                              ==Phrack Inc.==

               Volume 0x0c, Issue 0x41, Phile #0x01 of 0x0f

|=-----------------------------------------------------------------------=|
|=--------------------------=[ Introduction ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------=[ By The Circle of Lost Hackers ]=-----------------=|
|=-----------------------------------------------------------------------=|

Welcome back.

Another year has passed, another PHRACK issue is out, PHRACK65.

Every time somebody gives me a present I end up thinking about the story of that gift. Where did it come from ? Who worked on it ? Did whoever worked on it ever think that his work would end up in my hands ?

What about a PHRACK issue ? PHRACK comes from the underground, the underground worked on it, submitting papers, sending feedback, commenting, spending long nights chatting, reading, BREATHING.

Does the underground still breathe ?

Things change, panta rei.

As hackers, we have fun. We want fun. Hacking is fun. You know it because you did it, because you spent nights and nights on this fucking fun, going to sleep at 6 a.m. and waking up three hours later to present your face at school or work, with your brain still back home on your encrypted work.

Are you still having fun ?

Please, don't take it personally, don't over-react. It's just a question. A question that everybody should pose to themselves every single day, no matter what he is doing.

FUN is not only PAYBACK. We are human, we love receiving congrats, who doesn't ? We LOVE seeing our little work spread around. We love the clap-clap-clap sound. But does it really boil down only to that ?

When you lose fun and start doing things only for the payback, you're dead. Every one of you who experienced a bad job or a bad exam topic knows the feeling of "wasting time on useless things" that pops out in those moments. But, most of the time, you _HAVE TO_ do it.

Well, nobody _HAS TO DO_ hacking. Nobody.
If you are only doing that for a payback, then you are a DEAD hacker. If you are only doing that to present a paper to a conference, to see your name somewhere, then you are a DEAD hacker.

It will work. You don't need fun to be skilled, you don't even need to be skilled to post or to go to a conference, there are so many around that everybody has some hole to fix. But your touch with the underground is gone. Your responsibility towards friends, ideas, codes will slowly fade away. HACKING is also responsibility and FUN is the only way to not feel its pressure.

You might disagree, just post on your idea. Maybe it is a too dark scenario, maybe it is just a spring blues, maybe I am just pessimistic, but this is the feeling. This is money taking over everywhere, this is seeing more and more things done only for the payback. This is seeing the underground heart beating slower and slower.

PHRACK is just an example of what the underground has been able to do. Of what we can do. But so many hackers out there are capable of disrupting the system without having to read or write a magazine like we do. We are entering into a period where Government and Politics are trying to control technology with supposed-anti-terrorism laws. And they don't lack money or good congrats.

So please, please, help this fucking heart beating faster, pushing blood around. Please HAVE FUN.

This is the 65th edition of Phrack and we are still alive. Despite that some people say they don't learn anything when reading phrack we still think that Phrack is one of the best underground communication methods. Oh well, for sure, there are other and even better ways. But Phrack is one way and probably not the worst.

We have tried to release this issue earlier but editing a magazine (and especially Phrack) is not easy. We have received a lot of positive comments after Phrack release #64 and a lot of people said they will contribute. However we did not see anything coming.
Almost all articles from this release are coming from our first circle of friends. Again.

This release, despite that it is not the perfect one, tries to bring a good mix between technical articles and what we call spirit articles. Our introducing and concluding articles (Phrack Prophile and The Underground Myth) bring two opposite visions of the hacking underground. Contradiction? No. Freedom of speech. We have kept with our regular columns Phrack World News and International Scenes. We also have decided to publish fewer exploit articles. However, low-level hackers should find their way easily into this new release.

[-]=====================================================================[-]

For this issue, we are bringing you the following :

0x01  Introduction                                                TCLH
0x02  Phrack Prophile of The UNIX Terrorist                       TCLH
0x03  Phrack World News                                           TCLH
0x04  Stealth Hooking: another way to subvert the Windows kernel  mxatone ivanlefou
0x05  Clawing holes in NAT with UPnP                              felinemenace
0x06  The only laws on Internet are assembly and RFCs             Julia
0x07  Hacking the System Management Mode                          BSDaemon, coideloko, d0nand0n
0x08  Mystifying the debugger for ultimate stealthness            halfdead
0x09  Australian Restricted Defense Networks and FISSO            The Finn
0x0a  Phook - The PEB Hooker                                      shearer & dreg
0x0b  Hacking the $49 Wifi Finder                                 openschemes
0x0c  The art of exploitation: Samba WINS stack overflow          max_packetz
0x0d  The Underground Myth                                        anonymous
0x0e  Hacking your brain: Artificial Conciousness                 -C
0x0f  International scenes                                        various

Windows stealth hooking article brings a deep analysis of the XP kernel internals by presenting two sophisticated backdooring techniques. It is generally hard to find valuable reverse engineering articles covering *new* topics and satisfying our standards, but these guys have done a great job. Make sure also to check out the PEB Hooker and the full published source code if M$ software reversing is your thing. Both of those articles will bring you a very good read.

Felinemenace is featured again and brings you one of their latest hacks on more recent network protocols. Our second network article digs into FISSO by introducing not-so-public information about Australian restricted networks.

As we continue to care about cryptography, Phrack #65 includes a useful cryptographic concept of deniable encryption, a particularly relevant topic for hackers. Check out Julia's article for all details.

As mentioned, we have tried to bring you the best low-level hacking around. Articles such as Hacking the System Management Mode, Hacking the $49 Wifi Finder, Mystifying the debugger, are not really 0day for those of you already in the underground, but aim to bring you sufficient material to develop your creativity on that matter.

Finally, we could not release Phrack without at least one exploitation article. Max Packets has done the job of describing step by step his Samba WINS exploit. The information contained herein will certainly be enough for those of you guys who want to develop their own.

Scene Shoutz:
-------------

Again, Phrack #65 could not have happened without so many people. Thanks to the admins, coders, hackers, scripterz.

Shouts : mauro, sysk, leandro, assad, kiwicon for an amazing conference with a lot of original topics. As long as you stay a non profit event Phrack will support you! We are also looking forward to the next BACon in September 2008. Shouts to all South American hackers & expats.

No shouts: All supposed "Underground people" who asked us a million times when Phrack will be out but never contribute to the magazine. If you guys were a little more productive perhaps Phrack would be released more often. Also, we will -not- help poor Indonesians bypassing government's p0rn websites filters. Sorry taufiks1428@gmail.com.
Lames:

* cucamonga (xt@docking.gaykansascity.com) has joined #phrack
why hasnt phrack65 been leaked yet
probably coz i don't have it
probably cause nobody wants to read it

Phrack has not been leaked this time...sorry for that... probably because shiftee needs to sharpen his hacking skills instead of posing on IRC. He could also read Phrack, we will not deny his IP address. Any questions, send us an email.

Flames: vegas (insecure wannabe), HDM (pwnie coward)

Enjoy the magazine!

[-]=====================================================================[-]

Nothing may be reproduced in whole or in part without the prior written permission from the editors. Phrack Magazine is made available to the public, as often as possible, free of charge.

|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|

Editors           : circle[at]phrack{dot}org
Submissions       : circle[at]phrack{dot}org
Commentary        : loopback[@]phrack{dot}org
Phrack World News : pwn[at]phrack{dot}org

|=-----------------------------------------------------------------------=|

Submissions may be encrypted with the following PGP key:
(Hint: Always use the PGP key from the latest issue)

phrack:~# head -22 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of
 *  the editors and contributors, truthful and accurate.  When possible,
 *  all facts are checked, all code is compiled.  However, we are not
 *  omniscient (hell, we don't even get paid).  It is entirely possible
 *  something contained within this publication is incorrect in some way.
 *  If this is the case, please drop us some email so that we can correct
 *  it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for
 *  the entirely stupid (or illegal) things people may do with the
 *  information contained herein.  Phrack is a compendium of knowledge,
 *  wisdom, wit, and sass.  We neither advocate, condone nor participate
 *  in any sort of illicit behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in
 *  the articles of Phrack Magazine are intellectual property of their
 *  authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */

-EOF-

                              ==Phrack Inc.==

               Volume 0xc, Issue 0x41, Phile #0x02 of 0x0f

|=------------------------=[ PHRACK PROPHILE ON ]=----------------------=|
|=----------------------------------------------------------------------=|
|=------------------------=[ The UNIX Terrorist ]=----------------------=|
|=----------------------------------------------------------------------=|

In this issue of Phrack, we have renewed with publishing the prophile of an influential underground character. The UNIX terrorist was already prophiled two years ago but for some editorial reasons at the time, we were not able to get his prophile published. Now that the Phrack editorial staff has less open conflicts with some part of the scene represented by the_uT, we want to make sure everyone remembers his engagement.

A lot of people believed he was an extremist blackhat hacker proning non-disclosure during his time of activity. That was true.
But he was not just this. I have known the UNIX Terrorist in real life seven years ago. At this time, during his youth, the_uT was a softer hacker. Don't get me wrong, the_uT (or whatever he was calling himself before) always had this characteristic personality that made him an exceptionally creative dude. Later on, after he started body-building (rumors mention that he followed the advice of his idol Mike Shifman), he got that impressive shape that certainly represented better his mind shift towards a more aggressive prophile. The UNIX terrorist is the result of this evolution from a young skilled hacker to a disabused philosopher of the underground.

This prophile was realized by The Paper Street Hacker in November 2007 for publication in Phrack Magazine #65 by TCLH. Remember the opinion reflected in this interview only engages the UNIX Terrorist and does not represent the opinion of the Phrack editors.

So here it is.

|=---=[ Specifications

Handle: the_uT
AKA: daemon10, yu0, jungjeezy
Handle origin: Africa
Age of your body: 24
Produced in: The Heart of Darkness, USA
Living in: The Paper Street Soap Company, USA
Height & Weight: Excessive" / 250lbs
Urlz: http://web.textfiles.com/ezines/EL8/
Computers: Anything with a network connection and a working ssh client will do... I'd rather spend my money on clothes & entertainment... less tech garbage also means my bedroom doesn't scare the bitches away
Creator of: PROJEKT MAYHEM / Phrack High Council / anti.security.is
Admin of: Most of South Korea/China ...
Member of: NAMBLA (proud sponsors of TOR!) / ANONYMOUS
Projects: M4YH3M
Codez: stealthrm, the first blackhat RM(1) utility, designed to rm desktop computers silently. Distributed as a Linux LKM, VFS functions are hijacked so that file indexing and rm'ing can be smuggled and interleaved discretely amongst existing file operations. Additionally, keyboard I/O is monitored to determine the sysadmin's presence.
Sporadic file wiping occurs either during heavy PLANNED system hard drive use, or occurs slowly and steadily, with timed delays, while the console user is absent. The primary purpose is to avoid the alarming and sickeningly unexpected HDD "crunching" sound that alerts many would-be "rm -rf /" victims to their impending doom. File removal is scheduled according to a proprietary prioritization algorithm whose factors include criteria such as inode atimes and VFS type. Files are secure DOD-wiped in place, but not unlinked, preserving disk statistics.
Active since: 1998
Inactive since: I don't sleep... I metastasize

|=---=[ Favorites

Actors: Assorted government officials, "security experts," and "spiritual leaders" ... Scientologists
Films: Apocalypse Now Redux, Happiness, Gummo, Pi, The Big Lebowski, Bad Boy Bubby, Irreversible
Authors: Bret Easton Ellis, Louis-Ferdinand Celine, Hunter S Thompson, William S Burroughs, Will Self, Irvine Welsh, H.L. Mencken, Mark Twain
Articles: "The New Hacking Manifesto" - warez mullah, PHC Phrack #62
          "lyfestylez of the owned and lamest" - r0b1nleech, ~el8 3
Admins: hendy of team-teso, The Digital Ebola[LoU], pm/sneakerz.org
Books: The Rise and Fall of the Third Reich, The Rape of Nanking, The Protocols of the Elders of Zion
Novel: Fight Club, 120 Days of Sodom, American Psycho, Journey to the End of the Night, The Picture of Dorian Gray, The Jungle, Fear and Loathing in Las Vegas, Catch 22, A Confederacy of Dunces, The Story of /b/
Meeting: ADMCon / France (2001)
Project: The Manhattan Project, The Final Solution
Sex: "You're dead if you're homely - my shit's for adults, over eight years old only"
Drugs: Beta blockers and dissociatives... just about any substance featured on Erowid or T-Nation... especially modafinil, ayahuasca, ketamine, dinitrophenol, epic stanozololz (Winstrofl), nandrolone, Epi-Pens
Music: Revolutionary/violent/misogynist/apocalyptic hip-hop
       Ex: Jedi Mind Tricks, Necro, Circle of Tyrants, Non Phixion, Leak Bros, Immortal Technique, Q-Unique, Cage, Celph Titled
       Plastikman
Alcohol: Like my women - 15-18 years old, single (malt) and on the fucking rocks
Cars: blue dodge viper (vroom vroom!)
Foods: Whey protein hydrolysate, Vitargo CGL, BCAA's, l-glutamine, Carlson's Fish Oil Liquid Omega-3
I like: Andrei Chikatilo, 2girls1[cup/finger], Puma Swede, thinspiration, violent sporting (WEC,UFC,Pride), solving intractable problems with violence, achieving EPIC LULZ of unprecedented magnitude
I dislike: Fat goths, CISSPs, fat people (in general), women with a BMI over 18, women whose thighs touch when they stand, miniature dogs, people who tailgate or drink beer out of red plastic cups, Basshunter

|=---=[ Your current life in a paragraph

I'll give you a hint... it doesn't involve getting paid to do computer security research. The only reason I would even consider using a computer anymore would be to meet women of loose moral standards on myspace, or to engage in the wholesale piracy of music and video content, preferably violent pornography. Or maybe to get directions to a strip club on mapquest... or order various scheduled substances from corrupt Eastern European pharmaceutical manufacturing facilities...

In fact, if you're reading my prophile because you just happened still to be reading Phrack in 2008 and stumbled upon it, then I pity you... you fucking closet homosexual.

|=---=[ First contact with computers

Studying the mysteries of gorillas.bas and nibbles.bas, oldstyle!

|=---=[ Youth

I was 300 lbs, bespectacled, and acne-stricken. I used to read copies of Dr. Dobb's Journal in P.E. Everybody hated me.
Then I underwent an emergency negroplasty and decided to enact my revenge upon the world by inflicting massive verbal trauma through a medium where personal interaction is impossible and everybody feels tougher than they really are. So I installed BitchX and went on EFNET, and the rest, my friend, is history.

|=---=[ Passions : What makes you tick

I'm distinguished by an acutely defined and unparalleled sense of schadenfreude. Technology is pretty fun too (or at least it was for a while), but what really drove me harder and further was the exciting possibility of using computers to turn the life of a particular fellow human being into a living hell. So no, I wasn't that kid that used to hang out at Radio Shack pulling apart electronic equipment and reassembling it to "see how it works." Shit like that doesn't make you a "hacker" - it makes you a wannabe EE undergrad.

Driving people over the precipices of despair and frustration is a great way to pass one's time, but definitely falls short of the pleasure of discrediting or humiliating or otherwise defaming and slandering the ill-earned reputations of the various charlatans and hypocrites in the scene. Publishing the mail spoolz of the wicked, archiving the hard drives of the lame, and rm'ing the weak are all activities I find inspirational.

Particularly, I choose to self-medicate my anomie by proving myself smarter and stronger than others. This is the sort of thing with which we'll have to make do until we can one day stalk elk around the ruins of the Rockefeller Center or strip venison in the empty carpool lanes of some abandoned superhighway.

For further information about what makes me "tick," please consult Dr. Neal Krawetz's remarkable and highly academic psychological exegesis, fully annotated to official APA formatting standards.

|=---=[ Entrance in the underground

It all began on EFNET, some time around 1998 (long before they had CHANFIX like dalnet!) in lame and lamer channels like #b4b0 and #feed-the-goats.

Historical note: Several incredibly diabolical and motivated individuals from b4b0 would come to rule the virtual entirety of the Interweb with an iron fist for the following decade.

Yeah, I started hacking shit virtually exclusively on TCP/IP networks, and started writing exploits long after techniques like heap overflows and return-into-libc were published, so fuck you if you have a problem with the fact that I never scanned shit with toneloc or bruteforced SPRINTNET logins.

|=---=[ Which research have you done or which one gave you the most fun?

Writing any one of several reliable exploits for intelligently brute-forcing complex remote vulnerabilities, which all made me feel like a hacker from THE MATRIX. Especially writing a universal blind exploit for the Wu-FTPD globbing vuln for versions 2.5.x-2.6.1 (cmdtab power!), and porting the remote client for CORE-SDI's ingenious crc32 deattack backdoor to more exotic operating systems such as Solaris and IRIX (possibly the world's slowest exploit). Also, writing an LKM for dynamically loadable stack/heap execution protection on Linux.

|=---=[ How started low-level ?

Like most other "underground" groups out there, this one started from the flawed notion that it would somehow be cool to get a group of people together with a webpage and domain name and IRC channel and write a bunch of POC code and publish it to the public and post on sec lists for attention. It was a stupid idea.

|=---=[ Personal general opinion about the underground

Well, the underground is pretty much dead, but I guess you mostly have the security researchers out there to thank for that one. However, as a delicious proof of the old adage "be careful what you wish for," security professionals have made their own demand scarce.
With vulnerabilities so much harder to find, it means that random idiots out there aren't likely to find anything remotely useful by grep'ing for overflows in unsafe C functions. The first sign that things were about to dry out occurred during the format bug craze in 2000, which resulted in the systematic scanning of all varargs style functions that were incorrectly used - the first time an entire class of vulnerabilities has been nearly perfectly eradicated in a body of open source code. Slowly over time, the same thing has happened to most other memory and integer overflows, and casting bugs.

What happens as a result? 0day becomes a highly valued commodity. The chance of leakage decreases dramatically because:

1. 0day is much more valuable

2. Few people can find useful vulns, which decreases the amount of sharing. Additionally, smarter people usually find an intrinsically higher value in their own work than people that can't understand the exploits they're using.

3. "When guns are outlawed only outlaws will have guns" - Praise be to Allah and the fact that the divine mathematics of exploit creation are now made sacred by entities like WIPO and the DMCA. For nearly a decade, security companies relied on FUD and fearmongering, heralding the imminent spread of global cyber-warfare and e-terror. A particularly salient example of this idiocy would be the infamous Aris Threatcon, second in its contemptibility only to the Homeland Security Advisory meter. These scare tactics worked for a while, as sec. companies boosted sales of products such as firewalls, packet filters, network scanners, and other useless trash by relentlessly trumpeting the seriousness of various "hacker" threats and by strategically scaring the public with their own original (mostly stolen) advisories. Ironically, they ended up scaring legislators more than the commercial sector, and now people like Dmitry Sklyarov are arrested for publishing their "astonishing!" findings.
Note to security companies: you're attempting to be both the cause and the cure and we've got use for neither.

4. 0day auctions: Blackhats finally realize that it's a lot more lucrative to sell exploit information to shadowy interest groups. Such sales have the added benefit of preventing information dissemination, because it works against the interests of all parties involved. iDEFENSE, the first and largest name in hacking middlemanry, was forced to purchase exploits from the underground when they realized they lacked the technical skills in their meager R&D labs to find any exploits on their own. But who in their right mind would consider auctioning off vulns at Argentinian prices to a whitehat sweatshop that will just pawn their findings off as their own, and then publish them to Bugtraq - when they can make the same sale to somebody in the underground for 5-10x the cost and rest assured that the vuln will stay alive?

Nowadays, it is claimed that the Chinese and even WOMEN are hacking things. Man, am I ever glad I got a chance to experience "the scene" before it degenerated completely.

And remember, kids, knowing how to program or wanting really badly to figure out how things work inside doesn't make you a hacker! Hacking boxes makes you a "hacker" ! That's right! Write your local representatives at Wikipedia/urbandictionary/OED and let them know that hackers are people that gain unauthorized access/privileges to computerized systems! Linus Torvalds isn't a hacker! Richard Stallman isn't a hacker! Niels Provos isn't a hacker! Fat/ugly, maybe! Hackers, no! And what is up with the use of the term "cracker"? As far as I'm concerned, that term applies to people that bypass copyright protection mechanisms. Vladimir Levin? HACKER. phiber optik? HACKER. Kevin Mitnick? OK, maybe a gay/bad one, but still WAS a "hacker." Hope that's clear.

|=---=[ Memorable Experiences

First box I ever owned (dropstat'd son)
Watching widespread panic and hysteria grip IRC and various security mailing lists after the publication of ~el8, esp. #2 and #3.
The PHC Music & Film Festival, notably Joost Pol rms freebsd.cn
The multi-homed attack/rm'ing of efnet irc operator "seiki," which resulted in PHC primacy and alpha male hegemony over #phrack
Preparing the memorable vitriolic speech "Wolves Among Us" from scratch, in less than 30 minutes... then attempting to deliver it without inducing fatal hilarity
Becoming the Freddy Krueger of the Internet/IRC
Celebrating Kwanzaa online in #darknet with assorted South African infosec luminaries
Civil rights champions worldwide cheer when a Polish transsexual becomes the most recognizable expert on the vanguard of kernel rootkit (un)detection research
Having my first proposed Phrack prophile rejected by humorless German staff
The successful social engineering of hacker "dvdman" - which resulted in the retrieval of an explicit masturbatory video of aforementioned individual
iDEFENSE contributors and their laughably low sell-out prices are revealed in "fake" Phrack
Vomiting in my mouth (just a little bit) the first time I walked into the Alexis Park Hotel
The communal rm'ing of w00w0's jobe, which became the only known time in history where the same individual was rm'ed concurrently by multiple intruders, who, up until the time of the attack, had no knowledge of each other's presences
Logging into my computer, relying only on muscle memory to type, after forgetting the alphabet and being too fucked up to read the letters on my keyboard
The look of surprise on the Cheshire Catalyst's face after his password was shouted at him repeatedly, at approximately 80 decibels, while he was entertaining fans
stringz attempts to replicate ~el8, fails, and is shamed offline forever
securityfocus.com adds thumbnail pictures to its original columns - I finally find out what infosec rockstars such as Don Parker, Scott Granneman, and Dr. Neal Krawetz really look like!
Slackware founder Patrick Volkerding sends an open SOS to the world after forgetting to brush his teeth nearly results in fatal halitosis.
Watching the IRC suicide/accidental deaths of rippah/electrosk0t unfold
Marty Roesch reaches midlife crisis; denies own obesity and the owning of snort.org

|=---=[ Memorable people you have met

The Blue Boar, at the very first Phrack High Council Ethics Roundtable
The Rain Forest Puppy (sounds like an adorable stuffed animal from Mattel(C) but dresses in shiny reflective raver clothing)
Captain Crunch (No thanks du0d I don't want you to open up my chakras with a special "energy massage")
Ofir Arkin, world's leading ICMP fingerprinting technologist
Honey Dew Moore, child hacker prodigy and world's leading exploit cataloguer
Shok, world's foremost Mormon hacker
Surprisingly, some actual hackers (various members of MoD), while attending HOPE, the worst con I've ever been to
The Death Vegetable, largest carbon footprint of any netizen
Packet Fairy

|=---=[ Memorable places you have been

spaf's mail spool (although I'd give it back in a heartbeat for a chance to take a joyride in his electric wheelchair instead)
cvs.openbsd.org
s1's famous "Studio 31337" HACKING FORT
Rloxley's child porn archive

|=---=[ How started PR0J3KT M4YH3M ?

The idea obviously isn't something entirely new or original. The earliest known historical precursor to Project Mayhem was Erostratus, who set fire to the Temple of Artemis at Ephesus, one of the Seven Wonders of the Ancient World. Though his motives were questionable (he achieved the act merely because he had no other way of immortalizing his name), the base concept was there: destroying something beautiful just for the hell of it. Note: destruction and vandalism out of ignorance and fear are decidedly less noble in nature.

Obviously, there was some inspiration from the novel, Fight Club.
As far as scene-related influences, there were some early precursors... the venerable e-zine "CITADEL" and some of the better work of BOW (Brotherhood of Warez). ~el8 was probably the single biggest source of creative energy fueling PR0J3KT M4YH3M, and is still remembered to this day as the greatest, most revolutionary blackhat publication of all time.

But what really kick-started PR0J3KT M4YH3M was the apparent lack of success of anti.security.is, a formal anti-disclosure movement constructed from a lucid and cogent document illustrating why it would be better for all parties in the infosec community to stop publishing exploit code. But as the US government is fond of saying of the Taliban, it soon occurred to many of us that these whitehats, like their white-turbaned friends in Afghanistan, "respond only to violence." Enter PR0J3KT M4YH3M, a spawn off PHC's Fight Club division.

All in all, PR0J3KT M4YH3M had an impressive run, resulting in the ownage of high profile whitehats including Theo de Raadt, Kevin Mitnick, and Marty Roesch. IRC servers were conquered and their operators were vanquished. Prominent "hacker" magazines were stolen and leaked prematurely. Hard drives were dd'ed, tar'ed, gzipped, gpg'ed, and shipped off to snu.ac.kr. Codes of whitehats were backdoored and published unexpectedly. Violent/offensive/sacrilegious blackhat ASCII art was created. Heap exploitation tutorials were rebranded. Hitlists of the whitehat community were compiled. Info-security professionals were fired. Whitehat books & movies were leaked. g4yh1tl3r lived, died, and was born again. And we all had a lot of fun.

|=---=[ Things you are proud of

Closing Captains of Crush #2 (multiple times, with finesse)
Coining several catch phrases which framed the zeitgeist of the blackhat movement of the early 21st century, including "w00w00 is p00p00"
Becoming the first "hacker (over 5 ft. tall) on steroids"
Transcending the blood-brain barrier
Reading the last 5 issues of Phrack without learning anything new
Stealthily avoiding all hidden toilet/shower cams at HAL 2001
Becoming the first hacker to write exploit headers in ebonics
Proud author of an exploit that appears bundled with O'Reilly's "Network Security Assessment" book, after infosec genius Chris McNab deletes comments/headers and submits it for inclusion
Becoming the first person to rm a box from a cellular device (while at a nightclub ala "Swordfish")
Coming from a family free of mental retardation/physical birth defects
Demonstrating to the world repeatedly how stupid it is to be a whitehat
Triumphing over hackers such as mosthated, missnglnk, gov-boi, ben-z, ytcracker, kf, and joewee to earn the title of "blackest man on efnet"
Learning how to krump proficiently after watching only 15 minutes of Rize
Serving for several years as the High Chancellor of *.ac.kr and *.ac.jp
Ordering the world's only team ~el8 tank top from cafepress.com
World's fastest typer on sub-anaesthetic doses of special k
Successfully masking my bipolar disorder in order to become a fully integrated and respected member of 'society'
Rotating planes of polarized light counterclockwise around various enantiomers

|=---=[ Things you are not proud of

Ever having released code to the public
Ever having posted to a security mailing list in which the intention of my correspondence was less than utter sarcasm, mockery, or malice
Failed attempt at rm'ing def-con.org while at Defcon, due to network problems
How underappreciated this prophile will inevitably be
Not also ordering the "Countdown to rm" ~el8 wall clock from cafepress.com
Unknowingly losing an underground ytalk speed typing competition to a rogue TIOCSTI program

|=---=[ Opinion about security conferences

There are any number of flawed reasons why people attend/speak at security conferences.
If you're looking for recognition or publicity, you're probably better off committing suicide on Youtube (see "Budd Dwyer" Wikipedia for ideas). If you're looking for repulsive female companionship or fellow loser friends to socialize with "IRL," you'll probably save some time and airfare by checking your local Craigslist first. Otherwise, the proof is in the pudding. 10 years ago it would been inconceivable that there would one day be "security conferences" in retard 3rd world shitpile countries like Mexico, Malaysia, and Pakistan. Countries whose only contributions to the progression of the digital age have been the vigorous repeated typing of "jajaja" and "kekeke" and "gf0rce pakistan!!!" in various IRC channels and online message boards. Apparently, high tech vocations have taken over! My suggestion is to stock up on sombreros, Nikes, and taxi cab medallions now before they become relics of the past. |=---=[ Opinion on Phrack Magazine 1985' ? 1995' ? 2005' ? '2007 ? I've always thought this magazine sucked, but in regards to the specifics of the question at hand, it's probably gotten steadily worse over time. OK OK... I'm sure the editorial staff would like me to say something positive here so here's my best attempt: "PHRACK MAGAZINE - Hey, at least it's not 2600!" This will probably be the worst issue yet, but that's fine - I'm just using this prophile as a mouthpiece for my dogma of physical anabolism and moral decay. |=---=[ What you would like to see published in Phrack ? An article on phones! (Not VOIP!) Definitely more mail spools... a renewed focus on homemade improvised explosive devices... 
maybe even some tutorials on drug trafficking for newbies |=---=[ Shoutouts to specific (group of) peoples Doing (R.I.P.), tr4shc4n m4n, krad, odaymaztr, Funny Bunny, module of rhino9, g4yh1tl3r, drater, the crazy Turk, Rocky the virgin hacker Jesus, zilvio, all my Icelandic friends, sk8, j & r, Hans Reiser (everybody on IRC talks about murder, but nobody actually goes through with it), everybody on asylum & its admin, my old friends from #!!ADM and #!hax, the zoroastrian insomniac prophet & his partner in crime |=---=[ Flames to specific (group of) peoples pm/gaius (hey did you know there's a facebook group for HERT now?!?), hd moore & his ersatzsploit project (we commend you on your entrepreneurial vision of turning your look-mom-i-just-got-owned tcpdump logs into exploits with your own name on them), Richard "Dick Theft" Johnson (1500+ on his SAT; abject failure at real life), The Condor, THE WAREZ D00D (your next ten bag of heroin will be cut with ricin), jobe, Philip Emeagwali (father of the supercomputer/Internet), slashdot, Valdis Kletnieks (if I can't pronounce your name, it's time to kill yourself or go back to dragging a plow in Latvia), "Dr." Neal Krawetz, Stefan Esser (currently being hunted down by European PROJECT MAYHEM operatives with instructions to sever the right hand in accordance with holy e-jihad Shariah), Eric S. Raymond (still piecing back together his ~ from backups after the brutal desecration of his OSI bazaar via CVS 0day), Electronic Souls, hack.co.za, xfocus, nsfocus, Souljah Boy, "Tiger Team", GNU, Jose Nazario, Luigi Auriemma, tsao[IC], divineint (I'm sure the Singaporian government would have had you caned by now for trading IRIX/VMS/DGUX/AIX/HPUX/ Windows src code if you weren't already in their employment), Raven (congratulations on having a vagina... 
it's not even a good one, but it's still better than your brain so you should probably try hooking instead of thinking for a living), Don "Beetle" Bailey, Ron Dufresne, Gadi Evron, lcamtuf, Ulf Härnhammar, jeff moss, pete shipley & other vampire hackers, jericho, marcus ranum, chesswick & bellovin, lamo, markoff/shimomura/mitnick, theo, knuth, dijkstra & other CS theory fags, HACKER CRACKER |=---=[ Quotes "WTF SAID I WAS A TRADER?" - The Warez Dude "eye dont wipe logz" - Kareless KaRL "I'm proud to say I have committed every sin in the Decalogue." - Sir Richard Burton "irc warfare isnt very fun when u can just vanquish your f0ez... i feel like i go thru life with IDDQD on...walking thru firewalls like IDSPISPOPD" - the_uT "I hate to think that all the whitehats in the world are concerned that phc members are busy hacking their home machines when people are really playing ninja gaiden and hocking off their computers to buy $1000 dogs." - gayh1tler "While you were sleeping we helped ourselves" - Canaan Banana "I'm on the Zoloft to keep from killing y'all" - Mike Tyson "I've got 5 words for you: drugs smuggled in presidential baggage" - lu1g1 "I guess I'm gonna fade into Bolivian" - Mike Tyson "I just want to conquer people and their souls" - Mike Tyson "My power is so discombobulatingly devastating I could feel his muscle tissues collapse under my force. It's ludicrous these mortals even attempt to enter my realm." - Mike Tyson "step in2 my e-z bake oven!" - gayh1tler "I think my mask of sanity is about to slip." - Patrick Bateman "its not nice to treat other people's boxes like toys-r-us" - unknown "With a gun barrel between your teeth, you speak only in vowels." - Fight Club "Fuck damnation, man! Fuck redemption! We are God's unwanted children? So be it!" - Tyler Durden "Eat your lima beans!" 
- Pavel "Papa" Sandrak "A race condition is how fast you can hit the reset button when you start hearing your hdd whine" - unknown "We will achieve samadhi while meditating over s1's studio 31337 MOTD" - the_uT "Like our great leader, this kernel module selects a child and touches him in a very special way." - warez mullah, THE EMMANUEL GOLDSTEIN LKM "Cuz if you can take a fucking dick, you can take a joke" - Immortal Technique "The greatest trick the devil ever pulled was convincing the world he doesn't exist" - The Usual Suspects / Baudelaire "So I'm rapelling down Mt. Vesuvius, and my rope breaks and I begin to fall and im falling, falling. Ahhhh, I'll never forget the terror! Then I thought to myself, hey Hansel. Haven't you been smoking peyote for 6 straight days and couldn't some of this maybe in your head? " - Zoolander "Shit! If I'd known it was going to be this kind of party I'd have stuck my dick in the mashed potatoes!" "ARE YOU FUCKING RETARDED? STOP CRYING AND FUCK YOUR OWN ASS WITH IT" - facialabuse.com "So don't ever talk shit. And remember something nigga, while you rave and rant - a roach can live for nine days without its head, but you can't" - Immortal Technique "d00d thats not a LADY OF THE PEN, thats ___ from CUMFIESTA!" - unknown "Can somebody please tell me what the fuck A RED MAP is???" "i did it 4 the lulz" - ANONYMOUS "we dish out rm's like petri" - the_uT "There he goes. One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die." - HST UNF UNF "Behold I am become death, the destroyer of worlds" - Robert Oppenheimer "It is better to find 10 dead babies in 1 trash can than to find 1 dead baby in 10 trash cans." - Unknown "NIGGA, THE RM IS THE NEW EUGENICS... EUGENIX" - unknown hacker "WTF SAID I WAS A TRADER?" - The Warez Dude "For personal reasons, I do not browse the web from my computer. (I also have not net connection much of the time.) 
To look at page I send mail to a demon which runs wget and mails the page back to me. It is very efficient use of my time, but it is slow in real time." - Richard Stallman "and it shows that you are a complete dork. you are disconnected from reality. how can we take you for serious?" - mbalmer@openbsd.org in response to Stallman, officially winning at irony... FOREVERER "2 FAST 2 FURIOUS 4 U" - the_uT, upon winning an underground irc speed typing competition |=---=[ Anything more you want to say Looking back on my involvement in computers, I am very happy that the peak of my activity occurred right during the turn of the 20th century. Hacking was no longer as simple as manual labor (wardialing etc.) but finding vulnerabilities and writing exploits and tools was not exactly as tedious and prohibitively time-consuming as it is currently. To say that I would rather commit seppuku than adapt to the challenges of a changing world by auditing code for SQL injection vulnerabilities and client-side browser exploits is not an exaggeration. On the upside of things, hardcore pornography is now far better and more widely and freely available than ever, and productive programming like UFC can be seen on channels like Spike TV for free. Every day, more and more youngsters are born who are many times more likely to contribute articles to socially useful publications such as Encyclopedia Dramatica instead of 2600. Spreading terror and wreaking havoc for "epic lulz" have been established as viable alternatives to contributing to open source software projects. If you're a kid reading this zine for the first time because you're interested in becoming a hacker, fucking forget it. You're better off starting a collection of poached adult website passwords, or hanging out on 4chan. At least trash like this has some modicum of entertainment value, whereas the hacking/security scene had become some kind of fetid sinkhole for all the worst kinds of recycled academic masturbation imaginable. 
In summary, the end is fucking nigh, and don't tell me I didn't warn you... even though there's nothing you can do about it. Good night and good luck, - the UNIX TERRORIST

|=[ EOF ]=|

==Phrack Inc.==

Volume 0x0c, Issue 0x41, Phile #0x03 of 0x0f

|=--------------------------------------------------------------------=|
|=-----------------------=[ Phrack World News]=-----------------------=|
|=----------------------------=[ by TCLH ]=---------------------------=|
|=--------------------------------------------------------------------=|

The Circle of Lost Hackers is looking for any kind of news related to security, hacking, conference report, philosophy, psychology, surrealism, new technologies, space war, spying systems, information warfare, secret societies, ... anything interesting! It could be a simple news item with just a URL, a short text or a long text. Feel free to send us your news.

We haven't received any news from the Underground since our last Phrack issue, which means that once again all the news reports come from friends of ours. It would be good if people who call themselves "underground" would send us their news... Is our underground dead?

1. Speedy Gonzales news
2. How is CSPP controlling US education network?
3. Retrospective of underground scene
4. Killer robots
5. Meaningful IP addresses

--------------------------------------------

--[ 1. Speedy Gonzales news ]--

*-[ The underground complot: when quebec scene takes too much LSD ]-
http://www.mindkind.org/mindkind1011.zip

*-[ "king of the carders" but busted ]-
http://www.theregister.co.uk/2007/09/18/max_butler_affidavit/

*-[ "secure area" and "Microsoft" don't belong in the same sentence ]-
http://www.stuff.co.nz/4269090a28.html

*-[ Being an ethical hacker is definitely not a good idea ]-
http://www.smh.com.au/news/security/police-swoop-on-hacker-of-the-year/2007/11/15/1194766821481.html?page=2

*-[ When NSA teaches you how to hack ]-
https://www.hackerdegree.com
Do they read phrack? :)

*-[ When Phrack is a sponsor without its permission ]-
http://conference.hackinthebox.org/hitbsecconf2007kl/?page_id=65

*-[ Terrorism excuse is good for spying business ]-
http://www.corpwatch.org/article.php?id=14821
SAIC...

*-[ Entersect sounds like an interesting target...]-
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/01/AR2008040103049_pf.html

*-[ Want to work for MI6? ]-
http://news.bbc.co.uk/player/nol/newsid_6150000/newsid_6153000/6153092.stm?bw=bb&mp=rm&nol_storyid=6153092&news=1

*-[ Flight "not" Simulator ]-
http://www.theregister.co.uk/2008/01/07/boeing_dreamliner_hacker_concerns/

*-[ This design looks familiar...]-
http://hex90.org/

*-[ After hacking your brain: hacking your heart!]-
http://packetstormsecurity.org/papers/attack/icd-study.pdf

--[ 2. How is CSPP controlling US education network ]--

by dahut

http://www.mccullagh.org/db9/d30-32/kay-rosen-holleyman-1.jpg

The above picture shows Ken Kay, executive director of the Computer Systems Policy Project on the left and Robert Holleyman, president and CEO of the Business Software Alliance on the right.

CSPP (www.cspp.org) was created in 1989, and later renamed the Technology CEO Council. Its bigger members are Applied Materials, Dell, EMC, HP, IBM, Intel, Motorola, NCR and Unisys.
All these companies together are generating 300 billion dollars of annual revenues. The company was made on request of the US President, to promote U.S. competitiveness through technology leadership. You can think technology is for information technology. You are wrong. It's for Intelligence technology. The project is two steps. First is to invent a spy chip and put it in every computer manufactured in US. So did Fairchild (http://en.wikipedia.org/wiki/Fairchild_Semiconductor) by producing the Clipper chip (http://en.wikipedia.org/wiki/Clipper_architecture). The Clipper was designed with internal circuitry to encrypt information and deliver backdoor capabilities, a little bit as the previous PROMIS software was doing with Mainframe. The Clipper was designed for RISC workstation. After a bankruptcy of Fairchild, and seeing that Hitachi was interested to acquire the company, the US government requested Intergraph to continue the project. So they did by starting the production of a new UNIX workstation line, named Interpro32 and running AT&T Unix operating system. So, the operating system was containing code to activate the secret part of the CPU, and access to users' data. The following declassified document explains to the US administration how dangerous it could be to continue to use the Clipper chip in conjunction with AT&T: http://www.softwar.net/bush.html. CIA and NSA are involved in this document. Now that the main US chipset and computer manufacturers are in the secrets of the CIA intelligence, let's go for step two. In 1996, the US president Clinton did ask to create the CEO Forum, managed by Ken Kay, to establish the best rules for the future classrooms, assuming they will be well connected to the Internet, with the best possible hardware. Members were Apple, Dell, IBM, Compaq, HP, Sun... 
Next, in 2002, the US government again asked Ken Kay to create the Partnership for 21st Century Skills, to be at the center of US K-12 education by building collaborative partnerships among education, business, community and government leaders (www.21stcenturyskills.org). It was a follow-up to the CEO Forum. Members are:

* Adobe, AOL, Apple, AT&T, Cisco, Dell, Intel, Microsoft, SAP, Oracle...
* National Education Association, Ford Motor Company (?) and the US Department of Education

Ken Kay is in charge of driving all these companies to install computer, software and network systems in all schools of the USA, as well as dictating the content of the courses! Thinking back to the picture at the top of this article, you can make the connection between all software companies, the BSA company and Ken Kay. Thanks to the clipper chip success, they all know how to watch you!

The cherry on the cake will be to tell you that Ken Kay is managing WWASP, the world's largest network of special establishments for "Teens In Crisis".

www.wwasp.com
http://en.wikipedia.org/wiki/World_Wide_Association_of_Specialty_Programs_and_Schools

Many parents are complaining about the treatment methods employed by WWASPS institutions. These methods are said to be controversial, as there have been allegations of severe (sexual) abuse and torture by staff. In 2004, during a testimony, Ken Kay stated that in his opinion, sexual activity between staff members and students is "not necessarily abuse". How do you explain that Ken Kay is controlling the whole US computer industry, as well as the US education, and able to manage a galaxy of establishments doing sexual abuses in its total acceptation? (See also http://antiwwasp.com/)

--[ 3. Retrospective of The Underground scene ]--

by Duvel

Almost one year after the release of "A brief History of the Underground Scene", it's now time to give some feedback.
First of all, The Phrack Staff and I would like to thank you all for your positive and negative comments about this article. The goal of this article was not to explain what the scene once was or what it should be, but more to provoke debate. And on this point the article was a success. Now it's time to act. About the negative comments that I had, I won't reply to each one. As you have probably seen, I didn't reply to any negative or positive comments (except one at the beginning...my bad); I prefer to let people talk. But I was quite amused to see negative comments which for the majority were on some insignificant points (speech recognition is not datamining, this guy doesn't know subnets, underground pyramid is for Hollywood magazine or hacking tricks are too lame). It would be stupid to reply to them. So I won't. One of the things that I am the most happy about is that a lot of the younger generation of hackers have found this article interesting and found their way through it. As you have probably seen, there is another article about the Underground scene in this issue. Anonymous' opinion is opposite to mine, but if you read between the lines, we both go in the same direction. Of course it's important to understand the history of hacking (what I tried to explain in my article) or how the underground died (what Anonymous tries to explain in his article), but it's more important to keep hackers alive. Even if the Underground won't ever be the same, the passion is still there. It's this passion for hacking that should stay alive. I really hope that all the people who gave constructive comments can participate in the new Underground. A lot of people talk but don't do anything. I've seen lots of interesting comments from people who want to do something, but at this stage we haven't seen anything from them. Are these people too busy? Are these people just dreamers? Are these people lacking required knowledge? Are these people....? I don't know. 
But this message is for these people: please stop talking but try to bring something to new generation of hackers. They need you. --[ 4. Killer robots ]-- My roomba can get lost under the dining room table, bumping off the chair legs, over and over. There are many routes of escape, but it rarely finds one. Only a true genius could turn this remarkable example of AI into a killing machine. http://blog.wired.com/defense/2007/10/roomba-maker-un.html -------------------------------------------------------------------- The makers of the cuter-than-cute robotic vacuum cleaner are rolling out a new machine: A big, fast-moving, semi-autonomous 'bot capable of killing a whole bunch of people at once. Unlike other armed robots -- which are entirely remote-controlled -- the Warriors are "being engineered with advanced software, giving them the ability to perform some battlefield functions autonomously." At the same time, a key dimension to the Warrior X700 is its ability to protect soldiers by firing weapons such as a machine gun or 40mm explosive round. -------------------------------------------------------------------- Bring in the big guns. http://blog.wired.com/defense/2007/10/robot-cannon-ki.html -------------------------------------------------------------------- We're not used to thinking of them this way. But many advanced military weapons are essentially robotic -- picking targets out automatically, slewing into position, and waiting only for a human to pull the trigger. Most of the time. Once in a while, though, these machines start firing mysteriously on their own. During the shooting trials at Armscor's Alkantpan shooting range, "I personally saw a gun go out of control several times," Young says. "They made a temporary rig consisting of two steel poles on each side of the weapon, with a rope in between to keep the weapon from swinging. The weapon eventually knocked the pol[e]s down." 
Mangope told The Star that it "is assumed that there was a mechanical problem, which led to the accident. The gun, which was fully loaded, did not fire as it normally should have," he said. "It appears as though the gun, which is computerised, jammed before there was some sort of explosion, and then it opened fire uncontrollably, killing and injuring the soldiers." But the brave, as yet unnamed officer was unable to stop the wildly swinging computerised Swiss/German Oerlikon 35mm MK5 anti-aircraft twin-barrelled gun. It sprayed hundreds of high-explosive 0.5kg 35mm cannon shells around the five-gun firing position. By the time the gun had emptied its twin 250-round auto-loader magazines, nine soldiers were dead and 11 injured. -------------------------------------------------------------------- Can I play too? http://blog.wired.com/defense/2007/12/new-killer-bot.html -------------------------------------------------------------------- The stars: "a 25-year-old self-taught engineer named Adam Gettings" and his "toy-like but gun-wielding robot designed to replace human soldiers on the battlefield." Gettings' company doesn't have much of an online signature -- not even a website. But he does have some interesting partners, including former Disney imagineer Terry Izumi (who cooked up this video for the 'bot) and shotgun maker Jerry Barber (who provided the firepower). Blackwater has also endorsed the product, allegedly. -------------------------------------------------------------------- Blackwater and Disney? Who could ask for better qualifications? Oh, and there's this cool marketing video. http://money.cnn.com/video/ft/#/video/fortune/2007/12/04/robotex.fortune Robot wars, anyone? http://blog.wired.com/defense/2007/05/top_war_tech_5_.html -------------------------------------------------------------------- "The Baghdad bomb squad used their iRobots to decorate their shop," Noah reported after an embed with an Army ordnance-disposal unit a couple years back. 
"Not far away, at the U.S. military's central robot depot for Iraq, the iRobots sat on shelves, serenely gathering dust, while Foster-Miller's Talon robots would come back, scarred and in pieces, after being chewed up by a bomb." The company noted that war zone "Robot Hospitals" are repairing more than 400 bomb-damaged robots a week to put them back into service. -------------------------------------------------------------------- My bot can kick your bot's ass. Great. But how do they stand up against humans? Not the kind of humans that throw rocks at tanks, but the thinking kind, like the ones that broke Israeli comms crypto during the recent war in Lebanon. Let's see what happens when it comes across a carpet stretched over a pit. Or somebody throws a blanket over it, or spray paints the camera lens, or fires IR lasers or very bright oLEDS at the camera. Once you have physical access to the thing, you own it. How hard would it be to re-chip the thing and send it back against its makers? Can we test our killer-robot counter measures? Maybe. The opportunity may soon be as close as your local pigsty. http://blog.wired.com/defense/2007/08/armed-robots-so.html -------------------------------------------------------------------- Armed robots -- similar to the ones now on patrol in Iraq -- are being marketed to domestic police forces, according to the machines' manufacturer and law enforcement officers. Foster-Miller, maker of the armed SWORDS robot for military use, is also actively promoting a similar model to domestic, civilian police forces. The Talon SWAT/MP is a "robot specifically equipped for scenarios frequently encountered by police SWAT [special weapon and tactics] units and MPs [military police]," a company fact sheet announces. It "can be configured with the following equipment: . Multi-shot TASER electronic control device with laser-dot aiming. . Loudspeaker and audio receiver for negotiations. . Night vision and thermal cameras. . 
Choice of weapons for lethal or less-than-lethal responses - 40 mm grenade launcher - 2 rounds - 12-gage shotgun - 5 rounds - FN303 less-lethal launcher - 15 rounds. In addition to the Massachusetts State Police, SWAT teams in Houston, San Francisco, and Lubbock, TX all have the robots, according to Foster-Miller spokesperson Cynthia Black. -------------------------------------------------------------------- Finally, a legitimate excuse for Swatting. http://en.wikipedia.org/wiki/Swatting -------------------------------------------------------------------- In the field of Information Security, Swatting is an attempt to trick an emergency service to dispatch an emergency response team. The name derives from attempts to trick an emergency services operator (a "911 operator") into dispatching a SWAT (Special Weapons and Training) team to a location under false pretense. -------------------------------------------------------------------- What next? http://blog.wired.com/defense/2007/11/black-knight.html -------------------------------------------------------------------- We now know that there are robotic cars smart enough to drive themselves around a city. The next step: give those vehicles automatic weapons, of course. Or the troops can stay just chill out, and let the thing drive itself. The Knight uses "advanced robotic technology for autonomous mobility," according to BAE. "This capability allows the Black Knight to plan routes, maneuver on the planned route, and avoid obstacles - all without operator intervention." -------------------------------------------------------------------- http://blog.wired.com/defense/2008/01/israel-thinking.html -------------------------------------------------------------------- So Israeli military leaders have begun early planning for a new, robotic defense system, armed with enough artificial intelligence that it "could take over completely" from flesh-and-blood operators. "It will be designed for... autonomous operations,' Brig. 
Gen. Daniel Milo, commander of Israel's air defense forces, tells Defense News' Barbara Opall-Rome. And in the event of a "doomsday" strike, Opall-Rome notes, the system could handle "attacks that exceed physiological limits of human command." How do you say "Skynet" in Hebrew, again? -------------------------------------------------------------------- http://www.reuters.com/article/oddlyEnoughNews/idUST27506220080408?feedType=RSS&feedName=oddlyEnoughNews&rpc=22&sp=true -------------------------------------------------------------------- Robots could fill the jobs of 3.5 million people in graying Japan by 2025, a thinktank says, helping to avert worker shortages as the country's population shrinks. Caregivers would save more than an hour a day if robots helped look after children, older people and did some housework, it added. Robotic duties could include reading books out loud or helping bathe the elderly. -------------------------------------------------------------------- Don't drop the soap. --[ 5. Meaningful IP addresses ]-- Here are some IP addresses that people send us...we haven't tried anything so don't blame us. If you have more ranges feel free to share. But before, the best IP list is probably the one on cryptome: http://cryptome.org/nsa-ip-update14.htm
134.136.0.0 Wright-Patterson Air Force Base 134.164.0.0 Army Engineer Waterways Experiment Station 134.165.0.0 Headquarters Air Force Space Command 134.194.0.0 U.S. Army Aberdeen Test Center 134.205.0.0 7th Communications Group 134.207.0.0 Naval Research Laboratory 134.229.0.0 Navy Regional Data Automation Center 134.230.0.0 Navy Regional Data Automation Center 134.232.0.0 - 134.232.255.255 U.S. Army, Europe 134.233.0.0 HQ 5th Signal Command 134.234.0.0 - 134.234.255.255 Southern European Task Force 134.235.0.0 HQ 5th Signal Command 134.240.0.0 U.S. Military Academy 136.149.0.0 Air Force Military Personnel Center RANGE 136 136.178.0.0 NASA Research Network 136.188.0.0 - 136.197.255.255 Defense Intelligence Agency 136.207.0.0 69th Signal Battalion 136.208.0.0 HQ, 5th Signal Command 136.209.0.0 HQ 5th Signal Command 136.210.0.0 HQ 5th Signal Command 136.212.0.0 HQ 5th Signal Command 136.213.0.0 HQ, 5th Signal Command 136.214.0.0 HQ, 5th Signal Command 136.215.0.0 HQ, 5th Signal Command 136.216.0.0 HQ, 5th Signal Command 136.217.0.0 HQ, 5th Signal Command 136.218.0.0 HQ, 5th Signal Command 136.219.0.0 HQ, 5th Signal Command 136.220.0.0 HQ, 5th Signal Command 136.221.0.0 HQ, 5th Signal Command 136.222.0.0 HQ, 5th Signal Command RANGE 137 137.1.0.0 Whiteman Air Force Base 137.2.0.0 George Air Force Base 137.3.0.0 Little Rock Air Force Base 137.4.0.0 - 137.4.255.255 437 CS/SC 137.5.0.0 Air Force Concentrator Network 137.6.0.0 Air Force Concentrator Network 137.11.0.0 HQ AFSPC/SCNNC 137.12.0.0 Air Force Concentrator Network 137.17.* National Aerospace Laboratory 137.24.0.0 Naval Surface Warfare Center 137.29.0.0 First Special Operations Command 137.67.0.0 Naval Warfare Assessment Center 137.94.* Royal Military College 137.95.* Headquarters, U.S. European Command 137.126.0.0 USAF MARS 137.127.* Army Concepts Analysis Agency 137.128.* U.S. 
ARMY Tank-Automotive Command 137.130.0.0 Defense Information Systems Agency 137.209.0.0 Defense Information Systems Agency 137.210.0.0 Defense Information Systems Agency 137.211.0.0 Defense Information Systems Agency 137.212.0.0 Defense Information Systems Agency 137.231.0.0 HQ 5th Signal Command 137.232.0.0 Defense Information Systems Agency 137.233.0.0 Defense Information Systems Agency 137.234.0.0 Defense Information Systems Agency 137.235.0.0 Defense Information Systems Agency 137.240.0.0 Air Force Materiel Command 137.241.0.0 75 ABW 137.242.0.0 Air Force Logistics Command 137.243.0.0 77 CS/SCCN 137.244.0.0 78 CS/SCSC 137.245.0.0 Wright Patterson Air Force Base 137.246.0.0 United States Atlantic Command Joint Training RANGE 138 138.13.0.0 Air Force Systems Command 138.27.0.0 Army Information Systems Command 138.50.0.0 HQ 5th Signal Command 138.65.0.0 HQ, 5th Signal Command 138.76.0.0 NASA Headquarters 138.109.0.0 Naval Surface Warfare Center 138.115.0.0 NASA Information and Electronic Systems Laboratory 138.135.0.0 - 138.135.255.255 DEFENSE PROCESSING CENTERPERAL HARBOR 138.136.0.0 - 138.136.255.255 Navy Computers and Telecommunications Station 138.137.0.0 Navy Regional Data Automation Center (NARDAC) 138.139.0.0 Marine Corps Air Station 138.140.0.0 Navy Regional Data Automation Center 138.141.0.0 Navy Regional Data Automation Center 138.142.0.0 Navy Regional Data Automation Center 138.143.0.0 Navy Regional Data Automation Center 138.144.0.0 NAVCOMTELCOM 138.145.0.0 NCTS WASHINGTON 138.146.0.0 NCTC 138.147.0.0 NCTC 138.148.0.0 NCTC 138.149.0.0 NCTC 138.150.0.0 NCTC 138.151.0.0 NCTC 138.152.0.0 NCTC 138.153.0.0 Yokosuka Naval Base 138.154.0.0 NCTC 138.155.0.0 NCTC 138.156.0.0 Marine Corps Central Design & Prog. Activity 138.157.0.0 - 138.157.255.255 Marine Corps Central Design & Prog. Activity 138.158.0.0 Marine Corps Central Design & Prog. 
Activity 138.159.0.0 NCTC 138.160.0.0 Naval Air Station 138.161.0.0 NCTC 138.162.0.0 NCTC 138.163.0.0 NCTC 138.164.0.0 NCTC 138.165.0.0 NCTC 138.166.0.0 NCTC 138.167.0.0 NOC, MCTSSA, East 138.168.0.0 Marine Corps Central Design & Prog. Activity 138.169.0.0 NAVAL COMPUTER AND TELECOMM 138.169.12.0 NAVAL COMPUTER AND TELECOMM 138.169.13.0 NAVAL COMPUTER AND TELECOMM 138.170.0.0 NCTC 138.171.0.0 NCTC 138.172.0.0 NCTC 138.173.0.0 NCTC 138.174.0.0 NCTC 138.175.0.0 NCTC 138.176.0.0 NCTC 138.177.0.0 NCTS Pensacola 138.178.0.0 NCTC 138.179.0.0 NCTC 138.180.0.0 NCTC 138.181.0.0 NCTC 138.182.0.0 CNO N60 138.183.0.0 NCTC 138.184.0.0 NCTS 138.193.0.0 NASA/Yellow Creek RANGE 139 139.31.0.0 20th Tactical Fighter Wing 139.32.0.0 48th Tactical Fighter Wing 139.33.0.0 36th Tactical Fighter Wing 139.34.0.0 52nd Tactical Fighter Wing 139.35.0.0 50th Tactical Fighter Wing 139.36.0.0 66th Electronic Combat Wing 139.37.0.0 26th Tactical Reconnaissance Wing 139.38.0.0 32nd Tactical Fighter Squadron 139.39.0.0 81st Tactical Fighter Wing 139.40.0.0 10th Tactical Fighter Wing 139.41.0.0 39th Tactical Air Control Group 139.42.0.0 40th Tactical Air Control Group 139.43.0.0 401st Tactical Fighter Wing 139.124.* Reseau Infomratique 139.142.*.* RANGE 140 140.1.0.0 Defense Information Systems Agency 140.3.0.0 Defense Information Systems Agency 140.4.0.0 Defense Information Systems Agency 140.5.0.0 Defense Information Systems Agency 140.6.0.0 Defense Information Systems Agency 140.7.0.0 Defense Information Systems Agency 140.8.0.0 Defense Information Systems Agency 140.9.0.0 Defense Information Systems Agency 140.10.0.0 Defense Information Systems Agency 140.11.0.0 Defense Information Systems Agency 140.12.0.0 Defense Information Systems Agency 140.13.0.0 Defense Information Systems Agency 140.14.0.0 DISA Columbus Level II NOC 140.15.0.0 Defense Information Systems Agency 140.16.0.0 Defense Information Systems Agency 140.17.0.0 Defense Information Systems Agency 140.18.0.0 Defense Information 
Systems Agency 140.19.0.0 Defense Information Systems Agency 140.20.0.0 Defense Information Systems Agency 140.21.0.0 Defense Information Systems Agency 140.22.0.0 Defense Information Systems Agency 140.23.0.0 Defense Information Systems Agency 140.24.0.0 ASIC ALLIANCE-MARLBORO 140.25.0.0 Defense Information Systems Agency 140.26.0.0 Defense Information Systems Agency 140.27.0.0 Defense Information Systems Agency 140.28.0.0 Defense Information Systems Agency 140.29.0.0 Defense Information Systems Agency 140.30.0.0 Defense Information Systems Agency 140.31.0.0 Defense Information Systems Agency 140.32.0.0 Defense Information Systems Agency 140.33.0.0 Defense Information Systems Agency 140.34.0.0 Defense Information Systems Agency 140.35.0.0 Defense Information Systems Agency 140.36.0.0 Defense Information Systems Agency 140.37.0.0 Defense Information Systems Agency 140.38.0.0 Defense Information Systems Agency 140.39.0.0 Defense Information Systems Agency 140.40.0.0 Defense Information Systems Agency 140.41.0.0 Defense Information Systems Agency 140.42.0.0 Defense Information Systems Agency 140.43.0.0 Defense Information Systems Agency 140.44.0.0 Defense Information Systems Agency 140.45.0.0 Defense Information Systems Agency 140.46.0.0 Defense Information Systems Agency 140.47.0.0 - 140.47.255.255 Defense Information Systems Agency 140.47.0.0 - 140.48.255.255 DOD Network Information Center 140.48.0.0 - 140.48.255.255 Defense Information Systems Agency 140.49.0.0 Defense Information Systems Agency 140.50.0.0 Defense Information Systems Agency 140.51.0.0 Defense Information Systems Agency 140.52.0.0 Defense Information Systems Agency 140.53.0.0 Defense Information Systems Agency 140.54.0.0 Defense Information Systems Agency 140.55.0.0 Defense Information Systems Agency 140.56.0.0 Defense Information Systems Agency 140.57.0.0 Defense Information Systems Agency 140.58.0.0 Defense Information Systems Agency 140.59.0.0 Defense Information Systems Agency 140.60.0.0 
Defense Information Systems Agency 140.61.0.0 Defense Information Systems Agency 140.62.0.0 Defense Information Systems Agency 140.63.0.0 Defense Information Systems Agency 140.64.0.0 Defense Information Systems Agency 140.65.0.0 Defense Information Systems Agency 140.66.0.0 Defense Information Systems Agency 140.67.0.0 Defense Information Systems Agency 140.68.0.0 Defense Information Systems Agency 140.69.0.0 Defense Information Systems Agency 140.70.0.0 Defense Information Systems Agency 140.71.0.0 Defense Information Systems Agency 140.72.0.0 Defense Information Systems Agency 140.73.0.0 Defense Information Systems Agency 140.74.0.0 - 140.74.255.255 Defense Information Systems Agency 140.100.0.0 Naval Sea Systems Command 140.139.0.0 HQ US Army Medical Research and Development Command 140.154.0.0 HQ 5th Signal Command 140.155.0.0 HQ, 5th Signal Command 140.156.0.0 HQ, 5th Signal Command 140.175.0.0 Scott Air Force Base 140.178.0.0 Naval Undersea Warfare Center Division, Keyport 140.187.0.0 Fort Bragg 140.194.0.0 US Army Corps of Engineers 140.195.0.0 Naval Sea Systems Command 140.199.0.0 Naval Ocean Systems Center 140.201.0.0 HQ, 5th Signal Command 140.202.0.0 106TH SIGNAL BRIGADE RANGE 143 143.45.0.0 58th Signal Battalion 143.46.0.0 U.S. 
Army, 1141st Signal Battalion 143.68.0.0 Headquarters, USAISC 143.69.0.0 Headquarters, USAAISC 143.70.0.0 Headquarters, USAAISC 143.71.0.0 Headquarters, USAAISC 143.72.0.0 Headquarters, USAAISC 143.73.0.0 Headquarters, USAAISC 143.74.0.0 Headquarters, USAAISC 143.75.0.0 Headquarters, USAAISC 143.76.0.0 Headquarters, USAAISC 143.77.0.0 Headquarters, USAAISC 143.78.0.0 Headquarters, USAAISC 143.79.0.0 Headquarters, USAAISC 143.80.0.0 Headquarters, USAAISC 143.81.0.0 Headquarters, USAAISC 143.82.0.0 Headquarters, USAAISC 143.84.0.0 Headquarters, USAAISC 143.85.0.0 Headquarters, USAAISC 143.86.0.0 Headquarters, USAAISC 143.87.0.0 Headquarters, USAAISC 143.232.0.0 NASA Ames Research Center RANGE 144 144.99.0.0 United States Army Information Systems Command 144.109.0.0 Army Information Systems Command 144.143.0.0 Headquarters, Third United States Army 144.144.0.0 Headquarters, Third United States Army 144.146.0.0 Commander, Army Information Systems Center 144.147.0.0 Commander, Army Information Systems Center 144.170.0.0 HQ, 5th Signal Command 144.192.0.0 United States Army Information Services Command-Campbell 144.233.0.0 Defense Intelligence Agency 144.234.0.0 Defense Intelligence Agency 144.235.0.0 Defense Intelligence Agency 144.236.0.0 Defense Intelligence Agency 144.237.0.0 Defense Intelligence Agency 144.238.0.0 Defense Intelligence Agency 144.239.0.0 Defense Intelligence Agency 144.240.0.0 Defense Intelligence Agency 144.241.0.0 Defense Intelligence Agency 144.242.0.0 Defense Intelligence Agency 144.252.0.0 U.S. 
Army LABCOM RANGE 146 146.17.0.0 HQ, 5th Signal Command 146.80.0.0 Defence Research Agency 146.98.0.0 HQ United States European Command 146.154.0.0 NASA/Johnson Space Center 146.165.0.0 NASA Langley Research Center RANGE 147 147.35.0.0 HQ, 5th Signal Command 147.36.0.0 HQ, 5th Signal Command 147.37.0.0 HQ, 5th Signal Command 147.38.0.0 HQ, 5th Signal Command 147.39.0.0 HQ, 5th Signal Command 147.40.0.0 HQ, 5th Signal Command 147.42.0.0 Army CALS Project 147.103.0.0 Army Information Systems Software Center 147.104.0.0 Army Information Systems Software Center 147.159.0.0 Naval Air Warfare Center, Aircraft Division 147.168.0.0 Naval Surface Warfare Center 147.169.0.0 HQ, 5th Signal Command 147.198.0.0 Army Information Systems Command 147.199.0.0 Army Information Systems Command 147.238.0.0 Army Information Systems Command 147.239.0.0 1112th Signal Battalion 147.240.0.0 US Army Tank-Automotive Command 147.242.0.0 19th Support Command 147.248.0.0 Fort Monroe DOIM 147.254.0.0 7th Communications Group RANGE 148 148.114.0.0 NASA, Stennis Space Center RANGE 150 150.113.0.0 1114th Signal Battalion 150.114.0.0 1114th Signal Battalion 150.125.0.0 Space and Naval Warfare Command 150.133.0.0 10th Area Support Group 150.144.0.0 NASA Goodard Space Flight Center 150.149.0.0 Army Information Systems Command 150.157.0.0 USAISC-Fort Lee 150.184.0.0 Fort Monroe DOIM 150.190.0.0 USAISC-Letterkenny 150.196.0.0 USAISC-LABCOM RANGE 152 152.82.0.0 7th Communications Group of the Air Force 152.151.0.0 U.S. 
Naval Space & Naval Warfare Systems Command 152.152.0.0 NATO Headquarters 152.154.0.0 Defense Information Systems Agency 152.229.0.0 Defense MegaCenter (DMC) Denver RANGE 153 153.21.0.0 USCENTAF/SCM 153.22.0.0 USCENTAF/SCM 153.23.0.0 USCENTAF/SCM 153.24.0.0 USCENTAF/SCM 153.25.0.0 USCENTAF/SCM 153.26.0.0 USCENTAF/SCM 153.27.0.0 USCENTAF/SCM 153.28.0.0 USCENTAF/SCM 153.29.0.0 USCENTAF/SCM 153.30.0.0 USCENTAF/SCM 153.31.0.0 Federal Bureau of Investigation RANGE 155 155.5.0.0 1141st Signal Bn 155.6.0.0 1141st Signal Bn 155.7.0.0 American Forces Information 155.8.0.0 U.S. ArmyFort Gordon 155.9.0.0 - 155.9.255.255 United States Army Information Systems Command 155.74.0.0 PEO STAMIS 155.75.0.0 US Army Corps of Engineers 155.76.0.0 PEO STAMIS 155.77.0.0 PEO STAMIS 155.78.0.0 PEO STAMIS 155.79.0.0 US Army Corps of Engineers 155.80.0.0 PEO STAMIS 155.81.0.0 PEO STAMIS 155.82.0.0 PEO STAMIS 155.83.0.0 US Army Corps of Enginers 155.84.0.0 PEO STAMIS 155.85.0.0 PEO STAMIS 155.86.0.0 US Army Corps of Engineers 155.87.0.0 PEO STAMIS 155.88.0.0 PEO STAMIS 155.96.0.0 Drug Enforcement Administration 155.149.0.0 1112th Signal Battalion 155.155.0.0 HQ, 5th Signal Command 155.178.0.0 Federal Aviation Administration 155.213.0.0 USAISC Fort Benning 155.214.0.0 Director of Information Management 155.215.0.0 USAISC-FT DRUM 155.216.0.0 TCACCIS Project Management Office 155.217.0.0 Directorate of Information Management 155.218.0.0 USAISC 155.219.0.0 DOIM/USAISC Fort Sill 155.220.0.0 USAISC-DOIM 155.221.0.0 USAISC-Ft Ord RANGE 156 156.9.0.0 U. S. Marshals Service RANGE 157 157.150.0.0 United Nations 157.153.0.0 COMMANDER NAVAL SURFACE U.S. PACIFIC FLEET 157.202.0.0 US Special Operations Command 157.217.0.0 U. S. Strategic Command RANGE 158 158.1.0.0 Commander, Tooele Army Depot 158.2.0.0 USAMC Logistics Support Activity 158.3.0.0 U.S. Army TACOM 158.4.0.0 UASISC Ft. Carson 158.5.0.0 1112th Signal Battalion 158.6.0.0 USAISC-Ft. 
McCoy 158.7.0.0 USAISC-FLW 158.8.0.0 US Army Soldier Support Center 158.9.0.0 USAISC-CECOM 158.10.0.0 GOC 158.11.0.0 UASISC-Vint Hill 158.12.0.0 US Army Harry Diamond Laboratories 158.13.0.0 USAISC DOIM 158.14.0.0 1112th Signal Battalion 158.15.0.0 - 158.15.255.255 Defense Megacenter Huntsville 158.16.0.0 Rocky Mountain Arsenal (PMRMA) 158.17.0.0 Crane Army Ammunition Activity 158.18.0.0 Defense Finance & Accounting Service Center 158.19.0.0 DOIM 158.20.0.0 DOIM 158.235.0.0 Marine Corps Central Design and Programming Activity 158.243.0.0 Marine Corps Central Design and Programming Activity 158.244.0.0 Marine Corps Central Design and Programming Activity 158.245.0.0 Marine Corps Central Design and Programming Activity 158.246.0.0 Marine Corps Central Design and Programming Activity RANGE 159 159.120.0.0 Naval Air Systems Command (Air 4114) RANGE 160 160.132.0.0 US Army Recruiting Command 160.135.0.0 36th Signal BN 160.138.0.0 USAISC 160.139.0.0 USAISC 160.140.0.0 HQ, United States Army 160.143.0.0 USAISC 160.145.0.0 1101st Signal Brigade 160.146.0.0 USAISC SATCOMSTA-CAMP ROBERTS 160.150.0.0 Commander, Moncrief Army Hospital RANGE 161 161.124.0.0 NAVAL WEAPONS STATION RANGE 162 162.32.0.0 Naval Aviation Depot Pensacola 162.45.0.0 Central Intelligence Agency 162.46.0.0 Central Intelligence Agency RANGE 163 163.205.0.0 NASA Kennedy Space Center 163.206.0.0 NASA Kennedy Space Center RANGE 164 164.45.0.0 Naval Ordnance Center, Pacific Division 164.49.0.0 United States Army Space and Strategic Defense 164.158.0.0 Naval Surface Warfare Center 164.217.0.0 Institute for Defense Analyses 164.218.0.0 Bureau of Naval Personnel 164.219.0.0 HQ USAFE WARRIOR PREPARATION CENTER 164.220.0.0 - 164.220.255.255 NIMIP/TIP/NEWNET 164.221.0.0 - 164.221.255.255 Information Technology 164.223.0.0 Naval Undersea Warfare Center 164.224.0.0 Secretary of the Navy 164.225.0.0 U.S. 
Army Intelligence and Security Command 164.226.0.0 Naval Exchange Service Command 164.227.0.0 Naval Surface Warfare Center, Crane Division 164.228.0.0 USCINCPAC J21T 164.229.0.0 NCTS-NOLA 164.230.0.0 Naval Aviation Depot 164.231.0.0 Military Sealift Command 164.232.0.0 - 164.232.255.255 United States Southern Command RANGE 167 167.44.0.0 Government Telecommunications Agency RANGE 168 168.68.0.0 USDA Office of Operations 168.85.0.0 Fort Sanders Alliance 168.102.0.0 Indiana Purdue Fort Wayne RANGE 169 169.252.0.0 - 169.253.0.0 U.S. Department of State RANGE 194 RANGE 195 195.10.* Various - Do not scan RANGE 199 199.121.4.0 - 199.121.253.0 Naval Air Systems Command, VA RANGE 203 203.59.0.0 - 203.59.255.255 Perth Australia iiNET RANGE 204 204.34.0.0 - 204.34.15.0 IPC JAPAN 204.34.0.0 - 204.37.255.0 DOD Network Information Center 204.34.16.0 - 204.34.27.0 Bureau of Medicine and Surgery 204.34.32.0 - 204.34.63.0 USACOM 204.34.64.0 - 204.34.115.0 DEFENSE FINANCE AND ACCOUNTING SERVICE 204.34.128.0 DISA-Eucom / BBN-STD, Inc. 204.34.129.0 Defense Technical Information Center 204.34.130.0 GSI 204.34.131.0 NSA NAPLES ITALY 204.34.132.0 NAVSTA ROTA SPAIN 204.34.133.0 NAS SIGONELLA ITALY 204.34.134.0 Naval Air Warfare Center Aircraft Division 204.34.135.0 GSI 204.34.136.0 Naval Undersea Warfare Center USRD - Orlando 204.34.137.0 Joint Spectrum Center 204.34.138.0 GSI 204.34.139.0 HQ, JFMO Korea, Headquarters 204.34.140.0 DISA D75 204.34.141.0 U. S. Naval Air Facility, Atsugi Japan 204.34.142.0 Naval Enlisted Personnel Management Center 204.34.143.0 Afloat Training Group Pacific 204.34.144.0 HQ Special Operations Command - Europe 204.34.145.0 Commander Naval Base Pearl Harbor 204.34.147.0 NAVSEA Information Management Improvement Program 204.34.148.0 Q112 204.34.149.0 Ctr. for Info. Sys.Security,CounterMeasures 204.34.150.0 Resource Consultants, Inc. 
204.34.151.0 Personnel Support Activity, San Diego 204.34.152.0 NAVAL AIR FACILITY, ADAK 204.34.153.0 NAVSEA Logistics Command Detachment 204.34.154.0 PEARL HARBOR NAVAL SHIPYARD 204.34.155.0 PEARL HARBOR NAVAL SHIPYARD 204.34.156.0 Defense Photography School 204.34.157.0 - 204.34.160.0 Defense Information School 204.34.161.0 Naval Air Systems Command 204.34.162.0 Puget Sound Naval Shipyard 204.34.163.0 Joint Precision Strike Demonstration 204.34.164.0 Naval Pacific Meteorology and Ocean 204.34.165.0 Joint Precision Strike Demonstration 204.34.167.0 USAF 204.34.168.0 Commander 204.34.169.0 Naval Air Warfare Center 204.34.170.0 Naval Air Systems Command 204.34.171.0 NAVSTA SUPPLY DEPARTMENT 204.34.173.0 SUBMEPP Activity 204.34.174.0 COMMANDER TASK FORCE 74 YOKOSUKA JAPAN 204.34.176.0 DISA-PAC,IPC-GUAM 204.34.177.0 Satellite Production Test Center 204.34.181.0 940 Air Refueling Wing 204.34.182.0 Defense Megacenter Warner Robins 204.34.183.0 GCCS Support Facility 204.34.184.0 Nav Air Tech Serv Facility-Detachment 204.34.185.0 NAVAL SUPPORT FACILITY, DIEGO GARCIA 204.34.186.0 Defense Logistics Agency - Europe 204.34.187.0 NAVMASSO 204.34.188.0 Commander-In-Chief, US Pacific Fleet 204.34.189.0 Defense MegaCenter - St Louis 204.34.190.0 NAVMASSO 204.34.192.0 HQ SOCEUR 204.34.193.0 Second Marine Expeditionary Force 204.34.194.0 Second Marine Expeditionary Force 204.34.195.0 Second Marine Expeditionary Force 204.34.196.0 NAVCOMTELSTAWASHDC 204.34.197.0 INFORMATION SYSTEMS TECHNOLOGY CENTER 204.34.198.0 Naval Observatory Detachment, Colorado 204.34.199.0 NAVILCODETMECH 204.34.200.0 Navy Environmental Preventive Medicine 204.34.201.0 Port Hueneme Division, Naval Surf 204.34.202.0 Naval Facilities Engineering Housing 204.34.203.0 NAVSEA Logistics Command Detachment 204.34.204.0 Naval Air Warfare Center 204.34.205.0 Portsmouth Naval Shipyard 204.34.206.0 INFORMATION SYSTEMS TECHNOLOGY CENTER 204.34.208.0 - 204.34.210.0 Military Sealift Command Pacific 204.34.211.0 USAF Academy 
All the below are FBI controlled Linux servers & IPs/IP-Ranges
dont try those ranges!! RANGE 216 216.25.* 216.94.***.*** 216.247.* 216.248.*.* 217 217.6.* Do not scan -------------------------------- And from our Canadian friends... 192.139.201.0 - 192.139.201.24 : Government of Canada 192.139.202.0 - 192.139.202.24 : Government of Canada 192.139.203.0 - 192.139.203.24 : Government of Canada 192.139.204.0 - 192.139.204.24 : Government of Canada 192.197.83.0 - 192.197.83.24 : Government of Canada 198.103.0.0 - 198.103.0.16 : Government of Canada 128.43.0.0 - 128.43.0.16 : Canadian Department of National Defense (DND) 131.132.0.0 - 131.132.0.16 : Canadian Department of National Defense (DND) 131.133.0.0 - 131.133.0.16 : Canadian Department of National Defense (DND) 131.134.0.0 - 131.134.0.16 : Canadian Department of National Defense (DND) 131.135.0.0 - 131.135.0.16 : Canadian Department of National Defense (DND) 131.136.0.0 - 131.136.0.16 : Canadian Department of National Defense (DND) 131.137.0.0 - 131.137.0.16 : Canadian Department of National Defense (DND) 131.138.0.0 - 131.138.0.16 : Canadian Department of National Defense (DND) 131.139.0.0 - 131.139.0.16 : Canadian Department of National Defense (DND) 131.140.0.0 - 131.140.0.16 : Canadian Department of National Defense (DND) 131.141.0.0 - 131.141.0.16 : Canadian Department of National Defense (DND) 192.5.144.0 - 192.5.144.24 : Canadian Department of National Defense (DND) 192.12.98.0 - 192.12.98.24 : Canadian Department of National Defense (DND) 192.12.215.0 - 192.12.215.24 : Canadian Department of National Defense (DND) 192.16.205.0 - 192.16.205.24 : Canadian Department of National Defense (DND) 192.16.206.0 - 192.16.206.24 : Canadian Department of National Defense (DND) 192.16.207.0 - 192.16.207.24 : Canadian Department of National Defense (DND) 192.16.208.0 - 192.16.208.24 : Canadian Department of National Defense (DND) 192.16.242.0 - 192.16.242.24 : Canadian Department of National Defense (DND) 192.16.243.0 - 192.16.243.24 : Canadian Department of National Defense (DND) 
                              ==Phrack Inc.==

               Volume 0x0c, Issue 0x41, Phile #0x04 of 0x0f

|=-----------------------------------------------------------------------=|
|=---=[ Stealth hooking : Another way to subvert the Windows kernel ]=---=|
|=-----------------------------------------------------------------------=|
|=--------------------=[ by mxatone and ivanlef0u ]=---------------------=|
|=-----------------------------------------------------------------------=|

1 - Introduction on anti-rootkits technologies and bypass
  1.1 - Rootkits and anti-rootkits techniques
  1.2 - About kernel level protections
  1.3 - Concept key: use kernel code against itself

2 - Introducing stealth hooking on IDT
  2.1 - How Windows manages hardware interrupts
    2.1.1 - Hardware interrupts dispatching on Windows
    2.1.2 - Hooking hardware IT like a ninja
    2.1.3 - Application 1 : Kernel keylogger
    2.1.4 - Application 2 : NDIS incoming packets sniffer
  2.2 - Conclusion about stealth hooking on IDT

3 - Owning NonPaged pool using stealth hooking
  3.1 - Kernel allocation layout review
    3.1.1 - Difference between Paged and NonPaged pool
    3.1.2 - NonPaged pool tables
    3.1.3 - Allocation and free algorithms
  3.2 - Getting code execution abusing allocation code
    3.2.1 - Data corruption of MmNonPagedPoolFreeListHead
    3.2.2 - Expend it for every size
  3.3 - Exploit our position
    3.3.1 - Generic stack redirection
    3.3.2 - Userland process code injection

4 - Detection

5 - Conclusion

6 - References


---[ 1 - Introduction on anti-rootkits technologies and bypass

Nowadays rootkits and anti-rootkits are becoming more and more important in the IT security landscape. Loved by some, hated by others, rootkits can be considered as the holy grail of backdoors : stealthy, little, close to hardware, ingenious, vicious... Their control over a computer, locally or remotely, makes them the best choice for an attacker.
Anti-rootkits try to detect and eradicate those malicious programs. Rk techniques and complexity are evolving fast, and today developing a rk or an anti-rk is a very hard mission.

This paper deals with rootkits on the Windows platform, more precisely with a new kind of hijacking technique that can be applied to the Windows kernel. Readers are assumed to be familiar with rootkit techniques on Windows.

----[ 1.1 - Rootkits and anti-rootkits techniques

A rootkit hijacks an operating system's behavior. To achieve this it can simply modify the operating system's binaries, but that's not very stealthy. Most rk's use hooks on important functions and change their results. A basic hook redirects execution flow by changing a function's start or a function pointer, but there is no single way to hook a routine. The most common example is the SSDT (System Service Descriptor Table): this table contains the syscall list, which is a set of function pointers. If you can modify a pointer in this table, you are able to control the behavior of one function. That's one example of how rootkits proceed; obviously there are a lot of critical areas that can be controlled by an attacker.

Anti-rootkits try to check those areas, but the task is very hard. Most of the time, anti-rk software compares the memory image of a program with its binary on disk, or verifies some function pointer tables to see if something has changed. That's how the war between rk-makers and anti-rk-junkies began, trying to find the best way, the best area, for hooking critical operating system features. On Windows the following areas are often used by rootkits :

 - SSDT (kernel syscalls table) and shadow SSDT (win32k syscall table) are the simplest solution.

 - MSR (Model Specific Registers) can be modified by a rootkit. On Windows the MSR_SYSENTER_EIP is used by the assembly instruction 'sysenter' to enter ring0 mode. Hijacking this MSR allows an attacker to control the system.
 - MajorFunctions are functions used by drivers for I/O processing with other devices; hooking those functions can be useful for a rootkit.

 - IDT (Interrupt Descriptor Table) is the table used by the system for handling exceptions and interrupts.

Another kind of technique has appeared. By accessing kernel objects, a rootkit can easily change information about processes, threads, loaded modules and other stuff. Those techniques are called DKOM (Direct Kernel Object Manipulation). For example, the Windows kernel maintains a doubly linked list called PsActiveProcessList (EPROCESS structures) containing information about running processes. Unlink one of them and your process will disappear from process lists like task manager, whereas the process is still running.

To block those kernel object modifications, anti-rk tools check other sections. For processes, they used to read the PspCidTable, which holds a table of PIDs (Process IDentifiers) and TIDs (Thread IDentifiers). A comparison between this table and PsActiveProcessList shows hidden processes. Against those attacks anti-rk tools have to find other sections and tricks to detect altered objects.

One of the first papers about Windows stealth was written by Holy Father, "Invisibility on NT boxes" [1]. With this paper came one of the first public implementations of a rootkit with a ring0 driver, Hacker Defender [2], coded by Holy Father and Ratter of the famous VXing mag 29A [3]. This driver was able to elevate process rights using token manipulation. The rest of the rootkit uses user-land hooks to perform file and registry hiding, and process infection with dll injection. A good example of a full ring0 rootkit is NT Rootkit by Greg Hoglund [4]; this driver uses SSDT hooks to perform stealth operations. It registers a Filter Device Object above the NTFS file system and above the keyboard device for filtering IRPs (I/O Request Packets). It also provides an NDIS protocol driver to hide communication on the network.
Even though this rk was written for NT 4.0 and Win2K, it's a perfect example for beginners. Then came more advanced ring0 rk like FU [5], written by Fuzen_op, and its improvement FUto, published in the famous technical journal Uninformed [6]. Vista's improvements to driver verification brought new rootkits mostly based on hardware features, like BootRoot [7] and Pixie [8] by eEye, which are loaded before any protection. Finally, Joanna Rutkowska with her Blue Pill [9] used virtualization technology to create a layer between the operating system and the hardware.

In the wild, rk are used most of the time for lame mail spamming or botnets. They often use old techniques but some of them are interesting, like the Rustock [10] series, StormWorm [11] and the MBR rootkit [12]. They implement a lot of tricks such as ADS (Alternate Data Stream), code obfuscation, anti-debug, anti-VM or polymorphic code. The goal is not only to subvert the kernel but also to slow down their analysis and make them harder to defeat.

Even if the technology used by rootkits is more and more sophisticated, the underground community is still developing POCs to improve current techniques. Unreal [13] and AK992 [14] are both great examples. The first uses an ADS and NTFS MajorFunctions hooking to hide itself; the second checks IRP completion when IRPs are sent to disk devices. You can find plenty of examples of rootkit techniques on rootkit.com.

Finally, this part would not be complete if we didn't speak about anti-rk. The most famous is Rk Unhooker by MP_ART & EP_X0FF and their team UG North. Other anti-rk are DarkSpy [15] by CardMagic, IceSword [16] by pjf and Gmer [17].

----[ 1.2 - About kernel level protections

When we talk about protection, we must notice where the protection takes place in the system. A protection has an advantage over an attack only if it operates from a higher level. Protections like PaX or Exec Shield are efficient because they protect userland from the kernel.
Protections like PatchGuard and other HIPS also protect the system integrity, but as soon as an attacker finds a way to attack those protections at their own level they become useless.

A protection is reliable only if it can't be corrupted by an attacker. If an attacker finds a way to inject code into the protection, you can consider your b0x dead. That's why PatchGuard isn't so efficient [18]. But we know that disabling or destroying a protection is very noisy. No, the best way is to fly under the radar by working with special objects and events that cannot be checked because of their volatility.

In June 2006, Greg Hoglund presented the concept of KOH (Kernel Object Hooking) [19], a new way of detouring code execution: you don't have to modify a static code section, you rather work on dynamically allocated structures/codes like DPC (Deferred Procedure Calls). For protections, it's hard to find and verify those areas due to their instability.

Other cool objects are IRPs. They are the objects used by the Windows kernel I/O manager to communicate with devices. Each I/O operation on hardware generates an IRP; syscalls send IRPs to a driver through its device. In general a driver owns several devices; one of them is used to communicate with userland through IOCTLs, and the other devices manage IRPs by filtering them or performing a requested task. IRPs are sent to a driver using its MajorFunctions table. This table lists the different functionalities provided by the driver. You can check the result returned by a MajorFunction by installing a completion routine on an IRP. IRPs are very volatile objects; controlling and checking them is very hard.

In fact, if you wanted to check everything you would need to completely redesign the operating system architecture. So keep in mind that protection cannot be everywhere at every time, and we will demonstrate it in the following parts.
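
The cross-view check described in section 1.1 (PspCidTable against PsActiveProcessList), as an added example that is not code from the paper: it walks a list while validating every Flink/Blink pair, then reports the PIDs that only the second view knows about. The record layout, the index-based links and the sample PIDs are constructed for illustration and do not mirror real EPROCESS offsets.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an EPROCESS record: just a PID and the two
   list links, stored as array indexes instead of kernel pointers. */
typedef struct {
    uint32_t pid;
    int flink;              /* next record in the active-process list */
    int blink;              /* previous record */
} ProcRec;

#define LIST_HEAD 0         /* record 0 plays the role of the list head */

/* Walk the list from the head and collect every PID reached. Returns the
   number of PIDs, or -1 when a link is out of range, a Flink/Blink pair
   disagrees, or the output buffer is too small. */
int walk_active_list(const ProcRec *recs, int nrecs, uint32_t *out, int cap)
{
    int n = 0, cur = LIST_HEAD, steps = 0;
    do {
        int next = recs[cur].flink;
        if (next < 0 || next >= nrecs) return -1;   /* wild link */
        if (recs[next].blink != cur) return -1;     /* neighbours disagree */
        if (++steps > nrecs) return -1;             /* never returns to head */
        cur = next;
        if (cur != LIST_HEAD) {
            if (n >= cap) return -1;
            out[n++] = recs[cur].pid;
        }
    } while (cur != LIST_HEAD);
    return n;
}

/* Cross-view diff: PIDs the second view (the CID table in the text) knows
   about but the list walk never reached. Returns how many were found. */
int find_hidden(const uint32_t *cid, int ncid, const uint32_t *listed,
                int nlisted, uint32_t *hidden, int cap)
{
    int h = 0;
    for (int i = 0; i < ncid; i++) {
        int seen = 0;
        for (int j = 0; j < nlisted && !seen; j++)
            seen = (cid[i] == listed[j]);
        if (!seen && h < cap) hidden[h++] = cid[i];
    }
    return h;
}

/* Constructed snapshot: record 3 (PID 1288) still exists, but its
   neighbours point past it, so it is unreachable from the head. */
static const ProcRec SNAPSHOT[] = {
    {    0, 1, 4 },   /* head */
    {    4, 2, 0 },
    {  620, 4, 1 },
    { 1288, 4, 2 },   /* stale links, no longer on the chain */
    { 1904, 0, 2 },
};
static const uint32_t CID_VIEW[] = { 4, 620, 1288, 1904 };

int main(void)
{
    uint32_t listed[8], hidden[8];
    int n = walk_active_list(SNAPSHOT, 5, listed, 8);
    if (n < 0) { puts("list links are inconsistent"); return 1; }
    int h = find_hidden(CID_VIEW, 4, listed, n, hidden, 8);
    for (int i = 0; i < h; i++)
        printf("PID %u is in the CID view but not on the list\n",
               (unsigned)hidden[i]);
    return 0;
}
```

The result is only as trustworthy as the second view: as the text notes, a tool that relies on one table has to move to another once that table is altered too.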

----[ 1.3 - Concept key: use kernel code against itself

The idea behind this paper is exploiting kernel code. Exploitation is possible because input defines code behavior. Submitting a crafted input to vulnerable software can lead to code execution. Dangerous input is of course defined by your target. Kernel space contains more exploitation scenarios because you can change its environment.

A rootkit cannot change basic inputs such as arguments, but it can change the environment around a piece of code. Heap exploitation techniques such as unlinking are a perfect example. By changing a memory block structure, you are able to overwrite 4 bytes. Some techniques can even change the next allocated block address [20]. It works because a program trusts that information. In the kernel, you have total control over the environment. Also, completely checking the kernel is bad for performance and totally impossible.

Changing the code environment has been used successfully by the phide2 rootkit [21] technique. This rootkit can hide threads without hooking the Windows scheduler, which is impressive. As it relies on code behavior, it needs strong reverse engineering knowledge. It extends this concept into unknown operating system behaviors.

Generic protections are based on generic assumptions, such as checking only driver images for code hooks. These days operating system design is against those protections and requires advanced software rootkit techniques.

---[ 2 - Introducing stealth hooking on IDT

Let's introduce our concept of stealth hooking with an example based on the IDT. First we will see what the IDT is and what its purpose is. Then we will discuss hardware interrupts and how Windows deals with them.

The IDT (Interrupt Descriptor Table) is a CPU specific linear table located in kernel-land. The IDT can be read with ring3 privilege level but you must have ring0 privilege if you want to write into it.
The IDT is composed of 256 entries of KIDTENTRY structures and you can use the Kernel Debugger (KD) included in the Debugging Tools for Windows [22] to see the definition of an IDT entry.

kd> dt nt!_KIDTENTRY
   +0x000 Offset           : Uint2B
   +0x002 Selector         : Uint2B
   +0x004 Access           : Uint2B
   +0x006 ExtendedOffset   : Uint2B

Here we don't want to (re)explain the architecture of the IDT, so we advise you to read Kad's paper published in Phrack 59 about the IDT and how it works [23].

The first 32 entries of the IDT are reserved by the CPU for exceptions. The others are used to handle hardware interrupts and special system events. Here is a dump of the first 64 entries of the Windows IDT.

kd> !idt -a

Dumping IDT:

00: 804df350 nt!KiTrap00
01: 804df4cb nt!KiTrap01
02: Task Selector = 0x0058
03: 804df89d nt!KiTrap03
04: 804dfa20 nt!KiTrap04
05: 804dfb81 nt!KiTrap05
06: 804dfd02 nt!KiTrap06
07: 804e036a nt!KiTrap07
08: Task Selector = 0x0050
09: 804e078f nt!KiTrap09
0a: 804e08ac nt!KiTrap0A
0b: 804e09e9 nt!KiTrap0B
0c: 804e0c42 nt!KiTrap0C
0d: 804e0f38 nt!KiTrap0D
0e: 804e164f nt!KiTrap0E
0f: 804e197c nt!KiTrap0F
10: 804e1a99 nt!KiTrap10
11: 804e1bce nt!KiTrap11
12: 804e197c nt!KiTrap0F
13: 804e1d34 nt!KiTrap13
14: 804e197c nt!KiTrap0F
15: 804e197c nt!KiTrap0F
16: 804e197c nt!KiTrap0F
17: 804e197c nt!KiTrap0F
18: 804e197c nt!KiTrap0F
19: 804e197c nt!KiTrap0F
1a: 804e197c nt!KiTrap0F
1b: 804e197c nt!KiTrap0F
1c: 804e197c nt!KiTrap0F
1d: 804e197c nt!KiTrap0F
1e: 804e197c nt!KiTrap0F
1f: 804e197c nt!KiTrap0F
20: 00000000
21: 00000000
22: 00000000
23: 00000000
24: 00000000
25: 00000000
26: 00000000
27: 00000000
28: 00000000
29: 00000000
2a: 804deb92 nt!KiGetTickCount
2b: 804dec95 nt!KiCallbackReturn
2c: 804dee34 nt!KiSetLowWaitHighThread
2d: 804df77c nt!KiDebugService
2e: 804de631 nt!KiSystemService
2f: 804e197c nt!KiTrap0F
30: 806f3d48 hal!HalpClockInterrupt
31: 80dd816c i8042prt!I8042KeyboardInterruptService (KINTERRUPT 80dd8130)
32: 804ddd04 nt!KiUnexpectedInterrupt2
33: 80dd3224 serial!SerialCIsrSw (KINTERRUPT 80dd31e8)
34: 804ddd18 nt!KiUnexpectedInterrupt4
35: 804ddd22 nt!KiUnexpectedInterrupt5
36: 804ddd2c nt!KiUnexpectedInterrupt6
37: 804ddd36 nt!KiUnexpectedInterrupt7
38: 806edef0 hal!HalpProfileInterrupt
39: 80f0827c ACPI!ACPIInterruptServiceRoutine (KINTERRUPT 80f08240)
3a: 80dc67cc vmsrvc+0x1C16 (KINTERRUPT 80dc6790)
3b: 80df6414 NDIS!ndisMIsr (KINTERRUPT 80df63d8)
3c: 80de040c i8042prt!I8042MouseInterruptService (KINTERRUPT 80de03d0)
3d: 804ddd72 nt!KiUnexpectedInterrupt13
3e: 80ed78a4 atapi!IdePortInterrupt (KINTERRUPT 80ed7868)
3f: 80f01dd4 atapi!IdePortInterrupt (KINTERRUPT 80f01d98)
40: 804ddd90 nt!KiUnexpectedInterrupt16
[...]

This dump represents a typical Windows IDT: you can see the IDT entry index followed by the address of the handler and its name. The first 32 entries are filled by KiTrap* functions that manage exceptions. The rest of the table is left to the system; you can see special system interrupts like KiSystemService and KiCallbackReturn, and handlers used by drivers like I8042KeyboardInterruptService or I8042MouseInterruptService.

----[ 2.1 - How Windows manages hardware interrupts

When we talk about interrupts we must introduce the concept of IRQL (Interrupt ReQuest Level). The kernel represents IRQLs internally as a number from 0 through 31 on x86, with higher numbers representing higher priority interrupts. Although the kernel defines the standard set of IRQLs for software interrupts, the HAL (Hardware Abstraction Layer) maps hardware interrupt numbers to the IRQLs.

        +----------------+
     31 | Highest        | \
     to | IRQLs          |  | Clock, system failure.
     27 |                | /
        +----------------+
     26 |                | \
     to | DEVICE_IRQL    |  | Hardware interrupts.
      3 |                | /
        +----------------+
      2 | DISPATCH_LEVEL |   Scheduler, DPC.
        +----------------+
      1 | APC_LEVEL      |   Used when dispatching APC.
        +----------------+
      0 | PASSIVE_LEVEL  |   Threads run at this IRQL.
        +----------------+

Each processor has its own IRQL.
You can have a core running at IRQL = DISPATCH_LEVEL whereas another is running at PASSIVE_LEVEL. In fact the IRQL represents the "mask ability" of the currently running code. Interrupts from a source with an IRQL above the current level interrupt the processor, whereas interrupts from sources with IRQLs equal to or below the current level are masked until an executing thread decreases the IRQL.

Some system components are not accessible when code is running at IRQL >= DISPATCH_LEVEL. Accessing paged memory (memory which can be swapped to disk) is impossible and lots of kernel functions cannot be used.

Hardware interrupts are asynchronous and raised by external peripherals. For example when you hit a key, your keyboard device sends an IRQ (Interrupt ReQuest) routed by the Southbridge [24] to your interrupt controller through the Northbridge [25].

The Southbridge is a chip that can be described as an I/O controller hub. This chip receives all the external I/O interrupts and sends them to the Northbridge. The Northbridge is directly connected to your memory and high speed graphics bus, and also to your CPU. This chip is also known as the memory controller hub.

On most x86 systems we find a chipset called i82489, the Advanced Programmable Interrupt Controller (APIC). The APIC is composed of 2 main components, an I/O APIC, one per CPU, and a LAPIC (Local APIC) on each core. The I/O APIC uses a routing algorithm to dispatch an interrupt to the best adapted core. According to the principle of locality, the I/O APIC will deliver the device interrupt to the core which handled it the previous time [26].

After this the LAPIC translates the IRQ to an 8-bit value, an interrupt vector. This interrupt vector represents the IDT entry index associated with the handler. When the core is ready to handle the interrupt, its instruction flow is redirected to the IDT entry.
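
An integrity check over the table that the vector indexes, added here as an example (not the authors' code): it rebuilds each handler address from the KIDTENTRY fields and flags entries that lie neither in a known image nor 0x3c bytes past a baselined KINTERRUPT, which is the spacing every hardware-interrupt entry shows in the `!idt -a` dump above. The module ranges, the gate selector and access values, and the deviating entry for vector 3d are constructed; the other addresses come from the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* nt!_KIDTENTRY as printed by kd on the page (32-bit x86). */
typedef struct {
    uint16_t Offset;            /* low 16 bits of the handler address  */
    uint16_t Selector;
    uint16_t Access;            /* present bit, DPL and gate type      */
    uint16_t ExtendedOffset;    /* high 16 bits of the handler address */
} KIDTENTRY;

typedef struct { const char *name; uint32_t base, size; } ModuleRange;
typedef struct { uint8_t vector; KIDTENTRY gate; } IdtSample;
typedef enum { IDT_EMPTY, IDT_TASK_GATE, IDT_IN_IMAGE,
               IDT_KINTERRUPT, IDT_UNKNOWN } IdtClass;

#define ACCESS_PRESENT   0x8000u
#define ACCESS_TYPE_MASK 0x1F00u
#define ACCESS_TASK_GATE 0x0500u
#define DISPATCH_DELTA   0x3Cu   /* IDT address minus KINTERRUPT address in the dump */

uint32_t idt_handler(const KIDTENTRY *e)
{
    return ((uint32_t)e->ExtendedOffset << 16) | e->Offset;
}

IdtClass classify_entry(const KIDTENTRY *e,
                        const ModuleRange *mods, size_t nmods,
                        const uint32_t *kints, size_t nkints)
{
    uint32_t h = idt_handler(e);
    if ((e->Access & ACCESS_TYPE_MASK) == ACCESS_TASK_GATE) return IDT_TASK_GATE;
    if (!(e->Access & ACCESS_PRESENT) || h == 0) return IDT_EMPTY;
    for (size_t i = 0; i < nmods; i++)      /* unsigned wrap rejects h < base */
        if (h - mods[i].base < mods[i].size) return IDT_IN_IMAGE;
    for (size_t i = 0; i < nkints; i++)
        if (h - DISPATCH_DELTA == kints[i]) return IDT_KINTERRUPT;
    return IDT_UNKNOWN;
}

/* Constructed image ranges; a real check reads them from the loader. */
static const ModuleRange MODULES[] = {
    { "nt",  0x804d7000u, 0x001f0000u },
    { "hal", 0x806ec000u, 0x00020000u },
};
/* KINTERRUPT addresses recorded in the page's dump, used as the baseline. */
static const uint32_t KINTERRUPTS[] = { 0x80dd8130u, 0x80df63d8u };

/* 32-bit interrupt gate; selector 0x0008 and access 0x8E00 are constructed. */
#define GATE(a) { (uint16_t)((a) & 0xFFFFu), 0x0008, 0x8E00, (uint16_t)((a) >> 16) }
static const IdtSample SAMPLE[] = {
    { 0x00, GATE(0x804df350u) },          /* nt!KiTrap00                 */
    { 0x02, { 0, 0x0058, 0x8500, 0 } },   /* Task Selector = 0x0058      */
    { 0x20, { 0, 0, 0, 0 } },             /* 00000000                    */
    { 0x30, GATE(0x806f3d48u) },          /* hal!HalpClockInterrupt      */
    { 0x31, GATE(0x80dd816cu) },          /* KINTERRUPT 80dd8130 + 0x3c  */
    { 0x3b, GATE(0x80df6414u) },          /* KINTERRUPT 80df63d8 + 0x3c  */
    { 0x3d, GATE(0x81f0a03cu) },          /* constructed deviation       */
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Store the vectors classified IDT_UNKNOWN; return how many there are. */
size_t scan_idt(const IdtSample *t, size_t n, uint8_t *flagged, size_t cap)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_entry(&t[i].gate, MODULES, 2, KINTERRUPTS, 2) == IDT_UNKNOWN
            && hits < cap)
            flagged[hits++] = t[i].vector;
    return hits;
}

int main(void)
{
    uint8_t flagged[8];
    size_t n = scan_idt(SAMPLE, NSAMPLE, flagged, 8);
    for (size_t i = 0; i < n; i++)
        printf("vector %02x: handler outside every known image and KINTERRUPT\n",
               flagged[i]);
    return 0;
}
```

A check that only accepts handlers inside a driver image would flag every hardware-interrupt vector in the dump, so the baseline of KINTERRUPT addresses is what keeps this one usable.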

      IDT            IDT            IDT            IDT
       1              2              3              4
     +---+          +---+          +---+          +---+
     |   |          |   |          |   |          |   |
     |---|          |---|          |---|          |---|
     |   |          |   |          |   |          |   |
     |---|          |---|          |---|          |---|
     |   |          |   |          |   |          |   |
     +---+          +---+          +---+          +---+
       |              |              |              |
   +--------+     +--------+     +--------+     +--------+
   |        |     |        |     |        |     |        |
   | core 1 |     | core 2 |     | core 3 |     | core 4 |
   |        |     |        |     |        |     |        |
   +--------+     +--------+     +--------+     +--------+
   | LAPIC  |     | LAPIC  |     | LAPIC  |     | LAPIC  |
   +---+----+     +---+----+     +---+----+     +---+----+
       |              |              |              |
       |              |              |              |
  <----+--------------+------+-------+--------------+----->
     Interrupt               |       Processor system bus
     Messages                |
                             |
                             |
     External         +------+------+
     Interrupts       |             |
     --------------->    I/O APIC   |
                      |             |
                      +-------------+

-----[ 2.1.1 - Hardware interrupts dispatching on Windows

On Windows, the interrupt handler isn't executed immediately; there is a code template first. This template is implemented in the function KiInterruptTemplate and does two things: it saves the current core state on the stack, and it dispatches code flow to the right "interrupt dispatcher".

When an interrupt is raised, after the core state is saved, code flow is transferred to the interrupt handler as defined in the IDT. In fact each interrupt handler in the IDT points to a KiInterruptTemplate routine [27]. KiInterruptTemplate will call KiInterruptDispatch, which performs the following operations :

 - Acquire the service routine spinlock.

 - Raise IRQL to DEVICE_IRQL; the IRQL of a given interrupt vector is calculated by subtracting the interrupt vector from 27d.

 - Call the interrupt handler, an ISR (Interrupt Service Routine).

 - Lower IRQL.

 - Release the service routine spinlock.

For example, the keyboard device ISR is I8042KeyboardInterruptService. ISRs are routines for handling interrupts, like top-halves in the linux kernel. According to the WDK (Windows Driver Kit), the ISR must do whatever is appropriate to the device to dismiss the interrupt. Then, it should do only what is necessary to save state and queue a DPC.
This means interrupt management takes place at a lower IRQL than during ISR execution. The I/O processing is done in the DPC.

DPCs (Deferred Procedure Calls) are the equivalent of bottom-halves in linux. A DPC works at IRQL DISPATCH_LEVEL, lower than the ISR's IRQL. In fact the ISR will queue a DPC to process the entire interrupt at a lower IRQL in order to avoid the core preemption taking too much time. For the keyboard the DPC is I8042KeyboardIsrDpc.

Here is a figure to sum up the interrupt processing :

                                      +-------------------------+
 Hardware Interrupt           /---->    Here we are at          |
         |                    |       | IRQL=DEVICE_LEVEL       |
         |                    |       | The KiInterruptDispatch |
         /---> IDT ---\       |       | routine calls the ISR.  |
                      |       |       |                         |
                      |       |       | ISR handles interrupt   |
 +-----------------------+    |       | and queue a DPC for     |
 | KiInterruptTemplate -------/       | later processing        |
 +-----------------------+            |                         |
                                      +-------------------------+

KiInterruptDispatch receives one main argument from KiInterruptTemplate, a pointer to an interrupt object stored in the EDI register. Interrupt objects are defined by a KINTERRUPT structure :

kd> dt nt!_KINTERRUPT
   +0x000 Type               : Int2B
   +0x002 Size               : Int2B
   +0x004 InterruptListEntry : _LIST_ENTRY
   +0x00c ServiceRoutine     : Ptr32 unsigned char
   +0x010 ServiceContext     : Ptr32 Void
   +0x014 SpinLock           : Uint4B
   +0x018 TickCount          : Uint4B
   +0x01c ActualLock         : Ptr32 Uint4B
   +0x020 DispatchAddress    : Ptr32 void
   +0x024 Vector             : Uint4B
   +0x028 Irql               : UChar
   +0x029 SynchronizeIrql    : UChar
   +0x02a FloatingSave       : UChar
   +0x02b Connected          : UChar
   +0x02c Number             : Char
   +0x02d ShareVector        : UChar
   +0x030 Mode               : _KINTERRUPT_MODE
   +0x034 ServiceCount       : Uint4B
   +0x038 DispatchCount      : Uint4B
   +0x03c DispatchCode       : [106] Uint4B

In this structure we find the SpinLock and the ServiceRoutine. Notice that SynchronizeIrql contains the IRQL at which the ISR will be executed. For each entry in the IDT which handles a hardware interrupt, the KiInterruptTemplate is contained in the DispatchCode table of the KINTERRUPT stru