about 10 per 1,000 last year. The report shows that nearly as many virus incidents occurred in January 1997 as in the last six months of 1996. The most common virus over the past year has been the Word.Concept virus, which travels on Microsoft Word documents and infected 49 percent of all sites in the survey. The Wazzu virus, another macro virus that embeds itself in Word documents, was responsible for about one-fifth of all outbreaks, according to the study. 
"'Macro viruses' are a huge industry problem," says Christine Winkel, product manager at Microsoft, "and we are working closely with the antivirus community to make [macros] safer." To block viral outbreaks, Word 97, which shipped in January, alerts users when a document containing a macro is opened and gives them the choice of enabling the macro or not. "We encourage people to say 'no' if they're not sure of the source," says Winkel.

©FEED

_____________________________________________________________

Trojan Vigilante Targets AOL Cheats
(4/17/97; 1:00 p.m. EST)
By Douglas Hayward, TechWire

WASHINGTON -- Cheats who attempt to steal Internet access from America Online are having their hard disks wiped out by a digital vigilante. A highly dangerous Trojan horse program is circulating on the Internet that deletes all files on a user's hard disk, researchers at the U.S. Department of Energy's Computer Incident Advisory Capability unit said Wednesday in an urgent bulletin. The program masquerades as a piece of illegal software, the AOL4free.com program, that lets users create fraudulent AOL user accounts. Established in 1989, the Computer Incident Advisory Capability is a U.S. government agency that provides computer security services to employees and contractors of the Department of Energy. A Trojan horse program differs from a virus in that it must be run by users to do its damage. Trojan horses cannot automatically duplicate themselves or spread without human intervention, as viruses do. "If you are E-mailed this file, or if you have down loaded it from an online service, do not attempt to run it," the agency said. "If the program was received as an attachment to an E-mail message, do not double-click [to open] it. Opening an attached program runs that program, which in this case deletes all the files on your hard drive," the agency said.
The AOL4free Trojan horse, which is just 933 bytes long, tells users that "Your computer has just been f***ed by *VP* f*** you AOL-lamer" while deleting all files on the user's hard disk using the DOS DelTree command. But pressing the Control and C keys before the Trojan horse has finished deleting the files will let users recover some files -- as long as they have programs that recover deleted files, the agency said.

The agency also told users not to be lulled into a false sense of security by a message circulated earlier this year that said it was not true the AOL4free program contained a virus. "That warning was either a hoax or a badly misunderstood description of this Trojan horse," it said.

"A lot of people will think this kind of Trojan horse serves the user right because it punishes people who are trying to do something illegal," said Neil Barrett, a consultant on computer security with Groupe Bull and the author of "Digital Crime: Policing The Cybernation," a book published earlier this year. "Their attitude will be that this is actually a rather jolly piece of software. But the fact is digital vigilantes can do as much damage -- including damage to innocent people -- as real-life vigilantes can do."

Such serve-you-right attacks are becoming particularly popular among digital vigilantes targeting pedophiles on the Net, Barrett added. "We have come across cases where people have set up Websites that appear to be pedophile sites, with the intention of attracting pedophiles and then capturing their IP addresses. The people who set the sites up then attack people who have visited the site by planting viruses on them or by denial-of-service attacks," he said.

"Whatever you think about pedophiles or people who defraud organizations like AOL, the fact is that causing damage to computers is a criminal offense in most countries," Barrett said. "This kind of thing [Trojan horses] can also affect innocent users."
Because the rogue AOL4free program is a Trojan horse, experts say, it will spread slowly and its origins will be relatively easy to trace, making it unlikely to become a major menace.

And though the agency said the program is circulating on the Net, antivirus researchers say it has made no real impact as yet. "We have not had any reports from users being hit by this program, so we don't want people to start panicking about it," said Graham Cluley, a senior virus expert at U.K.-based security specialist Dr Solomon's Software.

"It is probably going to be a fairly small-scale thing," he said. "There are far more important things to worry about, like the huge number of macro viruses around."

©CMP Media, 1996.
_____________________________________________________________

Regional Phone Companies to Offer New Access Technologies for ISPs
April 22, 1997
By SANDEEP JUNNARKAR

While the Federal Communications Commission deliberates on whether to end the pricing exemption that Internet service providers receive on telephone service, the regional phone companies plan to release two rounds of new access technologies in the hopes of luring ISPs off the exempted lines and onto revenue-generating high-speed lines.

The federal rule, called the Enhanced Service Provider exemption, allows ISPs, including InternetMCI Dial Access, America Online and the Microsoft Network, to pay only local business connection rates. The regional phone companies, commonly known as the Baby Bells, say that this rule denies them revenues from long-distance communications at the same time that it's clogging their lines.

The FCC began providing this exemption in 1983 to help foster the growth of the Internet. Phone companies say that the federal exemption has served its purpose and is now counterproductive.
Several Baby Bells, including Bell Atlantic, NYNEX, and Pacific Bell, plan to implement new temporary services that they say will alleviate congestion on the voice networks until they release a family of innovative access technologies in 1998.

Beginning this summer, NYNEX will market its Internet Access Provider Service, Bell Atlantic will focus on Internet Protocol Routing Service, and Pacific Bell will tout its Data Access Gateway.

Apart from small technical variations, these systems are very similar. They involve taking the data traffic off the voice network near the ISP end of the call, directing it basically across the floor to a router that connects to a higher-speed frame relay network.

"This is an approach a lot of the regional Bells seem to be taking to relieve a lot of the data traffic," said Peter Castleton, managing director for NYNEX's Data Access Products division. He added that the company's new service "helps to minimize some of the congestion and provides better and dedicated access to get to ISPs."

But ISPs are apprehensive about the reliability of the networks offered by the Bells.

"Our concern about Bell Atlantic's IPRS service, aside from the fact that we don't know how much it would cost, is that it essentially takes data off our network and runs it through a local exchange carrier packet switch network," said Jill Lesser, deputy director of Law and Public Policy at America Online, the largest Internet access provider in the United States with more than 8 million subscribers. "Right now we have ultimate quality control of our packet network and we like that."

According to one person within the ISP industry, the other reason the ISPs will not bite is that the proposed services offer no great leap forward over the existing systems. That person, who spoke on the condition that he not be identified, said he saw two problems with the phone companies' technologies.
The first is that the data traffic will still have to go through one voice switch, thereby not considerably lessening congestion, he said. Second, this service will be available only in one or two hubs in every calling area rather than in every central office.

"It's only when they deploy this technology in every single central office that they can take data completely off the voice network," said the industry source. "They talk about their technology offering less congestion and better service but at this point it doesn't measure up. Maybe in a couple of years that would be the case but by that point, hopefully, we are talking about xDSL technologies."

And certainly everyone appears to be eagerly anticipating xDSL services, the next round of access technologies. (The "DSL" stands for Digital Subscriber Loop, while the "x" is a variable that represents the varying speeds and methods of transmission offered by different companies.)

"The new DSL technologies are expected to drive a wide variety of applications in education, health care and telecommuting," said Vinton G. Cerf, who is widely considered one of the fathers of the Internet and who is now the executive vice president of Internet architecture at MCI. "This increased capacity allows consumers in homes and businesses to have access to high-speed services normally requiring expensive fiber optic line connections."

Applications of the xDSL technologies will include interactive services like home shopping and banking, multi-party video games, and multimedia education and entertainment.

In 1998, the Baby Bells, as well as companies like Cisco Systems, plan to release the xDSL family of access technologies, which use digital signals across the traditional copper wires -- the lines that connect nearly every home and business in the United States.
That copper lines can provide high-speed Internet access comes as a surprise to most users because of the commonly held belief that the narrow bandwidth of copper can optimally only support voice traffic while causing data bottlenecks on the Internet.

"The truth is that we have used only 1 percent of the capability of copper; the other 99 percent of the band has just been sitting idle," said Jeff Waldhuter, executive director of research and development at NYNEX's Science and Technology division. "The existing copper pipe infrastructure has the capability to provide the super highway today."

NYNEX plans to take advantage of this unused portion of the pipes by offering something called Asymmetric DSL technology by January 1998.

"ADSL is not rocket science," Waldhuter said. "It builds off the technology of today's analog modems."

According to Waldhuter, ADSL leverages the same advances in modem technology while using a larger window of the spectrum on the copper wires. He said: "It uses 200 times the spectrum on the copper wire than we are currently using. That is how we can get six to eight megabits over the copper to individual homes."

NYNEX is working closely with US Robotics, the modem manufacturer, to design a modem that will initially provide 56K service but that could be used for ADSL service once it is launched.

"We just met with US Robotics, and they see a tremendous upside opportunity in the market," Waldhuter said. "They are going to do some aggressive pricing to bring down the cost so it will be affordable to consumers by the 1998 time frame."

Cisco Systems recently entered the Digital Subscriber Loop market by acquiring Telesend, a privately held company that developed a symmetrical xDSL technology, called IDSL. Cisco claims that users can obtain 128Kbps connections, double the speed of existing single B channel ISDN data services and many times faster than 28.8Kbps or 56Kbps modems.
"IDSL can be deployed quite economically because many ISDN devices can potentially support IDSL with a simple software change," said Andrew Greenfield, director of Service Provider Infrastructure at Cisco Systems.

Greenfield added that the difference between ADSL and IDSL is that ADSL has a different bandwidth in each direction. "One common configuration gives you 640 kilobits per second from the customer to the network and 6 megabits in the reverse direction," he said. "Whereas IDSL is symmetric with 128 Kbps in both directions."

Companies offering an alphabet soup of xDSL technologies are confident that the variety of services will be compatible.

"The approach we're going to take is standardizing the backbone data network off the circuit switch voice network to make sure that it is able to have a wide variety of DSL technologies plug right into our backbone," Castleton said. "That is the direction a number of the Ciscos and Bay Networks are heading."

None of the companies provided clear pricing details. Cisco's Greenfield offered only that consumers would start seeing something analogous to business class and coach class service for the Internet.

"There will be a consumer-oriented bandwidth that would be competitively priced to be affordable to consumers," said John Johnson, a NYNEX spokesman. "And a business-level bandwidth at a price businesses expect to pay -- one that is competitive with existing services."

How effective the xDSL technologies will be depends entirely on how widely they will be available.

"Our ADSL roll-out plans are being finalized, but we will be concentrating on metropolitan and suburban areas, and other areas of high demand," said Johnson. "I can't be more specific at this time. But yes, it will be limited by the weakest link in the chain, wherever that may be."

Before xDSL technologies lure ISPs off the exempted lines, the question of costs and availability will have to be spelled out.
"It's fine to say these products are available, but our primary concerns are whether its level of deployment will be close to ubiquity and what the ultimate cost would be to upgrade," said AOL's Lesser. "We are also concerned about what upgrades will be necessary from the consumer side because we serve largely a residential rather than a business marketplace. If it's not widely available to our customers, it's not that useful for us to invest in."

With other access technologies on the horizon, such as cable and improved wireless connections, consumers can only wait to see which become the standard.

©New York Times
_____________________________________________________________

Hacker Provokes Klan Site Shutdown
by David Lazarus

11:55am 22.Apr.97.PDT -- A hacker named "Joka" managed to get America Online to briefly shut down a site run by the Texas branch of the Ku Klux Klan over the weekend, forcing the service to act for security reasons after it had declined to do so in response to widespread criticism that the site contains offensive material.

"Somebody was password fishing," AOL spokeswoman Wendy Goldberg said Tuesday. "They were using a made-up screen name similar to the one for the Klan. When people register complaints, we pull the screen down."

Simple as that - and exactly as Joka had hoped. In a newsletter called the AOL List that routinely slams the quality of AOL's service, David Cassel wrote that he'd spoken with Joka, who explained how he succeeded in attacking the Klan site by using "the hacker skill of social engineering."

What Joka did was set up a screen name that closely resembled that of the Realm of Texas of the KKK. "I went around asking people for their passwords, hoping that they would report the wrong screen name," he was quoted as saying.

It worked. Goldberg said a number of complaints were received from members last Friday that the operator of the Klan site was going around asking for people's passwords.
AOL's security force promptly shut down the Klan site and launched an investigation. "We checked and saw it was a made-up screen name," Goldberg said. "When we saw this, we put the Klan's screen back up." She added that the amount of time the Klan site was down was not very long.

AOL has drawn considerable flak since Wired News first reported the ongoing presence of the Klan site on its server - despite the service's crackdown on other sites deemed offensive or pornographic. The KKK Realm of Texas site discusses America being "duped by the lies of the race mixers and mongrelizers," and declares the Klan's commitment to "the preservation, protection, and advancement of the White race."

Goldberg said the site was reviewed months ago by AOL, and the service decided to let it stay. "These are difficult judgment calls, and we're making them on a case-by-case basis," she said. "What we look at is the content and character of a site."

For his part, Joka figures his shadow Klan operator drew about 200 complaints after attempting to shake down more than 3,000 AOL members. "Stupid people on AOL always amaze me," he was quoted as saying.

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

RedButton Lets Anyone Be Everyone
by Michael Stutz

2:57pm 22.Apr.97.PDT -- A serious security hole in Windows NT is the latest in a recent series of published vulnerabilities in the Microsoft operating system. The "RedButton Bug," named for the first program to demonstrate the NT vulnerability, allows an intruder to bypass the traditional logon procedures and grants that user access to intimate system information on an NT server.

Normally, entry to an NT machine is obtained by logging on with a valid username and password combination, or optionally using the guest account, if enabled. The RedButton Bug exploits an alternate means of access on NT machines - the anonymous account - which is normally used for machine-to-machine communication on a network.
Once connected, this account gives users access to all resources available to the group called "everyone," which is, as it sounds, all of the users on the system. These resources include file shares, of which the default group when first created is "everyone." Some resources could even be written by the intruder, allowing the implant of Trojan horses.

The bug was discovered by Andy Baron at Midwestern Commerce Inc., a firm that specializes in NT security consulting and assessment. A working demo of the flaw was recently published on NTsecurity.com, the Columbus, Ohio, firm's Web site.

When run, RedButton demonstrates how the flaw allows users to log on to any LAN or Internet workstation running Windows NT versions 3.5x or 4.0 for which they have network access. Users don't have to complete the username or password fields. Once on the server, a user sees sensitive information about the host machine, including the name of the administrator account and various entries in the Windows NT Registry, including a list of users.

The RedButton program runs only on NT machines. "Our goal wasn't to make it available for all platforms," said MWC director of sales Andy Pozo. Potentially, the bug can be exploited by any networked computer.

Microsoft officials were unavailable for comment Tuesday despite several attempts to reach them.

For now, network administrators have no fix, other than disconnecting servers from the network, a practice that's incongruous with the function of the machines in the first place. And taking away the anonymous access isn't an option, said Pozo. "Disabling anonymous access would hinder NT as a usable networking platform," he said.

Partial fixes are available, including the EVERYONE2USER.EXE program, developed by David LeBlanc at Internet Security Systems Inc., which changes resources from the "everyone" group to one called "user group." Internet-connected machines should have their NetBIOS services unbound from their Internet interface.
"Microsoft may include a fix to this problem in time for Service Bug 3, but it could be difficult - this bug affects the basic design of NT," Pozo said. It would also require the patching of a number of kernel-level subroutines, he said.

Pozo maintains that the latest breach in Microsoft's heavy-hitting OS does not mean it's not viable. NT is only showing its youth, he said. "[NT] doesn't have the 20 years [of security checking] that Unix has."

To hackers, NT's vulnerability stems not from the lack of security but from the very existence of a security scheme. "NT has a security model, and Unix doesn't," said Mudge, a hacker at the Boston-based collective L0pht Communications. "That's a good thing, but the problem is that so many software vendors tend to bypass that model - including Microsoft itself," he said, referring to the oft-alleged tendency of Microsoft to ignore its own security precautions.

And Mudge ought to know. He is the co-author of L0phtcrack, a new tool that demonstrates Windows NT password insecurities, somewhat analogous to the Crack utility in the Unix world.

Cracking NT passwords is an easier task than the Unix counterpart because the NT encryption isn't as thorough. When encrypting passwords, NT makes no use of a salt, a mathematical function that increases the possibilities for an encrypted password. And NT only runs through one round of DES encryption for each password, as opposed to the 24 rounds of its Unix equivalent, Mudge said.

Thanks to this and some slick code writing, L0phtcrack is currently the fastest password-cracking tool available for the NT platform. "Our goal is to be able to brute force a 14-character NT password on a Pentium Pro 200 in under 24 hours," said co-author and fellow L0pht hacker Weld Pond.

But it's not the only one. The current issue of Phrack Magazine, one of the premier security and technology e-journals published by the hacker culture, demonstrates another program that cracks NT passwords.
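The salt and round-count point Mudge makes above, as an added example in Python that is not code from the article, L0pht or Microsoft: a toy password audit showing why an unsalted, single-round hash can be checked against a table built once for all users and leaks which accounts share a password, while a salted, iterated hash (the Unix crypt(3) design) forces the work to be redone per user. SHA-256 is assumed as a stand-in for DES so it runs without a DES library; the wordlist and user records are constructed.

```python
# Added example, not code from the article, L0pht or Microsoft.
# Assumption: SHA-256 replaces DES; only the salt/iteration structure matters.
import hashlib
import os


def unsalted_hash(password: str, rounds: int = 1) -> str:
    """Toy unsalted scheme: the same password gives the same hash for every user."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def salted_hash(password: str, salt: bytes, rounds: int = 24) -> str:
    """Toy salted, iterated scheme; the salt is stored in the clear beside the hash."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(salt + digest).digest()
    return salt.hex() + "$" + digest.hex()


# Constructed sample wordlist for the demo; a real audit list is far larger.
WORDLIST = ["password", "letmein", "nynex97", "inferno", "havoc"]


def precompute_table(rounds: int = 1) -> dict:
    """Built once (len(WORDLIST) * rounds hashes), it serves every unsalted account."""
    return {unsalted_hash(w, rounds): w for w in WORDLIST}


def audit_unsalted(stored: dict, table: dict) -> dict:
    """Unsalted audit is one dictionary lookup per user; no hashing at all."""
    return {user: table[h] for user, h in stored.items() if h in table}


def audit_salted(stored: dict, rounds: int = 24) -> tuple:
    """Salted audit must rehash the wordlist per user; returns (found, rounds spent)."""
    found, work = {}, 0
    for user, value in stored.items():
        salt = bytes.fromhex(value.split("$")[0])
        for word in WORDLIST:
            work += rounds
            if salted_hash(word, salt, rounds) == value:
                found[user] = word
                break
    return found, work


def shared_password_groups(stored: dict) -> list:
    """Unsalted hashes reveal which users share a password before any hashing is done."""
    groups = {}
    for user, h in stored.items():
        groups.setdefault(h, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed user records; real salts come from a CSPRNG as here.
    users = {"alice": "letmein", "bob": "nynex97", "carol": "letmein"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_hash(p, os.urandom(8)) for u, p in users.items()}
    print("shared passwords (unsalted):", shared_password_groups(unsalted))
    print("shared passwords (salted):  ", shared_password_groups(salted))
    print("unsalted audit:", audit_unsalted(unsalted, precompute_table()))
    found, work = audit_salted(salted)
    print("salted audit:  ", found, "after", work, "hash rounds")
```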
©1993-97 Wired Ventures, Inc.
_____________________________________________________________

AOL4FREE Culprit Tells His Tale
by David Cassel

5:02am 22.Apr.97.PDT -- Nicholas Ryan, a college junior convicted for authoring the original AOL4FREE program, will be leaving Yale University this June to start a six-month home sentence, and two years of probation. For 25 hours a week, he will be working at a special education program as a form of community service.

But on off-hours, Ryan will be working on an encryption program for Windows 95, based on the Macintosh program that stumped the Secret Service agents who confiscated his computer. "It would be a mini-encrypted hard drive - every time you shut down the computer, all the information would be totally encrypted."

Three weeks after his conviction, Ryan says he is ready to talk about his hacker past, and to share his experience of creating a program in 1995 that allowed hackers to use AOL without paying the hourly charge.

Last week, Ryan came forward with a 30-KB essay explaining his motives and experiences to hacker sites. His confessions came the same week that the Department of Energy put out a warning against the AOL4FREE "Trojan horse," a file-destroying program that is masquerading as Ryan's original program.

"I was an outlaw, a spy," Ryan boasts, "and I loved cracking the puzzle of AOL's system." During the days of US$2.95-an-hour pricing, AOL4FREE made Ryan, aka Happy Hardcore, a hero in hacker chat rooms. "When I entered a room, I'd immediately get dozens of messages asking about when my next version would come out, who I knew, and many just thanking me."

His essay also includes anecdotes of hacking live chats and distributing AOL customer data. In a press release applauding his conviction, AOL conceded that hundreds used the program to gain free access to the service. Ryan's is the first federal felony conviction involving an online service, AOL claims.
"AOL and the prosecutors decided they wanted it to strike a blow against the hackers and take me out as an example," Ryan said in an interview. "At one point they were even claiming that the damages were US$1.5 million."

Ironically, Ryan had titled one section of the documentation for AOL4FREE "Can I get caught?" He even supplied a prescient answer: "A better question would be, 'Would they want to prosecute me if I'm caught?'"

Ryan now claims he'd been reassured by internal memos forwarded by hacker friends that AOL would not go after him. "I assumed they were going after the AOL4FREE users. Kind of a dumb assumption.... The Secret Service knocked on my door in December."

Of the latest AOL4FREE decoy, Ryan says there's nothing new in naming Trojan-horse programs after real ones. "I remember during 1995, way back then, there was an AOL4FREE program that was actually a Trojan horse. So this program may just be a couple of years old."

Mixed in with the harrowing stories of his exploits, Ryan's confessional essay includes a disclaimer: "I stress that in no way did we EVER do anything to cause permanent damage using the tools or information that we found." He adds: "We could've taken down 500 file libraries. We could've massively wreaked havoc on the service. But it wasn't what we were there for. It was the puzzle of it, the challenge of it."

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

AGIS Keeps Mum Over Attack, FBI Inquiry
by Michael Stutz

11:55am 22.Apr.97.PDT -- One of the country's largest Internet service providers is tight-lipped after an attack on its networks was revealed to be more serious than originally reported.

Apex Global Information Services (AGIS), considered one of the "big six" backbone Internet service providers, confirmed Monday that it has been the target of an all-out network attack and that the FBI is investigating the incident.
In addition, the company has notified the Computer Emergency Response Team. Although the company would not comment on the scope of the FBI investigation, a spokesman said that no private information was compromised.

Observers believe the attack is spam-related because of the company's belligerent attitude toward unsolicited bulk email. A quick scan of the Usenet groups such as news.admin.net-abuse reveals the depth of discontent with the service.

AGIS, home to some of the most infamous spam factories on the Net, such as CyberPromotions, is considered to be the world's largest "rogue" site by anti-spam activists such as Robert Braver.

Braver on Monday published Implementing Warnings for AGIS Netblocks, a collection of CGI scripts that webmasters could insert in their sites so that anyone from an AGIS network connecting to a page on the site would receive a warning message instead of the page's actual contents. The warning informs the user that, because AGIS provides bandwidth to spammers, some sites and networks may restrict access from their machines to AGIS.

It is exactly that sort of blocking that was originally feared to have caused the recent AGIS attack. Users who traced the route from hosts originating on network giant ans.net to destinations in AGIS territory over the weekend noticed that their trail ended abruptly at AGIS' connection to the servers where MFS Communications Company Inc. administers to MAE-East, the largest national network access point. Forty-six ISPs, including all major US and some European firms, connect to routers here to exchange data with other networks.

This cut-off fueled speculation among the sleuthing users that ans.net, tired of AGIS' spam-positive practices, configured one of their core routers to ignore all traffic to or from the AGIS address space. But this was not the case, as many hosts on MAE-East suffered similar routing problems during the same time span.
Instead, the outage was most likely a hardware problem on AGIS' side - possibly related to the attack. Just what hardware failed and how is something AGIS appears to be keeping in its vest pocket for now.

Even the company spokesman is in the dark. "My client hasn't told me whether or not [their silence] is because of the FBI investigation, or what," said the spokesman, Steven Wright-Mark.

Nonetheless, it is likely that the company will be forced to change its spam-positive ways; Wright-Mark confirmed that AGIS is expected to release a statement sometime this week updating its position toward the highly unpopular junk email. If this change materializes, it will be a welcome move from a major ISP that, for a time, returned complaints and other email reports of Net abuse back to the sender, unread.

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

HLO brings chaos to CERT conference
by K.F. Fox

13:00pm 31.Apr.97.EST (HNS) -- At the CERT conference on communications security held today in Atlanta, GA, an apparent reign of terror has begun at the hands of a group of militant phone phreaks known only as the HAVOC Liberation Organization, or HLO.

Throughout the Atlanta metropolitan area the telephone network has collapsed, mainly due to malicious vandalism of telephone access boxes located on nearly every city block of the region.

Moments before this terror spree began, an anonymous tip was called in to the Atlanta police, stating what could best be described as "the end of telecommunications tyranny," as the unidentified caller termed it. The caller, in the name of the HLO, claimed responsibility for the terror, and stated that further destruction would be necessary if the HLO's demands for cheaper and more widely available phone service were not met.
Rufus Jones, a spokesman for Southern Bell, Atlanta's largest local phone service provider, had this to say: "We stand firmly behind our pricing policies, and believe that this attack is mainly aimed at long distance carriers such as AT&T and Sprint." Ironically, the majority if not all of the property damaged in this reign of terror is owned and operated by Southern Bell. When asked if his company was indeed being singled out in the rampage, Jones refused comment.

What is clear to investigators is that the amount of damage in this terror is significant. Preliminary reports estimate the cost at between $1.2 and $2.8 million. Those figures do not include the loss in business revenue anticipated as a result of this service outage.

Atlanta Police are now following several leads in their investigation, including information provided by an informant working for the FBI. According to Tsutomu Shimomura, chief investigator for the APD, the informant, known only as "SINISTER", has been spying on the HLO through a super-secret underground hacker chat network on the internet, known as IRC. Through this network the HLO has discussed subjects ranging from prank phone calls to destroying entire area codes with a device known as a blotto box. It is believed that the group's membership may number in the hundreds.

"I don't know who these guys are, but they're real mean, and I'm going to write another autobiography when I catch them," said Shimomura.

HNS will continue to report on this story as more information becomes available.

©1997 HAVOC News Service
_____________________________________________________________

[3rd Major NT Security Flaw]---------------------------------------------

Following Microsoft's Internet Explorer Web browser exploitation, another major flaw was discovered in another Microsoft product, making it the 3rd major 'hack'.
Two security technologists wrote code to exploit a major security flaw in Microsoft's NT network operating system which allowed a remote user to decrypt critical files, including the registry of user passwords. Somehow I doubt Microsoft 'accidentally' overlooked such a dangerous hole in one of their most advanced software products. Unsurprisingly, Mike Nash (director of marketing for NT Server) has made no remark at all about developing a possible 'patch'. A child could obtain these passwords by sending a Trojan Horse to a user on the network. With these flaws it is easily predicted that more sysadmins will turn to Unix for security.

"we're still seeing bugs coming out of 20-year-old Unix, and NT is a baby in comparison." -- Goggans

Based on an article first published on the web at www.eet.com only a few days ago by Larry Lange.

[Maryland Begins 10 Digit Dialing]-----------------------------------------

As of May 1st 1997 (the release date of this issue), Marylanders will have to dial 10 digits for local calls. This is the same date that Bell Atlantic adds 2 new area codes, 443 and 240 (not sure about the second area code), to Maryland's two current area codes, 410 and 301. This is the second time in the past ten years that Bell Atlantic has added area codes to Maryland; however, when they added 410 a few years back, we still kept the standard 7 digit dialing. Oh well, that's progress for you.

[The Bell Atlantic/ Nynex Merger Clears a Major Hurdle]----------------------

The coming Bell Atlantic/Nynex merger, which was started almost a year ago, has cleared the Justice Department. Surprisingly, after first passing the PTC (Public Telephone Commission) of each state that the merger will affect, it was declared that the merger does not violate antitrust measures that will keep the monopoly and hurt the newcomers to the local phone market. (Yeah right, I think this agreement came after some money had been slipped under the table....
) Anyway, now the merger only needs the blessing of the FCC, which shouldn't be hard to get. Stay tuned for more details on this 23 billion dollar deal.

[Inferno OS Beta Test is Released]-------------------------------------------

Lucent Technologies, formerly Bell Labs, but spun off into a new private company, has released Inferno OS, a new operating system which looks rather cool. It is mainly targeted at the programmers and IS managers of the computer world, but Lucent is opening its view, and seeing that Inferno would make a viable internet host and game development machine. It sounds like it is mainly based on UNIX machines, but there are versions of it for almost every platform. (However, as of this writing, Slackware Linux is unsupported while Red Hat is supported.) It is now looking like a multipurpose OS like JavaOS, which can be ported to many platforms so that all apps will run and look the same. But I think searching stuff on the internet from your toaster is still a few years off.

You can find out more information and even download a copy of Inferno (20 MB!) from:
http://www.lucent.com/inferno/

_____________________________________________________________

[ Phone Calls ]

[1]

[ NOTE: First, let it be known that if you didn't read the news, Bell Atlantic customers in the Maryland area will have to use 10 digit dialing beginning May first. So get ready for this; of course, I have been dialing all ten digits for local calls to get practice so my calls will go thru. ]

[ Crappy James Earl Jones Bell Atlantic Greeting ]

Operator> Thank you for using Bell Atlantic. How may I help you?
Me> I want you to fix your phone system.
Operator> Excuse me?
Me> Your phone system, it keeps giving me a 'The number you have dialed is not available, please hang up and try again'
Operator> Are you sure you are dialing the right number?
Me> Fuck yes I am, I'm adding the area code in, so I remember when to do it when May 1st comes around.
Without the area code, it works fine. Fix your damn system.
Operator> Sir, please try to calm down.....
Me> Fuck that! I am calm!
Operator> Sir, please stop the abusive language....
Me> You want abusive language? I'll give you abusive language!
Operator> Sir, I can't explain why your calls aren't going through, maybe you are dialing the wrong number.
Me> Do I sound like an idiot to you? Do I? Fuck you, let me speak with your supervisor.
Operator> Are you sure you want to speak with my supervisor?
Me> Hell yes I do.
Operator> Ok sir, let me get them on the line for you....

[ Elevator Music ]

Supervisor> Sir?
Me> Yea, fix your damn phone system.
Supervisor> What?
Me> Damnit, I SAID FIX YOUR DAMN PHONE SYSTEM SO THAT I CAN USE THE AREA CODE TO DIAL A LOCAL CALL SO I WILL BE IN GOOD SHAPE WHEN MAY FIRST IS HERE!
Supervisor> Sir, are you sure your calls are local? They may be long distance and you need to dial a '1'.
Me> Fuck head, I TOLD YOU, THESE ARE LOCAL CALLS.
Supervisor> Oh, I'm sorry.
Me> Dumb ass, you're no help, let me speak with your supervisor.
Supervisor> Sir?
Me> YOUR SUPERVISOR?!?! I want to speak with him.
Supervisor> He's not here right now sir.
Me> I DEMAND TO SPEAK WITH HIM!
Supervisor> Sir, he's not here, can I leave a message?
Me> Yea, tell him to fire your sorry lame ass, since you can't do your job...

[ C L I C K ]

_____________________________________________________________

------------------------     ----------------------
-[HAVOC Bell Systems]-       -[Acknowledgements]-
------------------------     ----------------------

Agrajag    : PLA Michigan (MIA?)
btm        : Elite
darkcyde   : #phreak old-schooler
digipimp   : Co-conspirator
Digital_X  : Nemesis (MIA?)
dr1x       : It's 420!
disc0re    : Distributor (errrrrr)
ec|ipse    : Hysterical bastard
Keystroke  : Submissions Editor
CrakerJak  : Crazy ass mofo
KungFuFox  : Editor
RBCP       : Funniest man alive
memor      : Ueberleet French phreak
shoelace   : Kewl fellow, #phreak'er
psych0     : Lame ass mofo
Distorted  : sup bro?
REality    : #phreak's southern accent
yesimlame  : No, he's not
Scud-O     : Founder and Editor in Chief
JP         : JP owns you all!
Redtyde    : #phreak not so old-schooler
tombin     : phear!
theLURK3R  : Coder guru
Defraz     : Spanish restaurant owner
UnaBomber  : Tired of IRC (MIA?)
ChiaPope   : sniff, we miss wrath!
Dave       : sup bro?
Malhavoc   : Infectious Thinker
antifire   : NT security guru
darc       : has bad info lines
devnull    : rmd his sendmail sploits
TMessiah   : Believes in 'Utopia'
X-TREME    : (to the group) sup all?
#phreak    : My home on IRC
#hackers   : My home away from home

_____________________________________________________________

This Month's Question: (submitted by mbanfeld@n*th*r.n*t)

Do you guys do web development?

Yea, although we all make lame web pages, but hell, if a group of insane Heaven's Gate cultists can do it, so can we!

_____________________________________________________________

Next Month:

[My crystal ball is STILL in the shop, but when I was at Bob's Auto and Crystal Ball Repair Shop the other day, it mentioned something about httpd problems and some firewalling holes. But stay tuned for more information.]

Issue 11 is out June 1st! Send all articles for issue 11 to Keystroke at: keystroke@thepentagon.com

Tune in next time, Same Bat Time, Same Bat Channel!

==========================================================
= Is this copy of The HAVOC Technical Journal skunked?   =
= If this file doesn't read at 154768 bytes, it probably =
= doesn't have a born on date! Get a fresh copy from our =
= site at: http://www.geocities.com/SiliconValley/8805/  =
==========================================================

-[EOF]-
